Thursday, May 17, 2018

Unable to RDP to Virtual Machine: CredSSP Encryption Oracle Remediation

To resolve a vulnerability in the Credential Security Support Provider protocol (CredSSP), CVE-2018-0886, the May 2018 monthly Windows update does two things:
1.       Corrects how CredSSP validates requests during the authentication process.
2.       Changes the default of the Encryption Oracle Remediation group policy setting from Vulnerable to Mitigated.
This RDP authentication error occurs when the local client and the remote host have different Encryption Oracle Remediation settings, which define how an RDP session is built on top of CredSSP. If the client and the server disagree about how a secure RDP session must be established, the connection is blocked. Microsoft may change the default again in a later update, so an environment that relies on the current default can be affected again.

Examples:
1.       If the client is updated (Mitigated) and you RDP to an Azure VM that was not updated, the connection is blocked and you see the CredSSP encryption oracle remediation error.
2.       If the client is not patched but the server is updated, RDP still works, but the session is exposed to the attack.
3.       If both client and server are patched with the default setting (Mitigated), RDP works securely.
Resolution / Fix
Ensure both client and server have the latest patch installed so that RDP can be established securely.
You can find the KB number for each operating system in the advisory for CVE-2018-0886: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886
If you cannot RDP to VMs from your patched client, you can change the policy setting on the client to temporarily regain RDP access to the unpatched servers. Open the Local Group Policy Editor (gpedit.msc) and browse to Computer Configuration / Administrative Templates / System / Credentials Delegation in the left pane.
Set the Encryption Oracle Remediation policy to Enabled, and Protection Level to Vulnerable. This re-exposes the client to the attack for every CredSSP connection it makes, so patch the servers and set the protection level back to Mitigated (or remove the policy) as soon as possible.
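As an added example (not part of the original post), the PowerShell below reads and changes the same setting without gpedit.msc. The Encryption Oracle Remediation policy is stored as the AllowEncryptionOracle DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters, where 0 = Force Updated Clients, 1 = Mitigated and 2 = Vulnerable. The function names are my own; run the script from an elevated prompt to change the value.

```powershell
# Added example, not from the original post: inspect and change the CredSSP
# Encryption Oracle Remediation setting directly in the registry.
# This is the value the group policy "Encryption Oracle Remediation" writes.
$CredSspPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$CredSspName = 'AllowEncryptionOracle'
$Levels = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleLevel {
    # Returns the configured level, or 'not set' when the policy has never been applied
    # (on a patched system the behaviour is then the default, Mitigated).
    $item = Get-ItemProperty -Path $CredSspPath -Name $CredSspName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (patched default: Mitigated)' }
    $value = [int]$item.$CredSspName
    return ('{0} = {1}' -f $value, $Levels[$value])
}

function Set-CredSspOracleLevel {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Level)
    # Creates the key if it does not exist yet; needs an elevated prompt.
    if (-not (Test-Path $CredSspPath)) { New-Item -Path $CredSspPath -Force | Out-Null }
    Set-ItemProperty -Path $CredSspPath -Name $CredSspName -Value $Level -Type DWord
    Write-Host ('CredSSP Encryption Oracle Remediation now: {0} ({1})' -f $Level, $Levels[$Level])
}

function Remove-CredSspOracleLevel {
    # Removes the override so the system falls back to its default (Mitigated after the May 2018 update).
    Remove-ItemProperty -Path $CredSspPath -Name $CredSspName -ErrorAction SilentlyContinue
}

'Current setting: ' + (Get-CredSspOracleLevel)

# Temporary workaround from the post, only until the server side is patched.
# It exposes every CredSSP connection from this client to the attack:
#   Set-CredSspOracleLevel -Level 2
# Restore the protected setting afterwards:
#   Set-CredSspOracleLevel -Level 1    # or Remove-CredSspOracleLevel
```

If a domain or local GPO configures the policy, it will overwrite this value on the next policy refresh, so in that case change the GPO instead of the registry. Changing the value does not require a reboot; a new RDP connection picks it up.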

Monday, April 9, 2018

Get Private Key and certificate from pfx file


1.       Get Private Key and certificate from pfx file (for this we need OpenSSL installed):

a.       open cmd and go to the installation directory of openSSL
C:\Users\admin>cd %Installed Path of openSSL%

b.       Run the following commands:
C:\OpenSSL-Win32>set openssl_Home=%Installed Path of openSSL%
C:\OpenSSL-Win32>set openssl_conf=%Installed Path of openSSL%\bin\openssl.cfg
C:\OpenSSL-Win32>set path=%path%;%Installed Path of openSSL%\bin

c.       Go to bin directory:
C:\OpenSSL-Win32>cd bin

d.       Run the below command to convert the pfx file (you will be prompted for the pfx import password):
C:\OpenSSL-Win32\bin>openssl pkcs12 -in mydomain.pfx -nodes

The output contains the private key in PEM form, unencrypted because of -nodes, followed by the certificate(s). Treat that output as a secret.
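Added example, not from the original post: the same extraction as a PowerShell script that writes the key, the leaf certificate and the CA chain to separate files and then checks that the key really belongs to the certificate. It assumes openssl.exe is on the PATH (as after the set path step above) and that mydomain.pfx is the bundle; all file names are placeholders.

```powershell
# Added example, not from the original post. Splits a .pfx into separate PEM files
# and verifies that the private key matches the leaf certificate.
# Assumes openssl.exe is on PATH; mydomain.pfx and the output names are placeholders.
$Pfx = 'mydomain.pfx'

# Read the import password without echoing it and hand it to openssl through an
# environment variable (-passin env:) so it never appears on a command line.
$secure = Read-Host -Prompt 'PFX import password' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $env:PFXPASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    # Private key only, written unencrypted (-nodes): this file is the secret, restrict access to it.
    & openssl pkcs12 -in $Pfx -nocerts -nodes -passin env:PFXPASS -out mydomain.key
    # Leaf (server) certificate only, without the chain.
    & openssl pkcs12 -in $Pfx -clcerts -nokeys -passin env:PFXPASS -out mydomain.crt
    # CA chain only; the file stays empty if the bundle carries no intermediates.
    & openssl pkcs12 -in $Pfx -cacerts -nokeys -passin env:PFXPASS -out mydomain-ca.crt
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Item Env:\PFXPASS -ErrorAction SilentlyContinue
}

# Sanity check: the public key inside the certificate must equal the one derived from the key.
$certPub = (& openssl x509 -in mydomain.crt -noout -pubkey) -join "`n"
$keyPub  = (& openssl pkey -in mydomain.key -pubout) -join "`n"
if ($certPub -eq $keyPub) {
    'Private key and certificate match'
} else {
    Write-Error 'Private key does NOT match the certificate'
}

# Show subject, issuer and expiry so you can confirm the right certificate came out.
& openssl x509 -in mydomain.crt -noout -subject -issuer -enddate
```

The key file is what a web server or load balancer will load; if the target system expects an encrypted key, drop -nodes and openssl will ask for a passphrase to protect it with.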

Wednesday, April 4, 2018

WP Super Cache — Content Encoding Error

If you are getting the below error:

Content Encoding Error

The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

* Please contact the website owners to inform them of this problem.

Steps to fix this:

Go to the WP Super Cache advanced settings page and make sure compression is disabled.

The host already has gzip compression enabled, so asking WP Super Cache to compress the output again produces a doubly encoded response, which the browser rejects with this error.



WordPress - Add custom field automatically when post or page is publish


Adding this snippet to the functions.php of your WordPress theme adds a custom field to a post or page when it is published. Replace FIELD_NAME and CUSTOM VALUE with your own key and value.

// Run the callback whenever a page or a post is published.
add_action('publish_page', 'add_custom_field_automatically');
add_action('publish_post', 'add_custom_field_automatically');

function add_custom_field_automatically($post_ID) {
    // Skip revisions: only the published post itself gets the field.
    if (!wp_is_post_revision($post_ID)) {
        // The last argument (true) makes the key unique, so an existing value is not overwritten.
        add_post_meta($post_ID, 'FIELD_NAME', 'CUSTOM VALUE', true);
    }
}


Monday, February 19, 2018

Wordpress - Redirect www URLs to non-www

You can redirect all requests for www.yourdomain.com to yourdomain.com by modifying your website's .htaccess file. Add the following lines at the beginning of the file (before the # BEGIN WordPress block) to set up the redirect:


RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]


Where yourdomain.com is your actual domain name. If the site is served over HTTPS, use https:// in the RewriteRule target; redirecting to http:// would downgrade every visitor to an unencrypted connection.

Wordpress - Redirect non-www URLs to www

You can redirect all requests for yourdomain.com to www.yourdomain.com by modifying your website's .htaccess file. Add the following lines at the beginning of the file (before the # BEGIN WordPress block) to set up the redirect:


RewriteEngine on
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [L,R=301]


Where yourdomain.com is your actual domain name. As above, use https:// in the target if the site is served over HTTPS.

Tuesday, January 30, 2018

Avoiding the Not Secure Warning in Chrome

Chrome is tightening two things:

1. Websites with Symantec-issued TLS certificates older than June 1, 2016 are distrusted from Chrome 66 onward (the release after version 65), so those certificates must be replaced.
2. Chrome marks HTTP pages containing password or credit card input fields as Not Secure in the URL bar.

To avoid this, serve the site over HTTPS (install a TLS certificate), at least on every page that contains password or credit card fields; in practice the whole site should be on HTTPS.


For testing:
  1. Install Chrome Canary: https://www.google.com/chrome/browser/canary.html
  2. To make Chrome show the warning as it appeared from January 2017, open chrome://flags/#mark-non-secure-as, set the Mark non-secure origins as non-secure option to Display a verbose state when password or credit card fields are detected on an HTTP page, then relaunch the browser.
Reference: https://developers.google.com/web/updates/2016/10/avoid-not-secure-warn

Tuesday, January 23, 2018

Wordpress - Set the maximum upload size limit for non-administrators.

/**
 * Set the upload size limit for non-administrators.
 *
 * @param int $size Upload size limit (in bytes).
 * @return int Filtered size limit.
 */
function filter_site_upload_size_limit( $size ) {
    // Set the upload size limit to 2 MB for users lacking the 'manage_options' capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        // 2 MB.
        $size = 2 * 1024 * 1024;
    }
    return $size;
}
// Priority 2 runs this filter early; filters with a higher priority number run later and can still adjust the value.
add_filter( 'upload_size_limit', 'filter_site_upload_size_limit', 2 );

Friday, January 19, 2018

WordPress - Briefly unavailable for scheduled maintenance. Check back in a minute.

Briefly unavailable for scheduled maintenance. Check back in a minute.

How to fix it.

When an update starts, WordPress creates a .maintenance file in the root directory of the installation. Normally the update script completes and WordPress removes the .maintenance file itself. If the update is interrupted, the file is left behind and the message does not go away.
The answer? Delete it manually.
Here are the steps:
  • Log into your web server via FTP or your web host's control panel.
  • Locate the root of your WordPress install (this is where you'll find the wp-content, wp-admin, and wp-includes folders).
  • Look for a file called .maintenance (it is a hidden dotfile; enable showing hidden files in your FTP client if you do not see it).
  • Delete it.

Saturday, January 13, 2018

Wordpress - The requested URL /page/ was not found on this server.

How to fix the "The requested URL was not found on this server" error for a pretty-permalink URL such as /hello/name/?

This error means the rewrite rules are not routing the request to WordPress: it is a .htaccess problem. Make sure mod_rewrite is enabled and that the directory allows .htaccess overrides (AllowOverride), then update the .htaccess file with the standard WordPress block:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

For more information, please visit the WordPress Codex: https://codex.wordpress.org/htaccess