Technolgy et al

IIS exploits in Windows Server and how you can fix them

Posted by penguyen on June 3, 2015

This is a really good article from techtarget:


I believe it’s safe to say that a common goal of Windows server administrators is to have reasonably resilient systems. There’s a lot going on in the world of online security threats. The last thing you need is someone on the other side of the world, or internal to your organization, exploiting something in IIS or Windows Server that could’ve been prevented.

Your hands may be tied in terms of application-specific flaws but there’s plenty you can do at the server level to make your IIS-based systems more secure. In reviewing my Web security assessment projects over the past year, here are the top IIS vulnerabilities afflicting Windows servers:

Unhandled exceptions (HTTP 500 errors) are generated.
This can disclose sensitive configuration information and facilitate SQL injection. The server-side fix is to disable detailed error messages via the following in the server’s web.config file:

    <customErrors mode="RemoteOnly" defaultRedirect="AppErrors.aspx">
      <error statusCode="404" redirect="NoSuchPage.aspx"/>
      <error statusCode="403" redirect="NoAccessAllowed.aspx"/>
      <error statusCode="500" redirect="RequestNotAllowed.aspx"/>
    </customErrors>

(The element belongs inside <system.web>. RemoteOnly keeps the detailed error page for requests from the server itself and shows the redirect pages to everyone else.)


Viewstate parameter encryption and MAC are disabled.
This can allow an attacker to manipulate sensitive parameters and gain unauthorized access. The server-side fix is to enable viewstate encryption and MAC validation on all pages of the application by adding the following to the server’s web.config file:


    <pages viewStateEncryptionMode="Always" enableViewStateMac="true"/>
    <machineKey validation="3DES"/>

(Both elements go inside <system.web>; the two settings belong on a single <pages> element, since a second <pages> element in the same section is a configuration error.)


Unencrypted HTTP connections can be made.
This can lead to the exposure of login credentials and other sensitive information because everything to and from the Web server is transmitted in plaintext. The server-side fix is to require TLS version 1.1+ encryption across the entire website/application.




SSL versions 2 and 3 and weak encryption ciphers are enabled.
This can facilitate man-in-the-middle attacks and lead to the compromise of sensitive information. The server-side fix is to require TLS version 1.1+ and disable weak ciphers such as RC4.

Cross-frame scripting is possible.
This can facilitate clickjacking and trick users into clicking on something different from what they perceive they are clicking on. The server-side fix is to set the X-Frame-Options header to DENY, SAMEORIGIN or ALLOW-FROM based on your specific needs.

Sensitive server directories and files are publicly-accessible.
This can expose system configuration, code or sensitive data. The server-side fix is to ensure that only the necessary permissions are enabled for public access.

Windows patches are missing.
This can lead to anything from denial of service to full remote access to the Web server using a tool such as Metasploit. The server-side fix is to patch your servers. It’s that simple. Even if you’re concerned about taking production servers offline, patching needs to be performed consistently across the board if you’re going to have a secure Web environment.

Most of these vulnerabilities may not be considered “critical” but they can certainly be problematic long term. As you can see, they’re relatively easy to resolve. In fact, the only thing it will cost you to fix them is your time. Find and fix these issues — they’re easy security wins for your business and will help keep your vulnerability scan and security assessment reports as clean as possible.

Once you tackle these website security server fundamentals you can move on to bigger — often more complex — security flaws within your Web applications themselves. This includes everything from cross-site scripting (an all too common vulnerability) to SQL injection (a less common yet lethal flaw) to weak user authentication and session management. That’s where the real fun begins.
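The server-side fixes for items 3 to 5 above (HTTPS only, SSL 2/3 and RC4 off, X-Frame-Options) scripted for one host, as an added example that is not part of the TechTarget article. It assumes an elevated PowerShell prompt on the web server, the WebAdministration module (IIS 7.5+ management tools), a site named "Default Web Site" that already has an HTTPS binding, and a reboot afterwards for the SCHANNEL changes to apply. TLS 1.1 is switched on only because the article asks for "TLS 1.1+"; it has since been deprecated (RFC 8996), so on a current server enable TLS 1.2+ only.

```powershell
# Added example, not code from the article. Run elevated; reboot afterwards.
Import-Module WebAdministration

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$site     = 'Default Web Site'    # assumption: change to your site's name

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        # Enabled=0 together with DisabledByDefault=1 turns a protocol off.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Disable-SchannelCipher {
    param([string]$Name)    # e.g. 'RC4 128/128'
    # Cipher key names contain '/', which the PowerShell registry provider treats as a
    # path separator (New-Item would create 'RC4 128' with a child '128'). The .NET API
    # only treats '\' as a separator, so create the key through it instead.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$Name")
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Item 4: SSL 2.0/3.0 off, TLS on, RC4 and the other weak ciphers off.
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
'TLS 1.1', 'TLS 1.2' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }
'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'DES 56/56', 'NULL' |
    ForEach-Object { Disable-SchannelCipher -Name $_ }

# Item 3: require SSL on the site; plain HTTP requests now get 403.4 instead of content.
# This section is locked at server level, so write it to applicationHost.config's
# <location> for the site rather than to the site's web.config.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Item 5: anti-clickjacking header on every response from the site.
Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/httpProtocol/customHeaders' -Name '.' `
    -Value @{ name = 'X-Frame-Options'; value = 'SAMEORIGIN' }

# Verify what was written before rebooting.
Get-ChildItem "$schannel\Protocols" -Recurse | Get-ItemProperty |
    Select-Object PSPath, Enabled, DisabledByDefault | Format-Table -AutoSize
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

After the reboot, confirm from another machine with an external scanner or `openssl s_client -ssl3` (which must now fail to negotiate) rather than trusting the registry view alone; a third-party cipher-suite order set by group policy can override the per-cipher keys.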

Posted in Uncategorized

Converting NDRs to x500

Posted by penguyen on January 21, 2015


You ran a script to modify SMTP addresses on an Exchange 2010 user and accidentally overwrote all of their previous SMTP addresses, including the legacyExchangeDN, a.k.a. the X500 address (or you accidentally deleted a user and recreated their mailbox on the same AD account).

Now internal users are reporting that they’re receiving NDRs saying the user no longer exists, even though you’ve already added the exact same SMTP address back to their mailbox.

Cause: Internal users’ Outlook clients typically cache the X500 address for internal communication instead of using the SMTP address.


Not so efficient solution: Have every user who has this person’s contact autofilled in their Outlook client delete the contact from the autocomplete list and re-enter their SMTP address.

Better: Have someone send you the NDR for this particular user and recreate the X500 address from that NDR on the user’s mailbox.



Delivery has failed to these recipients or distribution lists:

Nguyen, Peter
The recipient’s e-mail address was not found in the recipient’s e-mail system. Microsoft Exchange will not try to redeliver this message for you. Please check the e-mail address and try resending this message, or provide the following diagnostic text to your system administrator.

If you click on the name, the NDR will get resolved to:

EXCH is the Exchange Organization name

So now we need to convert the above address into proper x500

First step: Replace all underscores “_” to “/”


Then replace all +28 to “(” and +29 to “)”

Replace all +20 to space ” ”

Replace all +2E to a period “.”

The final x500 would look like this:


Now just add this new string to the user’s E-mail Addresses in the Exchange console as a custom address of type X500 and you’re golden.
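The same conversion done as a function, as an added example that is not part of the original post. It applies the post’s rules in the post’s order (underscores to slashes first, then the +XX escapes) but generalises the second step to decode every +XX hex pair, which also handles +2C (a comma in the CN) and +5F (a literal underscore in a name, which must not turn into a slash, hence the order). The sample IMCEAEX address, the organisation name EXCH from the post, the CN and the domain are all constructed for the example.

```powershell
# Added example, not from the original post.
function ConvertTo-X500Address {
    param([Parameter(Mandatory)][string]$ImceaexAddress)

    $s = $ImceaexAddress.Trim()
    # Drop the IMCEAEX- prefix and the @domain suffix that Exchange appends, if present.
    if ($s -match '^IMCEAEX-(.+?)(@[^@]+)?$') { $s = $Matches[1] }

    # Step 1 (from the post): underscores are the encoded '/' separators.
    # Done before hex decoding so that an encoded '+5F' stays an underscore.
    $s = $s -replace '_', '/'

    # Step 2: '+28' -> '(', '+29' -> ')', '+20' -> ' ', '+2E' -> '.', and any other +XX.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator] {
        param($m) [string][char][Convert]::ToInt32($m.Groups[1].Value, 16)
    }
    $s = [regex]::Replace($s, '\+([0-9A-Fa-f]{2})', $evaluator)

    return "X500:$s"
}

# Constructed sample of what Outlook resolves the NDR recipient to.
$ndrAddress = 'IMCEAEX-_O=EXCH_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Nguyen+2C+20Peter@contoso.com'
$x500 = ConvertTo-X500Address -ImceaexAddress $ndrAddress
$x500

# Add it to the mailbox from the Exchange Management Shell (mailbox identity assumed):
# Set-Mailbox -Identity 'Nguyen, Peter' -EmailAddresses @{ add = $x500 }
```

For the sample above the function returns X500:/O=EXCH/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=Nguyen, Peter. Paste the part after "X500:" into the custom address dialog, or use the Set-Mailbox line, which keeps the existing SMTP addresses and only adds the X500 one.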

Posted in Uncategorized

2014 in review

Posted by penguyen on December 30, 2014

The stats helper monkeys prepared a 2014 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 15,000 times in 2014. If it were a concert at Sydney Opera House, it would take about 6 sold-out performances for that many people to see it.


Posted in Uncategorized

Amazon Glacier is a Tape driven archival storage solution

Posted by penguyen on May 21, 2014


Amazon Web Services’ much-famed Glacier, which was launched a couple of months ago, is a cloud-based storage solution offered to enterprises as a cloud-based archival solution. All the cold data which is not in frequent use in an enterprise can be fed to Glacier and retrieved on demand.

Until now, enterprises maintained their cold data on tape libraries and had to deal with the painful management and maintenance of these cost-efficient storage solutions. In order to ease the job of the enterprise IT team, AWS released Glacier, which allows its users to store data at a cost of just one cent per GB per month. This cloud-based storage solution was termed the lowest-cost archival solution available in the data storage market to date.

Glacier has the potential to accept any amount of data at a cost that even the traditional…


Posted in Uncategorized

The default transaction resource manager on volume C: encountered an error while starting and its metadata was reset. The data contains the error code.

Posted by penguyen on April 23, 2014

The default transaction resource manager on volume C: encountered an error while starting and its metadata was reset. The data contains the error code.

EventID: 134

Log Name: System

Issue: This happens whenever the Windows file system transaction log is corrupted. The Windows file system uses the transaction log to recover system transactions when a file error occurs, and the Common Log File System (CLFS) transaction logs may be left in an inconsistent state. When the CLFS transaction logs are in an inconsistent state, delete the .blf files and the .regtrans-ms files from the %Windir%\System32\SMI\Store\Machine folder.


Then run CMD as Administrator and at the command prompt type:

fsutil resource setautoreset true c:\

These steps assume that Windows is installed in the default location, on drive C. If this is not the case, adjust the drive letter of the folder path to match your configuration.
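The two repair steps as one script, as an added example that is not part of the original post: it confirms Event ID 134 is actually present, refuses to run unelevated, moves the log files into a dated backup folder instead of deleting them outright, and then issues the fsutil command. It assumes Windows is on C: ($Volume) and that the files are not locked at the time you run it.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
$Volume   = 'C:\'                                                   # assumption: system volume
$StoreDir = Join-Path $env:windir 'System32\SMI\Store\Machine'
$Backup   = Join-Path $env:TEMP ('SMI-Store-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))

# The files below are system-owned; bail out early if the prompt is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Confirm the symptom in the System log before touching anything.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 134 } -MaxEvents 5 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No Event ID 134 in the System log; the reset below is probably not needed.'
}
$events | Select-Object TimeCreated, ProviderName, Message | Format-List

# Step 1: move (rather than delete) the CLFS log files, so they can be put back.
New-Item -ItemType Directory -Path $Backup | Out-Null
Get-ChildItem -Path $StoreDir -File |
    Where-Object { $_.Extension -in '.blf', '.regtrans-ms' } |
    Move-Item -Destination $Backup -Verbose

# Step 2: ask NTFS to reset the default transaction resource manager on the volume
# the next time it is mounted (i.e. at the next reboot).
fsutil resource setautoreset true $Volume
if ($LASTEXITCODE -ne 0) { throw "fsutil failed with exit code $LASTEXITCODE" }

"Log files moved to $Backup. Reboot to complete the reset, then check the System log for a new Event 134."
```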


Posted in Uncategorized

remove stuck mailbox move

Posted by penguyen on August 1, 2013

When Remove-MoveRequest fails:

1. Open ADSIEDIT and navigate to the OU where your broken user account is stored. (Under: Default Naming Context)
2. Locate the user account, right-click on it and then choose “Properties”.
3. Click on the “Filter” button and make sure “Show only attributes that have values” is checked.
4. Scroll down the attributes and search for an entry called “msExchMailboxMoveRemoteHostName”.
5. Click on the “Edit” button.
6. Click on the “Clear” button.
7. Click the “OK” button.
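The same seven ADSIEDIT steps done from PowerShell with the ActiveDirectory module, as an added example that is not part of the original post. It mirrors the “show only attributes that have values” filter by clearing only attributes that are actually set, and writes the old values to a file first so they can be restored with Set-ADUser -Replace. The post clears only msExchMailboxMoveRemoteHostName; the -Attributes parameter is an addition here so the same function can clear other msExchMailboxMove* attributes if you find them set on the object. The account name in the usage line is made up.

```powershell
# Added example, not from the original post. Needs the RSAT ActiveDirectory module and
# an account allowed to write Exchange attributes on the user object.
Import-Module ActiveDirectory

function Clear-StuckMailboxMove {
    param(
        [Parameter(Mandatory)][string]$Identity,     # sAMAccountName, DN or objectGUID
        [string[]]$Attributes = @('msExchMailboxMoveRemoteHostName')
    )

    $user = Get-ADUser -Identity $Identity -Properties $Attributes

    # Only clear what is actually set (ADSIEDIT's "attributes that have values" view).
    $set = @($Attributes | Where-Object { $null -ne $user.$_ })
    if ($set.Count -eq 0) {
        Write-Warning "$Identity has none of: $($Attributes -join ', ')"
        return
    }

    # Keep a copy of the values about to be removed.
    $backup = Join-Path $env:TEMP "$($user.SamAccountName)-move-attrs.json"
    $user | Select-Object -Property (@('DistinguishedName') + $set) |
        ConvertTo-Json | Set-Content -Path $backup
    "Saved current values to $backup"

    # Same effect as Edit -> Clear -> OK in ADSIEDIT.
    Set-ADUser -Identity $user.DistinguishedName -Clear $set
    "Cleared on $($user.DistinguishedName): $($set -join ', ')"
}

# Usage (account name assumed):
# Clear-StuckMailboxMove -Identity 'pnguyen'
```

Run Get-MoveRequest afterwards from the Exchange Management Shell; if the request is still listed, the remaining msExchMailboxMove* attributes on the object are what keeps it alive, and the same function clears them once you pass their names.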





Posted in Active Directory, Exchange, Windows

Force removing Exchange 2010 database – ADSIEDIT.MSC

Posted by penguyen on August 1, 2013

Run Get-Mailbox -Database "Database Name" -Arbitration to find all the arbitration mailboxes.

If there are some arbitration mailboxes, move them to different databases and then delete the database again

If the above doesn’t work, you can use the ADSIEDIT tool to delete the mailbox database:

1. Open Adsiedit.msc

2. Connect to the configuration partition.

3. Expand Configuration-Services-Microsoft Exchange–Administrative Groups-Servers–Information Stores.

4. Delete the appropriate database.

I ran Set-AdServerSettings -ViewEntireForest $True then ran get-mailbox -database db1 -arbitration and all of a sudden I now see a mailbox!!! How annoying.

I moved the arbitration mailbox to another DB and I was then able to delete the DB.

I was not aware of the Set-AdServerSettings command.

Get-MailboxStatistics -Database "Database Name" | fl
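A pre-flight check to run from the Exchange Management Shell before reaching for Remove-MailboxDatabase or ADSIEDIT, as an added example that is not part of the original post. It sets the forest-wide view first (the step that made the hidden arbitration mailbox appear in the post) and then lists every kind of object that can still pin the database: regular, arbitration and archive mailboxes plus in-flight move requests. Save it as a .ps1 and pass your database name; the archive check assumes Exchange 2010 SP1 or later, where mailboxes carry an ArchiveDatabase property.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell:
#   .\Test-DatabaseEmpty.ps1 -Database 'DB1'
param([Parameter(Mandatory)][string]$Database)

# Without this, Get-Mailbox only looks at the current domain and can miss mailboxes.
Set-AdServerSettings -ViewEntireForest $true

$blockers = @(
    @{ Kind = 'User mailboxes'
       Items = Get-Mailbox -Database $Database -ResultSize Unlimited }
    @{ Kind = 'Arbitration mailboxes'
       Items = Get-Mailbox -Database $Database -Arbitration }
    @{ Kind = 'Archive mailboxes (Exchange 2010 SP1+)'
       Items = Get-Mailbox -ResultSize Unlimited -Archive |
               Where-Object { $_.ArchiveDatabase -and $_.ArchiveDatabase.Name -eq $Database } }
    @{ Kind = 'Move requests touching this DB'
       Items = Get-MoveRequest |
               Where-Object { $_.SourceDatabase.Name -eq $Database -or $_.TargetDatabase.Name -eq $Database } }
)

$total = 0
foreach ($b in $blockers) {
    $items = @($b.Items)
    $total += $items.Count
    '{0}: {1}' -f $b.Kind, $items.Count
    $items | ForEach-Object { '    ' + $_.Name }
}

# Disconnected mailboxes do not block removal, but they explain a database that
# still has content after every mailbox has been moved.
'Disconnected mailboxes still in the store:'
Get-MailboxStatistics -Database $Database |
    Where-Object { $_.DisconnectDate } |
    Select-Object DisplayName, DisconnectDate | Format-Table -AutoSize

if ($total -eq 0) {
    "Nothing left on $Database; it can be removed with: Remove-MailboxDatabase -Identity '$Database'"
} else {
    "Move the $total item(s) listed above first, e.g. New-MoveRequest -Identity <mailbox> -TargetDatabase <other DB>, then re-run this check."
}
```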

Posted in Active Directory, Exchange, Windows

Resetting the entire registry permission

Posted by penguyen on July 29, 2013

There will be times when you either:

1) Have some sort of malware running on your machine

2) Accidentally changed the permissions of your registry

and need to reset the registry permissions to default.


Here’s how:


Download SubInACL from the Microsoft Download Center.

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

Create a file with the name reset.cmd under C:\Program Files\Windows Resource Kits\Tools folder

Now you need to Edit the reset.cmd file and add the following lines

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

Save and exit your file

Now launch an elevated command prompt and run the following command:

cd “C:\Program Files\Windows Resource Kits\Tools”

Press Enter, then run the batch file you just created:

reset.cmd

Press Enter again. After a few minutes of processing by subinacl, the permissions will be reset.
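A before/after check to wrap around reset.cmd, as an added example that is not part of the original post. The subinacl lines above only add full-control entries for Administrators and SYSTEM; they do not remove entries that malware or a mistaken edit may have added, so a snapshot of each key’s owner and SDDL taken before and after the run shows what was actually changed and what still needs a look. It assumes PowerShell 5 or later (for -Depth) and an elevated prompt; the file paths in the usage lines are placeholders.

```powershell
# Added example, not from the original post. Run elevated (PowerShell 5+).
function Export-RegistryAclSnapshot {
    param(
        [Parameter(Mandatory)][string]$OutFile,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKCU:\Software'),
        [int]$Depth = 1     # levels below each root to walk; deeper is slower and bigger
    )
    $rows = foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            # SDDL is a compact, comparable form of the whole DACL; Get-Acl fails on
            # keys the caller cannot read, which is itself worth knowing about.
            $acl = Get-Acl -Path $k.PSPath -ErrorAction SilentlyContinue
            if ($acl) { [pscustomobject]@{ Key = $k.Name; Owner = $acl.Owner; Sddl = $acl.Sddl } }
            else      { [pscustomobject]@{ Key = $k.Name; Owner = '<unreadable>'; Sddl = '' } }
        }
    }
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    return @($rows).Count
}

function Compare-RegistryAclSnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $old = @{}
    Import-Csv -Path $Before | ForEach-Object { $old[$_.Key] = $_ }
    foreach ($row in Import-Csv -Path $After) {
        $prev = $old[$row.Key]
        if (-not $prev) {
            [pscustomobject]@{ Key = $row.Key; Change = 'new key'; Before = ''; After = $row.Sddl }
        } elseif ($prev.Sddl -ne $row.Sddl -or $prev.Owner -ne $row.Owner) {
            [pscustomobject]@{ Key = $row.Key; Change = 'acl/owner changed'; Before = $prev.Sddl; After = $row.Sddl }
        }
    }
}

# Usage (paths are placeholders):
#   Export-RegistryAclSnapshot -OutFile C:\Temp\acl-before.csv
#   & 'C:\Program Files\Windows Resource Kits\Tools\reset.cmd'
#   Export-RegistryAclSnapshot -OutFile C:\Temp\acl-after.csv
#   Compare-RegistryAclSnapshot -Before C:\Temp\acl-before.csv -After C:\Temp\acl-after.csv | Format-Table -Wrap
```

Keys that still show an unexpected principal in the “After” SDDL after the run are the ones subinacl’s /grant could not fix, because it only adds entries. If the goal really is the Windows defaults rather than “Administrators and SYSTEM have full control”, the documented route is the default security template: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose, which both grants and removes entries to match the template.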


Posted in Windows

Listing Windows Updates using Powershell

Posted by penguyen on September 28, 2012


Listing Windows Updates

There is a not widely known COM object that you can use to list all the installed Windows Updates on a machine. Here is the code:

$Session = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
$HistoryCount = $Searcher.GetTotalHistoryCount()
# QueryHistory takes a zero-based start index; starting at 1 would skip the most recent entry.
$Searcher.QueryHistory(0, $HistoryCount) |
    Select-Object Date, Title, Description
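The same COM object taken two steps further, as an added example that is not part of the original post: one function collapses the history to one row per KB with the result of the latest install attempt (so a failed install that was later retried successfully does not show as failed), and a second asks the Windows Update Agent which applicable updates are not yet installed, which is the check behind the “Windows patches are missing” item in the IIS post above. The missing-update search contacts whatever update source the machine is configured for (Windows Update or WSUS); everything else runs offline.

```powershell
# Added example, not from the original post.
$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()

# OperationResultCode values from the Windows Update Agent API.
$ResultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

function Get-InstalledKBHistory {
    $total = $Searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return @() }
    # Index 0 is the newest entry. Operation 1 = install, 2 = uninstall.
    $Searcher.QueryHistory(0, $total) |
        ForEach-Object {
            if ($_.Operation -ne 1 -or $_.Title -notmatch '\bKB(\d+)') { return }
            [pscustomobject]@{
                KB     = 'KB' + $Matches[1]
                Date   = $_.Date
                Result = $ResultNames[[int]$_.ResultCode]
                Title  = $_.Title
            }
        } |
        # Keep only the latest attempt per KB.
        Sort-Object Date -Descending | Group-Object KB | ForEach-Object { $_.Group[0] }
}

function Get-MissingUpdates {
    # WUA search criteria: applicable, not installed, not hidden, and not a driver.
    $result = $Searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $u.MsrcSeverity      # Critical/Important/... or empty for non-security updates
            Title    = $u.Title
        }
    }
}

'Install attempts that did not succeed (latest attempt per KB):'
Get-InstalledKBHistory | Where-Object Result -ne 'Succeeded' | Format-Table -AutoSize

'Applicable updates not yet installed:'
Get-MissingUpdates | Sort-Object Severity | Format-Table -AutoSize
```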

Posted in Powershell

Exchange SP1 – Previously install failed

Posted by penguyen on August 23, 2011

If you ran an Exchange SP1 install and it failed, once you have recovered with the setup /m:RecoverServer switch (see my previous blog on how to do this), you may run into this error when trying to re-run SP1 setup again:

“Some controls aren’t valid. Setup previously failed while performing the action “Install”. You can’t resume setup by performing the action “BuildToBuildUpgrade”.”

It seems that setup thinks the previous setup never completed. The solution to this is to delete the registry keys. Open Registry Editor and navigate to:


Here you will see different roles; inspect every single one and locate the reg keys below to delete. For us it was under the CAS and Hub roles.

The keys to delete are: Action and Watermark.

Make sure you export the keys for back up before deleting them. Once you delete the keys, setup should continue.
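The same clean-up scripted with the export done first, as an added example that is not part of the original post. It walks the role subkeys under the key the post navigates to, reports which ones still carry Action or Watermark values, exports each such key with reg.exe (so the backup can be re-imported by double-clicking the .reg file) and refuses to delete anything whose export failed. The path of that key is not given above, so it is a mandatory parameter here rather than a default.

```powershell
# Added example, not from the original post. Run elevated.
function Remove-ExchangeSetupWatermark {
    param(
        [Parameter(Mandatory)][string]$SetupRoot,   # the key from Registry Editor, one subkey per role
        [string]$BackupDir = $env:TEMP,
        [switch]$WhatIf                              # list only, delete nothing
    )
    foreach ($role in Get-ChildItem -Path $SetupRoot) {
        $props = Get-ItemProperty -Path $role.PSPath
        # Only roles whose setup was interrupted still carry these two values.
        $left = @('Action', 'Watermark') | Where-Object { $null -ne $props.$_ }
        if (-not $left) { continue }

        '{0}: Action=''{1}'' Watermark=''{2}''' -f $role.PSChildName, $props.Action, $props.Watermark
        if ($WhatIf) { continue }

        # Export before deleting. $role.Name is the HKEY_LOCAL_MACHINE\... form reg.exe expects.
        $file = Join-Path $BackupDir ('{0}-setup-{1:yyyyMMdd-HHmmss}.reg' -f $role.PSChildName, (Get-Date))
        reg.exe export $role.Name $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $($role.Name) failed; nothing was deleted." }

        Remove-ItemProperty -Path $role.PSPath -Name $left
        '  removed {0}; backup in {1}' -f ($left -join ', '), $file
    }
}

# Usage: first see what would go, then do it.
# Remove-ExchangeSetupWatermark -SetupRoot 'HKLM:\<key from Registry Editor>' -WhatIf
# Remove-ExchangeSetupWatermark -SetupRoot 'HKLM:\<key from Registry Editor>'
```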

Posted in Exchange

