Windows Services not starting (Event ID 7000/7009)

If you have run into the situation where some Windows services do not start after a restart (usually after the system has installed updates), the cause is often logged as Event ID 7000/7009. This means that the service did not connect to the Service Control Manager (SCM) within the default 30-second timeout. The fix is to increase the default service timeout period:

Click the Start button, then click Run, type regedit, and click OK.

  1. In the Registry Editor, open the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
  2. In the details pane, locate the ServicesPipeTimeout entry, right-click it and then select Modify.
     Note: If the ServicesPipeTimeout entry does not exist, create it by selecting New on the Edit menu, then DWORD Value, typing ServicesPipeTimeout, and pressing Enter.
  3. Click Decimal, enter the new timeout value in milliseconds (60000 means 1 minute), and then click OK.
  4. Restart the computer.
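The same change scripted in PowerShell, as an added example that is not part of the original post: it first lists the recent 7000/7009 events so you can confirm a timeout is really what stopped the service, then creates or updates the ServicesPipeTimeout DWORD and reads it back. The 60000 ms value and the seven-day lookback window are assumptions; run it from an elevated session.

```powershell
# Added example (not from the original post). Run as Administrator.
# The 60000 ms value and the 7-day lookback window are assumptions.

$key       = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name      = 'ServicesPipeTimeout'
$timeoutMs = 60000   # 1 minute; SCM uses 30000 ms when the value is absent

# Which services logged 7000 (failed to start) or 7009 (timeout waiting for
# the service to connect) in the last 7 days? Confirms the diagnosis first.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009
    StartTime    = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap

# Create the DWORD if it is missing, otherwise update it (same as the regedit steps).
$existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $key -Name $name -Value $timeoutMs -PropertyType DWord | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value $timeoutMs
}

# Read the value back. A reboot is still required before SCM uses the new timeout.
"ServicesPipeTimeout is now {0} ms" -f (Get-ItemProperty -Path $key -Name $name).$name
```

If the event list shows the same service timing out after every reboot even with a generous timeout, the service itself is hanging during startup and the registry value is only masking that; check that service's own log rather than raising the timeout further.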

IIS permissions and authentication mechanisms

Application Pool Identity – An application pool identity allows you to run an application pool under a unique account without having to create and manage domain or local accounts. The name of the application pool account corresponds to the name of the application pool (e.g. IIS APPPOOL\DefaultAppPool). This is the account that IIS will use to access the application folder.

By default the Application Pool Identity is a member of IIS_IUSRS group and Users Group.

When configuring the permissions for an application folder it is recommended to disable inheritance of permissions so that accounts and groups (eg. Users, TrustedInstaller) are not automatically given permissions on that folder.
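One way to apply this recommendation with PowerShell, as an added example that is not part of the original post: it disables inheritance on the application folder, discards the inherited entries (so Users and similar groups drop off), and grants only Administrators, SYSTEM and the application pool identity explicit rights, with the pool limited to read and execute. The pool name and folder path are assumptions; the pool must already exist on the server so that the IIS APPPOOL\name identity resolves.

```powershell
# Added example (not from the original post). Run as Administrator on the IIS
# server. $poolName and $appPath are assumptions.

$poolName = 'DefaultAppPool'
$appPath  = 'C:\inetpub\MyApp'
$identity = "IIS APPPOOL\$poolName"   # resolves only where the pool exists

$acl = Get-Acl -Path $appPath

# Stop inheriting from the parent folder; $false = do not keep the inherited
# entries as explicit ones, so Users/TrustedInstaller etc. are removed.
$acl.SetAccessRuleProtection($true, $false)

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Re-add only the principals the folder actually needs.
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Right = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Right = 'FullControl' },
    @{ Id = $identity;                Right = 'ReadAndExecute' }   # no write for the pool
)
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Right, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $appPath -AclObject $acl

# Verify: every remaining entry should be explicit (IsInherited = False).
(Get-Acl -Path $appPath).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```

If the application needs a writable location (uploads, logs), grant Modify on that specific subfolder to the pool identity rather than widening the rights on the whole application root.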

1) Anonymous

When you enable Anonymous authentication, IIS does not use any other authentication schemes unless NTFS permissions deny access to a resource.

By default IIS will use the Application Pool Identity to access the application folder, but you can also use a custom Windows account, which must then be given NTFS permissions to the application folder.

2) Basic

Requires the creation of individual Windows accounts for each user. It is insecure unless used over SSL/TLS, which impacts performance.

3) Digest

When a client attempts to access a resource requiring Digest authentication, IIS sends a challenge to the client to create a digest and send it to the server. The client concatenates the password with data known to both the server and the client. The client then applies a digest algorithm (specified by the server) to the combined data. The client sends the resulting digest to the server as the response to the challenge. The server uses the same process as the client to create a digest, using a copy of the client’s password that it obtains from Active Directory, where the password is stored using reversible encryption.

One of the downsides of Digest Auth is that it requires storing of passwords in cleartext using reversible encryption for all domain accounts in Active Directory that will use this type of authentication.

Digest authentication is only a slight improvement over Basic authentication. In the absence of SSL/TLS, an attacker could record the communication between the client and server and then use that recording to replay the transaction.

4) Windows authentication

Integrated Windows authentication can use either NTLM or Kerberos authentication.

If Internet Explorer recognizes the Negotiate header, it will choose it because it is listed first. When using Negotiate, the browser will return information for both NTLM and Kerberos. At the server, IIS will use Kerberos if both the client (browser) and server (IIS) are members of the same domain or trusted domains. Otherwise, the server will default to using NTLM.

If Internet Explorer does not understand Negotiate, it will use NTLM.
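An audit script for the four schemes described above, as an added example that is not part of the original post: for every site on the local IIS server it reports which authentication modules are enabled, whether the site requires SSL, and the order of the Windows authentication providers (Negotiate should be listed before NTLM, as described above), and it flags Basic or Digest enabled on a site that does not require SSL. It assumes the WebAdministration module is available and the session is elevated.

```powershell
# Added example (not from the original post). Requires the WebAdministration
# module and an elevated session on the IIS server.

Import-Module WebAdministration

$schemes = 'anonymousAuthentication', 'basicAuthentication',
           'digestAuthentication', 'windowsAuthentication'

# Get-WebConfigurationProperty returns either a raw value or an attribute
# object with a .Value, depending on the attribute; normalise both cases.
function Get-ConfigValue($filter, $propertyName, $psPath) {
    $raw = Get-WebConfigurationProperty -Filter $filter -Name $propertyName -PSPath $psPath
    if ($null -ne $raw -and $raw.PSObject.Properties['Value']) { return $raw.Value }
    return $raw
}

foreach ($site in Get-Website) {
    $psPath = "IIS:\Sites\$($site.Name)"
    $state  = [ordered]@{ Site = $site.Name }

    foreach ($scheme in $schemes) {
        $filter  = "system.webServer/security/authentication/$scheme"
        $enabled = Get-ConfigValue $filter 'enabled' $psPath
        $state[($scheme -replace 'Authentication$', '')] = [bool]$enabled
    }

    # sslFlags contains 'Ssl' when the site requires HTTPS.
    $sslFlags = Get-ConfigValue 'system.webServer/security/access' 'sslFlags' $psPath
    $state.RequireSsl = ("$sslFlags" -match 'Ssl')

    # Provider order: IIS offers them to the browser in this order.
    $providers = Get-WebConfigurationProperty `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/providers' `
        -Name Collection -PSPath $psPath
    $state.Providers = ($providers | ForEach-Object { $_.value }) -join ','

    $state.Warning = if (($state.basic -or $state.digest) -and -not $state.RequireSsl) {
        'Basic/Digest enabled without SSL: credentials exposed on the wire'
    } else { '' }

    [pscustomobject]$state
}
```

Run it before and after changing the authentication settings; the Warning column directly reflects the caveat in the Basic and Digest sections above.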

NTLM

NTLM is a Windows integrated authentication protocol that leverages the interactive use of a login box that requires the end user to input their network credentials manually. Those credentials include the user's username, password and domain name if logging into an organization's domain. Because it is Windows integrated, NTLM also supports SSO. When using NTLM it is not required to have direct access to the domain controller.


Fix unbootable windows system

First you will need a DVD with the Windows OS. After you boot from the DVD, click the “Repair your computer” link and then open the Command Prompt.


After you open the Command Prompt enter the following commands:

diskpart
list disk
select disk 0
list partition
select partition 1
active

NOTE: The selected partition must be the partition on which the OS is installed. In order to mark a partition as “active” the disk must be MBR, so if you have a GPT disk you must first convert it to MBR (use Aomei Partition Assistant).
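A pre-check for the two conditions in that note, as an added example that is not part of the original post: from the recovery Command Prompt you can start PowerShell (type powershell) and run this to see whether the disk is MBR or GPT and which partition actually holds the Windows installation, before running diskpart's active command against the wrong one. Disk number 0 is an assumption, and the script assumes the Storage module (Get-Disk, Get-Partition) is available in the recovery environment.

```powershell
# Added example (not from the original post). Assumes the Storage module is
# available in the recovery environment; $diskNumber is an assumption.

$diskNumber = 0
$disk = Get-Disk -Number $diskNumber
"Disk {0}: {1}, PartitionStyle={2}" -f $disk.Number, $disk.FriendlyName, $disk.PartitionStyle

$parts = Get-Partition -DiskNumber $diskNumber | Sort-Object PartitionNumber
$parts | Select-Object PartitionNumber, DriveLetter, Type, Size, IsActive, IsBoot, IsSystem |
    Format-Table -AutoSize

if ($disk.PartitionStyle -ne 'MBR') {
    "Disk $diskNumber is $($disk.PartitionStyle): diskpart's 'active' does not apply; " +
    "convert to MBR first, as the post describes, or repair the EFI boot files instead."
    return
}

# The 'active' flag belongs on the partition that holds \Windows; find it by
# looking for the Windows loader on each partition that has a drive letter.
$os = $parts | Where-Object {
    $_.DriveLetter -and (Test-Path "$($_.DriveLetter):\Windows\System32\winload.exe")
}

if ($os) {
    "OS partition is {0} (drive {1}:). In diskpart: select disk {2}, select partition {0}, active" -f `
        $os.PartitionNumber, $os.DriveLetter, $diskNumber
    if ($os.IsActive) { 'That partition is already marked active; the boot problem is elsewhere.' }
} else {
    "No partition on disk $diskNumber contains \Windows; check the other disks with Get-Disk."
}
```

Drive letters inside the recovery environment often differ from the ones the installed system uses (the OS volume is frequently D: rather than C:), which is why the script locates Windows by file rather than by letter.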


Sharepoint 2013 Architecture

1. Logical Architecture

Sharepoint 2013 Logical Components:

  • Farm – the highest level boundary.
  • Service Applications – provide different functionalities to Web Application; they can be shared between Web Applications and even between Farms.
  • Application Pools – help isolate Web Applications; provide a security and resource boundary between Web Applications.
  • Web Applications – an IIS Website; can have one or more content databases.
  • Site Collections – a boundary within a Web Application.
  • Sites – sites that you create in a Web Application are stored in the content database. You can use Central Administration to see and manage them.
  • Apps – Lists, Libraries, Items


SQL Server Security

1. Logins & Server Roles

  • Logins and Server Roles define users and permissions at the Instance level.
  • Server Role permissions cannot be seen through the user interface; to list them you need to execute:
sp_srvrolepermission
  • If you want to grant or deny a specific permission on a database to a user you can use the following command:
USE [database]
GO
DENY ALTER TO [domain\user]
GO

NOTE: Deleting the Logins won’t delete the Users at the database level. This will result in orphaned Users.
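A way to find the orphaned users that note warns about, as an added example that is not part of the original post: it runs a T-SQL query over sys.database_principals and sys.server_principals to list database users whose SID has no matching login, then prints the ALTER USER statement that re-links each one to a login of the same name where such a login exists. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) is installed; the instance and database names are assumptions.

```powershell
# Added example (not from the original post). Requires the SqlServer module;
# $instance and $database are assumptions.

Import-Module SqlServer

$instance = 'localhost'
$database = 'MyDatabase'

# SQL users (type S) and Windows users (type U) mapped to a login
# (authentication_type 1 = INSTANCE, 3 = WINDOWS) whose SID no longer exists
# at the instance level. Built-in users and contained users are excluded.
$query = @"
SELECT dp.name AS UserName, dp.type_desc AS UserType
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON dp.sid = sp.sid
WHERE dp.type IN ('S', 'U')
  AND dp.authentication_type IN (1, 3)
  AND dp.name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys')
  AND sp.sid IS NULL;
"@

$orphans = Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query $query

if (-not $orphans) { 'No orphaned users found.'; return }

foreach ($u in $orphans) {
    # A login with the same name may exist with a different SID (typical after
    # restoring the database on another instance); re-map by name in that case.
    $safeName = $u.UserName -replace "'", "''"
    $login = Invoke-Sqlcmd -ServerInstance $instance `
        -Query "SELECT name FROM sys.server_principals WHERE name = N'$safeName';"

    if ($login) {
        "ALTER USER [$($u.UserName)] WITH LOGIN = [$($login.name)];"
    } else {
        "-- $($u.UserName) ($($u.UserType)): no login with this name; create one or DROP USER [$($u.UserName)];"
    }
}
```

The script only prints the statements; review them and run them in the target database yourself, since re-linking a user to a login with the same name silently grants that login whatever the old user could do.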