How to schedule Windows Update to install updates at certain time in Windows Server 2012

In previous releases of Windows Server, the updates were installed during a maintenance period and rebooted if required right after the update. The day and time was configurable so that this would have minimal effect during peak hours.

This however changed in Windows Server 2012. The default setting downloads the available updates and notifies the user and requires user action within one day. After one day the updates are installed as soon as possible and forces reboot on the server. On production servers this is not appropriate behaviour as it may force reboot at critical time causing very unpredictable downtimes.

Luckly this can be configured although it’s not located in same place as in previous versions of Windows Server. Here’s a step by step tutorial on how to configure the updates to automatically install at 3am on Sundays:

1. Open the Local Group Policy Editor

Either search for “Edit Group Policy” or open the gpedit MMC snap-in using Run

gpedit.msc

Continue reading

How to disable ciphers vulnerable to the BEAST vulnerability on Windows server/IIS

By default the SSL protocol encrypts data by using CBC mode with chained initialization vectors. This allows an attacker, which is has gotten access to an HTTPS session via man-in-the-middle (MITM) attacks or other means, to obtain plain text HTTP headers via a blockwise chosen-boundary attack (BCBA) in conjunction with Javascript code that uses the HTML5 WebSocket API, the Java URLConnection API, or the Silverlight WebClient API. This vulnerability is more commonly referred to as Browser Exploit Against SSL/TLS or “BEAST”. Continue reading

How to disable Receive Window Auto-Tuning Level in Windows 7 / 2008

The Receive Window Auto-Tuning feature lets the operating system continually monitor routing conditions such as bandwidth, network delay, and application delay. Therefore, the operating system can configure connections by scaling the TCP receive window to maximize the network performance. To determine the optimal receive window size, the Receive Window Auto-Tuning feature measures the products that delay bandwidth and the application retrieve rates. Then, the Receive Window Auto-Tuning feature adapts the receive window size of the ongoing transmission to take advantage of any unused bandwidth.

While the feature may improve speed, in some cases it can also cause problems and slow down the network.

To disable the feature, use this command:

netsh interface tcp set global autotuning=disabled

To see if the feature is enabled or disabled, use this command:

netsh interface tcp show global

To enable the Receive Window Auto-Tuning Level, use this command:

netsh interface tcp set global autotuning=normal

Here’s a list of available options for the autotuning parameter:

disabled: Fix the receive window at its default value.
highlyrestricted: Allow the receive window to grow beyond its default value, but do so very conservatively.
restricted: Allow the receive window to grow beyond its default value, but limit such growth in some scenarios.
normal: Allow the receive window to grow to accommodate almost all scenarios.
experimental: Allow the receive window to grow to accommodate extreme scenarios. WARNING: This can dramatically degrade performance in common scenarios and should only be used for research purposes.

How to change the number of dynamic ports

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000. This is known as MaxUserPort in Windows 2003.

However, this may not be enough for busy servers. To increase this number use this command:

netsh int ipv4 set dynamicportrange tcp start=16384 num=49151

Here we change the number of ports from the default 16.383 to 49.151. You can choose any number but make sure the end port (start + num) is not higher than 65535.

To show the current number of ports, use this command:

netsh int ipv4 show dynamicportrange tcp

How to migrate multiple sites from IIS 6 to IIS 7

This is a quick guide on how to migrate all sites from IIS 6 to IIS 7. You can probably use the same commands to move sites from one IIS 7 to another.

Everything will be migrated, including application pools, virtual directories, SSL certficiates etc.

1. Download and install Web Deployment Tool on both source and destination servers: http://www.iis.net/download/webdeploy Continue reading