In previous releases of Windows Server, updates were installed during a maintenance period, and the server rebooted right after the update if required. The day and time were configurable so that this would have minimal effect during peak hours.
This changed, however, in Windows Server 2012. The default setting downloads the available updates, notifies the user, and requires user action within one day. After one day the updates are installed as soon as possible and a reboot is forced on the server. On production servers this behaviour is not appropriate, as it may force a reboot at a critical time, causing very unpredictable downtime.
Luckily this can be configured, although the setting is not located in the same place as in previous versions of Windows Server. Here’s a step-by-step tutorial on how to configure the updates to install automatically at 3am on Sundays:
1. Open the Local Group Policy Editor
Either search for “Edit Group Policy” or open the gpedit MMC snap-in using Run
The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. All Windows servers 2008 R2 and 2012 are affected!
Windows Update seems to have done the trick automatically for my 2008 R2 servers but the 2012 servers are still affected after installing the latest updates.
How to check if you are affected?
If you have a Linux server lying around, type this command:
wget --header="Range: bytes=18-18446744073709551615" http://serverip/iis-85.png
Windows Server 2008 enables SSL v2 and SSL v3 by default. These versions are outdated, weak, and exposed to recent threats, including POODLE. To secure the server and pass PCI compliance checks, you must disable these weak protocol versions and require clients to use TLS 1.0 or greater.
Here’s how to disable SSL v2:
1. Start – Run
After the last automatic updates from Microsoft, installed in January 2013, the Outlook Web Access (OWA) interface seems to be broken. When trying to delete messages, this message is shown: “An unexpected error occurred and your request couldn’t be handled.”
In the Windows Server 2003 days this was an easy task. Just type the primary IP address first and any additional IP addresses won’t be used as the outgoing IP address. However, in Windows Server 2008 this is not so simple and there seems to be no easy GUI way of doing that.
The Receive Window Auto-Tuning feature lets the operating system continually monitor routing conditions such as bandwidth, network delay, and application delay. The operating system can therefore configure connections by scaling the TCP receive window to maximize network performance. To determine the optimal receive window size, the Receive Window Auto-Tuning feature measures the bandwidth-delay product and the application retrieve rates. It then adapts the receive window size of the ongoing transmission to take advantage of any unused bandwidth.
While the feature may improve speed, in some cases it can also cause problems and slow down the network.
To disable the feature, use this command:
netsh interface tcp set global autotuning=disabled
To see if the feature is enabled or disabled, use this command:
netsh interface tcp show global
To enable Receive Window Auto-Tuning, use this command:
netsh interface tcp set global autotuning=normal
Here’s a list of available options for the autotuning parameter:
disabled: Fix the receive window at its default value.
highlyrestricted: Allow the receive window to grow beyond its default value, but do so very conservatively.
restricted: Allow the receive window to grow beyond its default value, but limit such growth in some scenarios.
normal: Allow the receive window to grow to accommodate almost all scenarios.
experimental: Allow the receive window to grow to accommodate extreme scenarios. WARNING: This can dramatically degrade performance in common scenarios and should only be used for research purposes.
To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000. This is known as MaxUserPort in Windows 2003.
However, this may not be enough for busy servers. To increase this number use this command:
netsh int ipv4 set dynamicportrange tcp start=16384 num=49151
Here we change the number of ports from the default 16,383 to 49,151. You can choose any number, but make sure the end port (start + num) is not higher than 65535.
To show the current number of ports, use this command:
netsh int ipv4 show dynamicportrange tcp
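An added example in PowerShell, not part of the original post: after changing the range, it parses the English-language output of `netsh int ipv4 show dynamicportrange tcp`, checks it against the end-port rule above, and lists listening TCP ports that now fall inside the dynamic range, since a service bound to a fixed port there can collide with outgoing connections. The function names and the sample `netsh` and `netstat` text are constructed for illustration.

```powershell
# Constructed sample of `netsh int ipv4 show dynamicportrange tcp` after the change above.
$sampleNetsh = @'

Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 16384
Number of Ports : 49151
'@

# Constructed sample of `netstat -ano -p tcp` lines (listeners only).
$sampleNetstat = @'
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:27017          0.0.0.0:0              LISTENING       2044
  TCP    [::]:47001             [::]:0                 LISTENING       4
'@

function Get-DynamicPortRange {
    param([string]$NetshText)
    if ($NetshText -notmatch 'Start Port\s*:\s*(\d+)') { throw 'Start Port not found' }
    $start = [int]$Matches[1]
    if ($NetshText -notmatch 'Number of Ports\s*:\s*(\d+)') { throw 'Number of Ports not found' }
    $num = [int]$Matches[1]
    [pscustomobject]@{
        Start = $start
        Count = $num
        Last  = $start + $num - 1   # the start port itself counts as the first port
        # netsh minimums (start 1025, 255 ports) plus the post's rule: start + num <= 65535
        Valid = ($start -ge 1025) -and ($num -ge 255) -and (($start + $num) -le 65535)
    }
}

function Get-ListenersInRange {
    param([string[]]$NetstatLines, [int]$Start, [int]$Last)
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $port = [int]$Matches[1]
            if ($port -ge $Start -and $port -le $Last) {
                [pscustomobject]@{ Port = $port; ProcessId = [int]$Matches[2] }
            }
        }
    }
}

$range = Get-DynamicPortRange -NetshText $sampleNetsh
$hits  = Get-ListenersInRange -NetstatLines ($sampleNetstat -split '\r?\n') -Start $range.Start -Last $range.Last
$range | Format-List
$hits  | Format-Table -AutoSize
```

On a live server, replace the two samples with `(netsh int ipv4 show dynamicportrange tcp | Out-String)` and `(netstat -ano -p tcp)`; with the sample data, ports 27017 and 47001 are reported as falling inside the new range.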
Today when adding a secure binding to one of my sites in IIS 7, I got this error:
One or more intermediate certificates in the certificate chain are missing. To resolve this issue, make sure that all of the intermediate certificates are installed. For more information, see http://support.microsoft.com/kb/954755.