hypervisor.cpuid.v0 = "FALSE"
pciHole.start = "2048"
Had an issue with Exchange 2016 CU14 not allowing users to log in, but administrators could log in just fine.
Turns out the policies on the server were corrupted, and a full reset needed to be done to fix the issue.
Move the Exchange computer account to an OU with Blocking Inheritance
RUN: RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RUN: RD /S /Q "%WinDir%\System32\GroupPolicy"
RUN: gpupdate /force
RUN: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
TEST that you can connect to OWA, ECP, Outlook… it should work 🙂
Move your Exchange server back to its normal OU, then execute "gpupdate /force"
Confirm it still works; if not, fix your Group Policies.
Maybe it's this problem?
1. Click on Start/Run and type secpol.msc.
3. Expand Local Policies -> click on User Rights Assignment
4. In the right pane, double-click "Access this computer from the network".
5. Click Add User or Group -> type in Authenticated Users (by default only Administrators is entered)
6. Click OK -> click OK
That should do it. You may need to reboot.
Hyper-V Sucks sometimes. You should disable VMQ to get better performance on your network:
Get-NetAdapterVmq | Disable-NetAdapterVmq
clear mac address-table dynamic interface gi1/0/5
First check whether you need to add a new virtual disk, or whether you can just increase the current virtual disk
Log in to the VM and look at this command
If you already have 4 separate partitions, you will need to add a new virtual disk. Otherwise you can increase the current size, and we'll add a new LVM partition to the new space that's added.
You NEED to do this as the root user. So 'sudo su -'
If you expanded the existing disk
echo 1 > /sys/block/sda/device/rescan
If you added a new disk
Depending on what your host is, adjust the next command as needed
echo "- - -" > /sys/class/scsi_host/host0/scan
Once the rescan is completed, verify you see the new disk, or the new size
Now we will go into fdisk for the disk that needs the changes, either the free space on the original disk, or the new blank disk
enter ‘n’ to create a new partition
enter ‘p’ for a primary partition
enter the partition number that is one higher than the current highest one
First cylinder should default to the first available one in free space
Last Cylinder should default to the last available one in the free space
Now you need to tell it what type of partition it is
enter the partition number you just created (eg 4)
the hex code for LVM is '8e'; you can verify that by entering 'L'
enter 'w' to write the configuration to the disk
Rescan partition table for linux to find the updates
Sometimes that doesn’t work and you need to do
partx -v -a /dev/sda
Check your work
You should now see an additional partition you just made (eg /dev/sda4)
Note: I'll be using /dev/sda4; be sure to use the correct one you made
You should see it was created; now find out your Volume Group name
Now add the Physical volume to the Volume Group
vgextend cl /dev/sda4
Check your work
Now you can extend your Logical Volume (eg var) to use the space that's available on the new Physical Volume you added. Use lvdisplay to see what the name is.
lvextend /dev/cl/var /dev/sda4
Assuming you're using XFS:
If you're using EXT:
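The LVM part of the procedure above as one script. This is an added example, not code from the original post. The names /dev/sda4, cl and var are the post's own examples; the helper names, the DRY_RUN switch and the sample lsblk output are assumptions made here. With DRY_RUN unset it only prints the commands it would run.

```shell
#!/bin/bash
# Added example, not from the original post. DRY_RUN=1 (default) only prints commands.

# Constructed sample of `lsblk -ln -o NAME,TYPE /dev/sda` output.
SAMPLE_LSBLK='sda disk
sda1 part
sda2 part
sda3 part
cl-root lvm
cl-var lvm'

# Next partition number on disk $1, reading lsblk output on stdin. Fails when the
# disk already has 4 partitions: per the post, add a new virtual disk instead.
next_partition() {
    awk -v d="$1" '
        $2 == "part" && index($1, d) == 1 {
            n = substr($1, length(d) + 1) + 0
            if (n > max) max = n
            count++
        }
        END { if (count >= 4) exit 1; print max + 1 }'
}

# Command that grows the filesystem: $1 = fstype, $2 = LV device, $3 = mount point.
grow_fs_cmd() {
    case "$1" in
        xfs)            echo "xfs_growfs $3" ;;   # XFS grows via its mount point
        ext2|ext3|ext4) echo "resize2fs $2" ;;    # ext grows via the block device
        *)              echo "unsupported filesystem: $1" >&2; return 1 ;;
    esac
}

run() {  # print the command; execute it only when DRY_RUN=0
    echo "+ $*"
    if [ "${DRY_RUN:-1}" = "0" ]; then "$@"; fi
}

# $1 = new partition, $2 = volume group, $3 = logical volume, $4 = fstype, $5 = mount point
extend_lv() {
    local grow
    grow=$(grow_fs_cmd "$4" "/dev/$2/$3" "$5") || return 1
    run pvcreate "$1" &&
    run vgextend "$2" "$1" &&
    run lvextend "/dev/$2/$3" "$1" &&
    run $grow
}

if [ "$#" -eq 5 ]; then extend_lv "$@"; fi
```

Review the printed commands first, then run it as root with DRY_RUN=0 and the five arguments (partition, volume group, logical volume, filesystem type, mount point) to apply them.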
Enable SSH on ESXi host
SSH into Host
#Set Multipathing to Round Robin default
esxcli storage nmp satp set -P VMW_PSP_RR -s VMW_SATP_ALUA
#change Default IOPS to 3
esxcli storage nmp satp rule add -s "VMW_SATP_ALUA" -V "COMPELNT" -P "VMW_PSP_RR" -O "iops=3"
#!/bin/bash
# Set hostname
echo "Enter the Hostname of this System"
read -r hostname
# Quote the value so a hostname containing spaces is not word-split
hostnamectl set-hostname "$hostname"
hostnamectl --pretty set-hostname "$hostname"
# Copy the result into the installed system image
cp /etc/hostname /mnt/sysimage/etc/hostname
cp /etc/machine-info /mnt/sysimage/etc/machine-info
It's really simple, but Atlassian makes it sound more complicated than it needs to be.
The first thing you want is to make the Tomcat process that Jira uses run only on a self-signed SSL cert, so all communication is encrypted.
Run this as root
/opt/atlassian/jira/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -validity 1095
When asked, set the password to "changeit" without quotes
This will make a .keystore file in root's home directory.
Move it to where Jira can get to it easily.
mv /root/.keystore /opt/atlassian/jira/
Make sure Jira is stopped
Now it's time to edit the server.xml
Find the original port 8080 connector section and comment it out by surrounding it in
Create a new Connector
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" proxyName="jira.domain.com" proxyPort="443" clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true" keystoreFile="/opt/atlassian/jira/.keystore"/>
Change your proxyName value to what it would be on your front end. Jira needs to know this so when it serves the page up it has correct links.
Start Jira, make sure there are no errors
Check your server on https://ipaddress:8443 and make sure it hosts the page correctly.
Then you can set your IIS or Apache Proxy to point to https://ipaddress:8443 and you can then serve as needed
1. Check that the document library and contact is set to allow from all senders (network scanners were not regarded as authenticated users)
2. Check the size limits on the SharePoint send connector (Exchange -> Hub Transport -> Send Connectors -> Properties -> Maximum message size (KB))
3. Check the size limits on SMTP receiver on SharePoint (IIS 6 Mgr -> Properties on SMTP Virtual Server -> Messages tab -> Limit message size, Limit session size)
4. Turn off SharePoint reading RTF documents from Exchange (Exchange -> Hub Transport -> Remote Domains -> Format of original message sent as attachment to journal report: -> Exchange rich-text format -> Never use)
5. Check for potential mail routing problems (Exchange -> Hub Transport -> Accepted Domains -> Add domain for INTERNAL RELAY) – we noticed a couple of times the scanned mail tried to go external through our mail gateway – this was the last 1% of our problems.
Tips from: http://www.heyweb.net/2011/02/diagnosing-problems-with-sharepoint-incoming-email/
A basic .reg file is all you need.
This was tested on Server 2008 R2 with all the latest patches
This disables all old protocols (only TLS 1.0, 1.1, and 1.2 are enabled)
Be careful, as this will disable SSL 3.0, which is used by the previous standard SMTP:587, and you will need to migrate everyone to TLS SMTP, which can be set to any port you wish, but Exchange likes port 25 for TLS.
It's probably best to do this one step at a time, and reboot after each step to see what you may have broken (backup software, all webpages, SQL Server, SMTP, webmail, etc.).
First you need to configure all your protocols