When we tried our first attempt to disable unsecure protocols, we run into an annoying problem on the servers that run SQL Server. After disabling all the outdated security protocols, we could no longer connect to our databases. The error message was no help at all: We had no other option than to postpone the …
The internet moves on and the next big thing that gets dropped is the support for older versions of TLS (Transport Layer Security). If you not already have done so, now would be a good time to check that your server understands TLS 1.2 and disable the older versions of TLS on your web servers. …
A few months ago, my co-worker Lukas run into a problem when he wanted to deploy code with pipelines in Azure DevOps. As a final step, he needed to restart the web server. That is no problem in an interactive session on the machine itself, you just add sudo in front of the command and …
Like all web servers, Microsoft’s Internet Information Server (IIS) sends its version number with every response: This information is in most cases no problem. However, hiding it may be a requirement because some security scanner mark it as a problem or your reports give you false positive results (like unsupported version while you have extended …
Most security scanners detect the activated OPTIONS method of HTTP/S and report them as a potential problem. This method can help an attacker to find out about your server configuration and offer a shortcut to other vulnerabilities. However, there are valid use cases to use the OPTIONS method, like for REST APIs or CORS. If …
Let’s Encrypt offers free SSL certificates to protect the traffic between your website and your visitors. Earlier this year I wrote about the hoops you need to jump through to use those certificates on Azure. This post shows you a way to use Let’s Encrypt certificates on your on-premises servers. The objective of Let’s Encrypt …
A few weeks ago, we run into a strange problem. We were in the middle of our Let’s Encrypt rollout, in which we create a dedicated certificate for each of our domains. Since we run multiple domains on a single web server with only one IP address, we need to activate SNI (Server Name Indication). …
There is always that one machine that you cannot upgrade on a current version because some dependencies outside of your control demand that specific configuration. You may postpone the inevitable, but one day you run out of luck. If your box is a web server, that day will come sooner than you think. Out of …
Group Policy is a feature of the Windows operating system that lets you define company-wide rules that are applied to all accounts and machines in an organisation. For example, your company can use a ruleset in a Group Policy Object (GPO) to prevent you from accepting third-party cookies in your browser or set the location …
Most web sites now use SSL. While this a great increase of security, there is one situation in which this is a bad thing: Connecting to a WiFi network that tries to add a login screen into the website you requested. This is not possible and without that login (and accepting the terms of service) …