Activate Windows SMB Signing for PCI Compliance

Internal PCI scans are now reporting that file transfer protocols must be digitally signed. This is an automatic failing condition. A server is affected if it is included in your internal PCI scope and serves Windows File Shares.

Read More

Microsoft’s KB2992611 Critical SSL TLS Update Fiasco

Microsoft released KB2992611, MS14-066, a critical patch to address remote code execution schannel vulnerabilities, during the November 11, 2014 patch Tuesday.  Admins scrambled to install this zero-day update as the community feared “drive-by” attacks and many security agencies rated it as one of the most critical updates released by Microsoft.  Unfortunately, the patch broke...

Read More

Enable TLS in Browser for Poodle Vulnerability Fix

For users who see broken websites, they need to enable newer protocol support in their browsers. These end user instructions will fix broken websites and will secure them from POODLE:

Read More

Clear IIS Log Directories

IIS creates a new log directory for each site. Here is a script to delete Microsoft Windows IIS logs.

Read More

Windows CMD Script to Update Time Source

When prepping for a PCI audit, we often need to update locations where servers get their time.  PCI requires 2 time sources which when dealing with workgroup or DMZ machines, can be time consuming.  Copy this script to your hosts and run to maintain consistency across your infrastructure.   Echo # Time Source Update to pool.ntp.org and time.windows.com Echo # query current source and check...

Read More

Disable Remote Desktop Copy Paste

PCI DSS requires copy/paste be disabled in Microsoft Windows Remote Desktop Sessions and may need to be demonstrated to an onsite auditor.  The compliance requirement is that clipboard redirection be disabled for all servers that interact with cardholder data including web, app, and db hosts. Since many prod web hosts are workgroup machines in a DMZ (not joined to a domain) Group Policy Editor...

Read More