Monthly Archives: March 2014

Microsoft Server 2003, Microsoft Server 2008, Microsoft Server 2008R2, Microsoft Server 2012, Microsoft Server 2012R2, Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows XP

Clear Temporary Internet Files for All Users

Leave a comment

I came across this utility from the folks over at Ctrl-Alt-Del Consulting which is great for reclaiming space taken by users temporary internet files stacking up over time. I’ve found it especially helpful on terminal servers with hundreds of users. Download their free tool ICSweep here:

http://www.ctrl-alt-del.com.au/CAD_Utils.htm

Once downloaded, extract it to the root of C:\. Open an administrative command prompt and cd to the “C:\ICSweep” directory and reference the following switches:

Usage:
ICSweep [/ALL|/TIF|/TMP] [/?]

  /ALL   -   Delete both Temporary Internet Files and Temp files
  /TIF   -   Delete Temporary Internet Files only (Default)
  /TMP   -   Delete Temp files only
  /SIZE  -   Report the size of both Temporary Internet Files
             and Temp files in each profile NOT in use. This
             switch will also report the total size of
             both Temporary Internet Files and Temp files NOT
             in use. It DOES NOT DELETE any files.
  /?     -   show this help file

Microsoft Server 2008, Microsoft Server 2008R2, Microsoft Server 2012, Microsoft Server 2012R2

Setting Up FTP-over-SSL With IIS7 (FTPS)

Leave a comment

 PART I – Server Setup

1) Install IIS Web Service role with all FTP Features selected:

2) Create folder you want to use as your FTP root landing point (i.e. D:\FTP)

3) Set permissions to allow anonymous access. Open command prompt as administrator and run the following command (using whatever folder path you created):

ICACLS “D:\FTP” /Grant IUSR:R /T

4) Open IIS. Right-click Sites and Add FTP Site:

5) Name your site and specify the FTP folder you created as the Content Directory:

6) Choose IP/Port and SSL settings below:

7) Specify Authentication and Authorization Information. In this example, we will give ‘Administrator’ full read/write access:

8) Create self-signed certificate. Select your server name in IIS Manager > Create Self-Signed Certificate in the right-hand pane. Complete the wizard, naming the certificate whatever you want:

9) Select your new FTP site under the Sites node, and select FTP SSL Settings. Select the certificate you just created. Select Custom for the SSL Policy, specify Require only credentials for the Control Channel and Allow for the Data Channel. Click Apply to save settings:

10) Edit bindings of the FTP site, and add port 990:

This should complete the setup of the server if you are using it internally. If you need to access it through a firewall (i.e. Cisco ASA) over the Internet, there are additional settings that need to be configured:

PART II – Firewalls, Ports, and External Access

11) Select the server name in IIS Manager > select FTP Firewall Support. Specify your passive port range and the external IP address this server uses. In this example I only specify one port (5000) so that I only need a single access list line on my firewall for a single port. Replace xxx.xxx.xxx.xxx with whichever public address your server uses. Click apply:

12) Now the firewall changes. This example uses Cisco ASA with a single external static address. The principals are the same with other firewalls. Insert the following commands:

//Create the object-group
object-group service FTPS
service-object tcp-udp eq 5000

//Permit the control and data ports with an access list
access-list outside_in extended permit tcp any interface outside eq 990
access-list outside_in extended permit object-group FTPS any host PUBLIC_SERVER_IP

//Specify your static NAT to internal FTP server
static (inside,outside) tcp interface 990 INTERNAL_SERVER_IP 990 netmask 255.255.255.255
static (inside,outside) tcp interface 5000 INTERNAL_SERVER_IP 5000 netmask 255.255.255.255

13) IMPORTANT: Open the services console (services.msc) on the FTP server and restart the Microsoft FTP Server service. This will bring passive port change made above online. Skipping this step will make you bang your head against the wall because it’s all setup correctly, it’s just not handing out the right passive ports when you connect.

PART III – Connecting with FTP Client

14) I use FileZilla for this example. It’s easy, free, lightweight FTP client that can do FTP over SSL. Open FileZilla > File > Site Manager and create a new profile with the following settings:

15) You should now be able to establish this connection. When you attempt you will be prompted if you want to trust the certificate (because it is self-signed), which you’ll want to do, and should be presented the directory listing on the FTP server:

Fortigate, Fortinet

Fortigate 60D – Enable Disk Logging

Leave a comment

**UPDATE: This only works for 60D’s running 5.0.7 or earlier. Disk logging on the lower end models has been disabled in the 5.2.x code base. You either log to RAM (which is reset upon device reboot, or log to FortiCloud where you can get 1GB of space free upon signup***

To enable logging to local disk on Fortigate, it is a combination of GUI settings and CLI commands to run.

1) Go to System > Config > Advanced. Allocate a portion of the local disk to be utilized for logging. I chose to alot 2GB:

2) Go to the Policy section. Find the policy you want to log and confirm have logging enabled and to Log All Traffic Sessions:

3) Go to Log & Report > Log Config > Log Settings. Select Disk and choose the Disk in the GUI preferences as the log to display:

4) Open CLI and run the following commands to enable and review you disk logging settings:

fgt-01 # config log disk setting
fgt-01 (setting) # set status enable
fgt-01 (setting) # show
config log disk setting
set status enable
set log-quota 2048
end

 

If you run into formatting and allocation issues with your disk, check the following CLI values:

– Validate disk status: get system status
– Format disk: execute formatlogdisk
– Reboot device, re-run set status enable commands above