Monday, October 19, 2009

That's the brakes.

Yesterday I put brakes on the Hyundai. One of the Caliper slider pins was rusted solid. :( I heated it up with a torch, applied PB blaster, and beat the crap out of it. The replacement pin and boot was $50. Conveniently I just bought a new hammer that has a longer handle. The extra leverage helped a lot. It was supposed to be for teaching Derek blacksmithing, but now I might keep it.

The garage is pissing me off. It's time to get that shit cleaned up.

arg.

-ellie

Wednesday, September 16, 2009

SQL Network (Transport) Level Encryption. (TDS)

By default, Microsoft SQL connections only encrypt the login credentials. Everything else can be sniffed right off the wire. Sql 2008 (and some earlier versions) allow you to do encrypted SQL connections pretty easily. Here is how.

You will need:
Sql server (well duh!)
A certificate server or "MakeCert".
On Windows server 2008, "WinHttpCertCfg".

MakeCert is a tool to "easily" make a self-signed certificates without installing a full Certification Authority. It is part of the Windows SDK available from here. I am on XP, but downloaded the Windows Vista version, Ran Setup and DE-selected all of the items except for the SDK. Total download size was about 18mb.

Since my SQL Server is Windows 2008, I also needed WinHttpCertCfg. This tool is needed on Server 2008 to set permissions for the Private Key. More on that in a second. That is available here.

So, lets get to work.

First, you need your database server's FQDN. This is the windows FQDN, not your internet FQDN. Right-Click "Computer" or "My Computer" and write down the "Full computer name:" On Server 2008 this is on the "System" pane. On prior versions of windows this is on the Computer Name tab.

Next you get to make your certificate. If you have a domain CA, go request a computer certificate, install it, and skip down to the "Assigning permissions to the service account" step. If you don't have a CA, we can use MakeCert.

The command for makecert is:
C:\Program Files (x86)\Windows Resource Kits\Tools\makecert -r -pe -n "CN=yourhost.yourdomain.com" -b 01/01/2000 -e 01/01/2036 -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localMachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 c:\MyCertificate.cer

The certificate will be saved to c:\MyCertificate.cer.

Now we import the certificate to the Local Machine's Personal store.
Start -> Run -> MMC.
File -> Add/Remove Snap-in -> Certificates -> Add -> Local Computer -> Next -> Finish -> Ok.
Expand Certificates and Right-Click the "Personal" Store. Select "Import".
Browse to c:\MyCertificate.cer -> Next. There is no password -> Next -> finish.

Almost Done. Now we need to give the SQL service account permissions to the private key of the Cert.
Pop open your command prompt and run this command. You need to substitute the appropriate Server FQDN (yourhost.yourdomain.com) and the SQL Service account. (SqlServiceAccount).

C:\Program Files (x86)\Windows Resource Kits\Tools\winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s yourhost.yourdomain.com -a SqlServiceAccount

Next, Enable the Sql Encryption.
Start -> All Programs -> Microsoft SQL Server 2008 -> Configuration Tools -> Sql Server Configuration Manager.
Expand "Sql Server network Configuration" and Right-click Protocols for MSSQLSERVER. Select Properties.
On the Certificate tab, Select the yourhost.yourdomain.com certificate.
On the flags tab, Select "Force Encryption=Yes"
Click ok.
Click ok to close the warning message.

Finally you need to restart the SQL Server service.

Viola! Network Encryption is done.

MS KB316898 is the reference for this topic.

For the record, this is a "weak" security measure. It only does encryption. It still can be defeated with a man-in-the-middle attack, because SQL doesn't verify the certificates.

Hth,
Elizabeth Greene

Tuesday, June 16, 2009

Datestamps in batch files. (Unix and Dos)

In Linux, naming a file after todays date is pretty easy.

# Note: These are backticks, not quotes.
# They are on the same key as your tilde ~.
ls > `date %Y-%m-%d.`txt

To get the possible formatting options, run the man date command.

In Dos it is pretty easy too, once you know the trick.

dir > %date:~-4,4%-%date:~-7,2%-%date:~-10,2%.txt


An Explanation:
The %date% environment variable contains the current date. Go ahead, test it. Pop open a command prompt and run echo %date%. The ":~-4,4" part does the cool thing. ":~" says "we want a substring". The "-" says "work from the end of the string backwards. The "4," says start at the fourth character, and the final "4" says give me four characters.

Cheat sheet!





Date PartCode
Day of week (3 letter abbr.)%date:~0,3%
Day%date:~-10,2%
Month%date:~-7,2%
Year (2 digits)%date:~-2,2%
Year (4 digits)%date:~-4,4%


HTH,
-Ellie

Tuesday, June 2, 2009

Goodbye, Adios, Au revoir, Ciao, Sayanora..

The company I work for is centralizing all IT operations. From a business perspective, it makes sense. The data center and development staff are all in one location, etc.

Unfortunately I really wasn't up for relocation with the kids being in school, et al.

So, today I was downsized as part of the IT centralization. :(

They gave me a nice severance package, and I wish all them the best. Now I have to find a new gig. If anyone needs an adept Jane-of-all-trades network engineer, please email me at Elizabeth.a.greene@gmail.com

Thanks,
Ellie

Friday, May 22, 2009

Making the AVG batch file into a single-file exe.

In my previous post, I made a batch file to automatically install AVG. Previously I would zip this .bat+.ini+.exe combination and send it to the Users. In a perfect world, the users open the zip and run the batch file. In the real world, the users will run the executable instead of the batch file. Even when it is named NoNotThisFilePlease.exe. This time I am going to make it user resistant. I am going to wrap it into a single .exe installer.

There are a number of commercial self-extracting installer products out there. I really like Paquet Builder. Unfortunately it is $50. That is about $40 more than I'm willing to pay.

To do this for FREE you need the 7-zip installer and "7z Library, SFXs for installers, Plugin for FAR Manager" from the 7-zip download page. Also you may optionally want Resource Hacker. This lets you change the .EXE icon to something pretty.

Procedure:
  1. Install 7-zip.
  2. Open the folder with the batch file and files.
  3. Compress the files into archive.7z
    1. Select the require files
    2. right-click, 7-Zip, Add To Archive.
    3. Name the 7-zip file archive.7z.
    4. The avg installer is already well compressed so the best compression method for it is just "store". It makes decompression fast too.
  4. Open the 7-zip extras package and copy 7zSD.sfx and config.txt into the same directory as the archive.7z folder. The config.txt file is in the /installer directory.
  5. Edit config.txt and change it to run your batch file. Here is my example.

    ;!@Install@!UTF-8!
    Title="GlobalOptions AVG8 Distributable v1.0"
    BeginPrompt="Do you want to install AVG8?"
    RunProgram="AVGSetup.Bat"
    ;!@InstallEnd@!
  6. Finally "compile" the self-extracting EXE. This is actually just concatenating the files together.
    1. Open a command prompt.
    2. Change to the directory with archive.7z, 7zsd.sfx, and config.txt
    3. Run this command.
      copy /b 7zSD.sfx + config.txt + archive.7z AvgSetup.exe

That's it. That command copies the .sfx "stub", the config file, and the archive into a single .EXE file.

Finally and optionally the .exe needs a pretty icon. :D For Anti-virus software I am rather fond of this one. "Symbol". Note: it is not free for commercial use.

To change the icon:
  1. Open ResHack.exe.
  2. File-> Open -> open the executable.
  3. Expand the "icon" group and expand Icon 1.
  4. Right-click the icon and select Replace Resource.
  5. Click "Open File with new Icon".
  6. Navigate to your .ico file.
  7. Click Replace.
  8. Save the executable.


That's it,

I hope this helps,

-Ellie

One-Click AVG Installer

AVG is my current favorite Antivirus product. It does what I need it and generally stays out of the way. Unfortunately the version upgrade from 7.5 to 8.0 has no upgrade path for our 160 users that are A.) Remote B.) Not on a domain and C.) not on a VPN.

Thanks so much Grisoft. Really, Thanks.

So anyway I installed the new datacenter software, AVG Admin 8 and got it all setup. For the users in AD we rolled it out and now we have to figure out how to upgrade all the remote users.

I went through the AVG wizard to create an installer. That got me a batch file and a .ini file for the installer. I edited the batch file and .INI to install it with our preferences. When finished I ended up with a .bat file that the users can run to install the app.

AvgSetup.bat

@ECHO OFF
echo This application will automatically install AVG 8.0.
echo Please wait. This window will automatically close
echo when the installation is complete.

SET SETUP="%CD%\Setup\avg_ipw_stf_all_85_339a1525.exe"
%SETUP% /SCRIPT_FILE "%CD%\AvgSetup.ini" %1 %2 %3 %4 %5 %6 %7 %8 %9
echo.
echo.
Echo Setup is complete. If the AVG icon is not visible on your taskbar, then please reboot your PC now.
pause


AvgSetup.ini

LICNO: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
RESTART:
KILL_PROCESS_IF_NEEDED:
QUIT_IF_INSTALLED:
NAME: "MyCompany"
COMPANY: "MyCompany"
DCPATH: "avg.example.com:4158"
NOAVGTOOLBAR:
ADD_FEATURE: fea_AVG_HttpScanner
ADD_FEATURE: fea_AVG_SafeSurf
ADD_FEATURE: fea_AVG_SafeSearch
ADD_FEATURE: fea_AVG_Exchange_plugin
ADD_FEATURE: fea_AVG_EMC
ADD_FEATURE: fea_AVG_Office_2000_plugin
ADD_FEATURE: fea_AVG_Cl
NO_WELCOME:


That's it. Now we have a one-click installer for a fully configured AVG application.

Check out my next post for how to make this a user-resistant install.

Friday, April 3, 2009

Exchange 2007 POP/IMAP between Active Directory sites .. with solution!

As a follow up to the previous post, Pop and Imap can work between sites as well. The referenced paper says they can't, but it is incorrect.

To enable Imap between a CAS server and Mailbox server in 2 separate AD sites, edit this file
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe.config

and change this line to true.
<add key="AllowCrossSiteSessions" value="false" />



POP3 is eerily similar.

To enable Pop3 between a CAS server and Mailbox server in 2 separate AD sites, edit this file
C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopIma\Microsoft.Exchange.Pop3.exe.config

and change this line to true.
<add key="AllowCrossSiteSessions" value="false" />



Note to Microsoft: A quasi-legible text based configuration file. Thank you!

Thursday, April 2, 2009

Exchange 2007 OWA between Active Directory sites .. with solution!

Exchange.
Owa.
2 separate sites.
2 separate internet connections.
Site A has the mailboxes.
Site A's internet connection goes down.
Site B's internet connection is fine, and the ds-3 between the sites is fine.

I try to connect to OWA in Site B and I get...

"For best performance, connect to https://SiteA.mydomain.com/owa"

YOU HAVE GOT TO BE FREAKING KIDDING ME! ARGH!

Ok. A google search and check the Exchange Blog comes up with this link.
Understanding Proxying and Redirection

According to this paper a couple of things are at work. First off, Exchange is trying "Redirection" to send me to the OWA host in my active directory site. You can disable redirection by removing the "External Url" from the OWA service in Exchange manager.

Click webmail. Username/password. Does it work?

... Nope, same results.

(Wait for Active directory replication....)

Testing again. Click webmail. Username/password. Does it work?

... Nope. New Results. A great two line error message that tells the user to tell their Exchange administrator that there is no available OWA server in the same site as the mailbox. Also, an event is logged in the event viewer.

(OMG! A descriptive error and an event gets logged?! Obviously this part of the code was outsourced. ;) )

Anyway, back to the paper again. Exchange Owa won't access a mailbox in another AD site. It just won't do it and there is no convincing it otherwise.

The options are:
1. Setup an ISA server to intelligently load balance Owa access. (no.)
2. Move the Servers into the same AD site. (no.)
3. Enable "Proxying". (this sounds promising.)

OWA Proxying takes the request from SiteB's owa server and relays it internally to SiteA's owa server. That is great if SiteA's internet connection goes down, but does jack-diddly-squat for our availability if SiteA's OWA server goes kaput.

Some redundancy is better than none, right? Let's configure proxying.

Here are the Gotchas.
1. Redirection has to be disabled. (Remove those ExternalURL's)
2. Communication is via https. (This is okay, I put the internal names on our UCC ssl cert.)
3. Authentication for the OWA sites has to be set to Windows integrated.

WTH?! The users just got used to pretty forms based authentication. You go to all the trouble of building a proxy subsystem and you can't relay the credentials?! Another show stopper. Grr.

So my options are to setup 2 more owa servers with integrated authentication. Get 2 more names on our ssl cert, and set it up. That's great and all, but exchange licenses don't grow on trees.

Solution!
I played with it for a while and came up with this solution. It is functional, but not really elegant in my opinion.

In both sites, I opened IIS and created a new website called OwaProxy. I set the site to use the same ssl certificate as the "real" OWA sites, but bind to port 444 instead of 443. In the powershell console, I created a new \owa directory with Integrated Authentication.

(here is the command)

New-OwaVirtualDirectory -Name "OwaProxy" -ExternalAuthenticationMethods WindowsIntegrated -ExternalUrl $null -Internalurl https://sitea.mydomain.local:444/owa -Owaversion exchange2007 -websitename "OwaProxy"


After the OWA Websites/virtual directories are created in both sites, there are two more gotchas. First, it still didn't work until I opened the Exchange Management console and changed the authentication type from forms to WindowsIntegrated. This is a bug, Imho, as we explicitly set the authenticationmethod to integrated in powershell. It gets configured properly in IIS too, but here you have to change it with the GUI.

The second gotcha is an easy one. Any of this cross-site stuff is dependent on Active Directory, so you have to wait for (or force) ad replication before your changes take effect.

That solved it. I could now access my 1GB SiteA mailbox from SiteA or SiteB. We have a 45mbps ds-3 between sites, and there was a 2-3 second pause after logging in to SiteB's owa server. I can live with that.

Please leave a comment if this helps.

Thanks,
Ellie

Monday, March 30, 2009

csvde to excel Human readable LastLogon or LastLogonTimestamp

I was given the task of making a human legible report of Users, OUs, and Last Login Times. Easy enough right? I logged in to one of the servers as an admin and ran


F:\>csvde -r "(objectClass=user)" -f output.csv
-l cn,givenName,sn,n,ou,lastLogon

* note.. all that is on one line. I wrapped it because blogger was cutting it off.

That worked great, but excel choked on the dates. It turns out this is because the dates are not "normal" timestamp dates. "Normal" timestamps are based on the number of seconds since midnight on 1/1/1970. The timestamps in Active Directory in UTC format, a 64 bit number based on the number of nanosecond since 1/1/1601 divided by 100! For even more complexity, Excel's dates are based on the number of days since 1/1/1900. Arrgh.

As theoretical knowledge goes, that is all fine and good.. but how do we use it in excel?

The formula to convert from Active Directory LastLogon or LastLogonTimestamp is:


=IF(C2>0,C2/(8.64*10^11) - 109205,"")


Explanation:
  • C2 is the cell that contains the Timestamp.

  • The If() statement hides the value if the user has not logged in.

  • (8.64*10^11) is the number of nanoseconds in a day divided by 100.

  • 109205 is the number of days, including leap days, between 1601 and 1900. (Remember, 1900 is when excel dates "start")



That's it. Paste in your formula and format it as a date, or date/time. The times returned are in GMT. All of the other solutions I saw in my google searches pointed to a vbScript solution. Please leave a comment if this helps you.

Thanks,
Ellie

P.s. If you want it in Central US time (GMT-6), subtract 0.25 (That is 6 hours divided by 24 hours in a day). For Eastern time (GMT-5), subtract 0.208333333 .. (5/24).

Tuesday, March 17, 2009

Rpc over http and UCC SSL gotchas

Here is a quick note for those using UCC certificates for RPC over Http. The name of your rpc/http server has to be the common name of your ssl certificate, an alternative name will not work. Between this bug, the IPv6 bug, and the complete lack of any logging facilities, I am starting to get the feeling that this service was written by an intern. (and not a good one)

Wednesday, March 11, 2009

SOLVED: Blackberry Internet Service (BIS duplicate messages from Exchange

A number of my users have been reporting duplicate messages on their Blackberry handhelds when we reconfigured them to use our shiny new Exchange 2007 Servers. After some digging, a message was being re-delivered to the handheld every time the message was A.) Marked Read, B.) Replied to, C.) Found in a search. This occurs only with Blackberry Internet Service (BIS) users connecting to the Exchange server with IMAP.

As it turns out, Exchange is changing the IMAP message ID every time one of the above actions occurs*. This causes RIM to see the message as new and re-transmit it to the handheld.

The options to fix it are..

Switch BIS to POP3 instead of IMAP. But then deleted items sync won't work.
Switch to Blackberry Enterprise Server. $5k in software fees, more depending on your user count.
Switch BIS to OWA..

That last option is the most promising. Unfortunately, with Exchange 2007 and forms based OWA authentication (the default), the normal url https://example.com/exchange doesn't work. Neither does https://example.com/owa.

What does work... the magic bullet for BIS+OWA on Exchange 2007 is..
http://example.com/exchange/you@example.com

I have not found this tidbit on any forums or documentation, and I really hope it helps someone.

Good Luck,
Ellie



* Constructive criticism for Microsoft. You stupid cod-flogging idiots. Why in the name of potato would you do such a thing?! Did you even _look_ at the RFC? This is what IMAP flags are designed to do. Please, please fix this, print the RFC and use it to flagellate the committee that designed this AND the committee that approved it.

Friday, March 6, 2009

Upgrating old Ubuntu Lts server's ssh

A minor Ubuntu annoyance today.. I have an old Ubuntu LTS server that tripped a nessus scan because the openssh version was too old.

I did an apt-get upgrade, but the ssh packages wouldn't upgrade, failing with this error...

root@bna-fw1:~# apt-get upgrade
Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
linux-image-server openssh-client openssh-server


I checked in the /etc/apt directories looking for some reason why it was held back to no avail.. Then I checked dpkg -l openssh-server but the package wasn't marked as held either. Then I gave up and googled it. As it turns out, upgrading ssh requires you to install the oops-sorry-we-made-ssh-unsecure-won't-happen-again package openssh-blacklist package and apt-get "upgrade" can't install a new package. This seems like an open manhole waiting to swallow any sysadmin that blindly trusts apt-get upgrade for updates..

The command to fix it and upgrade openssh-server/client is...

apt-get install openssh-blacklist



-ellie

Tuesday, January 13, 2009

Updated: Exchange 2007 Splitting OWA and Autodiscover onto two different websites.

This post explains how I split Exchange Web services and Autodiscover into two separate websites so that I could use two separate SSL certificates ($30) instead of a $300 UCC certificate.

We have a wildcard certificate (*.foo.com) for our primary domain. Since we have a metric crapton of servers it saves us loads of money.

The exact minutiae of getting Outlook Anywhere working will be another post. Suffice it to say that A.) It has a showstopper IPV4/IPV6 bug out-of-the-box and B.) Wildcard certificates do not work with Outlook Anywhere.

Happy to have that particular learning experience behind me and $15 later we had a GoDaddy certificate for newmail.foo.com. Yeah!

Now that was working it's time to setup the Autodiscover service. I set a SRV record for autodiscover to point to newmail.foo.com, but the users were getting a pop-up asking for permission to connect to it. I am an anti-popup person. So I setup autodiscover.foo.com in DNS to point to the OWA webserver. Did it work?

No.

Why?

Another SSL problem with the certificate names. "autodiscover.foo.com" != "newmail.foo.com"

ARGH!

The Microsoft solution is to use a certificate with multiple "Subject Alternative Names", also known as a Unified Communications Certificate. They cost about $300. Personally I don't like spending that for a certificate. That's why we got a WILDCARD certificate you asshats!

After a healthy dose of expletives, I set out to move the autodiscover "application" to a separate website using our existing wildcard certificate.

Here is the part where that "doing it the hard way" feeling comes in. I couldn't find any commands or options to setup the /Autodiscover application under the new website.

After about 10 minutes of trying to figure out how to copy the settings over, I ...


  1. Set another IP for the new site.
  2. Popped a hole in Mr. Firewall for http and https.
  3. Opened IIS.
  4. Created the new site.
  5. Edited the bindings to use the right ssl certificate.
  6. Stopped IIS.
  7. Opened c:\windows\system32\inetsrv\config\applicationhost.cfg in notepad.
  8. Copied <sites><Application Path> information from the default site to the autodiscover site. See update note below.
  9. Copied the <locations> information from the default site to the autodiscover site.
  10. Whispered a prayer of penance to the IT gods.
  11. Started IIS.


Update 2009-03-17: I WAS doing it the hard way! There is a powershell command to create a new autodiscover virtual directory. It is new-autodiscovervirtualdirectory.

And wow, It worked! Was I ever surprised?!

Ttfn,
-ellie

Thursday, January 8, 2009

Exchange SCR and ESE function Error

I'm running into some errors setting up SCR between our sites. I'll edit this post with the solution when I get it sorted out.


[PS] C:\Exchange>update-StorageGroupCopy -Identity Orl-exg1\Sg1 -standbymachine
lor-exg1
WARNING: Replication for storage group 'ORL-EXG1\SG1' is still suspended. If
needed, you can use the Resume-StorageGroupCopy cmdlet in the Exchange
Management Shell to resume replication.
Update-StorageGroupCopy : Seeding failed : Database seeding error: Error return
ed from an ESE function call (0xc7ff1004), error code (0x0).
At line:1 char:24
+ update-StorageGroupCopy <<<< -Identity Orl-exg1\Sg1 -standbymachine lor-exg1


It looks like it is something with the Windows firewall. Turning it off makes it work. Feature. Now to figure out what application needs to be permitted through the fw.

Tuesday, January 6, 2009

PPTP Vpn through a Linux IpTables/Netfilter firewall

I spent some time configuring a pptp vpn for one of our offices yesterday, but it kept failing to connect during testing. Each failure generated these errors in the firewall (the one I was Vpn-ing too) log.

pptpd[9078]: GRE: Bad checksum from pppd.
pptpd[9078]: CTRL: Received PPTP Control Message (type: 15)
pptpd[9078]: CTRL: Got a SET LINK INFO packet with standard ACCMs
pptpd[9078]: GRE: read(fd=7,buffer=80505a0,len=8260)
from network failed: status = -1 error = Protocol not available
pptpd[9078]: CTRL: GRE read or PTY write failed (gre,pty)=(7,6)
As my comp.sci instructor would say, "Bad Times".

The vpn connection worked from a direct-internet-connected host, so logically the VPN setup was probably right. Here in the office I am behind a Linux IpTables firewall, and I deduced that it was probably the issue. Nothing was set to block the GRE protocol though, so I was a little puzzled.

I found this TLDP post (Do not bother reading it...) on how to make pptp work through iptables. Ah-ha! It was the firewall. Then I realized that documentation was ancient. By Ancient I mean it refers to the 2.0 and "new" 2.2 kernel. The current Linux kernel is > 2.6! eep! It was probably translated from some obscure dead language it is so old.

Anyway, the solution is much simpler... Iptables has a module that allows pptp to pass through NAT. My tale of woe happily resolved with this command.

modprobe ip_nat_pptp



One more useful tidbit. You can see a list of available IpTables modules with this command..

locate netfilter | grep .ko


Good Luck,
-Ellie