David Brooks – Republicans Can’t Pass Bills


There are many different flavors of freedom. For example, there is freedom as capacity and freedom as detachment.

Freedom as capacity means supporting people so they have the ability to take advantage of life’s opportunities. You encourage your friend to stick with piano practice so he will have the freedom to really play. You support your child during high school so she will have the liberty to pick her favorite college.

Freedom as detachment is giving people space to do their own thing. It’s based on the belief that people flourish best when they are unimpeded as much as possible. Freedom as detachment is marked by absence — the absence of coercion, interference and obstacles.

Back when the Republican Party functioned as a governing party it embraced both styles of freedom, but gave legislative priority to freedom of capacity. Look at the Republicans’ major legislative accomplishments of the past 30 years. They used government to give people more capacities.

In 1990, George H.W. Bush signed the Americans With Disabilities Act, which gave disabled people more freedom to move about society. In 1996, Republicans passed and Bill Clinton signed a welfare reform law that tied benefits to work requirements so that recipients would develop the skills they need to succeed in the labor force. In 2003, Republicans passed a law giving Americans a new prescription drug benefit, which used market mechanisms to give them more control over how to use it.

These legislative accomplishments were about using government in positive ways to widen people’s options. They aimed at many of the same goals as Democrats — broader health coverage, lower poverty rates — but relied on less top-down mechanisms to get there.

Over the past few decades Republicans cast off the freedom-as-capacity tendency. They became, exclusively, the party of freedom as detachment. They became the Get Government Off My Back Party, the Leave Us Alone Coalition, the Drain the Swamp Party, the Don’t Tread on Me Party.

Philosophically you can embrace or detest this shift, but one thing is indisputable: It has been a legislative disaster. The Republican Party has not been able to pass a single important piece of domestic legislation under this philosophic rubric. Despite all the screaming and campaigns, all the government shutdown fiascos, the G.O.P. hasn’t been able to eliminate a single important program or reform a single important entitlement or agency.

Today, the G.O.P. is flirting with its most humiliating failure, the failure to pass a health reform bill, even though the party controls all the levers of power. Worse, Republicans have managed to destroy any semblance of a normal legislative process along the way.

There are many reasons Republicans have been failing as a governing party, but the primary one is intellectual. The freedom-as-detachment philosophy is a negative philosophy. It is about cutting back, not building.

A party operating under this philosophy is not going to spawn creative thinkers who come up with positive new ideas for how to help people. It’s not going to nurture policy entrepreneurs. It’s not going to respect ideas, period. This is not a party that’s going to produce a lot of modern-day versions of Jack Kemp.

Second, Republican voters may respond to the freedom-as-detachment rhetoric during campaigns. It feels satisfying to say that everything would be fine if only those stuck-up elites in Washington got out of the way. But operationally, most Republicans support freedom-as-capacity legislation.

If you’re a regular American, the main threats to your freedom are illness, family breakdown, social decay, technological disruption and globalization. If you’re being buffeted by massive forces beyond your control, you don’t want legislation that says: Guess what? You’re on your own!

The Republicans could have come up with a health bill that helps people cope with illness and nurtures their capacities, a bill that offers catastrophic care to the millions of Americans left out of Obamacare, or health savings accounts to encourage preventive care. Republicans could have been honest with the American people and said, “We’re proposing a bill that preserves Obamacare and tries to make it sustainable.” They could have touted some of the small reforms that are in fact buried in the Senate bill.

But this is the Drain the Swamp Party. The Republican centerpiece is: “We’re going to cut your Medicaid.”

So now we have a health care bill that everybody hates. It has a 17 percent approval rating. It has no sponsors, no hearings, no champions and no advocates. As usual, Republican legislators have got themselves into a position where they have to vote for a bill they all despise. And if you think G.O.P. dysfunction is bad now, wait until we get to the debt ceiling wrangle, the budget fight and the tax reform crackup.

Sure, Donald Trump is a boob, but that doesn’t explain why Republicans can’t govern from Capitol Hill. The answer is that we’re living at a time when the prospects for the middle class are in sharp decline. And Republicans offer nothing but negativity, detachment, absence and an ax.

Let’s Encrypt – Zero SSL Online Wizard



In this exercise we will use ZeroSSL Online Wizard to process a new Let’s Encrypt SSL Certificate.


Let’s Encrypt – Client Option

From the list of Client Options for Let’s Encrypt, we have ZeroSSL.


ZeroSSL Windows

ZeroSSL has two options for utilizing ZeroSSL on Windows.

One option is through scripting and the other is through a browser-based wizard.

Because of reasons that we will have to cover in another post, our only option based on our targeted OS, MS Windows 2003, is the Wizard option.




  1. Using IIS Manager, Request Certificate
  2. Using IIS Manager, Configure virtual folder
    • .well-known\acme-challenge
      • Mime Type ( extension-less files )
  3. Access ZeroSSL’s Website
    • Access Wizard
    • Submit Request
      • Paste generated CSR onto the right side of the request
      • Receive Domain Certificate
      • Press OK
    • Verification Process
      • Select Verification process ( HTTP or DNS )
      • Process Verification
    • Receive Certificates
      • Machine Certificate
      • Certificate Authority Certificate
  4. Using IIS, Accept Certificate
  5. Using IIS, Review Accepted Certificate


Request Certificate

Hopefully, you have already installed IIS on your targeted machine.


  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Server Certificate” window appears
      • Choose the “Create a new certificate” option button
    • The “IIS Certificate Wizard – Delayed Or Immediate Request” window appears
    • The “IIS Certificate Wizard – Name and Security Settings” window appears
      • Change Certificate Name from “Default” to a friendly, pertinent name that will make it easy to associate and identify later
      • Change Bit Length from 1024 to 4096
    • IIS Certificate Wizard – Organization Information
      • Entered “Organization” Information
      • Entered “Organization Unit” Information
    • IIS Certificate Wizard – Geographical Information
      • Choose Country
      • Entered State
      • Entered City
    • IIS Certificate Wizard – Certificate Request File Name
      • Enter a filename to save the “Certificate Request” file under
    • IIS Certificate Wizard – Request File Summary
      • Review Request Summary


Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Server Certificate


IIS Certificate Wizard – Delayed Or Immediate Request

IIS Certificate Wizard – Name and Security Settings

IIS Certificate Wizard – Name and Security Settings – Initial


IIS Certificate Wizard – Name and Security Settings – After

IIS Certificate Wizard – Organization Information


IIS Certificate Wizard – Geographical Information


IIS Certificate Wizard – Certificate Request File Name


IIS Certificate Wizard – Request File Summary

IIS Certificate Wizard – Completing the Web Server Certificate Wizard

Configure .well-known\acme-challenge



  1. Using Windows Explorer or Command Shell, create new folder under the root folder
    • Example
      • c:\inetpub\wwwroot\.well-known\acme-challenge
  2. Register new mime-type for extension-less files
  3. Validate extension-less files are handled
    • Temporarily enable directory browsing
    • Create extension-less files under .well-known\acme-challenge
    • Using web browser access folder and access extension-less files



acme-challenge Properties


acme-challenge Properties – Mime Types – Adding Extension-less file


acme-challenge Properties – Mime Types

Validate extension-less files are handled

Access ZeroSSL Website



On the Details Tab

  • Enter fields
    • Email (optional)
      • Email to correspond and inform of pending expiration
    • Paste your Let’s Encrypt key
      • If you already have a Let’s Encrypt Key, please paste it
    • Domains ( Only if you have no CSR)
    • Paste your CSR or leave it blank to generate
      • We have a CSR we generated using IIS Manager
    • Verification
      • Verification Choices
        • HTTP Verification
        • DNS Verification
      • We chose HTTP
    • Accept ZeroSSL TOS
    • Accept Let’s Encrypt SA (PDF)
  • We pasted the generated CSR
  • And, clicked on the Next button
  • Account Key
    • The system stays busy for a while, as the Account Key is generated
    • Once generated, the Account Key is placed in the Account Key text box
  • Click the next button


ZeroSSL : Free SSL – Home Page


ZeroSSL : Free SSL – Free SSL Certificate Wizard



ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details



ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details  – CSR Pasted

CSR Pasted

Here we paste the “Certificate Request” ( CSR ) we generated earlier.


ZeroSSL : Free SSL – Free SSL Certificate Wizard – Generate Account Key


ZeroSSL : Free SSL – Free SSL Certificate Wizard – Account Key Generated


Verification  – Guidance

On the Verification Tab, for each Domain that we submitted on the Details tab, we are given guidance per:

  • Domain Name
  • Filename
  • File Content

Screen Shot

Verification – Initial

Verification  – Implementation

To implement the verification on the web server, for each Domain that we submitted on the Details tab, we do the following:

  • Access WebSite root folder
    • Usually C:\inetpub\wwwroot
  • Create sub-folder .well-known\acme-challenge
  • For each domain
    • Create file
    • Add file contents

Verification – Created File

Verification – File Contents

Verification – Link Clicked
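
A rehearsal of the HTTP verification step, as an added example (not code from this post, ZeroSSL or Let's Encrypt): it writes the challenge file from the wizard's Filename / File Content guidance and fetches it back over plain HTTP, reporting the failures the extension-less file test is meant to catch. The function names, the sample token values and the local stand-in web server (used here instead of IIS) are assumptions for illustration.

```python
import functools
import http.client
import http.server
import os
import re
import tempfile
import threading

CHALLENGE_URL_PATH = "/.well-known/acme-challenge/"
# Assumption: challenge filenames use only base64url characters (no dots, no slashes).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def write_challenge(web_root, filename, content):
    """Create <web_root>/.well-known/acme-challenge/<filename> with the given content."""
    if not TOKEN_RE.fullmatch(filename):
        raise ValueError("unexpected challenge filename: %r" % filename)
    folder = os.path.join(web_root, ".well-known", "acme-challenge")
    os.makedirs(folder, exist_ok=True)
    path = os.path.join(folder, filename)
    # ASCII and newline="": no byte-order mark, no CRLF translation
    with open(path, "w", encoding="ascii", newline="") as handle:
        handle.write(content)
    return path


def check_challenge(host, filename, expected, port=80, timeout=10):
    """Fetch the challenge file over HTTP and compare it with the wizard's File Content."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_URL_PATH + filename)
        response = conn.getresponse()
        body = response.read()
    except (OSError, http.client.HTTPException) as exc:
        return "FAIL: no HTTP answer from %s:%d (%s)" % (host, port, exc)
    finally:
        conn.close()
    if response.status == 404:
        return ("FAIL: HTTP 404 (file missing, saved with an extension, or no MIME "
                "type registered for extension-less files)")
    if response.status != 200:
        return "FAIL: HTTP %d" % response.status
    if body.startswith(b"\xef\xbb\xbf"):
        return "FAIL: file starts with a UTF-8 byte-order mark"
    if body.rstrip() != expected.encode("ascii"):  # trailing whitespace is tolerated here
        return "FAIL: content differs from the value shown in the wizard"
    return "OK"


def rehearse():
    """Run both outcomes against a throw-away local server; sample values are constructed."""
    token, content = "SAMPLE-TOKEN", "SAMPLE-TOKEN.SAMPLE-THUMBPRINT"
    with tempfile.TemporaryDirectory() as root:
        write_challenge(root, token, content + "\n")
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            port = server.server_address[1]
            return (check_challenge("127.0.0.1", token, content, port),
                    check_challenge("127.0.0.1", token + ".txt", content, port))
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for result in rehearse():
        print(result)
```

Against the real site, call `check_challenge` with the site's host name and the values from the Verification tab before clicking through in the wizard.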


Receive Certificate

In this section, we use IIS Manager to receive the Certificate.


  1. Launch IIS Manager
  2. Access Web Site
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Pending Certificate” window appears
      • Choose the “Process Pending Request and install the certificate” option button
    • The “IIS Certificate Wizard – Process a pending Request” window appears
      • A lone text box asking for the certificate filename
        • The filename being asked for is the one generated by our Certificate Authority ( CA )
            • Enter or paste the file name
            • Or click on the browse button to navigate the File System and select the file
    • The “IIS Certificate Wizard – Process a Pending Request – SSL Port” window appears
      • Accept or Change the SSL/HTTPS Port Number
    • The “IIS Certificate Wizard – Process a Pending Request – Certificate Summary” window appears
        • Review the Certificate Summary
          • Issued to :-
            • Internet :- FQDN
            • Intranet :- Computer Name
          • Issued By :-
            • Let’s Encrypt Authority X3
          • Expiration Date :-
            • For “Let’s Encrypt Authority X3”, 3 months from Issue Date
          • Intended Purpose :-
            • Server Authentication
            • Client Authentication
          • Friendly Name
            • Friendly Name
      • The “IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard” window appears


Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Pending Certificate Request



IIS Certificate Wizard – Process a Pending Request


IIS Certificate Wizard – Process a Pending Request – Browse


IIS Certificate Wizard – Process a Pending Request – File Selected



IIS Certificate Wizard – Process a Pending Request – SSL Port




IIS Certificate Wizard – Process a Pending Request – Certificate Summary



IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard



IIS Certificate Wizard – Process a Pending Request – Completed Web Server Certificate Wizard



Review Certificate

In this section, we use IIS Manager to review the Certificate.


  1. Launch IIS Manager
  2. Access Web Site
  3. Access the “Directory Security” tab
    • Click the “View Certificate” button
  4. The “Certificate” window appears
    • Window – Certificate // Tab –  General
      • Issued To
      • Issued By
        • Let’s Encrypt Authority X3
      • Valid from
        • Valid from Begin to End Date
        • In our case 7/20/2017 thru 10/18/2017
    • Window – Certificate // Tab –  Details
      • Issuer
          • Let’s Encrypt Authority X3
      • Valid from
      • Valid To
      • Subject
        • Common Name
      • Public Key
        • Length
        • In our case 4096
    • Window – Certificate // Tab –  Certification Path
      • Certificate Path
        • Issuer
        • Issued To
      • Certificate Status :-
        • This certificate is OK

Certificate – View – General



Certificate – View – Details



Certificate – View – Certificate Path




  1. Certificate Requests
    • Specifications
      • Bit Length
        • Is it possible?

SQL Server Agent Roles


We are evaluating using BMC’s Control-M, our corporate IT Job Management tool.

And, wanted to see what we will have to do to get it to work against SQL Server Instances.


SQL Server Agent Roles

In SQL Server, jobs are managed through SQL Server Agent.

PreDefined Roles

SQL Server Agent has predefined security roles.

SQL Server Management Studio ( SSMS )

Jobs are saved in the system database, msdb.

To view the roles, please do the following:

  1. Launch SQL Server Management Studio (SSMS)
    • Connect to the SQL Server Instance
    • Choose System Databases
    • From the list of System Databases, choose msdb
    • Within the msdb database, traverse to Security \ Roles \ Database Roles
    • The SQL Server Agent roles are identifiable by names that start with SQLAgent



Permission Set

Let us dig deeper into these roles and see what they afford us, where they are different, and what is the minimum we can get away with.


The roles are listed in increasing order of privileges assigned.

More precisely as Microsoft would say it, they are concentric.

We looked up the term concentric and here is how it is defined:

They are of or denoting circles, arcs, or other shapes that share the same center, the larger often completely surrounding the smaller.

And, so we can see that MSFT’s documentation is very useful, and here it is verbatim:

The SQL Server Agent database role permissions are concentric in relation to one another — more privileged roles inherit the permissions of less privileged roles on SQL Server Agent objects (including alerts, operators, jobs, schedules, and proxies). 


| Role | Definition | Details |
| --- | --- | --- |
| SQLAgentUserRole | Members of SQLAgentUserRole have permissions on only local jobs and job schedules that they own. | a) Have permission on owned jobs |
| SQLAgentReaderRole | SQLAgentReaderRole includes all the SQLAgentUserRole permissions as well as permissions to view the list of available multiserver jobs, their properties, and their history. Members of this role can also view the list of all available jobs and job schedules and their properties, not just those jobs and job schedules that they own. | a) List all jobs – their properties, schedules, and execution history |
| SQLAgentOperatorRole | SQLAgentOperatorRole is the most privileged of the SQL Server Agent fixed database roles. It includes all the permissions of SQLAgentUserRole and SQLAgentReaderRole. Members of this role can also view properties for operators and proxies, and enumerate available proxies and alerts on the server. | a) Manage ( enable or disable jobs, edit job steps ) b) They can execute, stop, or start jobs c) Delete job execution history |


Which Role?

For system jobs we do not want an external job manager as SQL Server Agent is able to do so sufficiently.

We only want an external job manager for specific jobs.

Let us review the predefined system roles and judge their appropriateness for what we have in mind:

  1. SQLAgentOperatorRole
    • Affords all roles to all jobs
    • Too much for us
  2. SQLAgentReaderRole
    • (+)
      • Able to create and manage own job
      • Read privileges on all jobs; their steps, schedule, and run history
    • (-)
      • Job Management does not need to view job data nor review job run history
        • A bit much for our targeted need
  3. SQLAgentUserRole
    • Requirements
      • (+)
        • Create own jobs
        • Run owned jobs
          • Existing jobs ownership can be re-assigned
      • (-)
        • Job has to be owned
          • We have to review what is the ramification of changing job ownership for each specific job


Follow Up

Our follow-up task is to review the impact of changing job ownership for specific jobs.



  1. Microsoft
    • SQL Server Agent Fixed Database Roles
    • Implement SQL Server Agent Security


General Vincent K. Brooks


In an age where voices can be reduced to soundbites, cliques and inflammatory comments and categorization.

In general finding the worst in each other and blanket statements about “what we have seen before“.

And, those buckets are based on National Origin and Religion.

How do we go forward?

And, so we ask ourselves how do we go forward or are we just in a maze of bad choices, which leads to stillness, and assumption of a fetal position.

As I was watching an interview yesterday, I heard the name of Vincent Brooks.  I googled on his name and found a couple of freely and broadly accessible videos on youtube.



  1. General Brooks discusses his biggest challenges and biggest successes in Iraq.
    Uploaded On :- 2011-May-4th
  2. GEN Brooks message
    US Pacific, 4 Star General
    Uploaded On :- 2013-July-22nd
  3. LTG Brooks West Point Visit.mov
    Lt. Gen. Vincent K. Brooks, Commander of 3rd Army, returns to his Alma Mater to speak to the Corps of Cadets about Army Leadership.
    Uploaded On :- 2012-April-10th




GEN Brooks message, US Asia Pacific

  1. Command Video for Team 6
  2. Team Qualities
    • True test of a team is not missing a beat even as we change command
  3. Truly blessed to return the Four Star general to Asia Pacific since 1974
  4. Media
    • Another channel for me to air directly
    • It is not a substitute to see and hear in person
  5. Opportunity
    • Training
      • Training our own and our partners and friends
    • Professionalism
      • Exporting professionalism
      • Your Professionalism will be available to our partners
        • Qualities
          • Be yourself
          • And, give each task your best effort
  6. Challenges
    • Fiscal Challenges
      • Fiscal challenges we have as a nation
        • Every dollar we are given, we have to stretch
        • Take care of our people and realize that we are fortunate to have the ones we have
    • Changing Culture
      • We can not allow practices that undermine our pride and the pride we feel as an Army
      • Eliminate Sexual Harassment and Sexual Assault
        • Actions that leave trauma in unit and members of our team
        • Have a culture where these experiences are not able to occur
        • To do
          • Start with yourself
          • Allow others to make it go away
          • Set example for others to see
        • zero tolerance
        • Trust
    • Gratitude
      • Thanks for welcoming my wife and I


Webprofusion Ltd – Certify The Web – Day 1


Security has been in the news a lot lately.

In this post, we will talk about using SSL, specifically reaping SSL certificates from LetsEncrypt.Org via “WebProfusion Ltd – Certify the Web“.


Client Options

Here are the Client Options available for Windows


WebProfusion Ltd – Certify GUI –
(.Net, WinForms )

In this post, we will go with WebProfusion Ltd – Certify the Web.




  1. Network
    • DNS
  2. Website Availability
    • Website Availability Test
  3.  Software
    • Microsoft .Net v4.5
  4. Microsoft IIS
    • Bindings



DNS Requirement

From a networking standpoint, the LetsEncrypt validation servers have to be able to connect to the originating computer.

That rules out the following:

  1. Servers that are not reachable over the Internet
    • Servers that only have local IP Addresses


DNS Server Names

Here are a couple of popular DNS Servers:

Vendor Link DNS-1 DNS-2
Verisign  Link
Google  Link
OpenDNS  Link


DNS Validation

On MS Windows, we can use nslookup to validate.


Here is the syntax

nslookup [FQDN] [dns-server]

Sample – DNS – Google ( & )

nslookup web.labDomain.org 


Sample – Verisign ( & )

nslookup web.labDomain.org 
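
What `nslookup [FQDN] [dns-server]` does, and how to read its answer against the requirement above, as an added example (not code from this post or from Certify The Web): it sends an A query to a named resolver, parses the reply, and labels each address by whether an Internet validation server could reach it. The function names and the constructed sample reply (answering 10.0.0.5 for the post's web.labDomain.org) are assumptions for illustration.

```python
import ipaddress
import secrets
import socket
import struct

def build_query(fqdn, txid):
    """Build a DNS query for the A record of fqdn, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length

def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS reply."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("resolver returned rcode %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAME records in the chain are skipped
            addresses.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addresses

def lookup(fqdn, dns_server, timeout=3.0):
    """Equivalent of: nslookup fqdn dns_server (A records only, over UDP)."""
    query = build_query(fqdn, secrets.randbelow(0x10000))  # unpredictable query id
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (dns_server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("reply does not match the query id")
    return parse_a_records(reply)

def classify(address):
    """Label an address by whether an Internet validation server could reach it."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public" if ip.is_global else "not globally routable"

def validation_possible(addresses):
    """HTTP validation needs at least one publicly reachable address."""
    return any(classify(a) == "public" for a in addresses)

# Constructed sample, not captured traffic: a reply such as an internal resolver
# might give for the post's lab name, answering with a local address.
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + build_query("web.labDomain.org", 0x1234)[12:]
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("10.0.0.5")
)

if __name__ == "__main__":
    for addr in parse_a_records(SAMPLE_REPLY):
        print(addr, classify(addr))
    print("validation possible:", validation_possible(parse_a_records(SAMPLE_REPLY)))
```

Run `lookup` once against the internal resolver and once against a public one; a name that only yields public addresses from the internal side, or only private ones from the public side, will not pass HTTP validation.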



Website Availability

Website Availability Test

Here are some availability tools:

  1. Uptrends



Go to https://www.uptrends.com/tools/uptime.

Intentionally entered an invalid URL, in this case upTimeTest.cnn.com

Uptrends.com – Sample


We entered a FQDN that we know is not available.


We entered hyattHouse.com and we are able to successfully validate.



Microsoft .Net Framework v4.5

Although the software can be installed without first installing .Net v4.5, it can not be used.

If one tries to do so, the user is prompted to install .Net 4.5.

BTW, .Net v4.5 has its own requirement in terms of minimal OS.  And, those are:

  1. Windows 2003
    • .Net v4.5 can not be installed on MS Windows 2003
  2. Windows 7
  3. Windows 2012


Microsoft IIS

IIS – Site Bindings

Internet Information Server ( IIS )

Site Bindings

We can use IIS Manager and access the Site Bindings

Site Bindings – Original


Site Bindings – Add Binding

Click on the “Add..” button.

Add each hostname or alias that you would like to generate a certificate for.

Please add only http entries.

The https will be added for you.


Site Bindings – After adding

In the screen above, we have added the hostname that we would like exposed.



Downloaded “Certify The Web” from the Vendor’s website.

As of 2017-July-15th, the current version is V2.0.7-beta4.



License Agreement



Select Destination Location



  1. 9 MB


Select Start Menu Folder



Ready to Install


Installing ….


Complete the Wizard




Launch “Certify the web“.

Initial Screen

Empty Canvas

New Certificate

Click the “New Certificate” button.

Managed Sites – New Certificate – Options



  1. Select IIS Site
    • Chose the IIS Site
  2. Name
    • The Name is only figurative
  3. Primary Domain Name
    • Please choose the Domain Name
    • If none shown, please visit the TroubleShooting section
  4. Alternative Domain Subject Name
    • All of the hostnames registered in the Site Bindings are listed


Managed Sites – New Certificate – Advanced




  1. Auto create/update IIS bindings ( use SNI )
    • Chose to use SNI
      • Please read more about SNI ( Server Name Indication )
      • As always Wikipedia is a good source and here is the Link


Once you are comfortable with your choices, please click the Save button.


Request Certificate

Here are the steps for actually requesting a certificate.

Saved Certificate Request

Here is the screen once a Certificate is Requested.



Certificate Received and Installed



  1. In the image above, our request has been validated, a certificate has been issued, and installed on our machine.



Primary Domain Name

Primary Domain Name – Empty

In the example that follows we just installed the Application and we are trying to add a “New Certificate”.

New Certificate

Error – “A primary domain must be selected”


  1. The error message states “A Primary Domain” must be selected
    • The reason is that we have not selected a “Primary Domain Name”



To fix, please …

  1. Launch IIS Manager
  2. Access Site
  3. Under Sites, select the Web Site
  4. In the Action Panel
    • Under Edit Site, Choose Bindings…
  5. In the “Site Bindings” window
    • Review listed Site Bindings
    • If not listed, click the “Add” button
      • The “Site Binding” window appears
        • In the Host name text box, add the host’s “Fully Qualified Domain Name”



If you are running at a minimum MS Windows 7 ( desktop)  or 2012 ( server ), you should consider “Certify The Web“.

There is a lot more as this is only Day ONE.



  1. Certify The Web
    • Home Page
    • Docs
    • Getting Started
    • Issues
      • Issues – does not give list of possible domains #83
  2. Server Name Indication
  3. Browser – SSL
    • Google Chrome
      • Akemi Iwaya
        • Akemi Iwaya – How Do You View SSL Certificate Details in Google Chrome?
  4. DNS Servers – Public
    • Lifewire
      • LifeWire – Free & Public DNS Servers