New Microsoft Attack Surface Analyzer

Posted in Malware, Microsoft, Security, Tools on 2011/03/03 by CRCerr0r

Still in Beta, but promising…

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=E068C224-9D6D-4BF4-AAB8-F7352A5E7D45


How to integrate Remote Desktop Services and SharePoint

Posted in MOSS 2007, Remote Desktop Services (RDS), SharePoint on 2011/02/15 by CRCerr0r

I just finished setting up an RDS farm and, as part of the setup, I needed to set up the RDWeb (Remote Desktop Services Web Access) and integrate it with our SharePoint 2007 intranet portal. I was surprised to find out that the process of integrating RDS with SharePoint was rather tedious and not very well documented. I found a few articles, including one on TechNet that explained the process; however, they were either incomplete or geared toward setting up SharePoint and RDWeb on the same server.

My situation (and from the many forum posts I read, it seems this was the case for many others) was different – I needed to set up a separate installation of RDS (and make it redundant; see post here) and then integrate it with SharePoint. After piecing together a few different articles, blog posts and forum posts and a healthy amount of educated (and some not so educated… 🙂 ) guesses I finally got it to work. Here is how…

First – the environment. This was set up on a total of 8 servers:

  • 2 front end IIS servers running the Remote Desktop Web Access role only (set up with Windows NLB for load sharing and redundancy)
  • 2 middle tier boxes running Remote Desktop Licensing and Remote Desktop Connection Broker (set up as a Windows Cluster, for redundancy). One important thing to note is that the RemoteApp and Desktop Connection Management service was also clustered, as it is an integral part of the application list population function for the front end IIS boxes and the SharePoint web part
  • 2 Session Host servers (load balanced with Windows NLB and set up in an RDS Farm)
  • 1 SharePoint front end server
  • 1 SharePoint DB server (not really related to the setup directly, but a part of the environment nevertheless)

All servers are Windows 2008 R2 Standard 64-bit, except the two middle tier clustered boxes, which were Windows 2008 R2 Enterprise 64-bit, because of the clustering. This is very important as it makes a BIG difference in some of the steps, especially in GAC registration (because of Windows 2008 R2) and certain paths I list (because of the 64-bit edition). If you have a different setup, change details accordingly.

Here is the meat. This assumes you have a functional RDS environment, i.e. you can open applications via the standard RDWeb web site and the RDWeb web site is set up with Windows Authentication, not Forms… If you have not done that, here is how:

Edit the C:\Windows\Web\RDWeb\Pages\web.config file:
– un-comment the <authentication mode="Windows"/> section
– comment out the <authentication mode="Forms"> section
– comment out the <modules> and <security> sections in the <system.webServer> section at the end of the file

Now to the web part setup…

1. Edit the web.config of the SharePoint site you will be adding the RDS web part to, adding the following, in one line, to the SafeControls section. This can be the root site, or a sub site. Find the path to the file system from IIS manager:

<SafeControl Assembly="TSPortalWebPart, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" Namespace="Microsoft.TerminalServices.Publishing.Portal" TypeName="*" Safe="True" AllowRemoteDesigner="True" />

2. Create images directory structure and secure it properly:

mkdir "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\wpresources\TSPortalWebPart\6.1.0.0__31bf3856ad364e35\images"

mkdir "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\wpresources\TSPortalWebPart\6.1.0.0__31bf3856ad364e35\rdp"

cacls "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\wpresources\TSPortalWebPart\6.1.0.0__31bf3856ad364e35\images" /T /E /P NetworkService:F

cacls "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\wpresources\TSPortalWebPart\6.1.0.0__31bf3856ad364e35\rdp" /T /E /P NetworkService:F

3. Copy TSPortalWebPart and TSPortalWebPart.Resources DLLs from a server running the “Remote Desktop Web Access” role:

xcopy C:\Windows\assembly\GAC_64\TSPortalWebPart c:\temp\TSPortalWebPart /d /e /c /i /y

xcopy C:\Windows\assembly\GAC_64\TSPortalWebPart.Resources c:\temp\TSPortalWebPart.Resources /d /e /c /i /y

4. Copy the two directories to your SharePoint server’s c:\temp

5. Log in to the SharePoint server console as administrator

6. Open Task Manager, go to Processes tab and click Show Processes from all users

7. Kill ALL Explorer.exe instances for your session

8. Go to File, New Task (Run…) and open an Explorer.exe instance (this makes it run as admin and no, it does not work if you just right-click on Explorer and choose Run as administrator)

9. Drag and drop the c:\temp\TSPortalWebPart\6.1.0.0_en_31bf3856ad364e35\tsportalwebpart.dll and c:\temp\TSPortalWebPart\6.1.0.0_en_31bf3856ad364e35\TSPortalWebPart.resources.dll into the GAC (C:\Windows\assembly)

10. Verify the TSPortalWebPart and TSPortalWebPart.Resources directories are created under c:\Windows\assembly\GAC_MSIL\ (do a dir c:\Windows\assembly\GAC_MSIL\)

11. Copy the remaining files into the GAC directory created by dropping the two DLLs in

xcopy c:\temp\TSPortalWebPart\6.1.0.0_en_31bf3856ad364e35 c:\Windows\assembly\GAC_MSIL\TSPortalWebPart\6.1.0.0__31bf3856ad364e35 /d /e /c /i /y

xcopy c:\temp\TSPortalWebPart.Resources\6.1.0.0_en_31bf3856ad364e35 c:\Windows\assembly\GAC_MSIL\TSPortalWebPart.Resources\6.1.0.0__31bf3856ad364e35 /d /e /c /i /y

12. Recycle the site’s app pool

13. Populate the web part gallery

  • In the upper-right corner, on the Site Actions tab, click Site Settings.
  • Under Galleries, click Web Parts.
  • Under the Web Part Gallery heading, click New.
  • Select the check box next to Microsoft.TerminalServices.Publishing.Portal.TSPortalWebPart, and then click Populate Gallery.

14. Create images directory under the website root and copy all images from \TSPortalWebPart\ to it (PNG, GIF, JPEG)

15. Add the user account of the SharePoint web site App Pool into the TS Web Access Computers group on the server where RemoteApp and Desktop Connection Management service is running (it should already have the names of the front end Remote Web IIS servers). In my case it is the clustered middle tier.

16. Add the web part to the SharePoint site

17. In the web part, choose RemoteApp and Desktop Connection Management for the “Populate the Web Part from” option and enter the name of the server/cluster where the service resides

Your web part should now have icons from the RDS Session Hosts.

Enjoy! 🙂

Migrating Small Business Server 2003 to Small Business Server 2008 (SBS 2008)

Posted in Microsoft Exchange, Small Business Server on 2011/01/11 by CRCerr0r

I recently installed a Small Business Server 2008, migrating content and mailboxes from a Small Business Server 2003 installation. I came across a few issues that I thought I would post here in case they are helpful to someone else…

Issue 1:

BlackBerries (through Verizon Wireless) stopped getting mail after the upgrade was complete. iPhones and Android phones did not have issues, just BBs. “Peeling the onion” I realized that BlackBerry uses the Outlook Web Access URL to login to the mailbox and get mail, while the iPhones and Android phones use Microsoft ActiveSync (as ALL normal modern devices should). The problem lies in the fact that the URL changed from https://SERVER-URL/Exchange in Exchange 2000 (on SBS 2003) to https://SERVER-URL/owa in Exchange 2007 (on SBS 2008). The Blackberries apparently keep trying the old URL and fail miserably.

After many calls to Verizon and BlackBerry Technical Support and predatory forcing of data plan upgrades the BBs still did not get connected. In the BlackBerry web site they would get set up, but eventually the little check mark next to the mail profile would turn into a circle with a cross through it. So I gave up that route.

I decided to set them up with an IMAP profile. One of the devices set up without issues after I enabled the IMAP client access on Exchange and created a Client Mail connector for them to be able to send mail. The other device failed with an error “This POP server is not supported as it does not have sufficient capabilities. Please try a different POP server.”. Very helpful. 😦 After more calls to Verizon and more changes to the plan and asking me to force a “routing table update” on the phone and blah, blah, blah, still nothing. So I decided to see if the same account would be able to set up the mailbox for the device that worked. It did. So it was not the BlackBerry service, or the account plan or none of that nonsense. It had to be something with that mailbox.

I tried setting it up through Outlook thinking that it would give me a little more sensible error. It didn’t… But I thought I’d share what Outlook gave me in case someone else comes across the same error:

Connection is closed. 15
Protocol: IMAP
Server: SERVER-URL.com
Port: 993
Error Code: 0x800CCCDD

So I proceeded… I followed this article to enable IMAP logging (by the way this article has a really nice explanation of Exchange 2007 logs) and then tried again. Here is the result:

2011-01-11T12:45:11.464Z,,0000000000EA8015,0,192.168.1.10:993,99.35.169.191:50126,+,,
2011-01-11T12:45:12.010Z,,0000000000EA8015,1,192.168.1.10:993,99.35.169.191:50126,>,* OK The Microsoft Exchange IMAP4 service is ready.,
2011-01-11T12:45:12.135Z,,0000000000EA8015,2,192.168.1.10:993,99.35.169.191:50126,<,1 LOGIN FLAST *****,
2011-01-11T12:45:12.135Z,,0000000000EA8015,3,192.168.1.10:993,99.35.169.191:50126,*,,"User FIRST LAST Server name SERVER.DOMAIN.local, version 1912701168, legacyId /o=First Organization/ou=first administrative group/cn=Recipients/cn=FLAST
2011-01-11T12:45:12.151Z,,0000000000EA8015,4,192.168.1.10:993,99.35.169.191:50126,>,1 OK LOGIN completed.,
2011-01-11T12:45:12.197Z,,0000000000EA8015,5,192.168.1.10:993,99.35.169.191:50126,<,2 CAPABILITY,
2011-01-11T12:45:12.197Z,,0000000000EA8015,6,192.168.1.10:993,99.35.169.191:50126,>,* CAPABILITY IMAP4 IMAP4rev1 AUTH=NTLM AUTH=GSSAPI AUTH=PLAIN IDLE NAMESPACE LITERAL+,
2011-01-11T12:45:12.197Z,,0000000000EA8015,7,192.168.1.10:993,99.35.169.191:50126,>,2 OK CAPABILITY completed.,
2011-01-11T12:45:12.244Z,,0000000000EA8015,8,192.168.1.10:993,99.35.169.191:50126,<,3 SELECT INBOX,
2011-01-11T12:45:12.260Z,,0000000000EA8015,9,192.168.1.10:993,99.35.169.191:50126,>,"3 BAD Duplicate folders Drafts, Journal, Notes, Tasks were detected in the mailbox. Therefore the user’s connection was disconnected.",
2011-01-11T12:45:12.260Z,,0000000000EA8015,10,192.168.1.10:993,99.35.169.191:50126,>,* BYE Connection is closed. 15,
2011-01-11T12:45:12.260Z,,0000000000EA8015,11,192.168.1.10:993,99.35.169.191:50126,-,,Local

So that was great! Easy fix! The user did indeed have those duplicate folders and after deleting them in Outlook (it only lets you delete the ones that are not needed) the account setup fine through BlackBerry.com. 🙂
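The same triage can be scripted when there are many sessions to go through. The following is an added example, not part of the original post: it pairs each tagged NO/BAD server response in an IMAP protocol log with the client command that triggered it. The column names are assumptions inferred from the excerpt above, and the sample lines are constructed.

```python
import csv
import io

# Column names are assumptions inferred from the log excerpt, not taken from a schema.
FIELDS = ("timestamp", "connector", "session", "seq", "local", "remote", "event", "data")

# Constructed sample in the same layout (documentation IP ranges, made-up users).
SAMPLE_LOG = '''\
2011-01-11T12:45:11.464Z,,00000000000000A1,0,192.0.2.10:993,198.51.100.7:50126,+,,
2011-01-11T12:45:12.135Z,,00000000000000A1,1,192.0.2.10:993,198.51.100.7:50126,<,1 LOGIN USERA *****,
2011-01-11T12:45:12.151Z,,00000000000000A1,2,192.0.2.10:993,198.51.100.7:50126,>,1 OK LOGIN completed.,
2011-01-11T12:45:12.244Z,,00000000000000A1,3,192.0.2.10:993,198.51.100.7:50126,<,3 SELECT INBOX,
2011-01-11T12:45:12.260Z,,00000000000000A1,4,192.0.2.10:993,198.51.100.7:50126,>,"3 BAD Duplicate folders Drafts, Journal, Notes, Tasks were detected in the mailbox. Therefore the user's connection was disconnected.",
2011-01-11T12:45:12.260Z,,00000000000000A1,5,192.0.2.10:993,198.51.100.7:50126,>,* BYE Connection is closed. 15,
2011-01-11T12:45:12.260Z,,00000000000000A1,6,192.0.2.10:993,198.51.100.7:50126,-,,Local
2011-01-11T12:46:01.000Z,,00000000000000A2,0,192.0.2.10:993,198.51.100.9:50200,+,,
2011-01-11T12:46:01.100Z,,00000000000000A2,1,192.0.2.10:993,198.51.100.9:50200,<,1 LOGIN USERB *****,
2011-01-11T12:46:01.200Z,,00000000000000A2,2,192.0.2.10:993,198.51.100.9:50200,>,1 NO LOGIN failed.,
2011-01-11T12:46:01.300Z,,00000000000000A2,3,192.0.2.10:993,198.51.100.9:50200,-,,Remote
'''


def find_failed_commands(log_text):
    """Return one record per tagged NO/BAD response, with the command that caused it."""
    pending = {}       # (session, tag) -> command text the client sent
    last_failure = {}  # session -> most recent failure record in that session
    failures = []
    for row in csv.reader(io.StringIO(log_text)):  # csv handles quoted data with commas
        if len(row) < len(FIELDS) or row[0].startswith("#"):
            continue  # header, blank or truncated line
        rec = dict(zip(FIELDS, row))
        parts = rec["data"].split(" ", 2)
        if len(parts) < 2:
            continue  # connect/disconnect/info rows carry no protocol data
        tag, word = parts[0], parts[1].upper()
        rest = parts[2] if len(parts) > 2 else ""
        if rec["event"] == "<":
            # Client command: "<tag> <COMMAND> [arguments]"
            pending[(rec["session"], tag)] = (word + " " + rest).strip()
        elif rec["event"] == ">" and tag == "*":
            # Untagged BYE after a failure means the server dropped the session
            if word == "BYE" and rec["session"] in last_failure:
                last_failure[rec["session"]]["disconnected"] = True
        elif rec["event"] == ">":
            # Tagged completion: "<tag> OK|NO|BAD <text>"
            command = pending.pop((rec["session"], tag), "(unknown)")
            if word in ("NO", "BAD"):
                failure = {"timestamp": rec["timestamp"], "session": rec["session"],
                           "remote": rec["remote"], "command": command,
                           "status": word, "text": rest, "disconnected": False}
                failures.append(failure)
                last_failure[rec["session"]] = failure
    return failures


if __name__ == "__main__":
    for f in find_failed_commands(SAMPLE_LOG):
        print(f["timestamp"], f["remote"], f["command"], "->", f["status"], f["text"])
```
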

Issue 2:

Outlook keeps popping up an authentication prompt. This one I am almost certain I have solved (if there is more, I will update the post). It seems the users were getting the prompt almost every 5 min. It was saying “Welcome back to remote.external-server-url.com”. I saw a lot of 401.1 and 401.2 errors in the IIS logs of the SBS Web Applications web site. In addition, the Outlook Autodiscover test was throwing a 0x80040413 error… After some digging I came across this post that pointed to Rollup 9 for Service Pack 1 for Exchange 2007. Since SP 2 is already out, I just downloaded that and installed it. If you do have to do that on a SBS 2008 server, you also need to download this tool and use it to install; otherwise your install will fail.

Also, keep in mind that the SP install tool has a few known issues (see the KB article of the installation tool) like resetting SSL on the default web site and apparently (which was not documented, but I experienced first hand) it resets the logging configuration for IMAP (enabled in the C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe.config) and the X.509 Certificate Name in the Server Configuration – Client Access – POP3 and IMAP4 – IMAP4 – Authentication tab to the default server.domain.local certificate name. Bummer.

Issue 3:

QuickBooks Database Server Manager does not start. Well, apparently it is not meant to run on a Windows 2008 server. After installing, it copied all the files and created/updated a QBDataServiceUser20 user account, created the QuickBooksDB20 service, but it failed to make sure the NTFS permissions on .\Program Files\Intuit\QuickBooks 2010 are properly set up so the QBDataServiceUser20 user has access to it. It does not by default… So if you try to start it, it fails with “The system cannot find the file specified”. Updating the permissions and opening the appropriate ports (TCP 55338, 8019, 10180) takes care of the issue.

Issue 4:

Installing SQL 2008 Standard on the SBS 2008 Premium server fails with “rule “SQL Server 2005 Express tools” failed. The SQL Server 2005 Express Tools are installed. To continue, remove the SQL Server 2005 Express Tools”. After some digging and looking at some posts on similar issues it turns out renaming the

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server\90\Tools\ShellSEM key

to

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft SQL Server\90\Tools\ShellSEM.old

solves the issue. Oddly enough, the setup log shows this key being the culprit:

2011-01-15 12:35:25 Slp: Sco: Attempting to create base registry key HKEY_LOCAL_MACHINE, machine
2011-01-15 12:35:25 Slp: Sco: Attempting to open registry subkey
2011-01-15 12:35:25 Slp: Sco: Attempting to open registry subkey SOFTWARE\Microsoft\Microsoft SQL Server\90\Tools\ShellSEM
2011-01-15 12:35:25 Slp: Rule ‘Sql2005SsmsExpressFacet’ detection result: SQL 2005 Ssms EE installed=True
2011-01-15 12:35:25 Slp: Evaluating rule        : Sql2005SsmsExpressFacet
2011-01-15 12:35:25 Slp: Rule running on machine: SERVER_NAME
2011-01-15 12:35:25 Slp: Rule evaluation done   : Failed
2011-01-15 12:35:25 Slp: Rule evaluation message: The SQL Server 2005 Express Tools are installed. To continue, remove the SQL Server 2005 Express Tools.

But I think because the box is 64-bit the key is masked.

 

Hope this helps someone out there and saves them a few hours of hair pulling. 🙂

A short list of good DNS Tools sites

Posted in Management, Tools on 2010/11/14 by CRCerr0r

A short list of cool DNS Tools sites. This list is definitely not complete, but it is a good start… 🙂

http://network-tools.com/ – nice DNS and network-related tools

http://www.mxtoolbox.com/ – very clean and effective tool

http://www.dnsqueries.com/en/ – offers a nice thorough report
http://iptools.com/ – variety of one-off tools
http://www.intodns.com/ – another nice thorough report offered here
http://dnssy.com/index.php – once again… report. 🙂
http://www.openspf.org/ – cool site if you want to learn more about SPF. Also has a nice wizard that guides you through the syntax of your SPF record
http://www.kitterman.com/spf/validate.html – SPF record validation tools, both live and staged.

SharePoint 2010 Tools

Posted in Uncategorized on 2010/11/07 by CRCerr0r

A short list of companies and tools they offer to complement SharePoint 2010 migration, administration, security, auditing and more.

Idera – Idera SharePoint Security Manager, formerly a product of iDevFactory; Sonar Performance Management, formerly a product of Binary Wave

Axceler – Davinci Migrator; ControlPoint

Quest Software – Server Administrator for SharePoint

MetaLogix Software Corp – MetaLogix Migration Manager for Blogs and Wikis; SharePoint Site Migration Manager

AvePoint – DocAve

Tzunami Inc – Tzunami Deployer for content migration

The full article is available in August’s edition of Redmond Magazine and at redmondmag.com/Schwartz0810

ForeFront 2010 Beta (FEP) installation hurdles

Posted in ForeFront Endpoint Protection, Microsoft on 2010/10/07 by CRCerr0r

I recently needed to troubleshoot some installation issues on a ForeFront 2010 install. During the install a few errors came up and after some digging on the net, a Microsoft Support call, some SQL and network trace digging I finally got the thing to install.

Here is a highlight of the issues, some error message excerpts and what I did to resolve them, hopefully it helps someone…

1. Issue: The installer could not figure out/acknowledge that SQL was installed on the DB server (FEP and SQL were on two separate Windows Server 2008 boxes).

Resolution: It turns out turning OFF UAC on the SQL server helped this. For some reason SQL could not execute the queries the FEP installer was asking for (via a series of stored procedures that checked installation paths, disk space, service status, registry keys, etc.)

2. Issue: Installer could not access Reporting Services even though installing user was a local administrator on Reporting Services server

Actual error message: “Verification(Verifying SQL Reporting Services prerequisite) failed
failed to communicate with the SQL reporting web service

failed to delete folder with exception: System.Web.Services.Protocols.SoapException: The item ‘/FepSetupVerificationDire382e28e-db6b-480d-b48a-9ab209f3245b’ cannot be found. —> Microsoft.ReportingServices.Diagnostics.Utilities.ItemNotFoundException: The item ‘/FepSetupVerificationDire382e28e-db6b-480d-b48a-9ab209f3245b’ cannot be found.
   at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.Forefront.EndpointProtection.Configure.Utility.ReportService.ReportingService2005.DeleteItem(String Item)
   at Microsoft.Forefront.EndpointProtection.Configure.VerifySrsServer.ReportDeploymentVerification()”

Resolution: Added the installing account as a Content Manager on Reporting Services’ site (MS article here)

3. Issue: Installer refused to continue due to duplicate SPNs.

Actual error message: “Verification(Verifying SQL Server prerequisite) failed
Error: Setup cannot determine the SQL Integration Service version.
Microsoft Forefront Endpoint Protection 2010 requires Microsoft SQL Server Integration Services 2005 Enterprise or Standard edition with Service Pack 2 or higher or Microsoft SQL Server Integration Services 2008 Enterprise or Standard edition or higher.
Make sure that the component is installed, running and autostarted on server ‘SQLSERVERNAME’.

Error: There are one or more duplicates of the following service principal names found in the Active Directory Domain Services: mssqlsvc/SQLSERVERNAME:1433.”

Resolution: Deleted an inactive SPN tied to mssqlsvc/SQLSERVERNAME:1433 (see related post here)

I ran

setspn -Q mssqlsvc/SQLcomputername:1433

(the string mssqlsvc/SQLcomputername:1433 is what comes up in the FEP install log as an error). BTW, the -Q parameter is available on Server 2008.

The above step listed the two duplicate names and all the info to find the accounts it is associated with:

CN=First User,OU=Service Accounts,DC=MyDomainName,DC=local
        MSSQLSvc/SQLcomputername:1433
        MSSQLSvc/SQLcomputername.MyDomainName.local:1433
CN=Second User,OU=Service Accounts,DC=MyDomainName,DC=local
        MSSQLSvc/SQLcomputername:1433

I logged on to the SQLcomputername and found that it was the First User that was being used by SQL as a service account. So that leaves the Second User to be the problematic one. Then I ran:

setspn -D MSSQLSvc/SQLcomputername:1433 SecondUserID

Hope this helps someone… 🙂
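The duplicate check described above, as an added example that is not part of the original post: it parses a listing in the shape of the setspn -Q output shown earlier, finds SPNs registered on more than one account, and lists the registrations to review once you know which account the service actually runs as. The sample listing is constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed listing in the shape of the setspn -Q output shown above
# (account and host names are placeholders).
SAMPLE_OUTPUT = """\
CN=First User,OU=Service Accounts,DC=MyDomainName,DC=local
        MSSQLSvc/SQLcomputername:1433
        MSSQLSvc/SQLcomputername.MyDomainName.local:1433
CN=Second User,OU=Service Accounts,DC=MyDomainName,DC=local
        mssqlsvc/SQLcomputername:1433
"""


def parse_spn_listing(text):
    """Map each account DN to the SPNs listed (indented) beneath it."""
    accounts = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if line[0].isspace():
            # Indented lines are SPNs belonging to the account above them
            if current is not None and "/" in stripped:
                accounts[current].append(stripped)
        elif stripped.upper().startswith("CN="):
            current = stripped
            accounts.setdefault(current, [])
        else:
            current = None  # status text; following lines belong to no account
    return accounts


def find_duplicate_spns(accounts):
    """Return {lower-cased SPN: [DNs]} for SPNs held by more than one account."""
    holders = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            holders[spn.lower()].add(dn)  # SPN comparison is case-insensitive
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


def stale_registrations(duplicates, service_account_dn):
    """List (spn, dn) pairs to review for removal, keeping the account the service runs as.

    service_account_dn is an input you confirm on the server itself, as the post does.
    """
    stale = []
    for spn, dns in sorted(duplicates.items()):
        if service_account_dn not in dns:
            continue  # the running account does not hold this SPN; review by hand
        stale.extend((spn, dn) for dn in dns if dn != service_account_dn)
    return stale


if __name__ == "__main__":
    dups = find_duplicate_spns(parse_spn_listing(SAMPLE_OUTPUT))
    in_use = "CN=First User,OU=Service Accounts,DC=MyDomainName,DC=local"
    for spn, dn in stale_registrations(dups, in_use):
        print("duplicate", spn, "also registered on", dn)
```
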

URL Check Service

Posted in Malware on 2010/08/22 by CRCerr0r

Check to see if a URL is safe, without visiting it…

https://ers.securecloud.com/reputation/query?locale=en-US

http://reclassify.url.trendmicro.com/onlinequery.aspx

http://www.siteadvisor.com/