網域DC時間錯誤造成client電腦時間也錯了

 一台虛擬機DC的時間被設定成與底層hyperv系統同步，結果與正確的時間差了一分多鐘。

PDC的時間是正確的，所以並不是所有client電腦的時間都錯了，就看是抓到哪台DC做時間同步。

時間錯誤的DC一開始就直接用NTPCLOCK這個小工具調整成對的時間，但沒多久又變回錯的時間，在該伺服器執行"w32tm /query /configuration"，有看到有一區"VMICTimeProvider"的設定，enable=1，這就是設定成與底層hyperv系統同步的地方。

直接找到HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider ，把enable改成0就好，不用重開機，然後在用NTPCLOCK調成正確時間就行了。

Client端如果不想等重開機做時間同步的話，可以下指令直接強制同步。

要用系統管理員執行cmd，然後輸入 w32tm /resync就可以開始同步了，時間不會馬上就變正確的，而且會慢慢的縮小與正確時間的差距，所以要等一下。

可以開啟client的時鐘，如果是client的時間是比較慢，就會發現秒數有時後會跳的比較快，然後慢慢跟上正確的時間。

Domain Controller Time Error Causing Incorrect Client Computer Time

The time of a virtual machine Domain Controller (DC) was initially set to synchronize with the underlying Hyper-V system, but it ended up being more than a minute off from the correct time.

The time displayed on PDC files was accurate, indicating that not all client computers had incorrect time settings. It depended on which DC the clients synchronized their time with.

Initially, the DC with the time error was adjusted using a small utility called NTPCLOCK to set the correct time. However, after a short while, it reverted back to the incorrect time. When running the command "w32tm /query /configuration" on the server, the configuration showed a section called "VMICTimeProvider" with enable=1, indicating synchronization with the underlying Hyper-V system.

To resolve this, the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider was located, and the "enable" value was changed to 0. There was no need to restart the server. Afterward, the correct time could be set using NTPCLOCK.

For client computers that didn't want to wait for a reboot to synchronize their time, a command could be executed to force synchronization. By running cmd as an administrator and entering "w32tm /resync," the synchronization process would begin. The time wouldn't immediately become correct but would gradually narrow the gap with the accurate time. Patience was required.

Observing the client's clock, if the client's time was slower, one would notice that the seconds occasionally jumped ahead and slowly caught up with the correct time.

弱點掃描 Vulnerable' cipher suites 處理

在用弱點掃描軟體做伺服器弱點檢查時，有些主機有下列這個弱點被掃出: 

Vulnerable' cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

'Vulnerable' cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

就是有3個TLS的連線協定用了不安全的密碼套件TLS_RSA_WITH_3DES_EDE_CBC_SHA。

網路上比較多的解決方法是用IISCrypto這套軟體，免安裝，直接在伺服器上執行，它會列出很多種連線協定跟密碼套件，把你不要的取消勾選按下套用，重開機，就好了。

也有人說要去改機碼，只是比較麻煩，用IISCrypto比較快。

所以我就在查了一下IISCrypto跟改機碼差在哪，結果是一樣的，IISCrypto背後的方式也是改機碼。

所以就決定自己用改機碼的方式在處理:

因為三個連線協定都是用同一個有問題的密碼套件，因此直接先停用這個密碼套件看看。

原本在Chiphers底下是沒有Triple DES 168，就直接新增，加入這段機碼

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

"Enabled"=dword:00000000

好了之後不用重開，直接在掃一次，就沒有這三個弱點出現了。

When conducting a vulnerability scan to check for server weaknesses, some hosts may exhibit the following vulnerability:

Vulnerable cipher suites accepted by this service via the TLSv1.0 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

Vulnerable cipher suites accepted by this service via the TLSv1.1 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

Vulnerable cipher suites accepted by this service via the TLSv1.2 protocol:

TLS_RSA_WITH_3DES_EDE_CBC_SHA (SWEET32)

These vulnerabilities involve the usage of insecure cipher suites, specifically TLS_RSA_WITH_3DES_EDE_CBC_SHA, across all three TLS connection protocols.

One commonly suggested solution found online is to use a software called IISCrypto. It can be executed directly on the server without installation. IISCrypto provides a comprehensive list of connection protocols and cipher suites, allowing users to deselect undesired options, apply the changes, and then reboot the server.

Another approach involves modifying the registry, although this method is considered more cumbersome compared to using IISCrypto, which is faster.

After researching the differences between IISCrypto and registry modification, I discovered that they achieve the same result, as IISCrypto utilizes changes to the registry behind the scenes.

Therefore, I decided to handle the issue by modifying the registry myself:

Since all three connection protocols employ the same problematic cipher suite, the first step was to disable this specific cipher suite.

Initially, the "Triple DES 168" option was not present under the Chiphers section, so I added it directly by inserting the following registry key:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

"Enabled"=dword:00000000

After applying this modification, there was no need to restart the system. Running another scan revealed the absence of the aforementioned three vulnerabilities.

永豐 shioaji api 登入後只有證券帳號 沒有期權帳號

跟期貨營業員確認已申請好了shioaji的api後，在python下指令要列出帳號清單，發現都只有證券帳號，沒有期權帳號，有點怪。

後來上了永豐api官方的telegram去發問，才知道原來當初在申請api key的時後，因為只有證券戶，期貨戶還沒開好，所以申請api key的過程，只有證券戶可以勾選，所以用那組api key登入時就只有證券帳號可以用。

重新在申請一次api key，勾選期權選項後，登入測試就有列出期權帳戶了。

Greenbone Security Assistant 掃描錯誤 : Interrupted at 0 %

之前建了一台 Greenbone Security Assistant做弱點掃描，都很正常，掃完就沒管它，過了快一個月，要在掃一些之前掃過的主機時，工作開始後沒多久就會出現"Interrupted at 0 %"的錯誤，重試幾次都一樣，也沒找到什麼資訊，直接重開機吧。

然後就好了!!!!

Greenbone Security Assistant Scanning Error: Interrupted at 0%

Previously, I set up a Greenbone Security Assistant for vulnerability scanning, and everything was working fine. Once the scans were completed, I didn't pay much attention to it. After almost a month, when I tried to scan some hosts that were previously scanned, I encountered an error shortly after starting the scan, stating "Interrupted at 0%". I retried several times, but the error persisted, and I couldn't find any helpful information. Eventually, I decided to restart the machine.

And guess what? The issue was resolved after the restart!

突然連不到共用資料夾 error code:0x8007003

 某電腦突然無法連線到任何共用資料夾，不管是windows分享的或nas分享的。

直接ping分享的主機名稱或ip都有通，但要連資料夾都會出現0x8007003的錯誤。

查了一下，原來是dns client這個服務被關閉了，預設應該要是自動才對，把這個服務在啟動後，問題就解決了。

Suddenly unable to connect to the shared folder error code: 0x8007003

A certain computer suddenly cannot connect to any shared folders, whether they are shared through Windows or NAS.

Directly pinging the hostname or IP of the shared host is successful, but when trying to connect to the folders, an error with the code 0x8007003 appears.

Upon investigation, it was discovered that the DNS client service had been disabled. It should be set to automatic by default. After starting this service, the issue was resolved.