Another step forward: writing a Gold GIAC paper

On the 7th of July 2008, I decided to turn my hand to a topic that’s out of my comfort zone: writing a long technical paper for a public audience.

What brought about this madness wasn’t a desire to avoid painting the rest of the house or for public acclaim, neither of which is likely to happen; it was to try something I know I’m weak at and get better at it. Going down the SANS path to do this gives me the advantage of having a timeline, an adviser, targets and the goal of getting into the SANS reading room.

I’m attempting to get a couple of hundred words written five days in the week and aim to have a finished draft of around 40 pages. It’s going to be based on using virtual machines as incident response platforms in a corporate Windows environment, when you can’t trust the systems around you. The virtual lab(s) I’m using for the paper’s centrepiece are almost done, so I can get some real, hands-on information into the paper.

Deadline is the 7th of December!

IIS Critical Problem Management Workshop

Spent the last two days bonding with IIS 6, finding out how it works, then how it should work, and keeping it working despite loony applications attempting to stuff it up and shoot it down in flames.

The training was split into day one on the architecture of Windows/IIS 6 and the features and components of IIS 6. Day 2 covered the tools for debugging and analysing IIS.

The class was taken through its paces by Tristan K, an Ms Escalation Engineer in the Sydney Global Technical Support Centre.

The poor bugger.

Training isn’t his day job, but despite some baaaad jokes, he made complex topics understandable, avoided putting the class to sleep, kept things zipping along and kept it enjoyable. We had a couple of major topic detours, but they were pretty darn interesting diversions and well worth the visit. Tristan nailed the questions thrown at him and elaborated on them without blinking; sadly, that impressed me no end.

The first day’s topics covered a few things I didn’t know and went a lot deeper into the wacky world of IIS 6 than I normally consider sane. Picked up a couple of pearls of wisdom that will make some things easier in the day job.

Day 2 was going well, and I picked up some awesome details on SPNs, when the topic turned to debuggers. It was like stepping off into deep water with several large bricks tied to each limb.

The journey, plummeting to the bottom, was fascinating, if somewhat incomprehensible and full of hex. Attempting to reach the surface, things weirdly started to make sense, or sort of. Tristan ran through the core free debuggers provided by Ms and how to use them to pull useful info out of applications and their operations. The value of this is vast, if I can make the time to learn the Win32 architecture and fit the pieces together.

I was a bit disappointed that we didn’t have any take-away practice labs to play with once the course had ended.

It made me realise how much there’s still to learn out there. Foolishly, our trainer gave us his email address. Mu-ha-ha. I give him a week after I send my first email on how I stuffed up something with a debugger and what does it all mean anyway before he puts me on the spam filter…

The path to MCSE 2008: Exam 1, 070-620

In a bout of madness, I booked in the 070-620 TS: Windows Vista, Configuring exam with the vague thought that I need to get the studying for the new Ms OS seriously underway, rather than mucking around with it on VMs.

Upgrading from MCSE 2003 to 2008, or MCITP: Enterprise Administrator (sooo much more fun to say…), is three exams: Vista, then two about all the new features in 2008 and how to use them.

There are two Vista exams I could have taken; neither really seemed appropriate for “Enterprise admins”, so I picked the configuration one. RTFM would have been a great place to understand what they are actually testing on, but hey, I run Vista at home and sort of know what I’m doing.

Wrong.

The exam is for those that work with home users or very small companies that don’t use Vista on a domain.

I had found one of the MsPress books, MCTS Self-Paced Training Kit (Exam 70-620): Configuring Windows Vista™ Client by Ian McLean and Orin Thomas. Orin lives in Oz, so if I failed, my plan was to track him down and make him do the re-sit for me :-)

The book wasn’t too bad and I enjoyed the comments from Ian, who’s English. I half expected a line starting with “In the good old days…”, but the anecdotes are well worth the read.

The book covers how to use Vista (if it never goes on a domain), how to use all the built-in software (which we all ditch the second we install Office) and how to use all the home features (that you’d never let on a company network). All of which makes you wonder why it’s part of the Enterprise admin’s exam, but hum-ho.

The lads did a nice job of putting in real-world commentaries and suggestions, which were nice touches.

Anyhow, I rushed in to do the exam, as Real Life™ doesn’t just stop when I fancy doing an exam, and I have this Forefront project going on amongst other things.

Top tip: make sure you put the right date of the exam in the calendar. I managed to arrive an entire day early. Oops.

I then turned up on the right day and finished the exam in about 45 minutes. There were about 6 questions of the 56 I had no idea about; the topics were in the book, but I must have passed out when looking at them. Using the old Sherlock Holmes deduction method got me through those. To be honest, anything to do with faxing isn’t a fun topic for me, and for the few I had on Media Centre I had to flash back to watching a friend set up his Xbox with Vista Ultimate. Kevin, you legend, I think that got me past the finishing post ;-)

For those desperate to pass, the book covers all the objectives nicely, and hands-on practice with Vista Ultimate, following the actual practices in the book, is very helpful and should get you over the 700 pass mark easily.

Passing the Forefront 070-557 exam

A few days ago, I thought “what the heck” and booked in the 070-557 exam.

I’ve built enough labs and worked with the software for a while now, and was feeling fairly confident I’d do okay.

The exam wasn’t what I expected, or perhaps I overestimated what the questions would be. To be fair, the Ms exam prep was pretty spot on for what you needed to understand.

The questions were fairly straightforward, and if you’ve built a few Forefront systems, got them working correctly and read the guides published by Microsoft for Forefront, I’d say you’d have a very decent chance of passing. The deployment and administration guide for Forefront and the user guides for Exchange and SharePoint were the most useful for real life and the exam prep.

You’ll have to have installed and configured the Exchange and SharePoint protection as well. You’ll need to understand some of the more obscure settings, but hey, it’s a test. If you don’t have access to test on these, go and play on Ms’ excellent Virtual Labs; they cover all three major components of the product. I spent a bit of time mucking around with the features in the virtual labs when my own labs weren’t available and found them excellent sandboxes to muck around in.

Not quite the full 1000, but close enough. A pass is a pass anyway ;-)

Microsoft Certified Technology Specialist: Microsoft Forefront Client and Server – Configuration

That’s one tick off on the study list.

What FCS shouldn’t Scan

Have been digging around and looking for best practices on what not to scan, such as SQL and Exchange databases and the like.

Found this little gem in the depths of Ms Kb files:

Recommended Forefront Client Security file and folder exclusions for Microsoft products

Nice additional services covered here.

Read it, print it, then apply the separate policies to your server OUs!

For Exchange 2007, more options = more complicated changes = File-Level Antivirus Scanning on Exchange 2007

TEST, TEST, TEST before putting it into production ;-)

Simple guide ripped from the above link:

Windows systems in general
• Microsoft Windows Update or Automatic Update related files:
  • The Windows Update or Automatic Update database file, located in %windir%\SoftwareDistribution\Datastore. Exclude the Datastore.edb file.
  • The transaction log files, located in %windir%\SoftwareDistribution\Datastore\Logs. Exclude the following files:
    • Edb*.log (the wildcard character indicates that there may be several files)
    • Res1.log
    • Res2.log
    • Edb.chk
    • Tmp.edb

Domain Controllers

Pretty much the entire %windir%\ntds directory for AD, then the SYSVOL tree as follows (the more specific entry wins, so a Scan entry under an excluded parent is still scanned):

1. %systemroot%\sysvol: Exclude
2. %systemroot%\sysvol\domain: Scan
3. %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory: Exclude
4. %systemroot%\sysvol\domain\Policies: Scan
5. %systemroot%\sysvol\domain\Scripts: Scan
6. %systemroot%\sysvol\staging: Exclude
7. %systemroot%\sysvol\staging areas: Exclude
8. %systemroot%\sysvol\sysvol: Exclude

Exchange Servers

The core list of files that should be exempted is all .edb, .log, .chk and .stm files.

IIS

%systemroot%\IIS Temporary Compressed Files

ISA (you shouldn’t have AV on the ISA, as it’s not supposed to be used to do anything other than protect the network!)

Exclude the ISALogs.

SharePoint
• Drive:\Program Files\SharePoint Portal Server
• Drive:\Program Files\Common Files\Microsoft Shared\Web Storage System

SQL

• SQL Server data files that have the .mdf, .ldf and .ndf extensions

SMS

Well, look through the link and work out if it’s causing grief: http://support.microsoft.com/kb/327453/

For the more paranoid, I’d use direct path names to each file. Use folders only for those systems that generate files on the fly, such as databases.
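An added example (not from the KB article or the original post) that works through the domain controller SYSVOL list above: it decides Scan or Exclude for a given path by taking the most specific matching entry, which is the reading the list implies (%systemroot%\sysvol is excluded as a whole, yet %systemroot%\sysvol\domain\Policies is still scanned). The sample paths and the contoso.local domain name are constructed; it assumes PowerShell 2.0 or later and reads %systemroot% from the machine it runs on.

```powershell
# Added example: evaluate the nested SYSVOL Exclude/Scan list for a path.
# Most specific matching entry wins; anything no entry covers is scanned,
# since that is what the scanner would do with no exclusion at all.

$SystemRoot = $env:SystemRoot   # assumption: run on (or as if on) the DC itself

# Rule table copied from the list above; Scan entries override their parent Exclude
$SysvolRules = @{
    "$SystemRoot\sysvol"                                                 = 'Exclude'
    "$SystemRoot\sysvol\domain"                                          = 'Scan'
    "$SystemRoot\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory" = 'Exclude'
    "$SystemRoot\sysvol\domain\Policies"                                 = 'Scan'
    "$SystemRoot\sysvol\domain\Scripts"                                  = 'Scan'
    "$SystemRoot\sysvol\staging"                                         = 'Exclude'
    "$SystemRoot\sysvol\staging areas"                                   = 'Exclude'
    "$SystemRoot\sysvol\sysvol"                                          = 'Exclude'
}

function Get-ScanDecision {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [hashtable] $Rules = $SysvolRules
    )
    $target = $Path.TrimEnd('\')
    $best   = $null
    $cmp    = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($prefix in $Rules.Keys) {
        # A rule covers its own directory and everything beneath it
        $covers = $target.Equals($prefix, $cmp) -or
                  $target.StartsWith("$prefix\", $cmp)
        # Keep the longest (most specific) covering prefix
        if ($covers -and ($null -eq $best -or $prefix.Length -gt $best.Length)) {
            $best = $prefix
        }
    }
    if ($null -eq $best) { return 'Scan (no rule; scanner default)' }
    return "$($Rules[$best]) (rule: $best)"
}

# Constructed sample paths showing the nesting behaviour
@(
    "$SystemRoot\sysvol\domain\Policies\{GUID}\Machine\Registry.pol",
    "$SystemRoot\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\stale.tmp",
    "$SystemRoot\sysvol\staging areas\contoso.local\update.dat",
    "$SystemRoot\sysvol\sysvol\contoso.local\scripts\logon.bat",
    "$SystemRoot\system32\drivers\etc\hosts"
) | ForEach-Object { '{0,-78} -> {1}' -f $_, (Get-ScanDecision -Path $_) }
```

Every path that resolves to Exclude is a blind spot for the scanner, so the output doubles as a list of what to cover by other means (file integrity monitoring, restrictive ACLs) before the policy goes to the DC OU.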

Building a one-topology FCS server

Well, to keep myself amused, I decided to build a second version of the lab.

Getting the other files needed for FCS downloaded:

MMC 3.0 x86

GPMC (SP1)

.Net Framework 2 (SP1)

Windows Update Agent 3.0 x86

Windows Update Agent 3.0 x64

WSUS 3.0 x86

ISA 2004 Hardening Guide

Then, on the existing WSUS server, export the data files and import them on the new server. From a great Ms blog post:

WSUS: Moving Files and Metadata from one server to another

The WSUS command line reference

To make life easier when declining superseded WSUS 3.0 updates:

In the WSUS MMC, on the Updates screen, right-click on the title bar and select Supersedence. This will allow you to arrange all the various updates into order.

Highlight all the superseded updates and decline them.

Getting in to the mindset of the 70-557 exam

Having a fairly good lab in place and having played with the technologies, I thought I’d read the exam objectives for Forefront 70-557.

Exam topics covered

The following list includes the topics covered on this exam. The percentage indicates the portion of the exam that addresses a particular skill.

Deploying client agents and policies (32 percent)
Configuring server products (34 percent)
Maintaining the infrastructure of the client and server (25 percent)
Monitoring protection status and activity (8 percent)

It seems pretty straightforward, until I flipped back to the top section and noticed the following gems:

The typical candidate should have knowledge of the following products and technologies:

Active Directory
Windows Server Update Services (WSUS)
Microsoft SQL Server 2005
Microsoft Operations Manager
Microsoft Exchange Server 2007
Microsoft Office SharePoint Server 2007
Microsoft Live Communication Server
Instant Messenger security

Okay, WSUS, MOM and AD are fair game, and I can also understand the SQL 2005 part, but lumping Exchange, SharePoint and Live Communications Server into the exam?

Yes, these products need protection, but surely, if they are part of the exam, shouldn’t a section exist in the skills measured section? A quick bit of searching on the net has confirmed my fears. Ms has left out the study topic, but included both the Exchange and SharePoint parts in the exam: Server Protection: Forefront™ Server Security Products

Hold on… could Configuring server products (34 percent) actually cover those two options as well?

Oh yes it does. Delightful. Glad the folks that write the exams give us the full story on what we should study for…

I know that separate software exists under the Forefront banner for protecting Exchange and SharePoint, so I guess it’s time to kill another tree and print out the documentation for both of those products.

Best of both virtual worlds – making Vmware and Ms Virtual Server friends

In a moment of madness I found myself needing to run both Vmware Workstation and Microsoft’s Virtual Server. I wasn’t too keen on the idea of running them on the same box.

I just went with the simple solution: Vmware on one machine, Virtual Server on another, a handy piece of crossover RJ45 Ethernet cable (a hub or a switch works wonderfully too!) and the spare network card in both machines. These new dual-NIC motherboards, you have to love them!

Unticked all features in the NIC settings, such as TCP/IP, File and Print Sharing and Client for Ms Networking.

In Vmware – Virtual Network Editor – Host Virtual Network Mapping, bound the second NIC to VMnet6, then bound that interface to the VM images.

In Virtual Server – Virtual Network – Create a new network adapter on the physical computer, selected the second NIC and gave it a pithy name (06 Internal), then bound that interface to the VM images.

Fired up a VM on each machine and then the moment of truth:

ICMP PING … reply, TTL 128 … IT LIVES!

Mu-ha-ha!

Kicked off the new empire building, with VMs springing up on both machines. Have a happy little Windows domain running, with ISA load-balanced firewalls!

Wahoo! – Beats watching the junk on TV….

RFC 1918 gives everyone a class A network for home; who am I to say no to a network of 16 million machines ;-)