Friday 8 December 2017

Moving TFS 2015 databases to a new server


We have an on-premise Team Foundation Server (2015) which we use for our source control.  Everything is installed on the one VM: TFS and SQL Server (also SQL Reporting Services and Analysis Services, but we don't actually use them).
Our plan was to move the database to a new server, including the TFS Configuration database.  This was so that we could uninstall SQL Server.

The steps taken:
  • As it was a virtual machine we were able to create a snapshot of it before we moved anything, which is always good in case a rollback is required.
  • Log in to the VM with an account that has full TFS permissions.
  • Open the administration console window and select Team Project Collections, then Detach the collection.
  • Close the administration console when completed.
  • Perform a SQL backup of the TFS_ databases.
  • Restore the SQL backups to the new SQL Server
  • Grant the TFS Service account DBO access to the databases and add any logins.
  • Stop IIS, open a command prompt:
    •  IISReset /Stop
  • Stop the TFS Services:
    • Team Foundation Ssh Service
    • Visual Studio Team Foundation Background Job Agent
    • Visual Studio Test Controller
  • Open an (elevated) command prompt
    • CD C:\Program Files\Microsoft Team Foundation Server 14.0\Tools
    • TfsConfig registerDb /sqlInstance:<NewSQLServer> /databaseName:Tfs_Configuration
    • Note: If the command prompt hangs, give the TFS Admin account higher SQL permissions. 
  • Open the administration console window and select Application Tier, then Reapply account.



  • Disable the SQL Server services (to be sure that it is not being used).
    • SQL Server
    • SQL Server Agent
    • SQL Server Analysis Services
    • SQL Server Integration Services
    • SQL Server Reporting Services
  • In the TFS Administration Console select Team Project Collections and Attach the collection.
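The command-line steps above, collected into one script as an added example (not part of the original post). The function names, the `$NewSqlServer` parameter and the SQL display-name patterns (which assume a default local SQL Server install) are assumptions; the TFS service names and the Tools path are the ones listed above.

```powershell
# Added example, not from the original post. Run from an elevated prompt on the TFS VM.
param([Parameter(Mandatory)][string]$NewSqlServer)   # stands in for <NewSQLServer>
$ErrorActionPreference = 'Stop'
$tools = 'C:\Program Files\Microsoft Team Foundation Server 14.0\Tools'

# Display names exactly as listed in the post.
$tfsServices = 'Team Foundation Ssh Service',
               'Visual Studio Team Foundation Background Job Agent',
               'Visual Studio Test Controller'
# Assumption: display-name format of a default local SQL Server install.
$sqlPatterns = 'SQL Server (*', 'SQL Server Agent (*', 'SQL Server Analysis Services (*',
               'SQL Server Integration Services*', 'SQL Server Reporting Services (*'

function Stop-TfsAppTier {                            # hypothetical helper name
    & iisreset.exe /stop
    if ($LASTEXITCODE -ne 0) { throw "iisreset /stop failed with exit code $LASTEXITCODE" }
    foreach ($name in $tfsServices) {
        $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "Service not installed: $name"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -InputObject $svc -Force }
    }
}

function Register-TfsConfigDb {                       # hypothetical helper name
    # Assumes TfsConfig returns a non-zero exit code on failure.
    & (Join-Path $tools 'TfsConfig.exe') registerDb "/sqlInstance:$NewSqlServer" '/databaseName:Tfs_Configuration'
    if ($LASTEXITCODE -ne 0) { throw "TfsConfig registerDb failed with exit code $LASTEXITCODE" }
}

function Disable-LocalSqlServices {                   # hypothetical helper name
    # Disabling only changes the startup type, so a running instance is also stopped here.
    foreach ($svc in (Get-Service -DisplayName $sqlPatterns -ErrorAction SilentlyContinue)) {
        Set-Service -Name $svc.Name -StartupType Disabled
        $svc.Refresh()   # -Force on the engine may already have stopped dependent services
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
    }
    # Return whatever is still running so the caller can fail loudly.
    Get-Service -DisplayName $sqlPatterns -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Stopped' }
}

Stop-TfsAppTier
Register-TfsConfigDb
Read-Host 'In the administration console: Application Tier > Reapply account, then press Enter'
$running = Disable-LocalSqlServices
if ($running) { throw "Still running: $($running.DisplayName -join ', ')" }
Write-Host 'Local SQL services disabled; now attach the collection in the administration console.'
```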

Wednesday 12 April 2017

Stop remembering passwords!


I have heard a number of times recently of people unwittingly giving away their passwords or reusing passwords on different websites.  With the number of websites being hacked increasing, if one site that you have created an account with uses poor security then your email address and password will be known; hackers will then try other websites with that username and password.  If you reuse the password they will have access.
I recently heard that someone had their Facebook account compromised (as they reused the password) and they tried to get money from their Facebook friends.

So don't reuse passwords!  I mean it!

Ok, but this means
"I will need a different password for each website that I use, that's ridiculous, I can't remember them all!"
This is where Password Managers come in.

So what is a Password Manager?
A password manager is an application that remembers all of the passwords for you.  Most of them will automatically register when you have logged in or changed a password for a website and will pop up and ask if you want to save or update it.  This works really well when you are using a PC but not so well (in my opinion) when on a mobile device.
All of the passwords that are stored in the password manager need to be secured by, yes you've guessed it - a password!
However, I dislike the phrasing here; they should be protected by a passphrase rather than a single word.  The longer a password the more secure it is; using numbers and special characters does help, but it is the length that makes it harder to crack.

So when creating a passphrase it should be something that you'll remember, be fairly secure, and contain letters, numbers and digits.
This video (from Google) gives an idea of how to create secure passwords:


There are a number of different password managers around but I'll limit this to just three (as I don't have enough time to review them all).

KeePass (free)
KeePass works really well if you log in from one device all the time and you want full control over where your passwords are stored.  Personally I think it also works best on a PC rather than a mobile device.

It works by creating your own vault, which is where you store the passwords, and you have to maintain them.  It requires you to remember to add the passwords to the vault and update them if the password has changed.
You can create folders and store the entries where you like.


The downside to KeePass is when you want to use it with multiple devices such as mobile phones.  As the vault is stored in a file, for it to be on a mobile device the file needs to be made available using Dropbox or a similar tool.  When I did this I had problems with the database being overwritten as it wasn't in sync and I lost entries.  This led me to look for another tool.

LastPass (free and paid for mobile use)
I was introduced to LastPass by a friend and I've been quite happy with it.
When I first installed the extension into Chrome it took me through a process with an import mechanism to extract any passwords from Chrome, and importing from KeePass was fairly straightforward (from what I can remember now).
When used on a PC LastPass will automatically populate the username and password if it knows the password, so normally I just need to hit login and the job is done.
Also when I need to create an account it abstracts away the password process and automatically stores the new entry if you choose to.
If you want to use LastPass on a mobile device you need to upgrade to the premium version; the cost for this is $12 for a year.
The mobile version uses an app (free to download) that has a built-in browser with the functionality to populate usernames and passwords when you browse to a website, in the same way it does when you use a PC.
If you are using a separate mobile app you need to copy and paste the password, which involves flicking between the apps.  This is a bit of a pain, but I believe it is a common problem between all password managers (maybe less so if the app uses Google or Facebook logins).
With LastPass it is possible to arrange how the sites are stored and to create a shared area, allowing a single username and password to be used by two or more people.

I feel obligated to say LastPass has recently come under some criticism as some faults have been found in the way they store passwords:  https://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
Personally I think any review of security is a good thing and LastPass have been very quick to respond and resolve the issues raised.

1Password (free and paid for)
I haven't actually used 1Password but my understanding is that they are very similar to LastPass.
The premium version is $2.99 per month (billed annually) so it is a fair bit more expensive than LastPass, but it is recommended by a number of people including Troy Hunt, who is an industry-recognised security researcher.

I urge everyone to use a password manager and not to re-use passwords.
With so many websites being hacked, if you reuse a password it won't be long before someone else knows your password.

Have I been Pwned?

If you suspect or are paranoid, Troy Hunt has a website where you can enter your email address and it will inform you if it has been exposed by a breach (a website that has been hacked).
https://haveibeenpwned.com/

As a final word, don't trust anything!  If an email or webpage looks too good to be true, it probably is!
If someone on Facebook suddenly asks you to take payment for something on eBay and send them the money, think twice and speak to the person.