DevelopmentNow Blog
 Tuesday, August 07, 2007

Good article on WindowSecurity.com about securing RDP using SSL. Important for PCI Compliance & better security in general.

Note that if you already have an SSL certificate from GeoTrust, etc. you can just use that certificate instead of creating a new one.

To do so:

  • Under Request TLS/SSL certificate:
    • For step 10 you'd choose "Import" and pick your existing SSL cert & allow the storage location based on the cert.
    • Skip steps 11-14
  • Under Configure the Workstation
    • Skip steps 1-4 about importing the certificate
    • You can download the latest RDP Connection software (version 6) here.
OS



 Thursday, March 01, 2007

If you want a better administrative panel on your GoDaddy VDS/VPS, and you have PHP5 installed, you can install WebMin. SSH into your box using PuTTY.

Webmin needs Perl's Net::SSLeay library in order to run under SSL, so we'll install that first. Before we can do that, we need the OpenSSL source code:

su - root

cd /usr/local
wget http://www.openssl.org/source/openssl-0.9.7f.tar.gz
tar xvfz openssl-0.9.7f.tar.gz
mv openssl-0.9.7f openssl

Next we install Perl's Net::SSLeay library via RPM:

wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/linux/extras/4/i386/perl-Net-SSLeay-1.26-3.fc4.i386.rpm
rpm -i perl-Net-SSLeay-1.26-3.fc4.i386.rpm

Now test to make sure Net::SSLeay works. When you run the command below you should get no output. If you get an error, it's not installed correctly:

perl -e 'use Net::SSLeay'

Ok, now we can download and install WebMin:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.330-1.noarch.rpm
rpm -U webmin-1.330-1.noarch.rpm

Now you can log into webmin at https://yourserver:10000. Log in under the same account as your PuTTY account.

Note the above assumes you're installing version 1.330 :)

Hosting | OS | Tools



 Wednesday, February 28, 2007

Ok ok, you want to compress your ASPX files in IIS, but you don't want to do it for every site, and you want to exclude certain directories. You don't want to edit the metabase by hand, either.

No problem! Copy the below into a BAT file, run it from a command prompt, and voila! Note that you should edit the site number and directory numbers.

But before you run the below BAT, back up your metabase and make sure you know how to restore it! IIS Manager->Right-click server->Tasks -> Backup/Restore Configuration.

If you don't feel comfortable administering IIS or running the below batch file, don't! And even though I hate disclaimers, this script is provided AS-IS with no warranty in any way.

REM HTTP Compression Script
REM
REM Enables compression of static and dynamic files
REM Turns off compression for all sites except site #123
REM Also turns off compression for site #123's /SomeDirectory/Directory2 directory
REM
REM Copyright 2007 Ben Strackany
REM This script is provided AS-IS, no warranty implied or provided, Ben Strackany and 
REM DevelopmentNow are not responsible for any damage your site, server, or love life 
REM may incur as a result of running this batch file.
REM
REM BACK UP YOUR METABASE BEFORE RUNNING THIS SCRIPT!

REM compress static files
CSCRIPT.EXE C:\Inetpub\AdminScripts\ADSUTIL.VBS SET W3Svc/Filters/Compression/GZIP/HcFileExtensions "htm" "html" "js" "txt" 
CSCRIPT.EXE C:\Inetpub\AdminScripts\ADSUTIL.VBS SET W3Svc/Filters/Compression/DEFLATE/HcFileExtensions "htm" "html" "js" "txt"

REM compress dynamic files
CSCRIPT.EXE C:\Inetpub\AdminScripts\ADSUTIL.VBS SET W3Svc/Filters/Compression/DEFLATE/HcScriptFileExtensions "asp" "asmx" "aspx"
CSCRIPT.EXE C:\Inetpub\AdminScripts\ADSUTIL.VBS SET W3Svc/Filters/Compression/GZIP/HcScriptFileExtensions "asp" "asmx" "aspx"

REM set compression level
CSCRIPT.EXE C:\Inetpub\AdminScripts\ADSUTIL.VBS SET W3Svc/Filters/Compression/GZIP/HcDynamicCompressionLevel "9" 
CSCRIPT.EXE C:\Inetpub\AdminScripts\ADSUTIL.VBS SET W3Svc/Filters/Compression/DEFLATE/HcDynamicCompressionLevel "9"


REM turn off global compression
cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/root/DoStaticCompression False 
cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/root/DoDynamicCompression False 

REM turn on compression for a specific site
REM ****** EDIT THE NUMBER TO BE THE SITE # YOU WANT TO TURN COMPRESSION ON FOR ****
cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/123/root/DoStaticCompression True 
cscript.exe C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/123/root/DoDynamicCompression True

REM turn off compression for a given dir
REM note that the dir needs to exist in the metabase: in IIS, create the vdir, then optionally
REM open properties for it and click "Remove" next to the application
REM ****** EDIT THE NUMBER AND DIRECTORY TO BE THE SITE AND DIRECTORY YOU WANT TO TURN COMPRESSION OFF FOR ****
cscript.exe c:\inetpub\adminscripts\adsutil.vbs set w3svc/123/root/SomeDirectory/Directory2/DoStaticCompression false
cscript.exe c:\inetpub\adminscripts\adsutil.vbs set w3svc/123/root/SomeDirectory/Directory2/DoDynamicCompression false

REM restart IIS
iisreset.exe

 

The above is pretty self-explanatory. In the top half, we're setting which file types should be compressed, along with the compression level. In the bottom half, we're adjusting compression settings globally, for various sites, and for a specific directory.

The script is meant not only to be used as-is, but also to help you understand how the HTTP Compression configuration works, so you can adjust it to suit. For example, you can include other extensions to compress (CFM, PHP), or turn compression on and off for other webs, directories, or files.

To test your settings, get yourself a copy of Fiddler and install it. Run Fiddler, and browse your site. In the left pane, click a request that you think should be compressed, then click the Session Inspector tab on the right and look in the HTTP Compression area. If your page is compressed, GZIP or DEFLATE Encoding will be selected.

fiddlergzip.png
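
The same check can be scripted instead of clicked through in Fiddler. The Python below is an added example, not part of the original post: check_compression requests a URL while advertising gzip/deflate and reports the Content-Encoding and byte counts it got back. DemoSite is a constructed local stand-in for the IIS site (compression on, except under /SomeDirectory/Directory2) so the example runs offline; default.aspx and report.aspx are made-up page names.

```python
import gzip
import http.client
import threading
import zlib
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the site the batch file configures: compression
# on for the site, off under /SomeDirectory/Directory2 (path from the script).
EXCLUDED_PREFIX = "/SomeDirectory/Directory2/"
DEMO_PATHS = ["/default.aspx", "/SomeDirectory/Directory2/report.aspx"]

class DemoSite(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"<html>" + b"hello compression " * 200 + b"</html>"
        accepts = self.headers.get("Accept-Encoding", "")
        compress = "gzip" in accepts and not self.path.startswith(EXCLUDED_PREFIX)
        if compress:
            body = gzip.compress(body)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if compress:
            self.send_header("Content-Encoding", "gzip")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def check_compression(host, port, path):
    """GET path while advertising gzip/deflate and report what came back."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Accept-Encoding": "gzip, deflate"})
        resp = conn.getresponse()
        raw = resp.read()  # http.client does not decode the body for us
        encoding = (resp.getheader("Content-Encoding") or "identity").lower()
    finally:
        conn.close()
    if encoding == "gzip":
        decoded = gzip.decompress(raw)
    elif encoding == "deflate":
        try:  # servers send either zlib-wrapped or raw deflate
            decoded = zlib.decompress(raw)
        except zlib.error:
            decoded = zlib.decompress(raw, -zlib.MAX_WBITS)
    else:
        decoded = raw
    return {"path": path, "encoding": encoding,
            "wire_bytes": len(raw), "decoded_bytes": len(decoded)}

def audit_demo_site(paths):
    # Start the constructed site on a free loopback port, check each path.
    server = HTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return [check_compression("127.0.0.1", server.server_port, p) for p in paths]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for row in audit_demo_site(DEMO_PATHS):
        print(row)
```

To check a real server, call check_compression with its host name, port 80, and the paths you expect to be compressed or excluded.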

Thanks go to posts from BlueDog, KB234497, and Scott Forsyth.

ASP.NET | OS



 Sunday, January 21, 2007

A question came up recently on a mailing list I'm on about virtual machines for production applications. I've used virtual servers for web & database apps before, but only for dev/qa purposes. It made it much easier to go through deployment scenarios, try out new builds & roll back if the install failed, & generally avoid the time & money sink of dealing with setting up & maintaining actual physical machines. Plus virtual machines are easier to throw onto more powerful hosts as your needs grow.

However, if your organization is considering virtual machines for their production apps, they're in growing company. Most of my experience with production apps has been to start with traditional shared hosting plans, then move up to dedicated machines. That approach works especially well if you only have a few web apps that can all run on the same machines, or if your CPU needs are high.

However, using virtual machines (aka virtual servers or virtual private servers) can be a good way to save money if you have a number of heterogeneous and/or legacy applications that need their own "server" (for security, configuration, manageability, specific OS requirements, or other reasons) but don't have very high horsepower needs. In that scenario, having a separate physical machine for each app can be costly overkill, and require you to answer repeated questions from your boss like "why did we need to buy and maintain 5 new servers when they're all under 10% utilization?"

Instead, you can have each app on its own virtual server, and put them all on one or more physical machines -- however many are needed to run the apps effectively. Costs are reduced since you have fewer machines to power, watch, store, and maintain. Scaling applications can be simplified since you can allocate more or fewer resources to specific virtual servers, and you can always move them onto other, more powerful physical machines as your needs grow. Plus, disaster recovery can be easier, since if you have a hardware failure, you can just load the virtual server onto a different machine and keep on truckin'.

VMWare has some good info on their site: http://www.vmware.com/solutions/home.html

So does XenSource (Xen is open source virtualization software) http://www.xensource.com/solutions/ 

And I might as well link to MS Virtual Server, which apparently is free(?) :) http://www.microsoft.com/windowsserversystem/virtualserver/evaluation/vsoverview.mspx

Plus there are some other links around the web if you search on "virtual server" or "virtual private server."

Hardware | Hosting | OS | Other



 Wednesday, May 17, 2006

Fresh Installs With Fresh Hardware

Say you just bought a new motherboard, SCSI drive, or RAID card and you want to install a fresh copy of Windows onto it. If the standard Windows OS install contains drivers for it, then you can just boot from the install CD and start installing. Otherwise, you'll need to install the drivers after the install is complete, or during the install.

Installing drivers after you're done installing Windows isn't that bad if you have them on CD and you don't need them during the install. But if you're installing Windows onto a RAID array or a SCSI drive, for example, you'll need those drivers during the install, not after, because you won't be able to complete the installation without them. In my case, I just bought a new RAID card from NewEgg (this one). My plan was to make a RAID 1 (Mirrored) array for redundancy and install a clean copy of Windows onto it. But to do that, I needed the drivers to be available during the install.

Installing Drivers During an Install -- the F6 Floppy Solution

To install the drivers during a Windows install, you need to watch for the message "Press F6 to add a third party SCSI or RAID driver". The message may not be exactly like that depending on which version of Windows you're installing, but it definitely starts with "Press F6." It appears at the bottom of the screen almost right away in the install (while the screen is still blue and in text mode), and you only get a second or two to hit F6 before the opportunity is lost, forcing you to reboot and try again. The F6 method also requires you to have the drivers on a floppy, assuming the drivers will even fit on a floppy, and assuming you even have a floppy drive anymore. A USB Floppy Drive won't always work -- you really need a good ol' fashioned floppy "A:" drive. Blech.

Slipstreaming Your Windows Install CD -- a Cleaner Way

But assume you don't want to go the floppy drive route. You can instead make a "slipstream" version of your Windows install CD, which is basically a copy of the install CD that includes any extra drivers you need (RAID cards, network cards, etc). No floppy drive needed, no pressing F6, no driverless hardware after install, etc. A slipstream CD can also contain hotfixes and service packs, or even be an "unattended" version with all the install questions answered ahead of time. Note that a slipstream CD is not an illegal copy -- you must own a legal version of Windows. For those of you with MSDN subscriptions, your developer disks will work as well.

Slipstreaming used to be a PITA, but nowadays the process is easier thanks to NLite, a free utility that handles most of the dirty work. This quick & dirty guide assumes you know what driver files (.INF) are and have installed drivers and hardware before. It also assumes you know which drivers are the right ones for your hardware and OS.

Using NLite to Make the Slipstream

Anyhow, to make a slipstream CD:

  1. Get your Windows OS Install CD and copy all the files into a folder on your hard drive called c:\windowsinstall or somesuch. If you have an ISO image of the install CD (as you might if you had downloaded the ISO from MSDN), you can instead use a tool like IsoBuster to copy the files from the ISO to c:\windowsinstall. Otherwise you'd have to burn the ISO to a CD and then rip the files. Moving on....
  2. Download and install NLite. You'll need .NET 2.0 in order to run it.
  3. Get the drivers, hotfixes, and service packs you want and save them somewhere on your hard drive. If the drivers are in an EXE (for example, platform drivers for NForce motherboards) you'll need to get them out of the EXE via winzip, or maybe by running the driver EXE and hitting Cancel after the drivers have been extracted but before they've been installed (this works for nforce drivers). Remember that the drivers are where the INF files are.
  4. Run NLite.
  5. Navigate to the folder containing the files from your install cd (e.g. c:\windowsinstall). NLite will scan the files and try to guess what the OS is. If it's correct, click Next.
  6. You'll see a screen listing any previous NLite sessions. If you used it before it'll ask you if you want to load a previous session. In this case we're starting from scratch so click Next.
  7. Now you'll see some toggle buttons where you click on all the things you want to do with your new slipstream CD. I wish NLite had them as checkboxes instead of buttons, but anyhow. If you want to learn about the options, you can read the full NLite guide. In this case we're just integrating some drivers, so click Integrate Drivers and Create a Bootable ISO (so they highlight) and click Next.
  8. You'll see the Integrate Drivers screen. At the bottom, click Install. You'll see two options: Single Driver and Multiple Driver Folder.
  9. Single Driver
    1. If you have one driver in a folder (which is often the case with RAID drivers), choose Single Driver and navigate to the folder, click the appropriate INF file, and click Open.
    2. NLite will auto suggest a mode (PlugNPlay or Textmode) and show the driver(s) below.
    3. Click the appropriate one and click OK. You'll see it added to the list of drivers.
  10. Multiple Driver Folder
    1. If you have a bunch of drivers in a single folder (e.g. NForce drivers in C:\NVIDIA\nForceWin2KXP\5.11), click Multiple driver folder.
    2. Navigate to the folder containing all the drivers and click OK. NLite will recurse through that folder and subfolders and display all the drivers it found.
    3. Highlight all the drivers you want to install and click OK. NLite may ask you to pick from a few different drivers as in the Single Driver selection, then finally drop you back to the Integrate Drivers screen.
  11. Now that you've chosen the drivers, click Next. NLite will ask you to confirm, and then it'll start packing all the files together into a single install set, which might take a few minutes. Then click Next.
  12. Now you'll have a chance to specify a label and attributes for a bootable ISO. Enter an ISO Label, leave the attributes alone, and click Make ISO. Choose a target directory and name, click OK, and wait as the ISO is created.
  13. Once your ISO is built, go ahead and burn it to CD or DVD using Nero, Deepburner, or your favorite ISO burning program.

That's it! Now you have a customized Windows OS Install CD that you can use to install a fresh copy of Windows on your new hardware without worrying about hitting F6, missing drivers, installing drivers later, etc.

Note that with certain RAID/SATA drivers there may be extra things you need to do to slipstream them correctly. If you have install problems using the above rough guide, check out the NLite forum or MediaMan's article on Slipstreaming, especially pages 4-5.

OS



 Monday, April 10, 2006

So after upgrading my XP Pro laptop to 2GB of RAM, I'm no longer able to hibernate it. Which stinks. I instead get the helpful "Insufficient System Resources Exist to Complete the API" error. And no, having lots of free disk space doesn't do anything.

Apparently it's a known issue, with an unsupported hotfix that you have to get by calling Microsoft. Thankfully, Owen Cutajar's UGH post contains a link to download the fix. Let's see if it works...

Edit: Seems to work! :)

OS



 Tuesday, October 11, 2005

If you have a 32-bit application that uses custom registry values (e.g. HKLM/Software/MyApp/MySetting), it might have problems accessing those keys when run on 64-bit Windows. That's because 64-bit Windows (via WOW64, the 32-bit emulator that runs on 64-bit Windows) has separate sections in the registry for 32-bit apps and 64-bit apps. So if a 32-bit app is looking for

HKLM/Software/MyApp/MySetting

it actually needs to look in

HKLM/Software/WOW6432Node/MyApp/MySetting

when running on 64-bit Windows.

If you want to use the same key location regardless of which OS you're running, you need to enable registry reflection (or registry mirroring) for the keys you're interested in. WOW64 uses registry reflection to store certain keys in both the 32-bit and 64-bit registry sections. This allows 32-bit and 64-bit applications to share the same set of registry keys, and allows your application to use the same key on 32-bit and 64-bit Windows. A number of keys are reflected by default (e.g. HKLM/Software/Classes, a bunch of stuff under HKLM/Software/Microsoft), but you can use the RegEnableReflectionKey function to ask the OS to provide reflection for any key you need shared between 32-bit & 64-bit code (for example, our friend HKLM/Software/MyApp/MySetting).

More info:

http://support.microsoft.com/?kbid=305097

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win64/win64/registry_reflection.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/win64/win64/running_32_bit_applications.asp
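
To see which section of the registry a setting actually lives in, code can ask for a specific view by adding KEY_WOW64_64KEY or KEY_WOW64_32KEY to the access mask when opening the key. The Python below is an added example, not code from the original post: read_view uses the standard winreg module on Windows, and compare_views reports whether a value is visible in one view, both, or neither. It assumes MySetting is a value under Software\MyApp; SAMPLE_HKLM and sample_reader are constructed stand-ins (OtherApp and Mode are made up) so the comparison also runs where winreg is unavailable.

```python
try:
    import winreg  # present only on Windows
except ImportError:
    winreg = None

# Access-mask bits from winnt.h; the WOW64 bits pick a registry view explicitly.
KEY_READ = 0x20019
KEY_WOW64_64KEY = 0x0100
KEY_WOW64_32KEY = 0x0200


def read_view(subkey, name, view_flag):
    """Read value `name` under HKLM\\<subkey> from one view; None if absent."""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0,
                            KEY_READ | view_flag) as key:
            return winreg.QueryValueEx(key, name)[0]
    except FileNotFoundError:
        return None


# Constructed sample: a 64-bit Windows registry after a 32-bit installer wrote
# MySetting, plus one made-up key written by a 64-bit program.
SAMPLE_HKLM = {
    r"Software\WOW6432Node\MyApp": {"MySetting": "from-32-bit-installer"},
    r"Software\OtherApp": {"Mode": "x64"},
}


def sample_reader(subkey, name, view_flag):
    """Stand-in for read_view over SAMPLE_HKLM; models HKLM\\Software redirection."""
    prefix = "software\\"
    if view_flag == KEY_WOW64_32KEY and subkey.lower().startswith(prefix):
        subkey = "Software\\WOW6432Node\\" + subkey[len(prefix):]
    return SAMPLE_HKLM.get(subkey, {}).get(name)


def compare_views(subkey, name, reader=read_view):
    """Read the same value through both views and say where it is visible."""
    v64 = reader(subkey, name, KEY_WOW64_64KEY)
    v32 = reader(subkey, name, KEY_WOW64_32KEY)
    if v64 == v32:
        status = "missing" if v64 is None else "same"
    elif v64 is None:
        status = "32-bit view only"
    elif v32 is None:
        status = "64-bit view only"
    else:
        status = "differ"
    return {"value_64": v64, "value_32": v32, "status": status}


if __name__ == "__main__":
    reader = read_view if winreg else sample_reader
    print(compare_views(r"Software\MyApp", "MySetting", reader))
```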

 

 

OS



 Tuesday, August 30, 2005

If you use Remote Desktop (aka Terminal Services) to connect to Windows servers, you probably know that by default only two people can be connected via RDC at a time. So it sucks when you need to get onto a machine but you get the dreaded messages:

The terminal server has exceeded the maximum number of connections

or

The system can not log you on. The system has reached its licensed logon limit.

Especially when it's late at night and no one else is in the office. :) So, there are two solutions to get you past the blockade:
  1. Log onto a different server (one with free RDC connections) on the same network and domain as the blocked server. Open up Terminal Services Manager, navigate to the blocked server, open up the list of connected users, right-click a victim (preferably a long-idle one) and Log Out and Disconnect them. Wait up to 30 seconds, and they should drop off. Now you can connect to that server and fix that bug you accidentally migrated. :)
  2. If the above solution doesn't work, you can actually RDC to the console session (i.e. as if you were sitting at the PC's keyboard), which can act as a third RDC connection independent of the two main RDC connections. To do this:
    • Open a command prompt (Start->Run->"cmd").
    • Enter "mstsc /v:<servername> /console" and hit Enter. <servername> should be replaced by the machine name of the server you're connecting to.
    • You should see a familiar RDC console window come up & be able to log in. Note that if someone else is logged in at the console, either
      • If you're an Administrator, you'll have the opportunity to kick them off.
      • If you're not an Administrator, you're out of luck on the console session. But at least you tried.
Hopefully the above will help provide a workaround for the 2-connection RDC limit on busy boxes.


OS



 Monday, July 18, 2005

Slashdot has an interesting blurb on running Windows 2000 on old, crappy machines. The original information is very helpful for getting rid of any performance-draining services & effects. BlackViper is also a resource for stripping OS settings down to the bare minimum for optimal performance.

One big reason for running Windows 2000 on old hardware is so you can make use of otherwise "junk" boxes. Use them as file servers, web servers, test machines, internet terminals, etc.

OS