Saturday, April 23, 2005

MOM Admin Console may fail with Windows Server 2003 SP1

Quote -
A problem has been identified in the MOM Administrator Console. After Microsoft Windows Server 2003 has been upgraded to Service Pack 1, the Administrator Console may fail when the Computer Groups node is selected. This fix resolves the issue.
Symptoms
When affected by this issue, the Administrator Console may fail with the error message “The remote procedure call failed”. This occurs when the MOM 2005 Management Server is running on a server that has Microsoft Windows Server 2003 Service Pack 1 installed.

Wednesday, April 20, 2005

SMS and MOM are NOT going to merge

New directions for System Center! System Center is now a brand for a number of products. Read it from the horse's mouth in the MMS press room, or from the WinInfo Daily UPDATE. You can find it on the net here, and I just realized that I can get it as an RSS feed instead of by e-mail.

Deploying MOM agent on WS2003 SP1 problem

Read the briefly titled ;) "The Microsoft Operations Manager 2005 agent does not install on computers that are running Windows XP with Service Pack 2 (SP2) and Windows Server 2003 with Service Pack 1 (SP1)" KB for more information.
In short, if you are running Windows Firewall, you either have to do a manual setup or tweak the firewall to allow pushing the agent.

After the release of SCW, the articles are getting plastered with: "Important: These steps may increase your security risk. These steps may also make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to, or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you choose to implement this process, take any appropriate additional steps to help protect your system. We recommend that you use this process only if you really require this process."
The funny thing is, though, that if the programmers just checked what they received from the network, no per-computer firewall would ever be necessary. The claim above must mean that the programmers at Microsoft are not there yet... (but anyway, this is how it was before SP1)

First run of SCW failed

My first run of Security Configuration Wizard (SCW) on my first Windows Server 2003 SP1 system failed. Needless to say, my first system is a virtual system. First, I created a new policy and saved it. Next, I re-ran the wizard to apply the policy. It failed - it said it could not get an endpoint to the Windows Firewall Service.

I quickly figured out the reason. My server has two network cards. One is bound to a Microsoft loopback adapter on my host. The card could not get an IP address, so it was in the 'limited or no connectivity' state. I disabled the NIC and the wizard could complete. The state prevented the wizard from applying the policy.

The behavior is not consistent. If I disabled the NIC, applied the policy, removed the policy, enabled the NIC and applied the policy - I could not reproduce the error. Even after rolling back the policy and restarting the server, I could not reproduce the error message...

I'll try it on another server another day.

Branding Explorer running as admin account #2

There is a - perhaps better - alternative to identifying your admin windows than the one I mentioned in my earlier post. Thanks to Aaron, who is doing a lot of blogging on this subject, I have adjusted my bat file to use branding bitmaps as well. Aaron suggested this method in "RunAs" basic (and intermediate) topics, below the section Some tips and tricks. Aaron seems to have got his idea from someone called Keith.
The updated bat does it all. I have kept the old title-branding stuff that uses the html redirect. If you have multiple administrative accounts, you may want to differentiate between them. The bat file creates a yellow bitmap so I know I have one that can be used. One of my design goals was to have it all in one bat file (maybe I should have used one script file - some other time maybe). The bat file generates all the necessary stuff. The bat file got too big to fit in here, so you can download it instead. Another problem with using cut & paste to transfer bat files is that the process seems to change some characters. You may not be able to see the difference in Notepad - but if a bat file or script fails in strange ways, that could be the reason. Consequently, I provide the file as a download.

Tuesday, April 19, 2005

Branding Explorer running as admin account.

You know by now that you should not be running as local administrator. Instead you should use runas when administrative permissions are needed.
Running different programs often does not pose problems; simply start the program. But running stuff involving Explorer does. My favorite way of using Explorer is by using Internet Explorer. I do a “%programfiles%\Internet Explorer\Iexplore.exe” and enter c:\temp or whatever in the address bar.
The next problem is to keep track of whether an Explorer window is privileged or not. I would like to brand the windows, so it is clear which mode I’m in. I tried to change window colors and themes, but they all seem to be global. Finally, I came up with Internet Explorer branding. If you change “HKCU\software\Microsoft\Internet Explorer\Main\Window Title”, the text will appear on the title bar. There is just one problem – if you start iexplore with a file system path argument, the branding does not appear. Note that all command lines are bulleted so wrapping does not confuse you. The command –


will have the branding. This –

  • "%programfiles%\Internet Explorer\Iexplore.exe" c:\temp
will not.
Can this be overcome? Yes. Use an html file that redirects to the file system path. In this way iexplore starts with html and uses the branding.
I have wrapped it all up in this bat file, which I call exp.bat –


  • REM exp.bat - open a file system path in a branded Internet Explorer window
  • REM %~1 strips surrounding quotes, so a quoted path with spaces still works
  • set url=%~1
  • REM brand the title bar with the account this window runs as
  • reg add "hkcu\software\microsoft\internet explorer\main" /v "Window Title" /d "%userdomain%\%username%" /f
  • set html=%temp%\explorer-redirect.htm
  • REM the meta refresh needs http-equiv (not equiv); ^ escapes the angle brackets for cmd
  • echo ^<html^>^<head^>^<meta http-equiv="REFRESH" content="0; URL=file:%url%"^>^</head^>^</html^> > "%html%"
  • start "" "%programfiles%\Internet Explorer\Iexplore.exe" "%html%"
Use it this way -
  • Exp c:\temp

Monday, April 18, 2005

Windows Server 2003 SP1 Compatibility

Microsoft has released a Knowledge Base article on programs that work and (more interestingly) programs that don't work with SP1 (seen on Bink.nu).

Thursday, April 14, 2005

Exchange server 2003 SP2 will be supported on virtual servers

As Per wrote previously, Exchange Server isn't currently supported on Virtual Server - but this will change in the future. According to this KB article regarding "Windows Server System software not supported within a Microsoft Virtual Server environment", it will be supported when SP2 for Exchange has been released.

Wednesday, April 13, 2005

Microsoft USB Flash Drive Manager

Came across this interesting download. Abstract -
Use this application to back up and restore presentations, pictures, songs and applications from and to USB Flash Drive devices and take them with you. Use USB Flash Drives to store personal data, to keep your network configuration and to share information with your friends. Microsoft USB Flash Drive.
Read more by following the download link.

Put Windows Installer 3.1 into your baseline

Building a new PC platform? Consider adding the newly released Windows Installer 3.1 to it to avoid updating it later. Get it here. Read more in KB 893803.

Batch job argument ramblings

You have to learn something new every day. I just did that again today. I learnt two things –
  1. shift has no influence on %*
  2. getting rid of quotes in arguments can be done in an easier way than I used to – or can it?
Take this example: I want to execute a bat file, use the first two arguments and collapse the rest into one. I thought I could do it with:
Set arg1=%1
Set arg2=%2
Shift
Shift
Set rest=%*
But no – it does not work :(

I used to get rid of quotes with
Set arg=%1
Set arg=%arg:"=%


I found in the help that it can be done with
Set arg=%~1
And I was happy to find an easier way, but only for a short while. If there are embedded quotes it does not work, so my old method is still the best :)

If you are not aware of the other stuff %~ can do, consult Help and Support Center on your PC. A useful feature is this:
Set BatFileDirectory=%~dp0
Copy "%BatFileDirectory%\somefile.exe" somewhere


Back to the %*. How can it be done? Try this – other clever ways are welcome –
set arg1=%1
set arg2=%2
set rest=
:restloop
REM %3 is the next argument not yet collapsed; shift /3 below keeps %1 and %2 in place
set onevalue=%3
if defined onevalue (
if defined rest (
set rest=%rest% %~3
) else (
set rest=%~3
)
shift /3
goto restloop
)
REM strip any remaining quotes; the guard keeps an empty rest from becoming the literal text %rest:"=%
if defined rest set rest=%rest:"=%
A warning: If the input contains parenthesis, you have to make a goto-based implementation instead of the multi-line if.

Exchange 2000/2003 security vulnerability

Snippet from MS05-021 -

A remote code execution vulnerability exists in Microsoft Exchange Server that could allow an attacker to connect to the SMTP port on an Exchange server and issue a specially crafted command that could result in a denial of service or allow an attacker to run malicious programs of their choice in the security context of the SMTP service.

Further info and links for download can be found here

How to prevent chkdsk from running on a cluster resource

I had a customer calling me tonight with a problem on their Windows 2000 Cluster (they had to bring it down due to maintenance of their SAN, and when it was brought online one of the groups failed to come online).
The disk resource was in a state of 'Online pending' and it was impossible to stop it (as you might know, a resource in a pending state can't be configured or brought into an offline, online or failed state - either through the GUI or through the Cluster command).
It wasn't immediately apparent what the problem was, either from looking in Event Viewer or in the cluster log (found in %SystemRoot%\Cluster\Cluster.log). But we remembered that the last time the Cluster was brought down (due to a power failure) the Cluster wanted to run a Chkdsk on the largest volume (1.2 TB RAID 5 - I don't even want to guess how long that takes - maybe some of you have experience with that?).
Furthermore, we could see that it created a log file called ChkDsk_Disk1_SigXXXXXXX.log. We then found that each time the disk resource was being started it brought up an empty Command Prompt (named Chkdsk) on the Console (not at the RDP connection ;-) - but it didn't seem to start running, and the log file stopped growing after a few minutes. Additionally, the Disk's drive letter and description disappeared and reappeared from the Parameters tab on the disk resource.
We tried to stop the Cluster Service (Net Stop ClusSvc), which timed out, so I ended up killing the process with Kill.exe (TaskKill in Windows Server 2003). When we restarted the Service the Disk Resource once again ended in a state of online pending.

Due to the critical nature of this Cluster, we had to find a way to bring this resource online without needing to run ChkDsk. There are basically two settings/registry keys that define how Chkdsk is run on a Cluster: one is SkipChkdsk (a value of 1 means skip; 0 is the default) and the other is ConditionalMount (if SkipChkdsk equals 0, then a value of 0 will fail the disk resource and the default value of 1 will run 'Chkdsk /f' against the resource before bringing it online).

As the Disk resource in question was in a pending state, I was unable to configure it through the Cluster.exe command 'Cluster Clustername res "Disk X:" /priv ConditionalMount=1', so I had to once again "kill" ClusSvc and then change the registry key containing this setting. All registry keys for a Microsoft Cluster's resources are contained within the HKLM\Cluster\Resources\'GUIDs' keys. I found the correct key by searching for the correct description of the disk resource and verifying that it had the correct disk signature (found by using Diskpart - Detail Disk), and changed the ..\Parameters\ConditionalMount REG_DWORD value to 0. After this I restarted the Cluster Service and the disk resource failed immediately. Then I used the "correct" way to set the SkipChkdsk value, namely through the Cluster command, and brought the Disk resource and the group online (remember you can't configure these properties when the resource is 'pending' or the cluster service is stopped).

Problem solved (Well not really - more like symptom solved - I guess we need to revamp the Cluster when we upgrade it to 2003 SP1 anyway).

More resources can be found here, and KB article 223023 describes ConditionalMount and SkipChkdsk in further detail.

Tuesday, April 12, 2005

Two-Factor Authentication: Too Little, Too Late

Two interesting essays/posts on two-factor authentication and its limited usefulness (at least according to well-known security expert Bruce Schneier). The first article/essay discusses his view on the limitations of two-factor authentication (it doesn't prevent phishing and Trojan attacks), and the second post gives further explanation of his original essay (and includes some interesting comments too).

Friday, April 08, 2005

Internet Zone is stored along a downloaded file

This is cool and fun stuff! At least for me :)
Stumbling on the article called "Description of how the Attachment Manager works in Windows XP Service Pack 2" when looking for other stuff, this caught my attention: "When you save files to your hard disk from a program that uses the Attachment Manager, the Web content zone information for the file is also saved with the file. For example, if you save a compressed file (.zip) that is attached to an e-mail message to your hard disk, the Web content zone information is also saved when you save the compressed file."
Later, this: "The Web content zone information is saved together with the files only if the hard disk uses the NTFS file system" made me realize that the information must be saved in an NTFS stream. I set out to reveal the information saved, so I started by using Streams from Sysinternals to list the streams -
C:\> streams TweakMCE.msi

NTFS Streams Enumerator v1.1
Copyright (C) 1999 Mark Russinovich
Systems Internals - http://www.sysinternals.com

TweakMCE.msi:
:Zone.Identifier:$DATA 26


Seeing the contents of a stream is not straightforward, but more can do it. Note the file name syntax -

C:\> more < TweakMCE.msi:Zone.Identifier
[ZoneTransfer]
ZoneId=3
Finally, the zone number can be translated to a name with reg -

C:\> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v DisplayName

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    DisplayName    REG_SZ    Internet
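An added example, not code from the original post: a small Python parser for the Zone.Identifier stream shown above, so a script can check whether a downloaded file still carries its zone mark and which zone it came from before trusting it. The constructed sample is the 26-byte stream that streams.exe reported for TweakMCE.msi; the zone names are the standard URL security zone ids. It goes slightly beyond the post by keeping any extra keys later Windows versions write into the same section (such as HostUrl). parse_zone_identifier and read_file_zone are this example's own names.

```python
import re
import sys

# Standard URL security zone ids (the ZoneId the Attachment Manager writes).
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

STREAM_NAME = "Zone.Identifier"

# Constructed sample: the 26 bytes streams.exe listed for TweakMCE.msi above.
SAMPLE_STREAM = b"[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(data):
    """Parse INI-style Zone.Identifier text into a dict of [ZoneTransfer] keys.
    ZoneId becomes an int and ZoneName is added; extra keys (e.g. HostUrl) are kept.
    Raises ValueError when no numeric ZoneId exists in a [ZoneTransfer] section."""
    section = None
    fields = {}
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not fields.get("ZoneId", "").isdigit():
        raise ValueError("no numeric ZoneId in a [ZoneTransfer] section")
    zone = int(fields["ZoneId"])
    fields["ZoneId"] = zone
    fields["ZoneName"] = ZONE_NAMES.get(zone, "Unknown zone %d" % zone)
    return fields


def read_file_zone(path):
    """Read <path>:Zone.Identifier on NTFS; None means the file carries no mark."""
    try:
        with open(path + ":" + STREAM_NAME, "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(read_file_zone(target) if target else parse_zone_identifier(SAMPLE_STREAM))
```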


Windows 2000 -> 2003 upgrade kills DNS replication of secondary DNS zones!?

I just want to tell you about an odd little problem that I found during a Windows 2000 to Windows 2003 domain upgrade project with one of my customers (actually my all-time favourite customer ;-). The project included consolidation of their Domain Controllers/DNS Servers into fewer servers and upgrading a Top Level Domain and later their primary domain. During our planning/testing phase, we decided to in-place upgrade the excess servers to Windows Server 2003 before demoting them and reinstalling the servers on new iron ('cause in our experience 2003 handles the process of demoting a DC much better than Windows 2000).

When we upgraded the Domain Controllers in our lab environment, we found that the secondary DNS zones on these servers didn’t receive any updates from their primaries. Oddly there weren’t any errors during normal operation or when using “Transfer from Master”; zone transfers first started working when we deleted/recreated the secondary zones. At first we thought this was a “lab error” – but during the real-world implementation we checked this again and found the same problem (although this time we found that “Reload from Master” and a little patience also solved the problem).

Wednesday, April 06, 2005

Using a custom view from an SMS report

It is possible to create your own custom view in SQL and use it in an SMS report. I just did it. I could not find any info on it, so the method might be unsupported. This is how you do it -
  • Create the view in the SQL database (SMS_sitecode)
  • Use a name that does not conflict with existing or future names and that follows the SMS conventions, e.g. v_MyCompany_name
  • From the view's permissions, enable select access for the webreport_approle
In the SMS report SQL you can now reference the view. Note that it does not appear in the list; I do not know how that can be done. Also beware of any security side-effects: depending on what you do in the view, you may bypass the SMS security, so the report user could get access to data he/she should not see.
This is completely unsupported, so the risk is on you!

Friday, April 01, 2005

SMS Scripting Guide

Was released the other day. Get it from MS Downloads. It contains some very good examples. One I found particularly useful was the Status Filter Rule example. Add it to your scripting arsenal.