Blog

I installed PGP on my new laptop and after the reboot I got the PGP prompt for my passphrase.  This was a new laptop and was not yet encrypted, so I was a little confused about where it got a passphrase, since I was using BitLocker on my old laptop.  Then, logging into the PGP Universal Server, I remembered I had used PGP to encrypt a different laptop while we were testing.  PGP carried over the old passphrase, and of course, since it was installed on a test laptop, I didn't remember (or record) the passphrase I used.  I removed my user and computer entries in PGP and was able to install and encrypt after wiping the partition table and reinstalling from the factory default image.


 

At a customer site running a Barracuda firewall, iPhone users were unable to check for device updates. Every time a user had iTunes check for device updates it would fail. One of the rules in the Barracuda is to allow iTunes updates.  The rule to allow iTunes updates was enabled, but the traffic was still being blocked. I monitored the web log and found the iPhone version check was being blocked by a streaming media filter. I added a URL pattern to allow access to iTunes.apple.com, and iPhone update traffic could then get through the Barracuda.


 

I was troubleshooting an application called QuickFile, which uses FTP to transmit certain tax data, at one of our customer sites. When you launched the application or tried to send the data, it would give you an error saying that it could not connect to the FTP server. I worked on allowing outbound FTP access from this computer, but it was still not working. After watching the logs on the ASA I could see the FTP connection was successfully being established. I then called the vendor and they sent me a breakdown of what the program is trying to do at that point, and I found that it had to modify some files in the QuickFile program directory during the process. I then gave the user rights to that directory and it started to work again. So be careful not to completely trust the error messages that applications display, as they can sometimes be misleading.


 

The time would not stay synchronized on my Windows 7 machine.  It looked like it was configured to sync with DC3, but it was not working.  After some research I found a hotfix, http://support.microsoft.com/kb/978714, that fixed it.  I used this command to configure the time synchronization:

w32tm /config /manualpeerlist:time-a.timefreq.bldrdoc.gov /update /syncfromflags:manual

See http://support.microsoft.com/kb/223184 for additional settings in the registry.  This KB article is for Windows 2000.  I could not find a KB article for Windows 7, but I think most of these settings still work.  There are other documents from Microsoft about this, but I just liked this KB article best.


 

Secunia is one of the many security firms who maintain teams of researchers looking for vulnerabilities in software applications.  I have seen their name credited on several vulnerability notices from CERT and SANS.  They offer a software vulnerability tool called Secunia Personal Software Inspector that is free for personal use.  It scans your system looking for all executable files and then compares them to their database of current software versions/vulnerabilities.  I have used it on a couple of systems that I believed to be current and found at least half a dozen out-of-date or vulnerable apps.  Apart from the security benefits, it can also be an easy way to see if there are new releases for any of your software.  For example, Secunia PSI informed me that a new version of Wireshark was available for my home computer even though it didn't find any security vulnerabilities for the version I was using.  This can be much easier than individually opening each app and clicking on "check for updates", or even worse, having to go to the app's website to see if a new version is available.


 

In IIS6 you allowed large file uploads to an ASP.NET website by adding the following key to the web.config:

<httpRuntime maxRequestLength="102400"
     useFullyQualifiedRedirectUrl="true"
     executionTimeout="900" />

You would just set the maxRequestLength to a number of kilobytes that is greater than the size of the largest file you plan to upload.  We recently moved a site from a server running IIS6 to IIS7.  After the move, our website users had problems uploading large files.  They would submit a form, the progress bar would move for a while, then they would get a 404 page not found error.  The form was posting back to itself, so the page did exist.  It turns out we needed to add an additional web.config setting that's new to IIS7.

    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="104857600"/>
            </requestFiltering>
        </security>
    </system.webServer>

The maxAllowedContentLength in this setting is specified in bytes.

Note: These settings exist to help prevent denial of service attacks, so keep that in mind when you pick your limits.
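Both limits together in a single web.config, as an added example (not the site's own configuration from the post): both are set to 100 MB, and the comments record the defaults, the unit of each value, and which check rejects the request first.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- ASP.NET limit, in KILOBYTES. The default is 4096 (4 MB).
       102400 KB = 100 MB. -->
  <system.web>
    <httpRuntime maxRequestLength="102400"
                 executionTimeout="900"
                 useFullyQualifiedRedirectUrl="true" />
  </system.web>

  <!-- IIS 7 request-filtering limit, in BYTES. The default is 30000000
       (about 28.6 MB). 104857600 bytes = 100 MB, matching the ASP.NET
       value above. Request filtering runs before ASP.NET ever sees the
       request, so a body larger than this value is rejected with HTTP
       404.13 (the bare "404" the users saw) no matter how large
       maxRequestLength is. Whichever of the two limits is lower is the
       one that actually applies. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="104857600" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```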


 

During an IT security audit this week, I had the chance to test the Cisco AnyConnect VPN client from a VPN-hostile network.  The bank has implemented multiple layers of Internet filtering including web content filtering, outbound port filtering, and inbound IP address/port filtering.  As expected, the old Cisco IPSEC VPN client could not connect.  The AnyConnect client, however, connected on the first try without having to ask the bank to modify any of their access controls.

FYI, the AnyConnect client dynamically determines if it can also use a Datagram Transport Layer Security (DTLS) tunnel via UDP in addition to the SSL tunnel.  If the DTLS tunnel connects and is “healthy” the client will use both the SSL and DTLS tunnels to transmit data.  If the DTLS tunnel cannot connect or is unreliable, the client will dynamically switch to using only the SSL tunnel.  You can read more about it on Cisco’s AnyConnect FAQ page.


 

While debugging a problem that required uploading files to a website, one of the files started getting an error at the start of the upload instead of at the end.  This didn't make sense, because the problem being debugged occurred after the file was uploaded to the website.  This looked like a different problem from the one we were hunting.  We suspected that the problem was connected to the file being uploaded rather than the website.  When we looked for the file on the Desktop it wasn't there.  This was odd.  We went back to Internet Explorer and the file was displayed in Internet Explorer's file dialog, but the file was not on the Desktop.  We tried closing Internet Explorer and restarting, but Internet Explorer still showed the phantom file.

It turns out this is an artifact of Internet Explorer's sandbox implementation on Vista or Windows 7.  Under certain conditions Internet Explorer writes to a virtualized Desktop folder located on the file system at: C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\xxx\Desktop.  If you need to move or remove the files in the "Virtualized" directory, the easiest solution is to open the file browser dialog in Internet Explorer and then move or delete the files from inside that dialog.

More information is available in an article by Mark Russinovich: http://blogs.technet.com/markrussinovich/archive/2009/02/03/3174194.aspx


 

If you use the setup wizard for Cisco ASA appliances to allow SSH access, it doesn't auto-generate a key.  It will create the access rules, but you still won't be able to SSH to the firewall until the key is generated.  The quickest way to generate the key is via the command (the ASA syntax is "crypto key generate", followed by the key size):

crypto key generate rsa modulus <modulus-size>

Note: The modulus-size can be 512, 768, 1024, or 2048.  The value of 1024 is recommended.


 

We've had issues with cached credentials not updating when a user’s password expires while he or she is away from the office. The only connection into the network is through terminal services (non-VPN) and the password is changed on the terminal server.  The problem is that the cached credentials on the user’s laptop are not updated, even after the user connects via VPN for a while.  Here is the easiest way I've found to force cached credentials to update to the new password.  While connected via VPN, have the user lock their laptop (Win+L) and then unlock the laptop using the new password. This procedure forces the laptop to check in with the domain controller and authenticate using the new password.