Enable TLS 1.2 on Windows 7 & 8.

We’re in the process of developing a new Windows 8.1 SOE for a customer.  One of the things I looked at was Internet Explorer HTTPS transmission security.  Out of that, one of the things I recommend is enabling TLS 1.2.

TLS 1.2 – Configure Internet Explorer to use TLS 1.2 by default.
Transport Layer Security is how web browsers* communicate over the Internet.  The current version, TLS 1.2, has a number of security enhancements & protection mechanisms over previous versions.  Enabling it is not only a Microsoft recommendation, but a good thing.  Internet Explorer will fall back to older TLS versions if the web site doesn’t support TLS 1.2.

You can enable TLS 1.2 support via Group Policy or directly via Internet Explorer –> Internet Options –> Advanced –> Security.
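
An added example, not part of the original post: Internet Explorer stores the protocol checkboxes from the Advanced tab as a bitmask in the SecureProtocols registry value, and Group Policy writes the same value under the Policies key. The script reports which protocols are enabled and ORs in the TLS 1.2 bit; the registry paths and bit values are not from the post, and only the per-user (HKCU) locations are checked.

```powershell
# Added example (not from the original post). Works on PowerShell 2.0 and later.
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$Tls12     = 0x800

# Bit flags used in the SecureProtocols DWORD.
$Flags = @(
    @{ Name = 'SSL 2.0'; Bit = 0x008 },
    @{ Name = 'SSL 3.0'; Bit = 0x020 },
    @{ Name = 'TLS 1.0'; Bit = 0x080 },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = $Tls12 }
)

function Get-SecureProtocols([string]$Key) {
    # Returns the DWORD, or nothing when the key or value does not exist.
    $p = Get-ItemProperty -Path $Key -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($p) { [int]$p.SecureProtocols }
}

function Format-Protocols([int]$Mask) {
    # Turns a mask such as 0xA80 into "0xA80 (TLS 1.0, TLS 1.1, TLS 1.2)".
    $names = $Flags | Where-Object { $Mask -band $_.Bit } | ForEach-Object { $_.Name }
    '0x{0:X} ({1})' -f $Mask, ($names -join ', ')
}

$policy  = Get-SecureProtocols $PolicyKey
$current = Get-SecureProtocols $UserKey

if ($policy -ne $null) {
    # Group Policy owns the setting; changing the user value would have no effect.
    "Set by Group Policy: $(Format-Protocols $policy)"
} elseif ($current -eq $null) {
    # No stored value: IE is on its built-in default, so there is no mask to extend.
    'SecureProtocols is not set; tick "Use TLS 1.2" in Internet Options instead.'
} elseif ($current -band $Tls12) {
    "TLS 1.2 already enabled: $(Format-Protocols $current)"
} else {
    # OR the bit in so the older protocols IE falls back to stay as they were.
    $new = $current -bor $Tls12
    Set-ItemProperty -Path $UserKey -Name SecureProtocols -Value $new
    "Was $(Format-Protocols $current), now $(Format-Protocols $new)"
}
```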

How do I test that Internet Explorer is using TLS 1.2?

  1. https://cc.dcsec.uni-hannover.de/
    If the webpage reports under the “Further Information” heading that “This connection uses TLSv1.2 with …”, then you have enabled TLS 1.2.
  2. How’s My SSL?  If, under the Version heading, it says TLS 1.2, then you’re using TLS 1.2.

What about other web browsers?
No.  You’ll need to configure each web browser to support TLS 1.2.  Some have better TLS support than others.

How do I tell whether a website supports TLS 1.2?
Use SSL Configuration Checker to test the website.

What if my web host tells me to disable TLS 1.1 or TLS 1.2?
“Run!” would be my first thought.  Your web host is telling you that they are not interested in providing a secure website.

Security Advisory 2868725: Recommendation to disable RC4
Microsoft MSDN Blog – Support for SSL/TLS protocols on Windows
Disabling TLS/SSL RC4 in Firefox and Chrome
RC4 in TLS is Broken: Now What?
IE11 Automatically Makes Over 40% of the Web More Secure While Making Sure Sites Continue to Work
SSL Pulse – Survey of the SSL Implementation of the Most Popular Web Sites

* amongst other things.

The Microsoft “Ask the Performance Team” writes about WMI

And I am going to include the links here, because a) they are useful and b) they complement some of the posts I’ve written about WMI (Group Policy and WMI Filtering Slowness / The WMI Fix – which is better? / The WMI overflow error with getobject )

Ask the Performance Team:

Mid-week link roundup

Or “let’s dump all my open browser tabs out to a list”. 
ie.  this is what I’ve been working on today.

RC4 – related

TLS related

Account lockout related

Wireless Network Priority Setting in Windows 7 & 8

The Microsoft DLL Help Database – retired

Back in February 2010.  Used to use the DLL Help Database quite a bit back in the heady days of Windows 9x and NT4 SOE Development/Support.

I was reminded of it today when I read about SilverSeekKB.

DLL Help Database allowed you to look up a Microsoft DLL file to see what product that particular DLL version shipped with.

SilverSeekKB is kinda like that, but isn’t.

SilverSeekKB allows you to determine the latest available version of any Microsoft binary, which is handy to know.  It’s handy to know in case you’re searching for a new binary because:

  1. the current binary is causing a Blue Screen of Death, or
  2. you’ve been asked to apply a patch, and are wondering if that is the latest patch available.

There is also the “System Inspector” option, which allows you to scan a local system to see what later patches are available for installation.

Thank you for writing it, Julien Clauzel.

KB2918614 – Not only does it break MSI Repair.

“What the security bulletin doesn’t say is that the change in Windows Installer repair operations means that application repair attempts will be met with a User Account Control credential window each time. However, the credentials required are administrator access.”
Bug or Feature? KB2918614 Alters Windows Installer Behavior

Should your application install use Active Setup for, say, personal per-user settings, then this MS14-049 security patch causes a UAC prompt as well.

The current workaround, courtesy of happysccm, is as follows:

  1. Uninstall the application and reinstall it with the security update installed. (sourcehash file generated with security update)
  2. Manually copy the sourcehash file to c:\windows\installer folder. As the sourcehash file is generated based on the application files, the sourcehash file generated on computer A can be used on computer B.

Not scalable if, say, you have 500 packaged applications deployed to customers.

Saturday link roundup – the domain trust for a workstation

Had a question today on how to fix the “The trust relationship between this workstation and the primary domain failed” error on Windows 7.

It would appear in our case, that the Windows 7 Startup Repair is causing the trust relationship to break.  Some possible answers.

“The server application, source file, or item can’t be found, or returned an unknown error.  You may need to reinstall the server application.”

We had two cases of this error occur within a short time frame.

  1. “When I paste from Visio into Powerpoint, an error occurs.”
  2. “Clicking on a Visio diagram in a Powerpoint document, causes an error to occur.”

The solution was simple enough, and it was to re-register the Component Object Model provider, OLE32.dll.
regsvr32 c:\windows\system32\ole32.dll

6, 8 and 16 free, not-free, and online-backup solutions.

A backup of your information is only good if it is stored in a separate place, such as your office.  Or stored with a web Online Backup service.  This list last updated August 2014.

Local Backup, aka You Store It

Cobian Backup
Karen’s Replicator
Microsoft SyncToy v2
SyncBack Freeware Edition

BounceBack Ultimate
EMC Replistor
FileBack PC
Second Copy
Super Flexible File Synchronizer

Online Backup aka they store it

| Name | Free service? | Plans from | Free trial? | Paid for space | Maximum Limit? |
|---|---|---|---|---|---|
| BackBlaze | No | $5 | Yes | Unlimited | Unlimited |
| Carbonite | No | $59.95 (year) | Yes | Unlimited | Unlimited |
| Comodo Cloud | No | $80 (year) | Yes | 100GB | 500GB |
| CrashPlan | Yes | $3.96 | Yes | - | Unlimited |
| CrashPlan Pro | No | $396 (year) | Yes | - | Unlimited |
| DropBox | Yes, 2 GB | $10.99 | - | 100 GB | 500 GB |
| Egnyte | No | $96 (year) | Yes | 1 TB | Unlimited |
| Final-Byte | No | $7.95 | Yes | 5 GB | 100 GB |
| Gmail Sync | Yes, Unlimited | - | - | - | - |
| iDrive | Yes, 5GB | $37.12 (yearly) | No | 300 GB | 300 GB |
| Iron Mountain | No | <unknown> | No | <unknown> | <unknown> |
| Jungle Disk | No | $4 | No | 5 GB | Unlimited |
| Microsoft OneDrive | Yes, 15 GB | $1.99 | - | 100 GB | 1 TB |
| Mozy | Yes, 2 GB | $5.95 | - | 50 GB | ? |
| SOS Online Backup | No | $7.99 | No | Unlimited | Unlimited |
| SpiderOak | Yes, 2GB | $10 | - | 100 GB | Unlimited |

Me?  I use SyncBackSE with a collection of Western Digital and Seagate external hard drives.

Some notes, as of August 2014:

  • I last updated this list in January 2010, and the thing I’m impressed with is that all “Online Backup” providers are still around.
  • A number of Online Backup providers offer mobile device backup as well, which is useful for Smartphones and Tablets.
