SharePoint 2007 – securing the Central Administration site with SSL

After a “friendly discussion” with a development group, I pointed out the minor problem of SharePoint’s Central Administration site running in HTTP and all those usernames and passwords traveling in clear text across the wire. A quick demo with Wireshark got the message across, but they looked blankly at me on how to lock down the site.

*sigh*

After the SSL certificate has been placed on the site, run this at the cmd prompt:

stsadm -o setadminport -ssl -port 443

Then set the web site to require SSL.

The  of the steps here, but remember, with IIS 6, 1 SSL cert per IP address, unless you have a wildcard cert!

When Forefront Ignores BITS settings for WSUS Updates

Those who like to keep their network links from hitting 100% utilization need to keep the following in mind:

Forefront clients normally run in background mode for updates from a WSUS server, so they will use the BITS settings, which you hopefully have applied by a GPO to all your machines. Background Mode, using BITS, is a slow, controlled, steady stream of data.

That is, unless you do the following, which puts Forefront/WSUS into Foreground Mode.

Foreground Mode uses all available bandwidth to download the updates.

1) Hitting the Scan Now button in the Forefront Console

2) Hitting the Check for Updates button in the Forefront Client

3) Selecting Check for Updates before Scanning in the Forefront Console GPO setting

Why is this bad?

Forefront clients normally download a delta file which is between 500kb and 1 Mb. This keeps the definitions up to date. However, once the definitions get out of date, which is anything up to two to three weeks old, the Forefront client will download the entire definition file of 30MB.

Across a LAN, who cares? But across the WAN? Planning your WSUS and OU infrastructure with GPO policy and placement suddenly becomes a lot more important, especially if you have a large fleet of laptops at remote sites with poor bandwidth.

Data Protection Manager (DPM) 2007 and Forefront hiccup

Found an odd bug with DPM and Forefront. Forefront detects a virus and puts it into a manual clean mode. DPM stops synchronizing until the file is manually cleaned.

Background

Users' folders are being redirected to a server: My Documents, Profiles etc. The user machines are only set to quick scans.

The server does a full scan, out of hours, of all the files on the server. It detects compressed files containing infected files (in .zip/.rar/.iso/etc.) and tries to clean them. It fails to clean or remove the infected file and places an alert in MOM and on the server in question (the big red cross on the Forefront icon is displayed). DPM ’07 tries to back up the file but appears to stop. Forefront has “locked” access to the file. Until manual action is taken, in this case the compressed file is deleted from the user’s My Documents, Forefront fails to clean it and DPM won’t back up the server. Once the file is deleted and Forefront confirms the system is clean again, DPM continues on its happy way of replicating the data.

Microsoft have been informed and we’re waiting on an answer.

—- Update——

After building a lab or two and talks with MS (thanks Lee!), discovered the new client build 1.5.1958.0 KB956280 fixes the problem. Have deployed it to a number of previous problem sites and DPM is behaving itself nicely.

SANS 401 Mentor course in Brisbane – starts Feb ’09

One of the great opportunities of taking courses is meeting great people.

During the six day madness of the Canberra SANS conference, I met a host of top folk. One of those people, Ashley Deuble, who took the 401 track with me, is now mentoring the SANS 401 track in Brisbane. It starts on Tuesday, February 10, 2009 and is well worth getting excited about for those who want to learn about security in IT.

He passed the exam with flying colours and I’m sure will bring his own experiences, flair and passion to mentoring the sessions.

Ashley did a fab blog posting on taking the 401 exam and even has a comment and further tips from Stephen Northcutt, SANS CEO!

Details are as follows:

Date: Tuesday, February 10, 2009
Meeting Time: 6:00 PM – 8:00 PM
Where:

CS Energy
Level 21
66 Eagle St
Brisbane Qld, Australia 4001

Go to the SANS web site and book it in now. Early bird discounts are available.

Top local security training for you Queenslanders out there in BrisVegas!

Demos Happen {Here} Comp

Well, very interesting night and despite the room being filled with any sysadmin’s natural enemy, the dreaded cowboy developers, it was great fun.

I was the seventh one up (out of 11 presenters) and had spent most of my time listening to SQL or coding based talks. I actually learnt a number of things and it was much more fun having a live presenter walking through their stuff.

I decided to split from my carefully planned script and took on a persona of a demented sysadmin (BOFH). I spent a good 5 minutes ranting and telling bad jokes, 2 minutes of demo-ing File Server Resource Manager, 3 minutes telling off developers and 4 minutes filling in the rest of the FSRM story. So much for sticking to the 10 minute time line. Oops. Managed to get a few laughs, a couple of points across and numerous death threats for the large assembled group of developers. :-)

After all that Tatham Oddie won the demo comp, with an excellent presentation. His style was very calm, clear and well practiced. Something to aspire to or, at least, attempt next time around.

I’m now the proud owner of a bright orange T-shirt. Still somewhat confused on what Roger was thinking on the colour, but I’m sure it made him laugh.

Well worth the time and energy to be part of the community!

Fab night and thanks again to both Roger and Andrew for judging and kind words.

National Community Demonstration Competition – State Finals!

I received an email today:

Demos Happen Here – State Finals

Dear Chris

Congratulations!! We are excited to advise that your demo has been chosen to proceed to the next round of the demo competition – the State Finals.

We received several incredible entries in the National Community Demonstration Competition, and now it is your turn to strut your stuff and present live at the State Finals.

I now have to stand up in front of a judging panel and group of other very worthy peers to give the FSRM presentation again!

The rest of the field is here and there are some excellent presentations. I was hoping to be the only infrastructure-focused one up there but I see Ken Schaefer has sneaked two great presentations in at the last minute! Ken does some top talks and always seems to be one step ahead of the pack.

Really looking forward to seeing how it goes and learning a couple of presentation tips and tricks from the others there!

All this from making a bit of free time to join a user group and being part of the community!

Update Forefront Client KB952265

Meant to post this when the patch surfaced on 23rd July 2008.

It takes the engine to Client Version: 1.5.1955.0 from Client Version: 1.5.1941.0 if you check the About details.

KB952265

Basically fixes a couple of things Forefront can break if it’s running on a web server, SharePoint, WebDAV, IIS7 or a 2008 server with Hyper-V. So not massively essential to get out there, for most of us.

It requires a reboot if you apply the patch by running the .exe. Not so much fun for those of us in Ops roles with out-of-hours-only reboot windows.

However, if you extract the files from the .exe you’ll find the new mp_ambits.msi.

This doesn’t require a reboot to install. Hurrah!

You should also replace the old ones in your Forefront deployment points/shares. There’s one for x86 and x64. Don’t get them mixed up.

Oh, and for those using Forefront and Windows 2008 Core, read this for trying to install the update KB955884.

Forefront and Windows 2000 Installations

Got nailed with two odd install errors while pushing out Forefront to old 2000 systems.

Odd Problem One

The dreaded GDI+ error:

This product requires GDI+. Please load the Windows 2000 Security Software PreRequisite Pack.

gdiplus+ error on Windows 2000


But I have! And the GDIPLUS.DLL is in the %systemroot%\system32 directory too!

So after attempting a bunch of things, got this to work (yes, using the magic of batch files!).

Downloaded and extracted gdiplus.dll to the Forefront distribution point and created this batch file to create the directory “C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware” and copy the gdiplus.dll there. Forefront installed without further issue!

Example

REM Straight quotes are required; cmd.exe does not treat curly quotes as quoting
REM
REM Create GDIPLUS.DLL path
MD "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware"
REM
REM Copy GDIPLUS.DLL locally
copy .\GDIPLUS.DLL "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware"
REM

Odd problem two

Attempting to install on an old 2000 server and Forefront continued to fail. Checked the log and it was failing at the MOM agent install. All that was there was momagent.msi 3: -2147287037

Helpful.

So eventually copied all the Forefront install files to the C drive and re-ran the install locally. Worked without issues.

I now look forward to deleting that server and attempting to get back the hour of my life spent searching the internet without any luck.

Forefront and MOM agents not playing nice on the MOM console

These annoying errors keep popping up in my Forefront MOM console from Forefront MOM agents on random machines around the network.

Error in the MOM Console

Type: Warning
Provider Name: Application
Event Number: 21294

Description:

The response processor was denied to execute a response. The action account the MOM Agent is using doesn’t have enough privileges. Returned error message: Access is denied.

Type: Warning
Provider Name: Application
Event Number: 21245
Provider Type: Event Log
Source: Microsoft Operations Manager
Category: MOM Agent

Description:

The response processor failed to execute a response. The response returned the error message: The object exporter specified was not found.

MS have a paper on these typical errors:

http://technet.microsoft.com/en-us/library/bb643197(TechNet.10).aspx

My fix to sort out 50+ alerts of these in one fell swoop:

From the MOM console sort the errors by type, select them, right click and copy the selected text. Drop it into a text editor, clean it up and get a list of all the computer names.

Drop the computer names into a text file, each on their own line, and save (FailedTargets.txt).

To cheat and do a couple of quick fixes, my “Superior” batch skills came to the fore and I knocked this up with PsExec. Could have been done with SMS, login scripts or a proper script but quick and dirty …

Example:

psexec.exe @FailedTargets.txt -c MOMclient.bat

MOMclient.bat contents

REM Sets the correct dependence on the MOM service

sc config mom depend= rpcSs/eventLog/winmgmt

REM Stops then starts the MOM service on the target machine

net stop MOM

net start MOM
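
The clean-up step described above (copied alert text in, FailedTargets.txt out), as an added PowerShell example that is not part of the original post. The "Computer:" field, the blank-line separation between alerts and the sample alerts themselves are assumptions constructed for illustration.

```powershell
# Added example, not from the original post. ASSUMPTION: each pasted alert has
# "Computer:" and "Event Number:" lines and alerts are separated by blank lines.
# The sample text is constructed; adjust the patterns to what your console pastes.
$sample = @'
Type: Warning
Computer: CORP\WKS-0142
Event Number: 21294

Type: Warning
Computer: CORP\WKS-0007
Event Number: 21245

Type: Error
Computer: CORP\SRV-FILE01
Event Number: 9999

Type: Warning
Computer: corp\wks-0142
Event Number: 21245

Type: Warning
Computer: <not resolved>
Event Number: 21294
'@

function Get-FailedTargets {
    param(
        [string]$AlertText,
        [int[]]$EventNumbers = @(21294, 21245)   # the two events from the post
    )
    $targets = @{}
    foreach ($block in ($AlertText -split '(?:\r?\n){2,}')) {
        # Keep only alerts for the events being remediated.
        if ($block -notmatch '(?m)^Event Number:\s*(\d+)\s*$') { continue }
        if ($EventNumbers -notcontains [int]$Matches[1]) { continue }
        # Strip an optional DOMAIN\ prefix and accept only NetBIOS-style names,
        # so stray console text never reaches the PsExec target list.
        if ($block -notmatch '(?m)^Computer:\s*(?:[^\\\s]+\\)?([A-Za-z0-9-]{1,15})\s*$') { continue }
        $targets[$Matches[1].ToUpper()] = $true   # hashtable key = de-duplication
    }
    $targets.Keys | Sort-Object
}

# One name per line, ASCII: the list PsExec reads via @FailedTargets.txt
Get-FailedTargets -AlertText $sample | Set-Content -Encoding ASCII FailedTargets.txt
Get-Content FailedTargets.txt
```

Only the two machines with matching event numbers and well-formed names end up in the file; the unrelated alert, the duplicate and the unresolved name are dropped before anything is pushed out with PsExec.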

Another step forward; writing a Gold GIAC paper

On the 7th of July 2008, I decided to turn my hand to a topic that’s out of my comfort zone; writing a long technical paper for a public audience.

What brought about this madness wasn’t a desire to avoid painting the rest of the house or for public acclaim, neither of which is likely to happen, it was to try something I know I’m weak at and get better at it. Going down the SANS path to do this gives me the advantage of having: a time line, an adviser, targets and the goal of getting in to the SANS reading room.

I’m attempting to get a couple hundred words written five days in the week and aim to have a finished draft of around 40 pages. It’s going to be based on using virtual machines as incident response platforms in a corporate Windows environment, when you can’t trust the systems around you. The virtual lab(s) I’m using for the paper’s centrepiece are almost done, so I can get some real, hands-on information into the paper.

Deadline is the 7th of December!