The conference was the first edition of this virtual, worldwide conference and consisted of tracks in both Polish and English.   
After reviewing the different tracks I decided to go for the securitytrack that sounded very promising, and belive me it really went above and beyond my expectations..

The first Session Thomas Shinder heldt on DirectAccess and Microsoft Forefront Unified Access Gateway 2010 was a good walkthrough of the technologies and possibilities Microsoft provides for remote access.

The second was a great and detailed explanation by Tomek Onyszko on how Kerberos authentication works.

The next session was called Cybercrime: The Gathering Storm! By Andy Malone, and I must admit that this was the session I was most looking forward to.
A description of the latest trends regarding cybercriminal sophistication, the impact of the credit crunch and Chinese ”hacking schools” and their latest targets.
Packed with demos of the tools available for information gathering, Phishing site “generators”, and other malicious tools a cybercriminal has in his toolbox.
This session was truly amazing and I am happy to be able to link to the same presentation held at TechEd earlier this year.

I would like to share some experience I have had recently with doing some volunteer community work, creating and running a computer class for Immigrant Women in Oslo.

Background
Last autumn my employer Steria had a vision of trying to help out in the local community by sharing some of the skills and resources the company possesses.
A local organization called the Church City Mission who does community work was contacted, and there were discussed different ways that the company might contribute.
The Church City Mission came up with the idea that we could hold computer classes for users of a center focusing on health and family-care they ran, with many immigrant women among the users.  
Many of whom are lacking basic computer skills.

An email was sent out to all Steria employees in Norway asking for people to contribute.
I decided to join in and see what this was all about.
At the first meeting with the volunteers I accepted the task of creating the class material, as well as holding the class for a group of Somali women (with an interpreter).
In parallel with this class we held classes in Arabic for Iraqi women and in Urdu for a group of Pakistani women, these classes where held by volunteer Steria employees who speak these languages.

All classes were held at the same time in different conference rooms at the Steria HQ in downtown Oslo. The classes were divided into three sessions, The first two (Basic Computer Use / Internet -use and Internet / e-mail use) where held with one week apart. We then had a intermission where the participants were given the opportunity to get a Steria-consultant home, for anything from support with getting internet working at home or practicing the new skills on their own PC. After this there was one last session where one part were repetition and one part in which  we discussed the experiences the users have had since the last session and helped out with what the participants found challenging.

Creating the class material was rather fun, and the most challenging part was to block out all the things people with basic computerskills take for granted, things we actually do more subconsciously  than consciously, and actually make sure I explained everything I would do, so that the users would be able to understand everything.

The Classes
We started out explaining the most important keyboard keys, like space, shift  and enter, and moved on to learn how to use the mouse, clicking, right-clicking and double-clicking.
We used mspaint to create a painting to rehearse clicking, but there are online tools as well.
The biggest lesson here is that this takes time– double-clicking is hard the first time!

We moved on by showing the Google site, which is a clean site without a lot of distracting and confusing stuff.
There we practiced writing short sentences in the search box, remembering spaces, capital letters and such.
We then moved on to search for a dentist in the area, remembering to explain and show the scroll bar on the right side of the browser window.
We continued to search for other things, like phone numbers and addresses and then some more searches using Google in the participants own language,
showing both the regionalized Google search sites and installing the Google task-bar so that we could use the “translate” function to translate Norwegian newspapers into Arabic and other languages.

The next session we did some repetition before we set up the participants with Gmail-accounts and practiced sending and receiving mail, and attaching the painting we created in the first session.
In the last session we did some more repetition, before we spent the rest of the day finding online news and entertainment sources in the women’s own language.

Home-help
The home-help offer was received with great enthusiasm and several of the women in all the classes signed up to have a consultant come to their home to fix and explain stuff.

Being able to come to the homes of these families and fix little issues, that had stopped them from using their computers and the Internet, was a great experience that I will never forget.

“Customer” feedback
The feedback we got from the participants through the Church City Mission contained a degree of gratitude that is almost embarrassing to repeat – the women felt empowered and skillful.
They had increased their positions both in their communities and families, and felt capable of paying their bills with online banking and communicating with schools and others though email.

They felt lifted out of isolation.

The success of the endeavor was noticed and appreciated by upper Steria management,  the Norwegian newspaper Aftenposten also made a peace on the classes.

When we now are about to start with season two, many more Steria employees have volunteered to contribute.  
We have already decided the dates for season three to be held this autumn.

Just do it
This kind of projects are fun and rewarding and shows that it is possible, with relatively little effort, to make a real impact both on the lives of others and maybe on society as well?

If you are interested in trying to do something similar, make contact with a local volunteer organization that does community work, and ask what you and your company do to contribute.

Here two links you might find helpful in creating material for such a class:

This is a great online class teaching the basic skills for surfing and using email:
http://www.abcpc.no/english/index.html

Microsoft‘s help and & how-to has a lot of well explained tips (remember to use a windows version that the participants may have at home)
http://windows.microsoft.com/en-US/windows/help

A lot of people have a handful of passwords that they keep re-using for more than one personal online account.
This is a habit that is as understandable as it is dangerous, since we are constantly creating more and more  online accounts and remembering unique passwords and where they should be used is not an easy task.
Even though most of us have been fine reusing the same half-dozen-or-so passwords over and over again for years, I think the days of innocence are coming to an end, as recent studies by  Kaspersky Lab shows that “Password reuse opens door to ID theft” .

Passwordmanagers are well and good but they have one big problem  – you are helpless when you do not have access to it.

Ever since I first started getting serious about stopping reusing the same password for more than one online account, I have been looking for a scheme  that would make it easy to remember passwords for accounts I use a lot, while at the same time keeping them all unique, so that one compromised password would not give away the login information for half a dozen other accounts.
The second thing I had to do was finding a way to securely store the passwords so that they could be retrived whenever I needed them.
Lastly I had to create a list of all the accounts I have, and starting changing the passwords to unique ones.

The answer to the first two I found in this article by Sean over at F-secure.

In his article he explains a scheme that will let you create a unique password where 
One part of the password will identify where it should be used,
One part of the password is unique for the account
The last part of the password will be a pin-code that will be the same for all passwords – this last part you will memorize.

The list can be written down on a post-it and stored in your wallet for easy access.
Without the pin-code it is worthless to anyone but you.

I decided to give it a try, with a modified version of his scheme, and started changing my accounts, and sure enough -after a while you will remember the ones you use regularly, the rest are always with you in your wallet.

The biggest problem is actually to never fall back to old sins and start reusing passwords again, and the fact that the post-it’s will get worn out after a while.

This is fixed by getting “Roboform-Pro”,   a regular passwordmanager -but with online synchronization between several machines, and a web interface that can be accessed from anywhere..

Every time you create a new account the app springs to life and asks to save it, maybe generate a new password, and it is then synchronized to the cloud and with your other machines the next time you use them.

Your passwords can be accessed though a web  interface accessable from anywhere, all protected by up to 256bit AES encryption if you make a long master password.

- And for us that have become accustomed to having all our passwords in our pocket, it even has a lovely little IPhone app that you can synchronize as well.
Check them out on www.roboform.com 

When you have a list of all your accounts there is suddenly a whole lot easier to actually change  your passwords every once in a while to..

When working as a consultant, its not unusual to come across  customers who for some reason has chosen to do things in a way that is not in accordance with established “Best Practice”.

Often the customer will tell you that it is because of some unique characteristic of his solutions and environment, and that the decision not to honor the best practice is based on previous experience of internal staff, and/or other external consultants. The rationale behind the decisions might have been true in the past , but may not be true anymore.
However- the details of the previous experience is not known, – but someone once made this decision, so it must have been based on some rational reason, – right?

The customer is sometimes unwilling to re-evaluate these decisions, and over time they can evolve into myths.
These myths strengthens the customers belief that he has unique concerns, and the result can be crippling on the customers ability to make changes in their environments and reach a higher IT maturity level.

To challenge established truths it takes a combination of competence,  guts and trust that it takes a long time to establish.

To challenge an established practice  adopted by the entire industry it takes the three qualities mentioned, -only in huge quantities..

So when someone was going to tell IT-Pros that they have been wasting their time creating unique machine-sid’s for years, I guess Mark Russinovich from Microsoft is one of the few who can do it.

Looking at his post The Machine SID Duplication Myth where he announces the retiring of his own NewSID tool, and reading all the comments on his findings he is getting from people , I guess It might take some patience to..

He concludes that it is not a problem to have several identical machine SID’s on the same network, since the only way it would be is if  Windows ever references the machine SIDs of other computers.

“For example, if when you connected to a remote system, the local machine SID was transmitted to the remote one and used in permissions checks, duplicate SIDs would pose a security problem because the remote system wouldn’t be able to distinguish the SID of the inbound remote account from a local account with the same SID (where the SIDs of both accounts have the same machine SID as their base and the same RID).
However as we reviewed, Windows doesn’t allow you to authenticate to another computer using an account known only to the local computer.
Instead, you have to specify credentials for either an account local to the remote system or to a Domain account for a Domain the remote computer trusts. The remote computer retrieves the SIDs for a local account from its own Security Accounts Database (SAM) and for a Domain account from the Active Directory database on a Domain Controller (DC).
The remote computer never references the machine SID of the connecting computer.

In other words, it’s not the SID that ultimately gates access to a computer, but an account’s user name and password: simply knowing the SID of an account on a remote system doesn’t allow you access to the computer or any resources on it. As further evidence that a SID isn’t sufficient, remember that built-in accounts like the Local System account have the same SID on every computer, something that would be a major security hole if it was.

The New Best Practice

It’s a little surprising that the SID duplication issue has gone unquestioned for so long, but everyone has assumed that someone else knew exactly why it was a problem.
To my chagrin, NewSID has never really done anything useful and there’s no reason to miss it now that it’s retired.
Microsoft’s official policy on SID duplication will also now change and look for Sysprep to be updated in the future to skip SID generation.”

So there you go..

Read Mark Russinovich’s article here.

Aaron Margosis further clarifies the distinctions on machine vs domain sid’s on his blog

Johan Arwidmark from TrueSec has released a new version of his excellent Deployment CD.

The CD covers Lite-Touch Deployments using the Microsoft Deployment Toolkit and Zero-Touch Deployments using System Center Configuration Manager 2007. The first version covered these topics using MDT 2008 while the new edition uses MDT2010 and SCCM Sp2 R2.

The CD consists of step-by-step Guides and Video Tutorials:

Lite Touch Deployments   (Deployment without ConfigManager 2007, just the free tools):

• Installing the server for MDT 2010 Lite Touch
• Creating a Windows 7 reference image using Lite Touch
• Deploying a Windows 7 image using Lite Touch
• Dynamic Settings, creating and using the deployment database

Zero Touch Deployments   (Deployment with ConfigManager 2007 SP2 R2):

• Installing the server for MDT 2010 Zero Touch and ConfigManager 2007 R2
• Creating a Windows 7 reference image using ConfigManager 2007 SP2
• Deploying a Windows 7  image using ConfigManager 2007 SP2
• Dynamic Settings, creating and using the deployment database
  

Additional Presentations:

• New features in MDT2110
• Upgrading MDT 2008 to MDT 2010
• Migrating Windows XP to Windows 7 (MDT 2010 Lite Touch – Refresh

This Cd is a really great resource for getting up to speed with OSD using ComfigManager 2007 and/or  MDT2010

To get your free copy, go to deploymentcd.com, fill out the registration-form and you will receive a download-link in the mail.

To get The Microsoft Deployment Toolkit 2010 , the Soluiton Accelerators Quick Start Guides and more check out the Deployment Technet site.

The Deployment Guys Blog are also a great resource for info on OSD with ConfigManager and/or MDT2010

The System Center team has today announced the plans for the upcoming SCCM 2007 R3.

The added features are mostly about power management,  a feature I think captures the zeitgeist in a great way.

In these times of financial crisis, IT-departments are looking to cut costs, and are at the same time encouraged to “think Green IT”

The upcoming release of the SCCM 2007  R3 can help IT-departments address both these concerns – by providing tools for power management for SCCM 2007 clients.

A PC that uses less energy both costs less and pollutes less.

The System Center team sums up the new features like this:

A. Help the organization plan a power strategy by monitoring current power state and consumptions and reporting on machine utilization trends, current power settings and current energy consumption

B. Enable the Administrator to easily create, deploy and enforce specific power settings using the existing ConfigMgr infrastructure
−Ability to set peak and non-peak schedules
−Ability to remediate settings if changed
−Ability to opt out machines from power policy

C. Provide the business meaningful report formats that are relevant to Power Management

The release are planned for Q1 2010.

Click here for a sneak peak of the reports
(and check out the “environmental impact report” at the end -pretty cool I think).

.

I have written them so that they now look for the use of the local administrator account on the servers, the scripts can therefore be helpful if you are going to disable this account in your environment (which you should..)
I made three scripts to accomplish this task, one “ping-script” to get a list of servers to check, one to check for services and one to check for scheduled tasks.

The first one is a general “ping-script” that asks for some naming characteristic for the servers you want to query for,
This can be adjusted to meet your naming convention:
If you have a naming convention like this “SQLHQ012″ and you want to list all SQL servers = type SQL at first prompt ($_criteria1), enter – * on the second+ enter.
For all servers at HQ = * on the first prompt,enter – HQ on the second ($_criteria2) + enter
The script will then ask Active Directory by running DSQuery (dsquery computer -name $_criteria1$_criteria2*)
- omitting all machine accounts with “PC” or “NB” in its name.
The script then pings all the machine accounts it has found and creates a list for onlineservers and one for offlineservers.
The lists are created in the same dir as the script is executed from. Ignore screen messages for servers that can not be reached..

____________________________________________________________
del AllServers.txt
del OnlineServers.txt
del OfflineServers.txt
$_criteria1 = Read-host “Enter a unique 1st part of machinenames you want to Query or * to use 1st part as wildcard”
$_criteria2 = Read-host “Enter a unique 2nd part of machinenames you want to Query or * to use 2nd part as wildcard”
dsquery computer -name $_criteria1$_criteria2* -o rdn -limit 0 | where { $_ -notmatch ‘PC’ -And $_ -notmatch ‘NB’}>>serverliste_tmp.txt
(Get-Content serverliste_tmp.txt) |
Foreach-Object {$_ -replace “”"”, “”} |
Set-Content AllServers.txt
del serverliste_tmp.txt
$Servere=Get-Content AllServers.txt
Foreach ($_ in $Servere)
{
$ping = new-object System.Net.NetworkInformation.Ping
$Reply = $ping.send($_)
if ($Reply.status –eq “Success”)
{Write-Output “$_” >>OnlineServers.txt}
else
{Write-Output “$_” >>OfflineServers.txt}
$Reply = “”
}
____________________________________________________________

The second one is a one-liner that gets a list of servers from the file “onlineservers.txt” in the same folder as the script,
Runs a WMI query against all servers in the list and creates a webpage “services_that_uses_specific_account.html”
This webpage lists all servers and the services that uses the account in question.
Change “*\Administrator” to any account you want to check before you disable or delete it

Dependencies:
The script needs the file onlineservers.txt containing one servername per line in the folder the script is executed from.

____________________________________________________________

get-content onlineservers.txt |ForEach-Object {gwmi win32_service -computerName $_| where {$_.StartName -like “*\Administrator”}} | select __Server,name,startname |convertto-html | out-file services_that_uses_specific_account.html
____________________________________________________________

The third one runs Schtasks.exe to get details for all scheduled tasks on all servers in the serverlist “onlineservers.txt”
it then searches through these details for any instance of the word “Administrator”.
All lines that contains this word are then written to the file Servers_with_tasks_as_local_administrator.csv
This file is already prepared with one line containing the description of the different parts of the output.
To search for tasks running as any other user, simply change the word “Administrator” to whatever account you want.

Dependencies:
The script needs the file onlineservers.txt containing one servername per line.
The script also need the file templatefile.csv for descriptions of the output
Both files must be present in the same folder that the script is executed from

____________________________________________________________
Copy templatefile.csv tasks_as_specific_user.csv
$Servere=Get-Content onlineservers.txt
Foreach ($_ in $Servere)
{
Schtasks.exe /query /s $_ /v /FO CSV |select-string -pattern “Administrator” | Add-content ‘tasks_as_specific_user.csv’}
____________________________________________________________
The templatefile CSV and all the other scripts can be downloaded from my SkyDrive:

Go to my SkyDrive to get the scripts

Check_account_use_before_disable.zip contains all the scripts in this post.

Features include:

• Management of critical Hyper-V services that affect virtual machines and host server functionality
• Management of host server logical disks that affect virtual machine health

• Full representation of virtualization in a single Hyper-V host server, including virtual networks, virtual machines, and guest computers

• Monitoring of virtual machine hardware components that affect availability

Get it here!

Today I was notified by a coworker that a database running on a VM in our test lab was acting up and that the event-log was filled with error messages like these:
____________________________________________________________
“SQL Server detected a logical consistency-based I/O error: incorrect checksum (expected: 0xdadadada; actual: 0×6d6d6d6d). It occurred during a read of page (1:4232) in database ID 5 at offset 0×00000002110000 in file ‘C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\DATA\databaseName.mdf’. Additional messages in the SQL Server error log or system event log may provide more detail.
This is a severe error condition that threatens database integrity and must be corrected immediately. Complete a full database consistency check (DBCC CHECKDB). This error can be caused by many factors; for more information, see SQL Server Books Online.”
____________________________________________________________
pretty scary stuff If you ask me..
So the first thing I tried was to start query analyser and run
DBCC CHECKDB (‘databaseName’)
That however only gave me this error message.
____________________________________________________________
Msg 8967, Level 16, State 216, Line 1
An internal error occurred in DBCC that prevented further processing.
Contact Customer Support Services.
____________________________________________________________
So – doing some searches on the web I stumbled across a couple of sql forums that advised to restore from backup.. well – since the DB in question was used in a lab for development, I have to admit to not having a resent backup at hand.  This DB was not used for any System Center product. We could recreate the DB from scripts but I wanted to make an attempt at fixing it first.

-The command I will be using will delete the corrupt parts of the DB so be aware this is a last resort solution, If you do have a backup – use that to restore the DB…

So what I did was this:
I first made a backup of the database and put it on another server.
I then ran chkdsk /f on all drives on the server – rebooting to allow for checking the system drive.
After the server came up I put the db into single-user mode ( right click db\properties\options\restrict access= “single user”
I then used this command
DBCC CHECKDB (databaseName, REPAIR_ALLOW_DATA_LOSS)
It reported that it had fixed some but not all of the errors so I ran it again..
This time I got no errors.
Last i ran DBCC CHECKDB (‘databaseName’) once again – this time with noe errors.
I put the database back into multi-user mode (same procedure as last time ( close queries first))
I then rebooted the server for good measure ..
Everything now looks fine – Now I’m just curious to see if any  issues  might arise as a result off the corrupt data that’s been deleted.

I believe you will need a Microsoft Live Account associated with a Microsoft Partner to log in.
Configuration Manager:
http://social.technet.microsoft.com/Forums/en-US/partnersystemcentercm

Operations Manager:
http://social.technet.microsoft.com/Forums/en-US/partnersystemcenterom