“WannaCrypt”–Patch first and then verify deprecation of SMBv1

May 15, 2017

Because of the ongoing “WannaCrypt” attacks it is highly recommended to review whether you still rely on SMBv1; the feature is installed by default but mostly no longer in use. The WannaCrypt threat uses publicly available exploit code for the patched SMB vulnerability CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. The exploit code used is designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this exploit. The vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

“WannaCrypt” attacks – if you have automatic updates enabled or have installed the update, your systems are protected against this attack. We encourage you to install the update as soon as possible.

Please check the guidelines below:

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

https://blogs.technet.microsoft.com/mmpc/2016/05/18/the-5ws-and-1h-of-ransomware/

MS17-010 for Windows 2012 R2 – KB4012216 direct download here

MS17-010 for Windows 2016 – KB4013429 direct download here

You can verify which SMB dialect your servers are using on their current connections with “Get-SmbConnection | fl ServerName,Dialect”; a Dialect below 2.0 means SMBv1 is still being negotiated.

If you want to uninstall SMBv1 you can do so by running the command below, but verify first that nothing still depends on it:

Get-WindowsFeature | where {$_.Name -match "FS-SMB1"} | Remove-WindowsFeature

If you want to remove it on a bunch of servers, e.g. in a cluster, you do something like this:
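The script below is an added example and not code from the original post. It runs the verification and the removal together over a list of servers: every host reports whether the feature is installed, whether the SMB server still accepts SMBv1, and whether any live inbound sessions or outbound connections are still negotiated at SMBv1; the feature is only removed where nothing was observed using it. Server names are constructed placeholders, and the script assumes Windows Server 2012 R2/2016 targets with PowerShell remoting enabled and an account that may read SMB sessions.

```powershell
# Added example (not from the original post): audit SMBv1 on several servers,
# then remove the feature only where no SMBv1 usage was observed.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),  # constructed placeholder names
    [switch]$Remove                                       # audit only unless this switch is set
)

$audit = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    # FS-SMB1 is the "SMB 1.0/CIFS File Sharing Support" feature (Server 2012 R2 and later)
    $feature = Get-WindowsFeature -Name FS-SMB1

    # Server-side switch: does this host still answer SMBv1 at all?
    $serverCfg = Get-SmbServerConfiguration

    # Live evidence: inbound sessions and outbound connections still at an SMB1 dialect.
    # Dialect is a string ("1.5", "2.02", "3.1.1"), so cast to [version] before comparing.
    $smb1Sessions = @(Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -and [version]$_.Dialect -lt [version]'2.0' })
    $smb1Connections = @(Get-SmbConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.Dialect -and [version]$_.Dialect -lt [version]'2.0' })

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        FeatureInstalled = $feature.Installed
        Smb1Enabled      = $serverCfg.EnableSMB1Protocol
        Smb1Sessions     = $smb1Sessions.Count
        Smb1Connections  = $smb1Connections.Count
        Smb1Clients      = ($smb1Sessions.ClientComputerName | Sort-Object -Unique) -join ','
    }
}

$audit | Format-Table Computer, FeatureInstalled, Smb1Enabled, Smb1Sessions, Smb1Connections, Smb1Clients -AutoSize

if ($Remove) {
    # Remove only where the feature is present and nothing was seen talking SMBv1
    $safe = $audit | Where-Object { $_.FeatureInstalled -and $_.Smb1Sessions -eq 0 -and $_.Smb1Connections -eq 0 }
    foreach ($entry in $safe) {
        Invoke-Command -ComputerName $entry.Computer -ScriptBlock {
            Remove-WindowsFeature -Name FS-SMB1 -Restart:$false
        }
    }
    # Hosts with SMBv1 traffic are skipped; their clients need to be migrated first
    $audit | Where-Object { $_.Smb1Sessions -gt 0 -or $_.Smb1Connections -gt 0 } | ForEach-Object {
        Write-Warning "$($_.Computer): SMBv1 still in use (clients: $($_.Smb1Clients)); not removed."
    }
}
```

Run it once without -Remove to get the inventory, repeat over a few days to catch clients that only connect occasionally, and only then run it with -Remove. A restart is still required for the removal to take full effect, which is why it is suppressed here and left to your maintenance window.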

Here is some more guidance on how to enable/disable a specific SMB version –> https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/

https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/

Stay secure!

Ramazan

System Center–Version

March 31, 2017

Below is a quick summary to identify the version by the build number; the latest download links are also added.

Operations Manager

SCOM 2012 UR1 7.0.8560.1021
SCOM 2012 UR2 7.0.8560.1027
SCOM 2012 UR3 7.0.8560.1036
SCOM 2012 UR7 7.4.4337.0
SCOM 2012 SP1 UR1 7.0.9538.1005
SCOM 2012 SP1 UR2 7.0.9538.1047
SCOM 2012 SP1 UR3 7.0.9538.1069
SCOM 2012 SP1 UR4 7.0.9538.1084
SCOM 2012 SP1 UR5 7.0.9538.1106
SCOM 2012 SP1 UR6 7.0.9538.1109
SCOM 2012 SP1 UR7 7.0.9538.1117
SCOM 2012 SP1 UR8 7.0.9538.1123
SCOM 2012 SP1 UR9 7.0.9538.1126
SCOM 2012 R2 UR1 7.1.10226.1009
SCOM 2012 R2 UR2 7.1.10226.1015
SCOM 2012 R2 UR3 7.1.10226.1037
SCOM 2012 R2 UR4 7.1.10226.1046
SCOM 2012 R2 UR5 7.1.10226.1052

Virtual Machine Manager

SCVMM 2012 UR1 3.0.6019.0
SCVMM 2012 UR2 3.0.6040.0
SCVMM 2012 UR4 3.0.6055.0
SCVMM 2012 UR5 3.0.6057.0
SCVMM 2012 UR6 3.0.6060.0
SCVMM 2012 UR7 3.0.6062.0
SCVMM 2012 SP1 3.1.6011.0
SCVMM 2012 SP1 UR1 3.1.6018.0
SCVMM 2012 SP1 UR2 3.1.6020.0
SCVMM 2012 SP1 UR3 3.1.6027.0
SCVMM 2012 SP1 UR4 3.1.6032.0
SCVMM 2012 SP1 UR5 3.1.6038.0
SCVMM 2012 SP1 UR6 3.1.6046.0
SCVMM 2012 SP1 UR7 3.1.6084.0
SCVMM 2012 SP1 UR9 3.1.6099.0
SCVMM 2012 SP1 UR10 3.1.6108.0
SCVMM 2012 SP1 UR11 3.1.6109.0

SCVMM 2012 R2 3.2.7510.0 
SCVMM 2012 R2 UR1 3.2.7620.0
SCVMM 2012 R2 UR2 3.2.7634.0
SCVMM 2012 R2 UR3 3.2.7672.0
SCVMM 2012 R2 UR4 3.2.7768.0
SCVMM 2012 R2 UR5 3.2.7895.0
SCVMM 2012 R2 UR6 3.2.8002.0
SCVMM 2012 R2 UR7 3.2.8071.0
SCVMM 2012 R2 UR8 3.2.8117.0
SCVMM 2012 R2 UR9 3.2.8145.0
SCVMM 2012 R2 UR10 3.2.8169.0
SCVMM 2012 R2 UR11 3.2.8224.0
SCVMM 2012 R2 UR12 3.2.8292.0
SCVMM 2016 RTM 4.0.1660.0
SCVMM 2016 RTM UR1 4.0.1968.0
SCVMM 2016 RTM UR1 (Hotfix1) 4.0.1968.10
SCVMM 2016 RTM UR2 4.0.2043.0
SCVMM 2016 RTM UR2.1 4.0.2051.0

Check out also the links below for KB articles related to the System Center family:
List of Public Microsoft Support Knowledge Base (KB) Articles for System Center 2012 Virtual Machine Manager (VMM 2012)
List of Public Microsoft Support Knowledge Base Articles for System Center 2012 Virtual Machine Manager Service Pack 1
List of Public Microsoft Support Knowledge Base Articles for System Center 2012 R2 Virtual Machine Manager

SCOM-Agent Failover

March 29, 2017

Operations Manager is the monitoring component of the System Center suite; honestly one of the best and broadest monitoring solutions I have seen so far. There is a ton of product knowledge inside the management packs. I have been using SCOM for a while now and, based on my experience, the most important rule when it comes to monitoring is to read the management pack guides. Next is to tune and tweak the management packs to your specifics.

Agents have by nature the ability to fail over if you have a large SCOM deployment where more than one management or gateway server exists. In case you have regional requirements you can configure the failover based on your needs.

How to configure Gateway Failover?

# Set all gateway servers to use the primary MS as primary and the failover MS as failover
# Placeholder names: adjust "SCOMMS1" (primary) and "SCOMMS2" (failover) to your servers;
# -match also matches longer names such as SCOMMS10, use -eq with the FQDN if that is a risk
$primaryMS = Get-SCOMManagementServer | where {$_.Name -match "SCOMMS1"}
$failoverMS = Get-SCOMManagementServer | where {$_.Name -match "SCOMMS2"}
$gatewayMS = Get-SCOMManagementServer | where {$_.IsGateway -eq $true}
# The primary must be set first; the failover list must not contain the primary itself
Set-SCOMParentManagementServer -GatewayServer $gatewayMS -PrimaryServer $primaryMS
Set-SCOMParentManagementServer -GatewayServer $gatewayMS -FailoverServer $failoverMS

How to configure Agent Failover?

# Agents reporting to "SCOMGATEWAY1.DOMAIN.COM" - failover to "SCOMGATEWAY2.DOMAIN.COM"
$primaryMS = Get-SCOMManagementServer | where {$_.Name -eq "SCOMGATEWAY1.DOMAIN.COM"}
$failoverMS = Get-SCOMManagementServer | where {$_.Name -eq "SCOMGATEWAY2.DOMAIN.COM"}
$agent = Get-SCOMAgent | where {$_.PrimaryManagementServerName -eq "SCOMGATEWAY1.DOMAIN.COM"}
Set-SCOMParentManagementServer -Agent $agent -PrimaryServer $primaryMS
Set-SCOMParentManagementServer -Agent $agent -FailoverServer $failoverMS

How to verify?

# Verify failover for agents reporting to "SCOMGATEWAY1.DOMAIN.COM"
$Agents = Get-SCOMAgent | where {$_.PrimaryManagementServerName -eq "SCOMGATEWAY1.DOMAIN.COM"}
$Agents | sort | foreach {
    Write-Host ""
    "Agent :: " + $_.Name
    "-Primary MS :: " + ($_.GetPrimaryManagementServer()).ComputerName
    $failoverServers = $_.GetFailoverManagementServers()
    foreach ($managementServer in $failoverServers) {
        "-Failover MS :: " + ($managementServer.ComputerName)
    }
}
Write-Host ""
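The verification above lists what each agent has; the function below is an added example (not code from the original post) that turns the same calls into a report of the agents that actually need attention: those with no failover server at all, and those whose failover list only contains their own primary, which gives no protection. It assumes the OperationsManager module is loaded and a connection to the management group already exists; the filter value 'SCOMGATEWAY1*' is an illustration.

```powershell
# Added example (not from the original post): find agents whose failover
# configuration is missing or useless.
Import-Module OperationsManager

function Get-AgentFailoverReport {
    param([string]$PrimaryFilter = '*')   # e.g. 'SCOMGATEWAY1*'; '*' checks every agent

    Get-SCOMAgent |
        Where-Object { $_.PrimaryManagementServerName -like $PrimaryFilter } |
        ForEach-Object {
            $primary   = $_.GetPrimaryManagementServer().ComputerName
            # ComputerName of every configured failover server, as a plain string array
            $failovers = @($_.GetFailoverManagementServers() | ForEach-Object { $_.ComputerName })

            $state = 'OK'
            if ($failovers.Count -eq 0)            { $state = 'NoFailover' }
            elseif ($failovers -contains $primary) { $state = 'FailoverIsPrimary' }

            [pscustomobject]@{
                Agent     = $_.DisplayName
                Primary   = $primary
                Failovers = $failovers -join ','
                State     = $state
            }
        }
}

# Only the agents that need fixing with Set-SCOMParentManagementServer
Get-AgentFailoverReport -PrimaryFilter 'SCOMGATEWAY1*' |
    Where-Object { $_.State -ne 'OK' } |
    Format-Table -AutoSize
```

Run it without the filter after a gateway or management server change; agents whose primary was decommissioned show up as NoFailover and are the ones that silently stop reporting when the remaining server goes down.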

[Quick] F5 BIGIP-How to configure RDGateway load balancer?

March 28, 2017

Windows is usually good enough for simple network load balancing, but networking people know the challenges when you load balance a specific workload. WNLB is good but limited in its ability to analyze data streams and then decide based on conditions. F5 and a few other hardware load balancers, e.g. Kemp, do an amazing job here and come into play where WNLB stops.

Here is a quick example of how you can configure RD Gateway load balancing on F5. There is an iApp template which you can import and which makes it much easier, as many of the required settings are already there. You can get the template from download.f5.com –> BIGIP –> iApp. Download the zip and import only the RDS template.

If you are going to terminate SSL connections on your F5 you have to import the certificate including the private key onto the BIG-IP system. While the BIG-IP system does include a self-signed SSL certificate that can be used internally or for testing, we strongly recommend importing a certificate and key issued by a trusted Certificate Authority for processing client-side SSL. For information on SSL certificates on the BIG-IP system, see the online help or the Managing SSL Certificates for Local Traffic chapter in the Configuration Guide for BIG-IP Local Traffic Manager available at http://support.f5.com/kb/en-us.html.

Next, we can start creating the Application Service in F5 with the iApp template we imported earlier: Application Services –> Create –> select template “f5.microsoft_rds_remote_access.V1.0.2”

To enable the new RDP 8.0 features we have to choose “Windows 2012 R2”, which will basically enable UDP traffic –> http://blogs.msdn.com/b/rds/archive/2013/04/09/get-the-best-rdp-8-0-experience-when-connecting-to-windows-7-what-you-need-to-know.aspx

The next part is key and depends on the specifics of your implementation; details on what each question does can be found in the deployment guide.

SSL – I am going to let the RDG servers handle SSL encryption, so the F5 will basically just pass the traffic through, balanced with the “least connection” algorithm. There are plenty of different load balancing algorithms available; for my needs “least connection” is just fine. There are also ways to stick connections to a user, but that is another story.

Voila! Sure, that is not all, but it should give a high-level overview and provide some useful context; hope this helps. See below for more details on this.

Deployment Guide – RDGateway
https://f5.com/solutions/deployment-guides/microsoft-remote-desktop-gateway-services-big-ip-v114-ltm-afm-apm

K16340: Microsoft Remote Desktop Gateway servers iApp template
https://support.f5.com/csp/article/K16340

Deploying Remote Desktop Gateway Step-by-Step Guide
http://technet.microsoft.com/en-us/library/dd983941%28WS.10%29.aspx

Deploying F5 with Microsoft Remote Desktop Services
https://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf

Powershell-How to query memory state via Get-WMIObject

March 27, 2017

Here is a simple example of how WMI queries can be called from PowerShell. This one is just an example and you can extend it with any system property like processors, available memory or even disk space information; it is all about your needs and of course your creativity.

$x = Read-Host -Prompt "Please enter the machine name "
""
# Win32_ComputerSystem: one instance per machine with total RAM, socket count and model
$colItems = Get-WmiObject -Class "Win32_ComputerSystem" -Namespace "root\CIMV2" -ComputerName $x

foreach ($objItem in $colItems) {
    # TotalPhysicalMemory is reported in bytes; convert to whole GB
    $displayGB = [math]::Round($objItem.TotalPhysicalMemory/1024/1024/1024, 0)
    $totalsockets = $objItem.NumberOfProcessors   # read from the current item, not the whole collection
    Write-Host "Total Physical Memory:" $displayGB "GB"
    Write-Host "Total CPU (Sockets) found:" $totalsockets
    Write-Host "Model: " $objItem.Model
}

# Win32_Processor: one instance per socket
$colItems2 = Get-WmiObject -Class "Win32_Processor" -Namespace "root\CIMV2" -ComputerName $x

foreach ($objItem2 in $colItems2) {
    Write-Host "System Name:" $objItem2.SystemName
}
""

An example from a previous post: here I calculate the memory pressure on a cluster node to identify oversubscribed hosts, which can lead to performance issues.
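The function below is an added example, not the script from the earlier post, showing one way to do that memory pressure calculation with the same WMI classes: Win32_ComputerSystem for the installed RAM and Win32_OperatingSystem for what is currently free, over a list of hosts such as the nodes of a Hyper-V cluster. The node names are constructed placeholders, the 90 % threshold is an assumption you should adjust to your own definition of oversubscribed, and the function assumes WMI/DCOM access to the hosts.

```powershell
# Added example (not from the original post): memory pressure per host via WMI.
function Get-MemoryPressure {
    param(
        [string[]]$ComputerName = @('HVNODE01', 'HVNODE02'),   # constructed placeholder node names
        [int]$WarnPercent = 90                                  # assumed threshold for "oversubscribed"
    )
    foreach ($node in $ComputerName) {
        # Win32_OperatingSystem reports memory in KB, Win32_ComputerSystem in bytes
        $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace root\CIMV2 -ComputerName $node -ErrorAction SilentlyContinue
        $cs = Get-WmiObject -Class Win32_ComputerSystem  -Namespace root\CIMV2 -ComputerName $node -ErrorAction SilentlyContinue
        if (-not $os -or -not $cs) { Write-Warning "No WMI answer from $node"; continue }

        $freeBytes = [double]$os.FreePhysicalMemory * 1KB
        $totalGB   = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        $freeGB    = [math]::Round($freeBytes / 1GB, 1)
        $usedPct   = [math]::Round((1 - $freeBytes / $cs.TotalPhysicalMemory) * 100, 1)

        $state = 'OK'
        if ($usedPct -ge $WarnPercent) { $state = 'Oversubscribed' }

        [pscustomobject]@{
            Node        = $node
            Model       = $cs.Model
            Sockets     = $cs.NumberOfProcessors
            TotalGB     = $totalGB
            FreeGB      = $freeGB
            UsedPercent = $usedPct
            State       = $state
        }
    }
}

# With the FailoverClusters module available you can feed the real node list:
# Get-MemoryPressure -ComputerName (Get-ClusterNode).Name
Get-MemoryPressure | Sort-Object UsedPercent -Descending | Format-Table -AutoSize
```

On Hyper-V hosts the free memory from Win32_OperatingSystem already reflects what dynamic memory has handed to the guests, so a node that sits close to the threshold will not be able to take over VMs from a failed neighbour; that is the oversubscription the report is meant to surface.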

Get-WMIObject
https://technet.microsoft.com/en-us/library/ee176860.aspx

WMIBrowser
https://wmie.codeplex.com/

The WMIBrowser is really useful when you do not know exactly what properties are available and how to call them.

WMI is really powerful and nearly every Windows property can be queried from there. OK, I see you are already thinking about all the creative ways now… Happy scripting!

SCOM Datawarehouse-Event31551 Failed to store data in the Data Warehouse

March 15, 2017

After I updated the SQL management pack to the latest release we saw the error below related to the SCOM DW system:

Failed to store data in the Data Warehouse. The operation will be retried. Exception ‘SqlException’: Login failed for user ‘SCOMAccount’

Since the latest SQL management pack update there are new SQL RunAs profiles, one of which is called “Data Warehouse SQL Server Authentication Account”. In my case the SCOM Action account was entered here, and this account has no permission to log in to SQL, so the above error is correct. Adding the right account fixed the issue; the DW was back in a healthy state and data is now pushed from the OperationalDB to the DW again.

Again and again: reading the SQL management pack guide is a must for healthy SQL monitoring, as these are usually business-critical databases.
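A way to catch this condition before the DW falls behind, as an added example that is not part of the original post: event 31551 lands in the Operations Manager log of the management servers, and every rejected login is also written by SQL Server to the Application log of the DW SQL server as event 18456. The function below reads both, pulls the account name out of the "Login failed for user" text, and groups the failures by account, which points straight at the profile holding the wrong member. Server names are placeholders; the function assumes a default SQL instance (event provider MSSQLSERVER) and rights to read the remote event logs.

```powershell
# Added example (not from the original post): correlate SCOM event 31551 with
# SQL Server login failures (event 18456) on the data warehouse server.
function Get-DwLoginFailures {
    param(
        [string[]]$ManagementServer = @('SCOMMS1', 'SCOMMS2'),   # placeholder names
        [string]$DwSqlServer = 'SCOMDWSQL',                       # placeholder name
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Helper: one normalized record per event, with the failing account extracted from the message
    $toRecord = {
        param($Event, $Source)
        $user = ''
        if ($Event.Message -match "Login failed for user '([^']+)'") { $user = $Matches[1] }
        [pscustomobject]@{
            Source  = $Source
            Time    = $Event.TimeCreated
            EventId = $Event.Id
            Account = $user
            Detail  = ($Event.Message -split "`n")[0]
        }
    }

    # SCOM side: 31551 "Failed to store data in the Data Warehouse"
    $scomSide = foreach ($ms in $ManagementServer) {
        Get-WinEvent -ComputerName $ms -FilterHashtable @{ LogName = 'Operations Manager'; Id = 31551; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object { & $toRecord $_ $ms }
    }

    # SQL side: 18456 is logged for every failed login (named instances use provider MSSQL$<INSTANCE>)
    $sqlSide = Get-WinEvent -ComputerName $DwSqlServer -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSSQLSERVER'; Id = 18456; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { & $toRecord $_ $DwSqlServer }

    @($scomSide) + @($sqlSide) | Sort-Object Time
}

# An account failing on both sides is the one to replace in the RunAs profile
Get-DwLoginFailures |
    Group-Object Account |
    Select-Object Name, Count, @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

The same query is a reasonable candidate for a scheduled check or a custom SCOM rule: a 31551 that keeps repeating means the OperationalDB is accumulating data it cannot hand off, and the retention there is much shorter than in the DW.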

Microsoft System Center Management Pack for SQL Server
https://www.microsoft.com/en-US/download/details.aspx?id=10631

…Stay tuned and happy SCOM’ing!

SCOM Reporting Services-rslogon failed

March 15, 2017

After you change the passwords of your SCOM service accounts you can hit the issue below if you have custom reports:

There are a few areas where passwords have to be updated in SCOM. Besides the RunAs accounts you also have to update the SQL Reporting Services credentials stored on your SQL server. Run the SQL Reporting Services Configuration Manager to update the credentials for RS (see the article below for more detailed steps).

If you still hit a report error like the one below, you most likely have stored separate credentials for accessing data sources. So I verified the new RunAs profiles for SQL and made sure the password is correct. Still I could not get my reports. In this environment we also have lots of our own custom reports which store their own credentials for accessing databases.

So let's verify this.

Open http://SCOMRS/Reports and select the report which failed above with “rsLogonFailed” –> Data Sources –> Test Connection

Gotcha! This report is using separate credentials to access databases. If possible, you should avoid this and use the shared data source option for your reports.
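Clicking through every report in the web portal does not scale once you have many custom reports, so here is an added example (not code from the original post) that asks the Reporting Services web service the same question for the whole catalog: which reports carry an embedded data source with stored credentials, i.e. exactly the ones that break with rsLogonFailed after a password change, as opposed to reports using a shared data source that is rotated in one place. It assumes the ReportService2010 endpoint under http://SCOMRS/ReportServer (the server name from the post) and that you run it with an account that has at least Browser rights on the folders.

```powershell
# Added example (not from the original post): inventory report data sources on
# the SCOM reporting server and flag the ones with stored (separate) credentials.
$reportServer = 'http://SCOMRS/ReportServer'   # adjust to your RS URL
$rs = New-WebServiceProxy -Uri "$reportServer/ReportService2010.asmx?wsdl" -UseDefaultCredential

function Get-ReportDataSourceInventory {
    param([string]$Folder = '/')
    # Recursive listing of the catalog; keep only reports
    $reports = $rs.ListChildren($Folder, $true) | Where-Object { $_.TypeName -eq 'Report' }
    foreach ($report in $reports) {
        foreach ($ds in $rs.GetItemDataSources($report.Path)) {
            $def = $ds.Item
            if ($null -ne $def.PSObject.Properties['Reference']) {
                # DataSourceReference: the report points at a shared data source
                [pscustomobject]@{
                    Report     = $report.Path
                    DataSource = $ds.Name
                    Kind       = 'Shared'
                    Target     = $def.Reference
                    StoredUser = ''
                }
            }
            else {
                # DataSourceDefinition: embedded; CredentialRetrieval is Prompt, Store, Integrated or None
                [pscustomobject]@{
                    Report     = $report.Path
                    DataSource = $ds.Name
                    Kind       = "Embedded/$($def.CredentialRetrieval)"
                    Target     = $def.ConnectString
                    StoredUser = $def.UserName
                }
            }
        }
    }
}

# Reports that will fail with rsLogonFailed after the stored account's password changes
Get-ReportDataSourceInventory |
    Where-Object { $_.Kind -eq 'Embedded/Store' } |
    Format-Table Report, DataSource, StoredUser, Target -AutoSize
```

Run the inventory before the password change rather than after it: the StoredUser column tells you which service accounts are referenced where, and a report whose embedded definition uses a highly privileged login is also a good candidate for moving to a shared data source with a least-privilege reader account.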

As a key point in SCOM, review the management pack guide for SQL to get a better understanding of security. Sometimes the permissions to monitor SQL instances have to be granular and restricted to the minimum needed to monitor the health of a SQL server (e.g. in highly secure networks like a DMZ). I highly recommend checking out the SQL Server management pack guide, especially since the latest release has new RunAs profiles which allow better and more granular control.

Microsoft System Center Management Pack for SQL Server
https://www.microsoft.com/en-US/download/details.aspx?id=10631

Below are some useful resources related to this topic

How to Change the Windows Service Account Password for the SQL Server Reporting Service
https://technet.microsoft.com/en-us/library/hh456426(v=sc.12).aspx

How to Change the Credentials for the Action Account
https://technet.microsoft.com/en-us/library/hh456432(v=sc.12).aspx

How to Change Credentials for the System Center Management Configuration service and System Center Data Access service
https://technet.microsoft.com/en-us/library/hh456438(v=sc.12).aspx

How to Change the Reporting Server Execution Account Password
https://technet.microsoft.com/en-us/library/hh456428(v=sc.12).aspx

Windows Server 2016 Scalability

August 26, 2016

For those of you who have not been able to keep up with all of the new scenarios and features Windows Server 2016 is introducing, no worries! Here are just a few of the top scenarios and features I have been asked about in Windows Server 2016.

Scale Out File Server with Storage Spaces Direct (RDMA) for Hyper-converged infrastructure

This will be a tradition breaker! Windows Server 2016 Datacenter introduces Storage Spaces Direct, which enables building highly available (HA) storage systems with local storage. This is a significant step forward in Microsoft Windows Server software-defined storage (SDS), as it simplifies the deployment and management of SDS systems and also unlocks the use of new classes of disk devices, such as SATA and NVMe disk devices, that were previously not possible with clustered Storage Spaces with shared disks. Windows Server 2016 provides a hyper-converged solution by allowing the same set of servers to provide SDS through Storage Spaces Direct (S2D) and also to serve as the hosts for virtual machines using Hyper-V.

For more information on this area, please reference Storage Spaces Direct in Windows Server 2016 Technical Preview.

Shielded virtual machines

Virtualization security is a major investment area in Windows Server 2016 Hyper-V. In addition to protecting hosts or other virtual machines from a virtual machine running malicious software, we also need to protect virtual machines from a compromised host. Since a virtual machine is just a file, we need to protect it from attacks via the storage system, the network, or while it is backed up. This is a fundamental need for every virtualization platform today, whether it’s Hyper-V, VMware, or any other. Quite simply, if a virtual machine gets out of an organization (either maliciously or accidentally) that virtual machine can be run on any other system. Protecting high value assets in your organization such as domain controllers, sensitive file servers, and HR systems is a top priority, which is why we’ve made this scenario a top priority in Windows Server 2016. Quite simply, nothing like it exists in the market.

Containers

Windows Containers provide operating system-level virtualization that allows multiple isolated applications to be run on a single system. Two different types of container runtime are included with the feature, each with a different degree of application isolation. Windows Server Containers achieve isolation through namespace and process isolation, while Hyper-V Containers encapsulate each container in a lightweight virtual machine. Curious to learn more? Be sure to reference the documentation on Windows Containers.

Stay tuned and happy testing… more to come soon on that end.

F5 BIGIP–java.lang.OutOfMemoryError

August 19, 2016

BIG-IP is one of the best hardware load balancers I have used, but sometimes the default configuration does not fit the way you utilize the BIG-IP. java.lang.OutOfMemoryError – to mitigate this message you can use the provision.tomcat.extramb database variable to increase the maximum amount of Java virtual memory available to the tomcat process.

Note: F5 recommends an initial increase of 20 MB, but it may not resolve all instances of the error message. If the java.lang.OutOfMemoryError errors continue, repeat this procedure, gradually increasing the value of <MB> until you no longer see the error message.

https://support.f5.com/kb/en-us/solutions/public/9000/700/sol9719.html

Impact of procedure: Allocating additional memory to Apache Tomcat may impact the performance and stability of the BIG-IP system. You should perform this procedure only when directed by F5 Support after considering the impact to Linux host memory resources.

Azure Powershell Part 2-Create VM

June 7, 2016

In the previous post “Azure Powershell Part 1” we set up and established a connection to Azure through PowerShell; now we try to create a new VM in Azure.

Once the connection is established and the relevant subscription information has been entered in your session, you will be able to run everything from here.

Step 1: Determine the ImageFamily
First you need to determine the ImageFamily or Label value for the specific image corresponding to the Azure virtual machine you want to create. You can get the list of available ImageFamily values with this command.

There are a bunch of images out there; the total list of ImageFamily values you can get with Get-AzureVMImage | select ImageFamily -Unique

Once you have identified the image you want to deploy, copy the ImageFamily name for the next step:

$family="<ImageFamily value>"
$image=Get-AzureVMImage | where { $_.ImageFamily -eq $family } | sort PublishedDate -Descending | select -ExpandProperty ImageName -First 1

In my scenario I will use “Windows Server 2012 R2 Datacenter”; please pay attention to the exact name.

Please note that in some cases the image name is in the Label property instead of the ImageFamily value. If you did not find the image you are looking for using the ImageFamily property, list the images by their Label property with this command –> Get-AzureVMImage | select Label -Unique

Step 2: Build your command set for VMDeploy
Build the rest of your command set by copying the appropriate set of blocks below into your new text file or the ISE, then filling in the variable values and removing the < and > characters.

$vmname="<machine name>"
$vmsize="<Specify one: Small, Medium, Large, ExtraLarge, A5, A6, A7, A8, A9>"
$vm1=New-AzureVMConfig -Name $vmname -InstanceSize $vmsize -ImageName $image

The value vmsize basically defines the instance class, which classifies the hardware properties of your VM. More details in “Sizes for Cloud Services”.

Now I want to connect this VM to an existing VM subnet and also assign a static IP. Get-AzureVNetConfig returns an XML structure; to get more data you can use fl to see what is inside the XML.

Here I see I have a VM subnet called “MyLabNetwork” and the CIDR is 10.0.0.0/8 (Class A). To check which IPs are available you can use Test-AzureStaticVNetIP and run the following query:

Good state, so we now know the VM subnet name and subnet range, and we confirmed the IP is available.

So all together the total script to deploy a new VM would look like this:

###Step1 Add your Account
$userName = "<your organizational account user name>"
$securePassword = ConvertTo-SecureString -String "<your organizational account password>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($userName, $securePassword)
Add-AzureAccount -Credential $cred
###Step1 END

###Step2 Set your subscription and storage account
$subscr="<subscription name>"
$staccount="<storage account name>"
Select-AzureSubscription -SubscriptionName $subscr -Current
Set-AzureSubscription -SubscriptionName $subscr -CurrentStorageAccountName $staccount
###Step2 END

###Step3 - Determine ImageFamily and Build VMDeploy CommandSet
$vmname="MyLAB2012R2"
$family="Windows Server 2012 R2 Datacenter"
$vmsize="Small"
# resolve the newest image of the family (Step 1); New-AzureVMConfig needs the image name, not the family
$image=Get-AzureVMImage | where { $_.ImageFamily -eq $family } | sort PublishedDate -Descending | select -ExpandProperty ImageName -First 1
$vm1=New-AzureVMConfig -Name $vmname -InstanceSize $vmsize -ImageName $image
$cred=Get-Credential -Message "Type the name and password of the local administrator account."

$vm1 | Add-AzureProvisioningConfig -Windows -AdminUsername $cred.Username -Password $cred.GetNetworkCredential().Password
# confirm the address is free before binding it (IsAvailable is $false when it is already taken)
Test-AzureStaticVNetIP -VNetName "MyLabNetwork" -IPAddress 10.0.0.50
$vm1 | Set-AzureStaticVNetIP -IPAddress 10.0.0.50
$vm1 | Set-AzureSubnet -SubnetNames "MyLabNetwork"
###Step3 END

Until here we have “only” passed the values but not really created the VM; the final command New-AzureVM is required to kick off the real deployment in Azure:

New-AzureVM -ServiceName "<short name of the cloud service>" -VMs $vm1
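The same procedure wrapped in a function, as an added example that is not code from the original post: it resolves the newest image of the family and stops if the family name is wrong, checks the static IP with Test-AzureStaticVNetIP and refuses to continue when IsAvailable is false (listing the addresses Azure suggests instead), builds the configuration as one pipeline, and passes -VNetName to New-AzureVM, which is required when the VM is placed in a subnet and the cloud service does not exist yet. The defaults reuse the names from this post; the cloud service name is a placeholder.

```powershell
# Added example (not from the original post): deploy a classic Azure VM with
# the two checks that most often explain a failed New-AzureVM.
function New-LabVM {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][pscredential]$AdminCredential,
        [string]$ImageFamily  = 'Windows Server 2012 R2 Datacenter',
        [string]$InstanceSize = 'Small',
        [string]$VNetName     = 'MyLabNetwork',
        [string]$SubnetName   = 'MyLabNetwork',
        [string]$StaticIP     = '10.0.0.50'
    )

    # 1. Newest image of the family; a typo in the family name otherwise surfaces much later
    $image = Get-AzureVMImage |
        Where-Object { $_.ImageFamily -eq $ImageFamily } |
        Sort-Object PublishedDate -Descending |
        Select-Object -ExpandProperty ImageName -First 1
    if (-not $image) {
        throw "No image found for ImageFamily '$ImageFamily'. List families with: Get-AzureVMImage | select ImageFamily -Unique"
    }

    # 2. Static IP must be free in the VNet before it is bound to the VM
    $ipCheck = Test-AzureStaticVNetIP -VNetName $VNetName -IPAddress $StaticIP
    if (-not $ipCheck.IsAvailable) {
        throw "IP $StaticIP is already in use in $VNetName. Suggested free addresses: $($ipCheck.AvailableAddresses -join ', ')"
    }

    # 3. VM configuration: size/image, local admin, subnet and static IP
    $vm = New-AzureVMConfig -Name $Name -InstanceSize $InstanceSize -ImageName $image |
        Add-AzureProvisioningConfig -Windows -AdminUsername $AdminCredential.UserName -Password $AdminCredential.GetNetworkCredential().Password |
        Set-AzureSubnet -SubnetNames $SubnetName |
        Set-AzureStaticVNetIP -IPAddress $StaticIP

    # 4. Create it; -VNetName ties a new cloud service to the virtual network
    New-AzureVM -ServiceName $ServiceName -VMs $vm -VNetName $VNetName -WaitForBoot
}

$adminCred = Get-Credential -Message 'Local administrator for the new VM'
New-LabVM -Name 'MyLAB2012R2' -ServiceName '<short name of the cloud service>' -AdminCredential $adminCred
```

Get-Credential keeps the local administrator password out of the script file, which is the other thing worth changing compared to the ConvertTo-SecureString -AsPlainText pattern used for the organizational account in Step 1 above; and -WaitForBoot makes the call block until the VM is running, so a failure is reported at the prompt rather than only in the dashboard.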

Once the deployment has started you will see it in your Azure dashboard.

More parameters are available for the New-AzureVM cmdlet:

Parameter Set: ExistingService

New-AzureVM -ServiceName <String> -VMs <PersistentVM[]> [-DeploymentLabel <String> ] [-DeploymentName <String> ] [-DnsSettings <DnsServer[]> ] [-InternalLoadBalancerConfig <InternalLoadBalancerConfig> ] [-ReservedIPName <String> ] [-VNetName <String> ] [-WaitForBoot] [ <CommonParameters>]

Parameter Set: CreateService

New-AzureVM -ServiceName <String> -VMs <PersistentVM[]> [-AffinityGroup <String> ] [-DeploymentLabel <String> ] [-DeploymentName <String> ] [-DnsSettings <DnsServer[]> ] [-InternalLoadBalancerConfig <InternalLoadBalancerConfig> ] [-Location <String> ] [-ReservedIPName <String> ] [-ReverseDnsFqdn <String> ] [-ServiceDescription <String> ] [-ServiceLabel <String> ] [-VNetName <String> ] [-WaitForBoot] [ <CommonParameters>]

The password needs to comply with the password policy, else the deployment will fail; also, only the following usernames “Admin1, Administrator, Admin…” can be used. To use custom admin names you need to use Add-AzureProvisioningConfig -Windows -AdminUsername "<Custom Admin Username>" -Password <YOURPASSWORD>

If you modify $cred you have to pass it again to the VM config:

$vm1 | Add-AzureProvisioningConfig -Windows -AdminUsername "<Custom Admin Username>" -Password <YOURPASSWORD>

Quick tip: in case you run into any issues during deployment of the VM you can use -Debug, which helps to determine why the deployment is failing to proceed.

Windows Azure Management Cmdlets
http://msdn.microsoft.com/en-us/library/windowsazure/jj152841

Sizes for Cloud Services
https://azure.microsoft.com/en-us/documentation/articles/cloud-services-sizes-specs/

Azure Limits and Quotas
https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/

Should I choose cloud services or something else?
https://azure.microsoft.com/en-us/documentation/articles/cloud-services-choose-me/

There are tons of options available when you are creating a virtual machine in Azure, e.g. domain join, additional disks, static IP (DIP); for more details on the configuration possibilities check out the cmdlet “Add-AzureProvisioningConfig”.