CredSSP Encryption Oracle Remediation Error - azure

Hello, we are using an Azure Virtual Machine. Now we cannot remote into the server due to the following error message. I would like to get suggestions on the error since we don't have the support plan and the live agent suggested I ask here.
Thanks all.
Error Message Image

So I resolved the issue temporarily. Follow these steps on your local computer (not on the server).
Note: The below steps are not recommended by Microsoft. So follow these steps just to log in to your machine and do the necessary updates. Once it's done, revert the configuration changes.
1. Go to "Administrative Templates" (type/search it directly on Windows). Please see above image.
2. Right click and edit Encryption Oracle Remediation.
3. Make it enabled, and change protection level to "Vulnerable".
4. Click on Apply and close the window.
5. Try to connect to the VM. After establishing a connection, update the VM if there are any pending updates.

For a fast workaround that doesn't involve any server side changes just type the following in a console with administrator privileges
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2
I didn't have permission (human permission) to make any change to the server so this was a perfect solution for me

Easiest solution for me was to download the Remote Desktop app on my phone and connect to the remote server. I installed Windows updates on the remote server and was able to connect again from my PC.

Log in to https://portal.azure.com
Navigate to the Azure Virtual Machine tab and go to the VM that is giving this error
Now under operations, select the Run Command option which will give you the option to run a PowerShell script
In the PowerShell script section, type in the below two lines and click on run
REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord
Now on your own machine (client machine), follow the below steps:
On the client that has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.
If needed, please restart the server, and now when you try to RDP into your Azure VM you will be able to log in and complete the connection. Please note that it is highly recommended to patch your VMs and follow the latest guidelines that are mentioned in the Microsoft Support Article or blog.

This issue can be resolved; just use the command below:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2

I had the same issue. My server didn't have the option.
Encryption Oracle Remediation
But I solved it by unchecking
Allow connections only from computers with network level authentication
under system properties as shown in figure.
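
The registry and Group Policy workarounds in the answers above leave AllowEncryptionOracle at 2 (Vulnerable) on the client until someone reverts it. As an added example (not from any of the answers), the PowerShell below reports the current level and removes the value only when it is 2; the function names are hypothetical, and the level names are those of the Encryption Oracle Remediation policy (0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable).

```powershell
#Requires -RunAsAdministrator
# Added example: audit and undo the CredSSP "Vulnerable" workaround on a client.
$KeyPath   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName = 'AllowEncryptionOracle'
$LevelName = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-EncryptionOracleLevel {
    # Returns the configured DWORD, or $null when the value is absent
    # (policy not configured, so the operating system default applies).
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    [int]$prop.$ValueName
}

function Undo-EncryptionOracleWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $level = Get-EncryptionOracleLevel
    if ($null -eq $level) {
        Write-Output "$ValueName is not set; nothing to revert."
        return
    }
    Write-Output "$ValueName = $level ($($LevelName[$level]))"
    if ($level -ne 2) { return }   # only undo the 'Vulnerable' workaround
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove value')) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName
        Write-Output 'Removed; the operating system default applies again.'
    }
}

# Dry run: shows what would change. Drop -WhatIf to apply.
Undo-EncryptionOracleWorkaround -WhatIf
```

If the level was set through gpedit.msc rather than reg add, set the policy back to Not Configured there as well, because a later policy refresh can write the value back.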

Related

The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests

We have Windows Server 2019 and I am trying to enable IIS feature on it but getting this error 'The WS-Management service cannot process the request. The service is configured to not accept any remote shell requests.'.
I have enabled remote shell access, but I'm still getting the same error.
Any help would be appreciated. Thank you.
This error occurs when AllowRemoteShellAccess is disabled for a group policy. You can try the steps below to solve the issue:
Open Local Group Policy Editor (gpedit.msc).
Open Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell.
Double-click AllowRemoteShellAccess.
Set its value to Enabled.
Click OK.
Open a CMD window.
Run the following command: gpupdate /force

Disable TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5 with web.config?

I recently purchased an SSL certificate for my website. I ran some tests with sslLabs.com and it gave a warning about two ciphers that are enabled: TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5. My website is on a shared server so I am not sure that they can disable these just for my website. I was wondering if there is any way to disable ciphers with the web.config file or a similar file that stores server properties? Thanks in advance! I am on a Windows Server using ColdFusion if that helps.
In my case I disabled the RC4 in the Microsoft Azure Cloud.
Basically I disabled it on my machine (Windows Registry) and then exported that piece to a file.
Then you attach this file to your project and set the "Copy to Output Directory" to "Copy always".
Create a DisableRc4.cmd command file and attach it to the project as well with the copy always.
Add the following code into it:
@echo off
regedit.exe /s DisableRc4Cipher.reg
EXIT /B 0
In the end and in my case, it was just necessary to add it to the ServiceDefinition.csdef
Hope it helps after such a long time.
Last week there was a blog post update which will disable the RC4 cipher by default on cloud services. https://azure.microsoft.com/en-us/blog/azure-services-ssl-tls-cipher-suite-update-and-removal-of-rc4/
This update should be rolling out this month and if the operating system version is configured as automatic it will be automatically installed on the cloud service (see image below).
Next guest OS: WA-GUEST-OS-4.31_201604-01
Release date: May 2 2016
Operation system version configuration
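
The registry-based answer above does not show the contents of its exported .reg file. As an added example (not the answerer's file), the PowerShell below reports and disables RC4 under the standard SCHANNEL Ciphers registry keys; the function names are hypothetical, and it assumes an elevated session on a machine you administer, with a reboot afterwards for SCHANNEL to pick up the change.

```powershell
#Requires -RunAsAdministrator
# Added example: report and disable the RC4 cipher entries used by SCHANNEL.
$CiphersKey = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$Rc4Ciphers = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'

function Get-Rc4CipherState {
    foreach ($cipher in $Rc4Ciphers) {
        # The .NET registry API is used because these key names contain '/',
        # which the PowerShell registry provider treats as a path separator.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CiphersKey\$cipher")
        $enabled = $null
        if ($key) {
            $enabled = $key.GetValue('Enabled')
            $key.Close()
        }
        $state = if ($null -eq $enabled) { 'Not configured (OS default)' }
                 elseif ($enabled -eq 0) { 'Disabled' }
                 else { 'Enabled' }
        [pscustomobject]@{ Cipher = $cipher; State = $state }
    }
}

function Disable-Rc4Cipher {
    foreach ($cipher in $Rc4Ciphers) {
        # CreateSubKey opens the key if it exists and creates it otherwise.
        $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$CiphersKey\$cipher")
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
}

# Report only; call Disable-Rc4Cipher explicitly to change the setting.
Get-Rc4CipherState | Format-Table -AutoSize
```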

Updating aspnet.config on Azure Web Role

I have a SignalR solution that is deployed to an Azure Web Role (cloud service, not Azure Web Site) and in order to ensure we can maximise the number of connections to each instance I need to make some changes to various ASP.NET settings as detailed in this article: http://www.asp.net/signalr/overview/performance/signalr-performance#tuning
The appConcurrentRequestLimit and requestQueueLimit settings were easily changed with a startup task that uses APPCMD to make the relevant changes. However, the maxConcurrentRequestsPerCPU setting resides in the aspnet.config file which cannot be changed via the same mechanism.
I have tried updating that file directly with a startup task (just a basic file replacement for now), however it seems to get replaced by the Azure runtime after the startup tasks have completed and so the change is lost. I can RDP into the machine and make the change manually so I have seen that it works however that is not sustainable for a service that we expect to scale up and down on demand.
Any ideas on how to change this setting in an Azure environment would be appreciated!
I ended up using the following registry based approach which allowed me to change the maxConcurrentRequestsPerCPU setting without using aspnet.config
I added the following usage of the REG command line utility to my existing startup.cmd (already in use for calling APPCMD to change other settings):
REG ADD HKLM\SOFTWARE\Microsoft\ASP.NET\4.0.30319.0 /v MaxConcurrentRequestsPerCPU /t REG_DWORD /d 10000
REG ADD HKLM\SOFTWARE\Wow6432Node\Microsoft\ASP.NET\4.0.30319.0 /v MaxConcurrentRequestsPerCPU /t REG_DWORD /d 10000
This will configure both 32 and 64 bit application pools, although I only needed 64 in this instance.

Group policy in RDP connections

So I've backed myself into a corner - I wanted an application or command to run when a user logged in over RDP to a server. As per a best-practice suggestion on a Microsoft site, I set up this program to run under group policy rules and now I have a dilemma:
I log into my server via RDP, the default program launches and then immediately logs me out without a chance for me to do anything.
How can I get into the box again to change this setting? Server is Windows 2008 r2 with terminal services installed on a remote IP.
Could you just remove\edit the GPO, wait a bit, and then reboot the server? You could still send it the "shutdown /m \\computername". You could also use psexec to remotely run "gpupdate /force" before rebooting.
If you set that up as local group policy, then you can try opening mmc, choosing the Group Policy editor, and pointing it to that machine to edit the policies. In more detail:
Start --> Run --> mmc
File --> Add/Remove Snap-in
Under the Standalone tab, click Add...
Choose Group Policy Object Editor
In the following wizard, click the Browse button
Click the "Computers" tab, select the Another computer radio button, and type the name or Browse to the remote computer
Click OK, then Finish, then Close, and finally OK
Also you could maybe edit/add a logon script that runs "shutdown -a" to abort logoff/shutdowns, but that may not work due to timing.
You didn't mention if this was Domain, or local, but those options should take care of either.

How to view Windows Event Log remotely with limited privileges

To debug some code, I would like to view the Windows event log of a remote machine (target is Windows 2003). With mmc.exe I can add the event log for a remote machine, but only if I have sufficient permissions. For this remote machine, they do not want to give me permissions to log in remotely (or admin privileges for that matter). Is there a specific permission I can be given to view the event log and not much else?
On newer Windows versions (Windows 7, Windows Server 2008...) you can simply add the corresponding account to the built-in group Event Log Readers.
Source: Jane Lewis's Weblog on TechNet, Giving Non Administrators permission to read Event Logs Windows 2003 and Windows 2008
This source also describes an alternative if you need more fine-grained control.
(The OP asked for Windows 2003, where this method doesn't work, but as Windows Server 2003 is no longer supported, people might be interested in this method.)
For the security log, users need the privilege "Manage auditing and security log"
For the system and application logs you should be able to read them as just a guest unless they have set the RestrictGuestAccess value under the following registry keys:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application
One Option is to get a local ID that is on the remote local admin group.
Next, from your system, map to a drive on the remote server using the new remote local ID.
Create a new MMC from the Windows Run start menu - by typing in MMC /a
Add the EventView Snap-in
When it prompts you for local or remote server - put in the Host name of the server that you mapped to.
Tip: Windows uses an established secure connection if it can. Hence the map-a-drive trick works VERY well.
Please Note: I use this trick with WMI queries, hence the query never fails due to a timeout issue.
Joshua Flanagan outlined a process to delegate rights through modifying the security descriptor of the event logs.
Please add the domain user (without admin rights) to the "Event Log Readers" group on the target server. Then, from the source server, you can use the standard user credentials to access and read the event logs on the target.
If you could enable web access to the server then you could use an eventlog viewer page that I published a while ago. This would allow the administrators to run the website with just enough permissions to see the eventlog without granting you an account to login...
