Microsoft BizSpark is now a one-year programme

As of 1 December 2016, Microsoft’s BizSpark programme is now only for one year, down from the original three years.

Given how useful the free Visual Studio tools are, and what is possible with Azure, I’m not surprised, but this is going to affect a lot of people.

From the BizSpark page:

A one year program, BizSpark puts all Microsoft development and test software at your fingertips, including Azure, Windows, Visual Studio, Office and SQL Server for free. Plus, enjoy access to hundreds of free training classes, technical content, and 4 break-fix phone support incidents to help you on your journey.

Anyone who signed up before 1 December 2016 is not affected by this change: the annual renewal still applies, but you still qualify for the full three-year programme.

Defensive SSL security in Windows and IIS

In my previous post, I wrote about how SSLMate has made my life easier.

I also mentioned how SSL-based attacks like POODLE and Heartbleed have forced us into using TLS.

Which is all very well, except that Microsoft’s whole premise in their product line is backward compatibility.

This means that a lot of older security protocols are on by default in Internet Information Services (IIS), even on Windows Server 2012 R2. As the recent vulnerabilities in the SSL protocol have demonstrated, this is not a good thing.

The recommended solution is to manually disable each of the older protocols using the registry editor.

IIS Crypto

Instead of this risky method, I discovered a free tool called IIS Crypto, by Nartac Software.

And so too, apparently, did @SwiftOnSecurity.

IIS Crypto is a free tool that allows configuring TLS protocols, ciphers, hashes and key exchange algos on WinServer https://www.nartac.com/Products/IISCrypto

This is how it looks:

[Screenshot: iiscrypto, the IIS Crypto main window]

My recommended settings

I installed the .NET 4.0 GUI version. You can install the command-line version instead, but given that you’ll only run this application once or twice in the lifetime of the server, and you need to deselect some items, the GUI is easier to navigate.

Once you’ve installed IIS Crypto on your web server, run it and choose the Best Practices option (located under the Templates section).

You will then need to uncheck the Diffie-Hellman Key Exchange, on the top right, like so:

[Screenshot: iiscryptodh, Diffie-Hellman Key Exchange unchecked (click to enlarge)]

Now you can click the Apply button, which will prompt you to restart your server.

In my own experimentation, I just issued an iisreset command to restart IIS, but it’s probably a good idea to restart the server anyway, as this tool makes changes to the Windows Registry.
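Both the manual registry method mentioned earlier and IIS Crypto end up writing the same SCHANNEL protocol keys, so it helps to be able to read them back after clicking Apply. The script below is an added example, not part of the original post or of IIS Crypto; it assumes an elevated PowerShell session on the web server, and it treats SSL 2.0, SSL 3.0 and TLS 1.0 as the "older protocols" (an assumption, since the post does not list them). Without the -Disable switch it only reports.

```powershell
# Added example (not from the original post or from IIS Crypto): audit, and
# optionally disable, the SCHANNEL protocol keys on a Windows web server.
# Assumptions: run from an elevated PowerShell; "legacy" means the set below.
param(
    [switch]$Disable   # without this switch the script only reports
)

$Base   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$All    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$Legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'   # assumed set of "older protocols"

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)   # Side is 'Server' or 'Client'
    $key = Join-Path (Join-Path $Base $Protocol) $Side
    if (-not (Test-Path $key)) {
        # No key at all means Windows applies its built-in default for this protocol
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = 'OS default (no key)' }
    }
    $p = Get-ItemProperty -Path $key
    $state = 'Enabled'
    if ($p.DisabledByDefault -eq 1) { $state = 'Disabled by default' }
    if ($p.Enabled -eq 0)           { $state = 'Disabled' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; State = $state }
}

function Disable-SchannelProtocol {
    param([string]$Protocol)
    # Writes the same two DWORD values the manual registry method sets, server side only
    $key = Join-Path (Join-Path $Base $Protocol) 'Server'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

if ($Disable) {
    foreach ($proto in $Legacy) { Disable-SchannelProtocol -Protocol $proto }
    Write-Host "Disabled $($Legacy -join ', ') for the server side; reboot so SCHANNEL reloads the keys."
}

# Report the current state of every protocol for both the server and client sides
$report = foreach ($proto in $All) {
    foreach ($side in 'Server', 'Client') { Get-SchannelState -Protocol $proto -Side $side }
}
$report | Format-Table -AutoSize
```

Run it once before and once after applying the IIS Crypto template to confirm the keys changed as expected; as the post says, a reboot is still needed for SCHANNEL to pick up the new values.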

Warning

According to the Qualys SSL Labs Test (which you can access from IIS Crypto in the URL field at the bottom of the screen), you will get a best score of an A-minus with these settings.

To achieve an A or higher, follow the instructions from the test result.

Coincidentally, because my company has more than one website served on the same IP address (common with virtual hosts), I achieved an A score by enabling SNI (Server Name Indication) on my website’s SSL bindings.

By default, this breaks compatibility with older browsers, which will be served a default SSL/TLS certificate, so keep this in mind.

Summary

I hope that this tool will make your life easier, by keeping only the most secure protocols and ciphers active on IIS.

This is just one aspect of security in depth. You should also look at the rest of the top 10 vulnerabilities, as collated by OWASP, to see how else you can protect your web applications.

SQL Server 2012 Exams

I’m taking the plunge to write all five SQL Server 2012 exams that are currently available, on my track to obtain the MCSM qualification (previously known as MCM, or Microsoft Certified Master).

By going public with my plan, I hope to motivate myself to spend some time preparing properly for it.

But in true Randolph style, I’m hitting all five over a two-week period, starting next week:

  • 070-461: Querying Microsoft SQL Server 2012*
  • 070-462: Administering a Microsoft SQL Server 2012 Database*
  • 070-463: Implementing Data Warehouses with Microsoft SQL Server 2012*
  • 070-464: Developing Microsoft SQL Server 2012 Databases^
  • 070-465: Designing Database Solutions for Microsoft SQL Server 2012^

My reasoning is simple: if I do them all at once, I have less time to worry about them.

* Microsoft Certified Solutions Associate: SQL Server
^ Microsoft Certified Solutions Expert: Data Platform

Exchange 2003 Fail Server

Holy hell, it’s hard to recover mail from an Exchange server if you’ve lost your domain controller. But I’ve done it. Once again, I’m a legend.

On Monday, a customer’s Windows 2003 Small Business Server went down due to a planned power outage. When it came back up again, the drives were corrupt. Their most recent backup was over a year old, and the RAID mirror had replicated the corruption.

I spent the better part of Monday and Tuesday fighting with the machine. Before I did anything, though, I imaged the data. I then replaced the existing drives with new 1TB drives to eliminate hard drive failure, and then began the arduous process of rebuilding data.

Active Directory was gone. I was able to log into the server using cached credentials. All attempts at either backing up or repairing the NTDS folder failed miserably. I reimaged the new drives probably four times.

Then on Wednesday morning, the server stopped booting. My boss and I decided to replace the hardware and begin rebuilding the server from scratch. This is an extremely painful process, because it means literally recreating years of configuration, certificates, licencing, e-mail and user data in a few days.

I was able to repair the Exchange database, using the built-in command-line tools. I made a backup of the EDB and STM files on a separate partition, along with the user shares and the Intranet website files (and SQL database), to prepare for the server rebuild.

Yesterday, Thursday, it became clear that Windows 2003 was not going to run on the new hardware we specified. Whatever I tried, Active Directory kept failing. Whether at the initial AD setup phase, or during the Exchange 2003 installation, we got error after error.

So it was with a bold and insecure step that we decided to put our faith back in the original server. As the hard drives had already been replaced, I decided to replace the power supply as well.

As of right now, the server is still going strong. I believe that the power outage caused damage to the power supply in the server, which in turn caused corruption on the drives. With a new supply, the server has been performing admirably (despite being a Dell).

Tonight, I decided that I would spend some time this long weekend to recover the Exchange mailboxes. If you know anything about Exchange, you’ll know that it is deeply tied to Active Directory. Since I’ve had to rebuild the server (and change the domain name to avoid conflict when we reconnect the server to the network), all associations between the old Exchange database and the new domain are severed.

Microsoft provides tools that allow you to reconnect the Exchange store. However, there are some steps one must follow:

1. Ensure that you’re logged in as a Domain Admin. It’s the right thing to do in this case.

2. Shut down the MSExchangeIS service and swap the EDB and STM files with the ones you’ve recovered from the old server.

3. Restart the Information Store service, and mount the store you’ve switched in.

4. Make sure the user has full rights on the Mail store, including Receive As and Send As permissions.

5. Now the fun part: if you’ve changed permissions, you should restart Windows. It’s quicker than waiting for the AD to replicate permissions (usually 15 minutes, but can take longer). I was fortunate in that I set up a LAN consisting of only one machine: the server.

6. Once in Exchange System Manager again, hook up the Administrative Group display. It gives you more options. You’ll have to go out and come back in again.

7. Now create some AD users. Make sure you do not give them email addresses, or associate them with Exchange. The reason is simple: you want to assign the old mailboxes with the new users.

8. In the mail store, set the Limits to 9999 days for keeping items. This will bring across every item associated with the old mailbox for the user.

9. In the Mailbox Recovery Center, hook up your mail store. You may need to refresh something, or run the Cleanup Agent or something. I forget now.

10. Right click on an account, and Find Match. If the AD user you’ve created has the same name, you’re in luck. You can then Reconnect it and it’ll be happy.

11. Once you’ve reconnected all of the mailboxes, start up Exmerge. This tool allows you to export and import mailboxes in PST format. Very nice. Very useful.

12. Using the two-step process, export all the mailboxes from the mail store to a folder on your hard drive. Make sure the errors are managed accordingly.

13. Shut down the Information Store again, and switch back the new files.

14. Restart the Information Store and mount the store if necessary.

15. Using Outlook from each user’s machine, import each PST file back into Exchange. Personally, I’d go this route instead of maintaining the old mailboxes, because you can take this opportunity to clean up each mailbox.

SQL Server 2008 R2 demo

My boss convinced me this week to demo the new features in Microsoft SQL Server 2008 R2 to our team, so that they can get a basic handle on why I think SQL Server 2000 should be buried.

The big day is on 27 January, and I have 45 minutes in which to make the presentation. All of our customers are still on SQL Server 2000, so I am expecting to demo some 2005 features as well.

Here is my proposed list:

– Management Studio overview – 5 min
– Table partitioning – 5 min
– SSIS overview – 10 min
– Compression (2008) – 10 min
– Master Data Services (2008) – 10 min
– Questions – 5 min

Thoughts?