Star Wars Despecialized Edition!

After years of pleas from his fans and just as many middle fingers from Mr. Lucas, we finally have HD, unedited versions of the original Star Wars trilogy! Harmy has released what the studios have never done for us; a completely restored, HD version of the films as originally seen in theaters. Han shoots first. The silly, horrible CGI that was added into various scenes is gone. Kenobi’s original Krayt dragon roar that frightens the sand people away is back. Here we have Lucas’ original versions of all three films, the ones we the fans have been waiting for since the DVD format dawned many years ago.

The latest version of Harmy’s ‘A New Hope’ is entitled ‘STAR WARS DESPECIALIZED EDITION REMASTERED v2.5 MKV’ and you can find it at a torrent site near you. This version has some improvements over the v2.0 edition. It is also in MKV format, which can easily be converted for DVD or Blu-ray with an encoding app such as Freemake Video Converter.

THE EMPIRE STRIKES BACK – DESPECIALIZED EDITION v2.0

RETURN OF THE JEDI – DESPECIALIZED EDITION HD


Combiner Wars Devastator – The Ultimate Devastator!

Combiner Wars Devastator is big… REAL BIG! Long Haul alone stands almost as tall as MP-10 Prime. He is almost twice as tall as MP-22 Ultra Magnus. This is the most G1-accurate Devastator to date and he is on par with the Masterpiece line, scaling nicely with MP figures in general. He could easily punt most Masterpiece Autobots. Every year Takara/Hasbro surprise their fans and this time is no different. CW Devastator is an amazing figure and well worth the $140-$150 price tag.


MP-25 Tracks Color Pics

I am so excited about this guy. Tracks is looking great so far. He seems to be a good median between his G1 toon/toy counterparts and the faithful Stingray alt mode. From what I can see of his face in the new, small images, he seems to have the vain, conceited look that made up his show character.


VirtualBox Guest VM Headless Mode

VirtualBox is a great free virtual server and can be even cooler when you run guests in Headless mode. Headless mode will allow a VM to run in the background on your machine without having the VirtualBox application windows open. Neither the VBox Manager nor the guest’s console window need be open. Here’s how to do it.

Set a system path to VirtualBox’s command line exe

  1. Find the path to your installation of VirtualBox. Mine is at C:\Program Files\Oracle\VirtualBox, so I will create a path to that directory.
  2. From Start, type in SystemPropertiesAdvanced.exe and hit enter to run the advanced system properties.
  3. Click the Environment Variables button.
  4. Under System variables, scroll down to Path and click the Edit button.
  5. Hit the End key to move to the end of the Variable value field, add a semi-colon ( ; ) and paste the path from step 1 after the semi-colon.
    1. Note that adding this directory to the path lets every exe in it be run from the command prompt by name.
  6. OK out of the advanced system properties. If you have any CMD windows open, you must close them first for the new path to take effect.
  7. Open a CMD window and type vboxmanage to verify your path is set. You should see a list of commands.

Create a headless batch file to run your guest VM

The location for my VM guests is E:\VM, so my scripts point there. You will need to find the path(s) to your own guests and substitute them for E:\VM, including the correct .vbox file name for each guest.

VBoxManage startvm "E:\VM\Windows\Windows.vbox" --type headless
VBoxManage startvm "E:\VM\Linux\Linux.vbox" --type headless

The above lines start two VM guests in headless mode. You can test each command in a CMD or PowerShell window. To administer these guests you will need to SSH in if Linux, or RDP if Windows, because there is no guest VM console window. To force-kill one of them, run Windows Task Manager as administrator (right-click, Run as administrator); Task Manager lives under your %systemroot% directory. When TaskMan runs as admin you can mouse over the VBoxSVC.exe process and see the path to the VM. If you do not run it as admin and have multiple guests running, you will not be able to tell them apart: you will see several vboxsvc.exe processes but not which guest each belongs to.

Create an optional save state shutdown batch file

If you want your guests to stop cleanly when the system reboots or shuts down, create a script that saves their state before Windows goes down. The script below saves the state of the two guests started by the headless script above. Note that here you quote the guest’s name, not the path or .vbox file used in the headless script. You can get the guest’s name from VirtualBox Manager, or by mousing over its VirtualBox.exe task in TaskMan and noting the --comment value.

vboxmanage.exe controlvm "Windows" savestate
vboxmanage.exe controlvm "Linux" savestate

Create a scheduled task to run the above files at startup and shutdown

To bring this all together, create a scheduled Windows task to automatically start your guests at boot and save their states on shutdown.

  1. Open Windows Task Scheduler in Windows 8 or Scheduled Tasks in 7
  2. Create a new task
  3. Set it to run when the computer starts
  4. Point to your headless batch file as the program to start/run
  5. Complete the task, then edit its properties
  6. Set it to run whether logged on or not. This will allow the system to run the tasks without you even needing to login after boot.
  7. Set the option to allow the task to be run on demand so you can run the task manually

Create another task, but set it to run when a system event is logged. This will run when the computer receives a shutdown/reboot command. Set the options for the task as below.

  • Log: System
  • Source: Kernel-Power
  • Event ID: 109

MP-25 Tracks – Takara’s Next Transformers Masterpiece Figure

It would seem that Tracks is Takara’s next figure in their Masterpiece line (3Q 2015). Tracks was always a favorite of mine. I love the lines of the Stingray and even the original G1 figure’s bot mode looks great. I’m enjoying all the Masterpiece figures, but would really appreciate more Decepticons in the line. Perhaps a triple changer like Astrotrain or a combiner, even!


Masterpiece Soundwave Energon Sheet By Takara

Takara Energon Sheet – download the PDF for printing at actual size

I had completely forgotten about the colored energon insert Takara provided for MP-13 Soundwave. You can print this and insert it into the clear energon cube that comes with MP Soundwave. I’m providing the PDF here for download, both from Takara and locally just in case the original goes offline at some point.

Original Takara site link

Download local PDF


Cloned Virtualbox VM Network Issues

I spent hours trying to figure out why my cloned VM was not saving its ifconfig changes. Even though you can tell VirtualBox to regenerate the network ID when cloning, you still won’t have a working VM if you later create a new one from the cloned image. It turns out that you must delete the persistent network rule and apply a new MAC address. Thanks, Oracle, for making this completely clear (read: utterly baffling).

1. Generate a new MAC in Virtualbox and notate it.

Generate a new MAC address for the VM

2. Run the following to delete all persistent net rules:

rm -f /etc/udev/rules.d/70*net*

3. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file and replace the MAC address with the one you generated above, then save:

vi /etc/sysconfig/network-scripts/ifcfg-eth0
Replace the MAC address in /etc/sysconfig/network-scripts/ifcfg-eth0

4. Run sys-unconfig. This command will reset system settings and force a shutdown. When you reboot you will be presented with root password reset, network configuration and services autostart setup screens.

You should now be able to configure eth0 with a new IP address which will not be overwritten and lost. It seems that iptables is unaffected, so that’s good.

Reset SSHD (SSH) config

In CentOS, the SSHD service will not work on a cloned VM either, because the /etc/ssh/sshd_config file still carries the old IP address in its ListenAddress directive. Edit this file and save it, then restart the SSHD service (service sshd restart).

Change the ListenAddress in the /etc/ssh/sshd_config file
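Steps 2 and 3 above plus the sshd_config edit, scripted as an added example that is not part of the original post. It assumes a CentOS 6 style guest (ifcfg-eth0 and udev persistent-net rules), that the new MAC was already generated in the VirtualBox GUI in step 1 and is passed as the first argument, and an optional new ListenAddress as the second; the script name fix-clone.sh is hypothetical, and the file paths are function parameters so the edits can be tried on copies first.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a CentOS 6 style guest.
# Usage (as root on the clone): sh fix-clone.sh 08:00:27:11:22:33 [new-ip]
# Afterwards run sys-unconfig, reboot, and restart sshd as described above.

# A MAC address is six colon-separated hex pairs; reject anything else so a
# typo from the GUI cannot be written into ifcfg-eth0.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Step 2: remove the udev rules that bind the interface name to the old MAC.
drop_persistent_net_rules() {  # $1 = rules directory
    rm -f "$1"/70*net*
}

# Step 3: replace (or add) HWADDR= in an ifcfg file with the new MAC.
set_hwaddr() {  # $1 = ifcfg file  $2 = new MAC
    ifcfg=$1
    mac=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    valid_mac "$mac" || { echo "rejecting MAC '$2'" >&2; return 1; }
    if grep -q '^HWADDR=' "$ifcfg"; then
        sed -i "s/^HWADDR=.*/HWADDR=$mac/" "$ifcfg"
    else
        printf 'HWADDR=%s\n' "$mac" >> "$ifcfg"
    fi
}

# sshd fix: point ListenAddress at the new IP, or pass "" to drop the pin so
# sshd listens on every interface and the clone cannot lock itself out again.
set_sshd_listen() {  # $1 = sshd_config  $2 = new address or ""
    conf=$1
    addr=$2
    if [ -z "$addr" ]; then
        sed -i '/^ListenAddress /d' "$conf"
    elif grep -q '^ListenAddress ' "$conf"; then
        sed -i "s/^ListenAddress .*/ListenAddress $addr/" "$conf"
    else
        printf 'ListenAddress %s\n' "$addr" >> "$conf"
    fi
}

# Read the current values back so a change can be verified.
get_hwaddr() { sed -n 's/^HWADDR=//p' "$1"; }
get_sshd_listen() { sed -n 's/^ListenAddress //p' "$1"; }

# Only touch the real system files when a MAC is given on the command line.
if [ $# -ge 1 ]; then
    drop_persistent_net_rules /etc/udev/rules.d
    set_hwaddr /etc/sysconfig/network-scripts/ifcfg-eth0 "$1" || exit 1
    set_sshd_listen /etc/ssh/sshd_config "${2:-}"
    echo "Done. Run sys-unconfig, reboot, then: service sshd restart"
fi
```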


Takara MP-22 Ultra Magnus

Magnus wants Whiskey

After a long wait I was finally able to open my new Masterpiece Ultra Magnus for my birthday. This guy is huge and chunky. He stands around the size of the grandfather of the MP line, MP-01 Optimus Prime. MP-10 Prime, however, is a few inches smaller than Magnus, more to scale with their G1 movie/cartoon counterparts.

I’ve pushed the joints to their limits in the image below where he is firing upwards like the 1986 poster. The leg joints don’t have the wide stance capabilities of the other masterpiece figures. The arms and shoulders have quite a nice range of motion, but are slightly limited by the sheer bulk and white stacks.

From behind, Magnus looks like a big pile of parts. It’s quite strange how different he looks from the front as compared with the rear. This is by no means a complaint. Who displays their figures from behind anyway?

The paint application and colors are amazing. Aside from the sprue marks on his forearms, the engineering and finish are superb, just like the rest of the line.


Secure Your WordPress Site

Logging into your WordPress site is all fun and games… until you wind up on an unprotected wireless access point which is being sniffed by nefarious noses. Then you might have a problem. You see, on your home LAN you are protected (or should be) by your router. Hopefully you have a strong passphrase protecting you from the outside world. If not, well, you should apply one soon.

Once you step outside of your network you are trusting that any wireless access points beyond your control are secure. This is where SSL comes in handy. Normally, connecting to your website on port 80 (http://) is perfectly fine. An issue arises, though, when you want to log in to your site. Once you enter your username and password all that information is transmitted in clear text to your server or web hosting company. Any malicious user sitting on the same network can sniff that traffic and acquire your URL and subsequently your IP address, your username and your password. If that account has admin permissions on your WordPress server, you can practically say goodbye to it because now the aforementioned malicious user has everything they need to log in to your account and indiscriminately destroy all your hard work.

SSL encrypts all traffic to and from a website. Applying an SSL certificate to your site and logging in via HTTPS is all you need to feel warm and fuzzy that anyone watching your traffic cannot see your credentials when you log in. Although normal traffic to your site may not need encryption, logging in certainly does.

Begin by acquiring a free SSL certificate from StartSSL.com

StartSSL has guides for requesting a cert and applying it to your server as do other sites on the interwebs. I might write a guide in the future.

Apply your SSL cert to your Apache/HTTPd webserver

I am on CentOS, so your directory and file locations may differ on other Linux flavors.

Copy your private key file to:

/etc/pki/tls/private

Copy your SSL certificate, the CA root and the CA chain to:

/etc/pki/tls/certs

Open your /etc/httpd/conf.d/ssl.conf file and edit the following sections to enable SSL on your server.

ServerName yourdomain.com:443

Enforce high encryption in Apache and ace the Qualys SSL Test

Disable SSLv2 and SSLv3. These protocols are now considered weak, vulnerable, pathetic.

SSLProtocol All -SSLv2 -SSLv3

Add the ‘SSLHonorCipherOrder On’ directive so the server, not the client, picks the cipher:

SSLHonorCipherOrder On

Enable a strong cipher suite:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:!MD5:!aNULL:!EDH

Set the path to your SSL certificate:

SSLCertificateFile /etc/pki/tls/certs/yourdomain.com-cert.txt

Set the path to your SSL private key file:

SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.com-prikey.txt

Set the path to the CA chain and root certs:

SSLCertificateChainFile /etc/pki/tls/certs/CA-chain.pem
SSLCACertificateFile /etc/pki/tls/certs/CA-bundle.crt

Restart the webserver:

service httpd restart

or

systemctl restart httpd

Enable SSL through your Linux server firewall

I edited my iptables file with the below 443 rule:

-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT

Force SSL on the admin wp-login page

You can also force SSL via the wp-config.php file. Doing so redirects any plain HTTP (port 80) request for the login page and the admin area to HTTPS (port 443). Add the line below near the top of your wp-config.php file. Make sure a valid SSL cert is applied before doing this, or you will lock yourself out of the admin area.

define( 'FORCE_SSL_ADMIN', true );

Change your MySQL database root username

Another hardening step is to rename the MySQL root user to something else. This blunts brute-force attacks that try the standard usernames, root above all. The rename only takes effect once the privilege tables are reloaded, hence the FLUSH PRIVILEGES.

UPDATE mysql.user SET user="newusername" WHERE user="root";
FLUSH PRIVILEGES;

Disable wrong username/password messages on login page

When you enter a wrong username or password on the login page, WordPress tells you which one was wrong. Disabling this is not a strong security measure on its own, but it is part of the security-by-obscurity approach that can have a place in an overall policy to protect your site.

Add this line to the wp-content/themes/themename/functions.php file of your selected theme (a theme update will overwrite that file, so a child theme or a small plugin is a safer home for it):

add_filter( 'login_errors', function ( $error ) { return null; } );

Secure Apache

  1. Edit your /etc/httpd/conf/httpd.conf
  2. Disable directory browsing by deleting ‘Indexes’ from the line ‘Options Indexes FollowSymLinks’.
  3. Remove access to xmlrpc.php by adding the following to the Alias directive section:
    1. Redirect 404 /xmlrpc.php
  4. Hide the Apache version by adding the following at the very end:
    1. ServerTokens ProductOnly
    2. ServerSignature Off
  5. Restart Apache
    1. systemctl restart httpd

Hide PHP versioning

Edit your php.ini file (on CentOS it is /etc/php.ini) and change the expose_php = On line to Off so PHP stops advertising its version in the X-Powered-By header.

expose_php = off
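An offline audit of the settings from the ‘Enforce high encryption’, ‘Secure Apache’ and ‘Hide PHP versioning’ sections above, as an added example that is not from the original post. It takes the three file paths as arguments (on CentOS they would be /etc/httpd/conf.d/ssl.conf, /etc/httpd/conf/httpd.conf and /etc/php.ini), prints PASS or FAIL per item and exits with the number of failures, so it can be run on a copy of the configs before restarting httpd; the script name audit-httpd.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: sh audit-httpd.sh ssl.conf httpd.conf php.ini

# Value of the last active (uncommented) occurrence of a directive. Apache
# keeps the last one it reads, so a stale duplicate lower in the file wins.
directive() {  # $1 = file  $2 = directive name
    grep -iE "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 |
        sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/[[:space:]]+$//'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# SSLProtocol: SSLv2 and SSLv3 must be unreachable, whether listed
# explicitly or pulled in by "All" without a matching "-SSLv2"/"-SSLv3".
ssl_protocol_ok() {  # $1 = SSLProtocol value
    [ -n "$1" ] || return 1          # absent means the Apache default, "all"
    v=" $(lower "$1") "
    for bad in sslv2 sslv3; do
        case "$v" in
            *" $bad "*|*" +$bad "*) return 1 ;;
            *" -$bad "*) ;;
            *" all "*) return 1 ;;
        esac
    done
    return 0
}

# SSLCipherSuite: nothing listed positively may be RC4, MD5-based, NULL,
# export grade or anonymous; "!"-prefixed entries are exclusions and are fine.
cipher_suite_ok() {  # $1 = SSLCipherSuite value
    [ -n "$1" ] || return 1
    if printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' |
        grep -Eiq 'RC4|MD5|NULL|EXP|ADH|AECDH'; then
        return 1
    fi
    return 0
}

# Compare a directive's value (case-insensitively) with the expected one.
value_is() { [ "$(lower "$(directive "$1" "$2")")" = "$3" ]; }

# No Options line may enable directory listings ("Indexes" or "+Indexes").
no_indexes() {
    ! grep -iEq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?\+?Indexes([[:space:]]|$)' "$1"
}

xmlrpc_blocked() {
    grep -iEq '^[[:space:]]*Redirect[[:space:]]+404[[:space:]]+/xmlrpc\.php' "$1"
}

# Apache accepts both spellings for the minimal Server header.
server_tokens_ok() {
    v=$(lower "$(directive "$1" ServerTokens)")
    [ "$v" = prod ] || [ "$v" = productonly ]
}

# php.ini uses "key = value" with ";" comments.
php_expose_off() {
    v=$(grep -iE '^[[:space:]]*expose_php[[:space:]]*=' "$1" | tail -n 1 |
        sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*(;.*)?$//')
    [ "$(lower "$v")" = off ]
}

# Print one PASS/FAIL line; returns 1 on failure so the caller can count.
check() {  # $1 = label, rest = command to run
    label=$1; shift
    if "$@"; then echo "PASS $label"; return 0; fi
    echo "FAIL $label"; return 1
}

# Run every check; the return value is the number of failures.
audit() {  # $1 = ssl.conf  $2 = httpd.conf  $3 = php.ini
    n=0
    check "SSLProtocol excludes SSLv2 and SSLv3" \
        ssl_protocol_ok "$(directive "$1" SSLProtocol)" || n=$((n+1))
    check "SSLHonorCipherOrder On" value_is "$1" SSLHonorCipherOrder on || n=$((n+1))
    check "SSLCipherSuite has no weak ciphers" \
        cipher_suite_ok "$(directive "$1" SSLCipherSuite)" || n=$((n+1))
    check "Indexes removed from Options" no_indexes "$2" || n=$((n+1))
    check "xmlrpc.php answers 404" xmlrpc_blocked "$2" || n=$((n+1))
    check "ServerTokens ProductOnly" server_tokens_ok "$2" || n=$((n+1))
    check "ServerSignature Off" value_is "$2" ServerSignature off || n=$((n+1))
    check "expose_php = off" php_expose_off "$3" || n=$((n+1))
    return $n
}

if [ $# -eq 3 ]; then
    audit "$1" "$2" "$3"
    exit $?
fi
```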

Patching Exchange 2010 DAG Clusters

  • Tip: Download and manually install rollups and service packs via an administrative command line. Soooo many problems can come from updating these via WSUS or automatic updates. Run these first, then reboot if need be and install the remaining patches. This can save you many hours of heartache.

Prerequisites

Patch your servers

  1. Run Exchange Management Shell as administrator.
  2. Put the server into maintenance mode (must be run on the server being placed in maintenance mode):
    1. maintenancewrapper --server <servername> --action start
  3. Run one of the following to verify that the server is in maintenance mode and that the PAM and database have been moved:
    1. This script will give you quite a few stats for the cluster and servers:
      1. checkpam
    2. This command will list the PAM and any servers in maintenance along with the server containing the mounted database:
      1. get-databaseavailabilitygroup <dagname> -status | fl name,primaryactivemanager,serversinmaintenance; get-mailboxdatabase | fl server,name
  4. Once the server is in maintenance mode and the PAM and database are active on the other server, patch and reboot.
  5. Once patches complete run the following to remove the server from maintenance mode, then verify using the checkpam script:
  6. Stop maintenance mode:
    1. maintenancewrapper --server <servername> --action stop
  7. Run checkpam to get health and status of the DAG:
    1. checkpam
  8. If the server you want does not take over as the cluster manager, run this command:
    1. cluster <dagname> group "cluster group" /moveto:<servername>
  9. If the database does not activate on the server, follow these steps:
    1. Open the management console
    2. Expand ‘Organization Configuration’
    3. Highlight ‘Mailbox Database number’ in the top pane
    4. Right-click the same database name in the bottom pane and select ‘Activate Database Copy’
    5. Choose the default option of ‘NONE’ and click OK

Troubleshooting

The cluster file share witness will not come back online

  1. Go to Server Manager → Features → Failover Cluster Manager
  2. Highlight <dagname.fqdn>
  3. In the right hand Actions pane, click on More Actions → Configure Cluster Quorum Settings
  4. Click Next and copy the path to the share, then paste it somewhere for later.
  5. Click Previous and choose Node Majority, then Next and finish
  6. The cluster will then be in Node Majority, meaning that if either server goes down, the cluster is dead and so, too, is the Exchange database. So do not reboot.
  7. Once done, go back into Configure Cluster Quorum Settings and choose Node and File Share Majority
  8. Click Next, paste in the path to the share copied in step 4, click Next and finish
  9. Under Cluster Manager, you should now see 2 shares listed. Highlight the file share that has failed. It should have a red X next to it. Remove this resource.
  10. The cluster should now show healthy. Determine this by running checkpam on either server.
  11. Manually move the active database to another server

Mailbox database won’t move to server

  • move-activemailboxdatabase -identity 'mailbox database number' -activateOnServer <servername> -mountdialoverride 'none'
  • This can be accomplished through the Exchange Management Console as well via step #9 above

Draining Netscaler 9.1 Services

It took me a while to figure this one out. In order to safely and effectively drain connections from a service or services on a Netscaler virtual server, follow this procedure. The services must not have infinite cookies, i.e., if your service is set for COOKIEINSERT with a timeout of 0, this may not work effectively.

Two default settings on LB services and virtual servers to note are ‘Down state flush’ on the Advanced tab and the ‘Weight’ value on the LBVS Services tab.

  • Disabling ‘Down state flush’ on a service and/or LBVS allows active sessions to remain active in the event that a service is in the ‘out of service’ state. The default for the Netscaler is enabled (checked).
    • If enabled, all sessions to a service are severed if it goes out of service.
    • Unchecking this option will allow active sessions to timeout before being kicked. When this option is not enabled and you disable a service, you will be prompted to specify a timeout in seconds. The service will be set to ‘Out of service’ at which time subsequent sessions are created on the higher weighted services in the LBVS.

Remember that a higher value weight gets more connections than a lower value. Depending upon which method you are using (least connection, round robin, etc.) connections will be sent using the Netscaler’s algorithm; the higher value will get a higher percentage of connections.

  1. Load Balancing -> Services:
    • Uncheck the ‘Down state flush’ option in the Advanced tab of the services assigned to your load balancing virtual server.
  2. Load Balancing -> Virtual Servers:
    • Open the LBVS that contains the services from step 1.
      • In the Services tab, set the weight of the service to disable to 1 and the weight of the service to remain in the pool to 100, then OK to save the config.
      • In the Advanced tab, uncheck the ‘Down state flush’ option.
  3. Load Balancing -> Services:
    • Right-click the service you want to disable and click Disable.
    • Enter the time in seconds before the service goes down, then click Enter.

Once you click Enter the service should show as ‘Out of service’. Sessions will begin to drain from it as they time out and the service weighted 100 should begin to accept more connections.

Set weight values. Higher values get higher priority for connections.

Disable ‘Down state flush’

Set desired time in seconds before service is disabled.


Batch File for New Windows Server

I use this batch file to deploy new servers, whether 2003, 2008 or 2012. I run it after the initial Windows install and before joining a domain. It includes various ‘fixes’ such as disabling all SSL versions and weak ciphers for IIS, installing the Telnet client on 2008 and above, allowing joins to a single-label domain, properly disabling the Windows firewall, etc.

Updated to restrict more weak cipher suites and enable TLS1.0 through TLS1.2.

Modify 1.1.1.1 IPs to preference.

@echo off
echo:
echo ======================================================================
echo DO NOT RUN THIS SCRIPT ON A DOMAIN MEMBER SERVER!
echo USE WSUS-REINSTALL SCRIPTS INSTEAD TO RESET WSUS CLIENT.
echo ======================================================================
PAUSE
echo:
:: Install Telnet client
echo Installing Telnet client...
pkgmgr /iu:"TelnetClient"

echo:
:: Allow single label domain name (i.e., domain vs domain.com)
echo ----------------------------------------------------------------------
echo Setting 'Allow single label domain name'...
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v "AllowSingleLabelDnsDomain" /t reg_dword /d 00000001 /f

echo:
:: Disable subcategory logging for event IDs 5156, 5757, 4963
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

echo:
:: Set Windows Firewall to OFF for all profiles - only if behind hardware firewall
echo ----------------------------------------------------------------------
echo Disabling Windows Firewall...
net start MpsSvc
netsh advfirewall set allprofiles state off
sc config "MpsSvc" start= demand

echo:
:: Set RDP to enabled from its default setting of not allowed
echo ----------------------------------------------------------------------
echo Enabling RDP...
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t reg_dword /d 00000000 /f

echo:
:: Set NTP client - for non-domain servers only
echo ----------------------------------------------------------------------
echo Syncing with NTP server...
sc config w32time start= auto
net start w32time
tzutil /s "Central Standard Time"
RunDLL32.exe shell32.dll,Control_RunDLL timedate.cpl,,/Z Central Standard Time
w32tm /config /manualpeerlist:"1.1.1.1" /syncfromflags:manual /update
net stop w32time && net start w32time
w32tm /resync

echo:
:: Enable Telnet and SNMP
echo ----------------------------------------------------------------------
dism /online /enable-feature /featurename:TelnetClient /featurename:SNMP /featurename:Server-RSAT-SNMP

echo:
:: Reinstall WSUS client and clear potentially corrupt files
echo ----------------------------------------------------------------------
echo Setting up WSUS client...
net stop bits && net stop wuauserv
ipconfig /flushdns
del "C:\Users\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
del "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonTime" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonType" /f
net start wuauserv
net stop bits && net stop wuauserv
regsvr32 wuaueng.dll /s
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUStatusServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroupEnabled" /t reg_dword /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroup" /t reg_sz /d "WSUS Servers" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "UseWUServer" /t reg_dword /d 0000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "NoAutoUpdate" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "AUOptions" /t reg_dword /d 00000002 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallDay" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallTime" /t reg_dword /d 00000003 /f
net start bits && net start wuauserv
wuauclt.exe /detectnow

echo:
:: Set ArpRetryCount registry entry for IP conflict issue on 2008
echo ----------------------------------------------------------------------
echo Setting ArpRetryCount registry entry...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ArpRetryCount" /t reg_dword /d 00000000 /f

echo:
echo ----------------------------------------------------------------------
echo Disabling weak SSL ciphers...

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel" /v "EventLogging" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\NULL" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/56" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 64/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\Triple DES 168" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable PCT 1.0
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv2
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv3
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Enable TLS1.0, TLS1.1, TLS1.2
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "Enabled" /t reg_dword /d 00000001 /f

echo:
:: Rename default Administrator account, rename & disable Guest account
echo ----------------------------------------------------------------------
echo Renaming Administrator and Guest accounts...
wmic useraccount where name='Guest' call rename name='NewGuest'
wmic useraccount where name='NewGuest' set disabled='True'
wmic useraccount where name='Administrator' set passwordexpires='False'
wmic useraccount where name='Administrator' call rename name='NewAdmin'
net accounts /maxpwage:90
echo ======================================================================
echo If Admin account was renamed, log out before making further changes.
echo ======================================================================
set ask=none
set /p ask=Log out now? Type YES, NO or hit ENTER to exit:
:: Quoted, case-insensitive compare; anything other than y/yes falls through to exit
if /i "%ask%"=="y" goto logoff
if /i "%ask%"=="yes" goto logoff
goto exit
:logoff
echo Logging off...
logoff
:exit
echo ======================================================================
echo Remember to log off if Admin account has been renamed.
echo ======================================================================
timeout 5 > nul
exit
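The registry keys the script writes only say what was set, not what Schannel will actually do: a protocol is off when Enabled is 0, is negotiated only on explicit request when DisabledByDefault is 1, and falls back to the OS default when a value is absent. The audit below is an added example, not part of the script above; run it from an elevated PowerShell prompt after the hardening script to confirm the result and to flag anything older than TLS 1.2 that is still on.

```powershell
# Added example (not part of the original hardening script): report the
# effective Schannel protocol state for each protocol/side and warn about
# legacy protocols that are not explicitly disabled. Absent values are
# reported as "OS default" rather than guessed.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$legacy    = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function Get-SchannelState {
    param([string]$Protocol, [string]$Side)
    $path = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side
                                  Enabled = 'OS default'; DisabledByDefault = 'OS default'; State = 'OS default' }
    }
    $props   = Get-ItemProperty -Path $path
    $enabled = if ($null -ne $props.Enabled)           { $props.Enabled }           else { 'OS default' }
    $dbd     = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'OS default' }
    # Schannel semantics: Enabled=0 wins; then DisabledByDefault=1 means "only if asked for".
    $state = if ($enabled -eq 0)                                         { 'Disabled' }
             elseif ($dbd -eq 1)                                         { 'Enabled only when explicitly requested' }
             elseif ($enabled -eq 'OS default' -and $dbd -eq 'OS default') { 'OS default' }
             else                                                        { 'Enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = $enabled; DisabledByDefault = $dbd; State = $state }
}

$report = foreach ($p in $protocols) {
    foreach ($s in 'Client', 'Server') { Get-SchannelState -Protocol $p -Side $s }
}
$report | Format-Table -AutoSize

# Anything below TLS 1.2 that is not explicitly disabled deserves a second look.
$report | Where-Object { $legacy -contains $_.Protocol -and $_.State -ne 'Disabled' } |
    ForEach-Object { Write-Warning "$($_.Protocol) $($_.Side) is '$($_.State)'" }
```

A reboot is required before Schannel picks up the new values, so run the audit after the reboot the script prompts for, not immediately after it finishes.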

 


Dual Boot on Windows 8.1

WinDualBoot

I remember the old days of spending hours trying to figure out how to dual boot Windows. With Windows 7 and 8 it is as simple as running a few commands from the command prompt. Follow along, out loud if you like, to create an entry in your current boot manager that lets you choose an OS to boot from, whether it be Windows, *nix or even 2 or 3 different physical HDDs.

Create a new boot loader using BCDEDIT

  1. In Windows 8, run command prompt as administrator (Right-click -> Run as Administrator)
    • PowerShell will not work for this task as written: it parses the braces in {current} as a script block. Use cmd.exe, or quote the braces ('{current}') if you must use PowerShell.
  2. Open DISKPART:
    • diskpart
  3. Display a list of all volumes:
    • list volume
  4. Determine which volume contains your Windows 7 installation and make a note of its Ltr (drive letter).
  5. Type EXIT to close DISKPART.
  6. Make a backup of your current boot manager:
    • bcdedit /export d:\bootmgrbak
      • To restore your original config, run the following:
        • bcdedit /import d:\bootmgrbak
  7. Run the below command to list your current boot configuration:
    • bcdedit
      • The first section is your bootmgr
      • The second is the 8.1 boot loader. We’ll make a copy of this section and modify it.
  8. Run the below to copy the {current} boot loader and create a second entry. Type or copy the below exactly as it appears… no need to modify any part of it unless you want a name other than ‘Windows 7’.
    • bcdedit /copy {current} /d "Windows 7"
      • /d sets the name for the copied config to what is in quotes and sets it as a boot menu choice.
  9. Now let’s modify the config to point to our other volume/drive:
    • bcdedit
      • Note that you now have a 3rd entry with its description set to ‘Windows 7’.
      • Copy the new entry’s ‘identifier’ string, braces included, use it in place of {xxx} in each command below, and replace e: with the drive letter you noted in DISKPART:
        • bcdedit /set {xxx} device partition=e:
        • bcdedit /set {xxx} osdevice partition=e:
        • bcdedit /set {xxx} systemroot \Windows
          • This is the same for 8 and 7 and is inherited from the copied entry, so you shouldn’t need to change it, but I’ve included it just in case.
        • bcdedit /set {xxx} path \windows\system32\boot\winload.exe
          • This is the same for 8 and 7 on a BIOS (legacy) install and is inherited from the copied entry. On a UEFI install the loader is winload.efi rather than winload.exe; check what the {current} entry’s path says and match it.

That’s it. Reboot and you should see the fancy new Windows 8 bootloader screen with a choice between Windows 8.1 or Windows 7.
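The steps above as one script, added here as an example and not part of the original post. It is PowerShell run from an elevated prompt, with the braces in {current} quoted so PowerShell does not read them as a script block; it backs up the store, copies {current}, pulls the new identifier out of bcdedit’s confirmation message instead of asking you to copy it by hand, and checks that the target volume really holds a loader the firmware can use before touching anything. $Letter and $Description are the assumptions to set for your machine; systemroot and path are left as inherited from the copied entry.

```powershell
# Added example (not from the original post): automate the bcdedit dual-boot
# steps. Assumptions: run elevated; $Letter is the volume with the other
# Windows install; $env:firmware_type (set by Windows 8+) tells BIOS from UEFI.
param(
    [string]$Letter      = 'E',
    [string]$Description = 'Windows 7'
)
$ErrorActionPreference = 'Stop'

$who = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $who).IsInRole(
               [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'bcdedit needs an elevated prompt.' }

# Refuse to create an entry that cannot boot: the loader matching the firmware must exist.
$loader = if ($env:firmware_type -eq 'UEFI') { 'winload.efi' } else { 'winload.exe' }
$target = "${Letter}:\Windows\System32\$loader"
if (-not (Test-Path $target)) { throw "No bootable Windows found at $target" }

# Step 6: back up the store first. Restore with: bcdedit /import <file>
$backup = "$env:SystemDrive\bootmgrbak-$(Get-Date -Format yyyyMMdd-HHmmss)"
bcdedit /export $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed ($LASTEXITCODE)" }

# Step 8: copy {current}. bcdedit answers with
# "The entry was successfully copied to {GUID}." so capture the GUID from that.
$msg = (bcdedit /copy '{current}' /d $Description) -join ' '
if ($msg -match '\{[0-9a-fA-F-]{36}\}') { $newId = $Matches[0] }
else { throw "Unexpected bcdedit output: $msg" }

# Step 9: point the copy at the other volume. systemroot and path were inherited.
bcdedit /set $newId device   "partition=${Letter}:" | Out-Null
bcdedit /set $newId osdevice "partition=${Letter}:" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed ($LASTEXITCODE); restore with bcdedit /import $backup" }

bcdedit /enum $newId
"Store backup: $backup"
```

Usage from an elevated PowerShell prompt: `.\Add-BootEntry.ps1 -Letter E -Description 'Windows 7'` (the file name is whatever you save it as). If the new entry does not boot, `bcdedit /import` of the printed backup path puts the store back exactly as it was.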

Avoid rebooting twice when you load the Windows 7 boot loader

If you choose Windows 7, your machine will reboot again to load the 7 boot loader. If you want to be able to make a choice without rebooting, run the following to change to the legacy boot screen… that old, familiar black and white, text-only screen. Once this is set to legacy, either choice will throw you straight into the selected OS without having to wait out another reboot and POST.

  • bcdedit /set "{current}" bootmenupolicy legacy
    • To reverse this, run the above, but replace ‘legacy’ with ‘standard’

Edit the timeout for the menu selection screen

  • From within Windows
    • Run msconfig from the command prompt or open Administrative Tools -> System Configuration.
    • Click on the Boot tab and set a timeout in seconds.
  • From an administrative command prompt:
    • bcdedit /timeout X
      • Substitute a time in seconds for X

Install Windows 8.1 From USB

Create a bootable Windows 8.1 USB installation disk via Diskpart. Simply simple.

NOTE: See end of post for a screenshot that sums up these steps. You can use it instead, just make sure to choose the correct disk so you don’t lose any data!

Prerequisites

  • Windows 8.1 ISO file or DVD
  • 4GB or larger USB stick
  • Whiskey (optional)

Get started

  1. Plug in your USB stick.
  2. In Windows 7 open an administrative command prompt (diskpart needs elevation).
  3. Run diskpart:
    • diskpart
  4. Determine which disk is your USB drive:
    • list disk
      • In the next step, make sure to choose your USB stick and not another volume that you need such as your boot volume.
  5. Select the USB drive:
    • select disk 1
      • Where ‘1’ is the number of your USB drive.
  6. Wipe the drive:
    • clean
  7. Create a partition:
    • create partition primary
  8. Select the partition:
    • select partition 1
  9. Make the new partition active:
    • active
  10. Format the partition:
    • format fs=ntfs quick
      • NTFS is fine for a BIOS/legacy boot. A machine booting in UEFI mode reads only FAT32 from the stick, so use format fs=fat32 quick there; that works as long as install.wim stays under FAT32’s 4 GB per-file limit, which stock 8.1 media does.
  11. Assign a drive letter:
    • assign
  12. Once you see the drive in Explorer you can copy the contents of the Windows ISO/DVD to your USB drive. You now have a bootable 8.1 USB stick. Installing from a class 10 USB stick to my Samsung 840 Pro SSD took about 7 minutes up to the time I was requested to name my installation. 🙂
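The one step in that list that destroys data is `select disk`, and the only protection the post offers is "make sure to choose your USB stick". The script below is an added example, not from the original post: it picks the disk by bus type instead of by number, refuses to continue if more than one USB disk is plugged in or if the chosen disk is the one Windows is running from, then feeds the post’s diskpart commands through `diskpart /s` and copies the media. Assumptions: an elevated prompt, exactly one USB disk attached, `$Source` pointing at the mounted 8.1 ISO or DVD, and the letter U: free.

```powershell
# Added example (not from the original post): build the 8.1 USB stick with the
# target disk chosen by bus type and guarded against wiping the system disk.
# Assumptions: elevated prompt, one USB disk present, U: unused, $Source is
# the mounted ISO or DVD.
param([string]$Source = 'D:\')

$usb = @(Get-WmiObject Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' })
if ($usb.Count -ne 1) { throw "Expected exactly one USB disk, found $($usb.Count). Unplug the rest." }
$disk = $usb[0]

# The disk behind %SystemDrive% is never a valid target, whatever the bus says.
$sysPart = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$env:SystemDrive'} " +
                                 "WHERE AssocClass=Win32_LogicalDiskToPartition")
if ($disk.Index -eq $sysPart.DiskIndex) { throw "Disk $($disk.Index) holds the running OS; aborting." }

Write-Host ("About to wipe disk {0}: {1}, {2} GB" -f $disk.Index, $disk.Model, [math]::Round($disk.Size / 1GB))
if ((Read-Host 'Type WIPE to continue') -cne 'WIPE') { return }

# The post's diskpart steps, with a fixed letter so the copy step knows where to go.
# Change ntfs to fat32 for a stick that has to boot in UEFI mode.
$script = @"
select disk $($disk.Index)
clean
create partition primary
select partition 1
active
format fs=ntfs quick
assign letter=U
exit
"@
$tmp = Join-Path $env:TEMP 'make-usb.txt'
Set-Content -Path $tmp -Value $script -Encoding ASCII
diskpart /s $tmp
Remove-Item $tmp

# /E copies empty directories too; /NFL /NDL keeps the console quiet.
robocopy $Source 'U:\' /E /NFL /NDL
```

Run it as `.\Make-Usb.ps1 -Source D:\` (file name is your choice) from an elevated PowerShell prompt; the WIPE confirmation is case-sensitive on purpose.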

 

diskpart


The Computer Chronicles on YouTube

Ah yes, whether you’re looking for the latest Pentium II chip, wanting to upgrade to more than 640K of memory or on the fence about buying Netscape Navigator or Communicator, The Computer Chronicles‘ YouTube channel has you covered.

What a marvelous waste of time these videos are! Not to mention nostalgic and just awe inspiring considering how far technology has come in so few years. Check out their video reviews of technologies like early Macs, DOS memory management software, OS2 Warp and so many other classic forgotten tech. Epic comb overs are sure to please as is a very promising technology called the world wide web.

Also, this guy…

Stewart Cheifet, host of The Computer Chronicles

 

Watch The Computer Chronicles

 

As a bonus I give you more quality 80’s TV!

Watch Monsters

Watch Tales From the Darkside

Watch 80’s and 90’s TV Commercials

Watch The Twilight Zone


IBM Connect:Direct Installation on Windows 2012 R2

Connect:Direct is such an easy installation and just a fun application to work with, so I’ve decided to detail my experience during a recent migration from version 4.5.0.1 to 4.6.01 on Windows 2012. Obviously, I’m being facetious. Connect:Direct is a mainframe FTP application that was ported to Windows similar to a console game ported to PC; it still has controls based upon a controller, but now you get to use a keyboard to control it. Yay.

 

PREREQUISITES

  • Configure a local or domain user and set it as an administrator on the host machine.
  • Login to the server with the new user.
  • Install Connect:Direct by running the installer as administrator.
    • Select Custom Setup.
    • Import the USER or NETMAP files at this time.
      • You can import these later instead via a CMD window by doing the following:
        • CD to the C:\Program Files (x86)\Sterling Commerce\Connect Direct v4.6.00\Server directory
        • Copy your map.cfg and user.cfg files here.
        • Run the following commands to import each cfg:
          • cdconfig /Q /I /Fmap.cfg
          • cdconfig /Q /I /Fuser.cfg
    • Configure a SMTP server if you have one.
    • Set the following files to run as administrator for all users by selecting Properties -> Compatibility -> Change settings for all users -> Run this program as an administrator

CONFIGURATION

  • Open CD Requester
  • There will be nothing configured.
  • Select Node -> Connection Settings -> Insert Node
  • Enter the new node’s name, select Windows as the Operating System, set its IP Address and check the Set as the default node option
  • Hit OK to populate the node in the Requester.
  • Right-click the node name -> Connection Settings -> Edit Userids
  • Click Insert
    • Name: <new admin user from prerequisites>
      • Check Remember password
    • Password: <password>
      • Check Set as the default user
  • Ok and close the window
  • Open Netmap and configure all nodes for 10 concurrent sessions or however many you need.
  • Initial configuration is complete.

CONFIGURE SECURE+

  • Open CD Secure+ Admin Tool
  • File -> Sync with Netmap
  • Select Add All
  • Skip the next step
  • You should now see all Netmap entries within the Secure+ Admin Tool list
  • Double-click .Local to open its properties
  • Under Security Options select Enable SSL Protocols and Enable Override
  • Under TLS/SSL Protocol
      • Browse to the directory with your CA (certificate authority) file and apply it to the Trusted Root Certificate File field
    • Browse to the directory with your host’s keyfile cert and apply it to the Key Certificate File field
    • Enable the following cipher suites (the four AES suites are the ones you actually want; the RC4, single-DES, 3DES and MD5 suites are obsolete and should only stay enabled for a partner node that cannot negotiate AES)
      • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • SSL_RSA_WITH_RC4_128_SHA
      • SSL_RSA_WITH_RC4_128_MD5
      • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      • SSL_RSA_WITH_3DES_EDE_CBC_SHA
      • SSL_DHE_RSA_WITH_DES_CBC_SHA
      • SSL_RSA_WITH_DES_CBC_SHA
    • Leave the following cipher suites disabled in the Available window
      • SSL_RSA_EXPORT_WITH_RC4_40_MD5
      • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
      • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
      • SSL_RSA_WITH_NULL_SHA
      • SSL_RSA_WITH_NULL_MD5
  • Click OK to save this entry
  • Now you must disable Secure+ on all other nodes that do not use it. Open each node and configure as Disable Secure+ and Enable Override.
  • Secure+ is configured
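Secure+ gives little useful feedback when the CA file and the key certificate do not belong together, and the cipher list above mixes current suites with obsolete ones. The script below is an added example, not from the post and not part of IBM’s product: it checks that the host certificate chains to the supplied CA file and nothing else, warns on imminent expiry, and flags every enabled suite that uses RC4, DES, 3DES, MD5, EXPORT or NULL. The paths are assumptions. The Key Certificate File normally bundles a private key, so point `$HostCertFile` at a copy holding only the certificate; the check needs no key.

```powershell
# Added example (not from the post, not IBM code): sanity-check the Secure+
# inputs before committing them. Assumed paths; $HostCertFile holds only the
# certificate, not the private key.
param(
    [string]$CaFile       = 'C:\CD\certs\ca.pem',
    [string]$HostCertFile = 'C:\CD\certs\hostcert.pem'
)
$x509 = 'System.Security.Cryptography.X509Certificates'
$ca   = New-Object "$x509.X509Certificate2" -ArgumentList $CaFile
$leaf = New-Object "$x509.X509Certificate2" -ArgumentList $HostCertFile

# Build a chain that trusts only the CA file we were handed, not the machine store.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$built = $chain.Build($leaf)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

if (-not $built) {
    $why = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain build failed: $why"
} elseif ($root.Thumbprint -ne $ca.Thumbprint) {
    Write-Warning "Host cert chains to '$($root.Subject)', not to the CA file supplied."
} else {
    "Host cert $($leaf.Subject) chains to $($ca.Subject); expires $($leaf.NotAfter)"
}
if ($leaf.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning 'Host certificate expires within 30 days.' }

# The post's enabled list, with the obsolete suites flagged by substring.
$enabled = 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',  'TLS_RSA_WITH_AES_256_CBC_SHA',
           'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',  'TLS_RSA_WITH_AES_128_CBC_SHA',
           'SSL_RSA_WITH_RC4_128_SHA',          'SSL_RSA_WITH_RC4_128_MD5',
           'SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA', 'SSL_RSA_WITH_3DES_EDE_CBC_SHA',
           'SSL_DHE_RSA_WITH_DES_CBC_SHA',      'SSL_RSA_WITH_DES_CBC_SHA'
$weak = 'EXPORT', 'NULL', 'RC4', 'MD5', '3DES', '_DES_'   # '_DES_' catches single DES but not AES or 3DES
foreach ($suite in $enabled) {
    $hit = @($weak | Where-Object { $suite -like "*$_*" })
    if ($hit.Count) { Write-Warning "$suite : obsolete ($($hit -join ', ')); keep only if a partner cannot do AES" }
    else            { "$suite : ok" }
}
```

Run it with the same two files you are about to browse to in the Secure+ Admin Tool; if the chain check fails here it will fail inside Connect:Direct as well, only with less explanation.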

CHANGE IP ADDRESS OF AN EXISTING NODE

You can change the IP address on a node, but you cannot change the node name without reinstalling Connect:Direct.

  • Modify Connect:Direct IP address:
    1. Select Start -> Programs -> Connect:Direct -> Admin Tools
    2. Stop the Connect:Direct service
    3. Right click on the Connect:Direct Node name and select Initialization Properties
    4. Go to the TCP/IP tab and correct the IP address for the API and Host
    5. Start the service
    6. Start CD Requester
    7. Highlight the Connect:Direct server
    8. Right click the node and select properties
    9. Type the new IP address and click OK
    10. Open Netmap
    11. Double click the local node name
    12. Correct the IP address and hit OK
    13. Right click in the Netmap window and select Apply.
    14. Select the local node and hit OK.
    15. Close Netmap.

LMT 16″ SPM With Bushnell TRS-25 Red Dot

I finally have a red dot for my AR! It makes it so much easier to shoot and enjoy. Having practiced with iron sights for the past 3 years, I figured it was time to move up to faster target acquisition with a red dot. The TRS-25 is cheap, but by no means a cheap product. It holds zero, has 10 levels of brightness and is tiny so as not to add too much weight. I went for a 1/3 cowitness instead of absolute. 1/3 cowitness seems to me be the most flexible with fixed sights. When and if I get flip up sights I will likely change to absolute.

lmt


MP-10 Prime, MP-21 Bumblebee, MP-22 Ultra Magnus!

Takara/Hasbro had a stellar year in 2014 with the likes of Masterpiece Bumblebee, Ultra Magnus (who is sitting dormant until my birthday in February!), Wheeljack, Prowl, Sideswipe… the list goes on. I happened to also snag the Asia reissue MP-10 Optimus Prime as well making it an amazing year for my collection.

Masterpiece Optimus Prime’s MP-10 incarnation is such an amazing figure and, to me, the holy grail of the Materpiece line. He is the best representation of the line so far, the one figure every collector should own. Bumblebee is a fan favorite and is at his best in this mold. Some say his yellow is too orange, but I think it’s very representative of his original color. He’s small and expensive, but worth having in your collection.

MP-22 Ultra Magnus remains in his box until my birthday. I can’t wait to open this guy! The box is massive and heavy. Unfortunately, until we move into a new house, I don’t have the space to really display him.

Transformers Gallery


Masterpiece Wheeljack

I welcomed the latest Takara Masterpiece figure Wheeljack to the family this weekend. This figure is one of the most articulate and detailed I have. Its G1 nods and attention to detail of the Lancia car are amazing. He is easily worth the price tag and anyone who was deprived of the original G1 toy owes it to themselves to get one.

Transformers Gallery


Exchange 2010 DAG Cluster Health Check

exchangelogo

I’ve created a few Powershell scripts to help with my DAG, but this one is a great assist when patching host machines. Save the below as a .ps1 file and run from within an Exchange Management Shell.

 

# This script relies on the Exchange cmdlets, so refuse to run outside the EMS
if (-not (Get-Command Get-DatabaseAvailabilityGroup -ErrorAction SilentlyContinue)) {
    throw "Run this from the Exchange Management Shell."
}
# Import the FailoverClusters PowerShell module
# Needed to run the get-clustergroup command
# Must run each time a new shell is opened
write-host "Importing FailoverClusters module, please wait..."
import-module failoverclusters
write-host
write-host "------------------------------------------"
# Lists the PAM server and any servers currently in maintenance
write-host -nonewline "PAM AND SERVERS IN MAINTENANCE..."
get-databaseavailabilitygroup -status | fl name,primaryactivemanager,serversinmaintenance
write-host "------------------------------------------"
# Lists server that owns the online cluster group
write-host -nonewline "CLUSTER GROUP OWNER..."
get-clustergroup | ? {$_.State -eq "online"} | fl name,ownernode,state
write-host "------------------------------------------"
# Lists where each database is currently mounted (-status is needed for mountedonserver)
write-host -nonewline "MOUNTED DATABASE LOCATION..."
get-mailboxdatabase -status | fl name,server,mountedonserver,mounted
write-host "------------------------------------------"
# Lists mailbox, mailbox copy and index status
write-host -nonewline "DATABASE INDEXING STATES..."
get-mailboxdatabasecopystatus *\* | fl name,activedatabasecopy,*index*
write-host "------------------------------------------"
# Lists status of replication between cluster servers
write-host "CLUSTER HEALTH..."
test-replicationhealth
write-host
write-host
write-host "------------------------------------------"
# Lists details of any queue with more than 5 messages
#write-host "QUEUE STATUS..."
#get-transportserver | get-queue | ? {$_.messagecount -gt 5}
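The script above shows you the state of the DAG; it still leaves you to decide whether a given node is safe to patch. The function below is an added example, not part of the post’s script: run from the Exchange Management Shell, it returns $true only when the named server holds no active copy, is not the Primary Active Manager, has every copy Healthy with a short replay queue and a healthy index, and passes Test-ReplicationHealth, and with -Evacuate it first moves active copies off the node. The server name and thresholds are assumptions.

```powershell
# Added example (not part of the post's script): go/no-go gate before patching
# one DAG member. Run inside the Exchange Management Shell. Assumptions: the
# replay-queue threshold of 10 and the server name used in the usage line.
function Test-SafeToPatch {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [switch]$Evacuate,
        [int]$MaxReplayQueue = 10
    )
    if (-not (Get-Command Get-MailboxDatabaseCopyStatus -ErrorAction SilentlyContinue)) {
        throw 'Run this from the Exchange Management Shell.'
    }
    $problems = @()

    if ($Evacuate) {
        # Move every active copy off this node; Exchange picks the best target.
        Move-ActiveMailboxDatabase -Server $Server -Confirm:$false | Out-Null
    }

    # 1. Nothing may still be active here, and every copy must be in good shape.
    foreach ($c in (Get-MailboxDatabaseCopyStatus -Server $Server)) {
        if ($c.ActiveCopy)                              { $problems += "$($c.DatabaseName) is still active on $Server" }
        if ('Healthy', 'Mounted' -notcontains $c.Status) { $problems += "$($c.Name): status $($c.Status)" }
        if ($c.ReplayQueueLength -gt $MaxReplayQueue)   { $problems += "$($c.Name): replay queue $($c.ReplayQueueLength)" }
        if ($c.ContentIndexState -ne 'Healthy')         { $problems += "$($c.Name): index $($c.ContentIndexState)" }
    }

    # 2. Do not take down the Primary Active Manager; move the cluster group first.
    foreach ($dag in (Get-DatabaseAvailabilityGroup -Status)) {
        $members = @($dag.Servers | ForEach-Object { "$_" })
        if ($members -contains $Server -and "$($dag.PrimaryActiveManager)" -ieq $Server) {
            $problems += "$Server is the PAM for $($dag.Name)"
        }
    }

    # 3. Every replication health check for this node must pass.
    foreach ($r in (Test-ReplicationHealth -Identity $Server | Where-Object { $_.Result -ne 'Passed' })) {
        $problems += "ReplicationHealth $($r.Check): $($r.Result)"
    }

    $problems | ForEach-Object { Write-Warning $_ }
    return ($problems.Count -eq 0)
}

# Usage (server name is an assumption):
# if (Test-SafeToPatch -Server EX01 -Evacuate) { 'EX01 is clear to patch' } else { 'Fix the warnings first' }
```

Call it once without -Evacuate to see what would block you, then with -Evacuate right before patching; it deliberately does not move the cluster group or put the server into maintenance, since those steps vary between sites.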