Kevsters Blog

My little part of the Internet


Windows Firewall Network Awareness..... how it works it out

Stolen from Mark Minasi's superb site.... at http://www.minasi.com/newsletters/nws0409.htm, a handy reference for how Windows XP SP2+ decides between the Standard and Domain settings. In Vista this changes, but it's the same principle.
===
There’s a personal firewall built into XP that’s always been there.  But now it’s kind of “in your face,” as it’s turned on by default and it’s much easier to configure and control from the GUI, group policies, and command-line tools.
Even better, it’s got two “profiles;” it behaves one way when you’re inside your domain and another when you’re outside, such as when you’re connected to the Internet with your laptop from home or a hotel.
You might have heard about Firewall’s two profiles, the “standard” and the “domain” profile.  (“Domain” means you’re in the domain, on site; “standard” means you’re somewhere else, out of the firewall.)  But did you ever wonder, how does it know when you’re “in the domain?”  I wondered.  Is it something as easy as IP address ranges?  Pinging the domain controller to measure the latency periods?  Arcanely measuring the Earth’s magnetic field to estimate how far you are from Headquarters?  Nope.  It’s like this:

  • Windows Firewall (call it WF) remembers the last time that you got group policies.
  • It remembers the DNS suffix of the system that you got them from.  (So, for example, if your AD domain was called bigfirm.com, then the domain controller (DC) that your system got the group policies from almost certainly had a DNS suffix of bigfirm.com.)
  • WF then looks at all of your network adapters — here’s where it gets geeky — and examines their adapter-specific DNS suffixes.  If any of them match the DNS suffix of your last GP update, then it assumes you’re in the domain.

In English, then… suppose you’re out on the road and for some reason want the firewall to think that you’re in “domain” mode rather than “standard” mode.  Just go to the Advanced properties of your NIC, click the DNS tab and punch in your domain’s name in the “DNS suffix” field, and your firewall will behave as if you’re on the corporate grounds.  
That, by the way was the simplified version; if you’d like to know more about how the network location awareness in Windows works, get this article:
http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx

Controlling SSL Ciphers on Windows 2003/2008 Server

On Windows 2003/2008 Servers running anything over SSL (i.e. HTTPS) via applications like IIS, Terminal Services (SP1+) and ISA Server, even if the application can set 'Force 128-bit encryption', other weak ciphers are still available on the server, because the protocol and cipher list is controlled system-wide by SCHANNEL in the registry, not by the application.
To stop this:
1) Back up your registry, or at least export the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
2) Copy the text below into a text document and rename it with a .reg extension

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

3) Double-click the .reg file to import it and answer Yes to the dialog
4) Confirm which ciphers the server still offers. A good site is http://www.serversniff.net/content.php?do=ssl
Have fun
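As an added example (not from the post), a small Python audit that parses a Regedit 5.00 export in the format above and reports which of the weak protocols and ciphers the post lists are disabled, still enabled, or not covered at all; the sample input is constructed. It only checks the file, not what the server actually negotiates, which is what step 4 is for.

```python
import re

# Constructed sample in the same Regedit 5.00 format as the post's .reg file
# (deliberately incomplete, and with one cipher left enabled).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:ffffffff
"""

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# The protocols and ciphers the post's .reg file turns off; each should carry Enabled=0.
WEAK_ITEMS = [
    r"Protocols\PCT 1.0\Client", r"Protocols\PCT 1.0\Server",
    r"Protocols\SSL 2.0\Client", r"Protocols\SSL 2.0\Server",
    r"Ciphers\DES 56/56", r"Ciphers\RC2 40/128",
    r"Ciphers\RC4 40/128", r"Ciphers\RC4 56/128",
]

def parse_reg(text):
    """Parse Regedit 5.00 text into {key: {value_name: int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                   # a [key] header starts a new section
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:           # "Name"=dword:xxxxxxxx inside a section
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def audit(reg_text):
    """Return (disabled, still_enabled, not_covered) lists of the weak items."""
    keys = parse_reg(reg_text)
    disabled, enabled, missing = [], [], []
    for item in WEAK_ITEMS:
        values = keys.get(SCHANNEL + "\\" + item)
        if values is None or "Enabled" not in values:
            missing.append(item)
        elif values["Enabled"] == 0:
            disabled.append(item)
        else:
            enabled.append(item)
    return disabled, enabled, missing

if __name__ == "__main__":
    for label, items in zip(("disabled", "still enabled", "not covered"), audit(SAMPLE_REG)):
        print(f"{label}: {items}")
```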

Adding routes to modern Linuxes

Shamelessly robbed from http://www.akadia.com/services/redhat_static_routes.html

Overview

With the introduction of Redhat version 8 and continued into version 9, the /etc/sysconfig/static-routes file no longer seems to function correctly.

Linux static routes changed in 8.0 to a new format. Now you are to create a file in /etc/sysconfig/network-scripts for each Ethernet interface you wish to create static routes on.

Example:

touch /etc/sysconfig/network-scripts/route-eth0

The syntax for this file is different from the traditional route format used in /etc/sysconfig/static-routes. Redhat has yet to document the change on their web site as of June 2003.

The syntax is based on a usenet post: go to /etc/sysconfig/network-scripts, make a file called route-<devicename> (e.g. route-eth0) and populate it with your static routes for that device. So if you wanted to make a static route to the 192.168.0.0/24 network through 152.3.182.5, type:

192.168.0.0/24 via 152.3.182.5

Persistent static routes for ANY linux distribution

You may use this method to add static routes and it will work under any Linux distribution. However, it is considered by some a ‘hack’ or the ‘ugly way’.

Edit your /etc/rc.local file and add your static routes using the route statement.

Example:

route add -net 10.10.98.0 netmask 255.255.255.0 gw 10.164.234.132 dev eth1
route add -net 10.164.234.96 netmask 255.255.255.252 gw 10.164.234.132 dev eth1
route add -net 10.164.234.112 netmask 255.255.255.240 gw 10.164.234.132 dev eth1

Force the old static-routes file to work under Redhat 9

Clear out the new /etc/sysconfig/network-scripts/ifup-routes script so that you can populate it with the original shell script from Redhat 7.x.

cat /dev/null > /etc/sysconfig/network-scripts/ifup-routes
vi /etc/sysconfig/network-scripts/ifup-routes

Type in the following (or copy and paste):

#!/bin/sh

# adds static routes which go through device $1

if [ "$1" = "" ]; then
  echo "usage: $0 <net-device>"
  exit 1
fi

if [ ! -f /etc/sysconfig/static-routes ]; then
  exit 0
fi

# note the trailing space in the grep gets rid of aliases
grep "^$1 " /etc/sysconfig/static-routes | while read device args; do
  /sbin/route add -$args $device
done
grep "^any " /etc/sysconfig/static-routes | while read ignore type net netmask mask bogus dev ; do
  if [ "$dev" = "$1" ]; then
    /sbin/route add -$type $net $netmask $mask $dev
  fi
done
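As an added example (not part of the original article), a Python converter from the old /etc/sysconfig/static-routes format that the ifup-routes script above parses into the per-device route-<device> files of the new format. The sample routes are constructed, and the 'dev' form of the output line for gateway-less routes is an assumption taken from ip route syntax rather than something the article shows.

```python
import ipaddress

# Constructed sample in the Red Hat 7.x /etc/sysconfig/static-routes format that
# the ifup-routes script above parses: "<dev> net ... gw G" lines are gateway
# routes on that device; "any net ... dev D" lines are device routes without a gateway.
OLD_STATIC_ROUTES = """\
eth1 net 10.10.98.0 netmask 255.255.255.0 gw 10.164.234.132
eth1 net 10.164.234.96 netmask 255.255.255.252 gw 10.164.234.132
any net 10.164.234.112 netmask 255.255.255.240 dev eth0
eth0 net 10.164.234.129 netmask 255.255.255.240 gw 10.164.234.1
"""

def convert_static_routes(text):
    """Return ({"route-<dev>": [line, ...]}, [rejected lines]).

    Gateway routes become the 'NET/PREFIX via GATEWAY' form shown above;
    gateway-less 'any' routes become 'NET/PREFIX dev DEVICE' (ip route
    syntax, assumed here rather than taken from the article).
    """
    files, rejected = {}, []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        try:
            if len(f) != 7 or f[1] != "net" or f[3] != "netmask":
                raise ValueError("unrecognised static-routes line")
            # strict=True (the default) rejects a net address with host bits set
            dest = ipaddress.ip_network(f"{f[2]}/{f[4]}")
            if f[0] != "any" and f[5] == "gw":
                device, gw = f[0], ipaddress.ip_address(f[6])
                entry = f"{dest.with_prefixlen} via {gw}"
            elif f[0] == "any" and f[5] == "dev":
                device, entry = f[6], f"{dest.with_prefixlen} dev {f[6]}"
            else:
                raise ValueError("unrecognised static-routes line")
        except ValueError as err:
            rejected.append(f"{raw.strip()}  # {err}")
            continue
        files.setdefault(f"route-{device}", []).append(entry)
    return files, rejected

if __name__ == "__main__":
    files, rejected = convert_static_routes(OLD_STATIC_ROUTES)
    for name, lines in files.items():
        print(f"# /etc/sysconfig/network-scripts/{name}\n" + "\n".join(lines))
    for line in rejected:
        print("rejected:", line)
```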

Remember to use /etc/sysconfig/network for your default gateway

If you only intend to add one route, your default gateway, then you need not worry about the static routes file or using the route command. Simply add your default gateway in /etc/sysconfig/network.

Example

NETWORKING=yes
HOSTNAME="hostname.linux.org"
GATEWAY="10.164.234.1"
GATEWAYDEV="eth0"
FORWARD_IPV4="yes"

Useful IOS commands

Shamefully taken from https://www.eng.uwaterloo.ca/twiki/bin/view/Engcomp/CommonCiscoCommands

To enable privileged command mode

enable

To enter switch configuration mode (from privileged command mode)

configure terminal

To enter port configuration mode (from switch configuration mode)

interface FastEthernet0/5

To return from one mode to the previous mode

exit

To show the mac table

show mac-address-table

To show port information

show interfaces

To show the switch version

show version

To save the configuration

write memory

To show the configuration

show running-config

To set the port description of FastEthernet0/5 to “engmail”

configure terminal
interface FastEthernet0/5
description engmail
exit

To remove the port description from FastEthernet0/5

configure terminal
interface FastEthernet0/5
no description
exit

To set FastEthernet0/5 to 100/full

configure terminal
interface FastEthernet0/5
speed 100
duplex full
exit

To set FastEthernet0/5 to auto/auto

configure terminal
interface FastEthernet0/5
speed auto
duplex auto
exit

To turn FastEthernet0/5 into a dot1q trunk

configure terminal
interface FastEthernet0/5
no switchport access vlan
switchport mode trunk
switchport trunk encapsulation dot1q
exit

To turn FastEthernet0/5 into a non trunk

configure terminal
interface FastEthernet0/5
no switchport mode trunk
no switchport trunk encapsulation
no switchport trunk allowed vlan
no switchport trunk native vlan
switchport mode access
exit

To set the allowed vlans on trunk port FastEthernet0/5 to 20,50,100

configure terminal
interface FastEthernet0/5
switchport trunk allowed vlan 20,50,100
exit

To remove the allowed vlans from trunk port FastEthernet0/5 (will default to all vlans in vlan database)

configure terminal
interface FastEthernet0/5
no switchport trunk allowed vlan
exit

To restrict the number of mac address on FastEthernet0/5 to 1

2900/3500 series…

configure terminal
interface FastEthernet0/5
port security max-mac-count 1
exit

2950/3550 series…

conf term
interface FastEthernet0/5
switchport port-security
switchport port-security maximum 1
switchport port-security violation protect
switchport port-security mac-address sticky
switchport port-security aging static
exit

To remove the mac address restriction from FastEthernet0/5

configure terminal
interface FastEthernet0/5
no port security
exit

To set the vlan on FastEthernet0/5 to 150

configure terminal
interface FastEthernet0/5
switchport access vlan 150
exit

To remove the vlan from FastEthernet0/5 (port will default to vlan 1)

configure terminal
interface FastEthernet0/5
no switchport access vlan
exit

To set the native vlan (untagged vlan) on trunk FastEthernet0/5 to 75

configure terminal
interface FastEthernet0/5
switchport trunk native vlan 75
exit

To remove the native vlan (untagged vlan) from trunk FastEthernet0/5

configure terminal
interface FastEthernet0/5
no switchport trunk native vlan
exit

To set FastEthernet0/5 to portfast

configure terminal
interface FastEthernet0/5
spanning-tree portfast
exit

To set FastEthernet0/5 to not be portfast

configure terminal
interface FastEthernet0/5
no spanning-tree portfast
exit

To disable spanning tree on vlan 20

configure terminal
no span vlan 20
exit

To enable spanning tree on vlan 20

configure terminal
span vlan 20
exit

To disable port FastEthernet0/5

configure terminal
interface FastEthernet0/5
shutdown
exit

To enable port FastEthernet0/5

configure terminal
interface FastEthernet0/5
no shutdown
exit

To get a GBIC port to talk to a BayStack

configure terminal
interface GigabitEthernet0/2
no negotiation auto
exit

IOS upgrade (general procedure)

Important. Read the Cisco documentation. This procedure is minimal, and does not install the web management interface. Do not follow these instructions unless you are familiar with the procedure.

dir flash:

delete the html directory, and diag file (if any)

delete flash:html/*

rename the existing image to the name of the new image

rename flash:c3500XL-c3h2s-mz.120-5.WC2.bin flash:c3500xl-c3h2s-mz.120-5.WC5a.bin
conf term
boot system flash:c3500xl-c3h2s-mz.120-5.WC5a.bin
exit
copy tftp://129.97.x.y/tmpdata/c3500xl-c3h2s-mz.120-5.WC5a.bin flash:c3500xl-c3h2s-mz.120-5.WC5a.bin
copy flash:c3500xl-c3h2s-mz.120-5.WC5a.bin tftp://129.97.x.y/tmpdata/junk

check the md5 on junk compared to c3500xl-c3h2s-mz.120-5.WC5a.bin before doing the reload

write mem
reload

Useful Unix Tools

I can never remember any of these commands. I know that you flip-flop wearing, bearded, leather-patch wallahs can, but here's a list that is very useful.
vmstat n – shows virtual memory, disk I/O, swap etc. usage. The n makes it refresh every n seconds.
/etc/sysconfig/network-scripts/ifcfg-eth1 – used to set a static interface on most Linuxes.
Contents something like:
# Description of type
DEVICE=eth1
BOOTPROTO=static
IPADDR=x.x.x.x
NETMASK=x.x.x.x
ONBOOT=yes
TYPE=Ethernet

Remember to use /etc/sysconfig/network for your default gateway

NETWORKING=yes
HOSTNAME="hostname.linux.org"
GATEWAY="10.164.234.1"
GATEWAYDEV="eth0"
FORWARD_IPV4="yes"

tar – used to combine files into one archive file, or to extract them again – does not compress
tar cvf nameoftarfile.tar -I textfile.txt – takes the list of files in the text file and adds them to the tar (-I is the Solaris tar option; GNU tar uses -T for the same thing)
tar xvf nameoftarfile.tar – extract, listing each file as it goes
Solaris and 802.1q tagged interfaces
Interfaces are usually called ce<VLANID>000 (the VLAN ID times 1000 plus the instance number, so VLAN 5 on ce0 is ce5000) and are configured with a /etc/hostname.ce<VLANID>000 file
Adding interfaces to Solaris – making sure they work on boot
vi /etc/netmasks – add the subnet to this
vi /etc/hosts – add the interface address and VLAN
create a /etc/hostname.ce<VLANID>000 file (containing the name you put in /etc/hosts)
manually plumb:
  ifconfig ce<VLANID>000 plumb (bring up L1)
  ifconfig ce<VLANID>000 inet x.x.x.x netmask x.x.x.x broadcast x.x.x.x
  ifconfig ce<VLANID>000 up
I'll keep adding as I think of them

Making Bootable Windows CD/DVDs

Just a refresh and a quick note here…..
Main things to do:

  1. Put all the files into a main folder
  2. Get a copy of the boot files (various places including http://www.tacktech.com/pub/microsoft/bootfiles/bootfiles.zip)
  3. Use Nero to burn a new Bootable DVD/CD
  4. When the dialog opens, set Bootable Disc Type: to No Emulation.
    Click the “>>Advanced” button, and set the Load Segment: to 0x000 and the Sector Count: to 4. Now click “Browse” where the dialog asks you to “locate the image file that contains the bootable image.”
  5. Follow the usual process to make the DVD, remembering to keep a copy of the ISO/NRG image 🙂

Good luck

Greenlaning site

One of my interests is Greenlaning and Off Roading. I used to own a real old Series IIA Land Rover that was a classic, but it's no more – lost in time.
Luckily some of my mukkas still have some top motors and we get away quite a lot. Check out http://blackcountrylaners.co.uk for our site – especially the Files (Videos) and the Photo section.


© 2024 Kevsters Blog
