Sunday, July 12, 2015

Setting up SharePoint 2013 on Azure

I had been planning to write about configuring SharePoint on Windows Azure for a long time but could not find the time; I have finally managed to start.
There are at least 4 steps to set it up, and the list grows with the size of the infrastructure you want:

  • Setting up and configuring Network Components
  • Setting up and configuring Domain Controller
  • Setting up and configuring SQL Server
  • Setting up and configuring SharePoint server 2013

Before we start with the above process, let’s look at the architecture of what we plan to build.

At a high level, the architecture above has 1 Virtual Network, 1 Affinity Group, 3 cloud services and 2 VM Machines, each with its corresponding Availability Set.

Setting up and configuring Network Components

Now, starting with the first step of creating and configuring the network components, the things we plan to do here are as follows:

Setting up the Affinity Group

When you use an affinity group, Windows Azure will keep all services that belong to your affinity group running within the same data center as close as possible to each other to reduce latency and increase performance.
How to do this:

  1. Log on to the Management Portal.
  2. In the navigation pane on the left, click Settings, and then click Affinity Groups at the top of the page.
  3. On the Settings/Affinity Groups page, click Add at the bottom of the page. If you are creating the first affinity group for this subscription, you can click Add an Affinity Group.



  4. On the Specify affinity group details page, enter the following information, and then click the check mark.

    • Name: Enter a name for this affinity group.
    • Description: Enter a description for this affinity group
    • Region: Select the region where this affinity group is to be located.


  5. Once created, it will display as shown below on the Settings > Affinity Groups screen.


Setting up Windows Azure Storage Account

Virtual Machines that are provisioned in Windows Azure are stored in the world-wide cloud-based Windows Azure Storage service. In terms of high availability, the Storage service provides built-in storage replication capability. In addition, Windows Azure Storage provides a geo-replication feature for also replicating your VMs to a remote data center region.

Now, how to create a storage account:

  1. Log on to the Management Portal.
  2. Click Create New, click Storage, and then click Quick Create.
  3. In URL give a name in lowercase for the storage account name. I gave storageaccsp2013.
  4. In affinity group select the Affinity group you created earlier.
  5. In Replication, select the desired level of replication for your storage account. The recommended replication option is Geo-Redundant replication, which provides maximum durability for your data.
  6. Click Create Storage Account.

Note: when you create a VM, a storage account gets created automatically, so it is not strictly necessary to create one, but it is good practice to do so.

Register a DNS Server in Windows Azure

You may need to allow VMs and role instances you create to communicate with other VMs and role instances. Although this communication can be done by using IP addresses, it is much simpler to use hostnames that can be easily remembered. However, these hostnames must be resolved to IP addresses in some way to establish communication.

Now, how to create a DNS Server:

  1. Log on to the Management Portal.
  2. Click Create New, click Network Services, and then click Virtual Network and then Register DNS Server.
  3. Complete the DNS Server fields as follows:
    • NAME: DNSSP2013
    • DNS Server IP Address: 10.0.0.4

Setting up the VPN Network

A virtual network is a network overlay that you can configure in Azure. VMs and services that are part of the same virtual network can access each other. However, services outside the virtual network have no way to identify or connect to services hosted within virtual networks unless you decide to configure that specific type of connection, as in the case of VNet to VNet configurations. This provides an added layer of isolation to your services. Azure Virtual Network also lets you extend your network into Azure and treat deployments as a natural extension to your on-premises network.

Just like a real network, the virtual network needs a range of IP addresses (known as an address space) to assign to virtual machines that you place within it. The virtual network also supports subnets, which need their own address spaces, derived from the virtual network address space.
Extract from: https://msdn.microsoft.com/en-us/library/azure/jj156007.aspx

  1. Log on to the Management Portal.
  2. Click Networks and then click “Create a Virtual Network”
  3. In Virtual Network Page 1, provide the Name and Region of the VPN. I provided:
    • Name: VNSP2013
    • Location: Southeast Asia



  4. In Page 3 of the Virtual Network wizard, select the DNS Servers and VPN Connectivity. We already created the DNS Server earlier, so choose that one.


  5. Lastly, in Page 3 of the Virtual Network wizard, select the Virtual Network Address Space and create subnets for the farm.
    First, why subnets: subnets are a way to partition networks into logical segments for greater ease of administration. When subnets are properly implemented, both the performance and security of networks can be improved.
    As per our architecture we will be creating three subnets:
    • First for DC/AD VM (DCSubnetSP2013)
    • Second for SharePoint Web Server VM (WebSubnetSP201)
    • Third for Database Server VM (DataSubnetSP201)



  6. After completing these details, click the OK arrow; after some time the VPN will be provisioned.

Planning the Cloud Service

A cloud service in Azure is a logical container within a virtual network for hosting virtual machines. Cloud services are typically used to group virtual machines by role, based on functionality that occurs at the cloud service level.

Some important points about cloud services:

  • Cloud services and the virtual machines within them can be started and stopped separately.
  • Cloud services can load balance endpoints. For example, a cloud service can load balance requests to two or more SharePoint web servers contained in it.
  • You can export and import a cloud-service configuration. The configuration controls monitoring, remote access, and other settings for the virtual machines contained in the cloud service.
  • You can use a cloud service to auto-scale roles (grow computing resources dynamically), but this is not supported by SharePoint. Do not create additional cloud services for this purpose.
Extract from: https://msdn.microsoft.com/en-us/library/azure/jj156007.aspx

As we are planning three virtual machines, each serving a different function, it is advisable to have 3 cloud services:
  • AD/DNS
  • APP/Web Server
  • Database Server
Now to configure the Cloud Service:

  1. Log on to the Management Portal.
  2. Click Create New, click Compute, and then click Cloud Service and then Quick Create.
  3. Provide the URL and Affinity Group of the Cloud Service:
    • URL: CSADDNSSP2013
    • Region/Affinity Group: AGSP2013 (we created this earlier)

  4. Similarly, create a Cloud Service for the other items. After creation you will have 3 cloud services.

  5. This completes the first part: setting up the network infrastructure for the VMs.
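The same network layout, scripted instead of clicked, as an added example that is not part of the original post. It assumes the classic Azure Service Management PowerShell module that the 2015 Management Portal sat on top of (Add-AzureAccount, New-AzureAffinityGroup, New-AzureStorageAccount, Set-AzureVNetConfig, New-AzureService). The affinity group, storage account, DNS server, virtual network and subnet names are the ones from the post; the address space, the subnet prefixes and the two extra cloud service names are assumptions, chosen so that the DNS server address 10.0.0.4 lands inside the DC subnet.

```powershell
# Added example (not from the original post). Builds the post's network components with the
# classic Azure Service Management cmdlets. Names marked "from the post" come from the article;
# everything marked "assumed" is a placeholder you should adapt.

$affinityGroup = "AGSP2013"          # from the post
$location      = "Southeast Asia"    # from the post
$storageName   = "storageaccsp2013"  # from the post (must be lowercase)
$vnetName      = "VNSP2013"          # from the post
$dnsName       = "DNSSP2013"         # from the post
$dnsIp         = "10.0.0.4"          # from the post

Add-AzureAccount
# Select-AzureSubscription -SubscriptionName "<your subscription>"   # only if you have several

# 1. Affinity group: keeps every service created in it in the same data center, close together.
New-AzureAffinityGroup -Name $affinityGroup -Location $location -Label "SharePoint 2013 farm"

# 2. Storage account inside the affinity group, geo-redundant as the post recommends.
New-AzureStorageAccount -StorageAccountName $storageName -AffinityGroup $affinityGroup -Type "Standard_GRS"

# 3. DNS server + virtual network + one subnet per role, as the classic network configuration XML.
#    10.0.0.0/16 and the three /24 prefixes are assumed; 10.0.0.4 must fall in the DC subnet.
$netcfg = @"
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="$dnsName" IPAddress="$dnsIp" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="$vnetName" Location="$location">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="DCSubnetSP2013"><AddressPrefix>10.0.0.0/24</AddressPrefix></Subnet>
          <Subnet name="WebSubnetSP201"><AddressPrefix>10.0.1.0/24</AddressPrefix></Subnet>
          <Subnet name="DataSubnetSP201"><AddressPrefix>10.0.2.0/24</AddressPrefix></Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="$dnsName" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@
$cfgPath = Join-Path $env:TEMP "sp2013-netcfg.xml"
$netcfg | Set-Content -Path $cfgPath -Encoding UTF8
Set-AzureVNetConfig -ConfigurationPath $cfgPath

# 4. One cloud service per role (AD/DNS, App/Web, Database), all in the affinity group.
#    The first name is from the post; the other two are assumed.
foreach ($svc in "CSADDNSSP2013", "CSWEBSP2013", "CSDBSP2013") {
    New-AzureService -ServiceName $svc -AffinityGroup $affinityGroup -Label $svc
}
```

One caveat worth knowing before running step 3: Set-AzureVNetConfig replaces the whole network configuration of the subscription, not just one virtual network. If the subscription already has virtual networks, export the current configuration first (Get-AzureVNetConfig -ExportToFile), add the new site to that file and push the merged file, otherwise the existing networks are removed.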

Saturday, June 6, 2015

Windows Server Machine: How to disable SSL v3 Protocol



In the last article, “Are you POODLE secure? Does your server still Supports SSL version 3”, we discussed the POODLE attack and learned that the best prevention is to disable the SSL v3 and SSL v2 protocols if they are still enabled. (Note: unless your site must work on IE 6 or older browsers, which I don’t think will be the case for most sites.)

Now, how to disable SSL v3 and SSL v2. (Please note that we are going to make changes to the registry, so it is always advisable to back up your registry before making any changes.)

Also, the steps discussed here were tested on Windows Server 2008 R2 and should also work for Windows Server 2012.

  1. Open the Registry Editor and run it as administrator.
  2. For example, in Windows 2008:
    1. On the Start screen type regedit.exe.
    2. Right-click on regedit.exe and click Run as administrator.

  3. Once the Registry Editor window is open, go to the path below
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
Disabling SSL 2.0
  1. When you open the SSL 2.0 folder you will see just one subfolder, called Client; we need to add a new one called Server. In the tree structure: 1) right-click the SSL 2.0 folder and, in the pop-up menu, click New > Key; 2) name the new key Server.
  2. Now under SSL 2.0: 1) right-click Server and, in the pop-up menu, click New > DWORD (32-bit) Value; 2) name the value Enabled.
  3. This disables SSL 2.0 on the server side (a newly created DWORD has value data 0, which Schannel reads as disabled).
Disabling SSL 3.0
  1. In the navigation tree, right-click Protocols and, in the pop-up menu, click New > Key. Name the key SSL 3.0.
  2. In the navigation tree (left side; red highlighted in the pic below):
    1. Right-click the new SSL 3.0 key that you just created and, in the pop-up menu, click New > Key.
    2. Name the key Client.
    Repeat the same process in the navigation tree (left side; green highlighted in the pic below):
    1. Right-click the new SSL 3.0 key and, in the pop-up menu, click New > Key.
    2. Name the key Server.
  3. Now under SSL 3.0: 1) right-click Client and, in the pop-up menu, click New > DWORD (32-bit) Value; 2) name the value DisabledByDefault.
  4. In the navigation tree, under SSL 3.0, select Client; then, in the right pane, double-click the DisabledByDefault DWORD value and, in the Edit DWORD (32-bit) Value window, change the Value data to 1 and click OK.
  5. In the navigation tree, under SSL 3.0: 1) right-click Server and, in the pop-up menu, click New > DWORD (32-bit) Value; 2) name the value Enabled (leave its value data at 0).

Now just restart your Windows server.

You have successfully disabled the SSL 2.0 and SSL 3.0 protocols.
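The same registry edits done from an elevated PowerShell prompt, with a read-back so you can confirm the values before rebooting. This is an added example, not part of the original post; it uses the key path the article gives and sets exactly the three values the steps above create. The helper function names are my own.

```powershell
# Added example (not from the original post). Same key path and values as the manual steps:
#   SSL 2.0\Server  Enabled = 0
#   SSL 3.0\Client  DisabledByDefault = 1
#   SSL 3.0\Server  Enabled = 0
# Run as administrator; the change takes effect after a reboot.

$protocols = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"

# Creates <Protocols>\<Protocol>\<Side> if missing and writes the given DWORD values into it.
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,                             # e.g. "SSL 2.0"
        [Parameter(Mandatory)] [ValidateSet("Client", "Server")] [string] $Side,
        [Parameter(Mandatory)] [hashtable] $Values                             # value name -> DWORD data
    )
    $protocolKey = Join-Path $protocols $Protocol
    $sideKey     = Join-Path $protocolKey $Side
    if (-not (Test-Path $protocolKey)) { New-Item -Path $protocolKey | Out-Null }
    if (-not (Test-Path $sideKey))     { New-Item -Path $sideKey     | Out-Null }
    foreach ($name in $Values.Keys) {
        New-ItemProperty -Path $sideKey -Name $name -Value $Values[$name] -PropertyType DWord -Force | Out-Null
    }
}

# Reads the four Client/Server keys back so the result can be checked before the reboot.
function Get-SchannelProtocolState {
    foreach ($p in "SSL 2.0", "SSL 3.0") {
        foreach ($side in "Client", "Server") {
            $key   = Join-Path (Join-Path $protocols $p) $side
            $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = if ($props -and $props.PSObject.Properties["Enabled"])           { $props.Enabled }           else { "(not set)" }
                DisabledByDefault = if ($props -and $props.PSObject.Properties["DisabledByDefault"]) { $props.DisabledByDefault } else { "(not set)" }
            }
        }
    }
}

# The three edits from the article. Enabled is written explicitly as 0 rather than relying on
# the default data a freshly created DWORD gets in regedit.
Set-SchannelProtocol -Protocol "SSL 2.0" -Side Server -Values @{ Enabled = 0 }
Set-SchannelProtocol -Protocol "SSL 3.0" -Side Client -Values @{ DisabledByDefault = 1 }
Set-SchannelProtocol -Protocol "SSL 3.0" -Side Server -Values @{ Enabled = 0 }

Get-SchannelProtocolState | Format-Table -AutoSize
# Restart-Computer   # uncomment once the table above shows the expected values
```

Two practical notes. The Server keys govern connections that arrive at this machine (IIS, SharePoint), which is what POODLE is about; the Client key governs connections the machine makes outward, so DisabledByDefault=1 under SSL 3.0\Client also stops this server from negotiating SSL 3.0 to other services. Hardening guides commonly set both Enabled=0 and DisabledByDefault=1 on both sides of each legacy protocol; the script sticks to the three values the article uses, and extending the hashtables is all it takes to add the rest.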

Thursday, June 4, 2015

Are you POODLE secure? Does your server still Supports SSL Version 3


Lately we performed a scan on an internet portal using the website https://www.ssllabs.com/ssltest/analyze.html and I must tell you the scan was eye-opening and jaw-dropping. Most importantly, SSL 3.0 was supported, and because of this, POODLE



POODLE stands for Padding Oracle On Downgraded Legacy Encryption. By using a series of connection failures between a browser and a website, an attacker can trigger what is called a “downgrade dance”, where the browser eventually falls back to using the SSL 3.0 protocol to maintain communications. When this happens, the attacker can use the flaw within SSL 3.0 to grab sensitive data.


Let’s understand from the diagram above how it works at a high level:
  1. You use your browser to access a site and provide secure details, believing TLS 1.2 is there to protect you and that your request is passing through it.
  2. The attacker forces a downgrade, or fallback, to the earlier protocol. That is, even if both the server and client support more modern protocols, as long as they’re willing to support SSLv3, an active attacker can force them to use this old, terrible protocol. In many cases this fallback is transparent to the user.
  3. Now the request is sent through the old SSL 3.0 protocol.
  4. The server responds using the same SSL 3.0, and because of its flaws the response can be intercepted; the attacker can then hijack sessions and confidential information.

The key issue is the integrity of the padding on SSL 3.0 block ciphers. This padding is not verified by the protocol (it is not covered by the MAC). This allows an attacker to alter the final block of an SSL record if the attacker can successfully hijack the connection from an end user to the web server.

There are a couple of caveats to the vulnerability: for the attack to work, the attacker must be on the same wireless network as you or otherwise in the path of your communications (as shown above), and your client must be running JavaScript.

This vulnerability in SSL 3.0 can be exploited to steal certain confidential information, such as cookies. By exploiting it, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website.


How to stop the POODLE attack
I have not seen any way to patch SSL 3.0 against POODLE so far, but still, why take the risk when you can handle it by disabling SSL 3.0 altogether?

Only if you rely on older browsers like IE 6 and others which still use SSL 3.0 do you have to think about it; otherwise I believe disabling SSL 3.0 altogether is the way to go.

One backup plan involves preventing the “downgrade dance” that makes the POODLE attack possible. That patch, called TLS_FALLBACK_SCSV, basically makes the browser inform the server when it is offering a weaker security protocol than it supports, as it would during a “downgrade dance” attack, which allows the server to reject the connection. Unfortunately, the TLS_FALLBACK_SCSV workaround is only effective when both browsers and servers have been patched.
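A small verification check for your own servers, as an added example that is not part of the original post: after SSL 3.0 has been disabled it confirms that the host no longer completes an SSL 3.0 handshake, which is the property the SSL Labs scan mentioned above reports. It uses only .NET’s SslStream under Windows PowerShell; the function name, host name and port are placeholders of my own.

```powershell
# Added example (not from the original post). Attempts a single SSL 3.0-only handshake against
# one of your own hosts and reports whether it completed. AcceptsSsl3 = $false is the result
# you want after the SSL 3.0\Server registry change. Windows PowerShell / .NET Framework only:
# .NET Core and PowerShell 7 refuse SslProtocols.Ssl3 outright, so the check would be inconclusive there.

function Test-Ssl3Handshake {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # placeholder: one of your own servers
        [int] $Port = 443
    )
    $client = $null
    $ssl    = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Certificate problems are deliberately ignored: the question is only whether
        # the server is willing to finish an SSL 3.0 handshake, not whether its cert is valid.
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Ssl3, $false)
        [pscustomobject]@{
            Host        = $HostName
            Port        = $Port
            AcceptsSsl3 = $true
            Detail      = "negotiated $($ssl.SslProtocol) with $($ssl.CipherAlgorithm)"
        }
    } catch {
        # Either the server rejected SSL 3.0 (good) or the local Schannel client side has it
        # disabled too; the Detail text tells the two apart.
        [pscustomobject]@{
            Host        = $HostName
            Port        = $Port
            AcceptsSsl3 = $false
            Detail      = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl)    { $ssl.Dispose() }
        if ($client) { $client.Dispose() }
    }
}

# Example call with a placeholder host name.
Test-Ssl3Handshake -HostName "sp2013.example.invalid" | Format-List
```

Run it from a machine other than the server being checked: once SSL 3.0\Client has DisabledByDefault=1 on the client machine, the handshake fails on the client side regardless of what the server would accept, and the check tells you nothing about the server.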

Please do check the coming article on: **COMING SOON** Windows Server Machine: How to disable SSL v3 Protocol

Monday, June 1, 2015

BASICS OF CONTENT QUERY WEBPART: PART 1

CQWP has been around for ages, but I still find it one of the most important components for any developer to roll up content over several different scopes, anywhere from a single list or library to multiple lists or libraries across an entire site collection.

CQWP is used for aggregating content from multiple data sources across your web site and presenting it all in one place. On top of this, you can present the information with your own custom UI by manipulating XSLT and CSS.

In this multi-part series I will be delving into various aspects of the CQWP:

PART 1: Basics of CQWP

Part 1: BASICS OF CONTENT QUERY WEBPART

In this part we will learn how to configure and customize the CQWP. It is intended for readers who have little or no experience with the CQWP.

  1. Adding CQWP to the Site
  2. Choosing Source or place from where data will be fetched.
  3. Learning the Additional Filters
  4. Presentation Section (Presenting the CQWP)

Adding CQWP to the Site

So let’s start by adding CQWP to our site.

  1. Open your SharePoint site and click the Site Actions drop-down and select Edit Page.
  2. Click the Add a Web Part link, which opens the Web Part Gallery, and then follow the numbering shown to include the web part.


  3. This adds the web part; now, to configure it, click “Edit the webpart” as shown.

Choosing Source or place from where data will be fetched.

  1. Expand the Query category in the Web Part property pane. This is used to choose your source and to define the list and content type based on it. There are three sources to choose from.
Learning the Additional Filters.

You can filter the data based on the columns/properties of the list. For example, I have a list “External News” with a column called “News Category” holding categories such as “Political” and “Business”. By default, when I connect my list to the CQWP, it shows all the items of the list, as shown in fig 4.


Now, if I want to show only the “Political” news category, do as below; this filters the items on the “News Category” value Political.



In SharePoint 2010, two new, more advanced and dynamic ways of filtering were introduced:

PageFieldValue: based on the value of a field on the page layout, it filters the items of the Content Query list. Let’s understand by example.
I have a page layout field called “Title” and, based on the value of the Title, I want to filter the “News Category” column of the list “External News”.
Now, if I set the page Title to “Business” and also change the Content Query filter as shown below, the data will be filtered from the list based on the page Title.



PageQueryString: this one I like the most. Let’s keep the same example. Define the filter as shown below [PageQueryString:]. Now, using the variable name, just pass the query string as shown below.
Using the query string parameter is better when you want to show different sets of results in a web part without having to make a new page for each result set.


Presentation Section (Presenting the CQWP)
  1. Grouping and Sorting: You can select the column by which you want to group and sort the data.

    For example, I want to group the data based on the “News Category” column and sort based on the “Created” column; you can also choose ascending or descending order and limit the number of items to display.
  2. Styles: these define what information is displayed and how. I always feel the Styles section is a great value-add to the CQWP. You can define a Group Style and an Item Style; these styles are XSL templates, not CSS styles, and you can create your own. How to create styles will be covered later in the series, but just to show their power, here is a small example.

    E.g. in the earlier list, if I want to show the description of the title (in the list I have a column called Notes) and have the group heading as large text, this can be done as below.

Note: the fields in the “Fields to display” section change based on the “Item Style” you choose, and you need to provide the column names from your list to display items.

I hope this walkthrough helps people configure and use the Content Query Web Part. The rest of the articles on other CQWP functionality will be coming soon.

I'd be interested to hear and see examples of how people are using the web part. So, post your comments!