


June 11, 2012
June 2012 Newsletter


TrueSec

News and Geek Stuff

June 2012

In the midst of the biggest Microsoft US techie event, TechEd 2012 in Orlando, comes a short newsletter with contributions from our MVPs.
If you are attending TechEd, I assume you won't miss the opportunity to meet Johan, Mike, Kent, Hasain or Marcus during or after their sessions. Kent, Johan and Mike will also be signing books in the bookstore.

Summer is usually a slow period for most businesses, but not so much for us. Our popular Geek Week runs in Redmond in mid July. Mike and Johan will take you through five days on the Microsoft campus, with you in the driver's seat for the System Center 2012 journey. Hotel and meals included!

Kent is back in Minneapolis running his Mastering System Center ConfigMgr 2012 class at the end of July. This is the best ConfigMgr 2012 class on the market, with one of the absolute foremost ConfigMgr MVPs there is as instructor. If you are serious about your training, this is it.

Lite Management Solution (LMS) Released!

TrueSec has finally released LMS to market: the easy and intuitive way to fully manage Microsoft Endpoint Protection without SCCM.

The two major benefits of LMS are that it does not depend on domain membership to manage computers, and that client/server communication runs over the internet and is SSL secured. This means you can manage all your computers from a single console even if a computer is in a DMZ, traveling (and connected to the internet) or at a home office. These are only a few benefits among many.

Several companies are already running LMS in production, and over 200 have downloaded the free version (10-client limit) for evaluation.

Get your free version or purchase LMS at http://lms.truesec.se

See how you can fully manage Endpoint Protection without SCCM today!

In this issue:

- Johan Arwidmark: Sign your unsigned drivers - Damn it!
- Mikael Nystrom: New properties in MDT 2012
- Kent Agerlund: Installing a secondary site in ConfigMgr 2012

Sign your unsigned drivers - Damn it!

The drivers saga continues...

For a driver to be ranked correctly by Windows 7 Setup it should be signed, and for Windows 7 x64 deployments it really needs to be signed. However, vendors don't always provide signed drivers, or you need to modify a driver package for a specific device, and when you do, you break the signature. The solution is to sign the driver package yourself.

In this example you sign an unsigned driver for Windows 7 named b57nd60a.inf (yes, it's the Broadcom NetXtreme Desktop driver) for the fictional company ViaMonstra. The scenario is that you have modified the b57nd60a.inf file, so the signature is now broken.

This means that if you, for example, try to add the driver to the Windows 7 driver store using pnputil -a b57nd60a.inf, pnputil fails with an error reporting that the INF does not contain digital signature information.

(Screenshot: pnputil -a b57nd60a.inf failing with the digital signature error.)

Signing drivers - Overview

- Get the tools
- Create the certificate and private key
- Create the catalog file
- Sign and timestamp the driver
- Install the certificate


Signing drivers - Detailed steps

Again, in this example you sign an unsigned driver named b57nd60a.inf for the fictional company ViaMonstra. Remember that the scenario is that you have modified the b57nd60a.inf file, so the signature is now broken.


Step 1 - Get the tools

- Go to www.microsoft.com/downloads, download and then install the Windows SDK for Windows 7 (this gives you makecert, cert2spc, pvk2pfx, signtool and certmgr.exe)

- Go to www.microsoft.com/downloads, download and then install the Windows Driver Kit 7.1.0 (this gives you inf2cat)



Step 2 - Create the certificate and private key

- Create a folder named C:\ViaMonstraDriversCert

- Start the command prompt and type the following commands, press Enter after each command.

cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"

makecert -r -sv C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -n "CN=ViaMonstra" C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer


When prompted, assign the private key password P@ssw0rd (the same password is passed to pvk2pfx below).


cert2spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc

pvk2pfx -pvk C:\ViaMonstraDriversCert\ViaMonstraDrivers.pvk -pi P@ssw0rd -spc C:\ViaMonstraDriversCert\ViaMonstraDrivers.spc -pfx C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx -po P@ssw0rd

Note: the .pvk and .pfx files contain the private key. Every computer where you later install ViaMonstraDrivers.cer as a trusted root will trust anything signed with this key, so keep these two files off the deployment share and away from the driver packages you distribute.


Step 3 - Create the catalog file

- Create the C:\ViaMonstraDriversCert\Broadcom folder and copy the b57nd60a.inf and b57nd60a.sys files to it.

- Start the command prompt and type the following commands, press Enter after each command.

cd /d "C:\WinDDK\7600.16385.1\bin\selfsign"

inf2cat.exe /driver:"C:\ViaMonstraDriversCert\Broadcom" /os:7_X64 /verbose

inf2cat hashes every file the INF references and writes the catalog named by the CatalogFile directive in the INF's [Version] section, here b57nd60a.cat. If the INF references a file that is not in the folder, inf2cat reports it and you need to copy that file as well.

(Screenshot: inf2cat.exe output.)


Step 4 - Sign and timestamp the driver

- The catalog file b57nd60a.cat created in Step 3 is now in C:\ViaMonstraDriversCert\Broadcom. This is the file you sign; the INF and SYS files are covered by the hashes inside it.

- Start the command prompt and type the following commands, press Enter after each command.

cd /d "C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin"

signtool sign /f C:\ViaMonstraDriversCert\ViaMonstraDrivers.pfx /p P@ssw0rd /t http://timestamp.verisign.com/scripts/timstamp.dll /v C:\ViaMonstraDriversCert\Broadcom\b57nd60a.cat

The /t timestamp lets the signature stay valid after the signing certificate expires; the timestamp server must be reachable when you run signtool.

(Screenshot: signtool output.)


Step 5 - Install the certificate


To trust the certificate on a single computer (the signing certificate is self-signed and not yet trusted by the operating system), start the command prompt and type the following commands, press Enter after each command. certmgr.exe is the SDK command-line tool, not the certmgr.msc snap-in.

certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine ROOT

certmgr.exe -add C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer -s -r localMachine TRUSTEDPUBLISHER


Note: you can also use certutil to install the certificate.

Now when you run pnputil -a b57nd60a.inf again, the driver package is added to the driver store without complaints:

(Screenshot: pnputil -a b57nd60a.inf succeeding.)

Note what this does and does not buy you. The catalog signature is what PnP checks when it installs and ranks the driver package, so pnputil works and there is no unsigned-driver prompt. The 64-bit kernel performs a separate check when it loads b57nd60a.sys: the binary must carry a signature, embedded in the file or in an installed catalog, that chains to a CA cross-certified by Microsoft, or the machine must be in test-signing mode. A self-signed certificate you added to Trusted Root yourself does not satisfy that check. In this scenario only the INF was modified, so check that the unchanged b57nd60a.sys still has an embedded vendor signature (signtool verify /v /kp b57nd60a.sys); if you modify or replace the binary itself, the catalog alone will not make it load on x64.


Enterprise configurations - Group Policy

Using certmgr or certutil to install certificates may be cool, but deploying the certificate using Group Policy makes more sense for the enterprise. To create the group policy, do the following:

- Using Group Policy Management, create a new group policy and link it to an OU where you have a test machine.

- Edit the policy and navigate to Computer Configuration / Windows Settings / Security Settings / Public Key Policies / Trusted Root Certification Authorities.

- Import the C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer certificate.

- Also import the certificate in the Trusted Publishers container.



References:

MSDN docs on driver ranking:

How Windows Ranks Drivers (Windows Vista and Later)
http://msdn.microsoft.com/en-us/library/windows/hardware/ff546225%28v=vs.85%29.aspx
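The following PowerShell script is an added example, not part of Johan's walkthrough. It runs after Step 4 and checks what the signatures on the package actually prove before you install the certificate: that the catalog is signed with your key and timestamped, whether b57nd60a.sys still has an embedded signature the 64-bit kernel can use, and whether test signing is on. It then installs the certificate with certutil (the alternative mentioned in Step 5) and verifies that the catalog signature is now valid. Paths and file names are the article's; the checks, the messages and the requirement of PowerShell 3 or later in an elevated prompt are this example's own assumptions.

```powershell
# Added example (not from the article): after Step 4, check what the signatures on the
# package actually prove, then install the certificate with certutil. Paths and file
# names follow the article; the checks and messages are this example's own.
# Requires PowerShell 3 or later and an elevated prompt for the certutil and bcdedit calls.
$driverDir = 'C:\ViaMonstraDriversCert\Broadcom'
$cerPath   = 'C:\ViaMonstraDriversCert\ViaMonstraDrivers.cer'

function Get-SignerReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$OurCert
    )
    # Works for the .cat (catalog SIP) as well as for an embedded signature in the .sys.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $report = [ordered]@{
        File        = Split-Path $Path -Leaf
        Status      = $sig.Status            # NotSigned, Valid, or an error while the root is untrusted
        Signer      = $null
        Root        = $null
        SignedByUs  = $false
        Timestamped = ($null -ne $sig.TimeStamperCertificate)
    }
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'      # lab machine, no CRL access assumed
        $null = $chain.Build($sig.SignerCertificate)       # $false for an untrusted root, elements still populated
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $report.Signer     = $sig.SignerCertificate.Subject
        $report.Root       = $top.Subject
        $report.SignedByUs = ($sig.SignerCertificate.Thumbprint -eq $OurCert.Thumbprint)
    }
    [pscustomobject]$report
}

$ourCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# 1. Sanity check the file before it goes into Trusted Root: it must be the self-signed
#    certificate from Step 2 and nothing else (subject and issuer are the same).
if ($ourCert.Subject -ne $ourCert.Issuer) { throw "$cerPath is not self-signed; refusing to install it as a root" }
"About to trust: $($ourCert.Subject), thumbprint $($ourCert.Thumbprint), valid until $($ourCert.NotAfter)"

# 2. The catalog must be signed with our key. The .sys is untouched in this scenario, so it
#    should still show the vendor's embedded signature (if it ever had one).
$cat = Get-SignerReport -Path (Join-Path $driverDir 'b57nd60a.cat') -OurCert $ourCert
$sys = Get-SignerReport -Path (Join-Path $driverDir 'b57nd60a.sys') -OurCert $ourCert
$cat, $sys | Format-Table -AutoSize

if (-not $cat.SignedByUs) { throw 'b57nd60a.cat is not signed with ViaMonstraDrivers.pfx; rerun Step 4' }
if (-not $cat.Timestamped) { Write-Warning 'Catalog signature has no timestamp; it becomes invalid when the certificate expires' }

# 3. The kernel-mode check on x64 does not consult Trusted Root. Without an embedded vendor
#    signature the .sys will only load if the machine is in test-signing mode.
$testSigning = [bool]((bcdedit /enum '{current}' 2>$null) -match '^testsigning\s+Yes')
if ($sys.Status -eq 'NotSigned' -and -not $testSigning) {
    Write-Warning 'b57nd60a.sys has no embedded signature and test signing is off: expect the package to install but the driver to fail to load on 64-bit Windows 7'
}

# 4. Install the certificate with certutil, the alternative the article mentions, into the
#    same two stores as the certmgr.exe commands in Step 5.
certutil -f -addstore Root $cerPath | Out-Null
certutil -f -addstore TrustedPublisher $cerPath | Out-Null

# 5. With the root trusted, the catalog signature should now verify as Valid.
$after = Get-SignerReport -Path (Join-Path $driverDir 'b57nd60a.cat') -OurCert $ourCert
"Catalog signature status after installing the certificate: $($after.Status)"
```

The self-signed check in step 1 is deliberate: whatever you put in the Trusted Root store is trusted for everything, so the script refuses to install any file that is not the certificate you generated yourself.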


/ Johan

 

 

New properties in MDT 2012

There are some new properties in MDT 2012 that can be useful, and even more are coming in Update 1. Yesterday in our preconference Michael Niehaus did a demo of the ability to run runbooks from System Center 2012 Orchestrator directly from within a task sequence, which was really cool. With that you can skip much of the web service and database struggling, since Orchestrator is much more focused on IT pros. Anyhow, here is a bunch of new properties that could make your deployment process a bit better.

ApplyGPOPack=YES/NO

In MDT 2012 there is a new function that applies a local GPO pack during the deployment. MDT 2012 ships four templates that are applied automatically; if you open the Templates folder in the deployment share you will see the corresponding folders.

If you don't want them for some reason (not tested and verified) you can disable them using ApplyGPOPack=NO. I do however recommend that you download Security Compliance Manager 2.5, import them and verify that all security settings are correct for your environment.

HideShell=YES/NO

HideShell means that the desktop (explorer) does not show up until the deployment process is done, which makes it a bit harder to interfere with the computer while it is being deployed. If you are deploying Windows 8 you should set this to YES, otherwise the Metro UI will cover the deployment process UI and it will be very hard to see whether a deployment process is running.

DisableTaskMgr=YES/NO

This one works in conjunction with HideShell: HideShell does not prevent the user from pressing Ctrl+Alt+Del and starting Task Manager, but this one does. My recommendation is to enable it after you have verified that your deployment process works, since it will also make it a bit harder to troubleshoot some scenarios.

IsOnBattery=True/False

This one is very nice to use. The new version of the gather process exposes whether the machine is running on battery, and as you understand it is not a good idea to deploy a new OS on a machine that runs on battery. Modifying your CustomSettings.ini as in the example below blocks any attempt to deploy an OS on a machine that runs on battery. Note that the section is called ByIsOnBattery, but the property expanded in the SubSection line is IsOnBattery, the name the gather step sets; no ByIsOnBattery-False section is needed, a missing section is simply skipped.

[Settings]
Priority=ByIsOnBattery, Default
Properties=MyCustomProperty

[ByIsOnBattery]
SubSection=ByIsOnBattery-%IsOnBattery%

[ByIsOnBattery-True]
OSInstall=N

[Default]
OSInstall=Y
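To see how the rule above is evaluated, here is an added PowerShell example, not MDT's own code (ZTIGather.wsf is VBScript and does far more). It models the parts of the gather engine that matter for this rule: the Priority list, SubSection with %VARIABLE% expansion, and first-value-wins, and runs a constructed copy of the CustomSettings.ini above with IsOnBattery set to True and to False.

```powershell
# Added example (not MDT's own code): a small model of how ZTIGather walks CustomSettings.ini,
# enough to check the IsOnBattery rule before you run a deployment. It covers the Priority
# list, SubSection with %VARIABLE% expansion, and first-value-wins; the real engine does much
# more (list properties, database queries, UserExit scripts, ...).

# Constructed copy of the rules from the article.
$customSettingsIni = @'
[Settings]
Priority=ByIsOnBattery, Default
Properties=MyCustomProperty

[ByIsOnBattery]
SubSection=ByIsOnBattery-%IsOnBattery%

[ByIsOnBattery-True]
OSInstall=N

[Default]
OSInstall=Y
'@

function ConvertFrom-Ini {
    param([string]$Text)
    $ini = @{}
    $section = $null
    foreach ($raw in $Text -split "`r?`n") {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $ini[$section] = [ordered]@{}; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') { $ini[$section][$Matches[1]] = $Matches[2] }
    }
    $ini
}

function Expand-MdtVariables {
    param([string]$Value, [hashtable]$Props)
    # %Name% is replaced with the property's current value; unknown names become empty, as in MDT.
    foreach ($m in [regex]::Matches($Value, '%([^%]+)%')) {
        $Value = $Value.Replace($m.Value, [string]$Props[$m.Groups[1].Value])
    }
    $Value
}

function Resolve-MdtProperties {
    param([hashtable]$Ini, [hashtable]$Gathered)
    $props = @{} + $Gathered          # facts from the gather step (IsOnBattery, etc.) are set first
    function Visit([string]$Name) {
        if (-not $Ini.ContainsKey($Name)) { return }   # e.g. ByIsOnBattery-False is not defined: skipped silently
        foreach ($key in @($Ini[$Name].Keys)) {
            $value = Expand-MdtVariables $Ini[$Name][$key] $props
            if ($key -eq 'SubSection') {
                foreach ($sub in $value -split ',') { Visit $sub.Trim() }
            } elseif (-not $props.ContainsKey($key)) {
                $props[$key] = $value                    # first value wins; later sections cannot override it
            }
        }
    }
    foreach ($s in $Ini['Settings']['Priority'] -split ',') { Visit $s.Trim() }
    $props
}

$ini = ConvertFrom-Ini $customSettingsIni
foreach ($onBattery in 'True', 'False') {
    $r = Resolve-MdtProperties -Ini $ini -Gathered @{ IsOnBattery = $onBattery }
    "IsOnBattery=$onBattery -> OSInstall=$($r['OSInstall'])"
}
```

With IsOnBattery=True the SubSection resolves to ByIsOnBattery-True, which sets OSInstall=N before the Default section is reached, so Default's OSInstall=Y is ignored. With IsOnBattery=False the resolved section does not exist, nothing is set, and Default supplies OSInstall=Y. If you write %ByIsOnBattery% instead of %IsOnBattery% in the SubSection line, the variable expands to nothing, the section name becomes ByIsOnBattery- and the rule never fires.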

/mike

 

 

Installing a secondary site in ConfigMgr 2012

Reasons for installing a secondary site server in ConfigMgr 2012 have been somewhat limited to very few scenarios. I recommend installing secondary sites when you have:

- More than 500 clients in a remote location
- A need for a local Management Point
- A need for a local Software Update Point
- A need for a local State Migration Point

Run the Prerequisites Checker

You should always run the prerequisite checker before starting any secondary site installation. The benefit is that you catch errors up front. Below I'm running the prerequisites checker to verify that my future secondary site server CM05 is OK.

1. Log on to the primary site server and open the command prompt as Administrator.

2. Navigate to the ConfigMgr 2012 installation media.

3. Run this command from the .\SMSSETUP\BIN\X64 folder:

prereqchk.exe /SEC cm05.SC2012.Local.com /INSTALLSQLEXPRESS /Ssbport 4022 /Sqlport 1433

4. You can also verify the process by reading the C:\prereq.log file on the site server.



Now you might be wondering what the prerequisites are. The answer is simple: run the prerequisites checker and fix all the issues. There is an explanation for each missing prerequisite.

 

Install the Secondary Site Server

1. In the ConfigMgr console, navigate to the Administration workspace, Site Configuration, Sites.

2. Click Create Secondary Site on the ribbon.

3. On the Before You Begin page, click Next.

4. On the General page, configure these settings and click Next:

a. Site Code: PS2
b. Site Server Name: CM05.SC2012.Local
c. Site Name: Secondary site, Copenhagen
d. Installation folder: D:\Program files\Microsoft Configuration Manager\

5. On the Installation Source Files page, select Copy installation source files over the network from the parent site server and click Next.

6. On the SQL Server Settings page, keep the default settings and click Next.

7. On the Distribution Point page, configure this setting and click Next:

Install and configure IIS if required by Configuration Manager: Enabled

8. On the Drive Settings page, configure these settings and click Next:

a. Drive space reserve (MB): 1024
b. Primary content library location: D
c. Primary package share location: D

Note: You can still use the NO_SMS_ON_DRIVE.SMS file if you want to exclude specific drives from being used for the content library.

9. On the Content Validation page, configure this setting and click Next:

a. Validate content on a schedule: Enabled

10. On the Boundary Groups page, leave Add the local boundary group selected, clear Allow fallback source location for content, and click Next.

11. On the Summary page, read the summary and click Next.

12. On the Completion page, click Close.

Verify the installation

1. You can monitor the installation by reading the hman.log file on the primary site server.

2. You can also monitor bootstrap.log and ConfigMgrSetup.log on the new secondary site server.


Post SQL Server Express Configurations

ConfigMgr automatically installs SQL Server 2008 R2 Express SP1 on the secondary site server. This version should be upgraded to SQL Server 2008 R2 Express SP1 CU6.

1. On the secondary site server, stop these three services:

a. SMS Agent Host (the Management Point service)
b. SMS Executive
c. SMS Site Component Manager

2. Open a command prompt with administrative permissions and run:

SQLServer2008R2-KB2679367-x64.exe /Action=Patch /IAcceptSQLServerLicenseTerms /AllInstances /Quiet

Note that this is a quiet installation; if you want to monitor the installation process, use Task Manager or remove the /Quiet switch.

3. After the upgrade is finished, restart the three ConfigMgr services and the SQL Server (CONFIGMGRSEC) service.
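Here is the same three-step patch as a PowerShell script, added as an example and not part of Kent's article. It reads the SQL Server build from the registry before and after, stops and restarts the services in order, and acts on the setup exit code. The service and instance names are the ones ConfigMgr 2012 uses on a secondary site; the patch location and the expected build number for SP1 CU6 are assumptions (verify the build against the KB article).

```powershell
# Added example (not from the article): the SQL Express patch steps above as one script,
# with exit-code handling and a build check before and after. Service and instance names
# are the ones ConfigMgr 2012 uses on a secondary site; the patch location and the expected
# build number are assumptions for this example (check the KB article for the CU6 build).
$patch         = 'C:\Install\SQLServer2008R2-KB2679367-x64.exe'   # assumed download location
$expectedBuild = [version]'10.50.2811'                            # assumed build for 2008 R2 SP1 CU6
$instance      = 'CONFIGMGRSEC'
# Stop order as in the article: agent host, then executive, then component manager.
$cmServices    = 'ccmexec', 'SMS_EXECUTIVE', 'SMS_SITE_COMPONENT_MANAGER'

function Get-SqlBuild {
    param([string]$Instance)
    # Read the build from the registry: no SQL login needed, and on SQL Server 2008 R2 a local
    # admin is not automatically sysadmin. Instance name -> instance ID (e.g. MSSQL10_50.CONFIGMGRSEC).
    $id = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$Instance
    if (-not $id) { throw "SQL Server instance $Instance not found on this server" }
    [version](Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$id\Setup").Version
}

function Start-SiteServices {
    # Reverse of the stop order: SQL Server first, then component manager, executive, agent host.
    Start-Service -Name "MSSQL`$$instance"
    foreach ($svc in $cmServices[($cmServices.Count - 1)..0]) { Start-Service -Name $svc }
}

$before = Get-SqlBuild $instance
"SQL Server ($instance) build before patching: $before"
if ($before -ge $expectedBuild) { "Already at $before, nothing to do"; return }
if (-not (Test-Path $patch)) { throw "Patch package not found: $patch" }

# 1. Stop the ConfigMgr services so nothing holds the site database while SQL is patched.
foreach ($svc in $cmServices) { Stop-Service -Name $svc -Force }

# 2. Same command line as step 2, run quietly, waiting for the result.
$setupArgs = '/Action=Patch', '/IAcceptSQLServerLicenseTerms', '/AllInstances', '/Quiet'
$proc = Start-Process -FilePath $patch -ArgumentList $setupArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0    { 'Patch applied' }
    3010 { Write-Warning 'Patch applied, but a reboot is required before the new build is fully active' }
    default {
        # Bring the site back up before failing, so a bad patch does not leave the site down.
        Start-SiteServices
        throw "SQL setup returned $($proc.ExitCode); see Summary.txt under C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log"
    }
}

# 3. Restart the services in the right order and confirm the build.
Start-SiteServices
$after = Get-SqlBuild $instance
"SQL Server ($instance) build after patching: $after"
if ($after -lt $expectedBuild) { Write-Warning "Build is still below $expectedBuild; check the setup log" }
```

Exit code 3010 is the standard Windows Installer "success, reboot required" code; the script treats it as success but warns, because the build reported from the registry may already show the new number while the running engine still needs the restart.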

Verify the Secondary Site Installation

You can monitor and verify the status of the secondary site in the ConfigMgr console.

1. In the Administration workspace, select Site Configuration, Sites.

2. The secondary site's State is listed as Active.

3. Open the Monitoring workspace and select Site Hierarchy. Here you see a hierarchy diagram and the overall status of the sites. You can also select a geographical view - nice.

4. In the Monitoring workspace, select Database Replication.

/Kent

Where to find us......

Mastering System Center Operations Manager 2012 with Kare Rude Andersen
Minneapolis, July 19-22

Deployment Geek Week with Johan Arwidmark and Mikael Nystrom
Redmond, WA, July 16-20

Mastering System Center Config Mgr 2012 with Kent Agerlund (with Chris Nackers)
Minneapolis, July 30 - Aug 2
New York City, August 13-16

MVP Combo - The ultimate MDT2012 and ConfigMgr2012 training with Johan Arwidmark and Kent Agerlund
New York City, August 27-31

Full schedule at http://www.truesec.com

 

 

To contact us please email info@truesec.com

TrueSec Inc.
8201 164th Ave NE, Redmond, WA 98052

+1 (425) 285-4477