On this page...

Internet Explorer 7 Desktop Security Guide
Support? Not If You Evaluate the Product!
Stunnel / OpenSSL Notes
FastCGI in IIS7
Moving the SQL Server ERRORLOG
Windows SharePoint Services 3.0 Application Templates
Team Foundation Installation Guide 8.0.70205
CLI Essentials: Robocopy Part of Vista
Vista Firewall
Stiffware
Web Server Fingerprinting
SSL Host Headers
Kernel-Mode SSL in IIS 6.0
Do you know %windir%\system32\LogFiles\HTTPERR?
"Install the ActiveX control required to view the website"
Spam Statistics
Windows "Monad" Shell Beta 3 for .NET Framework 2.0
Where Did My Application Data Go...
Virtual Server 2005 R2
Pimp My RAID
Regional Settings - I don't get it
Web applications and SMTP proxies don't mix well (it seems)
MS Loopback Adapter + ICS = NAT
Windows "Monad" Shell Beta 2 Documentation Pack
Rant: Why make being secure so hard?
Subversion Upgrade
Copying files off / onto a Virtual PC / Virtual Server hard disk w/out starting the virtual machine
10 Immutable Laws of Security
IISWebCastSeries.com
Whitepaper: Virtual PC vs. Virtual Server
Securing Wireless LANs with PEAP and Passwords
Mirror, mirror on the wall
Windows Server Update Services Wiki
Post Commit Hook for Subversion, the .NET way
MS IPsec "Portal"
How to Shoot Yourself in the Foot, issue # [I no longer care to count]
IIS Diagnostics Toolkit
GPanswers: How do I prevent people from writing data to the USB port?
Speeding up Windows XP - done right
WASC Article: The 80/20 Rule for Web Application Security
Obtaining and Installing a WLAN Server Certificate for PEAP-MS-CHAP v2 Wireless Authentication
Microsoft .NET Framework SDK Setup 1.1 Installation Failure
Scriptomatic 2.0
Changes to HTTP API in Windows Server 2003 SP1
Moving Subversion Repositories
InCD 4.3.11.1 solves memory issue
:: SiteBar :: The Bookmark Server for Personal and Team Use
Subversion on Windows as a Service, plus Commit Hook and Backup Script
Portable Firefox | Thunderbird | Sunbird
Microsoft IT Attack and Penetration Testing Team
Microsoft Windows Update Services Open Evaluation
Using Virtual PC for computer migration
Browsing the Web and Reading E-mail Safely as an Administrator
VirtualPC + 2GB RAM
Microsoft ASP.NET ValidatePath Module
OWASP .NET Projects
Take console in WMIC

 Friday, August 10, 2007
Version 2 of the IE7 Desktop Security Guide is available for download. If you are interested in locking down IE7, then you will need this document.
Categories: Administration | Security
Friday, August 10, 2007 8:55:34 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Monday, July 23, 2007

I got myself an eval kit for RSA SecurID tokens to see how easy / hard this would be to deploy via AD. Well, I didn't get very far, that is, installation failed spectacularly in the early stages:

After this "helpful" message box setup decided to be more specific:

Ohh-Kay. Let's go to RSA and their support center (it takes roughly five clicks to get to online support, but that's another usability story) - sign in required. Hmmm. How about creating an account?

The eligibility is a real joke: "RSA customers who have a trial product (This does not include two user demos)". Excuse moi? On the Web site you told me that I was ordering a trial, and in actuality it turned out to be a "2-User Promo Kit" (the moment I needed support I looked more closely at the package...) without support.

Maybe it's the Microsoft Windows Server 2003 R2 Enterprise Edition VHD I am using?

Categories: Administration | Security | this
Monday, July 23, 2007 7:54:49 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Saturday, June 02, 2007

A couple of notes to self:

The latter is especially important if one fails to grasp how to turn the private key plus the certificate into the .pem for Stunnel. By the way, I was using CAcert. That works just fine for internal email servers.
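Since the note about turning key plus certificate into the .pem is the step people stumble over, here is an added helper (written for this page, not part of the post or of Stunnel) that assembles the file and refuses to write one Stunnel will not load: a missing key or certificate block, a key pasted twice, or a passphrase-protected key, which a service started at boot cannot unlock. The key and certificate contents below are constructed placeholders with fake payloads; only the PEM framing is exercised.

```python
import os
import re
import tempfile

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.S)

# Constructed placeholders: the base64 payload is fake, only the PEM framing matters
# here. Real files come from your key generation and from your CA (CAcert in the post).
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEfakefakefake\n-----END RSA PRIVATE KEY-----\n"
FAKE_ENCRYPTED_KEY = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFfakefakefake\n"
                      "-----END ENCRYPTED PRIVATE KEY-----\n")
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIDfakefakefake\n-----END CERTIFICATE-----\n"


def pem_labels(text):
    """Labels of the PEM blocks found in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_stunnel_pem(text):
    """Return the problems that typically stop stunnel from loading a combined PEM."""
    labels = pem_labels(text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    problems = []
    if not keys:
        problems.append("no private key block")
    elif len(keys) > 1:
        problems.append("more than one private key block (key pasted twice?)")
    if not certs:
        problems.append("no certificate block")
    # A PKCS#8 "ENCRYPTED PRIVATE KEY" block or a legacy "Proc-Type: 4,ENCRYPTED" header
    # means a passphrase is required; a service started at boot cannot type one in.
    if any(l.startswith("ENCRYPTED") for l in keys) or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected; stunnel running as a "
                        "service cannot prompt for it")
    return problems


def build_stunnel_pem(key_path, cert_path, out_path):
    """Assemble key, then certificate (append any chain certs after it) into one file.

    Refuses to write a file stunnel would reject, and creates the output owner-only
    (0600; on Windows the file's ACL, not this mode, is what protects the key)."""
    with open(key_path) as f:
        key = f.read()
    with open(cert_path) as f:
        cert = f.read()
    combined = key.rstrip("\n") + "\n\n" + cert.rstrip("\n") + "\n"
    problems = check_stunnel_pem(combined)
    if problems:
        raise ValueError("; ".join(problems))
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(combined)
    return out_path


def demo():
    """Write the constructed key and cert to a temp dir, combine them, report the layout."""
    work = tempfile.mkdtemp()
    key_path, cert_path = os.path.join(work, "key.pem"), os.path.join(work, "cert.pem")
    with open(key_path, "w") as f:
        f.write(FAKE_KEY)
    with open(cert_path, "w") as f:
        f.write(FAKE_CERT)
    out = build_stunnel_pem(key_path, cert_path, os.path.join(work, "stunnel.pem"))
    with open(out) as f:
        return pem_labels(f.read())


if __name__ == "__main__":
    print(demo())
```

Point the `cert` option in stunnel.conf at the written file; if your CA hands out an intermediate certificate, append it after your own certificate before running the check again.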

Categories: Administration | Security | this
Saturday, June 02, 2007 4:22:41 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, May 09, 2007

Before going on holidays last week I decided to put a Longhorn Beta 3 box live on the Internet. It doesn't run a lot of things just yet (except for trials of the all-new FTP server), but today I decided to take the plunge and try FastCGI (see Using FastCGI to host PHP applications on IIS7).

An application I wanted to test-drive for a long time is WebSVN. The UI looks like this:

It is PHP-based, needs Cygwin-based tools, and is quite useful for browsing Subversion repositories. After downloading the latest code from the WebSVN repository, I was able to get up and running in about half an hour (that includes failing with WebSVN RC4, installing Cygwin, etc). You can check it out at http://iis7.chrison.net/websvn/index.php

I'll add more applications to this box over the coming days and weeks, to see what works and what doesn't for the mix of technologies I am using.

Oh, and it seems that I am the first European site registered at IIS7 On Tour:

Categories: Administration | IIS
Wednesday, May 09, 2007 1:40:44 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



 Monday, April 02, 2007

Tonight, SQL Server decided to write a 14GB error log to disk - filling it up neatly, which of course had a couple of "side effects". Drat! All log file directories (HTTPERR, IIS, MailEnable, you name it) - everything except the SQL error log is on a separate partition for exactly one purpose: that no application log can stop the server dead in its tracks.

After clearing up the mess I thought "let's move the logs for SQL Server". Thanks to Alex I finally figured out where to do that - in the Configuration Manager:

Go to the Properties dialog, and modify the Startup Parameters (-eC):

Details can be found in the article Moving System Databases, section Moving the master and Resource Databases. Someone from Microsoft care to enlighten me as to why this log directory has been hidden so far away from sight?

Categories: Administration | SQL Server
Monday, April 02, 2007 12:57:03 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, February 22, 2007

Usually, this wouldn't be down my alley, but thanks to VSTS I am a WSS user: all new WSS templates in one download. There are quite a few templates to choose from:

  • Absence Request and Vacation Schedule Management
  • Help Desk
  • Budgeting and Tracking Multiple Projects
  • Inventory Tracking
  • Bug Database
  • IT Team Workspace
  • Call Center
  • Job Requisition and Interview Management
  • Change Request Management
  • Knowledge Base
  • Compliance Process Support Site
  • Lending Library
  • Contacts Management
  • Physical Asset Tracking and Management
  • Document Library and Review
  • Project Tracking Workspace
  • Event Planning
  • Room and Equipment Reservations
  • Expense Reimbursement and Approval Site
  • Sales Lead Pipeline

I highlighted a few that might be interesting to developers.

Thursday, February 22, 2007 10:19:47 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, February 06, 2007

Once again, the TFS installation guide has been updated (2/5/2007). Download here

Tuesday, February 06, 2007 10:53:50 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, December 12, 2006

The most useful utility for deployment (or name your task, like directory comparison) is most decidedly Robocopy, which previously shipped only as part of the OS resource kits. Now with Windows Vista, however, Robocopy comes in the box.

To get up and running quickly, I recommend that you get Robocopy GUI:

It makes getting started with Robocopy a tad easier.

Categories: Administration | Vista
Tuesday, December 12, 2006 9:01:27 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

This is the firewall settings dialog - much the same as we know it from Windows XP already:

However, once you fire up the management console (mmc.exe), you can add snap-ins for advanced firewall configuration (ok, IPSec is one of my personal favorites and not necessary to configure the firewall per se...):

Once you have done this, you can now configure the firewall like, well, an administrator would expect - rule based:

Categories: Administration | Security | Vista
Tuesday, December 12, 2006 8:46:50 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



 Thursday, November 16, 2006

In today's pre-lunch session at IT Forum the speaker used a term I had never heard before: stiffware. And I have to agree - stiffware does pose a serious problem when you cannot 'call' (other means of 'communication' might be unreliable to say the least <g>) the guy who wrote that piece of software so you can properly configure or even install it.

Speaking of the session itself, Microsoft SoftGrid is a really cool technology. The client - which contains more than the SoftGrid client - called the Desktop Optimization Pack, is equally interesting.

Categories: Administration | this | Vista
Thursday, November 16, 2006 12:07:18 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, March 29, 2006

If you need to find out just what devices are running Web services in your network (aside from the obvious Web servers, this includes nowadays printers, access points and many more), then you should check out httprint. It doesn't rely on server banners or fall for other obfuscation techniques, so it is quite handy to find out just what software is running on that box.

Categories: Administration | IIS | Security
Wednesday, March 29, 2006 2:14:01 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, March 28, 2006

In case you need it too: Configuring SSL Host Headers shows you how to get up and running with one IP, port and certificate but multiple host headers. All you need is a wildcard certificate (learn more here) and some CLI magic because there is no UI for it. Basically, it boils down to (for example):

adsutil.vbs set w3svc/siteid/SecureBindings ":443:host.wildcarddomain.com"

Categories: Administration | IIS | Security
Tuesday, March 28, 2006 6:33:32 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 

Don't know how this one could slip by me - Windows Server 2003 Service Pack 1 (SP1) shipped a rather important update: you can run SSL in kernel mode (http.sys) instead of user mode. There are restrictions which are detailed here (most B2C SSL sites will do just fine), and the procedure to enable kernel-mode SSL shows how to get up and running in no time. Mostly you are only dealing with the registry key HKLM\System\CurrentControlSet\Services\HTTP\Parameters\EnableKernelSSL.

Categories: Administration | IIS | Security
Tuesday, March 28, 2006 6:24:04 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, February 23, 2006

On Windows Server 2003, this is the default logging directory for the Hypertext Transfer Protocol (HTTP) APIs, better known as the kernel-level http.sys driver. Chances are, you don't know that this directory exists, or what is logged there (and if you look right now, you will be surprised how big that directory is!).

When you are using IIS 6.0, all requests are first received by http.sys and then passed on to IIS - previously, IIS itself was listening for requests. Http.sys passes the requests on intelligently, which means that certain requests never even reach IIS. For example, invalid URLs are rejected before IIS sees them:

2006-02-23 19:05:00 172.179.161.165 1422 195.234.231.66 80 HTTP/1.1 GET /serv<script%20language= 400 - URL -

Most often it is simple connection timeouts, but to get the most out of the (huge) log files, you should be using LogParser anyway.

The reason why I started this blog entry is actually this: if you don't like the HTTPERR log files on your system disk, you can relocate them. The procedure is detailed in the article Error logging in HTTP API, which also dives into the format of the log file, and which kinds of errors are actually logged there.
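To show what the HTTPERR format carries, here is an added parser (written for this page, not from the post or from LogParser) run over a constructed sample: the first data line is the one quoted above, the other three are made up in the same layout (two idle-connection timeouts and one full request queue). The field names come from the `#Fields:` header http.sys writes; the summary by reason and the list of URL-rejected requests are the two things worth pulling out first, because requests refused here never reached IIS and therefore never appear in the site's W3C logs.

```python
from collections import Counter
from urllib.parse import unquote

# Field order from the "#Fields:" header of an HTTPERR log; used when a file has no header.
DEFAULT_FIELDS = ["date", "time", "c-ip", "c-port", "s-ip", "s-port", "cs-version",
                  "cs-method", "cs-uri", "sc-status", "s-siteid", "s-reason", "s-queuename"]

# Constructed sample: the first data line is the one quoted in the post; the others are
# made up in the same layout (two idle-connection timeouts and one full request queue).
SAMPLE_LOG = """\
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2006-02-23 19:05:00 172.179.161.165 1422 195.234.231.66 80 HTTP/1.1 GET /serv<script%20language= 400 - URL -
2006-02-23 19:05:07 10.0.0.5 3011 195.234.231.66 80 - - - - - Timer_ConnectionIdle -
2006-02-23 19:05:09 10.0.0.6 3012 195.234.231.66 80 - - - - - Timer_ConnectionIdle -
2006-02-23 19:07:13 10.0.0.8 3031 195.234.231.66 80 HTTP/1.1 POST /app.aspx 503 1 QueueFull DefaultAppPool
"""


def parse_httperr(text):
    """Parse HTTPERR log text into one dict per entry, keyed by the #Fields names.

    http.sys percent-encodes the URL it logs, so splitting on whitespace is safe."""
    fields = DEFAULT_FIELDS
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or corrupt line: skip it rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def reasons(records):
    """How often each s-reason occurs: the first view to take over a big file."""
    return Counter(r["s-reason"] for r in records)


def rejected_urls(records):
    """Requests http.sys refused for the URL itself (reason 'URL'), decoded for reading.

    These never reached IIS, so they show up only here, not in the site's W3C logs."""
    return [(r["c-ip"], unquote(r["cs-uri"])) for r in records if r["s-reason"] == "URL"]


if __name__ == "__main__":
    recs = parse_httperr(SAMPLE_LOG)
    print(reasons(recs))
    for ip, url in rejected_urls(recs):
        print(ip, url)
```

Feed it a real file with `parse_httperr(open(path).read())`; the `#Fields:` header in the file overrides the default column list, so a log written with a different field order still parses correctly.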

Categories: Administration | IIS
Thursday, February 23, 2006 10:22:46 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, January 26, 2006

Today, I got this message when I tried to access Microsoft Update on my Windows Server 2003 box. It told me that it either didn't find the control, or that it wasn't installed - and that I should look out for that yellowish bar advertising an ActiveX install attempt. Well...

After some hair pulling, Stephan pointed me to the article ActiveX controls may not load as expected in Internet Explorer due to defense in depth changes introduced in cumulative security update 896688. The downloadable olereg.vbs did the trick - WU is now back in business.

Categories: Administration
Thursday, January 26, 2006 11:35:16 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Sunday, January 15, 2006

Three months ago, I installed the NoSpamToday! SMTP Proxy on my dedicated server box (you can read about the adventures encountered in my blog entry Web applications and SMTP proxies don't mix well). Today I had a look at the statistics:

On average, the proxy rejects four out of five mails before they reach the mail server - for reasons ranging from malformed headers, banned file extensions, virus-contaminated attachments, and a SpamAssassin-based spam detection. Needless to say that my inbox is virtually spam-free since then. Neato.

Categories: Administration | this
Sunday, January 15, 2006 2:14:55 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, January 11, 2006

Downloads are available for x86, x64, as well as the documentation.

Categories: .NET | Administration | Cool Download
Wednesday, January 11, 2006 11:10:24 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, January 10, 2006

It is time for a "Dear John" letter to the programmer who came up with this default location:

The Program Files directory! Yikes. And I thought programmers are well aware of the fact that they should not, must not write to this location. But here in Trillian it is the default! Welcome to 2006.

Categories: Administration | this
Tuesday, January 10, 2006 8:12:29 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [1]

 



 Monday, January 02, 2006

Instead of risking my sanity by trying to install Virtual PC 2004 on my x64 box, I decided to go with Virtual Server 2005 R2 x64. Thankfully, this new release of Virtual Server allows installation on an XP host, and the setup experience was pleasantly uneventful.

Of course I ran into a snag - my default browser is Firefox, and the administration Web site didn't fully function with it. So back to Internet Explorer, and configure the first (existing) virtual machine:

I learned the following things:

  • Do not forget to configure the network adapters. Otherwise connecting to your domain can be a challenge.
  • Definitely enable Remote Desktop on your virtual machines, which brings me to the next item on my list:
  • When renaming a virtual machine, beware of your own cleverness. Especially if all your virtual machines were copied from a once-configured image, and you renamed one of those instances so that the original name no longer exists in Active Directory.

Other than that I have to say that Virtual Server 2005 R2 is a much better experience than Virtual PC 2004.

Categories: Administration | this | Virtual PC | x64
Monday, January 02, 2006 7:05:10 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Thursday, December 29, 2005

Now THAT takes the biscuit by a long distance:

Those are the two hard disks of my RAID mirror! Showing up in Safely Remove Hardware... hard disks, which of course are nowhere to be seen in the device manager:

Anybody have an idea on how to exclude certain devices from Safely Remove Hardware? Let me know, I'd be really glad to hear.

Update A friend of mine pointed out that he had seen this with a RAID controller on one of his boxes too. He suggested that stopping the device would not work. After some hesitation, I decided to give it a try - and it failed:

Thank goodness. If it had succeeded, I would have had a problem.

Categories: Administration | this | x64
Thursday, December 29, 2005 2:05:14 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Saturday, December 17, 2005

Today I set out to do something simple - at least I thought so. My server is configured to have a German keyboard layout together with the German input locale, like so:

So I set the Default input language to English (United States). Click Apply & OK, log off, and then log on again. Guess what - I am back to square one. Neither rebooting nor any other brute-force approach let me change that; it always automagically reverted. I'm quickly losing confidence in my sanity and the Windows server platform.

Update: Good grief! The local input language settings are automatically remoted to the Terminal session. This default behavior I view as counterintuitive. But it can be fixed, thanks to Markus Oestreicher for pointing it out to me - Input Language of Terminal Server Client Does Not Match That of Terminal Server Session

Categories: Administration | this
Saturday, December 17, 2005 4:13:13 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Friday, October 14, 2005

My dedicated server box not only serves Web applications (such as this blog), it also handles mail for the respective domains. This means I have to deal with spam. Which on one hand is nice because I can do whatever I please: drop mail based on whatever criteria I set up, and use whatever filtering software I need.

This is how the NoSpamToday! SMTP Proxy found its way on my box. I simply got tired of maintaining my (rather old) standalone SpamAssassin installation, and dealing with MailEnable's integrated but not chained RBL / SPF / virus scanning (by not chained I mean that those filters are evaluated separately, not like SA, where all filters[rules] are weighted and evaluated as a whole).

Because I only have one box, I had to resort to relocating MailEnable to port 45, so that NoSpamToday! could listen on 25 and forward to MailEnable if appropriate (*). I had configured SMTPS previously (port 465 redirected to localhost:45 via stunnel), so standard users could deliver their mail directly to MailEnable instead of having their outgoing mail scanned by the proxy.

But what about my Web applications? Initially, those were sending to localhost directly, and as such I had a relaying exception set up in MailEnable. This one had to go, obviously. So how can applications deliver mail to the mail server via the proxy? SMTP authentication is necessary for this to happen.

But this doesn't solve the whole issue; it opens a can of worms, performance-wise. The problem is, every single application (Community Server, dasBlog, Gemini, ...) assumes that your SMTP server listens on port 25. Wrong. That's the proxy. And that's a problem: all local outgoing email from those applications is scanned by antivirus and antispam filters. That completely wastes CPU resources, as well as adding to the number of addresses accepted by the backend mail server, driving up the licenses that would be needed for NoSpamToday! (**).

Call to action: Implement not only SMTP authentication in your applications, but also make the SMTP server port configurable. I'm guilty as well.

(*)

(**)
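As an added illustration of that call to action (example code written for this page, not taken from any of the applications named above): a throw-away SMTP listener plays the part of the proxied mail server, advertising AUTH PLAIN and refusing MAIL/RCPT/DATA until the client has authenticated, exactly the situation once the localhost relaying exception is gone. The client side reads host and port from its settings instead of assuming localhost:25 and logs in before submitting. The hostnames, credentials and message are constructed; the listener binds to port 0 so the OS picks a free port, which makes the point that the port cannot be hard-coded.

```python
import base64
import smtplib
import socket
import threading

# Constructed demo credentials. An application should read host, port and
# credentials from its configuration instead of assuming localhost:25.
DEMO_USER = "webapp@example.test"
DEMO_PASS = "demo-only-secret"
MESSAGE = "From: webapp@example.test\r\nTo: ops@example.test\r\nSubject: nightly build\r\n\r\nBuild finished.\r\n"


def start_demo_relay(user, password):
    """Throw-away single-connection SMTP listener on an ephemeral port: a stand-in for the
    proxied mail server, not a real MTA. Advertises AUTH PLAIN; refuses mail until authenticated."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port, which is never 25
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]
    record = {"mail": [], "rcpt": [], "body": [], "auth_ok": False}

    def serve():
        conn, _ = srv.accept()
        rfile = conn.makefile("rb")
        reply = lambda text: conn.sendall((text + "\r\n").encode("ascii"))
        reply("220 relay.example.test ESMTP demo")
        in_data = False
        while True:
            raw = rfile.readline()
            if not raw:
                break
            line = raw.decode("latin-1").rstrip("\r\n")
            if in_data:  # message body runs until a line holding a single "."
                if line == ".":
                    in_data = False
                    reply("250 OK: queued")
                else:
                    record["body"].append(line)
                continue
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                conn.sendall(b"250-relay.example.test\r\n250 AUTH PLAIN\r\n")
            elif verb == "AUTH":
                # RFC 4616 PLAIN: base64([authzid] NUL authcid NUL passwd), sent inline by smtplib
                mech, _, blob = arg.partition(" ")
                parts = base64.b64decode(blob).split(b"\x00") if mech.upper() == "PLAIN" else []
                if len(parts) == 3 and parts[1] == user.encode() and parts[2] == password.encode():
                    record["auth_ok"] = True
                    reply("235 2.7.0 Authentication successful")
                else:
                    reply("535 5.7.8 Authentication credentials invalid")
            elif verb in ("MAIL", "RCPT", "DATA"):
                if not record["auth_ok"]:
                    reply("530 5.7.0 Authentication required")  # no relaying without AUTH
                elif verb == "DATA":
                    in_data = True
                    reply("354 End data with <CR><LF>.<CR><LF>")
                else:
                    record[verb.lower()].append(arg)
                    reply("250 OK")
            elif verb == "QUIT":
                reply("221 Bye")
                break
            else:
                reply("502 Command not implemented")
        conn.close()
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread, port, record


def send_via_relay(settings, sender, recipient, message, authenticate=True):
    """What the post asks of applications: host *and* port come from settings, and the
    client authenticates before submitting (authenticate=False only demonstrates the refusal)."""
    with smtplib.SMTP(settings["host"], settings["port"],
                      local_hostname="app.example.test", timeout=10) as client:
        if authenticate:
            client.login(settings["user"], settings["password"])
        client.sendmail(sender, [recipient], message)


def demo(password=DEMO_PASS, authenticate=True):
    """Run one exchange against the demo relay; returns (outcome, what the relay recorded)."""
    thread, port, record = start_demo_relay(DEMO_USER, DEMO_PASS)
    settings = {"host": "127.0.0.1", "port": port, "user": DEMO_USER, "password": password}
    try:
        send_via_relay(settings, "webapp@example.test", "ops@example.test", MESSAGE, authenticate)
        outcome = "delivered"
    except smtplib.SMTPAuthenticationError:
        outcome = "auth rejected"
    except smtplib.SMTPSenderRefused:
        outcome = "relay refused"
    thread.join(10)
    return outcome, record
```

`demo()` delivers; `demo(password="wrong")` ends in a 535 and `demo(authenticate=False)` in a 530 on MAIL FROM, which is what an application hard-wired to anonymous localhost:25 would see once the proxy sits in front of the mail server.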

Categories: Administration | ASP.NET | this
Friday, October 14, 2005 9:19:33 AM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Wednesday, October 05, 2005

Another great tip from Ben Armstrong, aka Virtual PC Guy: Configuring NAT via using the Microsoft Loopback Adapter and Internet Connection Sharing.

Categories: Administration
Wednesday, October 05, 2005 2:47:30 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, October 04, 2005

Here you will find various documents to get you started with Monad. Includes a getting started guide (now that was a surprise), MSH language reference, using tracing and three hands-on labs. Downloads for Monad itself can be found in the Related Downloads section.

Categories: Administration | Cool Download
Tuesday, October 04, 2005 2:59:52 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]

 



 Tuesday, August 23, 2005

I admit that I am not the sort of person who likes to go through long-winded installation instructions. However, I am willing to go to great lengths when it comes to security - still with certain limits though. And I hit such a brick wall today: trying to secure Subversion. From the documentation, I knew that the recommended path was SSH, so I set out to find out how to get this up and running on my Windows box.

Owning the black sock in Google fu, I came up with various articles, the most helpful being SVN+SSH+public key authentication on Windows Box as server. Most helpful because after reading the aforementioned recipe plus Subversion / TortoiseSVN SSH HowTo, I decided to scratch my efforts. Why?

For starters, I am not a big fan of Cygwin. That's just personal mischief of a Windows guy, I can swallow my pride when the tools that depend on it provide merit. What's more of a problem for me is installing a service for adding security to another service - especially if I need that new service just for the "security purpose", and not the other bells and whistles it can provide (plus the security issues that might be hidden in those unused parts). Call me paranoid, but I simply like to reduce "moving parts" in my setups, because: What's worse than malicious traffic? Right, encrypted malicious traffic.

Secondly, do you think - honestly - that developers love to jump through hoops to get access to the repository? (I am referring to the client side of things on Windows.) Not really. Off the top of my head, I fall short of naming a single developer I personally know who would love to follow those steps. But every single one of them would be more than willing to just replace svn:// with svns:// when accessing a repository.

Conclusion: yes, I am whining about the usability of an open source project. As I am participating on one myself, you very well can spare me the "usual" arguments of do-it-yourself-because-the-sourcecode-is-available-anyways. This is a rant. I want to be unreasonable. But it sure would be nice if security was in the box. Especially nowadays.

Categories: Administration | Security | Subversion
Tuesday, August 23, 2005 3:00:57 PM (W. Europe Standard Time, UTC+01:00)  #    Comments [0]