PXE Booting Shadow Protect

If you’ve purchased a copy of StorageCraft’s ShadowProtect and have a copy of their ShadowProtect CD, you may not realise that the ISO contains a WinPE WIM image that you use to PXE boot ShadowProtect over the network


Currently, we’re using Altiris 6.9 for image deployment and use the Altiris PXE service, but the ShadowProtect BOOT.WIM will work with any PXE boot server that supports WinPE

To add the ShadowProtect boot image in Altiris, open the PXE Configuration Utility, and add a New Boot Menu Option


From here you can select the ShadowProtect BOOT.WIM but I found that to be unreliable in Altiris 6.9. I ended up getting it to work by adding an Altiris WinPE boot image that it had created, and replaced the Altiris boot image with the ShadowProtect BOOT.WIM in Windows Explorer


To replace the default Altiris BOOT.WIM, take note of the “Final Location on PXE Server” on the menu option you’ve just created and browse to the file location for your deployment server, in our case

C:\Program Files\Altiris\eXpress\Deployment Server\PXE\Images\MenuOption163\X86PC\sources


Simply replace the existing BOOT.WIM with the file from the ShadowProtect ISO and you’re finished

Next time you network boot a device, press F8 at the PXE menu to see all the menu items and ShadowProtect will be there!

The ShadowProtect ISO has drivers included for a lot of network cards, but if your device is fairly recent you may need to add NIC drivers after the ISO has loaded before you can backup a disk over the LAN

Radius – Server 2008 R2 NPS

We’ve OLYMPUS DIGITAL CAMERA         been using NPS on Server 2008 for a while now and its been perfect for handling 802.1x authentication (EAPTLS) and radius auth from the HP WESM in the 5400zl. The radius setup for the HP Wireless Edge Services was pretty easy, it only needs radius clients for the Primary WESM and any Redundant WESM’s.

Now that we’re adding another 50-70 E-MSM422 AP’s for the MSM765 controller we need to add radius clients for each AP. After a conversation with Adam (@DJADSA) we worked out that we were going to hit the 50 radius client limit in Server 2008 Standard. Adam showed me a couple of neat tricks with their NPS configuration that would save us a tonne of time and are new additions to R2!

The first trick was adding a subnet range for Radius Clients instead of adding a radius client for AP individually. Adding the IP/CIDR and shared secret will let all devices in the range talk to the NPS server.


The next tip from Adam was with the Accounting in NPS. We’d tried to get SQL logging to behave in Server 2008 a few times and failed miserably. The NPS application in 2008 would connect to a SQL database but wouldn’t create the structure etc. There was a sql script on the web that would create it for you but we didn’t have any luck getting it all to work properly. 2008 R2 has a new wizard for setting up NPS accounting and the final stage of the wizard gives you the option of creating the SQL structure of the database. very tidy


With SQL logging enabled it give us the option of writing a web part or two for SharePoint to let staff know which users are connected where, and lets us easily run scripts to find client/authentication problems.

MSM765 SNTP Time Sync


This week we’ve been reconfiguring our MSM765 wireless controller and adding some new features for Students and guests to the School. With our old ZL WESM we were able to have a VLAN on the wireless network with an HTML based login, which allowed the students to use their own machines on the wireless network with their AD credentials. We wanted to replicate this setup on the MSM by using HTML-based user logins and still use their AD logins. We hit a problem when we tried to configure the Active Directory Authentication on the controller because the time on the controller wasn’t in sync with the 5400 chassis or the domain!

When we check Controller –> Management –> System Time, we could see the the time was incorrect, but there was no option to change it or specify an NTP server. The command ling reference for the controller (MSM7xx-CLI-RG-May09-5992-5933.pdf) gave a few clues on how to set the SNTP server and get the controller connected to our Windows time server

Connecting the terminal to the 5400 with the controller (MSM is in Bay I)

BGSCore(config)# services  I 2
BGSCore(msm765-application-I)> enable
BGSCore(msm765-application-I)# conf
BGSCore(msm765-application-I)(config)# ntp protocol sntp
BGSCore(msm765-application-I)(config)# ntp server 1
BGSCore(msm765-application-I)(config)# ntp server

The time sync’d straight away and made the connection to AD without a hitch


Sonicwall’s Application Firewall and blocking BitTorrent

We’ve just updated the firmware on our NSA 4500 to and have started playing with the Application Firewall and DPISSL (Deep Packet Inspection). The 4500 is a Layer 7 firewall and the application firewall feature lets you do some pretty tricky filtering. We’ve noticed that some of the student machines coming in for repair have bittorrent clients installed. At the moment that sort of traffic is blocked by our ISA firewall/proxy which is the gateway for the Student Netbook VLAN, but we want to remove that over the next few months because it causes a bottleneck for heavy traffic, like heavy ClickView use. When we remove ISA we can either use the Sonicwall or ACL rules on the ProCurve 5400 (or both) to filter the traffic between the netbooks and the rest of the world. After the firmware update with the addition of the DPISSL it seemed like a good chance to see how good the filtering was on the NSA4500.

Before creating the new application firewall policy, I had to create an object for the bittorrent traffic. The Sonicwall has an IDP category for all P2P traffic which has signatures for many P2P applications. You can block traffic for particular applications, eg only block Azureus and allow other bittorrent clients


With the Application object defined, we can create the policy. In this case we wanted to stop all bittorrent traffic, however, its possible to excluded addresses and or users, which would be handy with the SSO. The rule will look for any traffic deemed to be P2P going through the sonicwall and will drop the packets. nice and easy


Any requests that match the rule are blocked and can be checked in the log view, which can be filtered by application firewall


Setting up uTorrent on a test machine and queuing up some files showed that the rule was working properly and not allowing any traffic to get through. The sonicwall not only blocked the file transfer but also the attempts to look for other peers etc

The combination of the application firewall and the DPISSL would also prevent this traffic from running over secure ports or ssl vpn type setups.

Application firewall rules can also be configured to shape traffic to/from any site on the web. At the moment we’ve configured a rule to shape traffic to megaupload and other download sites that work over port 80, and depending on Facebook traffic that could be a contender too. Another type of rule that was described in some sonicwall promotional guff was a rule to catch IE6 traffic and redirect it to a warning page to upgrade your version of IE. That rule sounds like a good idea, I think that might be my next one

Windows GPO: Disable Adobe Updater for CS3 and CS4

We’ve known for a while that Adobe updates are too frequent and too large and annoying when you have a couple of hundred machines on the network with the Master Collection installed. Recently, we installed Viewpoint to give us reporting from our Sonicwall firewall, and we saw the impact that Adobe updates had on our internet connection and it was staggering. Adobe updates and Apple iTunes updates were the bulk of our traffic, which is no mean feat when we have 900 Students in the Senior School on Facebook.

Web Usage Report from Viewpoint

Luckily, Adobe have a registry key that can be used to enable/disable the Adobe Updater, and pushing the entry out to clients via Group Policy seems like the sensible option

On Windows XP or Windows Vista

  1. Using Regedit.exe, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe
  2. Create a new Key in this folder named "Updater"
  3. Create a new DWORD value within this Key named "Enterprise with a value of "1"

To try it out, I created the registry entries on my local machine and imported the entries into a new GPO with the Registry Wizard (Right Click on Registry in the Computer Configuration, and select New –> Registry Wizard)

Registry Keys imported into GPO

Registry Entries, Action set to Update

It’s important to remember to still update the Adobe applications, especially Acrobat and Flash. The Sophos Security Threat Report 2010 highlights the need to keep these two applications up to date. Malicious code can be executed from flash files embedded in PDF documents, Sebastian Porst has a superb write up on dissecting the Adobe/Flash exploit here, if you’ve got 10 minutes grab a coffee and read up.

You can download the Acrobat Updates manually from Adobe, and push them out to clients with msiexec.exe, check AppDeploy for specifics with your version of Acrobat, but something like this would do the trick

msiexec /p "%installdir%\AcroProStdUpd910_T1T2_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

msiexec /p "%installdir%\AcrobatUpd912_all_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

Which is from the Adobe forums and push it out with a script or via GPO

Random AD User Account Lockout

user-account-control-icon The last few weeks we’ve had a problem with one of our IT Staff user accounts where it would regularly get locked out during the day. We suspected some of the Students were trying to guess the password for the account and were probably hoping to get around our web content filter….

This made me realise, we’ve never really looked for account lockouts and and where/why/how they might be happening on the network. I wasn’t excited about scouring the security event logs on our domain controllers to find the info I needed. A quick search brought up the Account Lockout and Management Tools from Microsoft which has been around since 2003, but was new to me. I probably should have been a bit sharper on that one.

One of the applications in the download is that LockoutStatus. This app will take the AD username and return the lockout status and bad password count on each DC for that user.


After finding the lockout status if the user you then use the EventCombMT app to search the event logs of the domain controllers. EventCombMT can search the event logs for any event ID but to find events with login issues, I limited the search to the Security logs on the DC’s with event ID’s 529 644 675 676 and 681. More info on usage here


EventCombMT produces a text file for each server with the results of the search:

644,AUDIT SUCCESS,Security,Wed Apr 14 10:21:08 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)   

644,AUDIT SUCCESS,Security,Wed Apr 14 10:08:14 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb      Caller Machine Name: STTB2710ZJLW     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)  

Straight away I could see the two machines that were causing the account lockout and after calling them back into the Service Desk so we could see what was going on. We were able to work out that it was the Sophos Auto Update causing the problem because these machines had been using the credentials  of this account, with an old password, for receiving updates instead of the update account we normally use.

Solving the problem of the account lockout has prompted some new strategies for monitoring the network that we hadn’t considered before. Now that we have the tools, we can regularly search the event logs for bad passwords on Administrator accounts and follow up the results. Also, we may have started the ball rolling on a project to create more user accounts in AD for different network services. It was lucky that we’d found Sophos was the culprit, but next time it could be difficult to find old credentials being used in an Altiris job for example. By creating different user accounts for services like Sophos, Altiris Jobs, SQL, Exchange and Intranet applications it will help narrow down a search next time we have a password problem and will make it easier to change these passwords on a regular basis.

ProCurve – Front-Panel Security & Authentication

I was looking for some ProCurve documentation on AAA security and stumbled across the Hardening ProCurve Switches White Paper and found a few nice things to add to our ProCurve config.

Password Clear Protection – Front-Panel Securitylogo_procurve_networking_by_hp
ProCurve devices utilize the Reset and Clear buttons on the front panel to help users reset the switch configuration to factory default or to reset the console password. This capability creates a security risk anywhere it’s impossible to  prevent physical access to the switch. ProCurve makes it possible to disable this functionality to protect from malicious use of these features.

There are two components to front-panel security: “password clear” and “factory reset.” Both must be disabled to fully secure the device.

In the switch’s default mode, a malicious user can utilize the front-panel clear button to reset a console password stored locally on the switch. To disable this feature, issue the command:

ProCurve Switch(config)# no front-panel-security password-clear

The other capability built into ProCurve switches is the ability to reset the switch configuration to the factory default mode:

ProCurve Switch(config)# [no] front-panel-security factory-reset

Executing this command prevents reset of the switch configuration by use of the front-panel Reset and Clear buttons.

It’s critical to understand that disabling these features severely restricts administrator options if the password is lost or forgotten. Before making these changes, users are strongly encouraged to review all considerations outlined in the Access and Security Guide for your model.
Authentication – Server-Supplied Privilege Level
Login privilege level instructs the switch to accept the authenticating user’s command level (manager or operator) that is supplied by the server. This allows manager-level users to skip the login context and proceed immediately to enable context, thus eliminating the need for a manager-level user to login twice.

To allow the switch to accept the privilege level provided by the server, use the following configuration command:

ProCurve Switch(config)# aaa authentication login privilege-mode

To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
• Service-Type = 6 allows manager-level access
• Service-Type = 7 allows operator-level access
• A user with Service-Type not equal to 6 or 7 is denied access
• A user with no Service-Type attribute supplied is denied access when privilege mode is enabled

– The Radius Authentication for switch access sounds interesting. If our Staff are using their network credentials to access the switch config, or contractors that are working on the network, we can easily enable/disable their access to the switches without hassle and letting everyone know the Manager/Operator passwords

Mic Check // Oh Wait a minute now…

Over the last 12 months since we’ve installed our J9051A ZL Wireless Edge Services Module (WESM), we’ve had some intermittent issues with some of our wireless notebooks causing the WESM to freak out and run at 100% CPU and boot all of our wireless stations of the Wireless network. These notebooks work fine on the WLAN 99% of the time but every now and then they freak out and cause problems with the TKIP integrity check.

The notebooks that we’ve had trouble with have had either an Intel or Broadcom wireless NIC:

  • Acer 3230 with WLAN: integrated Intel® PRO/Wireless 2200ABG
  • HP 1100 Tablet with WLAN: Intel PRO/Wireless LAN 2100 3B Mini PCI
  • Motion Computing Tablet with WLAN: Broadcom Wireless

We have many other 3230’s on the WLAN and one other Motion tablet that are identical to the machines that we’ve had issues with, but no other machines have caused the TKIP failure. We’ve updated drivers for the wireless NICs and installed all Windows updates and still haven’t been able to correct the problem?

When the TKIP failure occurs the CPU on the WESM hits 100%, see below, while it tries to perform the TKIP Countermeasures. TechDuke has a great explanation of the TKIP Message Integrity Check (MIC), and explains that when a wireless station fails the MIC, or Michael, hash check twice within 60 seconds then all wireless stations are booted off the wireless network for a minute and forced to reconnect/re-authenticate. Zack de la Rocha was way ahead of his time when he wrote Mic Check, he explains the MIC failure perfectly…

Rage Against The Machine – Mic Check (The Battle of Los Angeles (1999))
Mic Check
Oh Wait a minute now
Ha ha ha
Come on
Wait a Minute Now

The Diagnostic page on the WESM showing that the CPU had been running at 100%, as soon as we disabled Dial-in access in Active Directory for the offending notebook we broke the Radius authentication and the WESM went back to running as normal.

Wireless Edge Service Log

   1: Feb 06 11:27:46 2009: %CC-4-TKIPCNTRMEASSTART: TKIP countermeasures started on wlan 1
   2: Feb 06 11:28:15 2009: %MGMT-4-OTHERREQQUED: request queued in delegated requests
   3: Feb 06 11:28:46 2009: %CC-4-TKIPCNTRMEASEND: TKIP countermeasures ended on wlan 1
   4: Feb 06 11:28:47 2009: %CC-4-TKIPMICCHECKFAIL: TKIP message integrity check failed in frame on wlan 1
   5: Feb 06 11:28:47 2009: %KERN-3-ERR: mic check failure <00-13-CE-04-FB-4A>. (pkt_len 360 prio: 0) rx: <2B-2B-02-DC-00-FF> calc: <A7-CE-2B-B8-45-C6>.
   6: Feb 06 11:28:51 2009: %CC-4-TKIPMICCHECKFAIL: TKIP message integrity check failed in frame on wlan 1

Checking the message log on the WESM, we could identify which machine was failing the MIC and which WLAN they were connected to. Line 5 shows the MIC check failure and the MAC address of the offending machine.


We traced the offending MAC address back to its owner via the DHCP console and disabled Dial-in access for the computer and on the user account of its owner. This causes WLAN Radius authentication to fail the EAP-TLS auth because a valid certificate and dial-in access are required for access to that particular WLAN.

Currently we’re still running the original firmware wt.01.03 that came with the ZL module, but will update to wt.01.15 shortly and test these machines on the WLAN to see if the updated firmware can handle integrity check failure with a little more grace than the original firmware.

Scripting Switch Configuration Backup

Here’s is a short VBS script which telnet’s into your ProCurve switch and sends a config backup to your TFTP Server. The code can easily be changed to telnet into pretty much any device that supports configuration via telnet.

This code is a modified version of a snippet posted on the VBForums

Dim objShell
Dim objNetwork

Set objNetwork=CreateObject("WScript.Network")

strTitle="Telnet Demo"
strDefaultUser=objNetwork.UserDomain & "\" & objNetwork.UserName

strComputer=InputBox("What server or device do you want to connect to?",_
If Len(strComputer)=0 Then WScript.quit


Set objShell=CreateObject("wscript.shell")
'Start Telnet
objShell.Run "Telnet " & strComputer
'Give app a chance to get started
WScript.Sleep 5000
objShell.AppActivate "Telnet " & strComputer

'Send login credentials
objShell.SendKeys strUsername & "~"
WScript.Sleep 2000
objShell.SendKeys strPassword & "~"
WScript.Sleep 2000

'Send commands
WScript.Sleep 200
objShell.SendKeys "~"
WScript.Sleep 200
objShell.SendKeys "copy startup-config tftp "& strComputer &"_config.txt"
WScript.Sleep 1000
objShell.SendKeys "~"

'give lengthy commands time to finish
'WScript.Sleep 10000

'make sure we get window again
objShell.AppActivate "Telnet " & strComputer
'run another command
'objShell.SendKeys "net share"
'WScript.Sleep 200
objShell.SendKeys "~"

'Close session
'make sure we get window again
objShell.AppActivate "Telnet " & strComputer
objShell.SendKeys "exit"
WScript.Sleep 200
objShell.SendKeys "~"
objShell.SendKeys "exit"
WScript.Sleep 200
objShell.SendKeys "~"
WScript.Sleep 200
objShell.SendKeys "y"
objShell.SendKeys "~"
WScript.Sleep 200
objShell.SendKeys "~"

Save this text in a .vbs file and run via “cscript switchbak.vbs“ from the command line

If your modifying the script to run on something other than a ProCurve switch ,you may have to tweak/add/remove the Sleep and SendKeys ”~” . Using the SendKeys and the tilde will send a carriage return to the telnet session

Also, if you’d like to run this script you will need a TFTP server, free download from Solawinds

To make the back script a useful tool I’ve set it to run and query an MS SQL database to get the addresses for our ProCurve switches and have scheduled it to run regularly. I will post an update with how I’ve set that up sometime soon. The Script is essentially the same but I’ve removed the prompt for the device address and added the database connection query, will post the details shortly

If you have setup the ProCurve Manager then you may find this post redundant, but, I’ve found it to be a handy script to have, and send backup config files to a server where they are easily accessible in a disaster, hopefully…


Recently we updated our auto-proxy setup for the network when we rolled out our ProCurve installation with different VLANs and subnets etc. With the new setup we had the opportunity to create a guest VLAN for Student internet access where they use their own machines over our network. However, we needed to give the Students a different proxy address to other machines on the network. I thought I’d take some time and create a post to outline the steps involved to setup auto-proxy and the reasons why it such a good thing.

In the past we’d force proxy settings through Group Policy which was fine for Internet Explorer but not as successful with other web browsers. That used to be OK, but now everyone has the web at home and that doesn’t work too well when they still have the proxy address from work in their preferences.

For the auto proxy to be a success you need a DNS server with an entry for WPAD pointing to a web server, and obviously, a proxy server for web traffic. This is really easy to setup, and will let your users run their preferred browser while still running through your proxy.


Create a new DNS host record for WPAD to point to the server that will host the wpad.dat and or proxy.pac files:
Alias name: WPAD
Fully Qualified Domain Name: WPAD.morecowbell.com.au
Fully Qualified Domain Name for target host: webserver.morecowbell.com.au

If your network clients support receiving their proxy address through DHCP you can set the autoproxy file under option 252. Note: the string value is in lower case

Set option 252 ClassID with String Value http:/wpad/wpad.dat

If your web server is something like IIS 6 that can be particular about MIME types then you will have to manually create the MIME types for the proxy config files:
.dat application/x-ns-proxy-autoconfig
.pac application/x-ns-proxy-autoconfig

The code below is the JavaScript which makes up the wpad.dat or proxy.pac file. We are able to assign a different proxy for the students and guest machines by using isInNet to check which subnet the client IP belongs to and return a proxy address for that subnet. Lines 4 and 7 below check if the client is connected via one of the guest VLANs/subnets and assigns the proxy address. All other network clients receive an address from the range are assigned the proxy address from line 10.

   1: function FindProxyForURL(url,host)
   2: {
   3:     if(isPlainHostName(host) || isInNet(dnsResolve(host),"","")) {
   4:         return "DIRECT";
   5:     } else if (isInNet(myIpAddress(),"","")) {     // Guest Wireless
   6:         return "PROXY";
   7:     } else if (isInNet(myIpAddress(),"","")) {     // Guest Wired
   8:         return "PROXY";
   9:     } else {
  10:         return "PROXY; DIRECT";
  11:     }
  12: }

Future updates include adding some proxy exclusions for intranet and other internal webs using shExpMatch:

if (shExpMatch(url,”*.morecowbell.com/*”)) {return “DIRECT”;}

The WPAD and Pac file need to be in the root of the default web site in IIS. If you try and move the files to another site in IIS then the connection to the file is broken, even if the path is still valid. This quirk has something to do with different browsers sending different information to the web server when they request the auto proxy. This is from Wikipedia:

“When automatic proxy detection is used, Internet Explorer sends a “Host: <IP address>” header and Firefox sends a “Host: wpad” header. This is unexpected behavior, therefore, it is recommended that the wpad.dat file be hosted under the default Virtual Host rather than its own.”

OSX Auto Proxy

The auto proxy in OSX seems to be only semi-automatic… from experience with some of our Apple machines on campus, you have to manually set the address for the auto proxy file under Safari –> Preferences –> Advanced –> Proxies: Change Settings and manually enter http://wpad/proxy.pac

More Info

FindProxyForURL has more information and examples