Historically VMware has not used the strongest hashing algorithms to store root passwords on ESXi or ESX hosts. And to make matters worse, ESX/i 4.1 had a major security hole that was open for over four months, which you can read about here. The short story is that ROOT passwords...
Yesterday I stumbled upon a blog post about a free Microsoft security tool. No matter how secure you think your system is, it can always be more secure. So I eagerly read Ed Bott's article about Microsoft's EMET (Enhanced Mitigation Experience Toolkit). I quickly installed it, configured it for maximum...
As most Windows administrators know when you logon to any system locally or remotely Windows generates a token that contains a list of security identifiers of all the groups the user belongs to. In large environments or where you have implemented granular role-based security, top-tier users could be a member...
Today a colleague of mine asked me if I really thought one could tell what cipher strength is used during SSL transactions. I said sure! Piece of cake if you know what to look for. Just like in the movie Matrix, if you stare at the cipher text long enough...
One of the neat security features with SQL 2005 and later is the ability to use a SSL certificate to encrypt off-host SQL server communications over port 1433. Encrypting communications between your SQL server and your remote applications is strongly recommended. Do you really want credit card data, personal information...
While journying down the whole cipher suite road this weekend, I put together a little one liner that reconfigures the cipher suite order that Windows will try and use. As I mentioned in a previous blog, you can configure this via GPO. But, maybe you want to build in the...
After many hours of digging around the Windows registry and experimenting with various keys to enable TLS 1.2 on Windows Server 2008 R2 and Windows 7 (see my blog post here), I found this free tool that gives you one click access to configuring your Windows Cipher Suites. The Harden...
One of the sessions that I attended today was by the very popular Marcus Murray. He's a Swedish security expert and Microsoft security MVP. I heard him speak a couple of years ago at TechEd Orlando and was really blown away by the content and his presentation style. Thankfully Microsoft...
This was a KILLER session by Laura Chappell, who is the author of Wireshark Network Analysis. I've never heard her present before, but she really rivals Mark Minasi in every way. Her presentation was filled with great tidbits of information including:- Full duplex taps - These are much preferred over...
VMware has finally released their draft version of the security hardening guides for vSphere 4.0. After taking a look at some of them, I'll make a few observations:1) Totally different format than previous versions, now organized in tables. Very similar to the DISA STIG security guides.2) VMware adopted various security...
In the release notes of vCenter 4.0 Update 1 it mentions that the SSL thumbprint problem is solved. The bug in 4.0 caused various thumbprint entries buried deep in the ADAM LDAP database to not be updated when the certificates were replaced. That caused all kind of issues. Today I...
For quite a while I've been trying to get SSL certificates uploaded to an ESXi 4.0 host which were issued by our internal Microsoft CA. Unfortunately I ran into issues, the last being that adding an ESXi 4.0 host to vCenter 4.0 with the certificate would die at 80%.After additional...