My little part of the Internet

Month: April 2007

Windows Firewall Network Awareness….. how it works it out

Stolen from Mark Minasi’s supurb site…. at http://www.minasi.com/newsletters/nws0409.htm handy referance how Windows XP SP2+ detects between Standard and Domain settings.   In Vista this changes but its the same principle.
===
There’s a personal firewall built into XP that’s always been there.  But now it’s kind of “in your face,” as it’s turned on by default and it’s much easier to configure and control from the GUI, group policies, and command-line tools.
Even better, it’s got two “profiles;” it behaves one way when you’re inside your domain and another when you’re outside, such as when you’re connected to the Internet with your laptop from home or a hotel.
You might have heard about Firewall’s two profiles, the “standard” and the “domain” profile.  (“Domain” means you’re in the domain, on site; “standard” means you’re somewhere else, out of the firewall.)  But did you ever wonder, how does it know when you’re “in the domain?”  I wondered.  Is it something as easy as IP address ranges?  Pinging the domain controller to measure the latency periods?  Arcanely measuring the Earth’s magnetic field to estimate how far you are from Headquarters?  Nope.  It’s like this:

  • Windows Firewall (call it WF) remembers the last time that you got group policies.
  • It remembers the DNS suffix of the system that you got them from.  (So, for example, if your AD domain was called bigfirm.com, then the domain controller (DC) that your system got the group policies from almost certainly had a DNS suffix of bigfirm.com.)
  • WF then looks at all of your network adapters — here’s where it gets geeky — and examines their adapter-specific DNS suffixes.  If any of them match the DNS suffix of your last GP update, then it assumes you’re in the domain.

In English, then… suppose you’re out on the road and for some reason want the firewall to think that you’re in “domain” mode rather than “standard” mode.  Just go to the Advanced properties of your NIC, click the DNS tab and punch in your domain’s name in the “DNS suffix” field, and your firewall will behave as if you’re on the corporate grounds.  
That, by the way was the simplified version; if you’d like to know more about how the network location awareness in Windows works, get this article:
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

Controlling SSL Ciphers on Windows 2003/2008 Server

On Windows 2003/2008 Servers running anything over SSL (ie HTTPS) via applications like IIS, Terminal Services (SP1+) and ISA Server even if the application can set ‘Force 128bit encryption’ other weak ciphers are still availible on the server.
 To stop this:
1) Backup your registry or at least export the key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL
2) Copy below into a text document and rename to .reg

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsPCT 1.0Client]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsPCT 1.0Server]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Client]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELProtocolsSSL 2.0Server]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphers]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersDES 56/56]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC2 40/128]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC4 40/128]
“Enabled”=dword:00000000

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersRC4 56/128]
“Enabled”=dword:00000000
 

3) Double click the .reg file to run and answer Yes to dialog
4) Confirm working ciphers.  A good site is http://www.serversniff.net/content.php?do=ssl 
 Have fun

© 2024 Kevsters Blog

Theme by Anders NorénUp ↑