
February 21, 2011
February 2011 Newsletter


TrueSec

News and Geek Stuff

February 2011

The Deployment Geek Week in Seattle sold out in a very short time and we had to turn down many of you who did not make it into this session. That told us there is a big need for this kind of “overall” deployment training that is still on a high technical level. The interest was not only from the US; several of the delegates are flying over from Europe. That led us to schedule two more “Deployment Geek Week” sessions:

London, UK June 6-10 and Seattle July 18-22. Registration is now open for these sessions.

Kent Agerlund’s article below covers some of the new features in Configuration Manager 2012. He is also spending some time on this next version of SCCM in his class “Mastering SCCM 2007 SP2 R3”. If you want to polish your skills in SCCM, this is the class for you. The next opportunity is in March in New York City. See the training schedule at the bottom of the mail as usual.

Are you also looking after the security aspect of the network in your company? Then I assume you haven’t missed the articles that our Marcus Murray has published on this topic. He is one of the world’s most sought-after speakers, consultants and instructors in this field. Marcus will be running his “Hacking the Windows platform” lab in Amsterdam in June. This is an ever so important and eye-opening lab that is constantly updated. Make sure to reserve a seat for yourself and/or your colleague.

New! Deployment Workshop in 6 European cities with Mikael and Johan.

Don’t miss this one-day workshop on the deployment process. It’s a short version of our popular labs in the deployment area, Lite Touch and Zero Touch, as well as guidance on which tools to use for a successful roll-out. You will leave this day with documentation, videos and tons of tips and tricks from the deployment experts. Read more and register for this Deployment A-Z workshop.


 

In this issue:

Johan Arwidmark: MDT-Drivers-PowerShell is king
Mikael Nystrom: MDT and OU's
Marcus Murray: Crimeware on the rise
Kent Agerlund: The new application model in Configuration Manager 2012

MDT-Drivers-PowerShell is king

If you have read any of my articles on MDT and drivers, you know that for most environments I like to have total control of my drivers (rather than the Total Chaos method, which is the default in MDT).

This means that I normally create a more detailed folder structure in the Deployment Workbench that matches the drivers folder I have on disk. Of course I could use the old-school DriverPaths method in MDT to avoid importing the drivers altogether, but I like the single-instance store in MDT, and being able to use additional filters if I want to.

Here is a PowerShell script that imports drivers into MDT from a folder structure on disk...

Download the Import Drivers From File System Script

The structure on disk looks like this:

[Screenshot: driver folder structure on disk]

After running the script, it will look like this in the Deployment Workbench:

[Screenshot: Out-of-Box Drivers folder structure in the Deployment Workbench]

You need to edit the following information in the script to reflect your environment:

$DriverStore = "C:\Drivers"
$MDTDSRoot = "C:\MDTBuildLab"
$PSDriveName = "DS001"
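The following is an added example of how such an import can be written with the MDT 2010 PowerShell snap-in; it is not Johan's downloadable script. It assumes MDT is installed locally, that the MDTProvider drive answers Test-Path, and that the three variables are the same as above.

```powershell
# Added example, not Johan's downloadable script: import a driver folder tree into MDT
# with the MDT 2010 PowerShell snap-in, one workbench folder per folder on disk.
# Assumptions: MDT is installed locally and the three variables match the article's.
$DriverStore = "C:\Drivers"
$MDTDSRoot   = "C:\MDTBuildLab"
$PSDriveName = "DS001"

Add-PSSnapin Microsoft.BDD.PSSnapIn -ErrorAction Stop
if (-not (Get-PSDrive -Name $PSDriveName -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $PSDriveName -PSProvider MDTProvider -Root $MDTDSRoot | Out-Null
}
$WorkbenchRoot = "$($PSDriveName):\Out-of-Box Drivers"

# Get-ChildItem -Recurse lists a parent folder before its children, so every
# workbench folder exists before its subfolders are created.
Get-ChildItem -Path $DriverStore -Recurse | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $Folder   = $_
    # "C:\Drivers\Windows 7 x64\Dell" becomes "Windows 7 x64\Dell" under Out-of-Box Drivers
    $Relative = $Folder.FullName.Substring($DriverStore.Length).TrimStart('\')
    $Target   = Join-Path $WorkbenchRoot $Relative

    if (-not (Test-Path -Path $Target)) {
        New-Item -Path (Split-Path $Target -Parent) -Name $Folder.Name -ItemType folder `
                 -Enable "True" -Comments "" | Out-Null
    }

    # Import-MDTDriver walks -SourcePath recursively, so import only from leaf folders;
    # importing from a parent folder as well would list every driver twice in the workbench.
    $HasSubfolders = Get-ChildItem -Path $Folder.FullName | Where-Object { $_.PSIsContainer }
    if (-not $HasSubfolders) {
        Import-MDTDriver -Path $Target -SourcePath $Folder.FullName -Verbose
    }
}
```

Drivers whose .inf sits in a folder that also has subfolders are skipped by the leaf-only rule; move them into their own leaf folder before running.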

Happy Scripting…

/ Johan

Crimeware on the rise!

I have spent some time lately analyzing various trojans and bots that focus on stealing money by collecting credit card numbers or logging into online bank accounts.

One thing that I think is important to understand is that these Trojans are more common than most people realize, and the reason is that no one benefits from the exposure.

The criminal using the software wants to stay under the radar as long as possible, and the bank on the other side does not want to scare customers away from using its services. The result is that very little information regarding real attacks ever reaches the public.

Whether or not you are covered for your loss in case you ever get targeted, I can assure you that it's not a pleasant experience. Recovering from a stolen identity, stolen credit card numbers or illicit withdrawals from your bank account is painful, time consuming and intrusive to your privacy.

Therefore I would like to share some info about the popular crimeware of today:

The most effective ones today are called SpyEye, Zeus and Carberp.

They are often created by one person or group and then sold to other persons or groups who will actually use them.

The crimeware typically consists of a command and control server that often has a web-based interface for the criminal to administer and remotely control the targets. Often there is a module-based system so that additional plugins can be installed for additional functionality.

They also have a builder that creates a custom Trojan or bot which is later installed on target systems. Many of the builders today can generate unique bots that are undetectable by antivirus, and for some of these versions the detection rate is as low as 30-35% even months after the bots have been released to “the market”.

The bots are often controlled simultaneously, and some common functions today are:
- VNC remote GUI control
- Extracting certificates even if they are marked as not exportable
- Password stealer
- Keylogger
- Customized banking plugins that can hijack valid logins to certain online banks

[Screenshot: the SpyEye GUI]

 

So, what can we learn from this?

Well, the trick is to be proactive.

Do not browse the dark alleys of the internet logged on as Admin; run as a regular user while exposing yourself to external services and networks.

Make sure your computers are always fully patched, and that goes for all third-party software and plugins as well.

Use a new and updated version of the latest antivirus or, even better, consider whitelisting using AppLocker or similar to control which binaries run on your system.

Enable the built-in firewall and configure the rules to be restrictive.

...and be suspicious. The world is not all evil, but it's not all good either. Other people than you want to run your computers, so please be alert and question strange behavior.

The crimeware industry is growing and their tools keep getting better and better; please try not to support them by letting them take your money or computing power.

Stay safe!

/Marcus





The new application model in Configuration Manager 2012

With beta 2 just around the corner it’s time to start some serious CM2012 testing. Personally I have been playing around with the product for almost a year by now, and I’m pretty impressed. Especially the new application model is a feature worth waiting for.

With CM2012 you will have two different application objects: the old traditional CM2007 packages and the applications created using the new application model. An application in CM2012 consists of 3 objects:

1. The application metadata
2. One or more deployment types.
3. A deployment (aka an advertisement).

The real power lies within the deployment type. You can have multiple deployment types within a single application, e.g. an MSI installation, an App-V installation or even multiple MSI installations using different transform files. Within a deployment type you have:

1. Requirement rules
2. Dependencies
3. Detection methods
4. Installation commands
5. The content

Requirement rules

Requirement rules are evaluated before installing the application. There are 3 different kinds of requirement rules:

1. User

An example is the primary device. With this rule you can ensure the deployment only begins if the user is logged on to the defined primary device.

2. Machine

An example is total physical memory. The installation will only begin if the required amount of memory is present.

3. Global conditions

Global conditions are custom-created rules that can be used in multiple application deployment types. An example is the minimum company requirements for any desktop computer (domain membership, minimum free disk space, a specific operating system, etc.).

Dependencies

Dependencies are other applications that must be present in order for the installation to succeed. In CM2007 we have often used a task sequence or a scripted solution to detect and install dependencies. With CM2012 you just select the application that is depended on, and it can be installed automatically.

Detection methods

With detection methods you can easily detect whether the application is already installed. In the current beta release, applications can be detected by the MSI product code or by running a custom script.
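As an added example of the custom-script detection method (not from the article or from Microsoft), here is a detection script that checks both the presence and the version of an MSI-installed product; the ProductCode and version are placeholders, and the script relies on the released product's documented convention that text on STDOUT with exit code 0 means "installed".

```powershell
# Added example, not from the article or from Microsoft: a custom detection script for a
# ConfigMgr 2012 deployment type. Convention (the released product's documented behaviour):
# text on STDOUT with exit code 0 = installed, no output with exit code 0 = not installed,
# any non-zero exit code = detection failure.
# Assumptions: the ProductCode and version below are placeholders for a real MSI.
$ProductCode     = "{00000000-0000-0000-0000-000000000000}"   # placeholder MSI ProductCode
$RequiredVersion = [version]"1.2.0"                            # placeholder minimum version

function Test-ApplicationInstalled {
    param([string]$ProductCode, [version]$RequiredVersion)
    # Read both the 64-bit and the 32-bit registry view explicitly, so the result is the
    # same whether the client runs the script in a 32-bit or a 64-bit host (needs .NET 4).
    foreach ($View in @([Microsoft.Win32.RegistryView]::Registry64,
                        [Microsoft.Win32.RegistryView]::Registry32)) {
        $Hive = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
        $Key  = $Hive.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode")
        if ($Key -eq $null) { continue }
        $Installed = $Key.GetValue("DisplayVersion") -as [version]
        $Key.Close()
        # Present but older than required counts as "not installed", so the
        # deployment type upgrades it instead of reporting success.
        if ($Installed) { return ($Installed -ge $RequiredVersion) }
    }
    return $false
}

if (Test-ApplicationInstalled -ProductCode $ProductCode -RequiredVersion $RequiredVersion) {
    Write-Output "Installed"
}
exit 0   # never exit non-zero here: ConfigMgr reports that as a detection error, not "not installed"
```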

Installation command

These are still the same as in the previous version. You will however find some new features here as well, like the uninstall command and return code control. The return code control is especially useful. I have seen many examples with CM2007 where an application was installed correctly but, due to a missing return code, the status message stayed at running or even reported failed.

The content

The content is the binaries, and as with CM2007 I recommend that all source files are kept on another file server.

The deployment

The deployment (formerly known as the advertisement) allows you to target applications to end users while at the same time requiring approval from a manager.

Software that is deployed to end users will be available from the web self-service portal. In this example an approval is required. Once approved, the end user can install the application.

The administrator approves the request.

The software is immediately ready for installation.

I hope this article has inspired you to learn more about Configuration Manager 2012. I’m thrilled to announce that I will run the first Mastering Configuration Manager 2012 class May 30, in Stockholm.

/Kent



MDT and OU's

I got a question some time ago, it was something like this:

-Hi Mike, just a short question, we can’t get the MachineObjectOU to work since we have a bunch of OU’s that are named using Swedish characters. Do you have any ideas?

And yes, ideas I do have, trust me. So I started playing around and I discovered that MDT does not really like the Unicode format at all; MDT works perfectly fine using ANSI.

I also did some research on the Internet and discovered that there were people asking for this, but no answers. After spending some time in MDT, creating scripts with different levels of success, my brain began to work. A memory from the past popped up: didn’t Active Directory handle that somehow? And yes, it does. But before we go into that, let’s see how we can put a computer in the correct OU.

Alternative 1:

You can use a property called MachineObjectOU; when in use it could look something like this in customsettings.ini:

[Settings]
Priority=MacAddress, Default
Properties=MyCustomProperty

[00:15:1a:1b:1c:1d]
OSDComputername=PC001
MachineObjectOU=OU=ComputersA,OU=Company,DC=viamonstra,DC=com

[Default]
OSinstall=Y

Alternative 2:

If you use the wizard you can use “DomainOUs” in customsettings.ini; that way you will be presented with a list of OU’s to pick from. It looks something like this:

[Settings]
Priority=Default
Properties=MyCustomProperty

[Default]
OSinstall=Y
DomainOUs1=OU=ComputersA,OU=Company,DC=viamonstra,DC=com
DomainOUs2=OU=ComputersB,OU=Company,DC=viamonstra,DC=com

Alternative 3:

One other option is to use an XML file called “DomainOUList.xml”. You create it in Notepad and save it in the Scripts folder in MDT, and it should look something like this:

<?xml version="1.0" encoding="utf-8"?>
<DomainOUs>
<DomainOU>
OU=ComputersA,OU=Company,DC=viamonstra,DC=com
</DomainOU>
<DomainOU>
OU=ComputersB,OU=Company,DC=viamonstra,DC=com
</DomainOU>
</DomainOUs>

But, what if I have spaces in my OU name?

Easy, it works perfectly; just type in the name of the OU including spaces, like this:

DomainOUs1=OU=This OU has Spaces,OU=Company,DC=viamonstra,DC=com

But, what if I have Swedish characters in my OU name, like ÅÄÖ?

Easy, replace the characters like this: Å=A, Ä=A, Ö=O. If the OU is named “Vård och Omsorg” in Active Directory, it should look like this:

DomainOUs1=OU=Vard och Omsorg,OU=Company,DC=viamonstra,DC=com

I can’t remember what the function in Active Directory is called, but I know it works. You can test this easily: create an OU called “Östra skolan” and then try to create an OU at the same location called “Ostra skolan”. Can’t be done, “object already exists”.
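As an added example (not from the article), the following script builds DomainOUList.xml for the MDT wizard from a list of OU distinguished names, applying the substitution above; it extends the article's table with the lower-case forms å, ä and ö, and refuses to write the file if any non-ANSI character is left. The OU list and output path are constructed values.

```powershell
# Added example, not from the article: generate DomainOUList.xml for the MDT wizard from
# OU distinguished names, folding Swedish characters as the article describes
# (Å=A, Ä=A, Ö=O, plus their lower-case forms) so MDT only ever sees ANSI text.
# Save this script as UTF-8 with BOM so PowerShell reads the Swedish characters correctly.
# Assumptions: the OU list and output path below are constructed values.
$OUs = @(
    "OU=Vård och Omsorg,OU=Company,DC=viamonstra,DC=com",
    "OU=Östra skolan,OU=Company,DC=viamonstra,DC=com",
    "OU=This OU has Spaces,OU=Company,DC=viamonstra,DC=com"
)
$OutFile = "C:\MDTBuildLab\Scripts\DomainOUList.xml"   # the MDT Scripts folder

function ConvertTo-AnsiOU {
    param([string]$DistinguishedName)
    # -creplace is case-sensitive, so upper and lower case are folded separately
    return ($DistinguishedName -creplace 'Å', 'A' -creplace 'Ä', 'A' -creplace 'Ö', 'O' `
                               -creplace 'å', 'a' -creplace 'ä', 'a' -creplace 'ö', 'o')
}

function New-DomainOUList {
    param([string[]]$DistinguishedNames, [string]$Path)
    $Xml = New-Object System.Xml.XmlDocument
    $Xml.AppendChild($Xml.CreateXmlDeclaration("1.0", "utf-8", $null)) | Out-Null
    $Root = $Xml.AppendChild($Xml.CreateElement("DomainOUs"))
    foreach ($DN in $DistinguishedNames) {
        $Folded = ConvertTo-AnsiOU -DistinguishedName $DN
        # Refuse anything still outside printable ASCII rather than write a file MDT cannot parse
        if ($Folded -match '[^\x20-\x7E]') {
            throw "Non-ANSI character left in '$Folded'; extend ConvertTo-AnsiOU"
        }
        $Node = $Root.AppendChild($Xml.CreateElement("DomainOU"))
        $Node.InnerText = $Folded
    }
    $Xml.Save($Path)
}

New-DomainOUList -DistinguishedNames $OUs -Path $OutFile
```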

/mike




Where to find us...

- Mastering SCCM 2007 SP2 R3 with Kent Agerlund: New York City, March 16-18
- Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Michael Petersen: Chicago, March 16-18
- Mastering MDT and WDS with Mikael Nystrom: Chicago, April 4-6
- Deployment Geek Week with Johan Arwidmark and Mikael Nystrom: Redmond, WA, March 7-11 (Sold Out)
- Deploying Windows 7 using MDT 2010 and SCCM 2007 SP2 with Johan Arwidmark: New York City, April 12-14

Full schedule at http://www.truesec.com


TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052
