Availability

I will be available for work from the 15th of May.  I’ve just wrapped up a MOM 2005 project followed by a short SMS 2003 R2 project.  I’m going to be attending the Minasi Forum 2007 Meetup and then follow that up with a little time off.

Please check out my CV/Resume, the content of this blog and my whitepapers if you are interested.  You can contact me via email (Website<AT>highwaycsl.com).  I won’t be responding to work mail while I am at the Forum meetup.

User State Migration Toolkit 3.0.1

USMT enables you to capture a user’s state (profile, settings and files such as documents) from a PC during a migration and then restore it onto the user’s new PC.  Microsoft has released a new version, 3.0.1, of the kit.

A great example of how you can use this kit in an automated way is with Operating System Deployment (OSD) in SMS 2003 (via a free feature pack) or with Configuration Manager 2007.  You can create a task sequence that includes a step to identify and store the user state on a dedicated file share.  The user’s PC can be rebuilt with a new OS build and then the user state is restored.  If all goes well, the user won’t be missing any files or data!  Keep in mind that the state store on that share holds the users’ documents, so lock the share and NTFS permissions down to the account OSD uses and clean the store up once a restore has succeeded.

Blackberry Outage in North America

The Register reported today that there is an outage on the RIM network that is preventing messages from being transferred to/from Blackberry devices in North America.

For me, this provides another reason not to use Blackberry.  Personally, I’d not be happy with transferring messages over a third-party organisation’s servers.  I also don’t like the idea of installing software on my Exchange servers that increases complexity AND requires a licence/subscription per user.  Now, on top of that, an outage on their network will prevent your messages from being transferred.

The solution?  Use the Direct Push email functionality (Exchange ActiveSync) that was introduced in Exchange 2003 SP2 and is native to Exchange 2007.  There is no additional software and no additional licensing, and it gives you control over your Windows Mobile PDA/phone devices.  The device connects over HTTPS straight to your Exchange front-end across your own Internet connection, so the only third party in the path is the mobile carrier’s data network; no other organisation’s servers are involved in your message transfer, and a RIM outage is irrelevant to you.  Since you are exposing Exchange to the Internet, publish it over HTTPS only, with a certificate the devices trust.

So keep it simple and use the functionality that is there in the software you already own!

Credit: The Register.

Security Alert KB935964 Update

Microsoft Security has seen some attacks on this vulnerability "in the wild" over the last few days, though it is not widespread yet.  MS is still working on a fix and hopes to issue it in the May Patch Tuesday bundle.  If you are concerned then check out the article by Jesper Johansson that I linked to a few days ago.  MS also included some workarounds in their original security alert.

Updated: SMS 2003 Inventory tool for Dell Updates

Dell has updated its Inventory tool for managing Dell computers using SMS 2003 (SP1 or later).  It enables you to manage BIOS versions, Dell management software and drivers on Dell computers from SMS 2003.

It uses the old Inventory Tool method:

  • An advertisement runs a synchronisation tool that downloads a catalog.
  • You approve updates for deployment – this creates a package to be deployed to clients.
  • The inventory (scan) tool runs on SMS clients via an advertisement and reports which updates apply; the clients then download and install the approved update packages.

I wonder if Dell and HP have started looking at Configuration Manager 2007?  It doesn’t natively use the Inventory Tool approach for software updates.  Instead it uses Deployment Packages and a new Client Agent.  Third-party catalogs can be imported into CM 2007 using System Center Updates Publisher … it’s similar to the Custom Updates Publishing Tool in SMS 2003 R2’s Inventory Tool for Custom Updates.

KB935964: Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution

Microsoft has issued an alert over a vulnerability in the RPC management interface of the DNS Server service on Windows 2000 Server SP4 and Windows Server 2003 SP1 and SP2.  If you are running an older, unsupported service pack level of these OSes you should assume you are affected too.

Jesper Johansson has posted a blog entry showing how to apply Microsoft’s recommended mitigation (restricting the DNS server’s RPC interface to local calls via the registry) to a large number of computers from a server list and the command line.  Be aware that the workaround disables remote management of those DNS servers over RPC (the DNS MMC snap-in from another machine, remote dnscmd) until the patch is installed, so you will be managing them locally or over RDP in the meantime.  My advice is to apply it if you feel you are seriously at risk, and only after you have fully tested both the change and a back-out plan.  In the end, it’s up to you what you do!
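As an added example (my own script, not the original post’s and not Jesper Johansson’s), here is the same idea in PowerShell: read a server list, save each DNS server’s current setting, apply the registry workaround that Microsoft’s advisory 935964 documents (RpcProtocol = 4 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters), restart the DNS service, and offer a -Restore switch that puts the saved values back.  The file names, the PowerShell 2.0 requirement and the assumption that Remote Registry and WMI are reachable on every server are mine.

```powershell
# Added example (not from the original post and not Jesper Johansson's script).
# Applies, or backs out, the registry workaround from Microsoft Security Advisory
# 935964 on every DNS server named in a text file (one hostname per line).
# Value name/data are the ones the advisory documents:
#   HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\RpcProtocol (REG_DWORD) = 4
# i.e. the DNS server's RPC interface only accepts local procedure calls, so the
# vulnerable remote path is closed (and so is remote DNS management) until patched.
# Assumptions: PowerShell 2.0+, run as a user with admin rights on each server,
# Remote Registry and WMI reachable; the file names below are mine.
param(
    [string]$ServerList = ".\dns-servers.txt",        # assumed input file
    [string]$Backup     = ".\rpcprotocol-backup.csv", # previous values, for back-out
    [switch]$Restore                                  # back out using $Backup
)

$keyPath   = "SYSTEM\CurrentControlSet\Services\DNS\Parameters"
$valueName = "RpcProtocol"
$mitigated = 4

function Get-RpcProtocol([string]$server) {
    # Returns the current value, or $null if it was never set (= default, all protocols).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $server)
    $key  = $hklm.OpenSubKey($keyPath, $false)
    if ($key -eq $null) { $hklm.Close(); throw "DNS Parameters key not found (is $server a DNS server?)" }
    $v = $key.GetValue($valueName)
    $key.Close(); $hklm.Close()
    return $v
}

function Set-RpcProtocol([string]$server, $value) {
    # $null deletes the value, which puts the server back to its pre-workaround default.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $server)
    $key  = $hklm.OpenSubKey($keyPath, $true)
    if ($value -eq $null) {
        $key.DeleteValue($valueName, $false)
    } else {
        $key.SetValue($valueName, [int]$value, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close(); $hklm.Close()
}

function Restart-DnsService([string]$server) {
    # The advisory notes the change only takes effect once the DNS service restarts.
    $filter = "Name='DNS'"
    $svc = Get-WmiObject -Class Win32_Service -ComputerName $server -Filter $filter
    if ($svc -eq $null) { throw "DNS service not found on $server" }
    [void]$svc.StopService()
    $tries = 0
    while ((Get-WmiObject -Class Win32_Service -ComputerName $server -Filter $filter).State -ne "Stopped") {
        $tries++
        if ($tries -gt 30) { throw "DNS service on $server did not stop within 60s" }
        Start-Sleep -Seconds 2
    }
    [void]$svc.StartService()
}

function Format-Value($v) { if ($v -eq $null) { "<unset>" } else { "$v" } }

if ($Restore) {
    # Back-out path: restore each saved value (empty field = value did not exist before).
    foreach ($row in (Import-Csv $Backup)) {
        $old = if ($row.Previous -eq "") { $null } else { [int]$row.Previous }
        try {
            Set-RpcProtocol $row.Server $old
            Restart-DnsService $row.Server
            Write-Host ("{0}: RpcProtocol restored to {1}" -f $row.Server, (Format-Value $old))
        } catch { Write-Warning ("{0}: {1}" -f $row.Server, $_) }
    }
    return
}

# Apply path: record the current value first so the change can be reversed.
$records = @()
foreach ($s in (Get-Content $ServerList | Where-Object { $_.Trim() -ne "" })) {
    try {
        $old = Get-RpcProtocol $s
        $records += New-Object PSObject -Property @{ Server = $s; Previous = $old }
        if ($old -eq $mitigated) { Write-Host ("{0}: already mitigated" -f $s); continue }
        Set-RpcProtocol $s $mitigated
        Restart-DnsService $s
        Write-Host ("{0}: RpcProtocol set to {1} (was {2})" -f $s, $mitigated, (Format-Value $old))
    } catch { Write-Warning ("{0}: {1}" -f $s, $_) }
}
$records | Export-Csv $Backup -NoTypeInformation
```

Run it once against a test DNS server, confirm name resolution still works and that the DNS MMC no longer connects remotely (that is the expected side effect), then run it with -Restore to prove the back-out before touching production.  The CSV it writes is the back-out plan; keep it until the real patch is installed and the value can be removed.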

The Microsoft Security Response team has said that they are working around the clock to develop a working and stable fix that they can deploy to close the vulnerability off.

The Two Most Effective Malware Families For Q1 2007

The Register is reporting that, according to Panda Software (AV company), the two most common families of malware that are causing infections are Sdbot and Gaobot.  I suggest that you follow those links to read over what is causing this havoc.

Let’s look at a few things.

Both of these forms of malware are OLD, and the Microsoft updates that close the holes they exploit are old too.  This is not a new story.  Nimda, SQL Slammer and Blaster all used vulnerabilities that MS had already released updates for (many months earlier for Nimda, six months for Slammer and a few weeks for Blaster).  These days, there are no excuses for not maintaining patch levels: WSUS is free, SMS 2003 has the Inventory Tool for Software Updates, and third-party products such as HFNetChk Pro are available.  Don’t fall into the trap of thinking updates are only necessary for MS products.  I only read today that three Cisco Wifi products had been found to be vulnerable.  Many UNIX/Linux systems have updates available that are never applied.  More importantly, every now and then you hear of problems with Check Point … funny … I can’t remember hearing of any problems on ISA 2004 or ISA 2006 🙂

Seeing as these products are old, you’d think that AV would protect people.  I can’t recall how many sites with Symantec or Norton I’ve visited where they’ve had problems with agents becoming orphaned or updates failing.  And what’s worse?  These organisations accept this behaviour and continue to subscribe to these "solutions".  My suggestions?  A) Replace these products with better solutions.  Check out AV-Comparatives for an idea of how these companies rate.  And ask around.  Don’t just accept the word of a salesman or some marketing bluff.  B) Use a third-party solution to audit your AV status.  I’ve used SMS in the past to audit the DAT files of Trend Micro OfficeScan, even though I had useful reports from the product itself.

Control access to non-relevant services.  What do I mean?  These bots take their orders over IRC … a chat tool that, for the vast majority of organisations, has no business purpose (and whose public channels are full of the sorts of advertising that … shall we say … isn’t child friendly).  A bot that cannot reach its IRC server cannot receive commands, so even an infected PC does far less damage.  The solution is to set up your firewall(s) to only allow necessary outbound traffic from limited resources and to install a proxy server with proxy filtering software.  Using these you can control what is being done over your Internet link.  Depending on your jurisdiction and agreements with employees, you may even be able to monitor and report on their activity.  Check this out with all necessary lawyers/solicitors before attempting this.

How did this software install itself?  I can’t say for sure but it sounds like it requires local administrator access.  The truth is, most malware is pretty dumb.  It usually requires local admin access to install.  For years experts, including MS, have been saying that ordinary users should be running without admin access and admins should be running using "least privilege".  What’s that?  If you are a domain admin, do you really need to be logged into your PC as a domain admin to read your mail or surf the net?  Instead, why don’t you run a virtual machine (using one of the free products out there) on your PC that has all of your admin tools on it?  Log into your PC as an ordinary user and into your virtual machine as an admin/domain admin.  Your risk is limited and you have not made your job any more complicated.  In fact, it’s probably easier because VMs are mobile and can be quickly replicated or reset to a previously known acceptable state.  (Bear in mind that the VM is only as trustworthy as the host it runs on, so the host still needs to be patched and locked down.)

And there’s better news if you have Windows Vista.  With UAC left enabled, you can log in as an admin but nothing runs with admin rights unless it needs them and you have OK’d it when the OS asks.  E.g. you are browsing the net and a website tries to run a program on your PC without you initiating it.  It will require admin access, so it asks to elevate its rights.  You’re actually logged in as an admin but you’re not actually using those rights, and the OS requests the rights change from you.  You’ll know something is wrong and can prevent the program from running.

Finally, you can take things a step further and lock down your desktop network.  Group Policy is a simple and quick way to accomplish this.  Lock down features of Windows that are not required or are considered a realistic risk.  You can use security templates to control rights assignment.  Make sure you understand this technology before trying it out!  You can use tools such as Desired Configuration Monitoring (the SMS 2003 solution accelerator) or Desired Configuration Management in CM 2007 to audit machine configurations.  And you can also use the SMS 2003 R2 Scan Tool for Vulnerability Assessment or the free Microsoft Baseline Security Analyzer (MBSA) to audit the security configuration of your PCs and servers against MS best practices.
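As an added example of the "audit rights assignment" point (my own script, not part of the original post), the following PowerShell exports the machine’s effective user rights with secedit.exe and flags powerful rights that have been handed to broad groups such as Everyone or Users.  Which rights count as sensitive and which groups as broad are my own choices for illustration; the expectation that secedit runs elevated and writes a Unicode .inf is an assumption about the target machine.

```powershell
# Added example (not from the original post). Exports the effective user rights
# assignment of the local machine with secedit.exe and flags sensitive rights held
# by broad, well-known groups. Which rights count as sensitive and which groups as
# "broad" are my own choices for illustration; align them with your own template.
# Assumptions: run elevated; secedit writes the export as a Unicode .inf, which
# Get-Content reads correctly because of its byte-order mark.

$inf = Join-Path $env:TEMP "secpol-user-rights.inf"
& secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed (are you running elevated?)" }

# Well-known SIDs that should never hold the rights below (secedit prefixes SIDs with '*').
$broad = @{
    "*S-1-1-0"      = "Everyone"
    "*S-1-5-11"     = "Authenticated Users"
    "*S-1-5-32-545" = "Users"
    "*S-1-5-4"      = "INTERACTIVE"
}

# Rights that are equivalent to local admin, or give an attacker a useful foothold.
$sensitive = @(
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
    "SeRemoteInteractiveLogonRight", "SeServiceLogonRight", "SeCreateTokenPrivilege"
)

function Get-PrivilegeRights([string]$path) {
    # Parses the [Privilege Rights] section, whose lines look like
    #   SeDebugPrivilege = *S-1-5-32-544
    # (an account secedit cannot resolve appears as a plain name instead of *SID).
    # Returns a hashtable: right name -> array of principals.
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($matches[1] -eq "Privilege Rights"); continue }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $rights[$matches[1]] = @($matches[2].Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" })
    }
    return $rights
}

$rights   = Get-PrivilegeRights $inf
$findings = @()
foreach ($r in $sensitive) {
    if (-not $rights.ContainsKey($r)) { continue }      # right not granted to anyone
    foreach ($p in $rights[$r]) {
        if ($broad.ContainsKey($p)) {
            $findings += ("{0} is granted to {1} ({2})" -f $r, $broad[$p], $p)
        }
    }
}
Remove-Item $inf

if ($findings.Count -eq 0) { Write-Host "No sensitive rights granted to broad groups." }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

To compare a machine against the template you actually deploy rather than against this ad hoc list, use the built-in analysis instead: secedit /analyze /db check.sdb /cfg yourtemplate.inf /log check.log, and read the mismatches out of the log.  Either way, run the audit after Group Policy has applied, since a rogue local setting that policy overwrites on the next refresh is a different problem from one policy leaves alone.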

I hope you can see that a few simple things will protect you.  Considering that these two families of malware are so effective, it would seem that not everyone is listening to the advice.

Credit: The Register.

System Center Capacity Planner 2007 Beta Available

SCCP 2007 is now available on MS Connect for public beta testing.  SCCP offers you the ability to model and simulate loads and scalability for Exchange Server 2007 and Operations Manager 2007.  You can also introduce "what if" scenarios, e.g. what happens if a server is removed.

SCCP is the first component you should encounter when adopting Microsoft’s Dynamic Systems Initiative (DSI).  DSI is a new approach that uses automation and built-in knowledge to support the entire infrastructure lifecycle.  You’ll likely have read or heard about how MOM and SMS fit into this … they are key components but ideally, they should come later.

The starting point is modeling.  You build a model using a tool that advises you on best practices, scalability and performance.  You can introduce scenarios such as growth, redundancy and disaster.  Using this model you can architect your infrastructure with predictable results.

Currently, SCCP only supports Exchange and OM but we can expect future releases to include other products.  We’ve seen Excel spreadsheets for modeling AD design so don’t be surprised to see that taken to the next level.  Also, I wouldn’t be surprised to see Visual Studio (if it doesn’t already) include a modeling solution for business applications, including web servers, SQL servers, clusters, etc.

Taking your model, you architect and deploy your infrastructure.  You can then monitor it using OM 2007 – it includes a service modeling feature where your business application (consisting of many devices, servers or applications) is considered as a single offering or service.