So long, and Thanks for all the Sid’s

posted by terje in Tools

On the retiring of the NewSid tool and the creation of Myths in IT


When working as a consultant, it's not unusual to come across customers who for some reason have chosen to do things in a way that is not in accordance with established “Best Practice”.

Often the customer will tell you that it is because of some unique characteristic of his solutions and environment, and that the decision not to honor the best practice is based on previous experience of internal staff and/or other external consultants. The rationale behind the decisions might have been true in the past, but may not be true anymore.
However, the details of the previous experience are not known, but someone once made this decision, so it must have been based on some rational reason, right?

The customer is sometimes unwilling to re-evaluate these decisions, and over time they can evolve into myths.
These myths strengthen the customer's belief that he has unique concerns, and the result can be crippling to the customer's ability to make changes in their environment and reach a higher IT maturity level.

To challenge established truths, it takes a combination of competence, guts and trust that takes a long time to establish.

To challenge an established practice adopted by the entire industry, it takes the three qualities mentioned, only in huge quantities.

So when someone was going to tell IT pros that they have been wasting their time creating unique machine SIDs for years, I guess Mark Russinovich from Microsoft is one of the few who can do it.

Looking at his post The Machine SID Duplication Myth, where he announces the retiring of his own NewSID tool, and reading all the comments on his findings that he is getting from people, I guess it might take some patience to..

He concludes that it is not a problem to have several identical machine SIDs on the same network, since it would only be a problem if Windows ever referenced the machine SIDs of other computers.

“For example, if when you connected to a remote system, the local machine SID was transmitted to the remote one and used in permissions checks, duplicate SIDs would pose a security problem because the remote system wouldn’t be able to distinguish the SID of the inbound remote account from a local account with the same SID (where the SIDs of both accounts have the same machine SID as their base and the same RID).
However as we reviewed, Windows doesn’t allow you to authenticate to another computer using an account known only to the local computer.
Instead, you have to specify credentials for either an account local to the remote system or to a Domain account for a Domain the remote computer trusts. The remote computer retrieves the SIDs for a local account from its own Security Accounts Database (SAM) and for a Domain account from the Active Directory database on a Domain Controller (DC).
The remote computer never references the machine SID of the connecting computer.


In other words, it’s not the SID that ultimately gates access to a computer, but an account’s user name and password: simply knowing the SID of an account on a remote system doesn’t allow you access to the computer or any resources on it. As further evidence that a SID isn’t sufficient, remember that built-in accounts like the Local System account have the same SID on every computer, something that would be a major security hole if it was.

The New Best Practice

It’s a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem.
To my chagrin, NewSID has never really done anything useful and there’s no reason to miss it now that it’s retired.
Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation.”

So there you go..

Read Mark Russinovich’s article here.

Aaron Margosis further clarifies the distinctions between machine and domain SIDs on his blog.
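The structure the quote relies on (an account SID is the machine SID as base plus a RID, while built-in SIDs such as Local System carry no machine part) can be seen with the .NET `SecurityIdentifier` class. This is an added example, not code from the post or from Mark Russinovich's article; the computer names, account names and SID values are constructed, and `Split-Sid` is a hypothetical helper.

```powershell
# Added illustration. All SID values below are constructed, not taken from real machines.
$samples = @(
    @{ Computer = 'PC-A'; Account = 'Administrator'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-500'  },
    @{ Computer = 'PC-B'; Account = 'Administrator'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333-500'  },
    @{ Computer = 'PC-A'; Account = 'svc-backup';    Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1001' },
    @{ Computer = 'PC-A'; Account = 'Local System';  Sid = 'S-1-5-18' }
)

# Split-Sid (hypothetical helper) separates the machine or domain SID from the RID.
function Split-Sid {
    param([string]$SidString)
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $base = $sid.AccountDomainSid      # $null when the SID is not an account SID (e.g. S-1-5-18)
    $machineSid = $null
    $rid = $null
    if ($base) {
        $machineSid = $base.Value
        $rid = [uint32]($sid.Value.Split('-')[-1])   # last sub-authority is the RID
    }
    New-Object PSObject -Property @{ Sid = $sid.Value; MachineSid = $machineSid; Rid = $rid }
}

$report = foreach ($s in $samples) {
    $parts = Split-Sid $s.Sid
    New-Object PSObject -Property @{
        Computer = $s.Computer; Account = $s.Account
        MachineSid = $parts.MachineSid; Rid = $parts.Rid
    }
}
$report | Select-Object Computer, Account, MachineSid, Rid | Format-Table -AutoSize

# Account SIDs that are identical on more than one computer (the cloned-image case).
$report | Where-Object { $_.MachineSid } |
    Group-Object { "$($_.MachineSid)-$($_.Rid)" } |
    Where-Object { @($_.Group | Select-Object -ExpandProperty Computer -Unique).Count -gt 1 } |
    ForEach-Object { "{0} is used on: {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Computer }) -join ', ') }
```

The Local System row comes back with no machine SID at all, which is the quote's point about built-in accounts having the same SID on every computer.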

Deployment CD second edition out now

posted by terje in OSD, SCCM, System Center


Johan Arwidmark from TrueSec has released a new version of his excellent Deployment CD.

The CD covers Lite-Touch Deployments using the Microsoft Deployment Toolkit and Zero-Touch Deployments using System Center Configuration Manager 2007. The first version covered these topics using MDT 2008, while the new edition uses MDT 2010 and SCCM SP2 R2.

The CD consists of step-by-step Guides and Video Tutorials:

Lite Touch Deployments (Deployment without ConfigManager 2007, just the free tools):

  • Installing the server for MDT 2010 Lite Touch
  • Creating a Windows 7 reference image using Lite Touch
  • Deploying a Windows 7 image using Lite Touch
  • Dynamic Settings, creating and using the deployment database

Zero Touch Deployments (Deployment with ConfigManager 2007 SP2 R2):

  • Installing the server for MDT 2010 Zero Touch and ConfigManager 2007 R2
  • Creating a Windows 7 reference image using ConfigManager 2007 SP2
  • Deploying a Windows 7 image using ConfigManager 2007 SP2
  • Dynamic Settings, creating and using the deployment database

Additional Presentations:

  • New features in MDT 2010
  • Upgrading MDT 2008 to MDT 2010
  • Migrating Windows XP to Windows 7 (MDT 2010 Lite Touch – Refresh)

This CD is a really great resource for getting up to speed with OSD using ConfigManager 2007 and/or MDT 2010.

To get your free copy, go to deploymentcd.com, fill out the registration-form and you will receive a download-link in the mail.

To get the Microsoft Deployment Toolkit 2010, the Solution Accelerators Quick Start Guides and more, check out the Deployment TechNet site.

The Deployment Guys Blog is also a great resource for info on OSD with ConfigManager and/or MDT 2010.

SCCM 2007 R3 Announced

posted by terje in SCCM, System Center


The System Center team has today announced the plans for the upcoming SCCM 2007 R3.

The added features are mostly about power management, a feature I think captures the zeitgeist in a great way.

In these times of financial crisis, IT departments are looking to cut costs, and are at the same time encouraged to “think Green IT”.

The upcoming release of SCCM 2007 R3 can help IT departments address both these concerns by providing tools for power management for SCCM 2007 clients.

A PC that uses less energy both costs less and pollutes less.

The System Center team sums up the new features like this:

A. Help the organization plan a power strategy by monitoring current power state and consumptions and reporting on machine utilization trends, current power settings and current energy consumption

B. Enable the Administrator to easily create, deploy and enforce specific power settings using the existing ConfigMgr infrastructure
  − Ability to set peak and non-peak schedules
  − Ability to remediate settings if changed
  − Ability to opt out machines from power policy

C. Provide the business meaningful report formats that are relevant to Power Management

The release is planned for Q1 2010.

Click here for a sneak peek of the reports
(and check out the “environmental impact report” at the end, pretty cool I think).


PowerShell Scripts for finding Services and Scheduled Tasks that are using a specific account

posted by terje in PowerShell

A while ago I created some scripts that others might find useful.
The scripts were made for checking whether or not it was safe to disable a specific account, by looking for services and scheduled tasks that might need this account to run.
The scripts were originally made for checking Windows 2003 servers.

I have written them so that they now look for the use of the local administrator account on the servers. The scripts can therefore be helpful if you are going to disable this account in your environment (which you should..).
I made three scripts to accomplish this task: one “ping-script” to get a list of servers to check, one to check for services and one to check for scheduled tasks.
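A compact sketch of the same three-step check (ping, services, scheduled tasks) is shown here as an added example; it is not the author's scripts. It assumes Windows PowerShell with `Get-WmiObject`, English-language `schtasks.exe` column names ("TaskName", "Run As User"), and rights to query the target servers; the parameter names and the `Test-LocalAccount` helper are hypothetical.

```powershell
# Added example, not the original scripts. Defaults to the local computer so it runs as-is.
param(
    [string[]]$Servers = @($env:COMPUTERNAME),   # hypothetical parameter: servers to check
    [string]$Account   = 'Administrator'         # local account you plan to disable
)

# True when $RunAs names the local account: 'Administrator', '.\Administrator' or 'SERVER\Administrator'.
function Test-LocalAccount {
    param([string]$RunAs, [string]$Server, [string]$Account)
    $parts = $RunAs -split '\\'
    if ($parts.Count -eq 1) { return ($parts[0] -ieq $Account) }
    return (($parts[0] -eq '.' -or $parts[0] -ieq $Server) -and ($parts[-1] -ieq $Account))
}

foreach ($server in $Servers) {
    # Step 1: the "ping" check, skip servers that do not answer.
    if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
        Write-Warning "$server does not answer ping, skipped"
        continue
    }

    # Step 2: services. StartName holds the logon account of each service.
    Get-WmiObject Win32_Service -ComputerName $server |
        Where-Object { Test-LocalAccount $_.StartName $server $Account } |
        Select-Object @{n='Server';e={$server}}, @{n='Type';e={'Service'}},
                      Name, @{n='RunAs';e={$_.StartName}}

    # Step 3: scheduled tasks. Verbose CSV output includes a "Run As User" column.
    schtasks.exe /query /s $server /fo csv /v | ConvertFrom-Csv |
        Where-Object { Test-LocalAccount $_.'Run As User' $server $Account } |
        Select-Object @{n='Server';e={$server}}, @{n='Type';e={'Task'}},
                      @{n='Name';e={$_.TaskName}}, @{n='RunAs';e={$_.'Run As User'}}
}
```

An empty result for every server means no service or task was found running under the account; servers that were skipped because they did not answer still need to be checked before the account is disabled.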


Hyper-V Management Pack for SCOM 2007 released

posted by terje in SCOM, System Center

On Friday Microsoft made the Hyper-V Management Pack for SCOM 2007 available for download from the Microsoft Download Center.

Features include:

  • Management of critical Hyper-V services that affect virtual machines and host server functionality
  • Management of host server logical disks that affect virtual machine health
  • Full representation of virtualization in a single Hyper-V host server, including virtual networks, virtual machines, and guest computers
  • Monitoring of virtual machine hardware components that affect availability

Get it here!

Corrupt test DB with no Backup - going for the last resort

posted by terje in Database, MSSQL

Today I was notified by a coworker that a database running on a VM in our test lab was acting up and that the event log was filled with error messages like these:
____________________________________________________________
“SQL Server detected a logical consistency-based I/O error: incorrect checksum (expected: 0xdadadada; actual: 0x6d6d6d6d). It occurred during a read of page (1:4232) in database ID 5 at offset 0x00000002110000 in file ‘C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\databaseName.mdf’. Additional messages in the SQL Server error log or system event log may provide more detail.
This is a severe error condition that threatens database integrity and must be corrected immediately. Complete a full database consistency check (DBCC CHECKDB). This error can be caused by many factors; for more information, see SQL Server Books Online.”
____________________________________________________________
Pretty scary stuff if you ask me..

The hard to find SystemCenter Partner forums at Microsoft

posted by terje in System Center

Rod Trent over at myitforum posted these links to the Config Manager and Operation Manager Partner Forums.

I believe you will need a Microsoft Live Account associated with a Microsoft Partner to log in.
Configuration Manager:
http://social.technet.microsoft.com/Forums/en-US/partnersystemcentercm

Operations Manager:
http://social.technet.microsoft.com/Forums/en-US/partnersystemcenterom

18 critical bugs fixed in MS June 09 Security Updates

posted by terje in Patch Management

Today Microsoft issued 10 security updates that patched a record 31 vulnerabilities in Windows, Internet Explorer (IE), Excel, Word, Windows Search and other programs, including 18 bugs marked “critical.”

Of the 10 bulletins, six patched some part of Windows, while three patched an Office application or component, and one fixed a flaw in IE.

Eighteen of the 31 bugs were ranked critical, Microsoft’s most serious ranking in its four-step score, while 11 were tagged as “important,” the next-lowest label, and two were judged “moderate.”

By far the most important of the updates is said to be the IE roll-up package MS09-019, which patches eight separate vulnerabilities in Microsoft’s Internet Explorer browser.

Gregg Keizer has interviewed a bunch of well-known security researchers from companies such as Qualys, nCircle Network Security and Shavlik Technologies.
Eric Schultze, chief technical officer at Shavlik Technologies, recommends getting the IIS and AD patches out there first thing too.

“The Internet Information Server (IIS) flaw affects some systems that have enabled WebDAV (Web-based Distributed Authoring and Versioning), a set of extensions to HTTP used to share documents over the Web. Schultze put the spotlight on MS09-020 because Microsoft had publicly acknowledged the bug last month in a security advisory.

MS09-018 got his attention because Microsoft pegged the Active Directory flaw as critical, and it could be exploited remotely by simply sending a server a malicious data packet. “Someone could use this to take over Active Directory, and if they do, they’d own all [an organization's] passwords,” Schultze said.”
Read the article

I guess we all better start moving over to the final stages of the “evaluate and plan” phase and get this one out asap..

The Internet Storm Center has published this page that shows the individual updates relative to the CVE articles and ratings of importance.

Symantec has published this video on the issues.

Symantec on June 09 MS updates

Here is the official MS Bulletin for June 2009:
http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

I have done some searching for feedback from the first ones to test the updates, without too many hits so far.
Rob from the UK Windows Management User Group has done some testing without incident:
“All went swimmingly well”

Sounds Promising.

SCCM 2007 SP2 Beta Available on Connect

posted by terje in SCCM

The most notable new feature is support for new operating systems:
• Windows 7
• Windows Server 2008 R2
• Windows Server 2008 SP2
• Windows Vista SP2

To get your hands on it you must register at Microsoft Connect.
(Right now the Service Pack is not available. The MS team had to pull it from the site because of some issues with the installer, but it will probably be back up any minute..)

Chris Adams and Cameron King from the Microsoft SCCM 2007 OSD engineering team have made a webcast of the presentation they held at MMS in Las Vegas this spring on how Microsoft deploys Windows 7.

The webcast is available here.

The Microsoft SCCM 2007 OSD engineering team has also made a post on how to utilize BGInfo.exe from the Sysinternals Suite in OSD.
BGInfo can be used to give end users a stylish and informative background screen that shows what's going on right now and where in the overall OSD process the machine is at this time.

Check out their blog at “Cravings of OSD”.

The Sysinternals Suite – The all-in-one Troubleshooting Kit

posted by terje in Tools

Mark Russinovich announced yesterday that the Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools that can be downloaded for free at Microsoft TechNet.

The tools are:
AccessChk, AccessEnum, AdExplorer, AdRestore, Autologon, Autoruns, BgInfo, CacheSet, ClockRes, Contig, Coreinfo, Ctrl2Cap, DebugView, Desktops, DiskExt, DiskMon, DiskView, Disk Usage (DU), EFSDump, FileMon, Handle, Hex2dec, Junction, LDMDump, ListDLLs, LiveKd, LoadOrder, LogonSessions, NewSid, NTFSInfo, PageDefrag, PendMoves, PipeList, PortMon, ProcessExplorer, Process Monitor, ProcFeatures, PsExec, PsFile, PsGetSid, PsInfo, PsKill, PsList, PsLoggedOn, PsLogList, PsPasswd, PsService, PsShutdown, PsSuspend, RegDelNull, RegJump, RegMon, RootkitRevealer, SDelete, ShareEnum, ShellRunas, SigCheck, Streams, Strings, Sync, TCPView, VMMap, VolumeID, WhoIs, WinObj and ZoomIt.
