August 2010 Newsletter
Welcome back to reality; that is if you like many of us have enjoyed the summer and some time off. We are facing a hectic fall as we expect massive rollouts to Windows 7 to happen in the corporate market. It is now almost a year since it launched and history shows that 12-18 months after release is when upgrade takes off. That said, we expect to be busy running our deployment- and systems management labs.
MDT 2010 – Setting the Computer Description in AD without a webservice
Sime time ago I was onsite for a customer who wanted the computer description to be set in Active Directory as well as the local machine during deployment. The most powerful way of dealing with Active Directory and other server side components is to use a web service, but the customer wanted something simpler, like a vbscript.
That being said, I created two vbscripts, one that updated active directory with the information and one for updating the local client. The only tricky part (well except for creating the script) is that the script that updates active directory must be executed as a user with permission in Active Directory to do so. Luckily MDT supports runas another user for its custom actions.
To set this up there are three major steps.
Step 1 - Get the Computer Description value.
Built-in to MDT you have two options for this, either by enabling the “prompt-for-description” feature in the deployment wizard, or by storing the value in the MDT database
Step 2 - Store the Description value on the computer object in Active Directory
Get the sample code from http://www.deployvista.com/Repository/tabid/71/EntryId/65/DMXModule/396/Download/attachment/language/en-US/Default.aspx and add ZTISetComputerDescriptionInAD.wsf to your task sequence. Add it to the Custom Tasks group in the state restore group/phase.
Step 3 - Store the Description value on the system properties of the local computer
From the sample code, add ZTISetComputerDescriptionLocally.wsf to your task sequence. Add it to the Custom Tasks group in the state restore group/phase.
For full implementation details with screenshots and step-by-step guides, go to this link
MDT 2010 - Setting the Computer Description in AD without a webservice
Regards / Johan
Creating reference images fast, but not perfect, using WIM2VHD
Hi folks, it ”happens” from time to time that a install Windows in Hyper-V, to be honest it happens every day for different reasons of course, it’s both for testing but mostly for playing. One thing that is very handy is to be able to create reference images fast and easy and that’s what I would like to share with you this time.
When Windows Vista came around it was created as a sysprepped reference image from the beginning, I mean WOW it was a whole new ball game, so one of my question was “Is it possible to just apply the image without installing it???” and the fast answer was of course “No, you cannot” and one of the reason is that the image was captured as a D: drive, tricky to run that on a C: drive later on… Well, time goes and suddenly we have Windows 7 and I asked the same question, and now the answer was “Yes, that can be done using the correct tools”, it turns out that Microsoft has not changed the creation process, but rather “fixed” the new version of Imgex and that means that we can now just apply the image more or less, kind of fun, but not really practical… until you start thinking…
What if you don’t need any drivers and it does not need to be perfect, just ok but fast, what about virtual machines? Imagine if you could create a VHD file, mount that and apply the WIM file directly on to that and then fix the boot on that VHD file so it does boot correctly, that would be fun J. It turned out that I was not the only one, so someone at Microsoft created a small script utility called WIM2VHD
With WIM2VHD you can just apply the WIM directly on to the VHD and not just that, you can also add hotfixes, unattended.xml files, folders and a bunch of other stuff. And here is the thing; it takes about 3 minutes to create a ref image. And now when you want to create virtual machine you use the VHD file as a differencing disk or just as it is.
I did a blog post on this and if you want to know more details about this check-out http://itbloggen.se/cs/blogs/micke/archive/2010/08/25/using-wim2vhd-to-create-reference-images-for-hyper-v.aspx
The short story is this
Download WIM2VHD here
Download and install WAIK here
Run the following command from the folder where you have WIM2VHD.wsf
cscript WIM2VHD.wsf /wim:D:\sources\install.wim /sku:1
And that will give you a nice VHD file that is dynamic and is 40Gb in virtual size.
MVP Windows Server – Setup/Deployment
Vulnerability in one of our websites!
Recently we purchased a well-known forum-software for one of our Swedish community sites called ITProffs.se.
The software is called InstantASP 2010 and as a part of our process of deploying new web-services we performed a security assessment.
During the first phase of Penetration testing my colleague Shanti Lindstrom started to attack the login functions and in less than 5 minutes he discovered a very serious issue!
Due to a logical error in the login function it was possible to make a complete authentication bypass. The ONLY thing you had to do was to disable Java-script in your browser, enter a valid username into the user field of the login page and then leave the password field completely blank. We were more than surprised to see such a severe vulnerability being so easy to exploit.
Reading the customer page of the InstantASP website made it even worse, in their portfolio we saw a listing of companies like Intel, Verizon, BP, Symantec, TimeWarner, AstraZeneca, Reuters and Hugo Boss to name a few.
The fact that anyone with a little knowledge can become the admin on that site, execute code on the server, and enable java-script on all the connecting clients to these sites is really a scary thought.
We contacted the company and only 2 days later they released a patch so the problem is now fixed. I must say that this is way better than normal when we contact vendors, so even though they really shouldn´t implement such a grave error in their product, they were really fast fixing it!
(Actually your web-developers Johan & Bjorn created a quick & dirty fix in 10 minutes that completely mitigated the problem)
So, lessons learned: Please! Assess the security in your web applications. This is as important when you develop them yourself as they are when you use commercial software.
Another interesting thing is that the older version was not vulnerable to this, so the logical error was introduced during a version update.
Lesson number two is to make new assessments after any major update.
Lesson number three is that IF you are currently using InstantASP, then please patch it to the absolutely latest version containing the patch!
Be careful out there!
Marcus Murray, Team Manager, Truesec Security Team