Rebuild the RD Licensing Database Automatically

To rebuild the RD Licensing database automatically

  1. On the license server, open Remote Desktop Licensing Manager. To open Remote Desktop Licensing Manager, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Licensing Manager.
  2. Verify that the connection method for the Remote Desktop license server is set to Automatic connection (recommended) by right-clicking the license server on which you want to rebuild the RD Licensing database, and then clicking Properties. On the Connection Method tab, change the connection method if necessary, and then click OK.
  3. Select the license server whose RD Licensing database you want to rebuild, and then on the Action menu, click Manage RDS CALs.
  4. On the Welcome to the Manage RDS CALs Wizard page, click Next.
  5. On the Action Selection page, click Rebuild the license server database.
  6. Select a reason for rebuilding the RD Licensing database, and then click Next.
  7. On the Confirm Deletion of RDS CALs page, select the Confirm deletion of RDS CALs currently installed on this license server check box, and then click Next.
  8. After the contents of the RD Licensing database have been deleted, on the Reinstalling RDS CALs page, click Next.
    Note: You can only reinstall one set (or pack) of RDS CALs at a time. After you have reinstalled the first set of RDS CALs, the wizard asks you if you want to reinstall another set of RDS CALs. You are asked this after each set of RDS CALs is reinstalled.

  9. On the License Program page, select the appropriate program through which you purchased your RDS CALs, and then click Next.
  10. The License Program that you selected on the previous page in the wizard determines what information you need to provide on this page. In most cases, you must provide either a license code or an agreement number. Consult the documentation provided when you purchased your RDS CALs.
  11. After you have entered the required information, click Next.
  12. On the Product Version and License Type page, select the appropriate product version, license type, and quantity of RDS CALs for your environment based on your RDS CAL purchase agreement, and then click Next.
  13. The Microsoft Clearinghouse is automatically contacted and processes your request. The RDS CALs are then automatically reinstalled onto the license server.
  14. To reinstall another set of RDS CALs, on the Reinstalling Additional RDS CALs page, click Continue reinstalling additional RDS CALs, and then click Next. Repeat steps 9 through 13.

    To finish rebuilding the RD Licensing database, click Finish rebuilding the RD Licensing database, click Next, and then click Finish.

Fix Windows 7 Temporary Profile Problem

1)      Log in with the temporary profile.

2)      Start the Registry Editor by typing regedit in the Start menu search box.

3)      Navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

4)      Under ProfileList you will see two keys with the same SID; one of them ends in .bak.

5)      The key ending in .bak is your correct profile. Windows 7 is currently logged in with a fresh profile under the same SID (the key without .bak). Rename the new profile key (the one without .bak) to something else, then remove .bak from the correct profile key.

6)      That's it. Log off and log in again with your user name and password. You should get your icons and profile settings back. This is a very simple method to fix the temporary profile issue in Windows 7.
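The key swap described above, scripted as an added example (this is not from the original post). It assumes an elevated PowerShell prompt, because ProfileList lives under HKLM, and it adds one step the post does not mention: resetting the State and RefCount values on the recovered key so Windows does not treat the profile as still loaded.

```powershell
# Added example, not part of the original post: automate the .bak swap for a Windows 7
# temporary-profile logon. Assumption: run from an elevated PowerShell prompt.
$ProfileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Repair-TempProfile {
    param([string]$Sid)   # e.g. S-1-5-21-...-1001; if omitted, every .bak key is repaired

    $bakKeys = Get-ChildItem $ProfileList |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*.bak' -and
                       ( -not $Sid -or $_.PSChildName -eq "$Sid.bak" ) }

    foreach ($bak in $bakKeys) {
        $goodSid   = $bak.PSChildName -replace '\.bak$', ''
        $freshPath = Join-Path $ProfileList $goodSid

        if (Test-Path $freshPath) {
            # The fresh (temporary) profile key is using the real SID: move it aside first.
            Rename-Item -Path $freshPath -NewName "$goodSid.tmp"
        }
        # Give the original profile its SID back (this is the "remove .bak" step).
        Rename-Item -Path $bak.PSPath -NewName $goodSid

        # Extra step not in the post above: clear the load state so the next logon does not
        # consider the profile in use. (Microsoft's guidance for this symptom does the same.)
        $goodKey = Join-Path $ProfileList $goodSid
        Set-ItemProperty -Path $goodKey -Name State    -Value 0 -Type DWord
        Set-ItemProperty -Path $goodKey -Name RefCount -Value 0 -Type DWord

        New-Object PSObject -Property @{
            Sid         = $goodSid
            ProfilePath = (Get-ItemProperty $goodKey).ProfileImagePath
            TempKeyNow  = "$goodSid.tmp"
        }
    }
}

Repair-TempProfile    # then log off and log back on as the affected user
```

The function returns the SID and the ProfileImagePath it restored, which is worth checking against the user's real C:\Users folder before logging off: if ProfileImagePath points at a TEMP folder, the wrong key was renamed. The renamed "<SID>.tmp" key and the temporary profile folder can be deleted once the user confirms the profile is back.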

iTunes Showing Error 42404 after 10.5.3.3 upgrade

Yesterday I found that my iTunes stopped working and showed the above error.

Looked around on the internet and found different people recommending different resolutions.

Here is what fixed mine:

My configuration is a Windows 7 Professional 64-bit PC

Step 1 – Uninstall iTunes completely

Step 2 – Download and install Unlocker 64-bit edition from here

Step 3 – Go to "C:\Program Files (x86)\Common Files" and make sure hidden files are visible (you can enable this via Folder Options)

Step 4 – Look for a folder called "Apple" – right-click on this folder, choose Unlocker and rename this folder to anything else

Step 5 – Download the latest version of the iTunes setup – right-click and run as administrator.

Once iTunes is installed, you will find this problem is gone!

Install BES 5.0.1 MR1 or higher in an Exchange 2010 Environment

Below is the information from a post in the BlackBerry Forums. I used it, so I thought it would be worthwhile to file it:

Note: In an Exchange 2010 environment BlackBerry Enterprise Server should NOT be installed on the mail server. Also before installing BES you MUST have public folders enabled and have an Offline Address book configured in Exchange 2010.

STEP 1

On the server you have selected to load BlackBerry Enterprise Server, download and install "Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1" (Exchange 2010 requires version 6.5.8147 or higher and Exchange 2010 SP1 requires version 6.5.8211.0 or higher), which is available from the Microsoft Download site (a.k.a. ExchangeMapiCdo.EXE). This will install the CDO and MAPI DLLs, which are a prerequisite for BES to operate correctly. This replaces the previous requirement to have Exchange System Manager installed in Exchange 2000 or 2003 environments. The current download link is as follows: Download details: Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1

STEP 2

Log onto your Exchange Server using an account which has permission to create a new account. Open the Exchange Management Console and create a new account and mailbox for a user called BESadmin.

STEP 3

From the Exchange 2010 server, open the "Exchange Management Shell" (found in the Exchange program group) and run the following two commands to set the required delegate control and permissions:

Add-RoleGroupMember "View-Only Organization Management" -Member "BESAdmin"

Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin

STEP 4

Now you need to set the Send AS permissions using the command below:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=<domain_1>,DC=<domain_2>,DC=<domain_3>"

Example:

Add-ADPermission -InheritedObjectType User -InheritanceType Descendents -ExtendedRights Send-As -User "BESAdmin" -Identity "CN=Users,DC=bbforums,DC=local"

Note: It is common for this command to fail with the error below. If this error appears, please refer to the workarounds provided beneath the error text.

Active Directory operation failed on ***Domain Controller Name***. This error is not retriable. Additional information: Access is denied.
Active directory response: 00000005: SecErr: DSID-031521D0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
+ CategoryInfo : WriteError: (0:Int32) [Add-ADPermission], ADOperationException
+ FullyQualifiedErrorId : DA172DD1,Microsoft.Exchange.Management.RecipientTasks.AddADPermission

Workaround 1

Assign Send As permissions to all users via Active Directory

1. Open Active Directory.
2. Select the “View” menu and ensure “Advanced Features” is checked.
3. Right mouse click on your domain name and select Properties
4. Select the Security tab
5. Press the Advanced button at the bottom on the security tab
6. Select “Add” and enter your Blackberry Service Account name (e.g. BESadmin) and select OK
7. When the permissions screen appears change “Apply onto:” to “User Objects” (or “Descendant User Objects” on Server 2008)
8. In the permissions box scroll down and check the Allow box beside “Send As” and press OK
9. Press Apply and OK to exit

Workaround 2

Individually assign Send As permissions to a user via the Exchange Management Shell:

Add-ADPermission "BES User Mailbox Name" -User "Domain\BESadmin" -ExtendedRights "Send-As"

Example: Add-ADPermission "Gary Cutri" -User "Domain\BESadmin" -ExtendedRights "Send-As"

STEP 5

We need to turn off client throttling in Microsoft Exchange 2010 as it enforces bandwidth limits which will affect the BlackBerry Server. To do this run the following three commands from the Exchange Management Shell.

New-ThrottlingPolicy BESPolicy

Set-ThrottlingPolicy BESPolicy -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy

If the Microsoft Exchange Server is 2010 SP1, complete the following steps:

New-ThrottlingPolicy BESPolicy -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL -RCAMaxConcurrency $null -RCAPercentTimeInAD $null -RCAPercentTimeInCAS $null -RCAPercentTimeInMailboxRPC $null -EWSMaxConcurrency $null -EWSPercentTimeInAD $null -EWSPercentTimeInCAS $null -EWSPercentTimeInMailboxRPC $null -EWSMaxSubscriptions $null -EWSFastSearchTimeoutInSeconds $null -EWSFindCountLimit $null

Set-Mailbox "BESAdmin" -ThrottlingPolicy BESPolicy

STEP 6

NOTE: This step is not required in Exchange 2010 SP1 as it is now managed with the Throttling Policy (i.e. -CPAMaxConcurrency $NULL -CPAPercentTimeInCAS $NULL -CPAPercentTimeInMailboxRPC $NULL)

Now we need to increase the maximum number of connections Exchange 2010 allows to the Address Book service. By default this is set to 50 and to increase this navigate to “\Program Files\Microsoft\Exchange Server\V14\Bin” and open the microsoft.exchange.addressbook.service.exe.config file with Notepad. Now change the MaxSessionsPerUser entry to 100000 and then save the file and restart the Address Book service.

Note: By default you may not have permission to edit this file so edit the permissions > add the administration account you are using > grant this account access to edit the file.

STEP 7

You have the ability to allow the BES to use Exchange Web Services to manage calendars on the devices, in order to utilize this service you need to configure a management role by running the following command from the
Exchange Management Shell:

New-ManagementRoleAssignment -Name "BES Admin EWS" -Role ApplicationImpersonation -User "BESAdmin"

Get-Mailbox -Server "<messaging_server_name>" | Set-CalendarProcessing -ProcessExternalMeetingMessages $true

STEP 8

Make BESadmin a local Administrator of the server where you will be installing the BES software. This is done by right mouse clicking My Computer and selecting “Manage”. From Computer Management expand “Local Users & Groups” and select Groups (or in Server 2008 right click Computer > From Server Manager expand Configuration and select “Local Users & Groups” > Select Groups). From Groups double click “Administrators” and add BESadmin.

STEP 9

On the BES server go to "Administrative Tools", open "Local Security Policy", then expand "Local Policies" and "User Rights Assignment". You need to add BESadmin to "Allow log on locally" and "Log on as a service".

STEP 10

Log onto the server where you will be installing the BES using the BESadmin account. Extract the install files and run the setup file. When making your selection please note that the Monitoring service should be installed on a separate machine and the MDS Integration Service is only required for application development (note: the standard MDS service is installed by default). During the install you will be prompted to reboot, please ensure after the restart you logon as BESadmin again as the installation will continue. During the final part of the installation when you enter your SRP ID, Auth Key and CAL please ensure you select the verify option as apart from validating the info it confirms that Port 3101 is opened correctly.

Note: If you are installing BES onto server with existing services that use port 443 during the BES install change the HTTPS Service Port to a port that does not conflict with any other applications e.g. 643 or 3443. For further information on issues that prevent access to BAS please refer to the link below:

The Unofficial BlackBerry Support Forum – Threads Tagged with bas

STEP 11

Once the installation is completed and the services have started, log onto the BlackBerry Administration Service. Please note that the BAS-AS service needs to reach approximately 385MB of memory usage (you can check this via Task Manager) before it can be accessed.

Note: If you are unable to logon to the BAS using Active Directory credentials please run the attached “AddBASAuthentication.sql” script below as this will create a local “BlackBerry Administration Service” account with the username: admin and the password: blackberry.

STEP 12

In order to get you up to speed on adding users and performing activations please refer to the video tutorial below:

Tutorial – BlackBerry Administration Service

Extra Details:

Send As Permissions
Unlisted message error or Desktop email program unable to submit message

Note: For sites running Exchange 2010 SP1 you must be running BES 5.0.2 MR4 and MAPI\CDO Client 1.2.1 version 6.5.8211.0 or above to prevent latency issues (More Info: Guide: BES 5.0.2 and Exchange 2010 SP1 Latency Issues)
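The steps above hand the BESAdmin account Receive-As and ms-Exch-Store-Admin on every mailbox database, Send-As on every user, ApplicationImpersonation through EWS and an unthrottled policy. That is a very powerful service account, so it is worth being able to list exactly what it holds, both right after the install and whenever the account is reviewed later. The script below is an added example (it is not from the forum post) that reports those grants from the Exchange Management Shell; the account name and the domain DN are the post's own example values and are assumptions.

```powershell
# Added example, not part of the forum post above: report everything the BESAdmin service
# account has been granted by steps 3, 4, 5 and 7 so the scope can be reviewed and audited.
# Run in the Exchange Management Shell as an Exchange administrator.
# Assumptions: the account is called BESAdmin; the domain DN is the post's example value.
$Svc      = 'BESAdmin'
$DomainDN = 'DC=bbforums,DC=local'

function Get-BesServiceAccountRights {
    # Receive-As / ms-Exch-Store-Admin on every mailbox database (step 3): this is what lets
    # the account open any mailbox in the organisation.
    $dbRights = Get-MailboxDatabase | Get-ADPermission -User $Svc |
        Where-Object { $_.ExtendedRights -and -not $_.Deny } |
        Select-Object Identity, @{n='Rights'; e={ $_.ExtendedRights -join ',' }}, IsInherited

    # Send-As inherited by every user object under CN=Users (step 4 / workaround 1)
    $sendAs = Get-ADPermission -Identity "CN=Users,$DomainDN" -User $Svc |
        Where-Object { $_.ExtendedRights -like '*Send-As*' } |
        Select-Object Identity, InheritanceType, InheritedObjectType

    # Role group membership (step 3) and the EWS impersonation assignment (step 7)
    $viewOnly = Get-RoleGroupMember 'View-Only Organization Management' |
        Where-Object { $_.Name -eq $Svc }
    $roles = Get-ManagementRoleAssignment -RoleAssignee $Svc | Select-Object Name, Role

    # Throttling policy actually applied to the mailbox (step 5)
    $policy = (Get-Mailbox $Svc).ThrottlingPolicy

    New-Object PSObject -Property @{
        DatabaseRights    = $dbRights
        SendAs            = $sendAs
        InViewOnlyOrgMgmt = [bool]$viewOnly
        RoleAssignments   = $roles
        ThrottlingPolicy  = $policy
    }
}

$r = Get-BesServiceAccountRights
$r.DatabaseRights  | Format-Table -AutoSize
$r.SendAs          | Format-Table -AutoSize
$r.RoleAssignments | Format-Table -AutoSize
"View-Only Organization Management member: $($r.InViewOnlyOrgMgmt)"
"Throttling policy: $($r.ThrottlingPolicy)"
```

Anything this report shows beyond what the install needs (Deny entries aside) should be removed. Because the account can read every mailbox and impersonate every user over EWS, treat its password like a domain administrator's: long, stored in the password vault, never used for interactive logons once the install in step 10 is done, and its logons monitored. The AddBASAuthentication.sql script in step 11 also creates a local BAS login with a well-known username and password; change that password as soon as Active Directory authentication is working.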

Outlook Anywhere Failing – RPC End Points – 6004

It was brought to my attention that autodiscover was not behaving correctly externally. I ran it through Microsoft’s Exchange connectivity tester @ http://www.testexchangeconnectivity.com/ and received the following output:

To resolve this first simple part I just went into the EMS and gave it an ExternalURL via:

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -ExternalUrl https://autodiscover.domain.com/Autodiscover/Autodiscover.xml

I now received this error:

“Failed to ping RPC Endpoint 6004 (NSPI Proxy Interface)”

..and also RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime

Most curious about an RPC error at this level. Perhaps a connection between the Hub/Cas and MBX server or MBX server and AD/DCs/GCs? The environment was not 2008, nor was it using IPv6.

The following is what fixed my issue:

Using the configurations here I was able to remedy the situation. Basically what happened was that it could not use DSPROXY via HTTP, and it is a known issue. The fix is to:

1. Changes for Mailbox servers:

a. Create a DWORD value named "Do Not Refer HTTP to DSProxy" under HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters and set it to 1. As the name says, this stops the server from referring HTTP clients to DSProxy.

b. Under the same key, HKLM\System\CurrentControlSet\Services\MSExchangeSA\Parameters, create a string value named "NSPI Target Server" and set it to the FQDN of the domain controller that you would like used for profile creation.

2. Changes for Client Access Servers:

a. Ensure that the "PeriodicPollingMinutes" value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator is set to zero. This ensures that the system won't keep overwriting our settings every 15 minutes.

b. Also modify "ValidPorts" under HKLM\Software\Microsoft\RPC\RPCProxy so that it lists the DCs which can be accessed via port 6004 (add to the existing entries rather than replacing them). An example of the entries to add would be:

domaincontroller.domain.com:6004;domaincontroller2.domain.com:6004

3. Changes for all Global Catalog (GC) servers:

a. Be sure that there is a REG_MULTI_SZ entry named "NSPI interface protocol sequences" under HKLM\System\CurrentControlSet\Services\NTDS\Parameters with the value "ncacn_http:6004".

Testing autodiscover/Outlook anywhere now yields the following output in the connectivity tester:

If all the roles are installed on the same server, then all of the settings are applied on that one server, for example on SBS.

In addition to the above, I also made sure that a valid SSL certificate was installed correctly and that IPv6 was disabled.

You can double check these settings by configuring a profile in Outlook, then Ctrl+RightClicking the outlook icon on the system tray, and running “Test E-Mail Autoconfiguration.”
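The same registry changes, scripted per role, as an added example (not part of the original post). It assumes an elevated PowerShell prompt on each server and uses the post's placeholder DC names; the one thing it does that the registry editor walk-through leaves implicit is appending the DC entries to ValidPorts rather than replacing the value, since the existing entries are what Outlook Anywhere itself proxies to.

```powershell
# Added example, not part of the original post: apply the registry changes listed above per
# server role from an elevated PowerShell prompt. Assumptions: the DC names are placeholders
# (as in the post), and each function is run on a server of the matching role; on a single
# server holding every role (e.g. SBS) run all three.
$NspiDc    = 'domaincontroller.domain.com'
$GcServers = @('domaincontroller.domain.com', 'domaincontroller2.domain.com')

function Set-NspiMailboxServer {
    # 1a/1b: stop HTTP clients being referred to DSProxy; hand them a fixed NSPI target
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeSA\Parameters'
    Set-ItemProperty -Path $p -Name 'Do Not Refer HTTP to DSProxy' -Value 1 -Type DWord
    Set-ItemProperty -Path $p -Name 'NSPI Target Server' -Value $NspiDc -Type String
}

function Set-NspiClientAccessServer {
    # 2a: stop RpcHttpConfigurator from rewriting ValidPorts every 15 minutes
    $cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator'
    if (-not (Test-Path $cfg)) { New-Item -Path $cfg -Force | Out-Null }
    Set-ItemProperty -Path $cfg -Name 'PeriodicPollingMinutes' -Value 0 -Type DWord

    # 2b: add the DCs on port 6004 to ValidPorts, keeping the existing CAS/MBX entries
    # (ValidPorts is one REG_SZ with ';' separators; replacing it breaks Outlook Anywhere)
    $proxy   = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
    $current = (Get-ItemProperty -Path $proxy -Name ValidPorts).ValidPorts
    $entries = @($current -split ';' | Where-Object { $_ })
    foreach ($dc in $GcServers) {
        $e = "${dc}:6004"
        if ($entries -notcontains $e) { $entries += $e }
    }
    $new = $entries -join ';'
    Set-ItemProperty -Path $proxy -Name ValidPorts -Value $new -Type String
    return $new
}

function Set-NspiGlobalCatalog {
    # 3a: make the GC offer the NSPI interface over ncacn_http on the fixed port 6004
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $p -Name 'NSPI interface protocol sequences' -Value @('ncacn_http:6004') -Type MultiString
}

# Example for a single-server (SBS-style) deployment that is also a GC:
Set-NspiMailboxServer
Set-NspiClientAccessServer
Set-NspiGlobalCatalog
```

Set-NspiClientAccessServer returns the final ValidPorts string so it can be eyeballed before IIS is restarted (iisreset on the CAS); the NTDS value is read when the directory service starts, so the GC needs a restart before the "Failed to ping RPC Endpoint 6004" test will pass.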

For the full explanation I highly recommend reading the official blog post by Siddhartha Mathu at:

http://msexchangeteam.com/archive/2008/06/20/449053.aspx

Good read!

Recovering from a crash using Backup Exec Tapes

Steps to keep in mind while recovering a crashed server using Backup Exec tape backups:

First and foremost, the client should be clearly aware that restores from Backup Exec tapes are messy and have a lot of aftermath post restore, such as an event log full of different errors.

So if the network is not considerably large and the client can cope with a business interruption of about 2-3 days (depending on the time it takes to rebuild the system as a clean install, set up the PCs again and so on), it is sensible to present this as an option, as the result will be a clean and healthy system which will last for years.

The above will be more cost effective as well in most cases where there are no other servers or services dependent on the crashed machine.

Otherwise, if it is critical to restore the system ASAP, then it will not only take a lot of extra hours, probably going into the late evening and the night, but the end result will still have issues which will require a lot of added engineering time for cleanup.

So, if you do decide to go for a restore, below are the high level steps:

  1. Make sure that the backup on the tape has the full Windows volume backed up, in addition to the system state; otherwise a partial restore will create a lot of aftermath.
  2. Look into the previous specs of the drive partitioning to make sure the new volume is partitioned in exactly the same way after the RAID array is rebuilt.
  3. Install a like-for-like OS with the clean install option on the same Windows volume as before the crash.
  4. Run Windows Update.
  5. Install Backup Exec in a NON-default location, then update it and reboot.
  6. Insert the tape -> run Inventory -> run Catalog.
  7. If this is not a DC, proceed with restoring everything including the system state.
  8. If it is a DC -> reboot into Directory Services Restore Mode -> run a full restore -> reboot.
  9. Manually delete the Backup Exec installation which was used for this restore from the NON-default location.
  10. Check the event logs for issues (there will be a lot of aftermath like SharePoint errors which will need to be looked into manually on a case by case basis).
  11. In one of the cases I dealt with recently, the Exchange Transport service kept failing to start.
    1. It was found that Symantec Mail Security for Exchange was installed on this server and had become corrupted.
    2. Trying to uninstall the software didn't work, as there were permission issues in the registry.
    3. I first looked into and resolved the permission issues, then manually uninstalled the Symantec software, then used PowerShell commands to get rid of the Exchange transport agent, then rebooted the server.
    4. This brought back the Exchange services and mail started flowing normally.
  12. However, the server in the above case still had a lot of issues, including one with Windows Installer, due to which it took a lot of time to fix, in order to reinstall Symantec and other software which were having issues after the install.

Migrate Primary Domain Controller to a new server

I often get queries on moving a PDC to a new server, mostly when old hardware needs to be retired or the 2008 family is being introduced into a network.

Here is a high level process for migrating from a Server 2003 PDC to a 2008 R2 PDC (or to any new Windows server):

  1. Configure a new Server 2008 R2 machine.
  2. Join it to the domain.
  3. Run adprep /forestprep on the Server 2003 PDC (adprep is in the \support\adprep folder of the Server 2008 R2 DVD; use adprep32.exe on a 32-bit Server 2003 DC). Strictly, /forestprep must run on the Schema Master and /domainprep on the Infrastructure Master; in a single-DC domain that is the PDC.
  4. Raise the domain and forest functional levels to Windows Server 2003 in Active Directory Domains & Trusts.
  5. Run adprep /domainprep on the Server 2003 PDC.
  6. Run DCpromo on the new server to add it as an additional DC, and make it a GC and DNS server.
  7. Move all 5 FSMO roles to the new server:
    1. Schema
    2. Domain Naming
    3. RID
    4. PDC Emulator
    5. Infrastructure
  8. Leave the two servers to replicate for an acceptable period, and point clients (and DHCP) at the new DNS server before the old one goes away.
  9. Run DCpromo on the old server and demote it from the DC role.
    1. Note that this is an important step to decommission the server properly from the network.
    2. If this step is skipped, the new server will still have all the traces of the old server in DNS and everywhere else.
    3. This may cause issues down the line.
  10. Once the server is gracefully decommissioned, take it off the domain.
  11. Shut it down and remove it from the network.

Detailed Steps on transferring FSMO roles:

  1. Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI

To Transfer the Domain-Specific RID Master, PDC Emulator, and Infrastructure Master FSMO Roles:

Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.

If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.

Select the domain controller that will be the new role holder, the target, and press OK.

Right-click the Active Directory Users and Computers icon again and press Operation Masters.

Select the appropriate tab for the role you wish to transfer and press the Change button.

Press OK to confirm the change.

Press OK all the way out.

  2. Transferring the Domain Naming Master via GUI

Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.

If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.

Select the domain controller that will be the new role holder and press OK.

Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.

Press the Change button.

Press OK to confirm the change.

Press OK all the way out.

  3. Transferring the Schema Master via GUI:

Register the Schmmgmt.dll library by pressing Start > RUN and typing:

regsvr32 schmmgmt.dll

Press OK. You should receive a success confirmation.

From the Run command open an MMC Console by typing MMC.

On the Console menu, press Add/Remove Snap-in.

Press Add. Select Active Directory Schema.

Press Add and press Close. Press OK.

If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.

Press Specify …. and type the name of the new role holder. Press OK.

Right-click the Active Directory Schema icon again and press Operation Masters.

Press the Change button.

Press OK all the way out.
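The three GUI procedures above can be collapsed into one command once the new DC is a 2008 R2 machine, because the Active Directory module that ships with it can transfer all five roles at once and read back the holders. The script below is an added example (not part of the original post); the new DC's name is an assumption, and it must be run by a member of both Enterprise Admins and Schema Admins.

```powershell
# Added example, not part of the original post: transfer all five FSMO roles to the new DC
# with the Active Directory module (available on Server 2008 R2) and verify the result, as an
# alternative to the three GUI procedures above. Assumptions: $NewDc is the new DC's
# hostname; run as a member of Enterprise Admins and Schema Admins from the new DC.
Import-Module ActiveDirectory
$NewDc = 'DC2008R2'

$AllRoles = 'SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain (as FQDNs)
    $f = Get-ADForest
    $d = Get-ADDomain
    @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        RIDMaster            = $d.RIDMaster
        PDCEmulator          = $d.PDCEmulator
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([string]$Target, [switch]$Seize)
    # Without -Force this is a transfer: the current holder must be online and agree.
    # -Force seizes the roles and is only for a dead old DC; never seize while the old
    # holder is still reachable, or two DCs will each believe they own the role.
    Move-ADDirectoryServerOperationMasterRole -Identity $Target -OperationMasterRole $AllRoles -Force:$Seize -Confirm:$false
}

function Test-FsmoOnTarget {
    param([string]$Target)
    $ok = $true
    $holders = Get-FsmoHolders
    foreach ($role in $holders.Keys) {
        $holderName = ($holders[$role] -split '\.')[0]    # compare hostnames only
        if ($holderName -ne $Target) {
            Write-Warning "$role is still held by $($holders[$role])"
            $ok = $false
        }
    }
    return $ok
}

Move-AllFsmoRoles -Target $NewDc
Test-FsmoOnTarget -Target $NewDc    # $true once all five roles report the new DC
netdom query fsmo                   # independent second opinion from the older tooling
```

Run Test-FsmoOnTarget again from the old DC after replication has had time to complete (step 8 above): both DCs must agree on the holders before the old one is demoted, otherwise the demotion will refuse to run or, worse, leave stale role ownership behind.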

Backup Exec Server paused

I had this client where the backups were failing continuously for some time.

I updated the software and applied all the hotfixes, but the server still showed as "Paused" when checked in BEUtility.

Restarted all the services and the media server as well, but to no avail.

So I went to Devices -> right-clicked on the server (it showed that it was running) -> paused it, then unpaused it.

Checked the status in BEUtility and it showed that it was running!

This is a known issue which Symantec has fixed in later versions and probably affects V12 only.

I will now keep an eye on the backups as they seem to run OK now.

Configure Symantec Premium Antispam to Mark messages to go into User’s Junk Mail folder

In order to move a message processed by the Premium Antispam feature of Symantec Mail Security to the user's Junk E-mail folder, you must assign the message an SCL that is greater than your organization's configured junk mail threshold. If you have an Edge Transport server, or have installed the Microsoft anti-spam agents on your Hub Transport server, make sure you do not have a reject, delete or quarantine action configured with an SCL value lower than the junk mail threshold, or equal to the SCL that you will assign to the message; otherwise the content filter will act on the message before it ever reaches the mailbox. If you are using Outlook Web Access, make sure that junk e-mail filtering is enabled in the options.

The steps below show how to configure the SCLJunkThreshold via the Exchange Management Shell.

  1. Verify your current junk mail threshold:
    Get-OrganizationConfig | select SCLJunkThreshold
  2. Review your Exchange 2007 content filter configuration to make sure that there are no conflicting actions enabled for the given SCL threshold:
    Get-ContentFilterConfig
  3. Set an appropriate junk mail threshold. Replace <SCL> in the command below with the desired SCL value (between 0 and 9):
    Set-OrganizationConfig -SCLJunkThreshold <SCL>

    The final step is to configure Premium Antispam to assign an SCL value greater than the SCLJunkThreshold to messages that you wish to send to the user's Junk folder. This is configured in the Premium Antispam Actions section of the Symantec Mail Security for Microsoft Exchange management console.
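Step 2 asks you to eyeball Get-ContentFilterConfig for conflicts; the check below does that comparison mechanically, for the three content filter actions against both the junk threshold and the SCL you intend Premium Antispam to stamp. It is an added example, not part of the original post, and the stamped SCL value is an assumption you replace with what you configure in the Symantec console.

```powershell
# Added example, not part of the original post: check that no enabled content filter action
# (reject/delete/quarantine) will catch messages before they can reach the Junk folder.
# Run in the Exchange Management Shell. Assumption: $PremiumAntispamScl is the SCL you
# configure under Premium Antispam Actions in the Symantec console.
$PremiumAntispamScl = 6

function Test-SclConfiguration {
    param([int]$StampedScl = $PremiumAntispamScl)
    $junk = [int](Get-OrganizationConfig).SCLJunkThreshold
    $cf   = Get-ContentFilterConfig
    $problems = @()

    # Content filter actions fire at SCL >= their threshold; delivery to the Junk folder
    # needs SCL > SCLJunkThreshold, so every action threshold must sit above both values.
    $actions = @(
        @{ Name = 'Reject';     Enabled = $cf.SCLRejectEnabled;     Threshold = $cf.SCLRejectThreshold },
        @{ Name = 'Delete';     Enabled = $cf.SCLDeleteEnabled;     Threshold = $cf.SCLDeleteThreshold },
        @{ Name = 'Quarantine'; Enabled = $cf.SCLQuarantineEnabled; Threshold = $cf.SCLQuarantineThreshold }
    )
    foreach ($a in $actions) {
        if ($a.Enabled -and ($a.Threshold -le $StampedScl)) {
            $problems += "$($a.Name) is enabled at SCL $($a.Threshold), which catches messages stamped with SCL $StampedScl before they reach the mailbox"
        }
        if ($a.Enabled -and ($a.Threshold -le $junk)) {
            $problems += "$($a.Name) threshold $($a.Threshold) is at or below SCLJunkThreshold $junk, so no message can ever reach the Junk folder"
        }
    }
    if ($StampedScl -le $junk) {
        $problems += "Stamped SCL $StampedScl is not greater than SCLJunkThreshold $junk; messages will stay in the Inbox"
    }

    New-Object PSObject -Property @{
        JunkThreshold = $junk
        StampedScl    = $StampedScl
        Ok            = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

Test-SclConfiguration | Format-List JunkThreshold, StampedScl, Ok, Problems
```

A clean result is Ok = True with an empty Problems list. With the threshold set in step 3 and a stamped SCL one higher, the check passes only if every enabled content filter action is configured above that stamped value, which is exactly the condition the paragraph at the top of this section describes.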

Enforcing SSL 3.0 and removing weak encryption vulnerability over SSL

A penetration test against an IIS 6.0 server with SSL enabled may report a weak-encryption finding on IIS. In the setup described here, ISA Server 2000 acts as a proxy in front of the IIS server and also has the certificate installed on it. The following is the finding reported by the penetration test after SSL 3.0 had already been enforced but weak ciphers were still supported on the server; an attacker can use those ciphers in downgrade and man-in-the-middle style attacks against the server.

SSL Server Supports Weak Encryption Vulnerability, port 443/tcp over SSL
QID: 38140

The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.
SSL encryption ciphers are classified based on encryption key length as follows:
HIGH – key length larger than 128 bits
MEDIUM – key length equal to 128 bits
LOW – key length smaller than 128 bits
Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security.

IMPACT:
An attacker can exploit this vulnerability to decrypt secure communications without authorization.

Further, "Require 128-bit encryption" on IIS 6.0 does not enforce strong SSL/TLS cipher suites; it only ensures that 128-bit keys are used for encryption. The setting enables all 128-bit encryption algorithms, including RC2 and RC4, and it also allows suites that use MD5 for integrity. Since none of those provide the best available security, they need to be disabled separately.


Resolution

SSL/TLS supports a range of algorithms. For symmetric encryption, it can use AES, 3DES, RC2, or RC4. For message integrity, it can use MD5 or SHA. For asymmetric encryption, the algorithm is RSA.

A cipher suite is a combination of algorithms. RSA_AES_SHA is an example of a cipher suite. FIPS has approved specific cipher suites as strong. These use AES or 3DES for encryption, and SHA for integrity. FIPS does not consider other cipher suites strong.

Note that this guidance predates the POODLE attack (2014) on SSL 3.0 and the practical attacks on RC4; on a currently supported system you would disable SSL 3.0 as well and allow only TLS with AES-based cipher suites. The steps below are kept as written for the IIS 6.0 / ISA Server 2000 environment the test was run against.

Why enforce SSL 3.0, given that it is almost a completely different protocol from SSL 2.0? Because SSL 2.0 is a much weaker protocol than SSL 3.0 and is prone to known attacks.

SSL Version 3.0 uses the BSAFE 3.0 implementation from RSA Data Security, Incorporated. BSAFE 3.0 includes a number of timing attack fixes and the SHA-1 hashing algorithm. The SHA-1 hashing algorithm is considered to be more secure than the MD5 hashing algorithm. SHA-1 allows SSL Version 3.0 to support additional cipher suites which use SHA-1 instead of MD5.

The SSL Version 3.0 protocol reduces man-in-the-middle (MITM) attacks during SSL handshake processing. In SSL Version 2.0 it was possible, though unlikely, for a MITM attack to weaken the negotiated cipher specification. Weakening the cipher could allow an unauthorized person to break the SSL session key.

A possible scenario: someone intercepting the initial message of an SSL 2.0 handshake can force the server and client to agree on the weakest mutually supported cipher. So if you are connecting to servers that support 40-bit export-weakened encryption and transmitting sensitive information, you could be in trouble.

This is fixed by enforcing SSL 3.0 and disabling the older SSL version in the registry under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

refer to KB 187498.

Now to the second finding reported by the penetration test. It occurs because, although SSL 3.0 is enforced, weak cipher suites (LOW strength in the scanner's HIGH/MEDIUM/LOW key-length classification above) are still enabled in the registry, so a session may still fall back to the weakest mutually supported cipher as described earlier.

To get around this we need to restrict the algorithms and protocols that schannel.dll may use via the registry. To ensure that only strong ciphers are used, make the following registry changes. Note that the listing below (from KB 245030) still leaves RC2 128/128 and RC4 128/128 enabled; to follow the recommendation above to disable RC2 and RC4, set those two Enabled values to 00000000 as well:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

For a detailed description refer to KB 245030: http://support.microsoft.com/kb/245030
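The same Schannel settings applied from PowerShell and read back, as an added example that is not from the original post. Two things make this worth scripting rather than importing a .reg file: the cipher key names contain a forward slash, which the HKLM: provider treats as a path separator (so New-Item "…\Ciphers\RC4 40/128" creates the wrong key), and the read-back shows immediately whether the values actually landed. It follows the text's recommendation rather than the KB listing and disables RC2 and RC4 at 128 bits as well; it assumes an elevated prompt and a reboot afterwards, since Schannel reads these keys at startup. As noted above, on a current system you would also set Protocols\SSL 3.0\Server to disabled.

```powershell
# Added example, not part of the original post: apply the Schannel cipher and protocol
# settings described above and read them back. The key names contain "/", which the HKLM:
# provider treats as a path separator, so the .NET registry API is used instead of New-Item.
# Assumption: run elevated; reboot afterwards for Schannel to pick up the changes.
$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Cipher name -> enabled?  RC2/RC4 128-bit are disabled here too, as the text above
# recommends, which is stricter than the KB 245030 listing that leaves them on.
$Ciphers = @{
    'NULL'               = $false
    'DES 56/56'          = $false
    'RC2 40/128'         = $false
    'RC2 56/128'         = $false
    'RC2 128/128'        = $false
    'RC4 40/128'         = $false
    'RC4 56/128'         = $false
    'RC4 64/128'         = $false
    'RC4 128/128'        = $false
    'Triple DES 168/168' = $true
}

function Set-SchannelEnabled([string]$SubPath, [string]$Name, [bool]$Enabled) {
    $parent = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Base\$SubPath")
    $key    = $parent.CreateSubKey($Name)          # "/" in $Name is safe through the .NET API
    # 0xffffffff is how the KB spells "enabled"; as a signed DWORD that is -1
    $value  = if ($Enabled) { -1 } else { 0 }
    $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $parent.Close()
}

function Get-SchannelEnabled([string]$SubPath, [string]$Name) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$Base\$SubPath\$Name")
    if ($key -eq $null) { return $null }           # key absent = Windows default applies
    $v = $key.GetValue('Enabled'); $key.Close()
    return ($v -ne 0)
}

# Ciphers (KB 245030 layout)
foreach ($c in $Ciphers.Keys) { Set-SchannelEnabled 'Ciphers' $c $Ciphers[$c] }

# Protocols (KB 187498): turn SSL 2.0 off server side; SSL 3.0 left on to match the post
Set-SchannelEnabled 'Protocols\SSL 2.0' 'Server' $false
Set-SchannelEnabled 'Protocols\SSL 3.0' 'Server' $true

# Read-back report: every line should say Enabled=False except Triple DES
foreach ($c in ($Ciphers.Keys | Sort-Object)) {
    '{0,-20} Enabled={1}' -f $c, (Get-SchannelEnabled 'Ciphers' $c)
}
'SSL 2.0 server Enabled={0}' -f (Get-SchannelEnabled 'Protocols\SSL 2.0' 'Server')
```

After the reboot, re-run the scanner (or any SSL cipher enumeration tool) against port 443 on the ISA server as well as directly against IIS, because ISA terminates the client connection in this design and its own Schannel settings are what the outside world actually negotiates with.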

Note: If ISA Server uses HTTPS and we want only strong ciphers to be used, we need to check "Require 128-bit encryption for HTTPS traffic" in ISA (up to ISA Server 2006); however, this does not by itself enforce 128-bit encryption.

Refer KB 937293: http://support.microsoft.com/kb/937293

Refer KB 187498: http://support.microsoft.com/kb/187498