Enabling HTTP Strict Transport Security (HSTS) For WordPress

If you are a WordPress site administrator, one of the things you can do to improve SEO results and security is secure your site with SSL. Yes, even if you aren’t doing transactions (ecommerce, PayPal, etc.), using SSL is still recommended. Depending on your WordPress hosting company, they may even have free SSL certificates for you to use. But there are different flavors and configurations of SSL that can improve or detract from your security posture. One feature that was recently brought to my attention is HTTP Strict Transport Security, or HSTS.

HSTS, in short, tells your browser that you only want it to use (and enforce) SSL connections. Attempts to downgrade to non-encrypted communications are prohibited. HSTS is a response header that your WordPress site sends to the browser, and it is not enabled by default (that I’m aware of). Since SSL configuration can be tricky, and you can end up with mixed-mode content, I recommend a WordPress plug-in called Really Simple SSL.

As the plugin name implies, this makes configuring SSL (with HSTS) super easy and all from the GUI. It also scans your WordPress site for potential mixed content issues and brings them to your attention. My site had a couple of flagged issues that I fixed. The free version of the plug-in doesn’t configure/test HSTS for you, but their premium version does (and makes it 1-click easy).

However, it may still take a bit of configuration tweaking to fully enable HSTS. First, after you enable HSTS in the plugin, go to hstspreload.org and check your results. In my case, I had two errors. My site is currently error free, so I’m using aol.com as an example for what you may see.

First, ignore the no HSTS header error. That is likely caused by the second error and does not mean Really Simple SSL didn’t do its HSTS configuration. I use WP Engine as my provider, so I contacted their help desk and gave them a copy of the error. They did some back-end redirection magic and fixed up the redirection issue in about 15 minutes. My redirection issue was slightly different from AOL’s problem, but caused the same red failure message. After your redirection issue is fixed, re-try the scan. In my case, it came back with a green screen showing everything is good. Next, you can submit your site to be included on the global HSTS list, which I also did. Many browsers like Chrome and Firefox use the HSTS list for additional security measures.
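The hstspreload.org checks above boil down to a few rules about the Strict-Transport-Security header itself (a max-age at least as long as the preload minimum, includeSubDomains and preload present) plus the redirect behaviour. The PowerShell below is an added example, not code from the post or from the Really Simple SSL plug-in: it parses a header value the way a browser would (semicolon-separated, case-insensitive directives) and reports what would fail preload submission. The one-year minimum max-age (31536000 seconds) is an assumption taken from the current hstspreload.org requirements; the sample header strings are constructed.

```powershell
# Added example (not from the original post): validate a Strict-Transport-Security
# header value against the hstspreload.org submission rules.
# Assumption: $PreloadMinMaxAge (one year) reflects the current hstspreload.org minimum.

function Test-HstsHeader {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$HeaderValue,
        [long]$PreloadMinMaxAge = 31536000
    )
    $result = [ordered]@{
        Present           = -not [string]::IsNullOrWhiteSpace($HeaderValue)
        MaxAge            = $null
        IncludeSubDomains = $false
        Preload           = $false
        Problems          = New-Object System.Collections.Generic.List[string]
    }
    if (-not $result.Present) {
        $result.Problems.Add('No Strict-Transport-Security header was returned over HTTPS.')
        $result.PreloadEligible = $false
        return [pscustomobject]$result
    }
    # Directives are ';'-separated and case-insensitive (RFC 6797).
    foreach ($directive in ($HeaderValue -split ';')) {
        $d = $directive.Trim()
        if (-not $d) { continue }
        $name, $value = $d -split '=', 2
        switch ($name.Trim().ToLowerInvariant()) {
            'max-age' {
                $v = ($value -replace '"', '').Trim()
                if ($v -match '^\d+$') { $result.MaxAge = [long]$v }
                else { $result.Problems.Add("max-age value '$v' is not a non-negative integer.") }
            }
            'includesubdomains' { $result.IncludeSubDomains = $true }
            'preload'           { $result.Preload = $true }
            default             { $result.Problems.Add("Unknown directive '$name' (browsers ignore it; check for typos).") }
        }
    }
    if ($null -eq $result.MaxAge) {
        $result.Problems.Add('max-age is missing; browsers ignore the header without it.')
    } elseif ($result.MaxAge -lt $PreloadMinMaxAge) {
        $result.Problems.Add("max-age $($result.MaxAge) is below the preload minimum of $PreloadMinMaxAge seconds.")
    }
    if (-not $result.IncludeSubDomains) { $result.Problems.Add('includeSubDomains is required for preload.') }
    if (-not $result.Preload)           { $result.Problems.Add('preload directive is required for preload.') }
    $result.PreloadEligible = ($result.Problems.Count -eq 0)
    return [pscustomobject]$result
}

function Get-SiteHstsHeader {
    # Fetches the header from the HTTPS front door without following redirects.
    # Windows PowerShell treats a redirect with -MaximumRedirection 0 as an error, so a
    # $null result means "no header OR a redirect happened": query the final HTTPS host name.
    param([Parameter(Mandatory)][string]$HostName)
    $response = Invoke-WebRequest -Uri "https://$HostName/" -Method Head -MaximumRedirection 0 -ErrorAction SilentlyContinue
    if ($null -eq $response) { return $null }
    return @($response.Headers['Strict-Transport-Security'])[0]
}

# Constructed sample header values, roughly what a plug-in might emit.
$samples = [ordered]@{
    'preload-ready' = 'max-age=31536000; includeSubDomains; preload'
    'too-short'     = 'max-age=300'
    'missing'       = ''
}
foreach ($kv in $samples.GetEnumerator()) {
    $r = Test-HstsHeader -HeaderValue $kv.Value
    '{0,-14} eligible={1} problems={2}' -f $kv.Key, $r.PreloadEligible, ($r.Problems -join ' | ')
}
# Live check of your own site: Test-HstsHeader -HeaderValue (Get-SiteHstsHeader 'www.example.com')
```

The "no HSTS header" error the post mentions maps to the Present = False case: when the HTTP-to-HTTPS redirect is wrong, the checker never reaches the page that actually sends the header, which is why fixing the redirect first makes that error disappear.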

And just to make sure my SSL is in top-notch shape, I went over to SSL Labs and ran a test. And yes, my site is now rated A+, which is exceptionally good. It even picks up the fact that I’m successfully using HSTS.

And there you go! A simple, but not totally free, way to deploy and check HSTS on your WordPress site. Given the plug-in is just a few dollars, and helps fix up a variety of SSL issues besides HSTS, I think it’s money well spent.

Ignite 2015: Platform security vision

Session: BRK2482

Technology landscape:

Virtualization: VMs decoupled from hardware. Can’t use TPM, UEFI, secure boot, etc. VM mobility, complex lifecycle, strong isolation.

Cloud Computing: Treat your systems like cattle, not pets. Management process at scale. Distributed cloud.

Service Providers: trust boundary between tenant and service provider. Governance, risk, compliance. Cloud adoption blocker? Distributed accountability.

Administrator privileges – a risk factor. Stolen admin credentials. Insiders. Malicious service provider staff. They WILL be compromised.

Principles: Assume breach, trust boundaries.

Microsoft is introducing the “Trust Plane” between the Fabric and the workloads.

Virtual Secure Mode: Separate address space isolated from host OS. Enforced by hypervisor using hardware. Small “trustlets”. NO Windows stack, no network, no drivers, etc.

VM protected at rest and in transit: VM encrypted on disk, encryption key is locked in virtual TPM. Secure key exchange within the trust plane. Fabric and control plane have no access to keys.

Showed a demo where a tenant admin could NOT open a bitlocker encrypted VHDX.

Attestation service – Uses physical TPM, vTPM and UEFI. If a host is rootkited, it will invalidate the trust chain and be evicted from the cloud. Provider admin can’t open a console to a shielded VM.

Protect Workloads from direct attack

Encryption does not protect against legitimate access. Identity management is fundamental.

Demo: Privileged access control. Just-in-time and just-enough privileges to do your job. Shows off a portal to request privileges, which then scopes your privileges to a specific part of the system.

Reduce attack surface: Nanoserver

Harden for common attacks: pass-the-hash mitigations (LSA in VSM). Applies only to Windows 10 and Server 2016.

Operations Insights Security Pack

Shows a demo of a pass-the-hash attack where the Microsoft product detected and alerted on it in real time.

Bottom line: Get servers with TPM 2.0 and UEFI.

Critical VMware Security Patches Released

In case you missed it, VMware has released a number of product updates to address a critical vulnerability in the JRE. The JRE is used in many products, so a wide range of products are affected. You can read the full bulletin here. The bulletin details which product version you need to be running to be patched. In many cases patches are “pending”, such as for vCenter 6.0 and SRM, so keep your eyes out for another VMware announcement when the patches become available. The full patch matrix seems to include products that didn’t make the affected products list, so carefully review the full security bulletin, as a majority (if not nearly all) VMware products are affected.

(Some) Affected Products:

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
vCenter Operations Manager 5.8.x or 5.7.x
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8, 5.7

vSphere 5.1 U3 Now Out

Right on the heels of VMware Workstation 11 being released, VMware has released vSphere 5.1 U3. No major new features, but according to the release notes there is support for new guest operating systems (without being specific) and it also resolves a number of issues. Also updated in this release are VMware tools and the SCSI MegaRAID SAS VIB. Some security patches are also included, so be sure to start testing this release and planning your change control windows.

One interesting change in 5.1 U3, which was already included in 5.5 U2, concerns the resetting of the CBT (Changed Block Tracking) counter when doing a Storage vMotion: now if you do an svMotion, CBT state will be maintained. New to vCenter 5.1 U3 is support for Oracle 12c and Microsoft SQL 2014. It’s great to see VMware keeping up with database support. vCenter 5.1 U3 also includes an updated Java engine, which addresses a plethora of security issues. So once again, view 5.1 U3 as a security update which you need to plan on rolling out in your environment.

ESXi 5.1 U3 Release notes are here

vCenter 5.1 U3 Release notes are here

As always, you can download the newest updates from the My VMware portal. Be sure to conduct thorough testing in a lab environment before deploying this into production. Nutanix supports “U” releases day zero. But remembering back to the NFS issues introduced in earlier “U” releases, a good amount of testing is advised before putting this into production.


SQL 2014 Always-on AG Pt. 3: Service Accounts

This is Part 3 of the SQL 2014 Always-On Availability Group series, where we set up two service accounts and a security group. One account is for the database engine and the other is for the SQL Agent. In order for Kerberos to work properly, the database engine account must be Active Directory based. We will also be observing the rule of least privilege: the fewer privileges the accounts have, the more secure you are. So these accounts won’t be given local administrator rights. You don’t want your SQL service running with admin rights!

New to my SQL install series is the use of a gMSA (group managed service account), which is new to Windows Server 2012. For AlwaysOn Availability Groups I use a ‘regular’ service account for the database engine and a gMSA for the SQL Agent. A regular service account would work for the SQL Agent too, but I like using new OS features. Plus this means you have one less password to change, since the gMSA password is updated automatically on a periodic basis. For those of you not familiar with gMSAs, they are a special type of account whose password Windows manages automatically and changes periodically. You need at least one 2012 domain controller, and 2012 or 2012 R2 member servers.

Blog Series

SQL 2014 Always-on AG Pt. 1: Introduction
SQL 2014 Always-on AG Pt. 2: VM Deployment
SQL 2014 Always-on AG Pt. 3: Service Accounts
SQL 2014 Always-On AG Pt. 4: Node A Install
SQL 2014 Always-on AG Pt. 5: Unattended Node B
SQL 2014 Always-on AG Pt. 6: Cluster Configuration
SQL 2014 Always-on AG Pt. 7: TempDB
SQL 2014 Always-on AG Pt. 8: Max Mem & Email
SQL 2014 Always-on AG Pt. 9: SQL Maintenance
SQL 2014 Always-On AG Pt. 10: AAG Setup
SQL 2014 Always-On AG Pt. 11: File Share Witness

Database Engine Account

1. Using ADUC create a service account using your naming convention. I’ll call mine SVC-D002SQL03-DBE. Set a complex password and make sure it does not expire.

[Screenshot: 2014-09-13_8-25-42]

2. Security is always at the top of the list, so let’s enable AES encryption for Kerberos. I’d also set an account description, so that two years from now you know what the service account is for.

[Screenshot: 2014-09-13_8-27-07]

Agent gMSA Configuration

1. On your SQL server enter the following PowerShell command:

Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

2. Download the free Managed Service Account GUI from here. Install it using all defaults.

3. If you have never used a gMSA before, enter the following PowerShell command on your 2012 domain controller:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

4. Create a new service account. The account name MUST be equal to or less than 14 characters long. Select “Group MSA.”

[Screenshot: 2014-09-13_8-38-20]

5. When prompted to assign the new service account, say Yes. Enter the two new server names of what will be your SQL AlwaysOn Group.

[Screenshot: 2014-09-13_8-47-28]
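The same gMSA can be created without the GUI tool, using the ActiveDirectory module that step 1 installed. The script below is an added example, not from the post or the Managed Service Account GUI; the node names, the gMSA name, the group name and the description are placeholders. It follows the order the GUI hides: make sure a KDS root key exists, grant password-retrieval rights to a group holding the two node computer accounts (so a third node later is a group change, not a gMSA change), then create the account restricted to AES Kerberos like the database engine account above.

```powershell
# Added example (not from the original post): create the SQL Agent gMSA with the
# ActiveDirectory module. Run on a 2012+ domain controller or an RSAT workstation.
# Placeholders: $nodes, $gmsaName, $group, the description.
Import-Module ActiveDirectory

$nodes    = 'D002SQL03', 'D002SQL04'      # the two AlwaysOn nodes (placeholders)
$gmsaName = 'SVC-SQL03-AGT'               # 13 chars, within the 14-character limit noted above
$group    = 'GRP-SQL03-gMSA-Hosts'        # principals allowed to retrieve the managed password

# 1. One KDS root key per forest is required before the first gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # Same back-dating trick as the manual step, so the key is usable right away in a lab.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# 2. Group the node computer accounts instead of listing computers on the gMSA itself.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $group -Members ($nodes | ForEach-Object { Get-ADComputer $_ })

# 3. Create the gMSA; AES-only Kerberos matches the setting chosen for the DBE account in ADUC.
New-ADServiceAccount -Name $gmsaName `
    -DNSHostName "$gmsaName.$((Get-ADDomain).DNSRoot)" `
    -PrincipalsAllowedToRetrieveManagedPassword $group `
    -KerberosEncryptionType AES128, AES256 `
    -Description 'SQL Agent service account for the D002SQL03/04 AlwaysOn group (placeholder)'

# 4. On each node, locally (needs RSAT-AD-PowerShell from step 1 above):
#    Install-ADServiceAccount -Identity 'SVC-SQL03-AGT'
#    Test-ADServiceAccount    -Identity 'SVC-SQL03-AGT'   # True once the node can retrieve the password
```

One caveat worth knowing before step 4: a computer account only picks up its new group membership when it next obtains a Kerberos ticket, so reboot the nodes (or wait for the ticket to be renewed) after the Add-ADGroupMember call, otherwise Install-ADServiceAccount fails with an access-denied error even though the configuration is right.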

User Rights

1. In order to support large page tables and instant database initialization, we need to configure a couple of user rights on each node in the Local Security Policy. Add the database engine service account to the Lock Pages in Memory and Perform Volume Maintenance Tasks user rights. If you want SQL to write to the Windows Security log, then also add the DBE account to Generate Security Audits and Manage Auditing and Security Log.

The Lock Pages in Memory option is somewhat controversial. Some people say to only use it for VMs with 16GB+ RAM; others say don’t use it at all. Later on you will see that I configure the SQL max memory parameter, which greatly minimizes the potential problems from SQL page locking. The trend seems to be that you SHOULD configure it (along with SQL max memory), thus my recommendation to do so. The combination of large pages and locking pages in memory prevents the SQL Server buffer pool from being paged out by Windows. It also inhibits the balloon driver, which we don’t want activated since it can tank SQL performance.

You can go ahead and configure this user right now; large page tables won’t actually be used until they are also enabled in SQL via a trace flag.


[Screenshot: 2014-09-14_19]

3. Reboot both nodes after you configure the user rights, or they will not take effect.

4. Do NOT, I repeat, do NOT add either service account to the local administrators group on the SQL server. This is a security risk, and the SQL service should not be elevated. The SQL server will make the needed permission changes.

5. Lastly, we will create an AD security group that will be assigned SQL administrator rights. This is far better than assigning a specific user account. I called my group SQL_Sysadmin. Add your administrator account to this group.
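Because these rights are set per node in the Local Security Policy, it is easy for one node to drift from the other. The script below is an added example, not from the post: run as an administrator on each node, it exports the user-rights assignments with secedit, resolves the service accounts to SIDs, and reports whether the database engine account holds each right from step 1 and whether either service account has crept into the local Administrators group (step 4). The account names are placeholders; the two audit-log rights are flagged as optional since they are only needed if SQL writes to the Security log.

```powershell
# Added example (not from the original post): audit user rights and local Administrators
# membership on a SQL node. Requires an elevated prompt (secedit) and the LocalAccounts
# module (Windows Server 2016 / PowerShell 5.1 and later). Account names are placeholders.

# secedit reports privileges by constant name; this maps them to the policy display names.
$requiredRights = [ordered]@{
    SeLockMemoryPrivilege   = 'Lock pages in memory'
    SeManageVolumePrivilege = 'Perform volume maintenance tasks'
    SeAuditPrivilege        = 'Generate security audits (optional)'
    SeSecurityPrivilege     = 'Manage auditing and security log (optional)'
}

function ConvertTo-Sid([string]$Account) {
    # DOMAIN\name, or DOMAIN\name$ for a gMSA, to its SID string.
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Get-PrivilegeAssignments {
    # Parses the [Privilege Rights] section of a secedit export: 'SeXxx = *S-1-...,*S-1-...'
    param([string[]]$ExportLines)
    $map = @{}; $inSection = $false
    foreach ($line in $ExportLines) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $map[$Matches[1]] = @(($Matches[2] -split ',') |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $map
}

function Test-SqlNodeRights {
    param(
        [string]$EngineAccount,
        [string]$AgentAccount,
        [System.Collections.IDictionary]$Required
    )
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $assign = Get-PrivilegeAssignments -ExportLines (Get-Content $tmp)
    Remove-Item $tmp -ErrorAction SilentlyContinue

    # Step 1 rights: only the database engine account needs them.
    $engineSid = ConvertTo-Sid $EngineAccount
    foreach ($priv in $Required.Keys) {
        [pscustomobject]@{
            Account = $EngineAccount
            Check   = $Required[$priv]
            Pass    = [bool]($assign[$priv] -contains $engineSid)
        }
    }
    # Step 4: neither service account may be a local administrator.
    $adminSids = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
    foreach ($account in $EngineAccount, $AgentAccount) {
        [pscustomobject]@{
            Account = $account
            Check   = 'Not a member of local Administrators'
            Pass    = -not ($adminSids -contains (ConvertTo-Sid $account))
        }
    }
}

# Placeholders: the DBE account from above and the Agent gMSA (gMSA names end in '$').
Test-SqlNodeRights -EngineAccount 'CORP\SVC-D002SQL03-DBE' `
                   -AgentAccount  'CORP\SVC-SQL03-AGT$' `
                   -Required $requiredRights | Format-Table -AutoSize
```

A row with Pass = False on a Lock Pages in Memory or Perform Volume Maintenance Tasks check after the reboot in step 3 usually means the right was granted to a different principal than the one SQL actually runs as; a False on the Administrators check is the step 4 mistake and should be fixed before installing SQL, since the installer will otherwise happily inherit the elevated context.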

Summary

This is a very short and simple installment in the SQL 2014 AlwaysOn Availability Group series. We created two service accounts, gave them the proper user rights, and created a security group. Next up in Part 4 we finally get to start installing the SQL Server services on the first node.

VMworld 2014: DISA STIG vSphere 5 Deep Dive

Session INF1273

This was a very technical session on how to implement the DISA STIGs (security lockdowns) for DoD/Government customers. Many of the slides contained script snippets that help automate the process, so my session notes are very light. If you are a U.S. Federal Government customer that must comply with the STIGs, then look at the reference slide I have below. The speaker’s automated scripts and VIBs are located on a CAC-only web site for you to download. If you attended VMworld, then listen to this session and gain some insights into the issues the authors found and how to overcome them.

STIGs are broken up into three areas: hosts, VMs and vCenter.

Checking VM settings with PowerCLI: Easiest report to create, since it relies mostly on VMX settings.

Checking ESXi settings with PowerCLI: Most host STIG controls cannot be queried via exposed APIs. Shows a script that uses Plink and PowerShell to query settings over SSH.

Checking vCenter controls with PowerCLI: Very manual process.

ESXi host hardening requires changing files on the host or adding new files, but those changes are non-persistent and disappear upon reboot.

ESXi5-CPT: Graphical tool to create VIBs that can replace files on ESXi hosts.

Use ‘esxcli software vib install -d <path> --no-sig-check’ to install the custom VIB, or use PowerCLI.

Additional tools: vCenter Configuration manager (vCM), Nessus scanner, VMware compliance checker, DoD Forge.mil project
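The VM part of the STIG is the easy one because the controls are VMX keys that PowerCLI exposes through Get-AdvancedSetting. The script below is an added example, not the speaker's script: it compares each VM's advanced settings against an expected baseline and reports anything missing or different, treating an absent key as non-compliant (the default is not what the STIG wants). The setting names and values in $baseline are common hardening-guide controls used for illustration; the authoritative list and values must come from the STIG version you are held to. The sample VM data at the end is constructed so the comparison can be exercised without a vCenter connection.

```powershell
# Added example (not from the session): compare VM advanced (VMX) settings with a baseline.
# Assumption: $baseline entries are illustrative; replace them with the controls from your STIG.
$baseline = [ordered]@{
    'isolation.tools.copy.disable'         = 'true'
    'isolation.tools.paste.disable'        = 'true'
    'isolation.tools.dnd.disable'          = 'true'
    'isolation.tools.setGUIOptions.enable' = 'false'
    'isolation.device.connectable.disable' = 'true'
    'isolation.device.edit.disable'        = 'true'
    'RemoteDisplay.maxConnections'         = '1'
}

function Compare-VmxBaseline {
    # Pure comparison: $Actual maps setting name -> value, so it can be tested on constructed data.
    param(
        [string]$VmName,
        [System.Collections.IDictionary]$Actual,
        [System.Collections.IDictionary]$Baseline
    )
    foreach ($key in $Baseline.Keys) {
        $have = if ($Actual.Contains($key)) { [string]$Actual[$key] } else { $null }
        [pscustomobject]@{
            VM        = $VmName
            Setting   = $key
            Expected  = $Baseline[$key]
            Actual    = $have
            Compliant = ($null -ne $have) -and
                        ($have.Trim().ToLowerInvariant() -eq $Baseline[$key].ToLowerInvariant())
        }
    }
}

function Get-VmxComplianceReport {
    # Live version: run Connect-VIServer first. Get-AdvancedSetting returns the VMX keys of each VM.
    param([System.Collections.IDictionary]$Baseline)
    foreach ($vm in Get-VM) {
        $actual = @{}
        foreach ($s in (Get-AdvancedSetting -Entity $vm)) { $actual[$s.Name] = $s.Value }
        Compare-VmxBaseline -VmName $vm.Name -Actual $actual -Baseline $Baseline
    }
}

# Constructed sample VM: one key with a wrong value, the rest missing entirely.
$sampleVm = @{
    'isolation.tools.copy.disable'  = 'TRUE'
    'isolation.tools.paste.disable' = 'false'
}
Compare-VmxBaseline -VmName 'SAMPLE-VM' -Actual $sampleVm -Baseline $baseline |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Against a live vCenter, after Connect-VIServer:
# Get-VmxComplianceReport -Baseline $baseline | Where-Object { -not $_.Compliant } | Export-Csv vmx-findings.csv
```

Keeping the comparison in a function that takes plain dictionaries is what makes the report auditable: the same baseline file can be diffed in change control, and the findings CSV is the evidence an assessor asks for, rather than a screenshot of a PowerCLI session.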

[Reference slide photo: IMAG0136]

VMware ESXi 5.1 Patches Released

Hot off the presses are some ESXi 5.1 patches. This build of ESXi 5.1 (1157734) fixes several bugs and, more importantly, addresses some security issues. As always in any environment, please test out the patches thoroughly before putting them into production. Each environment is unique, and issues may surface that could cause you some headaches. These bug fixes aren’t earth shattering, so I would not suggest rushing them out to production systems.

ESXi 5.1 Build 1157734

Highlights of the patch bundle included in this release are:

  • Black frames might appear around text boxes in an application running on Virtual Machine Hardware Version 8 or later. This issue occurs on virtual machines with Windows 7 guest operating system and View 5.0 PCoIP.
  • For two ESXi hosts with different host names, identical machine names are generated in the domain controller under certain conditions. As a result, the Active Directory functionality is lost for one of the two ESXi hosts.
  • After you upgrade to ESXi 5.1 from an earlier version, attempts to power on a virtual machine with static MAC address outside the allowed range (00:50:56:[00-3f] or 00:50:56:[80-BF]) fail with the following error message: The MAC address entered is not in the valid range.
  • If a physical NIC is named using non-standard naming conventions (other than vmnic#) and is added to a vSwitch, host profile creation fails with the following error message: Invalid value chosen for active NICs.
  • ESXi 5.1 hosts might get disconnected randomly from the vCenter Server system. This issue might occur if the heartbeat thread in the vpxa agent does not receive a response from the futex_wait system call. As a result, the heartbeat thread stops responding, and the vCenter Server does not receive heartbeat messages from the ESXi hosts for several hours.
  • Upon reboot, ESXi 5.1 hosts configured to obtain DNS configuration and host name from a DHCP server displays its host name as localhost in syslog rather than displaying the host name obtained from the DHCP server. As a result, for a remote syslog collector, all ESXi hosts appear to be the same, with the same host name.
  • To prevent buffer overflow, the HPSA proc node truncates LUN details on an ESXi host.
  • This patch updates the esx-base VIB to resolve a stability issue.

As always, you can download the ESXi patches from here. The full KB article for the patch bundle is here.

Critical Adobe Flash and Air Player Vulnerabilities

*Shocked* to see that Adobe has major security problems with Flash Player and Air. Be sure to download the latest versions, released on December 8th, here. You can read the related security bulletin here.

© 2017