Category: Computing

POODLE Attack – Disabling SSLv3 in Internet Explorer via Group Policy

The POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”) is a man-in-the-middle exploit which takes advantage of Internet and security software clients’ fallback to SSL 3.0. Further details on the nature of the attack can be found here.

SSL 3.0 will be disabled in the next releases of all the major web browsers, but until then the following steps can be taken to protect clients in your company through disabling SSL 3.0 and enabling TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy.

You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.

  • Open Group Policy Management.
  • Select the group policy object to modify, right click and select Edit.
  • In the Group Policy Management Editor, browse to the following setting:
    Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
  • Double-click the Turn off encryption support setting to edit it.
  • Click Enabled.
  • In the Options window, change the Secure Protocol combinations setting to “Use TLS 1.0, TLS 1.1, and TLS 1.2”.
  • Click OK.

Note: Administrators should make sure this Group Policy is applied appropriately by linking the GPO to the relevant OU in their environment.
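Once the policy has been applied it is worth confirming on a client that SSL 3.0 really is gone. The PowerShell below is an added example and not part of the original post; it assumes that the "Turn off encryption support" policy writes the SecureProtocols DWORD under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings (with the user's own, non-policy value under HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings), and that the bit values used by Internet Explorer for each protocol are the ones listed in the table at the top of the script.

```powershell
# Added example (not from the original post): read the SecureProtocols value the
# "Turn off encryption support" policy sets and decode its protocol bitmask.
# Assumptions: registry paths and bit values as listed below.

# Bit values Internet Explorer uses in the SecureProtocols DWORD (assumed).
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function ConvertFrom-SecureProtocols {
    # Turn a SecureProtocols bitmask into the names of the protocols it enables.
    param([Parameter(Mandatory)][int]$Value)
    $ProtocolBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-IESecureProtocols {
    # Prefer the policy value (HKLM); fall back to the user's own setting (HKCU).
    $locations = @(
        @{ Scope = 'Policy (HKLM)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings' }
        @{ Scope = 'User (HKCU)';   Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' }
    )
    foreach ($loc in $locations) {
        $item = Get-ItemProperty -Path $loc.Path -Name SecureProtocols -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = [int]$item.SecureProtocols
            return [pscustomobject]@{
                Scope        = $loc.Scope
                Value        = ('0x{0:X}' -f $value)
                Enabled      = ((ConvertFrom-SecureProtocols $value) -join ', ')
                SSLv3Enabled = (($value -band $ProtocolBits['SSL 3.0']) -ne 0)
            }
        }
    }
    Write-Warning 'SecureProtocols is not set in the policy or user hive; Internet Explorer defaults apply.'
}

# The GPO option "Use TLS 1.0, TLS 1.1, and TLS 1.2" is 0x80 + 0x200 + 0x800 = 0xA80 (decimal 2688).
ConvertFrom-SecureProtocols 0xA80   # TLS 1.0, TLS 1.1, TLS 1.2
Get-IESecureProtocols | Format-List
```

Run it on a domain-joined client after `gpupdate /force`: `Scope` should read `Policy (HKLM)` and `SSLv3Enabled` should be `False`. If the HKCU value is reported instead, the GPO has not reached that machine or the policy has not been linked to its OU.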

The same cannot be achieved centrally for Mozilla Firefox via Group Policy, but it can be done on a per-machine basis by installing the SSL Version Control add-on.



Debugging and fixing the BUGCODE_USB_DRIVER (fe) Blue Screen of Death

A remote laptop user has been suffering from occasional blue screens of death with the error BUGCODE_USB_DRIVER. I asked him to email me the mini-dump that had been generated by the last BSOD so that I could analyse it with WinDbg.

Output from analysis of dump file using WinDbg

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
BUGCODE_USB_DRIVER (fe)
USB Driver bugcheck, first parameter is USB bugcheck code.
Arguments:
Arg1: 0000000000000008, USBBUGCODE_RESERVED_USBHUB
Arg2: 0000000000000006, USBHUB_TRAP_FATAL_TIMEOUT
Arg3: 0000000000000005, TimeoutCode: Timeout_PCE_Suspend_Action3 - PortData->PortSuspendEvent
Arg4: fffffa8007dfcc80, TimeoutContext - PortData

Debugging Details:
------------------
CUSTOMER_CRASH_COUNT: 1

DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT

BUGCHECK_STR: 0xFE

PROCESS_NAME: System

CURRENT_IRQL: 0

LAST_CONTROL_TRANSFER: from fffff88006830a5c to fffff80002ed8bc0

STACK_TEXT:
fffff880`035d9ad8 fffff880`06830a5c : 00000000`000000fe 00000000`00000008 00000000`00000006 00000000`00000005 : nt!KeBugCheckEx
fffff880`035d9ae0 fffff800`031cfc93 : fffffa80`07df6050 00000000`00000001 ffffffff`dc3a58a0 fffff800`0307e2d8 : usbhub!UsbhHubProcessChangeWorker+0xec
fffff880`035d9b40 fffff800`02ee2261 : fffff800`0307e200 fffff800`031cfc01 fffffa80`036d9000 fffffa80`036d9040 : nt!IopProcessWorkItem+0x23
fffff880`035d9b70 fffff800`0317473a : 24d524c5`24c524c5 fffffa80`036d9040 00000000`00000080 fffffa80`036669e0 : nt!ExpWorkerThread+0x111
fffff880`035d9c00 fffff800`02ec98e6 : fffff880`033d7180 fffffa80`036d9040 fffff880`033e1fc0 54d3e93c`92e2655f : nt!PspSystemThreadStartup+0x5a
fffff880`035d9c40 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KxStartSystemThread+0x16

STACK_COMMAND: kb

FOLLOWUP_IP:
usbhub!UsbhHubProcessChangeWorker+ec
fffff880`06830a5c cc int 3

SYMBOL_STACK_INDEX: 1

SYMBOL_NAME: usbhub!UsbhHubProcessChangeWorker+ec

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: usbhub

IMAGE_NAME: usbhub.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 52954e12

FAILURE_BUCKET_ID: X64_0xFE_usbhub!UsbhHubProcessChangeWorker+ec

BUCKET_ID: X64_0xFE_usbhub!UsbhHubProcessChangeWorker+ec

The important bits here are the arguments following the bug check 0xFE (BUGCODE_USB_DRIVER). These parameters give the exact underlying error behind the general BUGCODE_USB_DRIVER bug check; here they indicate that the failure was due to ‘Timed out waiting for a suspend-port request to complete.’

A highly recommended solution to this issue is to disable USB selective suspend in the power settings.

Open the Power Settings from the Control Panel and then click Edit Plan Settings for your current plan.

power_settings_1

Click on Change advanced power settings.

power_settings_2

In the Advanced settings window for Power Options, scroll down to USB settings and expand it to display the USB selective suspend setting. It is enabled by default. To disable it, click Enabled, change the option to Disabled in the drop-down menu that appears, then click Apply and close the window.
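For a remote laptop user it is often easier to make the same change from an elevated PowerShell prompt (or through a remote session) than to talk them through the Control Panel. The script below is an added example, not part of the original post; it assumes the well-known GUIDs for the "USB settings" subgroup and the "USB selective suspend setting" shown at the top, and it parses the English output of `powercfg /query`, so confirm both on your own build before relying on it.

```powershell
# Added example (not from the original post): disable USB selective suspend on the
# active power plan with powercfg, and read the setting back to confirm it.
# Assumptions: the two GUIDs below identify the USB subgroup and the selective
# suspend setting; powercfg output is in English. Run from an elevated prompt.
$UsbSubgroup      = '2a737441-1930-4402-8d77-b2bebba308a3'   # "USB settings" subgroup (assumed)
$SelectiveSuspend = '48e6b7a6-50f5-4782-a5d4-53bb8f07e226'   # "USB selective suspend setting" (assumed)

function Get-UsbSelectiveSuspend {
    # Return the current AC and DC index values for the active scheme
    # (1 = Enabled, 0 = Disabled), parsed from `powercfg /query` output.
    $text = powercfg /query SCHEME_CURRENT $UsbSubgroup $SelectiveSuspend
    $ac = ($text | Select-String 'Current AC Power Setting Index:\s*0x([0-9a-f]+)').Matches[0].Groups[1].Value
    $dc = ($text | Select-String 'Current DC Power Setting Index:\s*0x([0-9a-f]+)').Matches[0].Groups[1].Value
    [pscustomobject]@{
        AC = [Convert]::ToInt32($ac, 16)
        DC = [Convert]::ToInt32($dc, 16)
    }
}

function Disable-UsbSelectiveSuspend {
    # Set the index to 0 (Disabled) for both plugged-in and on-battery, then
    # re-apply the active scheme so the change takes effect without a reboot.
    powercfg /setacvalueindex SCHEME_CURRENT $UsbSubgroup $SelectiveSuspend 0
    powercfg /setdcvalueindex SCHEME_CURRENT $UsbSubgroup $SelectiveSuspend 0
    powercfg /setactive SCHEME_CURRENT
}

'Before:'; Get-UsbSelectiveSuspend
Disable-UsbSelectiveSuspend
'After:';  Get-UsbSelectiveSuspend   # both AC and DC should now be 0
```

Setting both the AC and DC values matters on a laptop: the Control Panel dialog shows them as separate "On battery" and "Plugged in" entries, and disabling only one leaves the timeout path in place on the other power source.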



Resolving Microsoft Office 2010 issues with Office 365

We have a mixture of licenses for Microsoft Office 2010 and 2013 here and there is the occasional need to reinstall Microsoft Office such as when rebuilding a PC or migrating a user to a new computer.

Problem
New installs of Microsoft Office 2010 will have issues when trying to work with Office 365, i.e. Exchange Online and SharePoint Online.

The issue is most apparent when trying to connect Outlook to the Exchange mail server: it keeps requesting login details in an infinite loop, which is difficult to cancel without killing the Outlook process in Task Manager.

Solution
Microsoft Office 2010 needs to be updated to the most recent version by installing Service Pack 2 (and possibly subsequent Windows Updates that relate to Office 2010).

You can determine what exact version of Office you have by doing the following. On the File tab, click Help. You will see the version information in the About Microsoft section.

office 2010 version number

• The version number of Office 2010 SP2 is greater than or equal to 14.0.7015.1000.
• The version number of Office 2010 SP1 is greater than or equal to 14.0.6029.1000 but less than 14.0.7015.1000.
• The version number of the original RTM release of Office 2010 (that is, with no service pack) is greater than or equal to 14.0.4763.1000 but less than 14.0.6029.1000.
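When you have a few of these PCs to check, reading the build number from the installed binaries is quicker than opening the About dialog on each. The script below is an added example and not part of the original post; it assumes that the version shown under File > Help matches the file version of the Office 2010 executables and that those live in an Office14 folder under Program Files or Program Files (x86).

```powershell
# Added example (not from the original post): classify an Office 2010 build as
# RTM, SP1 or SP2 using the thresholds listed above, and find the installed build.
# Assumptions: File > Help version == file version of OUTLOOK.EXE; Office14 path.
function Get-Office2010ServicePack {
    param([Parameter(Mandatory)][version]$Version)
    if     ($Version -ge [version]'14.0.7015.1000') { 'SP2' }
    elseif ($Version -ge [version]'14.0.6029.1000') { 'SP1' }
    elseif ($Version -ge [version]'14.0.4763.1000') { 'RTM (no service pack)' }
    elseif ($Version.Major -eq 14)                  { 'Unknown Office 2010 build' }
    else                                            { 'Not Office 2010' }
}

function Get-InstalledOffice2010 {
    # Look for the Office 2010 Outlook executable in both Program Files folders
    # and report its build number, service pack level and whether SP2 is needed.
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office\Office14\OUTLOOK.EXE",
        "${env:ProgramFiles(x86)}\Microsoft Office\Office14\OUTLOOK.EXE"
    )
    foreach ($path in $candidates) {
        if (Test-Path $path) {
            $v = (Get-Item $path).VersionInfo
            # Build the version from the numeric parts so a text suffix in
            # FileVersion cannot break the comparison.
            $ver = [version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart)
            return [pscustomobject]@{
                Path        = $path
                Version     = $ver
                ServicePack = Get-Office2010ServicePack $ver
                NeedsSP2    = ($ver -lt [version]'14.0.7015.1000')
            }
        }
    }
    Write-Warning 'Office 2010 (Office14 folder) not found on this machine.'
}

Get-Office2010ServicePack '14.0.7015.1000'   # SP2
Get-Office2010ServicePack '14.0.6129.5000'   # SP1
Get-InstalledOffice2010
```

A `NeedsSP2` value of `True` is the machine that will hit the Outlook credential loop described above, so this is the check to run before pointing a rebuilt PC at Exchange Online.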



The redo log is corrupted. If the problem persists, discard the redo log.

redo-log

Yesterday, about an hour before the end of my work day, one of our critical servers fell over and displayed the following message in the vSphere client.

The redo log of VisualSVNServer_1-000001.vmdk is corrupted. If the problem persists, discard the redo log.

The error message refers to a redo log, but this is legacy VMware terminology. Since ESXi 3.1 VMware has used the term snapshot for the same thing, but for some reason the error messages still use the old term.

The server was named Subversion and was a VisualSVN Server.

There was a snapshot dated from 15th December 2013 in the Snapshot manager for the Subversion VM so returning to this snapshot would have meant returning to a point several weeks ago and then trying to import the backup of the repository that was made the night of 29th January.

The underlying cause of the corruption cannot be definitively determined, but I think it was due to the amount of disk activity on the physical disk that constitutes datastore 3_2 on the host server S003-ESXi. This caused the system to fail to write to the log and to the updated delta disks, which contain all the changes to the disks since the point of the snapshot.

I believe that if there had not been a snapshot the data corruption probably wouldn’t have happened. I have since educated staff that taking snapshots in vSphere is really not the same as backing up the server and they shouldn’t be doing it on the Subversion server at all.

I resolved the issue with Subversion by carrying out the following steps.

I clicked OK to the error message in the slim hope that the VM could overcome the glitch itself upon a simple reboot.

This didn’t work, so I started backing up the VM: I forced a shutdown of the machine by virtually cutting off the power and then made a copy of the virtual machine folder on the datastore.

While the copy was running I checked the virtual machine logs: vmware-3.log was completely corrupt and vmware.log showed some corruption.

The copy process took over an hour as the VM was 150GB in total, mostly due to the two virtual disks: VisualSVNServer.vmdk, which constitutes the C: drive of the server, is 40GB, and VisualSVNServer_1.vmdk, which is the E: drive, is 100GB.

Having made a copy of everything I attempted to fix the snapshots. I made sure that there was sufficient space on the datastore and then using Snapshot Manager in vSphere created a new snapshot of the Subversion VM.

This operation was successful, so I then tried to commit the changes and to consolidate the disks. This worked for VisualSVNServer.vmdk merging all the changes, but not entirely for VisualSVNServer_1.vmdk, however it did reduce the size of the delta disks significantly meaning that there was likely to be only minimal data lost.

Nothing more could be done through the vSphere client so I then started a process of trying to manually consolidate the following disks into a single disk.
VisualSVNServer_1.vmdk
VisualSVNServer_1-000001.vmdk
VisualSVNServer_1-000002.vmdk

I enabled SSH on the host server s003-esxi.

Using PuTTY I logged into the command line of the host and changed to the directory that contains the virtual machine files for Subversion: /vmfs/volumes/Datastore3_2/VisualSVNServer

I then ran ls -lrt *.vmdk to display all the virtual disk components.

Then, starting with the highest-numbered snapshot, I ran the following command to clone the disk in a way that would merge the delta disks into a copy of the main disk.

vmkfstools -i VisualSVNServer_1-000002.vmdk VisualSVNServer-Recovered_1.vmdk

This process took another hour or so as it was trying to create a 100GB file.

This failed with the following error message displayed:

Failed to clone disk: Bad File descriptor (589833)

I then moved to the next highest-numbered snapshot and ran the command again, to clone the disk without the most recent changes.

vmkfstools -i VisualSVNServer_1-000001.vmdk VisualSVNServer-Recovered_1.vmdk

This process again took about an hour as it was again trying to create a 100GB file.

Again this failed with the following error message displayed:
Failed to clone disk: Bad File descriptor (589833)

Abandoning the idea of merging the disks, I removed the VM from the inventory in vSphere and then moved all but the following files into a separate folder.
VisualSVNServer.nvram
VisualSVNServer.vmx
VisualSVNServer.vmdk
VisualSVNServer_1.vmdk

I could then recreate the VM from these files. I downloaded the file VisualSVNServer.vmx which is the virtual machine’s configuration file and stores the settings regarding the virtual devices that make up a virtual machine. I edited the file to change all references to VisualSVNServer_1-000002.vmdk to VisualSVNServer_1.vmdk so that the machine could be booted up ignoring the delta disks and any data they might contain.

I added the VM back into the inventory and booted the machine. It booted fine; I checked the E: drive and data appeared to have been written to the disk right up to the time the server fell over, so there was minimal if any data lost.

Thanks to XtraVirt for the necessary steps.
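The .vmx edit is the step where a slip (changing the wrong line, or losing the original) turns a recoverable situation into a worse one, so it pays to script it. The PowerShell below is an added example and not part of the original post; the .vmx fragment it writes to %TEMP% is constructed for the demonstration and is not the author's file, though the disk names are the ones quoted above. It assumes disk attachments appear in the .vmx as lines of the form scsi0:1.fileName = "name.vmdk".

```powershell
# Added example (not from the original post): re-point a .vmx file's disk entries
# at the base .vmdk so the VM boots without its delta disks, keeping a backup.
# Assumption: disk attachment lines look like <bus><n>:<unit>.fileName = "<vmdk>".
function Set-VmxDiskFileName {
    param(
        [Parameter(Mandatory)][string]$VmxPath,
        [Parameter(Mandatory)][string]$From,   # e.g. VisualSVNServer_1-000002.vmdk
        [Parameter(Mandatory)][string]$To      # e.g. VisualSVNServer_1.vmdk
    )
    $lines   = Get-Content -Path $VmxPath
    $changed = @()
    $out = foreach ($line in $lines) {
        # Only touch disk attachment lines whose file name matches $From exactly;
        # every other setting in the file is passed through unchanged.
        if ($line -match '^\s*([a-z]+\d+:\d+)\.fileName\s*=\s*"(.+)"\s*$' -and $Matches[2] -eq $From) {
            $changed += $Matches[1]
            '{0}.fileName = "{1}"' -f $Matches[1], $To
        } else {
            $line
        }
    }
    if ($changed.Count -gt 0) {
        Copy-Item -Path $VmxPath -Destination "$VmxPath.bak" -Force   # keep the original
        Set-Content -Path $VmxPath -Value $out -Encoding ASCII
    }
    [pscustomobject]@{ Changed = $changed; BackupPath = "$VmxPath.bak" }
}

# --- demonstration on a constructed .vmx fragment (not the real server's file) ---
$vmx = Join-Path $env:TEMP 'VisualSVNServer.vmx'
@'
.encoding = "UTF-8"
config.version = "8"
displayName = "Subversion"
scsi0:0.fileName = "VisualSVNServer.vmdk"
scsi0:1.fileName = "VisualSVNServer_1-000002.vmdk"
scsi0:1.present = "TRUE"
'@ | Set-Content -Path $vmx -Encoding ASCII

$result = Set-VmxDiskFileName -VmxPath $vmx -From 'VisualSVNServer_1-000002.vmdk' -To 'VisualSVNServer_1.vmdk'
$result.Changed                              # scsi0:1
Get-Content $vmx | Select-String 'fileName'  # scsi0:1 now points at VisualSVNServer_1.vmdk
```

Matching the full file name rather than doing a blanket text replace means a disk that merely shares a prefix (VisualSVNServer.vmdk next to VisualSVNServer_1.vmdk, as here) cannot be rewritten by accident, and the returned `Changed` list tells you exactly which attachment was altered before you upload the file back to the datastore.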




New Spiceworks profile

I use the Spiceworks app as an IT systems management and inventory tool in my company but until recently have only participated in the community very rarely.

Things have changed since they launched their new style of profile page which allows community members to create a ‘portfolio’ of IT projects that they’ve worked on or led.

Spiceworks profile

Eli Etherton believes that they are better than a résumé for IT professionals and I’d be inclined to agree to some extent. For more senior technical roles it is crucial to be able to demonstrate experience with the relevant technologies and it is difficult to condense some IT projects into a bullet point. I can easily sum up one project e.g. Migrated 85 mailboxes into Office 365 Exchange Online.

But setting up a branch office and all that actually entailed is more difficult and the Spiceworks profile allows me to flesh out and illustrate the project.

There is a downside: will the recruitment process actually allow me to show off my skills and experience through this new means? Recruitment agencies and human resources departments will favour CVs and LinkedIn profiles because those are the tools they use, and they act as gatekeepers between the IT professional seeking a new employee and the IT professional seeking a new role.



Surface Pro deployment in retail

MQ Retail AB deploys Surface Pro in their brick and mortar stores



New virtual server in DMZ not accessible

I had created a new server as a test environment for a new client of the company and configured it to reside in the DMZ with an external IP address so that people at the client could test the system from their location.

I tested connectivity to this new IP address and the server was connectable and everything seemed fine.

However one of our implementation consultants reported that he wasn’t able to access the server from his location using the IP address that I had provided to him. I tested it again and again it all appeared fine.

I then tried connecting to it from a different network outside the company and hit exactly the same problem as my colleague: ‘TTL Expired In Transit’. So I ran a traceroute to see if that revealed where the issue might be.

At first glance it appeared okay: traffic was being bounced back correctly from each router along the way. Then I saw the problem. A configuration error in our ISP’s routers meant that traffic coming from outside their network, destined for the IP address I had assigned to the server, was being routed to a particular pair of routers, which then just bounced it back and forth between themselves until the TTL expired.
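The tell-tale sign of that kind of loop in a traceroute is the same pair of addresses alternating hop after hop until the probes time out. The script below is an added example, not part of the original post: it parses tracert output lines and reports the first repeated hop and the addresses in the cycle. The sample output it runs on is constructed, using documentation address ranges rather than any real router.

```powershell
# Added example (not from the original post): detect a routing loop in tracert
# output by spotting the first hop address that appears a second time.
# The sample lines below are constructed; 192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real routers.
function Find-TracerouteLoop {
    param([Parameter(Mandatory)][string[]]$TracertLines)
    # Pull "<hop> ... <ipv4>" from each line; timed-out hops (*) carry no address.
    $hops = foreach ($line in $TracertLines) {
        if ($line -match '^\s*(\d+)\s+.*?(\d{1,3}(?:\.\d{1,3}){3})\s*$') {
            [pscustomobject]@{ Hop = [int]$Matches[1]; Address = $Matches[2] }
        }
    }
    $seen = @{}   # address -> hop number where it was first seen
    foreach ($h in $hops) {
        if ($seen.ContainsKey($h.Address)) {
            # A second appearance means packets are cycling between routers.
            $cycle = $hops | Where-Object { $_.Hop -ge $seen[$h.Address] -and $_.Hop -lt $h.Hop } |
                     ForEach-Object Address
            return [pscustomobject]@{
                LoopDetected   = $true
                FirstRepeatHop = $h.Hop
                CycleMembers   = @($cycle | Sort-Object -Unique)
            }
        }
        $seen[$h.Address] = $h.Hop
    }
    [pscustomobject]@{ LoopDetected = $false; FirstRepeatHop = $null; CycleMembers = @() }
}

# Constructed tracert output showing two ISP routers bouncing traffic between them.
$sample = @(
    '  1     1 ms     1 ms     1 ms  192.0.2.1'
    '  2     8 ms     7 ms     8 ms  198.51.100.9'
    '  3    12 ms    11 ms    12 ms  203.0.113.5'
    '  4    13 ms    12 ms    13 ms  203.0.113.6'
    '  5    14 ms    13 ms    14 ms  203.0.113.5'
    '  6    15 ms    14 ms    15 ms  203.0.113.6'
    '  7     *        *        *     Request timed out.'
)
Find-TracerouteLoop -TracertLines $sample   # LoopDetected True, FirstRepeatHop 5, cycle 203.0.113.5 / 203.0.113.6

# Against a live host (IP is a placeholder): Find-TracerouteLoop -TracertLines (tracert -d 192.0.2.10)
```

Use `tracert -d` for the live run so reverse DNS lookups do not slow the trace or replace the addresses with names the regex would not match. When the cycle members all sit inside the ISP's address space, as in the case above, the fix is theirs to make, and the parsed hop list is the evidence to send them.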



Converting Windows Server 2012 Standard to Windows Server 2012 Datacenter

It probably won’t come to this as I have now convinced the management to allow me to purchase vSphere Essentials Plus, but I was curious about whether I could convert my Windows Server 2012 Standard server to Windows Server 2012 Datacenter without having to do a complete reinstall.

Good news! It is possible and is dead simple to do. Via http://technet.microsoft.com/en-us/library/jj574204.aspx

From an elevated command prompt run the DISM tool and pop your new key in.

DISM /online /Set-Edition:ServerDatacenter /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

(Replace XXXXX-XXXXX-XXXXX-XXXXX-XXXXX with your Datacenter product key. DISM prompts for a restart when the edition change completes.)
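Before committing to the edition change it is worth asking DISM what it thinks the current edition is and which editions it will upgrade to, since Set-Edition only works along the paths DISM lists. The PowerShell below is an added example and not part of the original post; it parses the English output of `dism /online /Get-CurrentEdition` and `/Get-TargetEditions`, and the product key it shows is a placeholder.

```powershell
# Added example (not from the original post): check the current edition and the
# available upgrade targets with DISM, then run Set-Edition only if Datacenter
# is offered. Assumption: English DISM output. Run from an elevated prompt.
function Get-DismEditionInfo {
    $current = (dism /online /Get-CurrentEdition | Select-String 'Current Edition\s*:\s*(\S+)').Matches[0].Groups[1].Value
    $targets = dism /online /Get-TargetEditions |
               Select-String 'Target Edition\s*:\s*(\S+)' |
               ForEach-Object { $_.Matches[0].Groups[1].Value }
    [pscustomobject]@{ Current = $current; Targets = @($targets) }
}

function Convert-ToDatacenter {
    param([Parameter(Mandatory)][string]$ProductKey)
    $info = Get-DismEditionInfo
    if ($info.Targets -notcontains 'ServerDatacenter') {
        throw "ServerDatacenter is not an upgrade target from $($info.Current); available: $($info.Targets -join ', ')"
    }
    # Same command as above; DISM asks to restart when it finishes.
    dism /online /Set-Edition:ServerDatacenter "/ProductKey:$ProductKey" /AcceptEula
}

Get-DismEditionInfo
# Convert-ToDatacenter -ProductKey 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder key
```

On a Standard installation `Targets` should contain `ServerDatacenter`; if it comes back empty the machine is already Datacenter or is an evaluation build that needs a different upgrade path, and the guard in `Convert-ToDatacenter` stops you from running the edition change blind.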



Happy SysAdmin Day

It’s the last Friday of July so that must mean that it is System Administrator Appreciation Day!

I will have to supply some cakes for my colleagues today I think, even though the idea is supposed to be that they buy me cake to show their appreciation for me and the work I do.



Huge collection of Free Microsoft eBooks for you

Microsoft are giving away more eBooks. Previous ebook giveaways

I grabbed Administrator’s Guide for Microsoft Diagnostics and Recovery Toolset and TCP/IP Fundamentals for Microsoft Windows.