Monday, December 14, 2009

Robocopy and Server 2008 Script Error

If you are going to run Robocopy from a scheduled script on Windows Server 2008 you will run into a few errors. The first is that the account executing the script must be granted the "Log on as a batch job" user right.

Local Security Policy > Local Policies > User Rights Assignment > Log On As A Batch Job > Add User or Group

Next, add the user account to the Backup Operators group in Computer Management > Local Users and Groups. That group carries the Backup Files and Restore Files rights that Robocopy's backup mode (/B or /ZB) needs.

You will also need to tweak the job in Task Scheduler: select "Run whether user is logged on or not" and check "Run with Highest Privileges". Without "Run with Highest Privileges" the task runs with the account's filtered (non-elevated) token under UAC, the backup and restore privileges are stripped from that token, and you will get the following error:
-------------------
ERROR : You do not have the Backup and Restore Files user rights.
***** You need these to perform Backup copies (/B or /ZB).

ERROR : Robocopy ran out of memory, exiting.
ERROR : Invalid Parameter #%d : "%s"

ERROR : Invalid Job File, Line #%d :"%s"
--------------------
That checkbox is the equivalent of right-clicking the command prompt and choosing "Run as administrator"; it does not replace the group membership or the logon right above, it only lets the task use them.

Wednesday, July 8, 2009

Weird Event Log Event

This box has a dying systemboard and one of the error messages I saw in the Event Log I have never seen before...

Error Source: i8042prt
Type: Information
EventID: 12

Description: The ring buffer that stores incoming mouse data has overflowed (buffer size is configurable via the PS/2 mouse properties in device manager).

Tuesday, July 7, 2009

Bulk DNS Update via CSV File

So here is the scenario:

All of my DNS static entries are going to get nuked and changed to a completely different IP space (yes, the computers too). However since this is such a massive task and we have minimal time to make the change we would like to complete as much ahead of time as we can. All of my DNS servers are DCs running AD-Integrated Zones. The only way I can think of to do this ahead of time is by creating a spreadsheet and filling in the hostnames and the new IPs and then on the day of the IP change import the new records into DNS. So, the question is how exactly can I update the DNS tables on an AD Integrated Zone using a script or file import?

Here is what I found:
The simple answer is you can't :) However there is a workaround...
1. Export your DNS information to a CSV File
2. Modify the DNS information to show the correct IP information. I accomplished this by using Excel spreadsheets sent to users to be filled in with the new IPs. Then, using SQL, I imported the spreadsheets into a database and scripted a massive UPDATE statement on the master DNS list. Then I exported the updated master DNS list as a TAB DELIMITED file.
3. Next I needed to remove all my DNS Servers except one. Pick one to keep, uninstall DNS on all others.
4. On the remaining DNS Server I changed all my zones from Active-Directory Integrated Zones to Primary using the following: (right click on each zone) > Properties > General > Change Type > (Uncheck) "Store the zone in Active Directory"
5. Repeat for all zones
6. Keep the "Load Zone Data on Startup" at "From Active Directory and registry"
7. Open the DNS zone files (.dns) located in c:\windows\system32\dns\
8. Modify the DNS zone file with your new information keeping the proper TAB Delimited format.
9. Reboot the DNS server, this is gonna take a while but if you don't you are going to get an error like "the specified directory partition does not exist".
10. Open DNS Manager again and move all of your zones back to AD-Integrated Zones. Steps are the reverse of Step 4.
11. Reinstall DNS on all the other DNS Servers that we uninstalled on Step 3.
12. Once DNS is installed on all the other DNS Servers check to make sure that they have the latest DNS entries. They should and at this point you are done.

Piece of cake :)
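Step 8 above (merging the new IPs into the tab-delimited zone file) is the part that is easy to get wrong by hand, so here is an added example that does it mechanically. This is not code from the original post. It assumes the layout Windows DNS writes to %SystemRoot%\system32\dns\<zone>.dns (one record per line, a "; serial number" comment in the SOA block) and a CSV with a "hostname,newip" header; the zone file and CSV embedded below are constructed for the example.

```python
"""Apply a CSV of hostname -> new IPv4 to a Windows DNS zone file (.dns).

Added example for the bulk-DNS-update post; not code from the original page.
Assumes the tab-delimited layout Windows DNS writes and a 'hostname,newip' CSV.
The ZONE and CSV strings below are constructed sample input.
"""
import csv
import io
import ipaddress
import re

# owner name, optional TTL, optional class, the A type, then an IPv4 literal
A_RECORD = re.compile(
    r"^(?P<owner>\S+)(?P<mid>\s+(?:\d+\s+)?(?:IN\s+)?A\s+)"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
# the serial line of the SOA block, as Windows DNS comments it
SERIAL = re.compile(r"^(?P<lead>\s*)(?P<serial>\d+)(?P<tail>\s*;\s*serial number.*)$")


def load_mapping(csv_text):
    """Parse the CSV into {hostname: ip}; drop bad IPs and conflicting duplicates."""
    mapping, errors, conflicts = {}, [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["hostname"].strip().lower()
        new_ip = row["newip"].strip()
        try:
            ipaddress.IPv4Address(new_ip)
        except ValueError:
            errors.append(f"{host}: invalid IPv4 address {new_ip!r}")
            continue
        if host in mapping and mapping[host] != new_ip:
            errors.append(f"{host}: conflicting entries {mapping[host]} and {new_ip}")
            conflicts.add(host)
        mapping.setdefault(host, new_ip)
    for host in conflicts:          # never guess between two answers
        mapping.pop(host, None)
    return mapping, errors


def rewrite_zone(zone_text, mapping):
    """Return (new_text, report). Only the IP field of a matching A record is
    replaced; the SOA serial is incremented so secondaries notice the change."""
    out, updated, unchanged = [], set(), []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if m:
            owner = m.group("owner")
            if owner.lower() in mapping:
                updated.add(owner.lower())
                line = f"{owner}{m.group('mid')}{mapping[owner.lower()]}"
            else:
                unchanged.append(owner)
        else:
            s = SERIAL.match(line)
            if s:
                line = f"{s.group('lead')}{int(s.group('serial')) + 1}{s.group('tail')}"
        out.append(line)
    report = {
        "updated": sorted(updated),
        "not_in_zone": sorted(set(mapping) - updated),  # CSV rows with no A record
        "left_unchanged": unchanged,                     # A records nobody gave a new IP
    }
    return "\n".join(out) + "\n", report


# Constructed sample zone file in the Windows DNS layout.
ZONE = (
    ";\n"
    ";  Database file example.local.dns for example.local zone.\n"
    ";\n"
    "@                       IN  SOA ns1.example.local.  hostmaster.example.local. (\n"
    "                        \t42           ; serial number\n"
    "                        \t900          ; refresh\n"
    "                        \t600          ; retry\n"
    "                        \t86400        ; expire\n"
    "                        \t3600       ) ; default TTL\n"
    "@                       NS\tns1.example.local.\n"
    "ns1                     A\t10.70.0.5\n"
    "fileserver              A\t10.70.0.20\n"
    "printer01               A\t10.70.0.44\n"
    "www                     CNAME\tfileserver\n"
)
# Constructed sample spreadsheet export.
CSV = (
    "hostname,newip\n"
    "ns1,10.50.10.5\n"
    "FileServer,10.50.10.20\n"      # case differs from the zone file on purpose
    "laptop99,10.50.10.99\n"        # not in the zone: reported, not silently added
    "badhost,10.50.10.999\n"        # invalid address
    "dup,10.50.10.1\n"
    "dup,10.50.10.2\n"              # conflicting duplicate: both rows dropped
)


def demo():
    mapping, errors = load_mapping(CSV)
    new_zone, report = rewrite_zone(ZONE, mapping)
    return new_zone, report, errors


if __name__ == "__main__":
    text, rep, errs = demo()
    print(text)
    print(rep)
    print(errs)
```

Run the report part well before cut-over day: "not_in_zone" rows are spreadsheet entries with a typo or a host that no longer exists, and "left_unchanged" records are hosts nobody filled in. The script leaves CNAME, NS and SOA records alone, so a CNAME that points at a renamed host still needs a manual look.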

Friday, June 19, 2009

Good 'ole UPS

This replacement laptop keyboard was shipped from HP to one of my Field Users via UPS Ground. It's one of those new "bendable after being run over by a truck" types :)



Hope this made you laugh; we need to more often...

Friday, June 5, 2009

Converting .WMV to .MP3

Here is a great little tool that I just discovered after finding out that Audacity was not a good tool to convert .wmv files to .mp3. Very easy to use and fast...

WinFF
http://winff.org/html/

It appears to have quite a few conversion options, so if you are doing any conversions check it out.

Friday, May 29, 2009

Exchange 2007 Merge Fails with "Operation was cancelled" error

During an Exchange 2007 restore I was attempting to do a merge from the RSG into my target mailbox and ran into an error. The error occurs in the Application Event Log after the Exchange Wizard reports that the operation was successful. The error text is the following:

Source: Exchange Migration
Event ID: 1008
Category: Restore Mailbox
Description:
The restore-mailbox task for mailbox 'XXXX' failed.
Error: Failed to copy messages to the destination mailbox store with error:
The operation was cancelled.

As odd as this sounds the fix is to skip the wizard and run the same commands in the EMS (Exchange Management Shell) directly. Here is the syntax:

Restore-Mailbox -identity "Target Mailbox" -RSGDatabase "Recovery Storage Group\RSG Datastore" -RSGMailbox "Mailbox to be restored" -TargetFolder "Folder in -Identity to place data in" -BadItemLimit "Int32"

Wednesday, May 27, 2009

Serv-U FTP Server 8.0 Windows Authentication Changes

It appears that there is a change in the new version of Serv-U FTP Server that affects Windows Authentication. This change is that the Windows AD user must be a member of the "Domain Users" AD Group or Serv-U FTP Server will give you an Access Denied error upon connection. In the past you just needed an AD User account and could assign it to a "No Permissions" group so that it could only be used for FTP, however that is no longer the case.

Wednesday, May 20, 2009

Adobe Download Location

Need an .MSI of an Adobe product?
ftp://ftp.adobe.com/pub/adobe/

Thursday, May 14, 2009

The Internet is broken...

It looks like there was a rather serious issue with the Internet earlier this morning. The most obvious symptom was that all the Google Apps as well as www.google.com were unavailable from 8:53am MST to 11:15am. At this point it appears that it might have been an issue with the pipe going to Google. Here is a tracert of what we were seeing:

C:\Users\xxxx>tracert www.google.com

Tracing route to www.l.google.com [74.125.93.104]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms xxxxxx.xxxxx.xxxx[xx.xx.0.1]
2 <1 ms <1 ms <1 ms xx.xx.0.1
3 <1 ms <1 ms <1 ms xx.xx.0.9
4 4 ms 4 ms 4 ms xxx.xxx-1-0.xxxx-cust1.dnvr.uswest.net [xx.224.xx.17]
5 4 ms 4 ms 4 ms cls-core-02.inet.qwest.net [205.171.152.94]
6 30 ms 32 ms 31 ms dap-brdr-03.inet.qwest.net [67.14.2.85]
7 30 ms 30 ms 30 ms 192.205.36.45
8 49 ms 48 ms 49 ms cr2.dlstx.ip.att.net [12.122.87.54]
9 48 ms 48 ms 49 ms cr1.attga.ip.att.net [12.122.28.173]
10 48 ms 48 ms 48 ms 12.123.22.5
11 * * * Request timed out.
12 * * 293 ms 72.14.233.54
13 * * * Request timed out.
14 287 ms * * 209.85.254.239
15 * * * Request timed out.
16 * * * Request timed out.
17 287 ms * 288 ms qw-in-f104.google.com [74.125.93.104]

Trace complete.

Everything looks good at this point, but it really makes you appreciate having Google.

Also, here are some tools to help out when taking a look at outages like this:
1. http://www.internettrafficreport.com/
2. http://isc.sans.org/
3. http://www.internetpulse.net/

Wednesday, April 29, 2009

Random Reboots on HP Hardware - Error ID 57

We have a server (BL460c) that we upgraded the drivers and firmware on and now it is rebooting every couple hours. The Event Log has a warning with an ID of 57. The description is "NetFN 0x36, command 0x2 timed out" This is solved by downgrading both iLO drivers.

1. HP ProLiant Integrated Lights-Out Management Interface Driver for Windows Server 2003/2008 x64 Editions to version 1.13.0.0
2. HP ProLiant iLO 2 Management Controller Driver for Windows Server 2003 x64 Editions to version 1.8.0.0

Thursday, April 16, 2009

Chuck Swindoll on lust and controlling the mind

I really appreciate Chuck Swindoll for several reasons. First and foremost is the fact that he preaches like it is, no matter how hard the subject, and that he practices what he preaches. That is probably what I want most to be remembered as. Here is a lesson that he recently presented at DTS on lust and purity in the mind. A very important yet terribly difficult lesson that you won't hear even in most churches since it is so convicting. If this message does not affect you or you think that it does not apply to you then you really need to get help; it will make your life so much better.

http://www.dts.edu/media/play/?MediaItemID=7fd7e223-479d-4183-ac94-ec74649a6d7a

If you are looking for help feel free to contact them at 469-252-5200.

Wednesday, April 15, 2009

ARP Poisoning in a Production Environment



Here is a sanitized email that I sent last night about a very interesting problem that we ran into at work. I had never run into ARP Poisoning before...
-------------------------

Sent: Thursday, April 16, 2009 12:21 AM
To: XXXXX XXXXX
Subject: ARP Poisoning

Ok, so here is 12 hours of work boiled down into a couple sentences of “what happened” …

Basic Topography: 10.70.0.1(hop1) > 10.50.0.1(2) > 10.50.0.9(3) > Internet(4) > Destination(5)

MAC Address for 10.50.0.1 = XX:XX:XX:XX:b4:23

Scenario: We isolated the issue (mainly by completely replacing 10.70.0.1 (ISA 2006) & 10.50.0.1 (Core Router) to no avail) so that we knew that traffic was going from 10.70.0.1 out to the internet, hitting the destination and generating response traffic. This response traffic made it to the firewall but died before reaching back to the 10.70.0.1 ISA server. This leaves 10.50.0.1 and 10.50.0.9 as the only possible culprits for the missing traffic. After replacing 10.50.0.1 we discovered that the traffic still exhibited the same behavior and we realized that the chances of 2 Routers both being bad was really remote, so we focused on the firewall. Taking a packet trace with the network up and another when the network was dead we found a very subtle difference in the packets. While the network was operating normally the packets were flowing from the firewall to the core router using the level 2 routing addresses of:

Src: XX:XX:XX:XX:ea:b0 - dst: XX:XX:XX:XX:b4:23
When the network was broken the level 2 flow of inbound packets was like:
Src: XX:XX:XX:XX:ea:b0 - dst: 00:0c:29:a9:d2:25

So what we have at this point is ARP Poisoning where another machine on the 10.50.x.x is impersonating 10.50.0.1 which is the Core Router; the result of this is that all traffic coming inbound from the internet (hop3 > hop2) was getting redirected to the mystery machine (hop3 > hop_blackhole) with the mac of 00:0c:29:a9:d2:25. Going from switch to switch we tracked the mac to MachineNameX. After unplugging the machine from the network and clearing the ARP cache on the firewall traffic immediately started working normally and the network is happy. Check out the cool wireshark screenshot attached… now you know what ARP poisoning looks like.

Bottom line: Wireshark is awesome, the 10.50.x.x switches have a command "show bridge address-table" which shows you the MAC addresses that are associated with each port on the switch, 2 heads and 4 eyes are better than 1 head and 2 eyes... and sleep is overrated.. :)
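The email above shows what the poisoning looked like in a capture after twelve hours of looking. As an added example (not the author's code, and not from the original post), here is the check that would have raised the alarm on the first bad frame: decode ARP off the wire, pin the core router's IP to its real MAC, and flag any reply that contradicts the pinned entry or that nobody asked for. The frames are fabricated with build_arp() rather than taken from a capture; the full MACs 00:11:22:33:b4:23 (core router) and 00:11:22:33:ea:b0 (firewall) are made up to stand in for the sanitized XX:XX:XX:XX:b4:23 and XX:XX:XX:XX:ea:b0 in the email, and 00:0c:29:a9:d2:25 is the rogue MAC from the email.

```python
"""Spot ARP poisoning in a frame feed: a gateway IP that starts answering from a
second MAC, plus replies nobody requested.

Added example for the ARP-poisoning post; not the author's code. Frames are
constructed below, not captured; MACs other than the rogue one are made up.
"""
import struct

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ip(text):
    return bytes(int(octet) for octet in text.split("."))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Fabricate an Ethernet/ARP frame (only used to build the sample feed)."""
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    return ETH.pack(mac(dst), mac(sha), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))


def parse_arp(frame):
    """Decode an Ethernet II frame; return ARP fields, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


class ArpWatch:
    """Passive ARP monitor: pin trusted IP->MAC pairs and flag any reply that
    contradicts them or that was never solicited by a request."""

    def __init__(self, trusted):
        self.table = dict(trusted)   # ip -> mac; seed with the gateway's real MAC
        self.pending = set()         # (asker ip, asked-for ip) requests still open
        self.alerts = []             # (severity, message)

    def feed(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
            return
        if a["op"] != ARP_REPLY:
            return
        key = (a["tpa"], a["spa"])
        solicited = key in self.pending
        self.pending.discard(key)
        known = self.table.get(a["spa"])
        if known is None:
            self.table[a["spa"]] = a["sha"]          # first sighting: learn it
        elif known != a["sha"]:
            self.alerts.append(("HIGH", f"{a['spa']} is-at {a['sha']}, expected {known} (ARP poisoning)"))
        if not solicited:
            self.alerts.append(("LOW", f"unsolicited reply {a['spa']} is-at {a['sha']} sent to {a['tpa']}"))


def demo():
    """Replay the outage: firewall asks for the core router, the router answers,
    then a rogue host answers for the same IP without being asked."""
    watch = ArpWatch({"10.50.0.1": "00:11:22:33:b4:23"})
    feed = [
        build_arp(ARP_REQUEST, "00:11:22:33:ea:b0", "10.50.0.9", "00:00:00:00:00:00", "10.50.0.1"),
        build_arp(ARP_REPLY, "00:11:22:33:b4:23", "10.50.0.1", "00:11:22:33:ea:b0", "10.50.0.9"),
        build_arp(ARP_REPLY, "00:0c:29:a9:d2:25", "10.50.0.1", "00:11:22:33:ea:b0", "10.50.0.9"),
        b"\x00" * 12 + b"\x08\x00" + b"\x00" * 40,   # an IPv4 frame: ignored
    ]
    for frame in feed:
        watch.feed(frame)
    return watch.alerts


if __name__ == "__main__":
    for severity, message in demo():
        print(severity, message)
```

The HIGH alert is the one that matters: the rogue reply carries the real gateway IP in its sender field, so every host that accepts it rewrites its cache exactly as the firewall did here. The OUI 00:0c:29 is registered to VMware, which is a useful triage hint when the switch port trace leads to a host running virtual machines.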

Monday, April 13, 2009

Backing up a MAC Server automatically

Scenario: You run a Windows environment and all of a sudden a couple of Apple Xserves get added and then need to be backed up.

You are the responder: I will be backing this XServe up to a Windows File Server where the files will then be picked up to go to tape.
Step 1: Create the appropriate file share on the Windows box and assign the proper permissions to it. Give it a unique AD service account with write access to that share only, since the password is stored in plain text in the backup script.
Step 2: Create a folder on the Apple that will be the mount point for your smbfs to the Windows File Server
Step 3: Create a shell script on the Apple that looks like this:

#!/bin/bash
# Paths and credentials below are placeholders; the password sits in plain text here, so chmod 700 this file.
cd /Volumes/FoldertoBackup || exit 1
DATE=$(date '+%d-%B-%Y')
/sbin/mount_smbfs //ADuserName:ADPassword@WinFileServer/ShareToSaveFilesTo /MyAppleMountPoint || exit 1
# Write the archive outside the folder being archived, or tar will try to include its own output.
tar -cf /tmp/backup-servername-$DATE.tar /Volumes/FoldertoBackup
cp /tmp/backup-servername-$DATE.tar /MyAppleMountPoint/
umount /MyAppleMountPoint

Step 4: Test the script and see if it works when launched manually. If you cut and paste it from here you will need to use dos2unix to fix the hidden end-of-line characters, since Windows line endings differ from standard Unix line endings.

Step 5: Automate with Crontab
a. 00 04 * * 02 /var/backups/backup_script.sh
This will execute the backup_script.sh file every Tuesday at 4am.

Step 6: You're done... sort of... Now you need to create a script to clean up the backup files on the Apple after X days so you don't run out of disk space. You can also edit the tar command to do differential backups if you so choose...

Wednesday, April 8, 2009

Cisco ASA 5510 - Disable Specific Alerts

We get a ton of false positives on one specific alert on our ASA. The alert is a "No Translation Group Found" that happens when somebody brings a laptop from home and attempts to create a connection before getting the proper IP settings from DHCP. The alert looks like this:

<163>%ASA-3-305005: No translation group found for tcp src (InterfaceName):(IPAddress/Port) dst (InterfaceName):(IPAddress/Port)

We wanted to disable just this one alert so that we do not get so many false positives. After trying several things to no avail I finally opened a support case with Cisco and got a quick and easy fix. To accomplish this all that you need to do is type in:

ciscoasa(config)# no logging message 305005

and to re-enable it all you need to do is type:

ciscoasa(config)# logging message 305005

That was easy!

Wednesday, March 18, 2009

You learn something new every day. Cisco ASA 5510 Lessons.

1. The IPS module is not configured by default to bind to an interface. Found at (in the ASDM) Configuration > IPS > Policies > IPS Policies. I created a new policy that is now bound to the backplane interface using a new set of Event Action Rules (see below), now the IPS is dropping packets and creating alerts as it should.

2. To allow Instant Messenger you need to do two things:
  1. Allow IM in the firewall class maps. Configuration > Firewall > Objects > Class Maps > IM > Add. From here you can allow Yahoo! or MSN IM if you use the default criterion. You can also use Services Criterion to block certain features of IM such as Chat, Conference, File Transfers, Games, Voice Chat and Web Cam.
  2. Tweak the IM rules in the IPS module to allow and deny the traffic that you want.

3. The email alerting is configured using both the IPS and Device Management sliders. Make sure that you can reach the email server's IP from your device or put in a static route to your email server, otherwise you will never get your email alerts :)

4. Event Action Rules are important to your IPS. They define the levels of risk and what to do with the three different levels: HIGHRISK, MEDIUMRISK, LOWRISK. Create your Event Action Rule and then use it via your IPS Policy.


Tuesday, February 24, 2009

Adobe Vulnerability APSB09-01

In Adobe's bulletin released last Friday there are 3 mitigations to reduce your chances of getting exploited. The first is to disable JavaScript in Adobe Reader by going (in Adobe Reader) to Edit > Preferences > JavaScript and unchecking the "Enable Acrobat JavaScript" option. That is fine for the everyday user but not quite a good fix for an enterprise of any size. To accomplish this I found a script located on the internet and modified it to disable Acrobat's JavaScript.

I built the batch file to do a few things including:
a. Add an HKLM key at HKLM\Software\Adobe\Acrobat Reader\9.0\JSPrefs (the version number in the path must match the installed Reader: 8.0 or 9.0)
b. Add a DWORD value under that key called "bEnableJS" with a value of 0
These two steps disable Acrobat JavaScript for all users except those people who have clicked the box manually and created other keys under HKCU.

Next I attempt to change the HKCU values (if generated) to 0 thus disabling the Acrobat JavaScript for all users.

Below is the script:

-------------------------Start Script ---------------------------------
setlocal
set regpath=%SystemRoot%\system32\reg.exe
set keypath=Software\Adobe\Acrobat Reader\9.0\JSPrefs
set valuename=bEnableJS
:: update current user
set hive=HKCU
set key=%hive%\%keypath%
:: Add a Master Disable for all users by using HKLM
%regpath% add "HKLM\%keypath%" /f >nul
%regpath% add "HKLM\%keypath%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul
:: Remove JavaScript for all individuals who have explicitly enabled it.
%regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul
:: update all other users on the computer, using a temporary hive
set hive=HKLM\TempHive
set key=%hive%\%keypath%
:: set current directory to "Documents and Settings" (or "Users" on Vista/2008)
cd /d %USERPROFILE%\..
:: enumerate all profile folders and load each NTUSER.DAT that is not in use
for /f "tokens=*" %%i in ('dir /b /ad') do (
    if exist ".\%%i\NTUSER.DAT" call :AddRegValue "%%i" ".\%%i\NTUSER.DAT"
)
endlocal
goto :EOF

:AddRegValue
set upd=Y
if /I %1 equ "All Users" set upd=N
if /I %1 equ "LocalService" set upd=N
if /I %1 equ "NetworkService" set upd=N
if %upd% equ Y (
    %regpath% load %hive% %2 >nul 2>&1
    %regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul 2>&1
    %regpath% unload %hive% >nul 2>&1
)
-----------------------End Script--------------------------
Note: The script as shown targets Acrobat Reader 9.0; change the "9.0" in keypath to "8.0" for Reader 8.0 (or run it once per installed version). The hive of the user currently logged on is locked and will not load, so run the script at startup or from a machine-level scheduled task rather than from an interactive session.



Feel free to modify and use the script but like everything else, test it before you put it into production. I take no responsibility for what you do with it and any results that it might cause.

Thanks to the guys at http://www.ureader.com/ for the original script that I modified to get this running.

Windows Server 2003 Cannot Execute Network File

On Windows Server 2003, by default you cannot double-click an .exe located on a file share; you will get the following error:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item."

To get around this, copy the file to your local drive, right-click it and select Properties. At the bottom of the General tab you will see a warning that the file came from another computer ("This file came from another computer and might be blocked to help protect this computer"); click "Unblock" and you can now execute the file. The block is the Zone.Identifier alternate data stream that Attachment Manager writes to files arriving from the Internet zone, and Unblock removes that stream from the one file.

Alternatively, uninstall the "Internet Explorer Enhanced Security Configuration", which is what puts the file server's UNC path into the Internet zone in the first place. That relaxes zone security for everything on the box, so adding the file server to the Local intranet zone in Internet Options is the narrower fix.

Windows Server 2003 VM Running Exchange with Random Bluescreening

I have a Microsoft Exchange 2007 server (x64) that was originally on a physical piece of hardware. However we have P2V'd it into a guest on a VMware ESX host and it seems to be running normally except for one little detail: It bluescreens every 15 or 20 days with the following information:

Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Date: 1/31/2008
Time: 8:34:36 AM
User: N/A
Computer: SMTP2
Description: Error code 00000000000000d1, parameter1 0000000000000019, parameter2 0000000000000002, parameter3 0000000000000001, parameter4 fffffadfd99f4e5b.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 53 79 73 74 65 6d 20 45   System E
0008: 72 72 6f 72 20 20 45 72   rror  Er
0010: 72 6f 72 20 63 6f 64 65   ror code
0018: 20 30 30 30 30 30 30 30    0000000
0020: 30 30 30 30 30 30 30 64   0000000d
0028: 31 20 20 50 61 72 61 6d   1  Param
0030: 65 74 65 72 73 20 30 30   eters 00
0038: 30 30 30 30 30 30 30 30   00000000
0040: 30 30 30 30 31 39 2c 20   000019,
0048: 30 30 30 30 30 30 30 30   00000000
0050: 30 30 30 30 30 30 30 32   00000002
0058: 2c 20 30 30 30 30 30 30   , 000000
0060: 30 30 30 30 30 30 30 30   00000000
0068: 30 31 2c 20 66 66 66 66   01, ffff
0070: 66 61 64 66 64 39 39 66   fadfd99f
0078: 34 65 35 62               4e5b

It seems fairly random and there is not a whole lot to go on as far as troubleshooting... Stop 0x000000D1 is DRIVER_IRQL_NOT_LESS_OR_EQUAL, which points at a kernel-mode driver rather than at Exchange itself. I found an MS patch (kb950772) that is supposed to fix "A computer that is running an x64-based version of Windows Server 2003... randomly restarts and then generates a Stop Error". After applying the patch the box seems stable and has yet to throw a stop error.

Patch Details at: http://support.microsoft.com/kb/950772

Monday, February 23, 2009

Allowing PPTP Through Cisco ASA 5510

Pretty simple fix for a Cisco ASA 5510 that does not pass PPTP traffic: enable PPTP inspection in the default global policy so that the GRE data channel is opened alongside the TCP 1723 control connection.

>config t
>policy-map global_policy
>class inspection_default
>inspect pptp
>service-policy global_policy global
>write memory

Cannot Connect to Cisco ASA 5510 with ASDM

So, we have a couple Cisco ASA 5510 security appliances that we are working on. Here is the catch, when you attempt to connect to them using the ASDM tool downloaded from the device (or the CD from Cisco, or a download from Cisco's website) you get a connection error "ASDM cannot read the configuration from the ASA". After ensuring that the networking was indeed correct and I could reach the device I discovered (after several hours) that the ASDM is java based and that the version of java that I was using (Java 6 Update 11) was simply too new for the ASDM. To fix this I had to downgrade my java to Java 5 Update 17 and bingo, the ASDM could now talk to the ASA.

Next I was able to upgrade, via the ASDM, both the ASA software and the ASDM software. Once updated to the newest versions (8.01 and 6.1551 respectively) I was able to re-download the ASDM client from the device and use the newest Java version.

IT Security Top 10 Tips for 2009

I got to help write the Top 10 Security Tips for 2009 for our employees and this is what we came up with. I think it is a good security overview for the normal everyday user.

#10 Wifi: As you travel around you will frequently see "Free Public WiFi" in your list of available wireless networks. This is not a real hotspot; it is an ad-hoc (computer-to-computer) network that older Windows XP laptops re-advertise after having once joined it, so connecting puts you on a direct link with a stranger's laptop, which is exactly what an attacker on the same network wants. Think of this as the "free public used gum" stuck under your desk. DO NOT connect to it for any reason. Never connect to any Wi-Fi you do not fully trust, unless of course you like hackers using your identity or credit cards...

#9 Fake News Emails: Never click on any links in an email from CNN or MSNBC, or any other "news alerts" that you have never subscribed to, no matter how realistic it looks. Usually they start with a very absurd or weird story such as "Britney Spears killed in a car accident" or "Bigfoot found in New Jersey", etc. Even if you have subscribed to news alerts it is best to be cautious when following links.

#8 Fake "tracking number" Emails: If you get a "UPS tracking" attachment, never ever open it; these attachments are malware. They also appear to come from FedEx, USPS, etc. A valid tracking email will never have an attachment.

#7 Fake "Greeting Cards": Never open an email postcard (Hallmark e-cards are the most commonly faked) unless it's your birthday and it's from someone you expect it from. This is the main delivery mechanism of most of the viruses we see today. Also, a real e-card will never arrive as an attachment with a .exe extension.

#6 Lock your Desktop when not in use and have a screensaver password. Also lock your mobile devices (phone) with a password. If you don’t lock the doors then it does not make much sense to bar the windows. Don’t make it easy for hackers or others who would want to cause damage.

#5 Fake Instant Messages: Many people here use IM to communicate. It is a great tool but you need to be suspicious of hyperlinks, even if the link appears to be from your friends or coworkers. When a computer gets infected by a virus it is not uncommon for it to steal the address book and email/IM all of that person's contacts with the same virus. Best rule of thumb: don't follow hyperlinks.

#4 Don’t put every CD you get mailed or USB key you find lying in the parking lot into your PC, they can “auto-install” a virus onto your PC or do many other nasty things. You didn’t just win a free prize, this is like the “free used gum”; besides it is a very well known technique for hackers and pen-testers alike. Again, don’t make it easy for the bad guys.

#3 Make sure you have antivirus installed and make sure that it has recent definitions; if your AV software is not updating, it is almost as good as not having it at all. In today's day and age antivirus is a must... well, maybe not if you don't have an internet connection...

#2 Keep your software up to date. Do your Microsoft Updates and software updates for all the products that you use. This includes software like Adobe, VMware and whatever else you use. As the famous ex-hacker Kevin Mitnick suggests, "Update your OS religiously and be vigilant in applying all security patches released by the software manufacturer."

And the #1 thing everyone should do in 2009 is:

#1 Backup everything you use. Make sure you have it somewhere else, on an external hard drive, a file share, somewhere. Don’t assume that anyone else (even IT) is backing that data up. If you have a question if a file share is being backed up please contact the IT Department, otherwise assume it is not. One Worm or Trojan or drive crash can wipe out 100% of your data forever, don’t let it happen to you.

A Great Listen (or should I say "A Great Lesson"?)

As I am a bit under the weather and not at work today I have been trying to do something constructive with my time. I found an excellent message by Dr. Ron Rhodes recorded at the Dallas Theological Seminary Chapel Service last week. It is an excellent message on "How to Make a Point Without Impaling Someone Upon It." The message is located at: http://www.dts.edu/media/play/?MediaItemID=c0c46e57-1e9b-49e4-9bc5-d75977a35f91

I hope that it is as much a blessing to you as it is to me. Now, the difficult part, actually living it...