News Contact Company



September 2010 Newsletter

Having trouble reading this email? View it in your browser.

TrueSec

News and Geek Stuff

September 2010

This month we are adding news from our SCCM expert Kent Agerlund, Microsoft MVP. Kent has been in the SCCM field since the early beta stages way back then (code name Hermes). If you are looking to sharpen the saw in this filed, there are still seats available for Kent’s “Mastering SCCM2007 SP2R2/R3” in Long Beach later in October. Details at the bottom of this mail, as usual.

I would also like to take the opportunity to tell you about two new class': “Unleash the Power of MDT 2010 Lite Touch” two days packed with tips and tricks for a successful Lite Touch deployment and Power Shell Masterclass with the master himself, Thomas Lee.

This month:

 johan-arwidmark-soft-mugshot.png

Multicasting - not only for operating system deployment  

 Johan Arwidmark

 mikael-nystrom-soft-mugshot.png

“There’s an app for that”
Remote Desktop Manager

Mikael Nystrom

 marcus-murray-soft-mugshot.png

New massive vulnerability threatens ASP.NET websites all over the world!

 Marcus Murray

 kent-mugshot.jpg

To use Task Sequencer in SCCM 2007 for deployment


Kent Agerlund


Multicasting; not only for operating system deployment

In my work I have the good fortune of presenting a training every once in a while, and for those trainings I normally prepare the classrooms myself. The challenge in previous years was not to deploy the OS (that I know how to do  :) ), but rather to distribute all the virtual machines for the class in a timely fashion. Back then I normally used a bunch of external hard drives with an automated scripted that copied and imported my virtual machines into HyperV, but no more...

Why? well, There is a quicker way... The Multicast feature in WDS can be used to transfer any file over the network. This is how you do it.

Step 1 - Create the WDS name space (enabling a folder for multicast)

In this example I have stored compressed (winrar) version of my virtual machines in a folder called D:\Exported_VMs on my server. One of the vm's is named DC01.rar.

So we need to create a new namespace name for files in the D:\Exported_VMs folder (note that the folder needs to exist to create the namespace). Use the following command

WDSUTIL /New-Namespace /NamespaceType:AutoCast /Server:MDT01 /FriendlyName:"Really Large Files" /Namespace:"Really Large Files" /ContentProvider:WDS /ConfigString:D:\Exported_VMs

Step 2 - Get the files via multicast on the client

Then, on the client, to get the large files via multicast First, allow the wdsmcast.exe in the firewall rules (inbound rule), and run the following command.

wdsmcast.exe /verbose /transfer-file /server:MDT01 /namespace:"Really Large Files" /SourceFile:"DC01.rar" /DestinationFile:"C:\VMs\DC01.rar" /Username:TSLAB\BuildAccount /password:"P@ssw0rd"

Note that target folder must exist, otherwise wdsmcast fails.

The wdsmcast client runs best, and is only supported, in WinPE, but you can also start it in the running operating system. That however is not supported and has proven, at least in my testing, not being as reliable as running it in WinPE.

Regards / Johan

 

-There’s an app for that:
Remote Desktop Manager


Sometimes magic happens, and sometimes someone do a really nice application, nope, not talking about the “apps” that every kid has to have these days.
I’m talking about an application the really, really helps me day in and day out. It is a free download from Microsoft, it has been an internal project and finally some was “allowed” to release it to the web (RTW).

It is called Remote Desktop Manager and it makes it possible to arrange all the different RDP connections in to one tool, you can organize all the different locations into groups, and then you can have different settings per group or per server, you can even over ride settings for different servers.

You download it from Microsoft.com/download and search for RDCman or click this link

First thing you do is to create a file, this is going to contain all settings, servers and maybe also passwords, so keep it save

The you create groups and in groups you then add servers. The big thing about groups is that you can store configuration in the group and that means that the 400 servers that are in the group is inheriting settings like RDSGateway or Name and Passwords and that’s super.

You can also connect and disconnect a group of servers, move them around (not by drag/drop, instead you get properties and you will see object inheritance, just modify that)

Here is a quick look at it

screenshot-micke-4.jpg

I have done a blog post on this with more screenshots and some more info and details and you will find it here http://itbloggen.se/cs/blogs/micke/archive/2010/09/21/the-application-of-the-year-or-maybe-the-whole-decade.aspx

Mikael Nystrom – TrueSec
MVP Windows Server  - Setup/Deployment

New massive vulnerability threatens ASP.NET websites all over the world!

Friday last week Microsoft confirmed a really scary vulnerability in the way ASP.NET encrypts sensitive cookie data.

Some early reports states that 25% of all websites in the world are vulnerable!!

The result is sometimes devastating and in many scenarios hackers can use the bug to get access to sensitive data or impersonate administrators.

What´s even more scary is the fact that the vulnerability was presented in a crypto-conference in year 2002 and it´s more than likely that this has been known in closed circles for many years.

Another important thing to understand is the fact that it’s not a Microsoft-specific bug. The vulnerability itself lies in how various encryption algorithms use padding  to fill out blocks of data. I will not explain all the details since you can read a great article about is here: http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx

The most important thing to understand from an ASP.NET perspective is that you can use this attack to decrypt encrypted data in cookies and encrypt your own modified data. In effect you can for example put ADMINISTRATOR into a session cookie instead of JOE.

We are currently analyzing this vulnerability in our lab and my colleague Johannes is creating tools for identifying the vulnerability on servers over internet and PoC attack tools for demonstration purpose. I think I will demonstrate this in one of my sessions at TechED Europe.

So, I guess you want my recommendations?..

Read the blog post in the link above to understand the issue, and how to mitigate it.


Download this tool to see if your own webservers are vulnerable :)

http://www.asp.net/media/782788/detectcustomerrorsdisabledv30.zip

  1. Stay tuned for updates in the Microsoft advisory:
  2. http://www.microsoft.com/technet/security/advisory/2416728.mspx


Be careful out there!

/Marcus Murray, Security MVP, TrueSec Security Team.

To use Task Sequencer in SCCM 2007 for deployment

Lots of administrators have used the Task Sequence over the last years for operating system deployment. With good reason, the feature is pretty powerful and allows administrators to have full control of almost all aspects of the operating system deployment process. In Configuration Manager 2007 you’ll find the task sequence as part of the Operating system deployment feature.

Starting from vNext (next version of Configuration Manager), the task sequence will be placed as an independent feature in the Software Library Wunderbar. Moving the task sequence feature away from the Operating System deployment feature makes perfectly sense since you can also use the feature for “normal” software deployment scenarios.

I still use the old fashion Software distribution feature in ConfigMgr for the majority of my software deployments. However from time to time I run into scenarios, where a Task Sequence clearly provides we with more control compared to the traditional approach. Some of those scenarios are:

1. Deployment where I need to uninstall an old application prior to installing the new one. Often the challenge is that not all computers have the old application installed.

Create a new empty custom task sequence and add a Install software step.

kent screen shot 1.png

Select the Uninstall program for the application.

Click Option, click Conditions and select the Install Software condition.

Select the MSI file you want to remove on the client computer and click OK

kent screenshot 2.png  

Add a second Install software step to the task sequence. Select the software package you want all computers to install.

2. Role based deployments, where different departments must have specific software.

Check my previous blog post for that solution

3. Hardware specific deployments, one example is VPN software that only should be deployed to laptops.

  • For this solution I recommend creating a MDT toolkit package and run the Gather step prior to the Install VPN software step.
  • Click Option, click Conditions and select the Variable condition.
  • Type Islaptop as variable name and True as the value

kent screeshot 3.png

In common for all 3 scenarios is the use of conditions.

Best regards

Kent Agerlund
Configuration Manager MVP

Where to find us

Come meet us at any of our labs. Below is a where we will hold labs during the next 2 months

Coming Labs in the US

Mastering SCCM 2007 with Kent, Long Beach

October 27-29  

Power Shell Master Class, Thomas Lee, New York City November 15-17

Zero Touch Deployment with Johan, New York City                                         

November 15-17

Unleash the power of MDT 2010 Lite Touch,
with Johan in New York City
Lite Touch Deployment with Mikael, Boston
Zero Touch Deployment with Johan, Boston

November 18-19

November 29-December 1
November 29- December 1

For complete schedule listing please go to www.truesec.com

 


Unsubscribe
| To contact us please email info@truesec.com


</

 




TrueSec Inc    |     +1(425) 285-4477     |     info[at]truesec.com    |     Infrastructure    |     Security    |     Pentesting    |     TrueSec Inc. Website Privacy Statement