Alexander’s Blog

Microsoft Office SharePoint Server (MOSS) 2007 has a feature called ViewFormPagesLockdown, or some people simply refer to it as the SharePoint lockdown feature. Fortunately, the feature also works with SharePoint Server 2010.

The lockdown feature is useful if you have a site collection that is configured for Anonymous access on a Publishing site and you want to lock it down so Anonymous users don’t have access to the Forms page (e.g. http://ServerName/Pages/Forms/AllItems.aspx). You might also be able to take advantage of this feature in another way. For example, if you ever run into an issue on a Publishing Portal configured for Anonymous access where users are unable to post comments (which are stored in a List) on a blog site then the lockdown feature can be disabled, which will result in allowing Anonymous users to post comments. Normally, people won’t have problem posting comments on a blog site unless it is a Publishing site, in which case they will get a prompt to enter user credentials. In such a scenario you can disable the lockdown feature.

NOTE: By default, all publishing sites have the ViewFormPagesLockdown feature enabled.

You can either use stsadm.exe or PowerShell to enable this feature. I prefer to use PowerShell. If you want more detailed information on how to use stsadm.exe, Microsoft’s Tyler Butler has documented it here for MOSS 2007.

With PowerShell, you can easily enable to disable this feature. Here are the instructions.

1. If you are unsure whether the lockdown is enabled, use the following PowerShell command to find out the answer.
   get-spfeature -site SiteCollectionURL
   e.g. get-spfeature -site http://www.winnetusergroup.com

   

2. Look at all the features listed and see if ViewFormPagesLockdown is enabled. If you see it listed then it is enabled, otherwise ViewFormPagesLockdown is disabled.
3. The lockdown feature can be enabled or disabled. To enable it first run the following command.
   $lockdown = get-spfeature viewformpageslockdown
4. Now execute the following command to enable it.
   enable-spfeature $lockdown -url SiteCollectionURL
   e.g. enable-spfeature $lockdown -url http://www.winnetusergroup.com

   
   
   NOTE: To disable the lockdown feature replace the word enable with disable. For example:
   disable-spfeature $lockdown -url SiteCollectionURL

5. At this point you can verify that the feature is enabled by running the following command. Look for the ViewFormPagesLockdown entry in the list. If it exists, the lockdown feature is enabled.

   
   
   

6. According to Microsoft, if Anonymous Access is configured for the site then you need to first disable it and then re-enable it. To enable/disable Anonymous Access in SharePoint Server 2010 go to Site Actions, Site Permissions and click Anonymous Access icon on the ribbon.

When working with Microsoft Hyper-V, it is helpful to understand the difference between the Saved State and a Snapshot. Here is a brief explanation of both.

Snapshot

A snapshot can be taken whether the virtual machine (VM) is running or not. It is a point in time of the state of a VM. You can revert back to a previous point in time whenever there is a need. For example, if you plan to install a service pack, you can take a snapshot before you install the service pack and if things go wrong, you can revert to the point in time before you installed the service pack. It is similar to the System Restore concept in Microsoft operating systems. A snapshot consists of three components:

1. A single xml file for the VM configuration. This includes all the settings that you configured for the VM, such as memory, number of processors, description of the VM, etc.
2. A memory save state file.
3. A difference disk, which is a file that ends with the extension .avhd. There will be a separate .avhd file for each snapshot.

Saved State

A Saved state is a point in time of a running VM, however, unlike a Snapshot, a Saved state can only take place on a VM that is running. Also, a Saved state can be restored only once (as long as you have not applied a Snapshot since the system state was saved). This is different than Snapshot because a Snapshot can be restored multiple times. In fact, you can go back and forth between different Snapshots to the exact point in time when the Snapshots were taken.

Taking a Snapshot

To take a Snapshot, simply right-click a VM in the Hyper-V console and select Snapshot. The VM may be running or shutdown. You may also delete a Snapshot, whether the VM is running or not.

Saving the State

To save the system state, right-click the VM while it is running and select Save. Your VM will appear to be shutdown. To resume, you simply right-click the Saved VM and select Start.

As great as Snapshots are, keep in mind that according to Microsoft if you have more than three Snapshots for a VM, you may experience performance degradation. However, the degradation will depend on the amount of RAM and processors that are available and how you have configured the system resources.

A lot of my students ask me if they can get a copy of the Hyper-V virtual image that they use in class to do labs. The answer to that question is no. Microsoft does not allow training centers to distribute those images because of licensing requirements. However, Microsoft was kind enough to allow people to download a free 180-day evaluation version of Windows Server 2008 R2 Enterprise as well as Windows Server 2008 Server Core edition.

The evaluation period is 180-days (6 months), which is a long time to evaluate and experiment with the product. This is perfect for developers, testers, trainers, and students.

You can download the images here.

Microsoft recently posted this Knowledge Base article 2588513: Vulnerability in SSL/TLS could allow information disclosure. The actual Security Advisory is posted here. According to the advisory:

“Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0 and TLS 1.0, affecting the Windows operating system. This vulnerability affects the protocol itself and is not specific to the Windows operating system. This is an information disclosure vulnerability that allows the decryption of encrypted SSL/TLS traffic. This vulnerability primarily impacts HTTPS traffic, since the browser is the primary attack vector, and all web traffic served via HTTPS or mixed content HTTP/HTTPS is affected. We are not aware of a way to exploit this vulnerability in other protocols or components and we are not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.”

There are at least two mitigating factors:

1. The attack must make several hundred HTTPS requests before the attack could be successful.
2. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Workaround

Microsoft offers the following workaround. In Windows 7, disable the TLS 1.0 protocol and enable TLS 1.1 and TLS 1.2 because they are not affected. Unfortunately, in Windows XP the Internet Explorer doesn’t offer TLS 1.1, or TLS 1.2.

NOTE: Neither Mozilla Firefox nor Chrome supports TLS 1.1 and TLS 1.2. Therefore, your best bet is to use Internet Explorer 9 on Windows 7 or Opera 10, which also supports TLS 1.2.

In Internet Explorer 9, go to Tools, Internet options, and on the Advanced tab clear the TLS 1.0 check box and select the TLS 1.1 and TLS 1.2 check boxes. Your screen should look something like this.

Does Fix It Really Fixes Things?

If you use the Fix it solution in the KB article that automatically creates a restore point and then supposedly fixes the problem, you will notice that it DOES NOT clear the TLS 1.0 box. I am not sure why when the entire hoopla has to do with TLS 1.0 and SSL 3.0 in the first place. All it does is enable TLS 1.1. Perhaps enabling TLS 1.1 takes precedence and therefore TLS 1.0 is not used but I don’t feel comfortable using any scripts or wizards created by a vendor because there is no way for me to know exactly what the wizard does behind the scenes. Besides, I have been burned in the past by one of Microsoft’s wizard that installs a security template so I am pretty hesitant when it comes to wizards. I’d much rather make the change manually so I can reverse the process manually if necessary.

One challenge that you might have to face is whether the Web sites you visit support TLS 1.1 and later or not. Until there is a solution (remember this is only a workaround) I would rather implement the workaround just to be on the safe side and take my chances with Web sites not supporting the newer version of TLS.

As a best practice, always sign out of the Web site and then close your browser to ensure that your SSL/TLS session is properly terminated.

Today a friend of mine called me and said that all of a sudden all his text messages have disappeared on his HTC EVO 4G. I did a little research on this issue and discovered that it appears to be a bug in the Android operating system (OS), rather than HTC EVO 4G because there are thousands of people reporting this error with different phones running Android OS (HTC EVO, Incredible, Droid, etc.).

Because Google, the maker of Android, does not have a fix for this bug at this time, even though they have known about this bug for a long time, all you can do at this time to prevent from potential disaster is backup your text messages if they are important to you. Resetting, rebooting, and other similar solutions don’t seem to help. The tech support for cell phone providers don’t know what to do so they may just tell you to reset your phone. It’s like you complaining that you accidentally deleted a file and would like to recover it and the tech support telling you why don’t you format your hard drive. Hello? that will wipe out all your data and everything on your computer. All kidding aside, I do sympathize with the tech support because they are not responsible for fixing bugs in Google’s operating systems. They only hope that you won’t lose your text messages again in future after the reset but unfortunately people still have the same problem after resetting their phones.

According to my research, Google is aware of this issue since December 26, 2009 and has listed this bug as a high priority (no kidding). The case number is 5569: http://code.google.com/p/android/issues/detail?id=5669. As of today (October 1, 2011) Google does not have a fix for this bug in almost two years. If you have an Android phone and have not run into this issue, you are lucky like me (I have an HTC EVO 4G). If you have lost your text messages there is not really much you can do. If you haven’t, here’s my recommendation on what to do.

Download the FREE SMS Backup+ app from the Android Market which will allow you to backup all your text messages and your call logs. Although there are lots of other similar apps, I like this particular app. It connects you to your Gmail account and backs up all your text messages in a Gmail Label called SMS (you can choose a different label if you want). Obviously, you can print, forward, or do whatever you want once they are in Gmail. If you use Microsoft Outlook, you can add your Gmail account as a POP3 or IMAP account in Outlook and receive all your text messages from SMS Backup+ in your Outlook Inbox. If you want to automatically move them to a different folder, just set up an Outlook rule. Here are a couple of screenshots from the Android Market Web site.

You can configure SMS Backup+ to automatically back up your messages at a regular interval using the Auto Backup feature. At this time the apps let you  backup both SMS and MMS messages, however, you can only restore SMS messages. Another nice feature is that you can also backup your Contacts to Gmail, if you want, otherwise just backup text messages. I think this app is way better than relying on your cell phone provider (Sprint, Verizon, etc.) to restore your messages or contacts.

If you are not worried about getting your text messages disappearing then you may not be interested in this post. However, be aware that one issue reported on HTC Forums is that if you send a message and notice that suddenly all your text messages have disappeared, all the people who received your message may also have their messages completely disappear. It’s like your messages committing a team suicide of sorts. This behavior makes you wonder if it is related to some kind of virus. At this point we don’t know for sure. Talking about antivirus, you might want to install an antivirus app on your smartphone, if you haven’t already. For example, you can download and install the free AVG antivirus app from the Market.

When you backup the messages and contacts for the first time you will connect to your Gmail account and will be asked to allow SMS Backup+ access to your Google account. According to the developer, the app will not have access to your password or other personal information. Depending on the number of text messages and contacts it can take hours so it might not be a bad idea to first delete any unwanted text messages and contacts and then start the back.