Microsoft: Only signed drivers for Windows Vista x64

According to this Microsoft page and this Golem-Article (German), Microsoft is going to make driver signatures from Microsoft mandatory for any driver running in kernel space in Windows Vista x64. They claim security reason for this.While (faulty) drivers definitely can lead to serious (security) problems under Windows, they sometimes fulfill cruitial parts, especially in windows file system monitoring, for which there are many legitimate reasons. Having to go through the WHQL for every driver (and every minor patch) seems a little costly and time consuming to me…

Well, after all, for me it seems to be three things:

  • Additional money through additional drivers going through WHQL,
  • Anti Open-Source projects,
  • Building up the infrastructure for an (almost unbreakable) Digital Rights Management system.

Update 2007-01-23: I have to revise most points of this, as I now learned something new about it. Vista x64 will accept digitally signed drivers, but they do not necessarily be signed by Microsoft. Read more in my updated article.

Out of /dev/random?

Ever happened to run out of random numbers?

Well, if you are using Apache together with mod_ssl you can easily run into the situation that after starting up Apache, requests to it will block up to several minutes or time out. This happenes, if Apache is configured to use /dev/random as a source for random numbers which are required in the initialisation of mod_ssl and similar, if you have to few entropy information left for the generation of more secure random numbers.
As suggested in a Gentoo Forums article, you can emerge the tool sys-apps/rng-tools, which provides you with rngd, a daemon collecting entropy from hardware random number generators and feeds /dev/random with this data.

If you happen (like me) to not having a hardware random number generator on your server’s mainbord, rngd will use /dev/urandom as a source of entropy and mix it with entropy collected from your system. While this will indeed result in a certain drop of “randomness” of /dev/random, it still has major advantages by reducing the startup time of apache to several seconds, as /dev/random will not block any more.

Don’t forget to add rngd to your server’s default runlevel (rc-update add rngd default).

Windows 2003 Server as NTP client

Our Windows 2003 Server refused to sync the clock via NTP. Main reason for this behaviour is the fact that as PDC it wants to change the NTP server’s clock as well, which is normally not permitted by the NTP server and the packet is discarded.

To change the preferred server of the Windows Time service (w32time), follow these steps:


w32tm /config /manualpeerlist:<server>,0x8 /syncfromflags:MANUAL

w32tm /config /update

net time /querysntp

w32tm /resync

(source: Meinberg Funkuhren – FAQ – Windows synchronisiert nicht mit NTP (German))

Apache: Force SSL for a Directory Using .htaccess and mod_rewrite

To force SSL on a given directory using .htaccess, use the following code. It requires mod_rewrite enabled in Apache. Adjust the path in the RewriteRule to match the full qualified URL of the HTTPS-domain.


RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Bugzilla: Active Directory Integration

As you might have guessed from previous posts, I’m currently in the process of implementing a single-sign-on scenario within our network. Or, at least, I’m trying to have at least one single username/password combo for all internal services. Authentication is therefore realized against an Active Directory, based on a Microsoft Windows 2003 Server.

For integration of Bugzilla into the Active Directory, see this link (Update: Link is broken, for an archived version, use this link, thanks to the commenter!).

IKVM.NET: Interaction between C# and Java

A nice project, everyone coming from Java and migrating to C#:
IKVM.NET Home Page

It is a JVM implemented in .NET, contains a .NET implementation of a lot classes from the Java class libraries (JDK), compliance of 1.4 almost complete and contains tools for interop between Java and .NET.

TikiWiki and Active Directory Integration

If you want to authenticate TikiWiki agaist Microsoft Active Directory, have a look at this article.

The most interesting part in this posting is that if you are using a Windows 2003 Server, you need to patch the LDAP.php in the PEAR authentication module, as Win2k3 by default does not allow any anonymous queries against the directory.

In <tikiroot>/lib/pear/Auth/Container/LDAP.php search for the following line in function _connect():

if ((@ldap_bind($this->conn_id)) == false) {

and replace it with

if ((@ldap_bind($this->conn_id,"someuser","somepassword")) == false) {

Note, that someuser is in the form of user@domain.tld.

I also recommend to choose to authenticate your admin user against the internal database and not the LDAP (AD) container, otherwise you will lock yourself out easily.

Changing MSDE Authentication Scheme After Installation

If you are using Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) you are supposed to decide if you are going to use “integrated windows authentification” only or if you are using “mixed mode authetication”. Latter is sometimes considered less secure but if you are developing ASP.NET applications it can be easier to use a non-NT user for the connection.

If you ever tried that you are surly familiar with the “login is not associated with a trusted connection” exception when trying to access the database. Today I had to install an ASP.NET application on a server with MSDE where mixed mode authentication was not available. A quick research on the net revieled a blog entry indicating how to change the authentication scheme of MSDE after the installation.

  • Stop the MSDE service
  • Search the registry for

    HKEY_LOCAL_MACHINE\Software\Microsoft\MSSqlserver\MSSqlServer

    (for unnamed instances) or

    HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft SQL Server\Instance Name\MSSQLServer\

    (for named instances)

  • Change the key LoginMode to value 2.

Unlike a comment on the page, value 0 will not work (at least it didn’t in my case).

Opera for Free

Opera is now available for free, ads and registration have been removed.

Just gave it a quick try, and I have to say, I like it 😉 I think, Firefox is going to have to co-exist with Opera on my HDD.

Update: According to Heise.de (German), Opera has been downloaded over 1 million times within only two days, more than any previous (ad-enabled) version.