31 August 2011

Free Conficker detection and removal tool

Since November 2008 Conficker has been a problem for loads of users.  It is currently still topping the prevalent threats list at 38%.  For me the biggest problem is infected machines coming onto my network.  It would be nice to have something to give external users to check their machines before connecting to the LAN.

Sophos has a free standalone Conficker removal tool available and I thought I would check it out.

You can download it form https://secure.sophos.com/custom-tools/conficker-removal-tool.msi

Install is pretty straight forward and executing the scan is a case of launching the app and hitting the "Start Scan" button.



There is also a command line option to make it easier to automate this.


There are a few other free tools from Sophos.  You can find them here http://www.sophos.com/en-us/products/free-tools.aspx


29 August 2011

Dell PowerEdge 1850 vs. Windows Server 2008 R2

Installing 2008 R2 on Dell PowerEdge 1850 server can be tricky, but can be done .

Installation Media.
The 1850 era of server all shipped with CD-ROM drives.  So you cannot even boot of the 2008 R2 installation DVD.  You need to create a bootable USB flash drive.

Download the Windows 7 USB / DVD Download Tool from http://images2.store.microsoft.com/prod/clustera/framework/w7udt/1.0/en-us/Windows7-USB-DVD-tool.exe  Select your Server 2008 R2 ISO and select the USB drive as the destination.

BIOS
You need to configure the BIOS so that you can boot from the USB drive.  Inser you USB drive into the 1850 and start up.  At boot Time Press F2 till it indicates Entering Setup.

  • Set USB Flash Drive Emulation type to "Hard disk"
  • Change the Hard Disk Drive Boot Sequence so that the USB is above the PERC4xx adapter.

PERC RAID
During The POST phase you will see a section to configure the LSI PERC  or Power Edge Expandable Raid Controller
Press Ctrl + M - to enter the setup.

This is where you configure the drives that will be presented to the OS.  Start a new configuration and either select to create a  RAID 1  redundant disk or a spanned RAID 0 to maximise the available disk space across the two internal drives.

After you configured the drives you need to Initialise the disk.

OS Install
The storage drivers for the PERC 4/SC & PERC 4e/Si SCSI RAID controllers were included in Windows Server 2008 and Windows Server 2008x64.  In Windows Server 2008 R2 however this driver was deprecated and removed.  This leads to a problem when trying to install as no drives are available.

After long and hard searching the answer is rather simple.  Use the Windows Server 2003 x64 version of the driver.

Available directly from Dell.  

  • Open http://support.dell.com
  • Select "Start Here" form the Support for Small Businesses
  • Click Drivers & Downloads
  • Click Select Model
  • Select Servers and Storage
  • Select PowerEdge Server
  • Select 1850
  • Confirm
  • For the Operating System Select Windows Server 2003 x64
  • Expand SCSI RAID Controllers
  • Download LSI Logic Driver (Version 6.46.64)


During the install you will have to select drives.  At this point you need to load the storage driver you downloaded and extracted.  After loading you should see the adapter and then the drives available for deployment.

Conclusion
It might take a little bit of doing but you can breath new life into and old machine if you know what to do.  This allows you to sweat you old asset for a while longer while being on the latest and greatest OS.   

25 August 2011

Recover BlackBerry Messenger contacts after BBM Update

BlackBerry messenger (BBM) contacts are kept separately from your normal phone contacts.  So even if you are using BlackBerry protect http://fixmyitsystem.com/2011/05/mitigate-lost-phone-risks-with.html you cannot recover your BBM contacts.

You are advised to make a backup of your contact regularly...

During updating the BBM you might run into a problem and it might delete all your contacts and chat history.  If you have a backup file you can recover, otherwise, if you sync email you can possibly recover them from email.



  • On the Home screen or in the Instant Messaging folder, click the BlackBerry Messenger icon.
  • On the contact list screen, press the Menu key.
  • Click Options.
  • Click Restore.
  • Click Restore using email.
  • If necessary, select an email address. Click Continue.
  • Click Continue.
  • Click Continue.


23 August 2011

Transfer Bus Comparison

With newer portable hard drives starting to commonly show up on price lists and shop windows I thought it was time to update myself on the pros, the cons , and the performance of the various bus types.  The table give a very good indication of what the capabilities are.  This table is from Wikipedia and the links refer back to the various Wikis

It is very interesting to note how the newer bus types start matching or exceeding the performance of the former   server class buses such as SCSI, SAS and Fibre Channel.

Name
Raw bandwidth (Mbit/s)
Transfer speed (MB/s)
Max. cable length (m)
Power provided
Devices per channel
3,000
300
2 with eSATA HBA (1 with passive adapter)
No
1 (15 with port multiplier)
5 V/12 V
6,000
600
1
No
3,000
300
1,500
150
1 per line
PATA 133
1,064
133.5
0.46 (18 in)
No
2
6,000
600
10
No
1 (>65k with expanders)
3,000
300
1,500
150
IEEE 1394 3200
3,144
393
100 (more with special cables)
15 W, 12–25 V
63 (with hub)
786
98.25
100
393
49.13
4.5
USB 3.0*
5,000
400
3
4.5 W, 5 V
127 (with hub)
USB 2.0
480
60
5
2.5 W, 5 V
USB 1.0
12
1.5
3
Yes
SCSI Ultra-640
5,120
640
12
No
15 (plus the HBA)
SCSI Ultra-320
2,560
320
Fibre Channel
over optic fibre
10,520
1,000
2–50,000
No
126
(16,777,216 with switches)
Fibre Channel
over copper cable
4,000
400
12
InfiniBand
Quad Rate
10,000
1,000
5 (copper)
<10,000 (fiber)
No
10,000
1,250
100
10 W
7


One thing to keep in mind though, is that although the various hard drives / flash drives etc are attached to a very fast bus, it does not mean that you will get this performance.  You will most often be limited to the transfer speeds of the devices on either side of the bus.

For the full source article http://en.wikipedia.org/wiki/Serial_ATA

Apple iPhone PPTP VPN implementation

Getting an Apple device on your network can be a complicated task.  You can however very easily connect your iPhone to your network via a PPTP VPN.

VPN Settings
Because of the device limitations you can only really implement a simple VPN for them to use.  The nice thing about this is that it is such a standard that just about any device can use this VPN.  Windows XP / Vista  / Windows 7 /  Mac OS X / Android...

Configure your TMG or RAS VPN as follows:

  • Protocol  - PPTP
  • Authentication Method  - MS-CHAPv2


Configure your iPhone
The Following need to be configured on the iPhone

  • Settings
  • General
  • Network
  • VPN
  • Add VPN configuration
  • PPTP
  • Description
  • Server - Public DNS or IP
  • Account - Windows Login domain\username
  • Password
  • Encryption Level - Auto
  • Send All Traffic - On
  • Proxy
  • Auto
  • URL http://proxyserver.domain/wpad.dat
  • Save


Connect to the VPN
To connect initially you need to do the following.


  • Settings
  • General
  • Network
  • VPN
  • VPN - Slide to ON
When the VPN is connected you will see a small VPN indicator in the top right corner.

When the iPhone goes to sleep the VPN is disconnected.




Testing
There is no default DNS suffix you can specify (like you can with an Android VPN connection) so you always need to use the FQDN.  This can be somewhat of a problem if all your internal; sites are linked to with simple host names excluding the domain suffix.


To test the proxy, browse to an internet site.  Since we selected the "Send All Traffic" option, the request should be routed to your proxy.  You might be prompted for credentials.  In my case I went to a site that I have configured to block.  This verifies that the traffic is routed via the proxy.




Conclusion
The native support for a Microsoft VPN standard is very useful.  It does not allow for advanced VPN configuration, but at the very least you can connect knowing it is with secure protocols.

17 August 2011

Adding certificates to your domain using a group policy

In http://fixmyitsystem.com/2011/08/rdp-rds-unexpected-server.html I referred to using a group policy to apply the Entrust trusted certificate chain to your domain.  Here is how. It is the long way round but it should be fool proof. Since you would only need to do this one it is worthwhile.

Obtain the required certificates.
There are three ways about this.

  • If you have the certificate chain correctly installed on one machine you can export it form that machine. Skip to extracting the individual certificates.
  • If you have purchased an entrust certificate there is a nice GUI wizard  process to get the certificates.  But since not everyone has purchased a certificate I will cover the third method which can be used by everyone.
  • Retrieve the certificates form the CA's site directly. This varies form CA to CA but they all should provide this in on way or another.


Installing the certificates on the local machine
Follow the following link to the Entrust support site http://www.entrust.net/knowledge-base/technote.cfm?tn=7869



This certificate contains the chain. The following will extract the individual certificates.

  • Select and copy the certificate form the site
  • Open a text file and paste the certificate
  • Save the file as EntrustChain.cer
  • Ope the MMC on the local computer and and the certificates snap-in
  • Select Computer account - Local computer
  • Expand the tree - Trusted Root Certification Authorities - Certificates
  • Right click certificates - All tasks -Import Certificate
  • Select the .cer file you created earlier
  • Select "Automatically Select the certificate store...
  • Finish the wizard


Extract the individual certificates
Because you don't want to take any chances when creating the group policy the following is recommended



  • Open the MMC on the local computer and and the certificates snap-in
  • Select Computer account - Local computer
  • Expand the tree - Trusted Root Certification Authorities - Certificates
  • Select the Entrust.net Certification Authority (2048) certificate
  • Right click the certificates - All tasks -Export
  • Select the DER... format
  • Save the file as Entrus2048.cer
Repeat the process for the Intermediary CA



  • Expand the tree - Intermediate Certification Authorities - Certificates
  • Select the Entrust Certification Authority - L1C certificate
  • Right click the certificates - All tasks -Export
  • Select the DER... format
  • Save the file as EntrusL1C.cer

Add the certificates to a group policy
This is the most important part, and what the entire article is about.
  • Open the Croup Policy management Console
  • Create or edit an existing policy (I would suggest creating a test policy first)
  • Expand to Computer configuration - Policies -Windows Settings - Security Settings - Public key Policies
  • Select Trusted Root Certification Authorities
  • Right Click - All tasks - Import
  • Select the Entrust2048.cer file created earlier
  • Place all certificates in the following Store - Trusted Root certification Authorities
  • Finish The wizard
  • Select the Intermediate Certification Authorities
  • Right Click - All tasks - Import
  • Select the EntrustL1C.cer file created earlier
  • Place all certificates in the following Store - Intermediate Certification Authorities
  • Finish The wizard

Checking the Policy setting you should see the following

  • Apply the croup policy.
  • Check the local computer certificates on the test machine and confirm that the correct certificates are in the correct certificate stores.

Conclusion
This process will ensure that the full certificate authority chain is added to all machines that have the policy applied.  I covered how to install the Entrust certs, but the same can be done to make your private CA trusted by another company / domain etc.



14 August 2011

RDP /RDS unexpected server authentication certificate was received from the remote computer

When configuring  an RDS environment you will most probably be using a 3rd party SAN certificate to authenticate the servers.  This is used when you are using network level authentication.

I recently ran into a very interesting problem.  Some of the machines within my company could connect and work without a problem.  Others would fail at connection with the  "unexpected server authentication certificate was received from the remote computer" error.


The certificates are perfectly valid.  Connecting from the Client machines to the web interface showed the SSL cert being trusted.

It took a while to figure out what the issue was.  It turns out that the intermediary certification authorities certificate was missing from the local machine's certificate store.

  • The certificate Root is Entrust (2048)
  • The Intermediary is Entrust Certification Authority -L1C

Installing the missing certificate on the client machines resolved the connectivity issue.
It was just a "unlikely" place to look for a problem since this is after all public 3rd party trusted CA.  But it just shows that certificates can be tricky at the best of times.

To install the Entrust certificate chain follow the instructions here http://www.entrust.net/knowledge-base/technote.cfm?tn=7869

Ultimately to ensure that at least in the company we do not run into the same issue, I added the certificates with a group policy across the domain.


10 August 2011

Test SMTP relay script

When setting up an anonymous SMTP server or when you occasionally need to test certain parameters it is handy to have a script to streamline the process.

The script below will prompt for all the relevant fields:


  • FROM email address
  • TO email address
  • Subject
  • Body
  • SMTP server address



It is also quite simple to modify should you want to keep some of the fields static / edit the default values.

Save the script below as a .vbs file.


Set objEmail = CreateObject("CDO.Message")


objEmail.From = Inputbox("Spefify the FROM: address","VB SMTP","testfrom@mail.com")
objEmail.To = Inputbox("Spefify the TO: address","VB SMTP","testto@mail.com")
objEmail.Subject = Inputbox("Spefify the SUBJECT: address","VB SMTP","Message Subject")
objEmail.Textbody = Inputbox("Spefify the MESSAGE BODY:","VB SMTP","This is the email body")
objEmail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
objEmail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserver") = Inputbox("Spefify the SMTP server: name or IP address","VB SMTP") 
objEmail.Configuration.Fields.Item _
    ("http://schemas.microsoft.com/cdo/configuration/smtpserverport") = 25
objEmail.Configuration.Fields.Update
objEmail.Send





02 August 2011

Using TMG link translation to overwrite absolute URL links

#Forefront -

The Problem
Applications that are required to run on an internal and external environment often use different names.  This is generally not an issue when publishing unless you run into the dreaded absolute URL.  Use an HTTP sniffer to help trace the problem like HTTP watch, Firebug or IE developer tools.

An absolute URL / link is one the contains both the host and and relative path as in:

http://myserver.domain/application/page

A relative link by contrast only supplies the link after the host name  as in:

/application/page

This allows the host to be dynamically changed through publishing without it being an issue.  The biggest problem culprit here is scripts that are used for redirection.  These most often only cater for internal use and not for external.  These may also be limited to using the host name as opposed to the FQDN.

http://myserver/application/page

Here is an example of a script that causes this kind of problem.



The application is published externally as http://cawebqa04.fixmyitsystem.com so when the http://CAWEBQA04:80/CAisd/pdmweb8.exe link is encountered navigation fails because the host name is not fully qualified.



The publishing rule
By now you probably have a publishing rule in place.  Check the following settings.

  • Form the TMG management console
  • Select firewall policy
  • Select the rules relevant to the application
  • Edit the rule
  • From the TO tab
  • Enter the public FQDN in the top text field (cawebqa04.fixmyitsystem.com)
  • Enter the internal name in the bottom text field (cawebqa04)
  • Un-check Forward the original host header...
  • Select the Public Name Tab
  • Select Requests for the following web sites
  • Add the public name  (cawebqa04.fixmyitsystem.com)
  • Select the Link Translation tab
  • Click the configure Button
  • Make sure there are no mapping specified


The fix
To resolve this issue you need to define the global some entries for global link translation and enable the link translation on the rules.

Configure the Global link translation

  • Form the TMG management console
  • Select firewall policy
  • Click Configure global link translation from the Tasks Tab
  • Select the Global mappings tab
  • Click add
  • Specify the internal URL (http://cawebqa04:80/)
  • Specify the translated URL (http://cawebqa04.fixmyitsystem.com/)
  • Select the content types tab
  • Ensure the content type that contains the absolute link is checked
  • OK
  • OK

Enforce the link translation

  • Form the TMG management console
  • Select firewall policy
  • Select the rules relevant to the application
  • Edit the rule
  • From the link translation rule check Apply link translation to this rule
  • OK 
  • Apply

Conclusion
As a best practice one should always strive to get application to use relative links.  I for one do not like to have to define loads of translation setting for an application to work internally and externally but sometimes there is no choice.