The Centauri Files

Adventures in System Administration

Author: centauricw Page 1 of 2

SQL Server – Secure By Default

By

On October 10, 2025

In Microsoft SQL Server

Enhancements to SQL Server Network Connection Security Through Breaking Changes

With the introduction of SQL Server 2022, Microsoft began a new initiative known as secure by default. This initiative is in response to vulnerabilities in the Tabular Data Stream (TDS) protocol – the protocol used for data communication between a client and SQL Server – discovered by Summit Security Group which allowed a man-in-the-middle attack. As more SQL Server workloads are moved to public clouds like Azure, connections over the Internet will be become more common. Microsoft has therefore taken steps to secure the network connection between the client and SQL Server

Changes to implement secure by default revolve around encryption. Use of encryption for the connection has long been optional and the default was not to use encryption. Secure by default now requires client drivers to use encryption unless explicitly disabled, and this is a breaking change that can cause connections using default settings to fail. It’s not the use of encryption itself that is the problem. Rather it’s because the certificate used by SQL Server to encrypt the connection is validated to ensure it’s a trusted certificate. A trusted certificate is one that is issued by a trusted certificate authority. When SQL Server uses a self-signed certificate – which, by definition, is not a trusted certificate – the validation fails and the connection is not allowed.

Read More

Listing and Moving Active Directory FSMO Roles

By

On January 3, 2025

In Active Directory, PowerShell, Windows

FSMO is an Active Directory term that stands for Flexible Single Master Operation. Although Active Directory uses a multi-master enabled database, which provides the flexibility of allowing changes to occur on any domain controller, certain operation requires a single-master model where only one domain controller is allowed to process updates to prevent conflicting updates.

Read More

Domain Administrator Cannot Open Ethernet Adapter Settings

By

On November 22, 2024

In Windows

Creating a new Active Directory forest and domain on Windows Server 2019 recently, I found the domain administrator could not open Network Connections. This happened when right-clicking on the Network icon on the Task Bar to open Network & Internet Settings, selecting Ethernet, and clicking on “Change adapter options”.

This only occurs when trying to open Network Connections through Windows Settings. There are no problems opening Network Connections through Control Panel or directly by running ncpa.cpl. And it only affects the domain administrator. Other users do not experience this problem. But the domain administrator has this problem on any computer in the domain.

Read More

MariaDB root Authentication

By

On October 19, 2024

In MySQL/MariaDB

MariaDB 10.4 implemented a lot of changes to how security is done. Much of this is invisible to most users with the exception of root. The root user is now able to use socket authentication through the unix_socket plugin. It means that if you are logged in to a Linux system as root, you can log on to the MariaDB server without using a password. Note in the example below, the -p option (for “password”) is not used yet the log on is successful.

[root@linuxputer ~]# mysql -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 408
Server version: 10.11.9-MariaDB-log MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

And it’s not just that you don’t need to enter a password. Even if a password is provided, it is completely ignored. In this example, a password – which is invalid – is provided, yet the log on is successful.

Read More

Windows Server 2022 SMTP Relay List Bug

By

On October 19, 2024

In IIS (Internet Information Services), Windows

It appears a bug was added the IIS SMTP Server in Windows Server 2022. After installing the SMTP Server feature, you are not able to open the properties window in Internet Information Services (IIS) 6.0 Manager with MMC (Microsoft Management Console) displaying an error.

This is because the setting for RelayIpList in MetaBase.xml is incorrect . Since the SMTP Server hasn’t been significantly changed since Windows Server 2003 – it runs in IIS 6.0 Compatibility Mode after all – how this bug got introduced is a mystery. And Microsoft has taken no steps to fix it. Fortunately, this problem is easily corrected.

Read More

DCOM Permission Errors

By

On October 18, 2024

In PowerShell, Windows

I occasionally encounter errors when trying to install a software package on Windows with the less than helpful message that the Windows Installer Service could not be accessed.

A typical search will return lots of results about reinstalling the MSI Installer service, changing registry entries, and otherwise tinkering with low-level Windows components, but the problem is actually much simpler. The user trying to run the MSI Installer has been denied rights to run it.

The MSI Installer – the Windows Installer service – is a COM (Component Object Model) component. Windows uses a large number of COM comments for the operating system. Like files, users are granted permissions to access and run COM comments. This normally is not an issue. At least it wasn’t until Windows 10/Windows Server 2016. But a bug appears to have crept into Windows that will randomly revoke a user’s permission to run one or more COM objects, the MSI Installer being one of them. Antivirus programs seems to aggravate this, but I’ve encountered the problem on systems with only Windows (or Microsoft) Defender Antivirus.

Read More

Large Send Offload and Network Performance

By

On October 5, 2024

In Linux, Networking, Windows

An issue that I’ve encountered fairly often are complaints of slow network performance, especially when transferring large files. Although there are many issues that can affect network throughput, the most common issue is related to Large Send Offload.

Large Send Offload (also known as Large Segmentation Offload, and LSO for short) is a feature that allows the operating system TCP\IP network stack to build a large TCP message of up to 64KB in length before sending to the Ethernet adapter. Then the hardware on the Ethernet adapter — what I’ll call the LSO engine — segments it into smaller data packets (known as “frames” in Ethernet terminology) that can be sent over the wire. This is up to 1500 bytes for standard Ethernet frames and up to 9000 bytes for jumbo Ethernet frames. (The actual sizes are bit larger to accommodate the overhead – header and frame check sequence – in the packet). This is designed to free up the CPU on the server from having to handle segmenting large TCP messages into smaller packets required by the frame size. Sounds like a good deal. What could possibly go wrong?

Read More

Windows Server 2012 Update Failure – 0x80072EFE

By

On October 1, 2024

In Windows

I recently built a Windows Server 2012 virtual machine to do some compatibility testing for a PowerShell script I was working on. I wanted PowerShell 3.0 to be the minimum version required for the script so it could be used with older versions of Windows. Since PowerShell is included as an operating system component, I needed an older version of Windows to use PowerShell 3.0.  Windows Server 2012 fit the bill.

After getting Windows Server 2012 installed, trying to check for updates returned error 0x80072EFE. Microsoft had updated distribution of updates, and the Windows Update Client installed with Windows Server 2012 is out of date. You must download and install the KB2937636 update. After a reboot, the Windows Update Client will install an additional update and then it will be able to search for and install updates.

Read More

Loading SQL Server PowerShell Module: SqlServer or SQLPS

By

On September 3, 2024

In Microsoft SQL Server, PowerShell

I recently created a PowerShell script to restore SQL Server databases. A customer migration required that I restore 2800 plus databases. As the data directory was in a different location on the new server, this meant using the MOVE clause in the RESTORE DATABASE command to place the data files in the correct directory. This was far too many databases to do this manually. But using PowerShell also meant using a SQL Server module.

Two modules are available for SQL Server: SQLPS and SqlServer. SQLPS is the original module. Although no longer updated, it is still included with SQL Server which Microsoft says is for backwards compatibility. It is also the module that SQL Server Agent automatically loads when a job type (or subsystem) is PowerShell. SqlServer is the new and supported module and is installed from the PowerShell gallery. This is the module Microsoft recommends you use for all new development.

Read More

IIS SMTP Server SmtpOutboundCommandSupportOptions Bug

By

On June 22, 2024

In Windows

It’s not uncommon for Windows web servers to use the IIS SMTP Server as a mail relay. It’s a smart host in that it can do the MX record lookups to find the mail server handling the recipients’ mailboxes. But there is a problem. The big mail services such as Google and Microsoft are very picky about which mail servers they will communicate with as they try to mitigate the never-ending stream of spam. To this end, they will generally only accept mail from servers that speak ESMTP (Extended Simple Mail Transport Protocol) as currently defined in RFC 5321. Use of ESMTP is considered optional, with a fallback to the older SMTP commands if one mail server doesn’t support ESMTP. But because spammers are now the primary users of older SMTP, the big mail services simply drop the connection if the sending mail server doesn’t use ESMTP.

Read More

Page 1 of 2

Next

Copyright © 2025 Charles Rutledge

Powered by WordPress & Theme by Anders Norén