Monthly Archives: March 2011

The Blog Wrap-Up for March 2011

  • %System%\System32 secrets: change

    Change money, change your life? No, just change the way your terminal server behaves

  • Some new cool betas

    MS issued several absolutely awesome betas – join the programs and influence the products at their early stages

  • Delegate permissions for creating GPO objects in other domain

    You cannot delegate this permission easily, so let’s do it the “hard way”, which is not particularly hard, actually

  • Too many smart-cards inserted. Good thing: no need to throw them away

    Do you see the message? Problem solved!

  • %SystemRoot%\System32 Secrets: certreq

    Systemroot continues to reveal its secrets

  • %SystemRoot%\System32 secrets: BITSAdmin

    Download files even after the connection has been lost. A slightly outdated command, but it still works

  • Wildcard certificates drawbacks

    They are an excellent means to simplify your life, but what is on the flip side?

  • %SystemRoot%\System32 secrets: BCDEdit

    Dual boot of W7 with FreeBSD? Easy

  • %System%\System32 secrets: change

    Another old-timer here. I cannot remember when I last used it, but I guess it can still be useful in a number of situations. For example, I used to use it to install new software on a terminal server or to stop user logons to it. Now I usually don’t touch terminal servers, and as far as I know they have other means to complete these tasks. Anyway, Windows 2003 is still in place and we still have the command around.

    It can do the following:

    • Change the logon setting: we can turn off new logons to the TS. Just run change logon /disable.
    • Change port mappings. I haven’t used it at all, and I hope you won’t have to either, because the KB article says: “Changes the COM port mappings to be compatible with DOS applications”. No way I want to be anywhere near this stuff anymore =)
    • Prepare a TS for software installation: .ini file mapping and all that stuff. Before installing software you run change user /install, and when you are done you run change user /execute.

    And that’s all it can do… But I remember what wonderful bugs you could get if you didn’t know the command…

    The only thing I can’t explain is why it is still present on Windows 7. Does anyone know the answer? =)))
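    Here is an added example (not from the post) of how the two halves of the command fit together: it stops new logons, switches the terminal server to install mode, runs an installer, and then returns to execute mode and restores logons even if the installer fails. The installer path and its silent switch are assumptions; everything else is the change command as described above.

```powershell
# Added example (not from the original post): put a terminal server into
# install mode, run an installer, and return it to execute mode, re-enabling
# logons even if the installer fails. Installer path and switch are hypothetical.
param(
    [string]$InstallerPath = 'C:\Installers\setup.exe',   # assumption: your installer
    [string]$InstallerArgs = '/quiet'                     # assumption: its silent switch
)

function Get-TsLogonState {
    # 'change logon /query' reports whether session logins are enabled or disabled.
    $out = & change.exe logon /query 2>&1 | Out-String
    if ($out -match 'disabled') { 'disabled' } else { 'enabled' }
}

function Invoke-TsInstall {
    param([string]$Path, [string]$Arguments)

    $previous = Get-TsLogonState
    try {
        # 1. Stop new user logons while we install (existing sessions stay connected).
        & change.exe logon /disable | Out-Null

        # 2. Switch to install mode so per-user .ini and registry mappings are captured.
        & change.exe user /install | Out-Null
        if ((& change.exe user /query | Out-String) -notmatch 'install') {
            throw 'Server did not enter install mode'
        }

        # 3. Run the installer and wait for it to finish.
        $p = Start-Process -FilePath $Path -ArgumentList $Arguments -Wait -PassThru
        if ($p.ExitCode -ne 0) { throw "Installer exited with code $($p.ExitCode)" }
    }
    finally {
        # 4. Always return to execute mode and restore logons, even on failure.
        & change.exe user /execute | Out-Null
        if ($previous -eq 'enabled') { & change.exe logon /enable | Out-Null }
    }
}

Invoke-TsInstall -Path $InstallerPath -Arguments $InstallerArgs
```

    The try/finally is the point: a terminal server left in install mode with logons disabled is exactly the kind of “wonderful bug” mentioned above, so the script never exits without undoing both changes.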

    Some new cool betas

    During the past week or so several announcements went out about the availability of betas for some MS products and some new tools. Some of them are definitely of interest to me and, probably, to you. The first is

    VMM SSPv2 SP1

    Such a nice abbreviation, isn’t it? =) It stands for Virtual Machine Manager Self-Service Portal v2 with SP1. Although a bit buggy, it is still a very cool application. I’m going to use it as soon as it is released; for now we are using it in a test environment.

    New features:

    • You can import machines which are not yet in the SSP’s zone of authority
    • Expiration for virtual machines
    • Notify administrators of business units about various events
    • Move infrastructures between business units

    Quite impressive, isn’t it? Join the beta here.

    MBAM

    I wrote about it some time ago: it’s a new addition to MDOP that can help you manage and monitor BitLocker. Now the beta is available for the product. You can join the beta here. What it can do:

    • IT can automate the process of encrypting volumes on client machines across the enterprise
    • Helpdesk can reduce the time required for BitLocker PIN and Recovery Key information
    • Security officers can quickly produce reliable evidence that indicates the compliance state of individual computers or even the enterprise itself.
    • Security Officers can easily audit access to Recovery Key information.
    • Windows Enterprise users are empowered to continue working anywhere knowing their corporate data is protected.

    System Center Virtual Machine Manager 2012

    Wow! W! O! W! =)

    I saw a review. It is awesome. No, really. From just creating a new VM to building a private cloud based on VMware. Or Hyper-V. Or both… Whatever, you can download it here. It can do so much that MS reduced the benefits to somewhat bullshittish phrases. But it has a ribbon as the administrator GUI. So I will definitely love it 😉

    New version of the Exchange 2010 Mailbox Server Role Requirements Calculator

    Nothing special, but if you use it, then you’d better use the new version.

    And some non-technical stuff: if you are an MCP, then you’ve just received new certificates (just a new look, actually, not new certifications =) ) and a new transcript. Just look at how fabulous it is:

    [image: new certificate design]

    It’s not available yet, though. But in April it will be =)

    Enough for today =)

    Delegate permissions for creating GPO objects in other domain

    This task obviously has to be completed on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM, I thought it was no big deal at all: give an account or a group membership in some special groups, including “Group Policy Creator Owners”, and voila, you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. Moreover, you are unable to change that fact: everything is dimmed.

    At least I don’t know a way to change the group’s scope (but I’ve noted to myself to find out everything about it). So we won’t get the easy way. Will we retreat? No way. If we can’t add our object to the group, we can create another group and grant the permissions to that group directly. What permissions does the “Group Policy Creator Owners” group have? As far as I know, to create any GPO we need permissions in two places: the Policies container in AD and the Policies folder in SYSVOL. So let us delegate the permissions to the brand-new group “Role GP Creator Owners”:

    1) in AD on Domain/System/Policies container:

    I guess “Create All Child Objects” is a bit of an overkill, and we could do better (just a guess), but the “Group Policy Creator Owners” group has these permissions, so we won’t do any worse.

    2) now on the Policies folder in SYSVOL:

    That’ll do the job. At least it did for me, but still, I recommend checking it with support if you have it. I’ll definitely do that and fix the article if it needs it.
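    The same two steps in command-line form, as an added example rather than the screenshots from this post: dsacls grants “Create All Child Objects” on the Policies container and icacls grants rights on the SYSVOL Policies folder. The domain names and the group name are assumptions; the group is assumed to be a domain local group in the domain where the GPOs are created, since domain local (and universal) groups can hold members from other domains while a global group cannot. The exact SYSVOL right (Modify on the folder, subfolders and files) is my assumption about what the built-in group holds there; compare it with the output of the verification step.

```powershell
# Added example (not the post's own steps): delegate GPO creation to a group
# from another domain using dsacls (AD container) and icacls (SYSVOL folder).
# Domain names and the group name below are assumptions; adjust them.
$TargetDomain = 'corp.example.com'                      # assumption: domain where GPOs are created
$TargetDn     = 'DC=corp,DC=example,DC=com'
$Group        = 'CORP\Role GP Creator Owners'           # assumption: a domain local group in $TargetDomain
                                                        # (domain local scope can hold members from other domains)

# 1) AD: "Create All Child Objects" (CC) on CN=Policies,CN=System, the same
#    right the built-in Group Policy Creator Owners group holds there.
$policiesDn = "CN=Policies,CN=System,$TargetDn"
& dsacls.exe $policiesDn /G "${Group}:CC"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed on $policiesDn" }

# 2) SYSVOL: the Policies folder must accept the new GPO's folder tree.
#    Modify on this folder, subfolders and files (assumption: what the default
#    ACL grants Group Policy Creator Owners; verify against step 3's output).
$policiesPath = "\\$TargetDomain\SYSVOL\$TargetDomain\Policies"
& icacls.exe $policiesPath /grant "${Group}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $policiesPath" }

# 3) Verify: list the ACEs that now mention the group in both places.
& dsacls.exe $policiesDn   | Select-String -SimpleMatch $Group
& icacls.exe $policiesPath | Select-String -SimpleMatch $Group
```

    Run it once with an account that can change both ACLs, then test GPO creation with a member of the new group from the other domain before relying on it.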

    Too many smart-cards inserted. Good thing: no need to throw them away

    Some time ago I used to issue certificates on Aladdin (now SafeNet) eToken smart-cards through a CA web interface. Occasionally it was hard to accomplish, because when I tried to do that I received the following error:

    “Too many smart-cards inserted. please insert only one smart-card”

    Wow! But I need two:

    • one: the eToken with a certificate for enrollment
    • the second: for the new certificate

    Maybe the CA thinks I have too many of them in general and need to throw some away? No, fortunately (they cost a lot in bulk, you know) that is not the case. Moreover, there is a simple solution to the problem: set the registry entry NoDefaultKeyContainer under HKLM\SOFTWARE\Aladdin\eToken\MIDDLEWARE\CAPI\IEXPLORE.EXE (or create it, if you don’t have it) to the DWORD value 00000000.

    That always solved the problem for me.

    Important: Serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

    322756 (http://support.microsoft.com/kb/322756/ ) How to back up and restore the registry in Windows
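    An added example (not from the post) that applies the fix the careful way the KB note asks for: it exports the key as a backup first, creates the key when it is missing, sets the value and reads it back. The backup location is an assumption.

```powershell
# Added example (not from the post): back up the eToken middleware key, then set
# NoDefaultKeyContainer to 0, creating the key/value if missing. Backup path is an assumption.
$KeyPath   = 'HKLM:\SOFTWARE\Aladdin\eToken\MIDDLEWARE\CAPI\IEXPLORE.EXE'
$ValueName = 'NoDefaultKeyContainer'
$Backup    = "$env:TEMP\eToken-CAPI-backup.reg"   # assumption: where to keep the backup

# reg.exe wants the HKLM\... form, not the PowerShell drive form.
$regKey = $KeyPath -replace '^HKLM:\\', 'HKLM\'

if (Test-Path $KeyPath) {
    & reg.exe export $regKey $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; not changing anything" }
} else {
    # Key absent: nothing to back up, so create the whole path.
    New-Item -Path $KeyPath -Force | Out-Null
}

# Create or overwrite the DWORD value.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null

# Read back and report what is now in the registry.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
"{0}\{1} = {2:x8} (backup: {3})" -f $regKey, $ValueName, $current, $Backup
```

    If anything goes wrong afterwards, reg import of the exported file restores the key exactly as it was.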

    %SystemRoot%\System32 Secrets: certreq

    The next two candidates for the series from the System32 folder were bootcfg and cacls (I’m going through them alphabetically). But they are deprecated and, just as importantly, I’ve managed to learn their new variants. Moreover, I’ve already described BCDEdit, the successor to bootcfg (and I’ve managed to learn how to use the new one ;)). Therefore I’m skipping these two commands and going straight to the certreq command.

    So, certreq. It is more for advanced admin use than for the general user. But still it is good to remember it… Just in case you need to:

    • create a new request for a certificate, which can later be submitted to a CA
    • submit the request to a CA
    • retrieve a certificate from a CA
    • sign a certificate request
    • and all the other stuff to deal with certificates =)

    Of course, it is scriptable, but, to be honest, I’ve used it only several times so far. Still, it can come in handy in scripting, on the helpdesk and on a box disconnected from your network. So, keep it in mind 😉

    Further reading:

    Certreq Syntax

    Extended explanation of it

    Advanced Certificate Enrollment and Management
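    To show the first three bullets end to end, here is an added example (mine, not from the post or the linked documents): an INF describing the request, certreq -new to build the PKCS#10 request, -submit to send it to an enterprise CA, and -accept to install the issued certificate, with the pending-approval case handled via -retrieve. The subject name, template name and CA config string are assumptions you would replace with your own.

```powershell
# Added example (not from the post): request a machine certificate with certreq,
# submit it to an enterprise CA, and install the result. The subject, template
# and CA config string are assumptions; replace them with your own.
$Subject  = 'CN=web01.corp.example.com'              # assumption
$Template = 'WebServer'                               # assumption: template name, not display name
$CaConfig = 'ca01.corp.example.com\Corp-Issuing-CA'   # assumption: "<host>\<CA name>"
$Work     = Join-Path $env:TEMP 'certreq-demo'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1) Describe the request in an INF file: machine store, non-exportable 2048-bit RSA key,
#    Server Authentication EKU, SHA-256 signed request.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# 2) Generate the key pair in the machine store and write the PKCS#10 request.
& certreq.exe -new -q "$Work\request.inf" "$Work\request.req"
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# 3) Submit to the CA. The output contains "RequestId: N" and the disposition.
$submit = & certreq.exe -submit -q -config $CaConfig "$Work\request.req" "$Work\cert.cer" 2>&1 | Out-String
$requestId = if ($submit -match 'RequestId:\s*(\d+)') { $Matches[1] } else { $null }

if (Test-Path "$Work\cert.cer") {
    # 4a) Issued immediately: bind the certificate to its private key in the machine store.
    & certreq.exe -accept -q "$Work\cert.cer"
    "Installed certificate for $Subject (request $requestId)"
} elseif ($requestId) {
    # 4b) Pending CA manager approval: fetch it later by request id, then -accept it.
    "Request $requestId is pending. Once approved, run:"
    "  certreq -retrieve -config `"$CaConfig`" $requestId `"$Work\cert.cer`""
    "  certreq -accept `"$Work\cert.cer`""
} else {
    throw "Submission failed:`n$submit"
}
```

    Because the key is generated in the machine store and marked non-exportable, the request file is safe to carry to another box (the disconnected-box case above): only the public half leaves the machine, and -accept must run where the key was generated.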

    %SystemRoot%\System32 secrets: BITSAdmin

    Another deprecated friend of mine. But I still like it, really. First of all because I still haven’t found enough time to get acquainted with all those *-BITSTransfer PowerShell cmdlets. Second… Well, there is nothing for the “second”, naturally =) But still, it is a great command and I’d like to pay tribute to it with this article, because it is AWESOME! It is soooo powerful! Even though I usually used it just to be sure I would download a file regardless of network loss or whatever, it can do much more. Download or upload, retry these tasks, get some part of a file, set myriads of parameters, including authentication, use peer caching… Wow! =)

    But again, I usually used it to download large files. Let’s take a look at one example.

    Let’s start by creating a download job:

    BITSAdmin /CREATE /DOWNLOAD DownloadJob1

    You can see that the job has been created and assigned a GUID you can use later (but we’ll use its name in this example). Also, as you can see, we are constantly notified about the command’s deprecation =( Let’s take a look at the job:

    BITSadmin /LIST /VERBOSE

    (Yeah, a LOT of information.) Obviously, the job is currently empty (FILES: 0 / 0), so let’s add some files to it:

    BITSadmin /ADDFILE DownloadJob1 <URL> <PathToSavedFile>

    Added successfully, and a temp file has already been created. Let’s add one more and look at the second temporary file: they are both 0 bytes in size for now. Now that we have two files for our job to download, we can get more info from the job:

    Here we can see both our files (JOB FILES) and… Can we just wait till the files get downloaded? No, because the job is not started at the moment (STATE: SUSPENDED). We need to start it, and this is easy:

    BITSADMIN /RESUME DownloadJob1

    Now the job is in the TRANSFERRING state; we can see how many bytes (BYTES) or files (FILES) have been transferred, and so on. At this point something goes wrong and our network gets disconnected. Is it a problem for our downloads? Yes:

    their state is TRANSIENT_ERROR. Should we worry about it? No, because as soon as the network is restored our job goes to QUEUED and then resumes automatically:

    Re-entering the /LIST command from time to time to look at this big picture is boring, so we’ll monitor it another way:

    BITSadmin /MONITOR /REFRESH 1

    which will refresh the state of our jobs periodically (every 1 second in the example):

    As soon as we get our files transferred:

    we can just go to our download location and… Oh… Wait… What’s that?

    The files do have the appropriate size, but their names… They are still temporary =( But don’t worry, just one more little step:

    BITSadmin /COMPLETE downloadJob1

    Oops. It seems BITSadmin treats job names as case-sensitive. Worth remembering, so let’s rewrite it correctly:

    BITSadmin /COMPLETE DownloadJob1

    Here we are! The files are here and no more job to do! I’m loving it © =)

    Forgive me for that useless lesson: I just couldn’t resist it 😉

    If you are as amazed as I am, here is some reading.
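    The whole walkthrough above, scripted, as an added example that is not part of the original post: it creates the job, uses the GUID instead of the (case-sensitive, non-unique) name, adds the files, resumes the job, polls /GETSTATE until BITS reports TRANSFERRED, treats TRANSIENT_ERROR as something BITS retries on its own, cancels on a hard ERROR or timeout, and finally runs /COMPLETE so the temp files get their real names. The download URL and local paths are assumptions.

```powershell
# Added example (not from the post): the bitsadmin job flow scripted with a
# poll loop, so the download survives network loss and is completed (renamed
# from its temp file) or cancelled automatically. URL and paths are assumptions.
$JobName = 'DownloadJob1'                                  # bitsadmin compares this case-sensitively
$Files = @{
    'https://downloads.example.com/big.iso' = 'C:\Downloads\big.iso'   # assumption: remote -> local
}
$TimeoutMinutes = 120
$States = 'QUEUED|CONNECTING|TRANSFERRING|SUSPENDED|ERROR|TRANSIENT_ERROR|TRANSFERRED|ACKNOWLEDGED|CANCELLED'

# 1) Create the job. bitsadmin allows duplicate names, so capture the GUID and use it from here on.
$created = & bitsadmin.exe /create /download $JobName | Out-String
if ($created -notmatch '\{[0-9A-Fa-f-]{36}\}') { throw "Job creation failed:`n$created" }
$jobId = $Matches[0]

# 2) Add files, then start the job (new jobs are created SUSPENDED).
foreach ($url in $Files.Keys) {
    New-Item -ItemType Directory -Path (Split-Path $Files[$url]) -Force | Out-Null
    & bitsadmin.exe /addfile $jobId $url $Files[$url] | Out-Null
}
& bitsadmin.exe /resume $jobId | Out-Null

# 3) Poll /getstate. TRANSIENT_ERROR (e.g. network loss) is retried by BITS itself;
#    only ERROR is fatal. TRANSFERRED means every byte is on disk under a temp name.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 5
    $out = & bitsadmin.exe /getstate $jobId | Out-String      # output also carries the deprecation banner
    $state = if ($out -match "\b($States)\b") { $Matches[1] } else { 'UNKNOWN' }
    Write-Host ("{0:HH:mm:ss} {1}" -f (Get-Date), $state)
    if ($state -eq 'ERROR') {
        & bitsadmin.exe /geterror $jobId
        & bitsadmin.exe /cancel $jobId | Out-Null
        throw "Job $JobName failed"
    }
    if ((Get-Date) -gt $deadline) {
        & bitsadmin.exe /cancel $jobId | Out-Null
        throw "Job $JobName timed out after $TimeoutMinutes minutes"
    }
} until ($state -eq 'TRANSFERRED')

# 4) /complete renames the temp files to their final names and removes the job.
& bitsadmin.exe /complete $jobId | Out-Null
Get-Item $Files.Values | Select-Object FullName, Length
```

    Using the GUID avoids both surprises from the post: the case-sensitive name, and the fact that a second /CREATE with the same name silently makes a second job.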

    Wildcard certificates drawbacks

    That’s one of the search-engine referrers that lead users to my blog. OK, there certainly are drawbacks, so why not? But first things first: what are those wildcard certificates?

    In order to protect communications with web services or web sites (and not only them, actually) we use SSL certificates. I have to say that this doesn’t actually mean that every site with an https prefix and a valid certificate is legitimate itself, or that communications with it are protected, but that’s not for today’s discussion. Anyway, SSL certificates are somewhat brilliant and somewhat ugly, but they are our reality for now, and if you have many web sites, or a medium-to-large infrastructure with a multitude of services protected by certificates… Well, a certificate is issued for one particular domain name, that is, microsoft.com, www.microsoft.com and technet.microsoft.com should all have different certificates for their protection. So in such a situation you usually end up managing dozens or hundreds of certificates which expire, need to be renewed, need to be monitored… A hell of a job. But “security is security” and all that stuff, so you have to do it all.

    But the world wouldn’t see many inventions if not for lazy people, you know. So those lazy people invented wildcard certificates. They are issued to names like *.microsoft.com and hence can be used on any of microsoft.com’s subdomains. That solves all the problems above. Or does it? Indeed it does. But nothing comes without cost, remember? This case is no exception. If you use a wildcard certificate in your organization, you have the same private key on every box of yours that needs a certificate (there are services which let you create multiple wildcard certificates for the same name but with different private keys… but then why bother at all?). Statistically, that means you are increasing the risk of this one particular key being compromised. Some don’t think this is a problem; well, why bother with certificates at all, then? =) Suppose we are not those guys and we think that compromise of a certificate used by several dozen services is a problem, but not a very big one: we’ll just get a new one and spread it over our sites. But since this certificate was compromised, we have to consider any of our services as possibly compromised as well. So we also need to audit these systems to find out whether they are OK. And, believe me, it is very expensive.

    So security will definitely suffer (at least statistically). And that’s not all: you may (or may not) run into many other problems.

    To sum up: I’m definitely not fond of the solution. At least for now. You may and should decide on your own. =)
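    The “one private key on every box” problem is only manageable if you know which boxes those are. Here is an added example (mine, not from the post) that inventories the local machine store for wildcard certificates, reporting the thumbprint (identical thumbprints across hosts mean the same key), expiry, and whether the private key is exportable. The store path and the output file location are assumptions; run it on each server and merge the CSVs.

```powershell
# Added example (not from the post): inventory the local machine store for
# wildcard certificates, so you can count how many boxes share one private key
# and see when it expires. Store location and output path are assumptions.
function Get-WildcardCertificateInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My')   # assumption: server certs live here

    Get-ChildItem -Path $StorePath | ForEach-Object {
        # Collect every DNS name the certificate is valid for: the subject CN plus
        # all Subject Alternative Name entries (DnsNameList is PowerShell's view of them).
        $names = @()
        if ($_.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        if ($_.DnsNameList) { $names += $_.DnsNameList | ForEach-Object { $_.Unicode } }
        $wild = $names | Where-Object { $_.StartsWith('*') } | Sort-Object -Unique
        if (-not $wild) { return }

        # An exportable private key widens the blast radius further: anyone with
        # admin rights on this box can copy the key to another host.
        $exportable = $null
        try { $exportable = $_.PrivateKey.CspKeyContainerInfo.Exportable } catch { }

        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Thumbprint    = $_.Thumbprint
            WildcardNames = ($wild -join ';')
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey = $_.HasPrivateKey
            Exportable    = $exportable
        }
    }
}

# Run on each server (e.g. via Invoke-Command) and merge the CSVs; identical
# thumbprints across hosts show exactly which boxes hold the same key.
$report = Get-WildcardCertificateInventory
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\wildcard-certs-$env:COMPUTERNAME.csv" -NoTypeInformation
```

    The merged list is also the list of systems you would have to audit after a compromise, which puts a number on the “very expensive” part above.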

    %SystemRoot%\System32 secrets: BCDEdit

    OK, the next item on our list is not actually used very much: troubleshooting OS boot, creating some boot options, and that’s it. But it is still worth knowing about. What you can do with it can be quite awesome… if you need it =)

    For example, you can enable and configure EMS (Emergency Management Services) for any boot entry in your list. Or you can enable kernel debugging. Some wicked tongues say that you can even arrange a dual boot with some other OS if you want. I’m going to check that one of these days… Someday =)

    For further reading refer to these documents:

    http://technet.microsoft.com/en-us/library/cc709667(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc731662(WS.10).aspx

    http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/BCDedit_reff.docx
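    An added example (not from the post or the linked documents) of the two uses mentioned above, done safely: the BCD store is exported first so it can be imported back, EMS is configured and enabled on the current entry and the boot manager, and the kernel-debugging setting is checked and switched off unless you explicitly want it on (a boot entry with debugging enabled is something a hardening review flags). The COM port, baud rate and backup path are assumptions.

```powershell
# Added example (not from the post): back up the BCD store, then enable EMS on
# the current boot entry and inspect/disable kernel debugging. The COM port,
# baud rate and backup path are assumptions.
$Backup = "C:\bcd-backup-$(Get-Date -Format yyyyMMdd-HHmmss).bcd"   # assumption

# 1) Always export the store first; 'bcdedit /import' restores it if something goes wrong.
& bcdedit.exe /export $Backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'BCD export failed; not changing anything' }

# 2) EMS: global serial settings, then turn it on for the OS entry and the boot manager.
#    Braces are quoted so PowerShell does not parse {current} as a script block.
& bcdedit.exe /emssettings EMSPORT:1 EMSBAUDRATE:115200 | Out-Null
& bcdedit.exe /ems '{current}' ON | Out-Null
& bcdedit.exe /bootems '{bootmgr}' ON | Out-Null

# 3) Kernel debugging: report it and switch it off unless you are actually debugging.
#    (To enable it deliberately: bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200
#     followed by bcdedit /debug {current} ON.)
function Get-BcdDebugState {
    $entry = & bcdedit.exe /enum '{current}' | Out-String
    if ($entry -match '(?m)^debug\s+(Yes|No)') { $Matches[1] } else { 'No' }
}
if ((Get-BcdDebugState) -eq 'Yes') {
    Write-Warning 'Kernel debugging is enabled on {current}; disabling it'
    & bcdedit.exe /debug '{current}' OFF | Out-Null
}

# 4) Show the resulting entry and where the backup went.
& bcdedit.exe /enum '{current}'
"Backup stored at $Backup (restore with: bcdedit /import `"$Backup`")"
```

    Run it from an elevated prompt; the export step is what makes the rest of the experiment reversible.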