IIS 5.0 and Revoked Certificates; NT 4.0 Boot Switches

Here’s a useful how-to that will help you keep your Web sites and Web pages secure. If you have built or are planning to build a Microsoft IIS 5.0 Web site that authenticates users with a certificate from Microsoft Certificate Services, you need to understand how each product manages revoked certificates. To ensure that a user has a valid certificate, you can instruct IIS to perform a real-time check for revoked certificates before IIS authenticates a user. Once you've done so, you would expect IIS to deny access to any user whose client certificate you've revoked in the Certificate Authority (CA), beginning the next time that user attempts to log on.

However, Microsoft Certificate Services publishes the certificate revocation list (CRL) just once a week by default, and IIS compares client certificates to the current published CRL. Meanwhile, the new but unpublished CRL might contain additional revoked certificates. Thus, a user might be able to log on successfully with an invalid certificate for up to 7 days after you place his or her certificate on the CRL. To eliminate this vulnerability, you must shorten the CA publication interval for the CRL. To do so, start the Microsoft Management Console (MMC) CA snap-in, open the Revoked Certificates folder's properties, and change the publication interval to 24 hours or less, depending upon your security requirements. Microsoft Support Online article Q258727 documents this CRL behavior.
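A quick way to audit the exposure the article describes is to read the validity window from the CRL the CA actually publishes and compare it against your policy. The following script is an added example, not code from the article or from Microsoft; it parses the text that `openssl crl -noout -lastupdate -nextupdate -in <crl-file>` prints (the sample output below is constructed) and reports how long a newly revoked certificate would still be accepted by a server that trusts the current CRL until its nextUpdate.

```python
"""Audit a CA's CRL publication interval and the resulting revocation lag.

Added example (not from the original article). Feed it the output of
`openssl crl -noout -lastupdate -nextupdate -in <crl-file>`; the sample
below is constructed to mirror the 7-day default the article describes.
"""
from datetime import datetime, timezone

# Constructed sample of openssl output for a CA left at the 7-day default.
WEEKLY_CRL_OUTPUT = """\
lastUpdate=Jan  1 00:00:00 2024 GMT
nextUpdate=Jan  8 00:00:00 2024 GMT
"""

# Constructed sample for a CA republishing every 24 hours, as the article advises.
DAILY_CRL_OUTPUT = """\
lastUpdate=Jan  1 00:00:00 2024 GMT
nextUpdate=Jan  2 00:00:00 2024 GMT
"""

_OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_crl_validity(text):
    """Return (thisUpdate, nextUpdate) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            # openssl pads single-digit days with two spaces; collapse them.
            stamp = " ".join(value.split())
            fields[key] = datetime.strptime(stamp, _OPENSSL_TIME_FMT).replace(
                tzinfo=timezone.utc)
    return fields["lastUpdate"], fields["nextUpdate"]


def publication_interval_hours(crl_text):
    """Hours between thisUpdate and nextUpdate, i.e. the CA's publication period."""
    this_update, next_update = parse_crl_validity(crl_text)
    return (next_update - this_update).total_seconds() / 3600


def crl_interval_ok(crl_text, max_hours=24):
    """True when the CA republishes at least as often as policy demands."""
    return publication_interval_hours(crl_text) <= max_hours


def revocation_lag_hours(revoked_at_iso, crl_text):
    """Hours a certificate revoked at `revoked_at_iso` (ISO 8601, with offset)
    stays accepted: the relying party honours the current CRL until nextUpdate."""
    revoked_at = datetime.fromisoformat(revoked_at_iso)
    this_update, next_update = parse_crl_validity(crl_text)
    if revoked_at < this_update:
        return 0.0  # already listed on the CRL in circulation
    return max((next_update - revoked_at).total_seconds() / 3600, 0.0)
```

Run the same functions against the CRL your CA publishes after shortening the interval to confirm the change took effect.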

Windows 2000 Upgrade Fails to Convert System Drive to NTFS
Are you upgrading Windows NT 4.0 systems to Windows 2000 and attempting to convert the system drive from FAT to NTFS in the process? If you created an NT 4.0 system with the system preparation tool Sysprep, a bug in the Sysprep installation prevents the Win2K upgrade from converting the system drive to NTFS. Microsoft Support Online article Q256917 presents steps for reproducing this problem and indicates that the only workaround is to manually convert the drive with the Convert command (i.e., Convert c: /fs:ntfs) after you complete the Win2K installation.

Programs with Long Names Do Not Appear in the Installed List
Here’s the scenario: You install new software and decide to remove it a couple of days later. You start the Control Panel’s Add/Remove Programs applet, and the program you want to remove doesn't appear in the installed applications list. Worse yet, programs you installed weeks ago are also missing from the list. If you encounter this situation, you’re likely the victim of an Add/Remove Programs bug.

When Add/Remove Programs encounters an installed application with a Registry entry longer than 60 characters, it returns without examining the rest of the installed applications, even though more appear in the Registry. Because Add/Remove Programs enumerates only the names of applications it locates before it encounters a long Registry entry, it might omit many installed applications from the list.

As a workaround, try to uninstall the application using its own uninstall utility. If the uninstall succeeds, it will remove that application's long Registry entry, and Add/Remove Programs will then properly enumerate all other installed applications. If the application-based uninstall procedure doesn’t work, you can start the uninstall manually from the command line (see Microsoft Support Online article Q247515 for the proper command). If the manual uninstall doesn’t work, you can edit the Registry to shorten the name of the offending entry. Installed programs appear in the Registry path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. The Microsoft Support Online article provides several suggestions for removing the problem application and tips about editing the Registry entry.

NT 4.0 Boot Switches
If you have edited your Boot.ini file, you have probably seen the command-line switch /basevideo, which starts the OS in default VGA mode. If you have installed an American Power Corporation UPS on a serial port, you might have added the switch /noserialmice to the Boot.ini startup command to ensure that the UPS functions properly. As it turns out, while NT 4.0 pauses to type a series of periods across the screen during startup, the OS loads every component required to get the system up and running. If you’re really a geek, you can start NT with the /sos boot switch, which instructs the OS to echo one line for every component it loads during startup, including every driver it needs for proper system operation. Here are all the boot switches you can play with to start NT 4.0 in a variety of modes (Microsoft documents them in Microsoft Support Online article Q170756):

  • /basevideo forces the system into standard 640 x 480 16-color VGA mode, a failsafe mechanism that helps you start the system after you accidentally select an incompatible resolution or refresh rate for the installed video board.
  • /baudrate=nnnn sets the baud rate of the debug port, which defaults to 19,200Kbps. The typical rate for remote debugging over a modem is 9600Kbps. This switch also enables the /debug switch.
  • /crashdebug enables the COM port for debugging if NT crashes.
  • /debug enables the kernel debugger so that you can perform remote debugging through a COM port. Unlike /crashdebug, /debug uses the COM port whether or not you are debugging.
  • /debugport=comx selects a specific COM port for the debug port; the default port is COM2. This switch also enables the /debug switch.
  • /maxmem=nn selects the amount of memory NT uses at startup, which is helpful when you're checking for bad memory chips.
  • /nodebug disables the kernel debugger and can cause a system crash if the system runs any code that contains a hard-coded debug breakpoint.
  • /noserialmice:comx disables the mouse port check for a COM port. You can specify multiple ports separated with commas. If you don't include a specific serial port, the switch disables all ports for mouse devices. You use this switch primarily with a UPS that connects to a serial port. If this option isn't available when NT starts and the OS tries to detect a mouse on the COM port where a UPS is connected, the UPS accidentally initiates its shutdown mode.
  • /sos causes the loader to print the names of loaded modules. When NT comes up, it shows the names of the drivers as they load instead of displaying dots.