Thursday, December 19, 2019

CentOS check and install available security updates

1. To install the yum-security plugin
yum install yum-plugin-security
2. To list all available security updates without installing them
yum updateinfo list sec available
To get the count
yum updateinfo list sec available | wc -l
3. To install available security updates
yum -y update --security
To install only the packages that have security errata, use
yum update-minimal --security -y
To install a security update using a CVE reference
yum update --cve <CVE> (e.g. yum update --cve CVE-2008-0947)



Refer to:
https://access.redhat.com/solutions/10021
https://www.thegeekdiary.com/centos-rhel-6-how-to-list-or-install-only-security-updates-with-yum/

Configure CentOS to use the USTC mirror

CentOS repositories:
https://mirrors.ustc.edu.cn/help/centos.html


EPEL repository:
http://mirrors.ustc.edu.cn/help/epel.html

Wednesday, December 18, 2019

Disable Firefox update notification

To add a policy, follow the steps:

1. Go to the Firefox installation directory (for any supported OS).
2. Create a directory called distribution.
3. Change directory into distribution.
4. Create a file called policies.json and paste in this code:

{
    "policies": {
        "DisableAppUpdate": true
    }
}
Save the file and quit the editor.

5. Restart Firefox if it's already running.
6. To confirm, you can go to the URL about:policies and check if there's an entry like this

Policy Name     Policy Value
DisableAppUpdate    true

Tuesday, December 17, 2019

RDP running over TLS v1.2


Part 1:

Disable other Protocols with IIS Crypto



Part 2:


  1. Start the registry editor by clicking on Start and Run. Type "regedit" into the Run field (without quotations).
  2. Highlight Computer at the top of the registry tree.  Back up the registry first by clicking on File and then on Export.  Select a file location to save the registry file.
     Note: You will be editing the registry.  This could have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.
  3. Browse to the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  4. Right click on the Protocols folder and select New and then Key from the drop-down menu. This will create a new folder.  Rename this folder to TLS 1.2.
  5. Right click on the TLS 1.2 key and add two new keys underneath it.
  6. Rename the two new keys as:
    • Client
    • Server
  7. Right click on the Client key and select New and then DWORD (32-bit) Value from the drop-down list.
  8. Rename the DWORD to DisabledByDefault.
  9. Right-click the name DisabledByDefault and select Modify... from the drop-down menu.
  10. Ensure that the Value data field is set to 0 and the Base is Hexadecimal.  Click on OK.

  11. Create another DWORD for the Client key as you did in Step 7.
  12. Rename this second DWORD to Enabled.
  13. Right-click the name Enabled and select Modify... from the drop-down menu.
  14. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click on OK.
  15. Repeat steps 7 to 14 for the Server key (by creating two DWORDs, DisabledByDefault and Enabled, and their values underneath the Server key).
  16. Reboot the server.
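
The registry steps in Part 2 as a PowerShell script that also backs up the SCHANNEL key and reads the values back before the reboot. This is an added example, not part of the original post; it must run in an elevated console, and the backup file location under %TEMP% is an assumption.

```powershell
# Added example: scripted form of the Part 2 registry steps (run as administrator).
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$tls12    = "HKLM:\$schannel\Protocols\TLS 1.2"
$wanted   = [ordered]@{ DisabledByDefault = 0; Enabled = 1 }   # values from the steps above

# Export the SCHANNEL key first; the target path is an assumption, change as needed.
$backup = Join-Path $env:TEMP ('schannel-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export "HKLM\$schannel" $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry export failed; nothing was changed.' }

foreach ($role in 'Client', 'Server') {
    $key = Join-Path $tls12 $role
    # Only create the key when it is missing: New-Item -Force on an existing
    # registry key would recreate it and drop values that are already there.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null    # -Force also creates "TLS 1.2" itself
    }
    foreach ($name in $wanted.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $wanted[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

# Read everything back so a typo or a blocked write is caught before the reboot.
$report = foreach ($role in 'Client', 'Server') {
    $props = Get-ItemProperty -Path (Join-Path $tls12 $role)
    foreach ($name in $wanted.Keys) {
        [pscustomobject]@{
            Key      = "TLS 1.2\$role"
            Name     = $name
            Value    = $props.$name
            Expected = $wanted[$name]
            Ok       = ($props.$name -eq $wanted[$name])
        }
    }
}
$report | Format-Table -AutoSize

if ($report.Ok -contains $false) {
    throw "TLS 1.2 values do not match; restore with: reg.exe import `"$backup`""
}
Write-Host "TLS 1.2 keys set. Backup saved to $backup. Reboot the server to apply."
```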

Monday, November 25, 2019

Web console will not open after upgrading FortiGate firmware

Old firmware version: 5.4.4
New firmware version: 5.6.2

1. Enter the CLI
2. Reset the HTTPS server certificate to "Fortinet_Factory"
config system global
set admin-server-cert "Fortinet_Factory"
end

Thursday, November 21, 2019

VirtualBox "Call to WHvSetupPartition failed"

Solution: disable Hyper-V

Open PowerShell as administrator, run the following command, then reboot
bcdedit /set hypervisorlaunchtype off

Monday, November 11, 2019

Install a certificate for RDP

Prerequisites:

1. Install the Root CA
2. Install the Intermediate CA
3. Install the issued certificate in IIS

Method 1: (PowerShell)
Open a PowerShell console (Run as administrator) on your RD Session Host. Type/paste the commands below:

This command displays the thumbprint of the certificate; copy it to a text file or something similar:
Get-ChildItem "Cert:\LocalMachine\My"
This is a variable to set the WMI path to the RD Session Host RDP listener (Where the certificate needs to be changed):
$PATH = (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices)
Finally this is the command to change the active certificate on the RDP listener:
Set-WmiInstance -Path $PATH -argument @{SSLCertificateSHA1Hash="thumbprint"}
The "thumbprint" above is the value you noted earlier; insert it between the quotation marks.

References:
https://social.technet.microsoft.com/Forums/en-US/bcedb97f-b86f-485a-a39f-579f947cf367/how-install-ssl-certificate-for-rds-on-windows-server-2016?forum=winserverTS

https://serverfault.com/questions/444286/configure-custom-ssl-certificate-for-rdp-on-windows-server-2012-and-later-in-r


Method 2:
wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="thumbprint"
Reference:
 https://blog.brankovucinec.com/2016/12/06/how-to-install-custom-certificate-on-rdsh-server/

Friday, November 8, 2019

Understanding in and out for a Cisco ACL applied to a VLAN

1. An access-list applied outbound to a vlan interface filters traffic going TO machines on that vlan.
2. An access-list applied inbound to a vlan filters traffic coming FROM machines on that vlan.

Reference:
https://community.cisco.com/t5/switching/acl-direction-when-applied-to-a-vlan-on-a-switch/td-p/1423652 

Tuesday, February 19, 2019

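A small pitfall when AD acts as the NTP server inside Hyper-V

The time source is "VM IC Time Synchronization Provider" and cannot be changed


Solution:
Turn off "Time synchronization" in the Hyper-V settings



Also check whether the Hyper-V host's time is correct:
Hyper-V enables "Time synchronization" by default, and a source of "VM IC Time Synchronization Provider" means the AD server takes its time from Hyper-V. As long as the Hyper-V host's time is accurate, turning off "Time synchronization" is not really necessary.
Recommended: external time source -- Hyper-V -- AD -- Others

Reference: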
https://mikefrobbins.com/2010/05/17/active-directory-and-server-time-synchronization-problems-with-hyper-v/


Wednesday, February 13, 2019

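Install .NET Framework 3.5 offline on Windows 10

1. Prepare the Windows 10 installation disc / ISO image

2. Open cmd.exe and run the command (x: is the drive letter)
DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:x:\sources\sxs

Within x:\sources\sxs, the following two files are the ones that matter; you can also copy them out and change the path in the command above accordingly
microsoft-windows-netfx3-ondemand-package~31bf3856ad364e35~amd64~~.cab
Microsoft-Windows-NetFx3-OnDemand-Package~31bf3856ad364e35~amd64~en-US~.cab
(The Windows 10 above is the English edition)
Note: these two files must be the same as the ones in the ISO the system was installed from, otherwise an error is reported

Reference:
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/deploy-net-framework-35-by-using-deployment-image-servicing-and-management--dism
(at the very bottom of the page)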

Sunday, January 13, 2019

Start a service at boot on Linux

Enable a service at boot:
chkconfig --add test
chkconfig test on

List the enabled services:
chkconfig --list

Reference: https://www.thegeekstuff.com/2011/06/chkconfig-examples/


Convert multiple PNG files into one multi-resolution ICO file

Tool: ImageMagick
Command: magick convert -background transparent sample*.png sample.ico