Thursday, December 27, 2007

ICMP - Pinging Server 2008

One of the most common ways for an administrator to check whether a particular server is up is to send an ICMP packet to the server, i.e. to ping it. This is also called an Echo Request.

Windows Server 2008 disables this Echo Request by default. Here's how you can turn it on:

1. Open Server Manager
2. Expand Configuration section
3. Expand Windows Firewall with Advanced Security (OK, Microsoft, is there a Basic one???)
4. Click on Inbound Rules
5. In the middle pane, scroll down and find "File and Printer Sharing (Echo Request - ICMPvX-in)" where the X stands for the IP version number
6. Right click it and select Enable
7. If you want to edit advanced options, right click it and select the Properties option instead

If you are running the Core installation, you can accomplish the same thing by issuing the netsh command:

netsh firewall set icmpsetting 8

IIS 7 - FTP Server

I was evaluating the much anticipated Windows Server 2008 RC1 and one of the areas I was focusing on was IIS7. Pretty much every component was updated except for the FTP server. It seems that Microsoft was rushing RC1 out and didn't have enough time to add the new FTP server in there so they went with the old version instead.

When you enable the FTP role, the old IIS 6 snap-in is added to let you manage the FTP server. I didn't like the way it turned out, searched around a bit more, and found out that FTP Server 7 RC0 is out.

You can download the new FTP Server here. In order to install this package, you must first uninstall the old FTP version.

Wednesday, December 26, 2007

Start a Port Configuration In a Clean State

If you are reconfiguring or changing the port settings on a router, you can remove or change the old commands one by one until the job is done. However, there's a "default interface" command that you can use to quickly reset the port's configuration to its default values:

Router(config)# default interface fa0/1

Once the "default interface" command is issued, you can be certain that all previous commands set on the specified port are gone.

Thursday, December 20, 2007

Protecting Your Network Edge with TTL

Protecting your network by authenticating every EBGP session is a good measure to keep the bad guys out. While this approach can keep attackers from getting inside your network, it can't keep them from launching attacks by flooding packets at the BGP port (TCP port 179) and causing a tremendous number of authentication failures, which can lead to legitimate BGP connections at the target interface failing, the BGP process failing, or even a system crash due to a spike in system resource and CPU usage.

Fortunately, you can use the TTL (Time To Live) as an additional measure to reduce such DoS attacks against BGP. The default behavior of most BGP implementations is to send packets to external neighbors with a TTL value of 1 and to accept packets from external neighbors with a TTL of 0 or higher.

You can tighten up your network by changing this default behavior so that BGP-originated packets carry a TTL value of 255 and only packets with a TTL of 254 (measured after the local router has decremented the TTL of the packet it received) or higher are accepted.

Now even if attackers originate packets with the maximum TTL value of 255, the packets can't get through to your BGP router if the attackers are not directly connected to the target interface, because each router hop decrements the TTL value by 1. If they are two hops away, by the time the packets reach the port the TTL will have been decremented to 253 and they will be rejected.

You can configure the TTL check by issuing the statement:

neighbor <neighbor-address> ttl-security hops 254

This will instruct your router to discard incoming BGP packets with a TTL value below 254 and also to set the TTL value of outgoing packets to 255. You will need to make sure that both neighbors are configured with the same statement.
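The receive check described above, as an added Python model (not code from the original post and not router code). It uses the post's hop arithmetic; in the IOS command the hops argument is the number of hops to the peer and the router accepts a packet only if its TTL is at least 255 minus that value, so hops 1 gives the 254 floor the post describes for a directly connected neighbor. Addresses are constructed.

```python
# Added example (not from the post): a model of the BGP TTL-security
# (GTSM) receive check with the hop arithmetic described above.
from dataclasses import dataclass

MAX_TTL = 255
BGP_PORT = 179


@dataclass
class Packet:
    src: str           # constructed sample address, not a real peer
    ttl: int           # TTL as set by the sender
    dport: int = BGP_PORT


def forward(pkt: Packet, hops: int) -> Packet:
    """Return the packet as it arrives after `hops` routers have each
    decremented the TTL by one; the local router counts as the last hop,
    matching the post's "measured after the local router has decremented".
    """
    return Packet(pkt.src, max(pkt.ttl - hops, 0), pkt.dport)


def gtsm_accept(pkt: Packet, configured_hops: int) -> bool:
    """TTL-security check. `configured_hops` is the expected distance to
    the peer (the IOS "ttl-security hops" argument); a packet is accepted
    only if TTL >= 255 - configured_hops, so hops 1 gives the 254 floor
    described in the post for a directly connected neighbor.
    """
    if pkt.dport != BGP_PORT:
        return False
    return pkt.ttl >= MAX_TTL - configured_hops


def legacy_accept(pkt: Packet) -> bool:
    """Default behaviour without TTL security: any TTL of 0 or higher."""
    return pkt.dport == BGP_PORT and pkt.ttl >= 0


def demo() -> dict:
    """Directly connected peer vs. a source two hops away, both sending
    with the maximum TTL of 255 (addresses are constructed)."""
    peer = Packet("192.0.2.1", MAX_TTL)
    far_source = Packet("198.51.100.7", MAX_TTL)
    return {
        "peer_one_hop": gtsm_accept(forward(peer, 1), 1),          # True
        "two_hops_gtsm": gtsm_accept(forward(far_source, 2), 1),   # False
        "two_hops_legacy": legacy_accept(forward(far_source, 2)),  # True
    }
```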

Monday, December 17, 2007

The Day The Routers Die

Those of us in the networking field might find this video amusing.

Note: In the song, the performer (Gary Feldman) mentions RIPE55 quite a few times. RIPE stands for Réseaux IP Européens (European IP Networks), a forum open to all parties interested in the technical development of the Internet, and 55 is the number of the meeting at which he performed the song.

Gary sings with a native English accent, so it might be a bit hard to understand. Here's a link to the lyrics.

Escape SQL strings

As part of my development job, I often create and troubleshoot SQL queries. One such task is validating SQL data to make sure the query returns the correct data set as expected.

Time and again, I would run into queries like:

Select blah blah From Table1 Where FieldName In ('abc', 'efd'.....)

Dealing with a short list doesn't involve a lot of typing, so it's not a big deal. But when facing a large list this can be a daunting task, as you have to quote (escape) each string and separate them with commas.

This is where an Excel spreadsheet comes in handy. In Excel you can take care of this with a simple formula by typing the following in a cell:

="'" & A1 & "',"

What this does is take the value in cell A1, wrap it in single quotes, and add a comma at the end. You can copy this formula to the other cells, and it should save you quite a bit of typing.

If you have a list of strings like:


all you have to do is paste it into the Excel spreadsheet created with the formula above, and you will have a list of escaped strings that you can place in your IN criteria. I use this a lot and it saves me a whole lot of typing.

Don't forget to take out the last comma. See attached file for more info.
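The same list-building step in Python, as an added example that is not part of the original post: it drops the trailing comma the post warns about and, unlike the Excel formula above, doubles any single quote inside a value, so a value such as O'Brien neither breaks the query nor changes its meaning. The table and column names and the sample values are constructed.

```python
# Added example (not from the post): build the quoted, comma-separated
# body of a SQL IN (...) clause from a list of strings, without the
# trailing comma and with embedded single quotes handled.
import re
from typing import Iterable

# Identifier rule for the column name (a constructed, conservative check):
# letters, digits and underscores only, so a column name can never carry
# quotes or spaces into the query text.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def sql_literal(value: str) -> str:
    """Return `value` as a single-quoted SQL string literal.

    A single quote inside the value is doubled, the standard SQL escape
    (SQL Server, Oracle, PostgreSQL); the Excel formula in the post does
    not do this, so a value like O'Brien would break the query there.
    """
    return "'" + value.replace("'", "''") + "'"


def sql_in_list(values: Iterable[str]) -> str:
    """Return the contents of IN (...) with no trailing comma."""
    items = [sql_literal(v) for v in values]
    if not items:
        raise ValueError("IN list needs at least one value")
    return ", ".join(items)


def build_query(column: str, values: Iterable[str]) -> str:
    """Assemble a validation query like the one in the post; the column
    name is an identifier and is checked, the values are data and quoted."""
    if not _IDENT.match(column):
        raise ValueError(f"bad column name: {column!r}")
    return f"SELECT * FROM Table1 WHERE {column} IN ({sql_in_list(values)})"


# Constructed sample input, including one value with an embedded quote.
SAMPLE = ["abc", "efd", "O'Brien"]

if __name__ == "__main__":
    print(build_query("FieldName", SAMPLE))
```

For application code, pass the values as query parameters instead; this helper is for the hand-built ad hoc validation queries the post describes. The equivalent fix in Excel is ="'" & SUBSTITUTE(A1,"'","''") & "',".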

Sunday, December 16, 2007

Windows 2008 Hyper-V Installation - Login

I was checking out Windows 2008 Hyper-V RC1. I downloaded the ISO image and installed it. Everything went pretty well with minimal user intervention. After a couple of automatic reboots the login window appeared, and I had only one option: Other Login (for the Core installation).

I was scratching my head trying to figure out what login I could use, since the installation didn't ask me to create one. So I tried a couple of well-known default username and password combinations and finally got in with Administrator and a blank password.

Once I logged in, I was presented with the good old Command prompt. For those of you who are used to the Windows interface, this might be a bit of a shocker.

The next thing I did was enable Hyper-V in the Core server deployment. This was done with the command:

Start /w ocsetup Microsoft-Hyper-V

A reboot is required once Hyper-V is enabled. Please note that the command is case sensitive, so you must type it exactly as shown here.

Tuesday, December 11, 2007

How to set up SQL Server to listen on multiple static TCP ports

Did you know you can have your MS SQL Server listen on multiple TCP ports? I find this feature very useful, since I run my DB server on a specific port and often run into clients that require the database connection on a different port because it falls in line with their security practice.

Here's how you can do it:

1. Start SQL Server Network Utility
2. Select TCP/IP and click the Properties button
3. Enter the port numbers (separated by commas)
4. Click OK twice
5. Stop & restart SQL Server for the change to take effect

Tuesday, December 4, 2007

Terminal Services Client (MSTSC) and Vista/2008

A few months back, I wrote a blog post about the "/console" switch, as you can see here.

Well, in the newer version of MSTSC for Windows Vista and Windows 2008, the "/console" option is no longer available. However, you can use the new "/admin" switch.

This new switch has the advantage that an "/admin" session can still be created when the session count has maxed out. Also, "/admin" sessions don't count toward the session limit that may be configured on a terminal server to limit the number of sessions.