David Brooks – Republicans Can’t Pass Bills


There are many different flavors of freedom. For example, there is freedom as capacity and freedom as detachment.

Freedom as capacity means supporting people so they have the ability to take advantage of life’s opportunities. You encourage your friend to stick with piano practice so he will have the freedom to really play. You support your child during high school so she will have the liberty to pick her favorite college.

Freedom as detachment is giving people space to do their own thing. It’s based on the belief that people flourish best when they are unimpeded as much as possible. Freedom as detachment is marked by absence — the absence of coercion, interference and obstacles.

Back when the Republican Party functioned as a governing party it embraced both styles of freedom, but gave legislative priority to freedom of capacity. Look at the Republicans’ major legislative accomplishments of the past 30 years. They used government to give people more capacities.

In 1990, George H.W. Bush signed the Americans With Disabilities Act, which gave disabled people more freedom to move about society. In 1996, Republicans passed and Bill Clinton signed a welfare reform law that tied benefits to work requirements so that recipients would develop the skills they need to succeed in the labor force. In 2003, Republicans passed a law giving Americans a new prescription drug benefit, which used market mechanisms to give them more control over how to use it.

These legislative accomplishments were about using government in positive ways to widen people’s options. They aimed at many of the same goals as Democrats — broader health coverage, lower poverty rates — but relied on less top-down mechanisms to get there.

Over the past few decades Republicans cast off the freedom-as-capacity tendency. They became, exclusively, the party of freedom as detachment. They became the Get Government Off My Back Party, the Leave Us Alone Coalition, the Drain the Swamp Party, the Don’t Tread on Me Party.

Philosophically you can embrace or detest this shift, but one thing is indisputable: It has been a legislative disaster. The Republican Party has not been able to pass a single important piece of domestic legislation under this philosophic rubric. Despite all the screaming and campaigns, all the government shutdown fiascos, the G.O.P. hasn’t been able to eliminate a single important program or reform a single important entitlement or agency.

Today, the G.O.P. is flirting with its most humiliating failure, the failure to pass a health reform bill, even though the party controls all the levers of power. Worse, Republicans have managed to destroy any semblance of a normal legislative process along the way.

There are many reasons Republicans have been failing as a governing party, but the primary one is intellectual. The freedom-as-detachment philosophy is a negative philosophy. It is about cutting back, not building.

A party operating under this philosophy is not going to spawn creative thinkers who come up with positive new ideas for how to help people. It’s not going to nurture policy entrepreneurs. It’s not going to respect ideas, period. This is not a party that’s going to produce a lot of modern-day versions of Jack Kemp.

Second, Republican voters may respond to the freedom-as-detachment rhetoric during campaigns. It feels satisfying to say that everything would be fine if only those stuck-up elites in Washington got out of the way. But operationally, most Republicans support freedom-as-capacity legislation.

If you’re a regular American, the main threats to your freedom are illness, family breakdown, social decay, technological disruption and globalization. If you’re being buffeted by massive forces beyond your control, you don’t want legislation that says: Guess what? You’re on your own!

The Republicans could have come up with a health bill that helps people cope with illness and nurtures their capacities, a bill that offers catastrophic care to the millions of Americans left out of Obamacare, or health savings accounts to encourage preventive care. Republicans could have been honest with the American people and said, “We’re proposing a bill that preserves Obamacare and tries to make it sustainable.” They could have touted some of the small reforms that are in fact buried in the Senate bill.

But this is the Drain the Swamp Party. The Republican centerpiece is: “We’re going to cut your Medicaid.”

So now we have a health care bill that everybody hates. It has a 17 percent approval rating. It has no sponsors, no hearings, no champions and no advocates. As usual, Republican legislators have got themselves into a position where they have to vote for a bill they all despise. And if you think G.O.P. dysfunction is bad now, wait until we get to the debt ceiling wrangle, the budget fight and the tax reform crackup.

Sure, Donald Trump is a boob, but that doesn’t explain why Republicans can’t govern from Capitol Hill. The answer is that we’re living at a time when the prospects for the middle class are in sharp decline. And Republicans offer nothing but negativity, detachment, absence and an ax.

Let’s Encrypt – Zero SSL Online Wizard

 

Background

In this exercise we will use ZeroSSL Online Wizard to process a new Let’s Encrypt SSL Certificate.

 

Let’s Encrypt – Client Option

From the list of Client Options for Let’s Encrypt, we have ZeroSSL.

 

ZeroSSL Windows

ZeroSSL offers two options for use on Windows.

One option is through scripting and the other is through a browser-based wizard.

Because of reasons that we will have to cover in another post, our only option based on our targeted OS, MS Windows 2003, is the Wizard option.

 

Processing

Outline

  1. Using IIS Manager, Request Certificate
  2. Using IIS Manager, Configure virtual folder
    • .well-known\acme-challenge
      • Mime Type ( extension-less files )
  3. Access ZeroSSL’s Website
    • Access Wizard
    • Submit Request
      • Paste generated CSR onto right side of request
      • Receive Domain Certificate
      • Press OK
    • Verification Process
      • Select Verification process ( HTTP or DNS )
      • Process Verification
    • Receive Certificates
      • Machine Certificate
      • Certificate Authority Certificate
  4. Using IIS, Accept Certificate
  5. Using IIS, Review Accepted Certificate

 

Request Certificate

Hopefully, you have already installed IIS on your targeted machine.

Steps

  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Server Certificate” window appears
      • Choose the “Create a new certificate” option button
    • The “IIS Certificate Wizard – Delayed Or Immediate Request” window appears
    • The “IIS Certificate Wizard – Name and Security Settings” window appears
      • Change Certificate Name from “Default” to a friendly, pertinent name that will make it easy to associate and identify later
      • Change Bit Length from 1024 to 4096
    • IIS Certificate Wizard – Organization Information
      • Entered “Organization” Information
      • Entered “Organization Unit” Information
    • IIS Certificate Wizard – Geographical Information
      • Choose Country
      • Entered State
      • Entered City
    • IIS Certificate Wizard – Certificate Request File Name
      • Enter a filename to save the “Certificate Request” file under
    • IIS Certificate Wizard – Request File Summary
      • Review Request Summary

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Server Certificate

 

IIS Certificate Wizard – Delayed Or Immediate Request

IIS Certificate Wizard – Name and Security Settings

IIS Certificate Wizard – Name and Security Settings – Initial

 

IIS Certificate Wizard – Name and Security Settings – After

IIS Certificate Wizard – Organization Information

 

IIS Certificate Wizard – Geographical Information

 

IIS Certificate Wizard – Certificate Request File Name

 

IIS Certificate Wizard – Request File Summary

IIS Certificate Wizard – Completing the Web Server Certificate Wizard

Configure .well-known\acme-challenge

 

Steps

  1. Using Windows Explorer or Command Shell, create new folder under the root folder
    • Example
      • c:\inetpub\wwwroot\.well-known\acme-challenge
  2. Register new mime-type for extension-less files
  3. Validate extension-less files are handled
    • Temporarily enable directory browsing
    • Create extension-less files under .well-known\acme-challenge
    • Using web browser access folder and access extension-less files

 

Images

acme-challenge Properties

 

acme-challenge Properties – Mime Types – Adding Extension-less file

 

acme-challenge Properties – Mime Types

Validate extension-less files are handled

Access ZeroSSL Website

https://zerossl.com/free-ssl/#crt

Details

On the Details Tab

  • Enter fields
    • Email (optional)
      • Email to correspond and inform of pending expiration
    • Paste your Let’s Encrypt key
      • If you already have a Let’s Encrypt Key, please paste it
    • Domains ( Only if you have no CSR)
    • Paste your CSR or leave it blank to generate
      • We have a CSR we generated using IIS Manager
    • Verification
      • Verification Choices
        • HTTP Verification
        • DNS Verification
      • We chose HTTP
    • Accept ZeroSSL TOS
    • Accept Let’s Encrypt SA (PDF)
  • We pasted the generated CSR
  • And, clicked on the Next button
  • Account Key
    • The system stays busy for a while, as the Account Key is generated
    • Once generated, the Account Key is placed in the Account Key text box
  • Click the next button

Image

ZeroSSL : Free SSL – Home Page

 

ZeroSSL : Free SSL – Free SSL Certificate Wizard

 

Details

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details

 

 

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details  – CSR Pasted

CSR Pasted

Here we paste the “Certificate Request” ( CSR ) we generated earlier.

 

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Generate Account Key

 

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Account Key Generated

Verification

Verification  – Guidance

On the Verification Tab, for each Domain that we submitted on the Details tab, we are given guidance per:

  • Domain Name
  • Filename
  • File Content

Screen Shot

Verification – Initial

Verification  – Implementation

Following the guidance given on the Verification Tab, for each Domain that we submitted on the Details tab, we do the following:

  • Access WebSite root folder
    • Usually C:\inetpub\wwwroot
  • Create sub-folder .well-known\acme-challenge
  • For each domain
    • Create file
    • Add file contents
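
A pre-flight check for the two HTTP verification procedures above (serving extension-less files from .well-known\acme-challenge, then placing each domain's file), written as an added Python example that is not part of the original post or of ZeroSSL's tooling. The token, thumbprint and localhost web root are constructed sample values; the check also reports whether the folder still answers with a listing, since directory browsing was only meant to be enabled temporarily.

```python
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_PATH = "/.well-known/acme-challenge/"
UTF8_BOM = b"\xef\xbb\xbf"


def _get(url, timeout):
    # Ignore proxy settings so the request goes straight to the web server.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


def check_challenge(base_url, token, expected, timeout=5):
    """Return a list of problems with one challenge file (empty list = OK).

    token is the wizard's "Filename"; expected is its "File Content",
    which has the form <token>.<account key thumbprint>.
    """
    problems = []
    if not expected.startswith(token + "."):
        problems.append("File Content does not start with the Filename")
    url = base_url.rstrip("/") + CHALLENGE_PATH + token
    try:
        raw = _get(url, timeout)
    except urllib.error.HTTPError as exc:
        # On IIS, a 404 for a file that exists on disk is what a missing
        # MIME mapping for extension-less files looks like.
        return problems + [f"HTTP {exc.code} for {url}"]
    except urllib.error.URLError as exc:
        return problems + [f"cannot reach {url}: {exc.reason}"]
    if raw.startswith(UTF8_BOM):
        problems.append("file starts with a UTF-8 byte-order mark")
        raw = raw[len(UTF8_BOM):]
    # A trailing line break added by the editor is ignored here.
    if raw.decode("utf-8", errors="replace").rstrip() != expected:
        problems.append("served content differs from the File Content")
    return problems


def listing_exposed(base_url, timeout=5):
    """True if the challenge folder itself is served (directory browsing on)."""
    try:
        _get(base_url.rstrip("/") + CHALLENGE_PATH, timeout)
        return True
    except urllib.error.URLError:   # includes HTTP 403/404
        return False


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):   # keep the demo output clean
        pass


def demo():
    """Run the checks against a constructed web root served on localhost."""
    token = "constructed-token-0001"                 # constructed sample value
    content = token + ".constructed-thumbprint"      # constructed sample value
    with tempfile.TemporaryDirectory() as root:
        folder = Path(root, ".well-known", "acme-challenge")
        folder.mkdir(parents=True)
        (folder / token).write_bytes(content.encode("ascii") + b"\r\n")
        (folder / "bom-token").write_bytes(UTF8_BOM + b"bom-token.sample")
        handler = functools.partial(_QuietHandler, directory=root)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_address[1]
        try:
            return {
                "served": check_challenge(base, token, content),
                "missing": check_challenge(base, "absent", "absent.sample"),
                "bom": check_challenge(base, "bom-token", "bom-token.sample"),
                "mismatch": check_challenge(base, token, "other." + content),
                # Python's demo server lists folders, as IIS does with browsing on.
                "listing": listing_exposed(base),
            }
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Against the real site, call check_challenge with the site's http:// address and the Filename and File Content shown on the Verification tab, before clicking the verification link.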

Verification – Created File

Verification – File Contents

Verification – Link Clicked

 

Receive Certificate

In this section, we use IIS Manager to receive the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Web Site
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Pending Certificate” window appears
      • Choose the “Process Pending Request and install the certificate” option button
    • The “IIS Certificate Wizard – Process a pending Request” window appears
      • A lone text box asking for the certificate filename
        • The filename being asked for is the one generated by our Certificate Authority ( CA )
            • Enter or paste the file name
            • Or click on the browse button to navigate the File System and select the file
    • The “IIS Certificate Wizard – Process a Pending Request – SSL Port” window appears
      • Accept or Change the SSL/HTTPS Port Number
    • The “IIS Certificate Wizard – Process a Pending Request – Certificate Summary” window appears
        • Review the Certificate Summary
          • Issued to :-
            • Internet :- FQDN
            • Intranet :- Computer Name
          • Issued By :-
            • Let’s Encrypt Authority X3
          • Expiration Date :-
            • For “Let’s Encrypt Authority X3”, 3 months from Issue Date
          • Intended Purpose :-
            • Server Authentication
            • Client Authentication
          • Friendly Name
            • Friendly Name
      • The “IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard” window appears

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Pending Certificate Request

IIS Certificate Wizard – Process a Pending Request

IIS Certificate Wizard – Process a Pending Request – Browse

IIS Certificate Wizard – Process a Pending Request – File Selected

IIS Certificate Wizard – Process a Pending Request – SSL Port

IIS Certificate Wizard – Process a Pending Request – Certificate Summary

IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard

IIS Certificate Wizard – Process a Pending Request – Completed Web Server Certificate Wizard


Review Certificate

In this section, we use IIS Manager to review the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Web Site
  3. Access the “Directory Security” tab
    • Click the “View Certificate” button
  4. The “Certificate” window appears
    • Window – Certificate // Tab –  General
      • Issued To
      • Issued By
        • Let’s Encrypt Authority X3
      • Valid from
        • Valid from Begin to End Date
        • In our case 7/20/2017 thru 10/18/2017
    • Window – Certificate // Tab –  Details
      • Issuer
          • Let’s Encrypt Authority X3
      • Valid from
      • Valid To
      • Subject
        • Common Name
      • Public Key
        • Length
        • In our case 4096
    • Window – Certificate // Tab –  Certification Path
      • Certificate Path
        • Issuer
        • Issued To
      • Certificate Status :-
        • This certificate is OK

Certificate – View – General

Certificate – View – Details

Certificate – View – Certificate Path



SQL Server Agent Roles

Background

We are evaluating BMC’s Control-M, our corporate IT Job Management tool.

And we wanted to see what we would have to do to get it to work against SQL Server Instances.

 

SQL Server Agent Roles

In SQL Server, jobs are managed through SQL Server Agent.

PreDefined Roles

SQL Server Agent has predefined security roles.

SQL Server Management Studio ( SSMS )

Jobs are saved in the system database, msdb.

To view the roles, please do the following:

  1. Launch SQL Server Management Studio (SSMS)
    • Connect to the SQL Server Instance
    • Choose System Databases
    • From the list of System Databases, choose msdb
    • Within the msdb database, traverse to Security \ Roles \ Database Roles
    • The SQL Server Agent roles are the ones whose names start with SQLAgent

       

 

Permission Set

Let us dig deeper into these roles and see what they afford us, where they are different, and what is the minimum we can get away with.

Concentric

The roles are listed in increasing order of privileges assigned.

More precisely as Microsoft would say it, they are concentric.

Looked up the term concentric and here is how it is defined:

They are of or denoting circles, arcs, or other shapes that share the same center, the larger often completely surrounding the smaller.

MSFT’s documentation is very useful here, and here it is verbatim:

Link
The SQL Server Agent database role permissions are concentric in relation to one another — more privileged roles inherit the permissions of less privileged roles on SQL Server Agent objects (including alerts, operators, jobs, schedules, and proxies). 

Tabulated

| Role | Definition | Details |
|---|---|---|
| SQLAgentUserRole | Members of SQLAgentUserRole have permissions on only local jobs and job schedules that they own. | a) Have permission on owned jobs |
| SQLAgentReaderRole | SQLAgentReaderRole includes all the SQLAgentUserRole permissions as well as permissions to view the list of available multiserver jobs, their properties, and their history. Members of this role can also view the list of all available jobs and job schedules and their properties, not just those jobs and job schedules that they own. | a) List all jobs – their properties, schedules, and execution history |
| SQLAgentOperatorRole | SQLAgentOperatorRole is the most privileged of the SQL Server Agent fixed database roles. It includes all the permissions of SQLAgentUserRole and SQLAgentReaderRole. Members of this role can also view properties for operators and proxies, and enumerate available proxies and alerts on the server. | a) Manage ( enable or disable jobs, edit job steps ); b) They can execute, stop, or start jobs; c) Delete job execution history |

 

Which Role?

For system jobs we do not want an external job manager as SQL Server Agent is able to do so sufficiently.

We only want an external job manager for specific jobs.

Let us review the predefined system roles and judge their appropriateness for what we have in mind:

  1. SQLAgentOperatorRole
    • Affords all roles to all jobs
    • Too much for us
  2. SQLAgentReaderRole
    • (+)
      • Able to create and manage own job
      • Read privileges on all jobs; their steps, schedule, and run history
    • (-)
      • Job Management does not need to view job data nor review job run history
        • A bit much for our targeted need
  3. SQLAgentUserRole
    • Requirements
      • (+)
        • Create own jobs
        • Run owned jobs
          • Existing jobs ownership can be re-assigned
      • (-)
        • Job has to be owned
          • We have to review what the ramifications of changing job ownership are for each specific job
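
One way to audit the choice above before handing a login to the external job manager, as an added Python example (not Microsoft's or BMC's code). It works on rows shaped like msdb's role-membership and job-owner listings; the logins, the custom role SchedulerAdmins, the job names, and the assumption that the three SQLAgent roles are nested inside one another as role members are constructed for illustration.

```python
# Least to most privileged, in the order the page lists them.
AGENT_ROLES = ["SQLAgentUserRole", "SQLAgentReaderRole", "SQLAgentOperatorRole"]


def roles_held(principal, role_members):
    """Every role the principal belongs to, directly or through nesting.

    role_members is a list of (role, member) pairs; a member may itself be a role.
    """
    held, pending = set(), [principal]
    while pending:
        current = pending.pop()
        for role, member in role_members:
            if member == current and role not in held:
                held.add(role)
                pending.append(role)
    return held


def effective_agent_role(principal, role_members):
    """The most privileged SQLAgent role the principal ends up with, or None."""
    held = roles_held(principal, role_members)
    ranked = [role for role in AGENT_ROLES if role in held]
    return ranked[-1] if ranked else None


def audit_login(principal, role_members, job_owners, jobs_to_run,
                target="SQLAgentUserRole"):
    """List what stands between this login and running jobs_to_run at target."""
    findings = []
    role = effective_agent_role(principal, role_members)
    if role is None:
        findings.append(f"{principal}: no SQL Server Agent role, needs {target}")
    elif AGENT_ROLES.index(role) > AGENT_ROLES.index(target):
        findings.append(f"{principal}: effectively {role}, more than {target}")
    for job in jobs_to_run:
        owner = job_owners.get(job)
        if owner is None:
            findings.append(f"{job}: job not found")
        elif owner != principal:
            findings.append(f"{job}: owned by {owner}, review re-assigning it")
    return findings


# Constructed sample rows (not taken from a real instance).
ROLE_MEMBERS = [
    ("SQLAgentUserRole", "SQLAgentReaderRole"),      # assumed nesting of the
    ("SQLAgentReaderRole", "SQLAgentOperatorRole"),  # three concentric roles
    ("SQLAgentOperatorRole", "SchedulerAdmins"),     # hypothetical custom role
    ("SchedulerAdmins", "ctm_svc"),                  # hypothetical Control-M login
    ("SQLAgentUserRole", "rpt_svc"),                 # hypothetical login
]
JOB_OWNERS = {"Nightly ETL Load": "sa", "Archive Orders": "ctm_svc",
              "Report Refresh": "rpt_svc"}

if __name__ == "__main__":
    for line in audit_login("ctm_svc", ROLE_MEMBERS, JOB_OWNERS,
                            ["Nightly ETL Load", "Archive Orders"]):
        print(line)
```

The indirect case is the one a direct membership listing hides: ctm_svc is never added to a SQLAgent role by name, yet ends up with SQLAgentOperatorRole through the custom role.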

 

Follow Up

Our follow-up task is to review the impact of changing job ownership for specific jobs.

 

References

  1. Microsoft
    • SQL Server Agent Fixed Database Roles
      Link
    • Implement SQL Server Agent Security
      Link

 

General Vincent K. Brooks

Background

In an age where voices can be reduced to soundbites, cliques and inflammatory comments and categorization.

In general finding the worst in each other and blanket statements about “what we have seen before“.

And, those buckets are based on National Origin and Religion.

How do we go forward?

And so we ask ourselves: how do we go forward, or are we just in a maze of bad choices, which leads to stillness and the assumption of a fetal position?

As I was watching an interview yesterday, I heard the name of Vincent Brooks.  I googled on his name and found a couple of freely and broadly accessible videos on youtube.

 

Video

  1. General Brooks discusses his biggest challenges and biggest successes in Iraq.
    Uploaded On :- 2011-May-4th
    Link
  2. GEN Brooks message
    US Pacific, 4 Star General
    Uploaded On :- 2013-July-22nd
    Link
  3. LTG Brooks West Point Visit.mov
    Lt. Gen. Vincent K. Brooks, Commander of 3rd Army, returns to his Alma Mater to speak to the Corps of Cadets about Army Leadership.
    Uploaded On :- 2012-April-10th

    Link

 

Indepth

GEN Brooks message, US Asia Pacific

  1. Command Video for Team 6
  2. Team Qualities
    • True test of a team is not missing a beat even as we change command
  3. Truly blessed to return the Four Star general to Asia Pacific since 1974
  4. Media
    • Another channel for me to air directly
    • It is not a substitute for seeing and hearing in person
  5. Opportunity
    • Training
      • Training our own and our partners and friends
    • Professionalism
      • Exporting professionalism
      • Your Professionalism will be available to our partners
        • Qualities
          • Be yourself
          • And, give each task your best effort
  6. Challenges
    • Fiscal Challenges
      • Fiscal challenges we have as a nation
        • Every dollar we are given, we have to stretch
        • Take care of our people and realize that we are fortunate to have the ones we have
    • Changing Culture
      • We can not allow practices that undermine our pride and the pride we feel as an Army
      • Eliminate Sexual Harassment and Sexual Assault
        • Actions that leave trauma in unit and members of our team
        • Have a culture where these experiences are not able to occur
        • To do
          • Start with yourself
          • Allow others to make it go away
          • Set example for others to see
        • zero tolerance
        • Trust
    • Gratitude
      • Thanks for welcoming my wife and I

 

Webprofusion Ltd – Certify The Web – Day 1

Background

Security has been in the news a lot lately.

In this post, we will talk about using SSL, specifically reaping SSL certificates from LetsEncrypt.Org via “WebProfusion Ltd – Certify the Web“.

LetsEncrypt.Org

Client Options

Here are the Client Options available for Windows

Link

WebProfusion Ltd – Certify GUI –
(.Net, WinForms )

In this post, we will go with WebProfusion Ltd – Certify the Web.

 

Requirement

Outline

  1. Network
    • DNS
  2. Website Availability
    • Website Availability Test
  3.  Software
    • Microsoft .Net v4.5
  4. Microsoft IIS
    • Bindings

Network

DNS

DNS Requirement

From a networking standpoint, the LetsEncrypt validation servers have to be able to connect to the originating computer.

That rules out the following:

  1. Servers that are not reachable over the Internet
    • Servers that only have local IP Addresses

 

DNS Server Names

Here are a couple of popular DNS Servers:

| Vendor | DNS-1 | DNS-2 |
|---|---|---|
| Verisign | 64.6.64.6 | 64.6.65.6 |
| Google | 8.8.8.8 | 8.8.4.4 |
| OpenDNS | 208.67.222.222 | 208.67.220.220 |

 

DNS Validation
nslookup

On MS Windows, we can use nslookup to validate.

Syntax

Here is the syntax


nslookup [FQDN] [dns-server]

Sample – DNS – Google ( 8.8.4.4 & 8.8.8.8 )
Code

nslookup web.labDomain.org 8.8.8.8 

Output

Sample – Verisign ( 64.6.64.6 & 64.6.65.6 )
Code

nslookup web.labDomain.org 64.6.64.6 

Output
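
The nslookup check above, carried one step further as an added Python example (not part of the original post or of Certify The Web): it asks a named DNS server the same A-record question and applies the rule stated earlier that a name resolving only to local addresses cannot be validated. The reply bytes used offline are constructed, and web.labDomain.org is the page's sample name.

```python
import ipaddress
import socket
import struct


def build_a_query(fqdn, query_id=0x1234):
    """Encode a recursive DNS query for the A record of fqdn."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = fqdn.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg, pos):
    """Return the offset just past an encoded (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(msg, pos) + 4             # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(str(ipaddress.IPv4Address(msg[pos:pos + 4])))
        pos += rdlength
    return flags & 0x000F, addresses


def lookup_a(fqdn, server, timeout=3.0):
    """Ask one named resolver directly, like `nslookup fqdn server`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(fqdn), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return parse_a_records(reply)


def assess(rcode, addresses):
    """Say whether the answer is usable for validation from the Internet."""
    if rcode == 3:
        return "fail: name does not exist (NXDOMAIN)"
    if rcode != 0:
        return "fail: resolver returned rcode %d" % rcode
    if not addresses:
        return "fail: no A record"
    public = [a for a in addresses if ipaddress.ip_address(a).is_global]
    if not public:
        return "fail: only non-public addresses: " + ", ".join(addresses)
    return "ok: " + ", ".join(public)


def constructed_reply(fqdn, address):
    """Build a sample response (constructed, not captured) for offline use."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = build_a_query(fqdn)[12:]
    # Answer name is a pointer back to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
    return header + question + answer + ipaddress.IPv4Address(address).packed


if __name__ == "__main__":
    # Live use: assess(*lookup_a("web.labDomain.org", "8.8.8.8"))
    print(assess(*parse_a_records(constructed_reply("web.labDomain.org", "10.0.0.5"))))
```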

 

Website Availability

Website Availability Test

Here are some availability tools:

  1. Uptrends

 

Uptrends.com

Go to https://www.uptrends.com/tools/uptime.

Intentionally entered an invalid URL, in this case upTimeTest.cnn.com

Uptrends.com – Sample

uptimeTest.cnn.com

We entered a FQDN that we know is not available.

hyattHouse.com

We entered hyattHouse.com and we are able to successfully validate.

 

Software

Microsoft .Net Framework v4.5

Although the software can be installed without first installing .Net v4.5, it can not be used.

If one tries to do so, the user is prompted to install .Net 4.5.

BTW, .Net v4.5 has its own requirement in terms of minimal OS.  And, those are:

  1. Windows 2003
    • .Net v4.5 can not be installed on MS Windows 2003
  2. Windows 7
  3. Windows 2012

 

Microsoft IIS

IIS – Site Bindings

Internet Information Server ( IIS )

Site Bindings

We can use IIS Manager and access the Site Bindings

Site Bindings – Original

 

Site Bindings – Add Binding

Click on the “Add..” button.

Add each hostname or alias that you would like to generate a certificate for.

Please add only http entries.

The https will be added for you.

 

Site Bindings – After adding
  
Explanation

In the screen above, we have added the hostname that we would like exposed.

 

Download

Downloaded “Certify The Web” from the Vendor’s website.

As of 2017-July-15th, the current version is V2.0.7-beta4.

Installation

ScreenShots

License Agreement

Image

 

Select Destination Location

Image

Explanation

  1. 9 MB

 

Select Start Menu Folder

Image

 

Ready to Install

Image

Installing ….

Image

Complete the Wizard

Image

 

Usage

Launch “Certify the web“.

Initial Screen

Empty Canvas

New Certificate

Click the “New Certificate” button.

Managed Sites – New Certificate – Options

Image

Explanation

  1. Select IIS Site
    • Chose the IIS Site
  2. Name
    • The Name is only figurative
  3. Primary Domain Name
    • Please choose the Domain Name
    • If none shown, please visit the TroubleShooting section
  4. Alternative Domain Subject Name
    • All of the hostnames registered in the Site Bindings are listed

 

Managed Sites – New Certificate – Advanced

 

 

Explanation

  1. Auto create/update IIS bindings ( use SNI )
    • Chose to use SNI
      • Please read more about SNI ( Server Name Indication )
      • As always Wikipedia is a good source and here is the Link

 

Once you are comfortable with your choices, please click the Save button.

 

Request Certificate

Here are the steps for actually requesting a certificate.

Saved Certificate Request

Here is the screen once a Certificate is Requested.

Image

 

Certificate Received and Installed

Image

Explanation

  1. In the image above, our request has been validated, a certificate has been issued, and installed on our machine.

 

Troubleshooting

Primary Domain Name

Primary Domain Name – Empty

In the example that follows we just installed the Application and we are trying to add a “New Certificate”.

New Certificate

Error – “A primary domain must be selected”

Explanation:

  1. The error message states “A Primary Domain” must be selected
    • The reason is because we have not selected “Primary Domain Name”

 

Remediate:

To fix, please …

  1. Launch IIS Manager
  2. Access Site
  3. Under Sites, select the Web Site
  4. In the Action Panel
    • Under Edit Site, Choose Bindings…
  5. In the “Site Bindings” window
    • Review listed Site Bindings
    • If not listed, click the “Add” button
      • The “Site Binding” window appears
        • In the Host name text box, add the host’s “Fully Qualified Domain Name”

 

Summary

If you are running at a minimum MS Windows 7 ( desktop)  or 2012 ( server ), you should consider “Certify The Web“.

There is a lot more as this is only Day ONE.

 

References

  1. Certify The Web
    • Home Page
      Link
    • Docs
      Link
    • Getting Started
      Link
    • Issues
      • Issues – does not give list of possible domains #83
        Link
  2. Server Name Indication
  3. Browser – SSL
    • Google Chrome
      • Akemi Iwaya
        • Akemi Iwaya – How Do You View SSL Certificate Details in Google Chrome?
          Link
  4. DNS Servers – Public
    • Lifewire
      • LifeWire – Free & Public DNS Servers
        Link