Stuff I'm Up To

Technical Ramblings

IIS & Multiple HTTPS Bindings — October 7, 2016


I’m beginning to think this is going to be a blog about SSL certificates as most of the articles seem that way inclined just now!

When it comes to IIS serving a single web site over HTTPS it's pretty straightforward: select Bindings and add a new one for HTTPS. You should notice that at this stage you can't enter a host name, as that field is greyed out when you choose HTTPS. This is the crux of the problem: you want to run another HTTPS site on port 443, but can't.

You may not be able to do this from the GUI, but you can from the command line using an admin script.


Remmina RDP (Remote Desktop)


I’ve been using Remmina to RDP to my Windows servers for some time and it’s been just great. But just recently it started popping up with a fairly bland message “Unable to connect to RDP server MYSERVER” on a number of my servers. Not all of them, but some of them.

After a long session of Googling (which may be why you're here) I found out it's related to our recent CA certificate changes and probably a freerdp-lib or SSL change.

After running Remmina from the command line I found the problem was self-explanatory.


MSSQL Server SSL Certificate — October 5, 2016


Having updated the CA certificate, it's time to start rolling out the new SHA-256 algorithm to the other Windows servers. Group Policy (GPO) takes care of distributing the new CA certificate, and the clients and servers are getting it in their Trusted Root stores automatically. But the servers have a range of certificate expiry dates and their existing certificates won't expire for some time. So to satisfy the vulnerability scan results we're having to update each server as we get to it.

This means visiting each server, running MMC, adding the Certificates snap-in for the Local Computer and then renewing the certificate(s). Once that's done it's a case of telling the applications to use the new certificate.

Typically this means choosing the certificate in the Terminal Services Session Host management console, setting IIS to use the new certificate and updating SQL Server so that it uses the new certificate too.


Windows Proxy Settings


Set the server's WinHTTP proxy from the command line using:

C:\> netsh winhttp set proxy "http://myproxy:3128" "<local>"

Where the <local> entry in the bypass list tells WinHTTP not to use the proxy for local (intranet) addresses.

View your setting using:

C:\> netsh winhttp show proxy

Syntax:

set proxy [proxy-server=] ProxyServerName [bypass-list=] <HostsList>

Nessus Trusted CA Certificates — October 4, 2016


It’s that time again. Scanning for vulnerabilities means keeping certificates up to date. After updating our CA certificate to SHA-256 and KSP we now need to tell Nessus to trust the new certificate.

So after doing the obvious and adding it to the Linux server's trusted CA certificates, the scan still failed to trust the new certificate. This is because Nessus uses its own certificate repository.

It's a simple text file: /opt/nessus/lib/nessus/plugins/custom_CA.inc

To add the new cert, just cat it onto the end of that file.

$ sudo sh -c 'cat public_key.crt >> /opt/nessus/lib/nessus/plugins/custom_CA.inc'
# the >> redirection is opened by your own shell before sudo runs, so sudo has to wrap the whole command
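As an added example (not code from the original post), here is a small POSIX shell helper that does the same append safely: it checks the file is really a PEM certificate, skips it if that certificate is already in custom_CA.inc (re-running the command above would keep adding copies), and uses tee under sudo so the root-owned file is written correctly. The path is the one named in the post; the certificate content in the usage comment is constructed.

```shell
#!/bin/sh
# Print the base64 body of every PEM certificate block in a file, one body per line,
# so two certificates can be compared without caring about line wrapping or comments.
pem_bodies() {
    awk '/-----BEGIN CERTIFICATE-----/ { body = ""; inblock = 1; next }
         /-----END CERTIFICATE-----/   { print body; inblock = 0; next }
         inblock                       { body = body $0 }' "$1"
}

# Return 0 if the certificate in $1 already appears in $2.
cert_present() {
    new=$(pem_bodies "$1")
    [ -n "$new" ] || return 1
    pem_bodies "$2" | grep -qxF -- "$new"
}

# Append the certificate in $1 to $2 unless it is already there.
# Prints "invalid" (and returns 1) if $1 holds no PEM certificate,
# "present" if it is already in the file, or "added" after appending it.
append_ca() {
    cert="$1"; target="$2"
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo invalid; return 1; }
    if [ -f "$target" ] && cert_present "$cert" "$target"; then
        echo present
        return 0
    fi
    if [ -w "$target" ] || { [ ! -e "$target" ] && [ -w "$(dirname "$target")" ]; }; then
        cat "$cert" >> "$target"
    else
        # The redirection would be opened by the unprivileged shell, so let tee
        # (running as root) do the writing instead of relying on `sudo cat >>`.
        sudo tee -a "$target" < "$cert" > /dev/null
    fi
    echo added
}

# Usage (the target path is the one the post names):
#   append_ca public_key.crt /opt/nessus/lib/nessus/plugins/custom_CA.inc
```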