Helpforsure

Microsoft Windows Experts

HowTo: Disable Internet Protocol version 6 (IPv6) components in Windows Vista & 2008, Windows 7 & 2008 R2 and Windows Small Business Server 2008 & 2011 April 27, 2011


This article describes step-by-step instructions for how to disable certain Microsoft Internet Protocol version 6 (IPv6) components in Windows Vista & 2008, Windows 7 & 2008 R2 and Windows Small Business Server 2008 & 2011. To disable IPv6 components, you must be logged on to the computer as a member of the Administrators group.

To disable certain IPv6 components yourself, follow these steps:

Launch Registry Editor and locate the DisabledComponents value under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\

Note: If the value does not exist, you must create it.

Name: DisabledComponents

Type: DWORD (32-bit) Value

Type any one of the following values to configure the IPv6 protocol:

  • Type 0 to enable all IPv6 components (the value 0 is the default setting).
  • Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface. This value also configures Windows Vista to use Internet Protocol version 4 (IPv4) instead of IPv6 in prefix policies.
  • Type 0x20 to use IPv4 instead of IPv6 in prefix policies.
  • Type 0x10 to disable native IPv6 interfaces.
  • Type 0x01 to disable all tunnel IPv6 interfaces.
  • Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface.

Note: Using a value other than 0x0 or 0x20 will cause the Routing and Remote Access service to fail after this change goes into effect.

You must restart your computer for these changes to take effect.
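The procedure above, scripted in PowerShell as an added example (this is not code from the original post). It reads the current DisabledComponents value, decodes the documented bit flags, and only writes values the post lists, warning when the chosen value will break Routing and Remote Access. The registry path and flag meanings are taken from the post; the function names are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): inspect and set the DisabledComponents value.
$script:Tcpip6Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$script:ValueName  = 'DisabledComponents'

# Individual bits as documented in the post (0xffffffff sets all of them and more).
$script:Flags = @(
    @{ Bit = 0x01; Meaning = 'all tunnel IPv6 interfaces disabled' },
    @{ Bit = 0x10; Meaning = 'native IPv6 interfaces disabled' },
    @{ Bit = 0x20; Meaning = 'IPv4 preferred over IPv6 in prefix policies' }
)

# The only values the post documents; anything else is refused.
$script:DocumentedValues = @(0x0, 0x01, 0x10, 0x11, 0x20, [uint32]::MaxValue)

function ConvertTo-DwordValue([long]$Value) {
    # PowerShell parses 0xffffffff as the Int32 -1, so accept both the signed and the
    # unsigned spelling and normalise to an unsigned 32-bit number.
    if ($Value -lt 0) { $Value += 4294967296 }
    if ($Value -gt [uint32]::MaxValue) { throw "Value $Value does not fit in a DWORD." }
    [uint32]$Value
}

function Get-Ipv6DisabledComponents {
    # Registry DWORDs surface as signed Int32, so reinterpret the raw bits as UInt32.
    $item = Get-ItemProperty -Path $script:Tcpip6Path -Name $script:ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [uint32]0 }   # value absent: default of 0, all components enabled
    [BitConverter]::ToUInt32([BitConverter]::GetBytes([int32]$item.DisabledComponents), 0)
}

function Show-Ipv6DisabledComponents {
    $current = Get-Ipv6DisabledComponents
    Write-Host ('Current DisabledComponents: 0x{0:x}' -f $current)
    if ($current -eq 0) { Write-Host '  all IPv6 components enabled (default)'; return }
    foreach ($f in $script:Flags) {
        if (($current -band $f.Bit) -ne 0) { Write-Host ('  0x{0:x2}: {1}' -f $f.Bit, $f.Meaning) }
    }
}

function Set-Ipv6DisabledComponents {
    param([Parameter(Mandatory)][long]$Value)
    $dword = ConvertTo-DwordValue $Value
    if ($script:DocumentedValues -notcontains $dword) {
        throw ('0x{0:x} is not a documented value (0x0, 0x01, 0x10, 0x11, 0x20, 0xffffffff).' -f $dword)
    }
    if ($dword -ne 0 -and $dword -ne 0x20) {
        Write-Warning 'Values other than 0x0 and 0x20 cause the Routing and Remote Access service to fail after restart.'
    }
    # Write the bits back as the signed Int32 that the DWord registry type expects.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$dword), 0)
    if ($null -eq (Get-ItemProperty -Path $script:Tcpip6Path -Name $script:ValueName -ErrorAction SilentlyContinue)) {
        New-ItemProperty -Path $script:Tcpip6Path -Name $script:ValueName -PropertyType DWord -Value $signed | Out-Null
    } else {
        Set-ItemProperty -Path $script:Tcpip6Path -Name $script:ValueName -Value $signed
    }
    Write-Host ('DisabledComponents set to 0x{0:x}; restart the computer for the change to take effect.' -f $dword)
}

Show-Ipv6DisabledComponents
# Example change, kept commented so the script is read-only by default:
# Set-Ipv6DisabledComponents -Value 0x20
```

Run it in an elevated PowerShell session; the script only changes the registry when Set-Ipv6DisabledComponents is called explicitly, and the restart requirement from the post still applies.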


Certificate Concepts April 19, 2011


I would like to share some information about how digital certificates work. Understanding these concepts is important when troubleshooting PKI issues.

Let’s start by defining the term digital certificate: digital certificates are electronic credentials used to assert the online identities of individuals, computers and other entities on a network. The concept is much like that of a driver’s license: like a driver’s license, a certificate is issued by a central authority that has validated the identity of the person (or computer, application, service, etc.) requesting it. Now that we have defined digital certificates, let us move on to the details.

Certificate Architecture

Certificates issued by Windows Server 2003 and earlier are based on standards established by the Public-Key Infrastructure X.509 Working Group of the Internet Engineering Task Force. Version 1 of the standard defines a set of fields that should exist in every X.509 digital certificate. Version 2 added two more fields in order to support X.500 directory access control. Finally, version 3 introduced the concept of a Certificate Extension. Certificate extensions are simply additional fields that may be specified in standards or may be defined and registered by a vendor, individual, or community. The Windows Certificate Server included in Windows 2000 and later supports X.509 Version 3 digital certificates.

The format of a v3 digital certificate is illustrated below.

X.509 Version 3 Certificate


      • Version: Identifies the version of the X.509 standard to which the certificate adheres. Certificates issued by a Windows certification authority (CA) are always v3.
      • Certificate Serial Number: A unique identifier for each certificate issued by a particular Certificate Authority. This number must be unique amongst all certificates issued by that CA.
      • Issuer: The distinguished name of the CA that issued the certificate. This field identifies the authority responsible for verifying the identity of the Subject of the certificate.
      • Subject: The name of the computer, user, network device or service to which the certificate is issued.
      • Valid from: The date and time when the certificate becomes valid.
      • Valid to: The date and time when the certificate expires.
      • Public Key: Contains the public key of the key pair that is associated with the certificate.
      • Issuer Unique Identifier: Information that can be used to uniquely identify the issuer of the digital certificate.
      • Subject Unique Identifier: Information that can be used to uniquely identify the owner of the digital certificate.
      • Extensions: Version 3 certificates include extensions that provide additional functionality and features to the certificates.

As can be seen, a digital certificate binds a subject identity to a public key (whose corresponding private key the subject holds) in a signed, and therefore verifiable, digital document.

Example User Certificate


When you double-click a certificate in Windows, the Details tab displays the fields mentioned above. This is an easy way of visually verifying the validity dates and the Subject.

The Certification Path tab displays the certificate path from the root down to the certificate being evaluated.

Basic Certificate Validation:

For a certificate to function properly, the following items must validate correctly (at a minimum):

1. Subject name: The subject of the certificate must match the name of the resource being accessed. For example, when using https, the subject of the certificate installed on the web server must match the host name in the https URL that users will use to connect to the website. The subject name is analogous to the name on a driver’s license.

2. Validity Period: The current time must fall between the Valid From and Valid To dates whenever the certificate is used. The validity period is analogous to the expiration date on a driver’s license.

3. Trust: The certificate must be issued by a trusted Certificate Authority. Trust is analogous to the State that issued a driver’s license: because the State that issued the license is a member of the union that makes up the United States, we trust the issuer of the license.

4. Chain Building: Chain building is the process of building a trust chain, or certification path, from the end certificate to a root CA that is trusted by the security principal. The chain-building process will validate the certification path by checking each certificate in the certification path from the end certificate to the root CA’s certificate.

5. Key Usage: To help control the usage of a certificate outside of its intended purpose, the optional Enhanced Key Usage extension can be included in the certificate by the CA. The Enhanced Key Usage extension contains a list of usages for which the certificate is valid. These usages, also known as intended purposes, are displayed on the General tab of the certificate dialog box. This is important when evaluating why a certificate may not be working correctly. Key Usage is analogous to driver’s license endorsements (types of vehicles that can be driven with this license).

6. Revocation Checking: Each certificate in the certificate chain is verified to ensure that none of the certificates are revoked. A certificate can be revoked prior to the expiration date to disavow the certificate. Revocation Checking is analogous to checking a driver’s license against a State database to verify that a driver’s license has not been revoked for a violation.
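An added example, not code from the original post, that puts the certificate fields listed under Certificate Architecture and the six checks above into one PowerShell script. It uses the .NET X509Certificate2 and X509Chain classes (which is what the Windows certificate dialog uses underneath). The host name, the required Enhanced Key Usage OID and the certificate file path are placeholders for you to supply; the function names are my own.

```powershell
# Added example (not from the original post): dump X.509 v3 fields and run the basic checks.
using namespace System.Security.Cryptography.X509Certificates

function Show-CertificateFields {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)
    # The v3 fields described in the post, as .NET exposes them. The v2 Issuer/Subject
    # Unique Identifier fields are not surfaced by X509Certificate2 and are rarely used.
    [pscustomobject]@{
        Version      = $Certificate.Version
        SerialNumber = $Certificate.SerialNumber
        Issuer       = $Certificate.Issuer
        Subject      = $Certificate.Subject
        ValidFrom    = $Certificate.NotBefore
        ValidTo      = $Certificate.NotAfter
        PublicKey    = $Certificate.PublicKey.Oid.FriendlyName
        Extensions   = ($Certificate.Extensions | ForEach-Object { $_.Oid.FriendlyName }) -join ', '
    }
}

function Test-CertificateChecks {
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName,
        # Server Authentication, the intended purpose of an https certificate.
        [string]$RequiredEkuOid = '1.3.6.1.5.5.7.3.1'
    )
    $now = Get-Date

    # 1. Subject name. DnsNameList is a PowerShell-added property that collects the CN and
    #    the DNS entries of the Subject Alternative Name extension; exact match only here
    #    (wildcard names are not handled in this example).
    $dnsNames = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    if ($dnsNames.Count -eq 0) { $dnsNames = @($Certificate.GetNameInfo([X509NameType]::DnsName, $false)) }
    $subjectOk = $dnsNames -contains $HostName

    # 2. Validity period.
    $validityOk = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)

    # 3, 4 and 6. Trust, chain building and revocation checking are all done by X509Chain;
    #    the ChainStatus flags tell you which of the three failed.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode  = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag  = [X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::NoFlag
    $built  = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $trustOk      = ($status -notcontains 'UntrustedRoot') -and ($status -notcontains 'ExplicitDistrust')
    $chainOk      = $built -or (($status -notcontains 'PartialChain') -and ($status -notcontains 'NotSignatureValid'))
    $revocationOk = -not ($status | Where-Object { $_ -match 'Revoked|RevocationStatusUnknown|OfflineRevocation' })

    # 5. Key usage: if the Enhanced Key Usage extension is present it must list the purpose.
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOk = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $RequiredEkuOid } else { $true }

    [pscustomobject]@{
        SubjectName       = $subjectOk
        ValidityPeriod    = $validityOk
        Trust             = $trustOk
        ChainBuilding     = $chainOk
        KeyUsage          = $ekuOk
        Revocation        = $revocationOk
        ChainStatus       = ($status -join ', ')
        # Same path the Certification Path tab shows, end certificate first.
        CertificationPath = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
}

# Usage (placeholder path and host name, replace with your own):
# $cert = [X509Certificate2]::new('C:\temp\server.cer')
# Show-CertificateFields -Certificate $cert
# Test-CertificateChecks -Certificate $cert -HostName 'www.example.com'
```

When a check comes back False, the ChainStatus column names the exact flag (for example UntrustedRoot, PartialChain or RevocationStatusUnknown), which is usually faster than reading the dialog one tab at a time.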

Summary:

Certificates issued by Windows Server 2003 and earlier are based on standards established by the Public-Key Infrastructure X.509 Working Group of the Internet Engineering Task Force. The Windows Certificate Server included in Windows 2000 and later supports X.509 Version 3 digital certificates. Subject Name, Validity Period, Trust, Chaining, Key Usage, and Revocation need to be validated for a certificate to function properly.


FYI: The Point and Print User configuration policy is ignored by Windows 7, Windows Server 2008 R2 and Service Pack 2 release of Windows Vista, Windows Server 2008. April 17, 2011


We have all encountered issues setting up Point & Print Restrictions on Vista and later operating systems; this is the most recent fix from Microsoft PSS. Hope it helps; if not, please drop a comment.

Knowledge Base Article: 2307161


Cool Stuff | Pin Hotmail on your Windows-7 Taskbar April 16, 2011

Filed under: Misc — helpforsure @ 11:34 am

Hotmail just got even better when run on IE9. Today, Hotmail added email notifications to its pinned site that displays the number of new messages directly in the taskbar. It’s an easy way to keep an eye on new updates with a glance. Pin Hotmail to your taskbar to start seeing this in action!

Hotmail also gives you quick access to mail tasks from the jumplist. Right-click on the Hotmail icon to jump to a task like send mail:


Now when you pin Hotmail to the taskbar, you can use it like a native desktop application on Windows 7. With pinned sites, developers can add capabilities like notifications, jumplists and thumbnail toolbars to your Web sites too. See these MSDN articles and Test Drive demo for details:

Check out many more useful (and addictive) pinned site experiences on beautyoftheweb.com and on the Internet Explorer Gallery.

If you’re running Windows 7 but not yet running IE9, upgrade now to get the most from your browsing experience.


Windows XP Virtual Machines exhibiting degraded performance & high CPU utilization with Hyper-V & VDI


I came across an issue where a customer had a VDI deployment of Windows XP machines running on Windows Server 2008 R2 Hyper-V servers. The problem was that while performance of the virtualized desktops was fine on one of the Hyper-V machines, it was not so good on the other.

In checking the performance of the Windows XP VMs, it was found that CPU usage was significantly higher on the ones running on the problem server than on the other. Perfmon showed the higher CPU usage, but was not conclusive as to a specific process causing the issue.

As we were looking for the performance difference between VMs running on the two Hyper-V hosts, we collected Performance Monitor logs for the various Hyper-V counters. From these, we saw that the counter Hypervisor Virtual Processor\APIC TPR Accesses/sec was a flat line on the good performing server, but had a lot of ups and downs on the problem server.

TPR stands for Task Priority Register. It turns out that Windows XP and prior operating systems access the APIC TPR very frequently, which puts a bit more overhead on the hypervisor. Essentially, when the IRQL is raised, the OS immediately accesses the processor’s local APIC to set the interrupt mask. This prevents it from being pre-empted by a lower IRQL interrupt. Then, when the IRQL needs to be lowered, the local APIC must be accessed again.

However, in Windows Server 2003 and later operating systems, we implement a concept known as Lazy IRQL. With this, when the IRQL is raised, the HAL keeps a note of the raised IRQL within a structure of its own. Now, if the processor gets a lower priority interrupt, the OS checks it against the locally stored IRQL and only then accesses the APIC to set the interrupt mask. In the newer versions of Windows, the duration for which an Interrupt Service Routine (ISR) actually needs to run is very low. However, this is not the case with Windows XP and earlier operating systems: an APIC TPR access must occur for every IRQL raise and for each subsequent lowering. This additional overhead is small on an individual scale, but can add up quickly, and was in fact what was causing the VMs to be slower. Now, this explains the poor performance for the Windows XP VMs on one of the servers, but what about the other server that had good performance? Both of these servers were superficially identical, and were even running the same model of Intel processor.

Well, it turns out that Intel has a technology called vTPR that is designed to work around this type of issue. However, this technology is not present in all of their CPU models. Even though the processors in both servers were the same model, the stepping revision was not. The server exhibiting the performance issue had a stepping revision of B3, whereas the other server had a stepping of G0. The processor with the B3 stepping did not implement vTPR, but the one with the G0 stepping did.

So, how do we work around the initial issue? Unfortunately there is not a simple software trick to get around this. The solution to this issue would be to either replace the processor with one which implements vTPR, or to upgrade the guest operating systems to something which supports Lazy IRQL; I recommend Windows 7. More info on Intel vTPR can be found in this document.
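An added example, not code from the original post, that reproduces the two diagnostic steps the investigation above relied on: sampling the APIC TPR Accesses/sec counter per virtual processor on a Hyper-V host and reporting how much it swings (a flat line versus ups and downs), and reading the host CPU model and stepping. The counter path assumes the counter is exposed under the "Hyper-V Hypervisor Virtual Processor" performance object as named in the post; Win32_Processor reports the stepping as a number, and mapping that to Intel's letter revision (B3, G0) requires the processor's specification update.

```powershell
# Added example (not from the original post): profile APIC TPR accesses and show CPU stepping.

function Get-ApicTprProfile {
    param([int]$Samples = 30, [int]$IntervalSeconds = 1)
    # Assumed counter path for the counter named in the post; one instance per VM virtual processor.
    $counter = '\Hyper-V Hypervisor Virtual Processor(*)\APIC TPR Accesses/sec'
    $data = Get-Counter -Counter $counter -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction Stop
    # Group the samples by instance and summarise; a large swing between minimum and maximum
    # is the "ups and downs" pattern seen on the problem host.
    $data.CounterSamples |
        Group-Object InstanceName |
        ForEach-Object {
            $stats = $_.Group | Measure-Object -Property CookedValue -Average -Minimum -Maximum
            [pscustomobject]@{
                Instance = $_.Name
                Average  = [math]::Round($stats.Average, 1)
                Minimum  = $stats.Minimum
                Maximum  = $stats.Maximum
                Swing    = $stats.Maximum - $stats.Minimum
            }
        } | Sort-Object Swing -Descending
}

function Get-HostProcessorStepping {
    # Win32_Processor.Description reads like "Intel64 Family 6 Model 15 Stepping 11".
    # The numeric stepping must be looked up against the CPU's specification update
    # to get the letter revision (B3, G0, ...) that decides whether vTPR is present.
    Get-CimInstance -ClassName Win32_Processor | ForEach-Object {
        $stepping = if ($_.Description -match 'Stepping\s+(\d+)') { [int]$Matches[1] } else { $null }
        [pscustomobject]@{
            Name        = $_.Name.Trim()
            Description = $_.Description
            Stepping    = $stepping
            ProcessorId = $_.ProcessorId
        }
    }
}

Get-HostProcessorStepping | Format-Table -AutoSize
Get-ApicTprProfile | Format-Table -AutoSize
```

Run the script on each Hyper-V host while the XP guests are under their normal load and compare the Swing column between hosts; the per-instance grouping also tells you which guests are generating the TPR traffic.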