Thursday, May 10, 2018

How to force servers to communicate only on TLS 1.2

TLS 1.2 is a cryptographic protocol for communication between computers.

The RFC is linked below; more details on the protocol can be found there.

https://tools.ietf.org/html/rfc5246#section-5

First of all, you have to determine the tools you will use to confirm TLS communication in your environment.

First I used Netmon and Wireshark to look at the communication. Both of them showed TLS 1.2 in the packet captures.

But Microsoft Message Analyzer did not show TLS communication. It showed this:

If I look at a packet for RDP, however, I can see it using TLS 1.2.

The screenshot below is for an RDP session.

And that is how the communication between my IIS and SQL servers should have looked.

After a lot of searching and testing, these are the things that were done to have the servers communicate only on TLS 1.2.

1. Installing the right patches.
https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework
You can also upgrade the .NET Framework to 4.6 or above, which is what I did.

2. Adding registry entries to disable protocols other than TLS 1.2.


Windows Registry Editor Version 5.00

; Everything below TLS 1.2 is turned off for both Client and Server:
; Enabled=0 switches the protocol off, DisabledByDefault=1 stops it being
; offered unless an application asks for it explicitly.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
; Enabled=0 already disables TLS 1.0 for the server role; set to 1 here for consistency with the other entries.
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000



3. Adding the SQL Server certificate (pfx) in SQL Server Configuration Manager to enable encrypted connections.
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-2017
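As an added check, not part of the original post: a PowerShell script that reads back the Schannel keys from the .reg file above and the .NET Framework keys from the KB article in step 1, and warns if anything below TLS 1.2 is still reachable. The .NET registry paths (including the Wow6432Node path for the 32-bit runtime) are taken from Microsoft's documentation and are assumptions, not values from this post.

```powershell
# Added example (not from the original post): audit the Schannel protocol keys set by
# the .reg file above and the .NET Framework keys from the KB article in step 1.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path $base "$proto\$role"
            $enabled = $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $disabledByDefault = $props.DisabledByDefault
            }
            # Schannel semantics: Enabled=0 switches the protocol off outright,
            # DisabledByDefault=1 only stops it being offered unless an application
            # asks for it explicitly, and a missing key falls back to the OS default.
            if ($null -eq $enabled -and $null -eq $disabledByDefault) { $state = 'os default' }
            elseif ($enabled -eq 0) { $state = 'disabled' }
            elseif ($disabledByDefault -eq 1) { $state = 'disabled by default' }
            else { $state = 'enabled' }
            [pscustomobject]@{ Protocol = $proto; Role = $role; Enabled = $enabled
                               DisabledByDefault = $disabledByDefault; State = $state }
        }
    }
}
# .NET applications (IIS app pools, SqlClient) only follow the Schannel settings when
# SystemDefaultTlsVersions or SchUseStrongCrypto is set (assumed paths, per the KB).
function Get-DotNetTlsState {
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{ Key = $key
                           SystemDefaultTlsVersions = $props.SystemDefaultTlsVersions
                           SchUseStrongCrypto = $props.SchUseStrongCrypto }
    }
}
$schannel = Get-SchannelProtocolState
$schannel | Format-Table -AutoSize
Get-DotNetTlsState | Format-Table -AutoSize
# Anything other than TLS 1.2 that is not fully disabled still needs attention.
$leftover = $schannel | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -ne 'disabled' }
if ($leftover) { Write-Warning 'Protocols other than TLS 1.2 are still reachable:'; $leftover | Format-Table -AutoSize }
```

Run it from an elevated prompt on both the IIS and the SQL server after the restart; a blank SystemDefaultTlsVersions column means the .NET side is still relying on its own defaults rather than the Schannel settings.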

After making the changes above and restarting the servers, I could see the same behavior in Message Analyzer for the communication between our IIS and SQL servers.


Additional reading
https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/
Implications of turning off FIPS compliance policy.
https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/

Environment:
SQL 2016, Windows 2012 R2.


Tuesday, March 27, 2018

Hyper-V can not be installed: The hypervisor is already running

Using PowerShell, perform the installation in online mode.

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart



Install the Hyper-V tools.

Install-WindowsFeature RSAT-Hyper-V-Tools -IncludeAllSubFeature

Install the clustering feature.

Install-WindowsFeature RSAT-Clustering -IncludeAllSubFeature

Install Multipath IO feature.

Install-WindowsFeature Multipath-IO

Restart the computer and validate.

Friday, March 9, 2018

DFS file shares are not working with the namespace

A summary of the solution is detailed below.

• Symptom - We are facing a problem where the DFS file shares are not working with the namespace once we have introduced the new DFS.
• Cause - Stale information present in Active Directory.
• Resolution -
-> We suggested deleting the "ftDFS class object" from Active Directory using ADSIEDIT and making sure it is synced with all the domain controllers.
Note: In this case, as the replication was not healthy, we had to do the manual intervention to get that done; otherwise it is not required.
-> We ran the commands mentioned below and then reopened the DFS Management console, which now allowed us to redefine the DFS namespace, and everything worked as expected.
dfsutil cache provider flush
dfsutil cache domain flush
dfsutil cache referral flush
dfsutil /pktflush
dfsutil /spcflush
dfsutil /purgemupcache

• More Information -
For a domain-based DFS namespace, verify the removal of the AD DS namespace configuration data. Before the removal process, you must accurately identify the object that is associated with the malfunctioning or inconsistent namespace. To remove the AD DS namespace configuration data, follow these steps:
Open the Adsiedit.msc tool. This tool is included in Windows Server 2008 and requires that the AD DS role or tools are installed. This tool is available in Windows Server 2003 Support Tools.

For more information about the Adsiedit.msc tool, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc773354(WS.10).aspx

Locate the domain partition of the domain hosting the domain-based namespace. Move to the following location:
CN=Dfs-Configuration,CN=System,DC=<domain DN>
Note The <domain DN> placeholder is the distinguished name of the domain.

DFS Namespaces store the configuration objects in this location. "Windows 2000 Server mode" namespaces have an "fTDfs" class object that is named identically to the namespace. "Windows Server 2008 mode" namespaces have an "msDFS-NamespaceAnchor" class object that is named identically to the associated namespace and that may contain additional child objects for any configured folders.
Select the appropriate object such as the "fTDfs" or "msDFS-NamespaceAnchor" object, and then delete it together with any child objects.

Note Active Directory replication latencies may delay this change operation from propagating to the remote domain controllers.
On any namespace servers that are hosting the namespace, verify the removal of the DFS namespace registry configuration data. If other functioning namespaces are hosted on the server, make sure that the registry key of only the inconsistent namespace is removed. To remove the DFS namespace registry configuration data, follow these steps:
In Registry Editor, locate the configuration registry key of the namespace at the appropriate path by using one of the following paths:

Domain-based DFSN in "Windows Server 2008 mode"
HKEY_LOCAL_MACHINE\Software\Microsoft\Dfs\Roots\domainV2
Stand-alone DFSN
HKEY_LOCAL_MACHINE\Software\Microsoft\Dfs\Roots\Standalone
Domain-based DFSN in "Windows 2000 Server mode"
HKEY_LOCAL_MACHINE\Software\Microsoft\Dfs\Roots\Domain
For more information about the Windows 2000 Server registry storage locations, click the following article number to view the article in the Microsoft Knowledge Base:

224384 HOW TO: Force Deletion of DFS Configuration Information

If a registry key that is named identically to the inconsistent namespace is found, use the Dfsutil.exe tool to remove the registry key. For example, run the following command:
dfsutil /clean /server:servername /share:sharename /verbose

Note The servername placeholder is the name of the server hosting the namespace and the sharename placeholder is the name of the root share.
Or, delete the key manually.
On the namespace server, restart the DFS service in Windows Server 2003 or the DFS Namespaces service in Windows Server 2008 to register the change on the service.
Remove the file share that was associated with the namespace from the namespace servers. Failure to follow this step may cause the recreation of the namespace to fail because DFS Namespaces may block the namespace creation.

Windows Server 2003
Open the Computer Management MMC snap-in. To do this, run the Compmgmt.msc tool.
Expand System Tools, expand Shared Folders, and then click Shares.
Right-click the DFS namespace share, and then click Stop Sharing. If you receive the following error message, you must restart the server and then try again to remove the share by using the Computer Management MMC snap-in:
"The system cannot stop sharing <\\server\share> because the shared folder is a Distributed File System (DFS) namespace root"
Windows Server 2008
Open the "Share and Storage Management" MMC snap-in. To do this, run the StorageMgmt.msc tool.
Right-click the share of the namespace, and then click Stop Sharing. If you receive the following error message, you must restart the server and then remove the share by using the Computer Management MMC snap-in:
"The system cannot stop sharing <\\server\share> because the shared folder is a Distributed File System (DFS) namespace root"
Changing the DFS namespace configuration data should only be considered after you evaluate all other recovery options. We recommend that you regularly obtain backups of the system state for the DFS namespace servers and for the domain controllers of domain-based DFS namespaces. These backups may be used to restore the namespace configuration to full operation without the risk of having inconsistent DFS namespace configuration data.
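Added example, not part of the original post or of the KB text quoted above: a PowerShell script that lists the fTDfs and msDFS-NamespaceAnchor objects under CN=Dfs-Configuration and compares them with the root keys this namespace server has registered, so the stale object can be identified before it is deleted with ADSIEDIT. It assumes the RSAT ActiveDirectory module is installed and that it is run on a namespace server; it deletes nothing.

```powershell
# Added example (not from the original post): find DFS namespace objects in AD that
# have no matching root key on this namespace server. Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Get-DfsAdNamespaceObject {
    $domainDN = (Get-ADDomain).DistinguishedName
    $searchBase = "CN=Dfs-Configuration,CN=System,$domainDN"
    # "Windows 2000 Server mode" roots are fTDfs objects, "Windows Server 2008 mode"
    # roots are msDFS-NamespaceAnchor objects; both are named after the namespace.
    Get-ADObject -SearchBase $searchBase -SearchScope OneLevel `
        -LDAPFilter '(|(objectClass=fTDfs)(objectClass=msDFS-NamespaceAnchor))' `
        -Properties whenChanged |
        Select-Object Name, ObjectClass, whenChanged, DistinguishedName
}

function Get-DfsRegistryRoot {
    # Registry locations from the KB text above; each subkey is one hosted root.
    foreach ($path in 'HKLM:\Software\Microsoft\Dfs\Roots\domainV2',
                      'HKLM:\Software\Microsoft\Dfs\Roots\Domain') {
        if (Test-Path $path) {
            Get-ChildItem -Path $path | ForEach-Object {
                [pscustomobject]@{ Name = $_.PSChildName; Mode = Split-Path $path -Leaf }
            }
        }
    }
}

$adRoots  = Get-DfsAdNamespaceObject
$regRoots = Get-DfsRegistryRoot
$adRoots  | Format-Table -AutoSize
$regRoots | Format-Table -AutoSize

# AD objects with no matching root on this server are the candidates for the stale
# "ftDFS class object" described in the resolution; confirm on the other namespace
# servers (and check whenChanged) before removing anything with ADSIEDIT.
$stale = $adRoots | Where-Object { $regRoots.Name -notcontains $_.Name }
foreach ($obj in $stale) {
    Write-Warning "No registry root on $env:COMPUTERNAME for AD object: $($obj.DistinguishedName)"
}
```

Because the symptom was stale AD data with unhealthy replication, run the AD query against more than one domain controller (Get-ADObject -Server) and compare the results before deciding which object is the stale one.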

How DFS stores its information in the registry and Active Directory
https://support.microsoft.com/en-in/help/977511/about-the-dfs-namespaces-service-and-its-configuration-data-on-a-computer-that-is-running-windows-server-2003-or-windows-server-2008
Maintaining the DFS Configuration
https://technet.microsoft.com/en-us/library/cc962150.aspx
Disaster recovery - Backup and restore for DFS
https://support.microsoft.com/en-us/help/969382/recovery-process-of-a-dfs-namespace-in-windows-2003-and-2008-server