Tuesday, December 16, 2008

Meeting PCI Security Standard with IIS SSL

As a web development manager and network administrator, I've been asked by many of our clients to meet the PCI Security Standard. Since we are an MS shop and use IIS primarily, one common finding is the IIS/SSL protocol configuration not meeting the security standard. According to Microsoft, all SSL protocols and ciphers (including the ones with known vulnerabilities) are "enabled" by default. Hence, to meet the PCI Security Standard, these vulnerabilities must be addressed. Here's my own quick and dirty list of what must be disabled, based on various sources, for my own use:

1. Back up the registry first. See KB 322756 (http://support.microsoft.com/kb/322756/), How to back up and restore the registry in Windows.

2. Start->Run->Regedt32.

3. Navigate to each of the items in the following list. If the "Enabled" DWORD value is not there, you can safely create one by right-clicking the item, then "New->DWORD Value". Please remember that "0x00000000" means "FALSE" and "0xffffffff" means "TRUE". For example, setting the "Enabled" DWORD value to "0x00000000" means "Disabled", while "0xffffffff" means "Enabled" (yeah, I myself find it pretty confusing too.)

4. Here's the list of entries in the registry that should be disabled:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

5. Exit out of Registry Editor and reboot the computer.
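The same procedure as a script, added here as an example that is not part of the original post: it walks the SCHANNEL subkeys listed above, reports whether each is currently disabled, and (unless run with -AuditOnly or -WhatIf) creates the key if needed and sets its "Enabled" DWORD to 0. It assumes an elevated PowerShell session on the IIS host; the default key list is the one from the post, and the parameter names are my own.

```powershell
# Added example (not from the original post): audit, and optionally disable, the
# SCHANNEL protocols, ciphers and hashes listed above by setting their "Enabled"
# DWORD to 0. Assumes an elevated PowerShell session on the IIS host.
# Run with -AuditOnly first, then with -WhatIf, then for real; reboot afterwards.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Subkeys under SCHANNEL; the default list is the one from the post.
    [string[]]$SubKeys = @(
        'Protocols\PCT 1.0\Server', 'Protocols\PCT 1.0\Client',
        'Protocols\SSL 2.0\Server', 'Protocols\SSL 2.0\Client',
        'Ciphers\RC4 40/128', 'Ciphers\DES 56/56', 'Hashes\MD5',
        'Ciphers\RC2 40/128', 'Ciphers\RC4 56/128'
    ),
    [switch]$AuditOnly   # report the current state without writing anything
)

$base     = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$writable = -not [bool]$AuditOnly

foreach ($sub in $SubKeys) {
    $path = "$base\$sub"
    # The .NET registry API is used instead of New-Item/Set-ItemProperty because
    # cipher key names such as "RC4 40/128" contain a forward slash, which the
    # HKLM: drive provider treats as a path separator.
    $key = $hklm.OpenSubKey($path, $writable)
    $current = if ($null -ne $key) { $key.GetValue('Enabled', $null) } else { $null }

    # A missing key or value means the Windows default applies, i.e. still enabled.
    if ($null -eq $current)  { $state = 'absent (default: enabled)' }
    elseif ($current -eq 0)  { $state = 'disabled' }
    else                     { $state = 'enabled (0x{0:x8})' -f $current }
    Write-Output ('{0,-26} {1}' -f $sub, $state)

    if ($writable -and $PSCmdlet.ShouldProcess($path, 'Set Enabled = 0')) {
        if ($null -eq $key) { $key = $hklm.CreateSubKey($path) }
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    if ($null -ne $key) { $key.Close() }
}
```

Because the key list is a parameter, the same script can be re-run against an extended list when the standard changes; the audit output is also a convenient thing to keep as evidence of the setting on each server, since a key that is absent is not "off", it is simply at the default.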

(Disclaimer: The information is only based on the compilation of various sources on the Internet. I'm not employed by Microsoft and the information above should not be considered as official information. I will not bear any responsibility for any system crashes/damages/liability as a result of utilizing the above information. Please use at your own risk.)

Thursday, October 23, 2008

Seagate Drive Gone Bad? Don't worry. Here's the link to check your warranty

I've just seen my dear friend on Facebook saddened by a broken Seagate hard drive. The frustration is understandable, so here's my humble attempt to cheer him up a bit:

http://support.seagate.com/customer/warranty_validation.jsp

If nothing else, at least you would have a spare drive available for backup or whatever purpose suits you. I've personally RMAed a couple of Seagate hard drives in the past, and it seems Seagate is pretty good at shipping the replacements.

Just a personal tip to share with all Dell desktop users. Almost all the latest Dell Inspiron and Vostro models (possibly other lines too) already come with a SATA RAID configuration in the BIOS (not activated by default). For maximum data security, all it takes is 2 identical hard drives to form a RAID 1 array (e.g. 2 x 1TB). Yes, you may only get 1TB of storage out of 2 x 1TB hard drives, but it's 1TB of fully redundant data storage! So if 1 of the hard drives goes bad, your computer would still work with the remaining good one while you go back to the manufacturer (e.g. Seagate) and get your replacement hard drive (Seagate provides a 5-year warranty on most of their hard drives). Just some food for thought!!!

Cheers!!!

Tuesday, August 26, 2008

DELL Inspiron 530 Q6600 with 24" monitor $663 (Expired)

Repost from Slickdeals.net: (couldn't resist this deal myself and in for 1)

Sorry to disappoint you but the deal is now officially expired.

http://configure.us.dell.com/dellstore/config.aspx?oc=dddodg4&cs=19&dgvcode=ss&c=US&l=EN&m_1=CT545HN&m_3=2G2D&dgc=CJ&cid=7420&lid=0

Add the 24" E248WFP monitor with the 40% off monitor with desktop purchase deal (2 days left),
plus the 250 off 999 coupon V57X6FHK5Z$DLN;
it comes to a price of $663.00. Use DPA to save more.


SPEC:
PROCESSOR Intel Core 2 Quad Processor Q6600 (8MB L2 cache, 2.4GHz, 1066FSB)
OPERATING SYSTEM Genuine Windows Vista® Home Premium Service Pack 1
MONITOR 24 inch E248WFP Entry Widescreen Digital Flat Panel Monitor
MEMORY 2GB Dual Channel DDR2 SDRAM at 800MHz - 2 DIMMs
HARD DRIVE 500GB Serial ATA Hard Drive (7200RPM) w/DataBurst Cache™
OPTICAL DRIVE 16X DVD+/-RW Drive
VIDEO CARD Integrated Intel Graphics Media Accelerator 3100

Monday, August 11, 2008

SQL Server Backup and Recovery Models

http://www.mssqltips.com/tip.asp?tip=1219

I have never been able to figure out the mystery of why transaction log backups always failed until today. It's definitely a huge oversight on my part. Here is one good link on the recovery model of each system database in SQL Server:

http://msdn.microsoft.com/en-us/library/ms365937.aspx

To sum it up:

Master (Simple) - Okay to back up the database file but NOT the transaction log

Model (Full) - Full backup of both the database file and the transaction log

msdb (Simple) - Changing to the Full Recovery Model is highly recommended. Full backup of both the database file and the transaction log

tempdb (Simple) - The Simple Recovery Model is REQUIRED. You CANNOT back up the tempdb database.
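To turn the summary above into something that does not fail the way it describes, here is an added example (not code from the original post) of a backup pass that reads each database's recovery model from sys.databases, always takes a full backup, skips tempdb entirely, and only attempts a log backup where the model allows one. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a Windows-authenticated session with backup rights, and the instance name and backup folder given as parameters, which are placeholders.

```powershell
# Added example (not from the original post): run a backup pass that respects
# each database's recovery model, so a log backup is only attempted where it is
# possible. Assumes the SqlServer module (Invoke-Sqlcmd) and a session with
# backup rights on the instance; instance name and folder are placeholders.
param(
    [string]$ServerInstance = 'localhost',      # placeholder instance
    [string]$BackupDir      = 'C:\SQLBackups'   # placeholder folder
)

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'

# sys.databases exposes the recovery model of every database, system ones included.
$databases = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query @'
SELECT name, recovery_model_desc
FROM   sys.databases
WHERE  state_desc = 'ONLINE'
ORDER  BY name;
'@

foreach ($db in $databases) {
    $name  = $db.name
    $model = $db.recovery_model_desc

    # tempdb is recreated at every service start and cannot be backed up at all.
    if ($name -eq 'tempdb') {
        Write-Output "Skipping tempdb (recovery model $model, backup not supported)"
        continue
    }

    # Bracket-quote the identifier, doubling any ']' inside the name, and build
    # a file-system-safe base name for the backup files.
    $quoted = '[' + $name.Replace(']', ']]') + ']'
    $file   = Join-Path $BackupDir ('{0}_{1}' -f ($name -replace '[^\w\-]', '_'), $stamp)
    $bak    = "$file.bak"
    $trn    = "$file.trn"

    # A full backup is valid under every recovery model.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -QueryTimeout 0 -Query @"
BACKUP DATABASE $quoted TO DISK = N'$bak' WITH INIT, CHECKSUM;
"@
    Write-Output "Full backup of $name ($model) -> $bak"

    # A log backup is only possible under FULL or BULK_LOGGED. Under SIMPLE the
    # log is truncated automatically and BACKUP LOG raises an error, which is
    # exactly the failure a scheduled log backup of master or msdb produces.
    if ($model -eq 'SIMPLE') {
        Write-Output "  Log backup skipped: $name uses the SIMPLE recovery model"
        continue
    }
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -QueryTimeout 0 -Query @"
BACKUP LOG $quoted TO DISK = N'$trn' WITH INIT, CHECKSUM;
"@
    Write-Output "  Log backup of $name -> $trn"
}
```

One further condition to keep in mind: even under the FULL model, BACKUP LOG fails until at least one full backup of that database exists, which is why the script always takes the full backup before the log backup in the same pass.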

Hope this reminds and helps the ones who find the tips helpful! Cheers!

Monday, August 4, 2008

SQL Server 2005 Database Email setup and stored procedures

Here's a great article on how to set up Database Mail accordingly in SQL Server 2005:

http://www.mssqltips.com/tip.asp?tip=1438

And the T-SQL way to do it as well as a sample use of the sp_send_dbmail Stored Procedure:

http://www.dotnetspider.com/resources/19638-Sending-email-through-sql-server-stored-procedure.aspx

I personally find Database Mail on SQL Server 2005 a step forward from SQL Server 2000. It did away with the buggy MAPI mail profile and instead allows you to create Mail Profiles and multiple SMTP Accounts under each Mail Profile.

A Mail Profile is like an "umbrella" that may consist of one or more SMTP accounts. The Mail Profile name is also what is used in the sp_send_dbmail Stored Procedure to send e-mails.

SMTP account is the actual configuration of which SMTP server to use, the originator's e-mail address, etc.

One of the advantages of a Mail Profile is the ability to configure multiple SMTP accounts. This can be used as a "fail over": if the first SMTP account fails to send an e-mail for whatever reason, the second SMTP account is automatically used to send the same e-mail.

The sp_send_dbmail Stored Procedure also has some significant improvements and provides additional flexibility.

Finally, database developers are able to use a Stored Procedure to send e-mails directly from within a Scheduled Task or another Stored Procedure, instead of relying on external programs for sending e-mails.
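The profile/account structure described above, as an added example (not code from the original post or the linked articles): it creates one Mail Profile with two SMTP accounts, where the sequence number makes the second account the failover for the first, then sends a test message through sp_send_dbmail and polls the delivery status instead of assuming the send worked. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), sysadmin rights on the instance, and the SMTP hosts and addresses given as parameters, which are placeholders.

```powershell
# Added example (not from the original post): create a Database Mail profile with
# two SMTP accounts (second = failover), send a test message with sp_send_dbmail,
# and check its delivery status. Assumes the SqlServer module (Invoke-Sqlcmd),
# sysadmin rights, and placeholder host names / addresses.
param(
    [string]$ServerInstance = 'localhost',               # placeholder
    [string]$ProfileName    = 'AlertProfile',
    [string]$PrimarySmtp    = 'smtp1.example.local',     # placeholder
    [string]$BackupSmtp     = 'smtp2.example.local',     # placeholder
    [string]$FromAddress    = 'sqlalerts@example.local', # placeholder
    [string]$Recipient      = 'dba@example.local'        # placeholder
)

$setup = @"
-- Database Mail is off until its extended procedures are enabled.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Database Mail XPs', 1;    RECONFIGURE;

-- One profile: the "umbrella" named in every sp_send_dbmail call.
EXEC msdb.dbo.sysmail_add_profile_sp
     @profile_name = N'$ProfileName',
     @description  = N'Alerts from SQL Agent jobs and stored procedures';

-- Two SMTP accounts: each holds the server and the originator address.
EXEC msdb.dbo.sysmail_add_account_sp
     @account_name = N'$ProfileName-Primary', @email_address = N'$FromAddress',
     @display_name = N'SQL Alerts', @mailserver_name = N'$PrimarySmtp', @port = 25;
EXEC msdb.dbo.sysmail_add_account_sp
     @account_name = N'$ProfileName-Backup', @email_address = N'$FromAddress',
     @display_name = N'SQL Alerts', @mailserver_name = N'$BackupSmtp', @port = 25;

-- sequence_number orders the accounts inside the profile: Database Mail tries
-- 1 first and falls back to 2 if delivery through the first account fails.
EXEC msdb.dbo.sysmail_add_profileaccount_sp
     @profile_name = N'$ProfileName', @account_name = N'$ProfileName-Primary', @sequence_number = 1;
EXEC msdb.dbo.sysmail_add_profileaccount_sp
     @profile_name = N'$ProfileName', @account_name = N'$ProfileName-Backup',  @sequence_number = 2;
"@
Invoke-Sqlcmd -ServerInstance $ServerInstance -Database msdb -Query $setup

# Send a test message; the mailitem_id output lets us look up the outcome.
$send = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database msdb -Query @"
DECLARE @id INT;
EXEC msdb.dbo.sp_send_dbmail
     @profile_name = N'$ProfileName',
     @recipients   = N'$Recipient',
     @subject      = N'Database Mail test',
     @body         = N'Sent from sp_send_dbmail via the $ProfileName profile.',
     @mailitem_id  = @id OUTPUT;
SELECT @id AS mailitem_id;
"@

# Delivery is asynchronous (the message is queued to the external DatabaseMail
# process), so poll the status view for a short while rather than assume success.
$status = $null
foreach ($i in 1..10) {
    Start-Sleep -Seconds 3
    $status = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database msdb -Query @"
SELECT sent_status FROM msdb.dbo.sysmail_allitems WHERE mailitem_id = $($send.mailitem_id);
"@
    if ($status.sent_status -ne 'unsent') { break }
}
Write-Output "Mail item $($send.mailitem_id): $($status.sent_status)"
```

A status of 'failed' or 'retrying' means neither account delivered; the reason is recorded in msdb.dbo.sysmail_event_log, which is the first place to look when a job that relies on sp_send_dbmail goes quiet.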

Hopefully you would find this article a bit helpful! I welcome any comments and questions alike. I would also continue to modify this post as I dig deeper in Database Email and Stored Procedure in SQL Server 2005.

Cheers! Thanks for reading!

Thursday, July 31, 2008

Obama and McCain Tax Proposals

For those of you who care:

http://www.washingtonpost.com/wp-dyn/content/story/2008/06/09/ST2008060900950.html

Saturday, May 10, 2008

3rd Commandment - Do not misuse God's name! (2 King 5)

Out of the 10 Commandments, I used to consider the 3rd one to be very easy: simply restricting myself from swearing or misusing God's or Jesus' name would do the trick. Little did I know that there's a much deeper implication than these superficial acts of obedience. Thank God that He revealed it to me through one of the sermons recently.

2 Kings 5 is about Naaman being healed of leprosy (a terminal skin disease back in the old days). I've studied this passage several times and gotten familiar with Elisha, the servant girl, even the king... but I really wasn't paying attention to Naaman until I listened to the sermon at Sunset Church. The pastor pointed out that verse 11 is a classic example of breaking the 3rd Commandment - Do not misuse God's name:

9 So Naaman went with his horses and chariots and stopped at the door of Elisha's house. 10 Elisha sent a messenger to say to him, "Go, wash yourself seven times in the Jordan, and your flesh will be restored and you will be cleansed."

11 But Naaman went away angry and said, "I thought that he would surely come out to me and stand and call on the name of the LORD his God, wave his hand over the spot and cure me of my leprosy. 12 Are not Abana and Pharpar, the rivers of Damascus, better than any of the waters of Israel? Couldn't I wash in them and be cleansed?" So he turned and went off in a rage.


One would probably think that Naaman was being unreasonable. But if we dig deep into verse 11, what Naaman was expecting would seem humanly "reasonable", as Naaman's expectation actually resembled how Jesus and other prophets cured diseases in the past. What actually went wrong?

The root problem is what I would call "spiritual fantasy", a state where a person paints a "spiritual" picture of how things should work according to this person's own or others' "spiritual" experience. For Naaman, his "spiritual fantasy" of the healing of leprosy is "I thought that he would surely come out to me and stand and call on the name of the LORD his God, wave his hand over the spot and cure me of my leprosy." When God's answer via Elisha (verse 10) contradicted Naaman's "spiritual fantasy", Naaman got angry and refused to obey.

Did Naaman get cured by his "spiritual fantasy" way? No. Naaman got cured when he finally obeyed God's command:

"14 So he went down and dipped himself in the Jordan seven times, as the man of God had told him, and his flesh was restored and became clean like that of a young boy."

Our pastor pointed out that we Christians, like Naaman, are often forming and dwelling in our own "spiritual fantasies", and are equally frustrated at God when God's answers are in contrast with our predetermined expectations. As a result, we miss out on a lot of God's blessings due to our disobedience and pride.

I've given "spiritual fantasy" some thought and come up with some ways to identify it in our lives:

-Is this "spiritual fantasy" in line with the God I know from the Bible?
-Are there things/actions in this "spiritual fantasy" that directly contradict the Scripture?

Consider the following scenarios:

-A young Christian college student claims that "God could only prove His care for me if He helps me get an A out of this class", despite the fact that this student missed half of the classes as well as the assignments and failed the midterm and final exam.

-A desperate homeowner who's facing foreclosure claims that "God could only prove His care for me if He helps me to pay my mortgage payment and avoid foreclosure", despite the fact that this homeowner was dishonest about his income when he applied for the mortgage for this house.

-A church leader chooses to remain silent while other church leaders are committing premarital sex and adultery, bearing false witness (lying) and attacking each other in church ministries, all in the name of "keeping the unity of the church because the unity of the church pleases God".

Which of the above are actually biblical? Which ones of the above are "spiritual fantasies"?

By now we should realize we are breaking the 3rd commandment many more times than we could have imagined. Could you identify any "spiritual fantasy" in your life or the lives of others? Let's all repent and go back to the Bible and obey His words. Remember what Jesus says in John 15:

10 If you obey my commands, you will remain in my love, just as I have obeyed my Father's commands and remain in his love.

14 You are my friends if you do what I command.

A humble sharing from a brother in Christ

Thursday, May 8, 2008

A Fun Way to Practice Your Typing Skill

Just found this site today and have tried it myself. The idea is simple yet very, very addictive (you have been warned!):

http://play.typeracer.com/

Enjoy!

Monday, April 7, 2008

Fw: Giving Up on Someone Who Doesn't Deserve Your Love - 袁彌明 - Sudden Weekly No. 662

How can you make yourself give up on someone who isn't worth loving?

First, don't crave an answer. Don't keep asking yourself why he doesn't love you or why he betrayed you. Blaming yourself over and over because you can't get an answer from him only hurts you. People, women in particular, are prone to wallowing in the role of the victim, soaking up sympathy and pity and refusing to face reality.
Second, don't idealize that person. Don't mistake a tragic ending for a grand, soul-stirring love story, or mistake this person for the love of your life.
Third, forgive the person who hurt you. If you don't forgive, you stay resentful, feeling that he owes you a debt he never repaid, and you become stubborn.
Withdrawing from a relationship is as hard as kicking a drug habit: the more harmful something is, the more tempting it is, and only your own resolve and endurance will get you through. Once the addiction has faded, the sky is wide open again. You may have heard the story of 孟敏 dropping the earthenware pot. 孟敏 was carrying a pot on his back, lost his grip, and the pot fell and shattered; he walked on without looking back. The famous scholar 郭林宗 saw this and asked him about it, and he answered: "The pot is already broken; what good does looking at it do?" Learn from 孟敏's ease in letting go of a mishap, and don't waste time on useless regret.
The cover of 亦舒's novel 《忘記他》 reads: "Many women who have healed in body and mind, on seeing the man who once made them cry, are astonished and ask themselves in disbelief: really, this is the one? How could that be?" That is so often the unspoken thought years later, on running into the man you once couldn't let go of. Looking back, the tears you shed have long returned to dust, and that person was nothing more than a passer-by in your life who could just as well never have been there.