Configure RDP over SSL with SelfSSL

Posted on October 21st, 2006 in Microsoft, Server 2003 by Gil Kreslavsky


Windows 2003 Service Pack 1 includes a new feature, RDP over SSL. It lets you use TLS for server authentication and encryption of your RDP connections; in this post SelfSSL is used to create the SSL certificate. The connection still uses RDP on TCP port 3389, so your firewall rules should not need to be modified.

Before we get started there are a few prerequisites on both the server side and the client side that need to be met.

Server-side

- The Terminal Server must run 2003 SP1
- The Terminal Server must have a certificate from a Windows CA or a 3rd party CA
- The certificate must meet the following criteria:
  - Certificate is a computer certificate
  - Certificate is for server authentication
  - Certificate must have a private key
  - Certificate is stored in the TS personal store
  - Certificate has a Cryptographic Service Provider that can be used for TLS/SSL

Client-side

- Must run Windows 2000, Windows XP, or Windows 2003
- Must use RDP Client 5.2; it can be found on the 2003 SP1 server under %systemroot%\system32\clients\tsclient\win32\msrdpcli.msi
- Must trust the root CA for the certificate

If you do not have a CA, don’t wish to spend money on a "real" SSL cert, or just want to do some testing, you can use SelfSSL from the IIS 6.0 Resource Kit. Once you have downloaded and installed SelfSSL, run it with the following command (SelfSSL takes the common name through its /N switch):

SelfSSL.exe /N:CN=domain.com /V:365

The command creates and installs a certificate for domain.com that is valid for 365 days. If you do not have IIS installed you may get an error message; you can ignore it, the SSL certificate is still created and installed. The CN must be the name clients will use to reach the Terminal Server.
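To confirm that the certificate SelfSSL installed actually meets the server-side criteria listed above, here is an added PowerShell check (not part of the original post). It assumes PowerShell is available on the Terminal Server and that $ExpectedCN is the name clients will connect with.

```powershell
# Added example (not from the original post): inspect the computer's personal
# certificate store and report, per certificate, whether it satisfies the
# RDP-over-SSL criteria. $ExpectedCN is a placeholder for the real host name.
param([string]$ExpectedCN = 'domain.com')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $eku  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # A certificate with no EKU extension is valid for any purpose; otherwise
    # Server Authentication must be listed explicitly.
    $serverAuth = (-not $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
        Select-Object -First 1) -replace '^CN=', ''
    # Legacy CSP name, if the key is held by a CSP (null for CNG keys)
    $csp = $(try { $cert.PrivateKey.CspKeyContainerInfo.ProviderName } catch { $null })

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        CN            = $cn
        CNMatches     = ($cn -eq $ExpectedCN)
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEKU = $serverAuth
        NotExpired    = ($cert.NotAfter -gt (Get-Date))
        Provider      = $csp
        ChainTrusted  = $cert.Verify()   # false for a SelfSSL cert until the client trusts it
    }
} | Format-Table -AutoSize
```

ChainTrusted will be false for the self-signed certificate on the server itself; that is expected and is why the client-side import step later in the post is needed.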

Next open up Administrative Tools, and launch the Terminal Server Configuration applet. Right-click RDP-Tcp and select properties.

Click Edit next to Certificate; you will be shown the SSL certificate that SelfSSL created. Select it and click OK.

Next, select SSL from the Security Layer drop-down box and set the Encryption Level to High.

Now you will need to install the new RDP client on all workstations that will be accessing the Terminal Server. You will notice a new tab under the connection properties called Security. Select this tab and then choose Require Authentication from the drop-down.

When you try to connect, you will be denied access because the SSL cert is not trusted. Click View Certificate, and then Install to install the certificate into the local machine's certificate store.

Attempt to connect again and the connection will be allowed. You are now connected through RDP over SSL. If you are connected in full screen mode, you will see the SSL lock symbol next to the pushpin in the yellow toolbar.

Source: http://thelazyadmin.com

Download Details: Internet Information Services (IIS) 6.0 Resource Kit Tools
Article ID: 275727 – High Encryption on a Remote Desktop or Terminal Services Session Does Not Encrypt All Information

Removing Symantec Antivirus Corporate Edition SCScleanwipe

Posted on October 17th, 2006 in Symantec by Gil Kreslavsky

Sometimes removing Corporate Edition is not that easy.

Don’t worry, this tool will do the job.

Download the zipped file scscleanwipe to your desktop.


Warnings about SCSCleanWipe:

SCSCleanWipe removes ALL Symantec products, not only the AntiVirus program. If you have other Symantec programs installed, make sure you can reinstall them after running SCSCleanWipe.

The SCSCleanWipe User’s Guide says: “…SCSCleanWipe is an unsupported Symantec tool provided as a fallback resource in case a regular uninstallation cannot properly commence. The tool is provided as an “as is” state and Symantec takes no responsibilities with any unforeseen errors resulting from usage of the tool.”

How to download and use SCSCleanWipe

  1. Save SCSCleanWipe.zip to your desktop
  2. Close the browser
  3. On the desktop, double click SCSCleanWipe.zip
  4. Double click SCS_CleanWipe.bat
  5. Click Extract all
  6. Click Next
  7. Click Next
  8. Click Finish
  9. Close both SCSCleanWipe windows
  10. Find the SCSCleanWipe folder, double click it
  11. Double click SCS_CleanWipe.bat

The SCSCleanWipe manual is in the Docs folder, SCS CleanWipe Users Guide.doc.

If you want to remove it manually, go to the Symantec site.

NTFS Junction Points

Posted on October 16th, 2006 in Other by Gil Kreslavsky

NTFS Junction Points allow you to graft a target folder onto another NTFS folder and ‘mount’ a volume onto an NTFS Junction Point. This effectively eliminates the 26 drive letter limitation.
I actually used it for FTP isolation: restrict users to their own directories, but give certain users the ability to read/write to all FTP users’ directories.

It is possible to do something like that using a hierarchy that resembles the following example:

c:\inetpub
    ftproot
        LocalUser
            User1 [junction] ==> d:\users\content1
            User2 [junction] ==> d:\users\content2
            User3
                User1 [junction] ==> d:\users\content1
                User2 [junction] ==> d:\users\content2

That being said, you would have to make sure that the folders have the correct permissions. For example, User1 needs to have R/W access to the d:\users\content1 folder, User2 needs to have R/W access to d:\users\content2, and User3 needs to have R/W access to both the d:\users\content1 and d:\users\content2 folders.
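The hierarchy and permissions described above, built with an added PowerShell script (not from the original post or the MSDN source). It assumes PowerShell 5.1 or later (for New-Item -ItemType Junction), that the local accounts User1, User2 and User3 already exist, and the paths shown in the example tree.

```powershell
# Added example (not from the original post): create the FTP isolation tree with
# junctions and grant each user the permissions the post describes.
$ftpRoot = 'C:\inetpub\ftproot\LocalUser'
$content = @{ User1 = 'D:\users\content1'; User2 = 'D:\users\content2' }

# Junctions to create: <folder under LocalUser> ==> <real content folder>
$junctions = @(
    @{ Path = "$ftpRoot\User1";       Target = $content.User1 },
    @{ Path = "$ftpRoot\User2";       Target = $content.User2 },
    @{ Path = "$ftpRoot\User3\User1"; Target = $content.User1 },
    @{ Path = "$ftpRoot\User3\User2"; Target = $content.User2 }
)

# The data lives in the target folders, so that is where NTFS permissions matter.
foreach ($dir in @($content.Values) + "$ftpRoot\User3") {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
}

foreach ($j in $junctions) {
    if (-not (Test-Path -LiteralPath $j.Path)) {
        New-Item -ItemType Junction -Path $j.Path -Target $j.Target | Out-Null
    }
}

# Modify (read/write) on each content folder; (OI)(CI) inherits to files and subfolders.
icacls $content.User1 /grant 'User1:(OI)(CI)M' 'User3:(OI)(CI)M'
icacls $content.User2 /grant 'User2:(OI)(CI)M' 'User3:(OI)(CI)M'
# User3's own folder only needs read/traverse so the junctions can be reached.
icacls "$ftpRoot\User3" /grant 'User3:(OI)(CI)RX'

# Verify: junctions report LinkType and Target
Get-ChildItem -LiteralPath $ftpRoot -Recurse -Force |
    Where-Object LinkType -eq 'Junction' |
    Select-Object FullName, Target
```

Because a junction is followed transparently, the ACL on the junction folder itself does not restrict access; only the ACLs on d:\users\content1 and d:\users\content2 do, which is why the grants are applied to the targets.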

————————————————————————————

Source: http://blogs.msdn.com/robert_mcmurray/archive/2006/05/08/592821.aspx

Some links
http://forums.serverbeach.com/archive/index.php/t-1904.html
http://www.codeproject.com/useritems/JunctionPointsNet.asp
http://www.rekenwonder.com/linkmagic.htm
http://www.sysinternals.com/Utilities/Junction.html
http://support.microsoft.com/?kbid=205524

To add additional hidden components to Add/Remove Programs

Posted on October 16th, 2006 in Other by Gil Kreslavsky

To add additional components to the Add/Remove Programs list (Windows Components):

In Windows Explorer, go to Tools / Folder Options / View and enable Show Hidden Files and Folders and Show Extensions for Known File Types. Then open the Inf folder in Windows Explorer and double-click Sysoc.inf. You will find several lines that include the word ‘hide’. Simply remove the word ‘hide’ (but leave the comma). Save and exit. The component will then be listed in Add/Remove Programs, and you can remove it from there.

Add and Remove – Show All Files

Windows XP doesn’t let you add or remove all the programs it installs by default. Multimedia applications, the XP messenger, games, accessories, and accessibility options do not show up in the Add/Remove Programs dialog box. What if you want to get rid of them? Here’s how to make Windows treat these applications just like it treats all the others.

Go to Windows Explorer/Inf. In the right pane, scroll down to sysoc.inf, double click it. Scroll down to:

[Components]
NtComponents=ntoc.dll,NtOcSetupProc,,4
WBEM=ocgen.dll,OcEntry,wbemoc.inf,hide,7
Display=desk.cpl,DisplayOcSetupProc,,7
Fax=fxsocm.dll,FaxOcmSetupProc,fxsocm.inf,,7
NetOC=netoc.dll,NetOcSetupProc,netoc.inf,,7
iis=iis.dll,OcEntry,iis.inf,,7
com=comsetup.dll,OcEntry,comnt5.inf,hide,7
dtc=msdtcstp.dll,OcEntry,dtcnt5.inf,hide,7
IndexSrv_System = setupqry.dll,IndexSrv,setupqry.inf,,7
TerminalServer=TsOc.dll, HydraOc, TsOc.inf,hide,2
msmq=msmqocm.dll,MsmqOcm,msmqocm.inf,,6
ims=imsinsnt.dll,OcEntry,ims.inf,,7
fp_extensions=fp40ext.dll,FrontPage4Extensions,fp40ext.inf,,7
AutoUpdate=ocgen.dll,OcEntry,au.inf,hide,7
msmsgs=msgrocm.dll,OcEntry,msmsgs.inf,hide,7
WMAccess=ocgen.dll,OcEntry,wmaccess.inf,,7
RootAutoUpdate=ocgen.dll,OcEntry,rootau.inf,,7
IEAccess=ocgen.dll,OcEntry,ieaccess.inf,,7
OEAccess=ocgen.dll,OcEntry,oeaccess.inf,,7
WMPOCM=ocgen.dll,OcEntry,wmpocm.inf,,7

Games=ocgen.dll,OcEntry,games.inf,,7
AccessUtil=ocgen.dll,OcEntry,accessor.inf,,7
CommApps=ocgen.dll,OcEntry,communic.inf,HIDE,7
MultiM=ocgen.dll,OcEntry,multimed.inf,HIDE,7
AccessOpt=ocgen.dll,OcEntry,optional.inf,HIDE,7
Pinball=ocgen.dll,OcEntry,pinball.inf,HIDE,7
MSWordPad=ocgen.dll,OcEntry,wordpad.inf,HIDE,7
ZoneGames=zoneoc.dll,ZoneSetupProc,igames.inf,,7

  1. The word “HIDE” in an entry hides that application from your Add/Remove Programs dialog box. To add games to the Add/Remove menu, delete the word HIDE from its entry (but leave the commas that surround it). You also have to remove “HIDE” from the “AccessUtil=” entry for this tip to work.

  2. Save the file. Check for the new entries in the Add/Remove Programs dialog box after you restart your computer.
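The same edit done with an added PowerShell script (not from the original post) that parses the [Components] section, blanks only the hide flag while keeping its commas, and leaves a backup. It assumes an elevated shell, the default sysoc.inf path under the Windows directory, and the component names the tip mentions as defaults.

```powershell
# Added example (not from the original post): un-hide Windows Components in
# sysoc.inf. Only the 4th comma-separated field ('hide', any case) of the named
# [Components] entries is cleared; every comma is preserved.
param(
    [string]   $Path       = "$env:windir\inf\sysoc.inf",
    [string[]] $Components = @('Games', 'AccessUtil', 'MultiM', 'CommApps')
)

function Unhide-SysocComponent {
    param([string[]]$Lines, [string[]]$Names)
    $inComponents = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {            # section header
            $inComponents = ($Matches[1] -eq 'Components')
            $line; continue
        }
        # key=value lines inside [Components]; value is a comma-separated field list
        if ($inComponents -and $line -match '^\s*([^=;]+?)\s*=\s*(.*)$' -and
            $Names -contains $Matches[1]) {
            $fields = $Matches[2] -split ','
            if ($fields.Count -ge 4 -and $fields[3].Trim() -ieq 'hide') {
                $fields[3] = ''                             # blank the flag, keep the comma
            }
            "$($Matches[1])=$($fields -join ',')"
        } else {
            $line                                           # comments, blanks, other entries
        }
    }
}

$original = Get-Content -Path $Path
Copy-Item -Path $Path -Destination "$Path.bak" -Force     # backup to restore from
$updated  = Unhide-SysocComponent -Lines $original -Names $Components
Set-Content -Path $Path -Value $updated -Encoding Ascii

# Show the edited entries
$updated | Where-Object { $_ -match "^($($Components -join '|'))=" }
```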

Summer clock (Daylight Savings Time or DST)

Posted on October 16th, 2006 in Other by Gil Kreslavsky

Microsoft Windows

The time zone database in most Windows-based computer systems stores only a single start and end rule for each zone, and daylight saving information is stored in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\, under the TZI registry value. (In Windows XP and Windows 2003, the active time zone information is stored in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation\.) For example, a rule might say that DST ends on the last Sunday in October, regardless of year. When the rule changes (e.g. Israeli DST ending almost one month earlier than in the United States), an update needs to be applied. In the case of a single-year anomaly, a new time zone is created and used. Before the following year, the time zone will have to be switched back to the original. For permanent rule changes, the rule definition for the time zone can be changed without requiring a new time zone to be set up.

One of the problems of this approach is that software that uses time zone information will get incorrect results if it refers to a year whose rules differ from those currently in the database. Microsoft did not modify the start and end rule for the time zones affected, but instead added new time zones with the words “(Commonwealth Games)”, which caused various issues with many software applications, including MS Outlook and several accounting packages. Workarounds for the issue were to use the Microsoft utility timezone to modify the start and finish of each affected time zone, then either reboot the computer or go into Date and Time in the Control Panel, click on the Time Zone tab and click OK to force Windows to refresh its daylight saving time information.

Utilities and more information can be found at:
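Since the current rule for a zone is what the TZI value says it is, here is an added PowerShell decoder (not from the original post) for that 44-byte value: three 32-bit bias fields followed by two SYSTEMTIME rules. The sample bytes are constructed for the illustration, not read from a real machine; the zone key name at the end assumes you want to check the Israeli zone.

```powershell
# Added example (not from the original post): decode a TZI REG_BINARY value
# (Bias, StandardBias, DaylightBias as Int32, then StandardDate and DaylightDate
# as SYSTEMTIME) to see which start/end rule Windows currently holds.
function ConvertFrom-Tzi {
    param([byte[]]$Bytes)
    if ($Bytes.Length -ne 44) { throw "TZI must be 44 bytes, got $($Bytes.Length)" }
    $days = 'Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    # SYSTEMTIME: 8 little-endian WORDs. In a TZI rule wYear is 0 (recurring rule)
    # and wDay is the occurrence of wDayOfWeek within wMonth (1..4, 5 = last).
    function Read-Rule([int]$Offset) {
        $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $Offset + 2 * $_) }
        if ($w[1] -eq 0) { return 'none (no transition)' }
        $week = if ($w[3] -eq 5) { 'last' } else { "week $($w[3])" }
        "$week $($days[$w[2]]) of month $($w[1]) at {0:d2}:{1:d2}" -f $w[4], $w[5]
    }
    [pscustomobject]@{
        BiasMinutes    = [BitConverter]::ToInt32($Bytes, 0)   # UTC = local + Bias
        StandardBias   = [BitConverter]::ToInt32($Bytes, 4)
        DaylightBias   = [BitConverter]::ToInt32($Bytes, 8)   # usually -60
        StandardStarts = Read-Rule 12                         # when DST ends
        DaylightStarts = Read-Rule 28                         # when DST begins
    }
}

# Constructed sample: UTC+2 with DST of +1h, standard time resuming on the
# last Sunday of October at 02:00 and DST starting on the last Friday of March at 02:00.
$sample = [byte[]](
    0x88,0xFF,0xFF,0xFF,  0,0,0,0,  0xC4,0xFF,0xFF,0xFF,
    0,0, 10,0, 0,0, 5,0, 2,0, 0,0, 0,0, 0,0,      # StandardDate
    0,0,  3,0, 5,0, 5,0, 2,0, 0,0, 0,0, 0,0 )     # DaylightDate
ConvertFrom-Tzi -Bytes $sample

# Live value for a zone (run on the machine you are checking):
# $tzi = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Israel Standard Time').TZI
# ConvertFrom-Tzi -Bytes $tzi
```

Comparing the decoded rule against the dates in the table at the end of the post shows immediately whether a given year needs the one-off time zone or a permanent rule change.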

http://www.petri.co.il/summer_clock_in_israel_for_2006.htm

http://guy.netguru.co.il/

http://gsexdev.blogspot.com/

http://regevnet.dyndns.org/ (the site is in Hebrew)

The start and stop dates for Daylight Saving Time (IDT) for 2002 – 2009 are:

Year   Start    End
2002   Mar 29   Oct 7
2003   Mar 28   Oct 3
2004   Apr 7    Sep 22
2005   Apr 1    Oct 9
2006   Mar 31   Oct 1
2007   Mar 30   Sep 16*
2008   Mar 28   Oct 5
2009   Mar 27   Sep 27