October 2010 Newsletter


TrueSec

News and Geek Stuff

October 2010

In this October issue, Marcus elaborates on the subject that has been headline news around the globe this month: Stuxnet. Important and useful thoughts from our security expert. We will soon post the dates for Marcus's classes Hacking the Windows Platform and Fighting malware with Forefront. Two very important and popular labs.
Our infrastructure gurus, Johan, Mikael and Kent are as usual sharing their latest experiences from the field.
Both Johan and Mikael will run their very popular deployment labs in New York and Boston in November. Find the class schedule at the bottom of this mail.

This month:

Johan Arwidmark:
Insert Computers Automatically into the MDT Database





Mikael Nystrom:
Enable TPM in a task sequence for HP computers


Marcus Murray:
Stuxnet a glimpse of future threats


Kent Agerlund:
Installing a secondary site


Insert Computers Automatically into the MDT Database

Some time ago, I got an email from fellow deployment MVP and very good friend Mikael Nystrom. The email was not very long, which is unusual for Mike, who loves to write (and talk), and very to the point. The email was something like this:

Hi Johan,

I'm at the airport, on my way to New York.
I need to have the deployment wizard (MDT 2010 Lite Touch) inserting info into the database.
I need it ten minutes ago… or at the very latest when I land in New York.

The “ten minutes ago” thing turned out to be difficult to fulfill (time travelling is still on my bucket list), but the final statement gave me almost 8 hours to come up with something, and this was more than I needed.

First, as Mikael very well knew, MDT 2010 Lite Touch has a nice deployment wizard, prompting for all sorts of deployment information. The problem is: by default it doesn't automatically add the information you specify in the deployment wizard into the MDT database.

Here is a solution that will do just that...

This sample will inject the computer name you specify in the deployment wizard into the OSDComputerName and Description fields in the database, but it can easily be extended to add more information.

Step-by-step instructions

  1. Download the sample files and copy InsertDB.ini to your Deployment Share\Control folder.

  2. Using SQL Management Studio, modify the first line in the InsertComputerName.sql script to match your database name, and then execute the script to create the InsertComputerName stored procedure.

  3. Assign execute permissions on the InsertComputerName stored procedure to the user you use to run the Lite Touch installation. The user also needs read/write permissions to the database.

     [Screenshot: Setting the permissions on the InsertComputerName stored procedure]

  4. Modify your rules to ask for the computer name (SkipComputerName=NO).

  5. In the Task Sequencer, add an extra Gather action, name it Insert Computer Name, and configure it for full processing with the InsertDB.ini rules file.

     [Screenshot: Configuring the Task Sequence]

Note: To see the newly added computer entry after the Insert Computer Name action has executed, you need to close and reopen the Deployment Workbench. The Deployment Workbench does not notice that you added info to the database outside the UI :)
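As an added illustration (this is not Johan's sample file, which is not reproduced in the newsletter), here is what an InsertComputerName stored procedure along these lines can look like, with InsertDB.ini passing the gathered computer name and MAC address as its parameters. The table and column names (ComputerIdentity, Settings, Type 'C', OSDComputerName), the MDT database name and the deployment login are assumptions to verify against your own MDT database.

```sql
-- Added example, not the newsletter's sample file. Schema names below are
-- assumed to match what the Deployment Workbench creates; verify them first.
USE MDT;   -- first line: change to your database name (step 2)
GO
CREATE PROCEDURE dbo.InsertComputerName
    @OSDComputerName NVARCHAR(64),
    @MacAddress      NVARCHAR(17),
    @SerialNumber    NVARCHAR(50) = NULL,
    @UUID            NVARCHAR(36) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @ID INT;

    -- Reuse an existing identity for this MAC so that re-running the
    -- deployment wizard on the same machine does not create a duplicate entry.
    SELECT @ID = ID FROM dbo.ComputerIdentity WHERE MacAddress = @MacAddress;

    IF @ID IS NULL
    BEGIN
        INSERT INTO dbo.ComputerIdentity (Description, MacAddress, SerialNumber, UUID)
        VALUES (@OSDComputerName, @MacAddress, @SerialNumber, @UUID);
        SET @ID = SCOPE_IDENTITY();

        -- Type 'C' marks a per-computer settings row keyed by the identity ID
        INSERT INTO dbo.Settings (Type, ID, OSDComputerName)
        VALUES ('C', @ID, @OSDComputerName);
    END
    ELSE
    BEGIN
        UPDATE dbo.ComputerIdentity
           SET Description = @OSDComputerName
         WHERE ID = @ID;
        UPDATE dbo.Settings
           SET OSDComputerName = @OSDComputerName
         WHERE Type = 'C' AND ID = @ID;
    END
END
GO
-- Step 3: the Lite Touch account only needs EXECUTE on this procedure to run it;
-- the login name here is a placeholder.
GRANT EXECUTE ON dbo.InsertComputerName TO [DOMAIN\MDTDeployUser];
GO
```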

/ Johan

Footnote: Johan Arwidmark, when not presenting trainings for TrueSec Inc., is the Chief Technical Architect with Knowledge Factory.


Stuxnet - a glimpse of future threats

I spend a lot of time with the vulnerability researchers in my team. It's always very interesting to see how they can reverse engineer software and find flaws in applications. What worries me the most is not the fact that we sometimes find critical errors in software that can be used to compromise systems.
No, I'm worried about the fact that if we can find them, then other people can find them too.

Not long ago we and other researchers started to analyze the Stuxnet malware, and we noticed something really scary. The people who created Stuxnet had knowledge of at least four unknown vulnerabilities in Windows, and on top of that they had deep knowledge of the Siemens WinCC SCADA control systems, including a hard-coded "secret" connection password. (Well, I don't know how secret that password really was; we found out that it was posted on the internet in 2008, a long time before Stuxnet was released…)

Depending on who you are, a malware attack focusing on a nuclear power plant in Iran may or may not be very interesting, but there is a certainty that is interesting to each one of us:

A new era of malware is born and it will affect us all, whether we like it or not.
Attacks like Stuxnet show that if our business, organization or IT environment is interesting enough to someone, there is a possibility we will be attacked by evil code that is extremely hard to detect and mitigate. As in the Stuxnet case, it might attack vulnerabilities in our platforms that there is no patch for.

Another fact is that Stuxnet rapidly spread to other countries and to other networks. That teaches us that we might be attacked by this kind of malware even if our business isn't very interesting.

Nevertheless, our computers might become infected and remotely controlled by some criminal organization.

As a security consultant I wish I had a nice quick fix for this problem that I could sell, but in reality it's just not that easy.

The most common reason that malware hits a company and spreads internally is not that they have the wrong antivirus solution or firewall.
It's usually because:

- We are still using old operating systems and applications.
- The workstations usually have a very relaxed security configuration.
- We have system dependencies like the same admin password on every client.
- The users, or select important users, still run as admins.
- We accept the fact that our users execute untrusted code on their systems.
- We do not have proper segmentation between internal systems.
- We are not delegating administrative access according to least privilege.
- We are not monitoring systems the right way to detect when something is wrong.
- We are not teaching our users how to use their computers securely.

 So I guess we still have some work to do!

Marcus Murray

Enable TPM in a task sequence for HP computers

A long time ago I was having a chat with my friend and colleague Johan Arwidmark (who happens to know some stuff about deployment) about TPM chips and how to enable them using some kind of script. We came to the conclusion that it would be "challenging" to enable the chip silently, since the documentation around TPM clearly states that it should not be silent: the user should be the one saying "Yes, please." However, in reality that is not the smartest thing, for one simple reason: when we deploy machines using our corporate standard image, we really don't like to stare at the deployment for hours just to be able to press F1 to continue. So most customers enable the TPM chip before starting the deployment phase, and that kind of works, but…

A week ago Johan sent me a blog post which states that if you use a Dell box it is possible. I immediately called Johan.

[Mike] - You know, it should be possible with HP too…
[Johan] - If you do a blog post on that, you will be really famous (well, not sure about that though…)

Anyway, since Johan "really" needed this blog post :) I had to do something, and the first step was of course to contact friends at HP in Houston, Texas (to translate that, I sent an email to Greg Starks) and say, "Hey, Dell can do this, why can't you?" One day later a bunch of "stuff" was in my inbox, and one hour later it worked like a charm (of everything I got, I used the text file called TPMEnable.REPSET).

Basically what you need is BiosConfigUtility.EXE, which is part of HP System Software Manager. You can download that from: ftp://ftp.hp.com/pub/softpaq/sp49501-50000/sp49507.exe

Now you need to have a file called TPMEnable.REPSET and that looks like this:

[Screenshot: contents of TPMEnable.REPSET]

Now, you can run:

BIOSConfigUtility /SetConfig:TPMEnable.REPSET /NewAdminPassword:"Password1"

And, WOW, TPM is enabled :)

Next up, is just to put it in a TS.

To please Johan, I did a blog on this one with pictures and all and since some of you may have a Dell computer, I’ll give you both links.

For HP:

http://itbloggen.se/cs/blogs/micke/archive/2010/10/18/enable-tpm-via-task-sequence-on-hp-boxes.aspx

For Dell:

http://myitforum.com/cs2/blogs/gramsey/archive/2010/07/30/how-to-enable-trusted-platform-module-tpm-on-dell-latitude-optiplex-and-precision-workstations.aspx

Best Regards

Mikael Nystrom – TrueSec
MVP Setup/Deployment

Installing a secondary site

Installing a secondary site might seem like a straightforward process, and with a little planning that is not far from the truth. My latest remote site was on a server located on the other side of the world. I had a few challenges:

  • Very poor bandwidth
  • Large number of packages and images (approx. 150 GB)
  • SQL server is configured using a non-standard port

To solve the challenge here is what I had to do.

  • Prior to installing I copied all pck files from the central site server to a USB drive and shipped the drive with a colleague to “far far away”.
  • Install Windows 2008 R2 server with the latest patches.
  • Install and configure IIS according to documentation.
  • Install and configure WDS according to documentation.
  • Install the Configuration Manager 2007 Toolkit 2 (Yes, you will need Trace32.exe to read log files).
  • Install SQL 2008 R2 Client tools
    • Configure an x86 alias for Configuration Manager to use my custom SQL port
    • Configure an x64 alias for WDS to use my custom SQL port
    • You can use netstat -a to verify the port being used to establish the connection
    • More info on this can be found in this post.
  • Installed and configured the secondary site server.
  • Created a small package on my central site server and distributed it to my new secondary site server.
  • Copied all compressed PCK packages to d:\SMSPCK on the local secondary site server
  • Copied PreloadPkgOnSite.exe from the Configuration Manager v2 toolkit to D:\SMSPKG.
    • The tool will work right out of the box with most packages, but for some packages (where the package source ID and the compressed package version ID are not identical) the tool will write the wrong package ID to the database and package replication will fail. For that reason you must identify the packages with unmatched IDs and run preloadpkgonsite.exe /updatepackageid [id number].
  • To save some time you can run this PowerShell script (written by Greg Ramsey). The script will check the database for versions and write the correct syntax to a bat file. Before running the script you must replace PROVIDER and Sitecode with the names of your Provider server and sitecode.

# Query every package from the SMS provider (replace PROVIDER and Sitecode first)
$pkgs = Get-WmiObject -Class SMS_Package -ComputerName PROVIDER -Namespace root\sms\site_Sitecode
$output = @()
$pkgs | ForEach-Object {
    # Only packages whose compressed .pck file was copied to the secondary site
    if (Test-Path ("D:\smspkg\" + $_.PackageID + ".pck"))
    {
        # One PreloadPkgOnSite command per package, using the stored package version from the database
        $output += ("PreloadPkgOnSite.exe " + $_.PackageID + " /UpdateStoredPkgVersion " + $_.StoredPkgVersion)
    }
}
# Write the commands to a batch file (ASCII so cmd.exe can run it)
$output | Out-File -FilePath "D:\SCCM Install\preloadpck.bat" -Encoding ascii

  • Run the preloadpck.bat to start the package replication
  • After the replication is finished you will need to add a distribution point to the new packages. This can easily be done using the Copy packages wizard in the console or by using the DP utility tool from Cory Becht. The cool part about this tool is that it can also be used to remove packages from a DP.

    When packages are added to the DP the compressed pck files will be decompressed locally at the secondary site server using only very little bandwidth. You can monitor this process by reading the distrmgr.log file on the secondary site server.

Where to find us

Come meet us at any of our labs. Below is where we will hold labs during the next 2 months.

Coming Labs in the US

Final Call! Mastering SCCM 2007 with Kent, Long Beach: October 27-29
PowerShell Master Class with Thomas Lee, New York City: November 15-17
Zero Touch Deployment with Johan, New York City: November 15-17
Unleash the power of MDT 2010 Lite Touch with Johan, New York City: November 18-19
Lite Touch Deployment with Mikael, Boston: November 29-December 1
Zero Touch Deployment with Johan, Boston: November 30-December 2

For complete schedule listing please go to www.truesec.com

To contact us please email info@truesec.com



TrueSec Inc. 8201 164th Ave NE Redmond WA 98052
