Windows GPO: Disable Adobe Updater for CS3 and CS4

We’ve known for a while that Adobe updates are too frequent, too large and annoying when you have a couple of hundred machines on the network with the Master Collection installed. Recently we installed Viewpoint to give us reporting from our Sonicwall firewall, and the impact that Adobe updates had on our internet connection was staggering. Adobe updates and Apple iTunes updates were the bulk of our traffic, which is no mean feat when we have 900 Students in the Senior School on Facebook.

[Image: Web Usage Report from Viewpoint]

Luckily, Adobe have a registry key that can be used to enable/disable the Adobe Updater, and pushing the entry out to clients via Group Policy seems like the sensible option:
http://kb2.adobe.com/cps/408/kb408711.html

On Windows XP or Windows Vista

  1. Using Regedit.exe, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe
  2. Create a new Key in this folder named "Updater"
  3. Create a new DWORD value within this Key named "Enterprise" with a value of "1"

To try it out, I created the registry entries on my local machine and imported the entries into a new GPO with the Registry Wizard (right-click on Registry in the Computer Configuration and select New –> Registry Wizard).

[Image: Registry Keys imported into GPO]

 
[Image: Registry Entries, Action set to Update]

It’s important to remember to still update the Adobe applications, especially Acrobat and Flash. The Sophos Security Threat Report 2010 highlights the need to keep these two applications up to date: malicious code can be executed from Flash files embedded in PDF documents. Sebastian Porst has a superb write-up on dissecting the Adobe/Flash exploit here; if you’ve got 10 minutes, grab a coffee and read up.

You can download the Acrobat updates manually from Adobe and push them out to clients with msiexec.exe. Check AppDeploy for specifics with your version of Acrobat, but something like this would do the trick:

msiexec /p "%installdir%\AcroProStdUpd910_T1T2_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

msiexec /p "%installdir%\AcrobatUpd912_all_incr.msp" /qn /norestart REINSTALL=ALL REINSTALLMODE=omus

These commands are from the Adobe forums; push them out with a script or via GPO.

Outlook 2003: Can’t Create File

Just as we’re about to replace the last of our Acer notebooks with the XP/Office 2003 SOE, we came across this odd error in Outlook 2003 when opening an attachment.

[Image: Outlook “Can’t Create File” error]

This is a file that’s emailed to Staff almost daily and without problems until this cropped up, seemingly for no reason.

After a little bit of homework, we found that it could be a problem with temporary files, and that we had to check the path Outlook uses for temp files via the registry.

[Image: Outlook temp file path in the registry]

When we checked the path Outlook was using for temp files, we were horrified to see this:

[Image: contents of the Outlook temp folder]

The “Can’t Create File: STUABSD.rtf” error hit us because Outlook, or probably Windows Explorer, couldn’t create a temp file called STUABSD (100).rtf.

Deleting the temp files cleared up the error straight away.

Random AD User Account Lockout

The last few weeks we’ve had a problem with one of our IT Staff user accounts where it would regularly get locked out during the day. We suspected some of the Students were trying to guess the password for the account and were probably hoping to get around our web content filter….

This made me realise we’ve never really looked for account lockouts and where/why/how they might be happening on the network. I wasn’t excited about scouring the security event logs on our domain controllers to find the info I needed. A quick search brought up the Account Lockout and Management Tools from Microsoft, which have been around since 2003 but were new to me. I probably should have been a bit sharper on that one.

One of the applications in the download is LockoutStatus. This app will take the AD username and return the lockout status and bad password count on each DC for that user.

[Image: LockoutStatus output]

After finding the lockout status of the user, you then use the EventCombMT app to search the event logs of the domain controllers. EventCombMT can search the event logs for any event ID, but to find events with login issues I limited the search to the Security logs on the DCs with event IDs 529, 644, 675, 676 and 681. More info on usage here.

[Image: EventCombMT search settings]

EventCombMT produces a text file for each server with the results of the search:

644,AUDIT SUCCESS,Security,Wed Apr 14 10:21:08 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)   

644,AUDIT SUCCESS,Security,Wed Apr 14 10:08:14 2010,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: zdjb      Caller Machine Name: STTB2710ZJLW     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)  

Straight away I could see the two machines that were causing the account lockout, and after calling them back into the Service Desk so we could see what was going on, we were able to work out that it was the Sophos Auto Update causing the problem: these machines had been using the credentials of this account, with an old password, for receiving updates instead of the update account we normally use.

Solving the problem of the account lockout has prompted some new strategies for monitoring the network that we hadn’t considered before. Now that we have the tools, we can regularly search the event logs for bad passwords on Administrator accounts and follow up the results. Also, we may have started the ball rolling on a project to create more user accounts in AD for different network services. It was lucky that we found Sophos was the culprit, but next time it could be difficult to find old credentials being used in an Altiris job, for example. Creating different user accounts for services like Sophos, Altiris jobs, SQL, Exchange and Intranet applications will help narrow down a search next time we have a password problem, and will make it easier to change these passwords on a regular basis.
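As an added example (not from the post, and not part of the Microsoft tools), here is a small Python parser for the per-server text files EventCombMT writes. It does by script what the post does by eye: it tallies 644 lockouts by target account and caller machine, and 529 bad-password events by user and workstation, so the same search can be repeated regularly. The sample lines are constructed: the first two mirror the 644 events above, the rest are made up.

```python
import re
from collections import Counter

# Constructed sample of EventCombMT output: the first two lines mirror the 644
# events shown in the post, the rest are made up (one extra lockout and one 529
# bad-password event) to give the counters something to aggregate.
SAMPLE_EVENTCOMB = """\
644,AUDIT SUCCESS,Security,Wed Apr 14 10:21:08 2010,NT AUTHORITY\\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Wed Apr 14 10:08:14 2010,NT AUTHORITY\\SYSTEM,User Account Locked Out:     Target Account Name: zdjb      Caller Machine Name: STTB2710ZJLW     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Wed Apr 14 11:40:02 2010,NT AUTHORITY\\SYSTEM,User Account Locked Out:     Target Account Name: zdjb     Caller Machine Name: STNB4200ZKLC     Caller User Name: IDM$     Caller Domain: TEACH     Caller Logon ID: (0x0,0x3E7)
529,AUDIT FAILURE,Security,Wed Apr 14 09:55:31 2010,NT AUTHORITY\\SYSTEM,Logon Failure:     Reason: Unknown user name or bad password     User Name: zdjb     Domain: TEACH     Logon Type: 3     Workstation Name: STNB4200ZKLC
"""


def parse_eventcomb_line(line):
    """Split one result line into its five fixed columns plus the 'Key: value'
    pairs that EventCombMT flattens out of the event description (separated by
    runs of spaces). Returns None for lines that do not fit the layout."""
    parts = line.rstrip("\n").split(",", 5)   # the Logon ID holds a comma, so cap the split
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    event_id, result, log, when, source, desc = parts
    fields = {}
    for chunk in re.split(r"\s{2,}", desc.strip()):
        if ": " in chunk:                      # skips the bare "User Account Locked Out:" label
            key, value = chunk.split(": ", 1)
            fields[key.strip()] = value.strip()
    return {"event_id": int(event_id), "result": result, "log": log,
            "time": when, "source": source, "fields": fields}


def _count_by(text, event_id, account_key, machine_key):
    counts = Counter()
    for line in text.splitlines():
        ev = parse_eventcomb_line(line)
        if ev is None or ev["event_id"] != event_id:
            continue
        f = ev["fields"]
        counts[(f.get(account_key), f.get(machine_key))] += 1
    return counts


def lockout_sources(text):
    """644 'User Account Locked Out' events, tallied by (account, caller machine)."""
    return _count_by(text, 644, "Target Account Name", "Caller Machine Name")


def bad_password_sources(text):
    """529 'Logon Failure' events, tallied by (user name, workstation)."""
    return _count_by(text, 529, "User Name", "Workstation Name")


def report(text):
    """Human-readable summary, noisiest caller machine first."""
    lines = []
    for (account, machine), n in lockout_sources(text).most_common():
        lines.append("%s: locked out %dx from %s" % (account, n, machine))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTCOMB)))
```

Point it at the real EventCombMT output files (one per DC) and concatenate the counters to get the picture across all domain controllers.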

Vista Black Screen of Death and Altiris SVS

When we rolled out the HP 2730p tablets to Staff last year, we decided to try out the Altiris software virtualisation (SVS).

Since it came bundled with our Altiris purchase it seemed like the easiest choice for getting into software virtualisation. We had tried the demo for VMWare’s Thinapp but were discouraged by the pricing, and had been impressed with demos of Microsoft App-V. Software virtualisation would let us have a much smaller SOE with just Vista, Office 2007 and the Adobe CS4 Master Collection, and have every other application installed as an SVS layer. This way we could reduce the time needed for imaging and control the application deployment through Altiris. We could also enable the web portal, which would let Staff select which SVS layers they’d like deployed to their machine!

Since the 2730p machines have been imaged, we’ve had a few come back because Vista seems to hang on a black screen after the green progress bar on boot up.

[Image: Vista green boot progress bar]

The problem seems to be with a driver for SVS (fslx.sys), and after browsing the web for reasons why we’ve had this issue, we found that it may be a problem with one of the SVS packages we’ve deployed.

A thread on the Symantec forums details some of the SVS KSOD issues that people have had, and found that troublesome SVS layers are the culprit. This thread confirmed our suspicions that we were having trouble with SVS packages we’d made for applications like Skype and iTunes that have regular/frequent updates. The files in the SVS layer can’t be updated when there’s an update or patch for an application. With software virtualisation on the rise, it would be handy if the application knew it was virtualised and warned the user that new versions can’t be installed until the virtualised application is removed.

Anyway, here’s the fix:

· Boot the machine into Safe Mode

· Login as Admin

· Rename C:\Windows\system32\drivers\fslx.sys to C:\Windows\system32\drivers\fslx_old.sys

· Restart the machine

This will disable SVS and all the SVS layers. We’ve had some success with updating the SVS software to a slightly newer version, though in most cases we’ve still had trouble after updating the SVS client. The best bet is to work out which SVS layer is causing the problem and disable it. Easier said than done.

We’re yet to decide if we’ll consider SVS for the 2010 Staff image. If we do, we’ll have to exclude applications like iTunes and Skype and try to avoid the black screen issues. We also need to decide if we’re going to move to Windows 7 for this image and whether it will be 32 or 64bit. Symantec have released the beta version of Symantec Workspace Virtualization, a new version of SVS, which is compatible with 64bit Windows, but it’s unlikely that the final version will be released in time for our internal testing.

Netbooks: Setting Students as Admins during deployment

As part of our config for the Student Netbook SOE, we’re going to make each Student an Administrator on their own netbook. We don’t want to make every student an administrator on all of the machines, because of the security/privacy issues that may arise. If every Student is an administrator everywhere, then it’s possible for them to log onto another Student’s machine and look at/edit/delete/copy their files.

When we unboxed the netbooks we attached our Asset tags (BGSID) and used the barcode scanner to grab the BGSID and Serial for each netbook and put them into Excel. We thought we could use this data and run a post imaging script from Altiris to set the student admin on each machine after they’re sysprep’d and before they’re given out to Students.

We created a SQL database with one table, see below. The image shows our test data, but we’re able to copy the BGSIDs and Serials from the spreadsheet to the database and assign a username for each netbook. The database also has a field for MachineName, which is blank initially and is populated when the script is run. Altiris automatically names the machines according to the template we’ve specified, but we thought it would be handy to grab the machine name and store it next to the Serial as the machines are assigned to Students. We can also be sneaky and use the StudentUserName field to query AD and grab the Student’s first name and surname to make sticky labels for their machine, and maybe their bags too… we’ll see.

[Image: Netbooks table with test data]

'______________________ Start SetStudentAdmin.vbs __________________________
Option Explicit

Dim adoConn, adoRS
Set adoConn = CreateObject("ADODB.Connection")
Set adoRS = CreateObject("ADODB.Recordset")
Call GetBGSID

'_______________________________________________________________________

Sub GetBGSID()

    Dim NetBookSerial, winmgmt1, SNSet, SN
    Dim objWshNet, strDomain, strComputer, objGroup, strUser, objUser

    ' Read the netbook's serial number from the BIOS via WMI; it is the key into the Netbooks table
    winmgmt1 = "winmgmts:{impersonationLevel=impersonate}!//."
    Set SNSet = GetObject(winmgmt1).InstancesOf("Win32_BIOS")

    For Each SN In SNSet
        NetBookSerial = SN.SerialNumber
    Next

    ' Connect to the Netbooks database and fetch the row for this serial
    adoConn.Open "Provider=SQLOLEDB;Data Source=lumberjack;User ID=sa;Password=12345;Initial Catalog=Netbooks;"
    adoRS.Open "select * from netbooks where (Serial = '" & NetBookSerial & "')", adoConn, 1, 3

    ' Bail out if the serial was never entered in the table, rather than failing on an empty recordset
    If adoRS.EOF Then
        WScript.Echo "No netbook record found for serial " & NetBookSerial
        adoRS.Close
        adoConn.Close
        Exit Sub
    End If

    Set objWshNet = CreateObject("WScript.Network")
    strDomain = objWshNet.UserDomain
    strComputer = objWshNet.ComputerName
    Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

    ' StudentUserName and MachineName are the table columns described above
    strUser = adoRS.Fields("StudentUserName").Value
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUser & ",user")

    ' Add the Student to the local Administrators group on this netbook only
    If Not objGroup.IsMember(objUser.ADsPath) Then
        objGroup.Add objUser.ADsPath
    End If

    ' Store the Altiris-assigned machine name next to the serial
    adoRS.Fields("MachineName").Value = strComputer
    adoRS.Update
    adoRS.Close
    adoConn.Close

End Sub
'______________________ End SetStudentAdmin.vbs ___________________________

Exchange 2007 Edge Server Licence

Earlier this year we migrated our Exchange 2003 setup to Exchange 2007, and all was going well for a while, until we noticed that our Edge Server thought it was unlicensed, even though we’d entered all the licence info as part of the initial Exchange config. A quick search found this handy PowerShell command for setting, or resetting, the Product Key for our Edge Server. I’m still impressed with how much PowerShell can do in Exchange/Windows; it’s definitely worth investing the time to learn.

PowerShell session:
[PS] C:\Windows\System32>get-ExchangeServer

Name        Site    ServerRole  Edition     AdminDisplayVersion
----        ----    ----------  -------     -------------------
JACKAL      BGS     Mailbox,... Standard    Version 8.1...
CARLOS      BGS     ClientAc... Standard    Version 8.1...
EDGE        BGS     Edge        Standard... Version 8.1...
ZORO        BGS     ClientAc... Standard    Version 8.1...

[PS] C:\Windows\System32>set-ExchangeServer Edge -ProductKey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
[PS] C:\Windows\System32>get-ExchangeServer

Name        Site    ServerRole  Edition     AdminDisplayVersion
----        ----    ----------  -------     -------------------
JACKAL      BGS     Mailbox,... Standard    Version 8.1...
CARLOS      BGS     ClientAc... Standard    Version 8.1...
EDGE        BGS     Edge        Standard    Version 8.1...
ZORO        BGS     ClientAc... Standard    Version 8.1...

[PS] C:\Windows\System32>

HP 2730p: machine is not in committed state

A couple of weeks ago we ran into problems with our new fleet of 2730p Tablets where the machines weren’t booting into Vista. We had a version of the Black Screen of Death, KSOD, that was caused by something upsetting the Altiris SVS client on these machines. While we were troubleshooting the KSOD we tried updating one of the machines with the latest drivers, including the latest BIOS update for the machine from HP. After updating the BIOS to F.0A (31 Jul 2009), the machine rebooted and gave us this error as soon as the machine was powered on:

WARNING!!! – machine is not in committed state!

After some quick Googling I found others had the same issue after a BIOS update on various HP models. Resetting BIOS defaults and installing an older version didn’t make any difference.

Some people suggested running HPSetCfg 1.36 (downloaded from here) or later to reset the serial and model number for the machine. This is a handy little tool from HP that runs from a bootable CD or USB stick; it seemed to only want to work on FAT (not NTFS), and I made the USB stick bootable with HPUSBFW.EXE. This worked nicely but did nothing to remove the Warning on boot….

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1251435425255+28353475&threadId=1338615

After making my way to the end of that thread on itrc.hp.com I looked at the AMT settings. Checking the AMT settings in the BIOS showed that they were greyed out and couldn’t be enabled. Thinking that the machine needed a firmware update for the AMT to go with the BIOS update, I attempted to install the 4.1.1.1028 version from the HP site. This should have been the version that was on the machine (Dec 2008), since the machines were purchased in early 2009. The AMT update failed installation, so I started the hunt for the AMT Branding Tool that was mentioned in the thread above and found here.

This is straight from allaboutmicrosoft.net:

Swapped MB on a HP Elitebook 6930P and need to get the serial number into BIOS.
At boot I get a message stating “Warning. Machine is not in committed state. Invalid serial number”, but when entering BIOS there is no way for me to enter it. Read on HP forums that I need HP SetConfig Utility 1.36 to do this, but I can’t find it anywhere. Does anyone have this program or maybe another solution that could help me?

Solution: Machine is not in committed state

Use this tool. Run it from a bootable flash drive. Read the readme.txt inside the archive.
http://www.naturatek.com/files/amtool.zip

I downloaded the AMT tool and copied it to the bootable USB stick that I’d used before. Because I copied the files to their own folder I had to run Brand.bat from the command line; it should have run from autoexec.bat. The tool checks the current settings and prompts you to see if you’d like to make changes:

VPro Uncommitted
Descriptor Unlocked
Management Engine disabled
Flash Protection Override disabled
****************************************

Do you want to enable or disable AMT now [Y, N]?

The text above is copied from the readme.txt that comes with the AMT tool, but is essentially the same as what I saw at the command line. After selecting Y to enable AMT, there was another prompt or two, followed by a reboot. On boot up the warning message was gone and entering the BIOS showed that the AMT was now enabled and I could change the AMT settings etc too!

SMTP: Data 421 Message Rejected

This morning we noticed some strange issues with emails and delays in messages arriving. A quick check of the Exchange SMTP queues and the Mail Marshal queue found nothing; none of our messages were sitting on a server waiting to be delivered. I checked the queues 30 min later and the Mail Marshal queue had blown out and had 80 messages from 70 domains waiting to be sent?!

[Image: Mail Marshal mail queue]

A quick look at the mail history in Mail Marshal revealed the SMTP error, Data 421 Message rejected!

[Image: Mail Marshal mail history]

A quick search in Google found that the clever people on the Whirlpool forum had the problem solved. Dangermouze had found that the issue was with the Bigpond mail servers and their anti-spam settings. This started to make sense… a few weeks ago we added a secondary Internet connection to our Sonicwall firewall and configured load balancing for outgoing web requests. We had some issues with emails trying to go out on the new internet connection and failing, because there was no reverse DNS and no secondary MX server configured yet for that connection. Our workaround was to set the mail.bigpond.com server as our forwarding SMTP server, which seemed to fix the problem: the Sonicwall would use our Telstra ADSL2 connection to send to this address and wouldn’t attempt to send mail on the Cable connection!

Word is that if too many emails are sent via the Bigpond mail server in a short period of time, they will temporarily block forwarding email from your address for 20 min or so, then let you try again. This appears to be a restriction on the Bigpond Home ADSL plans: generally, BigPond Members can’t send more than 20 emails in 10 minutes, and they can only be sent using the BigPond mail servers. However, we’re on a Business Broadband connection and appear to have the same limitation.

Dangermouze’s Telnet test to Bigpond SMTP

Here’s the ‘telnet mail.bigpond.com 25’ session
220 oaamta03ps.mx.bigpond.com esmtp server ready wed,6 feb 2008 22:32
helo
250 oaamta03ps.mx.bigpond.com
mail from: ***@bigpond.net.au
421 message rejected

The telnet session confirms that Bigpond is the source of the 421 message rejection, not the destination server or an RBL type service.

We may have to confirm our Bigpond settings with our account manager….

iTunes -9808

I came across an interesting problem today while trying to subscribe to a podcast through iTunes where iTunes threw up an error (-9808) saying an unknown error had occurred.

[Image: iTunes error -9808 dialog]

I’ve used iTunes on this machine (Vista SP1) a fair bit and have had no issues with downloading podcasts before; however, I was logged in as a test user and wasn’t using my normal user account. Some quick checking found that it wasn’t our Internet Content Filter causing the problem, but I did find this message in our ISA firewall log:

Failed Connection Attempt
Log type:
Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.
Destination: External (17.250.237.19:443)
Request: buy.itunes.apple.com:443
Filter information: Req ID: 1b5d88f0; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel

Searching for status 995 and ISA in Google didn’t bring up any useful results, but a search for iTunes and 9808 brought up a heap of results. Turns out this is a reasonably common problem; I found the solution at soccerislife8 and disabled “Check for server certificate revocation” in Internet Explorer.

[Image: Internet Explorer “Check for server certificate revocation” setting]

After some more research it seems that updating to the latest version of iTunes won’t fix the problem?!

[Image: Apple SSL certificate details in IE]

Checking Apple’s SSL certificate in IE shows that it’s valid, so it’s still a mystery. I’m not impressed that I’ve had to disable security features in my browser for the sake of iTunes.

ProCurve – Front-Panel Security & Authentication

I was looking for some ProCurve documentation on AAA security and stumbled across the Hardening ProCurve Switches White Paper and found a few nice things to add to our ProCurve config.

Password Clear Protection – Front-Panel Security
ProCurve devices utilize the Reset and Clear buttons on the front panel to help users reset the switch configuration to factory default or to reset the console password. This capability creates a security risk anywhere it’s impossible to prevent physical access to the switch. ProCurve makes it possible to disable this functionality to protect from malicious use of these features.

There are two components to front-panel security: “password clear” and “factory reset.” Both must be disabled to fully secure the device.

In the switch’s default mode, a malicious user can utilize the front-panel clear button to reset a console password stored locally on the switch. To disable this feature, issue the command:

ProCurve Switch(config)# no front-panel-security password-clear

The other capability built into ProCurve switches is the ability to reset the switch configuration to the factory default mode:

ProCurve Switch(config)# [no] front-panel-security factory-reset

Issuing the no form of this command prevents reset of the switch configuration by use of the front-panel Reset and Clear buttons.

It’s critical to understand that disabling these features severely restricts administrator options if the password is lost or forgotten. Before making these changes, users are strongly encouraged to review all considerations outlined in the Access and Security Guide for your model.
Authentication – Server-Supplied Privilege Level
Login privilege level instructs the switch to accept the authenticating user’s command level (manager or operator) that is supplied by the server. This allows manager-level users to skip the login context and proceed immediately to enable context, thus eliminating the need for a manager-level user to login twice.

To allow the switch to accept the privilege level provided by the server, use the following configuration command:

ProCurve Switch(config)# aaa authentication login privilege-mode

To supply a privilege level via RADIUS, specify the “Service-Type” attribute in the user’s credentials.
• Service-Type = 6 allows manager-level access
• Service-Type = 7 allows operator-level access
• A user with Service-Type not equal to 6 or 7 is denied access
• A user with no Service-Type attribute supplied is denied access when privilege mode is enabled

– The RADIUS authentication for switch access sounds interesting. If our Staff, or contractors that are working on the network, are using their network credentials to access the switch config, we can easily enable/disable their access to the switches without hassle and without letting everyone know the Manager/Operator passwords.
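As an added example (not from the white paper, HP or the post), here is a short Python decoder that applies the four Service-Type rules above to the attribute list of a RADIUS Access-Accept, the way a switch in privilege mode would. It assumes a bare attribute list (the RADIUS packet header and authenticator are left out) and the RFC 2865 attribute numbers (User-Name = 1, Service-Type = 6); the four sample replies are constructed.

```python
import struct

SERVICE_TYPE = 6          # RADIUS attribute type for Service-Type (RFC 2865)
USER_NAME = 1             # RADIUS attribute type for User-Name (RFC 2865)
ADMINISTRATIVE_USER = 6   # Service-Type value the switch maps to manager level
NAS_PROMPT_USER = 7       # Service-Type value the switch maps to operator level


def parse_attributes(payload):
    """Walk the Type/Length/Value attribute list of a RADIUS packet body.
    Returns a list of (type, value_bytes); raises ValueError on a malformed length."""
    attrs = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):      # length covers type+length+value
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def privilege_from_access_accept(payload):
    """Apply the privilege-mode rules: 6 -> manager, 7 -> operator,
    any other value -> denied, no Service-Type at all -> denied."""
    service_types = [v for t, v in parse_attributes(payload) if t == SERVICE_TYPE]
    if not service_types:
        return "denied (no Service-Type)"
    if len(service_types[0]) != 4:                   # Service-Type is a 4-octet integer
        return "denied (malformed Service-Type)"
    (value,) = struct.unpack("!I", service_types[0])
    if value == ADMINISTRATIVE_USER:
        return "manager"
    if value == NAS_PROMPT_USER:
        return "operator"
    return "denied (Service-Type %d)" % value


def attr(atype, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return bytes([atype, len(value) + 2]) + value


def service_type_attr(value):
    return attr(SERVICE_TYPE, struct.pack("!I", value))


# Constructed Access-Accept attribute lists (no RADIUS header, no authenticator).
REPLY_MANAGER = attr(USER_NAME, b"alice") + service_type_attr(ADMINISTRATIVE_USER)
REPLY_OPERATOR = attr(USER_NAME, b"bob") + service_type_attr(NAS_PROMPT_USER)
REPLY_LOGIN_USER = attr(USER_NAME, b"carol") + service_type_attr(1)   # Login-User: neither 6 nor 7
REPLY_NO_SERVICE_TYPE = attr(USER_NAME, b"dave")                      # User-Name only

if __name__ == "__main__":
    for name, reply in [("alice", REPLY_MANAGER), ("bob", REPLY_OPERATOR),
                        ("carol", REPLY_LOGIN_USER), ("dave", REPLY_NO_SERVICE_TYPE)]:
        print(name, "->", privilege_from_access_accept(reply))
```

The last two cases are the ones to check on the RADIUS server before enabling privilege-mode: any account without an explicit Service-Type of 6 or 7 will be locked out of the switches.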