Showing posts with label Windows2008. Show all posts

Thursday, 23 August 2012

McAfee HIPS breaks IIS when uninstalling

McAfee HIPS has proven to be more of a hindrance than help, so I've been going around uninstalling it.

Unfortunately this frequently breaks IIS in Windows 2008 (yes, really, in an "Enterprise" product!) and you end up with Error 503 messages when you try to access the website and event log messages:

The Module DLL C:\Windows\System32\inetsrv\HipIISEngineStub.dll failed to load.  The data is the error.


If you remove Host Intrusion Prevention (Host IPS) 8.0 from a Microsoft Server 2008 running with IIS 7.0, the ISAPI filter references are not removed from the IIS applicationHost.config file.


Edit the IIS 7.0 applicationHost.config file and remove the following configuration lines:

  1. Click Start, Run, type explorer and click OK.
  2. Navigate to: %windir%\system32\inetsrv\config
  3. Open the file applicationHost.config as Administrator for editing in Notepad.
  4. Edit the <globalModules> section and remove the following line:

    <add name="MfeEngine" image="%windir%\System32\inetsrv\HipIISEngineStub.dll" /> 
  5. Edit the <modules> section and remove the following line:

    <add name="MfeEngine" /> 
  6. After you have finished editing the applicationHost.config file, save the file, then restart the IIS server using iisreset or by restarting the system.
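
The same cleanup scripted in PowerShell, as an added example that is not part of the original post or of McAfee's instructions. The backup file name is an arbitrary choice; the XPath assumes the entries look exactly like the two lines quoted in steps 4 and 5.

```powershell
# Added example: remove the orphaned MfeEngine module entries from applicationHost.config.
# Run from an elevated 64-bit PowerShell prompt; a 32-bit process is redirected to
# SysWOW64 and would open a different copy of the inetsrv\config folder.
$config = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$backup = "$config.pre-hips-cleanup.bak"   # backup name chosen for this example

# Keep a copy so the edit can be rolled back if IIS refuses to start
Copy-Item -Path $config -Destination $backup -Force

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true            # keep the file's layout intact
$xml.Load($config)

# <add name="MfeEngine" .../> under <globalModules> and under every <modules> section
$xpath = "//globalModules/add[@name='MfeEngine'] | //modules/add[@name='MfeEngine']"
$found = @($xml.SelectNodes($xpath))       # materialise the list before removing nodes

foreach ($node in $found) {
    Write-Host "Removing: $($node.OuterXml)"
    [void]$node.ParentNode.RemoveChild($node)
}

if ($found.Count -gt 0) {
    $xml.Save($config)
    iisreset
} else {
    Write-Host 'No MfeEngine entries found; file left unchanged.'
}
```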

Tuesday, 6 September 2011

Microsoft seem to make every effort to hide the Google Search provider for IE9 - here's the direct link:

http://www.microsoft.com/windows/ie/searchguide/en-en/default.mspx#


Friday, 26 August 2011

Changing the default User and Computer OU

I like to keep my "Real" Users in a separate folder away from all the other system accounts. This ensures that only valid accounts are displayed if you use LDAP lookups for various applications (e.g. a network scanner).


Windows 2003 introduced a couple of new commands that allow you to change the default location:


Users:


   ReDirUsr "OU=RealUsers,DC=domain,DC=com"


Computers:


   ReDirCmp "OU=RealComputers,DC=domain,DC=com"


You need to run this on a Domain Controller, and you need the AD to be in Windows 2003 mode as a minimum.


As you want to ensure the path to the new directory is correct, I recommend Softerra LDAP browser (it's free) which allows you to connect to the AD with LDAP and copy object locations.


I hope this helps you out...please click on an advert to show your appreciation.

Tuesday, 16 August 2011

0x8007010b errors in Task Scheduler

Windows 7 and 2008 introduced a new, more comprehensive Task Scheduler.


While the "Create Task" button provides you with every option available, I could not run any tasks without the 0x8007010b error message.


It turns out that this error is caused by the "quotes" in the Start in field. The "Program/script" field needs quotes (if there is a space in the path to the file), but all quotes must be stripped from the "Start in (optional)" field.


It's counter-intuitive, but that's the way Microsoft wrote it.
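
To find every task on a machine that has this problem, the stored task definitions can be scanned for quotes in the working directory. This is an added example, not part of the original post; it assumes the standard task XML layout under %windir%\System32\Tasks.

```powershell
# Added example: list scheduled tasks whose "Start in" value contains quotes.
# Run elevated from 64-bit PowerShell; task definitions are XML files under System32\Tasks.
$taskRoot = Join-Path $env:windir 'System32\Tasks'
$ns = @{ t = 'http://schemas.microsoft.com/windows/2004/02/mit/task' }

Get-ChildItem -Path $taskRoot -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $file = $_
        # Each <Exec> action carries <Command> (Program/script) and <WorkingDirectory> (Start in)
        Select-Xml -Path $file.FullName -Namespace $ns -XPath '//t:Exec' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $startIn = $_.Node.WorkingDirectory
                if ($startIn -and $startIn.Contains('"')) {
                    New-Object PSObject -Property @{
                        Task    = $file.FullName.Substring($taskRoot.Length)
                        Command = $_.Node.Command
                        StartIn = $startIn
                    }
                }
            }
    } | Format-List Task, Command, StartIn
```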




Anyway, I hope this tip helps, and don't forget to click on the ads to show your appreciation :)

Monday, 4 April 2011

Setting up Exchange 2010 to relay

By default, Exchange 2010 is locked down to stop unauthenticated users sending out emails to the Internet.
This is very good practice, but sometimes you do want this functionality (for example I want my monitoring system to alert me by SMS which involves sending an email to the phone provider).


First, you're going to need a new internal IP address.. there might be ways around this, but this will minimise any security risks... you don't need another NIC, just add a second IP address to your existing one.


Once you have that set up, go to Server Config – Hub Transport:

Edit Default Receive Connector to only listen on the OLD IP address.

Then:  

Actions – New Receive Connector

Follow the wizard filling in the information:

Name: RelayConnector
Use: Custom

Local Network settings:
FQDN:

Remote Network Settings:

Then edit the new Receive Connector so nothing is ticked on the Authentication Tab

Then make sure Anonymous users is selected on the Permissions Groups tab


Once this is done, open up Exchange PowerShell and allow anonymous users to relay to any recipient using:

Get-ReceiveConnector RelayConnector | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

You should then be able to relay from your own subnet to external IPs.
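
The same connector built from the Exchange Management Shell, followed by an audit of which connectors allow anonymous relay, as an added example that is not part of the original post. The 192.0.2.x addresses are placeholders; limiting RemoteIPRanges to a single host is an assumption, since the post leaves the Remote Network Settings value blank.

```powershell
# Added example. Placeholder addresses (replace with your own):
$listenIP  = '192.0.2.10'   # the second IP added to the Exchange server
$relayHost = '192.0.2.50'   # the only machine allowed to relay, e.g. the monitoring system

# Custom connector bound to the new IP, no authentication offered, anonymous permission group
New-ReceiveConnector -Name 'RelayConnector' -Usage Custom `
    -Bindings "$($listenIP):25" -RemoteIPRanges $relayHost `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Same grant as in the post: anonymous sessions may submit mail for any recipient
Get-ReceiveConnector 'RelayConnector' |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Audit: every connector where anonymous senders may relay, and which clients can reach it
Get-ReceiveConnector | ForEach-Object {
    $connector = $_
    $grant = Get-ADPermission -Identity $connector.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
        Where-Object { -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') }
    if ($grant) {
        $ranges = ($connector.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
        New-Object PSObject -Property @{
            Connector      = $connector.Name
            Bindings       = ($connector.Bindings | ForEach-Object { $_.ToString() }) -join ', '
            RemoteIPRanges = $ranges
            # True means any client that can reach the binding can relay through it
            OpenToAll      = ($ranges -match '0\.0\.0\.0-255\.255\.255\.255')
        }
    }
} | Format-Table Connector, Bindings, RemoteIPRanges, OpenToAll -AutoSize
```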

I hope this tip helps you out... show your appreciation by clicking on an advert on the site.

Sunday, 3 January 2010

SharedView - a free alternative to Webex and GoToAssist from Microsoft


Having to support people in remote sites has its difficulties, especially when you need to take them through complex procedures.
Often, viewing the Remote Desktop is the only way to get the job done. Traditionally, this has been very expensive for companies, who need to purchase a license for each potential user of Webex/GoToAssist or whatever application they want to use. If you have five people in your Tech Support team you're looking at quite a bit of money.
Now, Microsoft have released a new free application that provides you that facility. In this article I will take you through how to use it.

Installing the Agent.
Both machines need to have the SharedView application installed, but only the initiator of the call needs to have a live.com account. If you are in a support organisation, you may want to set up a Windows Live ID with your business email address here. To install SharedView on your PC download the application here (3.2Mb).

Starting a session
The chances are that the other user doesn't have SharedView installed, but that's OK. Just fire up SharedView and, once you have logged in with your Live ID, click on "Start a new session".


You can use the "Copy instructions to the clipboard" or "Open a new e-mail message" buttons to send the other user the details, or tell them to go to https://joinsvw.sharedview.com/join.aspx and enter the Session Name and Password.
Then click on Start to commence the session.
You will be prompted when the other user connects.

Sharing the screen
Each user can choose to share a running application, or the whole desktop. To do this, just click on the SharedView toolbar at the top of the screen and select what you would like to share.



You can then request control by clicking on the "Request control" button. The end user will need to approve this before you will be able to make changes on their PC.



And that's it!

SharedView is simple, quick and comes from a trusted source.
Enjoy!

Wednesday, 2 December 2009

Windows 2008 Remote Desktop Gateway Woes (but finally fixed)

Windows 2008 Remote Desktop gateway is a great idea.
Instead of opening up multiple machines on your firewall to allow users to remote desktop in, RD gateway allows you to open up a single IP which then tunnels through to RDP servers inside of your network.
RDG uses a combination of RDRAP and RDCAP to verify who is allowed to use the gateway, and what servers they can connect to.

I had a situation where we needed to grant business Partners access to one of our servers but I didn't want them to be able to access any other network resources.
So I created a new user and put him in his own group. I also clicked the "Logon to" button and gave him access to the target server: TARGET
Then I granted that group access to TARGET with RDRAP.
I also added the user into the "Administrators" group on the TARGET machine.

But...
Something didn't work...
I could connect using RDP in the office with that username to the TARGET machine but not through the RD gateway. I kept getting logon error messages and was asked to re-enter the password.
After much headscratching it was found that it was the "Logon to" setting that was causing the problem.
RD Gateway will not work with a user with "Logon to" set. You can either delete the setting OR add in the client machine name.. yes.. really... the name of the PC you will be running the Remote Desktop Client from! It sounds crazy, but it definitely works, so hopefully you don't have to go through the same hoops I did to work it out.


Thanks go to the guys on the Windows Server Forums for helping me work this out.

If this post helped you out, please show your thanks by clicking on one of the adverts located on the page.