How to enable TLS 1.2 for ASP.NET 3.5 on Windows Server 2012 R2

ASP.NET 3.5 is getting pretty old, and the ideal solution would be to update to the latest ASP.NET version. But let’s face it: there are legacy systems already running 3.5 that are not easy to upgrade, and most external services are dropping support for the deprecated TLS 1.0 and TLS 1.1 protocols.

I searched for solutions online and most replies were indicating that there was no TLS 1.2 support in ASP.NET 3.5 and it would not be supported, which is not true.

Microsoft released an update a while ago which added TLS 1.2 support for ASP.NET 3.5. Chances are that you already have it installed on the server, but if not, you can download it here. If you get the error “The update is not applicable to your computer.”, it’s probably already installed.

How to schedule Windows Update to install updates at a certain time in Windows Server 2012

In previous releases of Windows Server, updates were installed during a maintenance period and the server rebooted right after the update if required. The day and time were configurable so that this would have minimal effect during peak hours.

This, however, changed in Windows Server 2012. The default setting downloads the available updates, notifies the user and requires user action within one day. After one day the updates are installed as soon as possible and a reboot is forced on the server. On production servers this is not appropriate behaviour, as it may force a reboot at a critical time and cause very unpredictable downtime.

Luckily this can be configured, although the setting is not located in the same place as in previous versions of Windows Server. Here’s a step-by-step tutorial on how to configure the updates to install automatically at 3am on Sundays:

1. Open the Local Group Policy Editor

Either search for “Edit Group Policy” or open the gpedit MMC snap-in using Run:

gpedit.msc


How to patch Windows Server 2012 R2 to resolve the MS15-034 vulnerability

The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. All Windows Server 2008 R2 and 2012 systems are affected!

Windows Update seems to have done the trick automatically for my 2008 R2 servers but the 2012 servers are still affected after installing the latest updates.

How to check if you are affected?

If you have a Linux server lying around, type this command:

wget --header="Range: bytes=18-18446744073709551615" http://serverip/iis-85.png


How to disable Receive Window Auto-Tuning Level in Windows 7 / 2008

The Receive Window Auto-Tuning feature lets the operating system continually monitor routing conditions such as bandwidth, network delay, and application delay. The operating system can then configure connections by scaling the TCP receive window to maximize network performance. To determine the optimal receive window size, the feature measures the bandwidth-delay product and the rate at which the application retrieves data. It then adapts the receive window size of the ongoing transmission to take advantage of any unused bandwidth.

While the feature may improve speed, in some cases it can also cause problems and slow down the network.

To disable the feature, use this command:

netsh interface tcp set global autotuning=disabled

To see if the feature is enabled or disabled, use this command:

netsh interface tcp show global

To enable the Receive Window Auto-Tuning Level, use this command:

netsh interface tcp set global autotuning=normal

Here’s a list of available options for the autotuning parameter:

disabled: Fix the receive window at its default value.
highlyrestricted: Allow the receive window to grow beyond its default value, but do so very conservatively.
restricted: Allow the receive window to grow beyond its default value, but limit such growth in some scenarios.
normal: Allow the receive window to grow to accommodate almost all scenarios.
experimental: Allow the receive window to grow to accommodate extreme scenarios. WARNING: This can dramatically degrade performance in common scenarios and should only be used for research purposes.

How to change the number of dynamic ports

To comply with Internet Assigned Numbers Authority (IANA) recommendations, Microsoft has increased the dynamic client port range for outgoing connections in Windows Vista and in Windows Server 2008. The new default start port is 49152, and the default end port is 65535. This is a change from the configuration of earlier versions of Windows that used a default port range of 1025 through 5000. This is known as MaxUserPort in Windows 2003.

However, this may not be enough for busy servers. To increase this number, use this command:

netsh int ipv4 set dynamicportrange tcp start=16384 num=49151

Here we change the number of ports from the default 16,383 to 49,151. You can choose any number, but make sure the end port (start + num) is not higher than 65535.

To show the current number of ports, use this command:

netsh int ipv4 show dynamicportrange tcp
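
A pre-flight check for the range change described above, as an added PowerShell example that is not part of the original post: it parses the `show` output, computes the last port of a range, and flags listening ports that would fall inside a proposed dynamic range. The function names, the sample output and the listener list are assumptions made for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the original post. $sample is constructed text in the
# English-language format of: netsh int ipv4 show dynamicportrange tcp
$sample = @'
Protocol tcp Dynamic Port Range
---------------------------------
Start Port      : 49152
Number of Ports : 16384
'@

function Get-DynamicPortRange {
    param([string[]]$NetshOutput)
    $text = $NetshOutput -join "`n"
    if ($text -notmatch 'Start Port\s*:\s*(\d+)') { throw 'Start Port not found' }
    $start = [int]$Matches[1]
    if ($text -notmatch 'Number of Ports\s*:\s*(\d+)') { throw 'Number of Ports not found' }
    $count = [int]$Matches[1]
    # The last port is start + count - 1, because the start port itself counts.
    [pscustomobject]@{ Start = $start; Count = $count; End = $start + $count - 1 }
}

function Test-DynamicPortRange {
    param([int]$Start, [int]$Count, [int[]]$ListeningPorts = @())
    $end = $Start + $Count - 1
    $problems = @()
    # Limits netsh enforces: start >= 1025, at least 255 ports, end <= 65535.
    if ($Start -lt 1025) { $problems += "start port $Start is below 1025" }
    if ($Count -lt 255)  { $problems += "range of $Count ports is below the minimum of 255" }
    if ($end -gt 65535)  { $problems += "end port $end is above 65535" }
    # A fixed-port service inside the range can lose its port to an outbound connection.
    $overlap = @($ListeningPorts | Where-Object { $_ -ge $Start -and $_ -le $end } | Sort-Object)
    [pscustomobject]@{ End = $end; Valid = ($problems.Count -eq 0); Problems = $problems; Overlap = $overlap }
}

# Constructed listener list; on Windows Server 2012 or later a live list comes from
# (Get-NetTCPConnection -State Listen).LocalPort
$listeners = 80, 443, 1433, 3389, 27017, 50000

Get-DynamicPortRange -NetshOutput $sample
Test-DynamicPortRange -Start 16384 -Count 49151 -ListeningPorts $listeners   # the command from the post
Test-DynamicPortRange -Start 16384 -Count 49153 -ListeningPorts $listeners   # one port too many
```

On a live host, pass the output of `netsh int ipv4 show dynamicportrange tcp` to `Get-DynamicPortRange` in place of `$sample`.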