Archive for the ‘System Administration’ Category

Protecting Local Data on a DPM 2007 Server

September 2nd, 2009

Recently I was attempting to use Data Protection Manager 2007 to create a protection group that included volumes directly attached to the DPM server. I was slightly dismayed to see that I couldn’t install the protection agent on the machine or select anything other than the DPM configuration database in the New Protection Group wizard.

The answer, in my case, was to enable local data protection on the DPM server by executing the following command in the Data Protection Manager Console:

Set-DPMGlobalProperty -DPMServerName ServerName.Domain.Local -AllowLocalDataProtection $true

Richard Computer Hardware and Software, Data Protection Manager, Enterprise Hardware and Software, PowerShell, System Administration, Windows

Information Gathering via PowerShell Script Pt. 2

May 13th, 2009

Here is another script that I created while trying to hone my PowerShell skills. It prompts you for the FQDN of the computer that you want to gather information on, asks you whether you want to see the output on the screen or dump it into a text file, and then runs a bunch of WMI queries to get a good general overview of the machine in question.

# Function Definition: fnCompInfoGatherExecute
Function fnCompInfoGatherExecute
{
	# Prompt for FQDN of Computer to be Queried
	"Enter the FQDN of the computer you wish to query."
	$CompName = Read-Host " "
 
    # Prompt for Output Method
	" "
	"How would you like the output to be handled?"
	$MenuTopLevel = 
'
[1] Display on Screen
[2] Output to File
[3] Exit 
 
Choice'
 
	# Define Logic for Top Level Menu
	switch (Read-Host $MenuTopLevel)
	{
		1 {
			# Define WMI Information to be Retrieved
			Get-WmiObject Win32_BIOS -ComputerName "$CompName"
			Get-WmiObject Win32_ComputerSystem -ComputerName "$CompName"
			Get-WmiObject Win32_DiskDrive -ComputerName "$CompName"
			Get-WmiObject Win32_DiskPartition -ComputerName "$CompName"
			Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName "$CompName"
			Get-WmiObject Win32_Processor -ComputerName "$CompName"
		  }
		2 {
			# Prompt for Output Path
			" "
			"Enter the path to the output file (i.e. C:\Output.txt)."
			$OutputPath = Read-Host " "
 
			# Define WMI Information to be Retrieved
			Get-WmiObject Win32_BIOS -ComputerName "$CompName" >> "$OutputPath"
			Get-WmiObject Win32_ComputerSystem -ComputerName "$CompName" >> "$OutputPath"
			Get-WmiObject Win32_DiskDrive -ComputerName "$CompName" >> "$OutputPath"
			Get-WmiObject Win32_DiskPartition -ComputerName "$CompName" >> "$OutputPath"
			Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName "$CompName" >> "$OutputPath"
			Get-WmiObject Win32_Processor -ComputerName "$CompName" >> "$OutputPath"
 
			# Open Output File
			C:\Windows\notepad.exe "$OutputPath"
		  }
		3 {Exit}
		# Invalid choice: report it (fnPause and fnADSearchMenu are not defined in this script)
		default {"You have chosen an invalid option"}
	}
}
 
# Call fnCompInfoGatherExecute Function
fnCompInfoGatherExecute

Richard PowerShell, System Administration

Deny Logoff of an Administrator Logged in to the Console Session

April 21st, 2009

Here is a Group Policy setting you can apply in Active Directory to prevent an administrator or other user from logging you off from a machine that you have remotely logged into via the console session.

Policy Path: Administrative Templates\Windows Components\Terminal Services

Supported On: At least Microsoft Windows Server 2003

Help/Explain Text: Specifies whether to allow an administrator attempting to connect to the console of a server to log off an administrator currently logged on to the console. The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. If the status is set to Enabled, logging off the connected administrator is not allowed. If the status is set to Disabled, logging off the connected administrator is allowed. If the status is set to Not Configured, logging off the connected administrator is allowed but can be changed at the local computer policy level. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost.

Registry Settings: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff

Richard Active Directory, System Administration

Physical to Virtual Conversion Methods with Hyper-V

February 19th, 2009

A lot of people seem to wonder what the best FREE way to do a Physical to Virtual (P2V) conversion of their Windows servers is. If your VM host is going to be a Hyper-V server, then there are two good methods (that I know of) to perform the operation.

Method 1:

Use the System Center Virtual Machine Manager’s (SCVMM) integrated P2V conversion utility to perform the operation. This supports doing a live migration, meaning that the target system can remain online and available for user requests during the migration period.

SCVMM 180 Day Evaluation: http://technet.microsoft.com/en-us/evalcenter/cc793138.aspx

Method 2:

If you don’t want to use the SCVMM method or it isn’t working properly for you, you can use the free VMware Converter tool. The VMware Converter tool also supports live migrations. After you perform the live P2V conversion with the VMware Converter tool you will end up with a VMDK file (VMware’s virtual hard disk format), so that will have to be converted to a Hyper-V usable file with the VMDK to VHD converter.

VMware Converter: http://www.vmware.com/products/converter/

VMDK to VHD Converter: http://vmtoolkit.com/files/folders/converters/entry8.aspx

Good luck!

Richard Hyper-V, System Administration, Windows

Errors Mapping Network Drives

February 17th, 2009

I was working with a client today and I encountered an error mapping a network drive, so I thought I would share with you the situation along with the way in which I was able to solve it.

So I was trying to map a network drive to a client’s file server so they could more easily access their QuickBooks company files. I went through the motions of opening up the computer via UNC and navigating to the parent directory of the folder I wished to map to. I right-clicked on the target folder, selected “Map Network Drive”, filled out the appropriate options and clicked Finish. No dice! I received the following error:

The network folder specified is currently mapped using a different user name and password. To connect using a different user name and password, first disconnect any existing mappings to this network share.

Hmmm… I was fairly sure that there were no other mapped drives, but of course I went back and double checked. No drives were mapped. After testing the connectivity to the target machine (which was good) I thought that possibly because the target directory was listed in “My Network Places” via the UNC path that it could be causing my problem. After clearing out the “My Network Places” folder I attempted to map the drive again, to the same unsuccessful end.

So I started looking around, trying to google the error message to find solutions. One site, which I did not record and couldn’t find again, suggested making sure that all active connections were cleared via the “net use” command. So I opened up a command prompt and typed “net use”. Ah ha! There were several active connections listed here which were not listed anywhere else (so far as I could tell). After checking how I could use the command via “net use /?” I found that I should use the following syntax:

net use /delete \\server\share

As a side note, if your share folder includes spaces you must enclose the entire UNC path in quotes:

net use /delete "\\server\shared folder"

After clearing out all of the paths listed in the output of the “net use” command I again attempted to establish the mapped drive. Success!

The client and his mapped drive then lived happily ever after…

Richard Networking, System Administration

Implementing Good Password Policy

February 17th, 2009

Passwords are the single most important principle in any security scheme. You can have all the security in the world, but if your password policy is lax then all that work was wasted. It is difficult to maintain a password policy that satisfies both the need for sufficiently complex passwords and the human ability to remember them. Following a few guidelines should keep your organization / home both safe and sane.

One of the most important things to keep in mind when implementing a policy is that your level of security should match the need for security. If you are trying to protect your corporation’s mission-critical file server, then by all means that 24-digit alphanumeric mixed-case password is awesome. However, if you are just trying to protect your music files at home, don’t break your neck trying to implement a complex password scheme. I think it is helpful if we look at a couple of ways that people will try to break your passwords; then we can understand the level of protection we might require.

Dictionary Attacks:

A dictionary attack is one of the most common techniques used by would-be password crackers. In a dictionary attack the perpetrator will use a script or program that enters passwords from a predefined list at a very fast rate (think around 1,000 per second). This ‘dictionary’ list takes into account the human tendency to use passwords that are generally 6-8 characters long, single words, or variations of single words (i.e. adding a 1 to the end). This attack method is only meant to try those passwords which are most likely to succeed, and is easily overcome by even a very basic complexity in your passwords.

Brute Force Attacks:

By contrast, a brute force attack is a method by which an attacker will exhaustively try every possible combination of a set length and complexity (i.e. 1111, 1112, 1113, etc.). The brute force method is feasible for very short or simple passwords, but increasing the complexity of a password by even a small amount lessens the chance of this type of attack being effective. For example, if your password follows along the lines of seven characters in length, includes mixed case, includes numbers, and uses punctuation, you are already in the area of 70,000,000,000,000 possible combinations! So even a script that could put out 1000 passwords a second would take over 1,000 years to work through all the combinations.

Implementing easy to remember passwords:

So what is the best way to produce a strong but easy to remember password? One of the best ways, that I learned in class, was the use of pass phrases. For example, a lyric from an old Led Zeppelin song, “havinganervousbreakdowndrivemeinsane”. Wow, a 36-digit password that is much easier to remember and highly secure. For an added degree of complexity you could, for example, replace all the I’s with 1’s and the E’s with 3’s: “hav1ngan3rvousbr3akdowndr1v3m31nsan3”. Just think of a phrase that you find funny or interesting and you will have no problem remembering it!
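The two attack descriptions above can be turned into a policy check. The following is an added example, not code from the original post: it first tests whether a candidate reduces to a dictionary word once appended digits and look-alike swaps are undone, then estimates the brute-force keyspace and sweep time. The word list, sample passwords and function names are constructed for illustration; the 1,000 guesses per second default is the rate used in the text.

```powershell
# Added example: the word list and sample passwords are constructed, function names are hypothetical.
$WordList = 'password', 'dragon', 'monkey', 'letmein'   # stand-in for a real dictionary file

function Test-DictionaryVariant {
    param([string]$Password, [string[]]$Words = $WordList)
    # Undo the variations a dictionary list already accounts for:
    # case changes, appended digits/punctuation, and look-alike swaps such as 1 for i, 3 for e.
    $map   = @{ '1' = 'i'; '3' = 'e'; '0' = 'o'; '4' = 'a'; '5' = 's'; '@' = 'a'; '$' = 's' }
    $lower = $Password.ToLowerInvariant()
    foreach ($candidate in $lower, ($lower -replace '[\d\W_]+$', '')) {
        $norm = -join ($candidate.ToCharArray() | ForEach-Object {
            $c = [string]$_
            if ($map.ContainsKey($c)) { $map[$c] } else { $c }
        })
        if ($Words -contains $norm) { return $true }
    }
    return $false
}

function Get-BruteForceEstimate {
    param([string]$Password, [double]$GuessesPerSecond = 1000)   # 1,000/s is the rate used in the text
    # Alphabet size = sum of the character classes actually present (95 printable ASCII in total).
    $alphabet = 0
    if ($Password -cmatch '[a-z]')       { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')       { $alphabet += 26 }
    if ($Password -match  '\d')          { $alphabet += 10 }
    if ($Password -match  '[^a-zA-Z\d]') { $alphabet += 33 }
    $keyspace = [math]::Pow($alphabet, $Password.Length)
    [pscustomobject]@{
        Alphabet = $alphabet
        Keyspace = $keyspace
        Years    = $keyspace / $GuessesPerSecond / (365.25 * 24 * 3600)
    }
}

$samples = 'dragon1', 'Passw0rd!', 'k7#Qp2!', 'havinganervousbreakdowndrivemeinsane'
$report = foreach ($p in $samples) {
    $est = Get-BruteForceEstimate -Password $p
    [pscustomobject]@{
        Password          = $p
        Length            = $p.Length
        DictionaryVariant = Test-DictionaryVariant -Password $p
        Alphabet          = $est.Alphabet
        Keyspace          = '{0:E2}' -f $est.Keyspace
        YearsAt1000PerSec = '{0:E2}' -f $est.Years
    }
}
$report | Format-Table -AutoSize
```

The keyspace figure is an upper bound that only means something when the dictionary check comes back false. For the seven-character mixed sample it reproduces the roughly 70 trillion combinations quoted above.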

If you need some extra help, here are a few links to some automatic password generators I have found around the web:

http://www.pctools.com/guides/password/ – The PC Tools password generator

http://www.snapfiles.com/get/ranpass.html – A downloadable random password generator

https://www.grc.com/passwords.htm – An ultra secure (64 bit alpha numeric) password generator

Richard Network Security, System Administration