Servers

Servers power many organisations and are even making their way into homes (even if it is a simple NAS box). With more RAM then you could even imagine (I have to admit I’m a RAM addict) and processors that make the latest and greatest gaming PC look minuscule in comparison it is these mighty machines that make the world go round.

With thanks to the 50 staff from across the University for attending please see below the links to the videos and PowerPoints of the day!

Direct link to Playlist – https://www.youtube.com/watch?list=PLRxbdlgJzwyjAf820T0u4GpP0E01a9LEX&v=u-GVJ_0VuRM

Slides as PowerPoint

  1 Intro (4.3 MiB, 17 hits)

  2 MDT (85.2 MiB, 27 hits)

  3 PowerShell (27.5 MiB, 12 hits)

  4 PRTG Network Monitor (47.5 MiB, 12 hits)

  5 OpenVAS (32.9 MiB, 12 hits)

  6 WSUS and Chocolatey (60.3 MiB, 9 hits)

  7 NPS and VLANs (10.7 MiB, 8 hits)

Slides as PDF

  1 Intro (2.0 MiB, 11 hits)

  2 MDT (2.2 MiB, 11 hits)

  3 PowerShell (1.8 MiB, 10 hits)

  4 PRTG Network Monitor (3.2 MiB, 13 hits)

  5 OpenVAS (2.3 MiB, 16 hits)

  6 WSUS and Chocolatey (2.9 MiB, 14 hits)

  7 NPS and VLANs (1.4 MiB, 13 hits)

Stay tuned over the coming days for the scripts that are mentioned through the video which will be linked to from this post.

This entry is part 4 of 4 in the series A Windows SysAdmin installs and uses OpenVAS

In my environment all of our network connected devices are configured to respond to PINGs; this mainly comes about from using PRTG Network Monitor to confirm that devices and services are up even in the most simple of fashions. The same also applies to client PCs which through Group Policy are configured to reply to PING. Thus to save OpenVAS some work while doing it’s scans I’ve got a custom scan configured (which will be used in later blog posts) that will only scan hosts which reply to PING.

Have a look at the screenshot sequence below to see how to configure such a scan.

A little bit of fun today with Milestone XProtect (in our case the express version) today; with the goal of improving our documentation I wanted to somehow obtain a list of all of the hardware devices (and to some degree the cameras) including there names, MAC addresses and IP addresses from our XProtect server.

Lone behold the configuration.xml file typically stored at “C:\ProgramData\Milestone\Milestone Surveillance\configuration.xml” held just the information I wanted; a little bit of PowerShell later and I had CSVs with the information in a human readable form.

To do the same on your server follow the guide using the Export-MilestoneConfig.ps1 script show below.

Download Export-MilestoneConfig.ps1 (download from GitHub)

Not the first time I’ve run into this issue and probably won’t be the last! While building a new Windows Server 2016 (Full) Microsoft Deployment Toolkit server when attempting to run the ‘Update Deployment Share’ wizard I was getting the following error message.

Unable to mount the WIM, so the update process cannot continue.

The solution is simple; if you are running this machine on Hyper-V (presumably other Hypervisors as well) you will need to shutdown the VM, disable Secure Boot (on the VM only) and then power it back on. The next time you run the wizard it will complete as normal.

The error message in full context for reference.

=== Making sure the deployment share has the latest x86 tools ===
=== Making sure the deployment share has the latest x64 tools ===

=== Processing LiteTouchPE (x64) boot image ===

Building requested boot image profile.
Determining if any changes have been made in the boot image configuration.
No existing boot image profile found for platform x64 so a new image will be created.
Calculating hashes for requested content.
Changes have been made, boot image will be updated.
Windows PE WIM C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\en-us\winpe.wim will be used.
Unable to mount the WIM, so the update process cannot continue.

=== Completed processing platform x64 ===

 

=== Processing complete ===

Following on from some recent OpenVAS testing and in turn discovering that some of our PHP versions were sorely out of date I’ve set about to patch and document all of the installations. In turn we have a simple guide on how to update PHP security releases!

Please note – this guide is aimed at really simple single server instances of PHP that are being used by Microsoft IIS, be sure to test the upgrade outside of your production environment before deploying it.

For this guide you will also need this link – http://windows.php.net which contains the downloads for PHP on Windows.

Troubleshooting:

  • If you encounter an error message during the overwrite of the existing PHP install consider stopping the IIS server service first and then restarting it with the following commands from an elevated command/PowerShell prompt.
    • net stop WAS
    • net start W3SVC
This entry is part 1 of 4 in the series A Windows SysAdmin installs and uses OpenVAS

This guide covers one (of I’m sure a 1,000) ways to deploy and use OpenVAS 9 in your environment on Ubuntu Server 16.04 for the purpose of White Hat Penetration Testing, more so it’s also written from the viewpoint of a SysAdmin who mainly works with Windows Systems (Windows Server/Hyper-V/PowerShell/suchlike) and so takes a very simplistic approach to the setup.

The goals of this project are to

  • Install Ubuntu Server 16.04 LTS on Hyper-V
  • Deploy OpenVAS to that server
  • Execute scripted commands against OpenVAS from a remote system
  • Light up with a big warning sign all of the unknown issues within a network

Lets get started!

To start out you will need

  • A Hyper-V host (although no reason not to run it on VMWare/whatnot)
  • The latest ISO for Ubuntu Server 16.04 LTS saved somewhere your Hyper-V server can get to
    • Download from – https://www.ubuntu.com/download/server
    • Worth noting that only the 16.04 LTS release is going to work with this guide, when I first tried getting OpenVAS to work with 17.04 (a newer release) there were various blocking issues that I could not overcome. In short – use 16.04!!!

Step 0 – Get DNS in the right place

Configuring DNS correctly in particular with relation to Reverse Lookup will help your OpenVAS deployment loads, for a good guide on how to setup Reverse Lookup take a look at this link – http://de.community.dell.com/techcenter/os-applications/w/wiki/684.how-to-configure-dns-reverse-lookup-zone-in-windows-server-2012 (don’t worry about the de. its in English!).

Step 1 – Configure a Hyper-V VM for OpenVAS

In this next step we configure a Hyper-V VM running on Windows Hyper-V Server 2016 (which is free by the way!).

Step 2 – Install Ubuntu Server

Next up the install of Ubuntu Linux, as I understand OpenVAS can be installed on all kinds of flavours of Linux however the support I’ve seen in the past around Ubuntu seems much better than other options. This portion of the guide assumes you are not running your OpenVAS server on a network that’s got DHCP enabled (in this example it’s on our Servers VLAN).

Step 3 – First Boot

Next up we have some housekeeping for Ubuntu, making sure it’s up to date and getting OpenSSH server running so we can move to using something like PuTTY (download from – https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) to manage the server.

For this portion of the guide you will need the following lines of script-

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install openssh-server

sudo reboot

Step 4 – Install OpenVAS

Here comes the good bit! The initial installation of OpenVAS and downloading of the lists of vulnerabilities.

For this portion of the guide you will need the following lines of script-

Step 5 – Change the default password!!!

Now that OpenVAS is running it’ll be using the default username/password combination of admin/admin, how brilliant is that!

Step 6 – Allow API Access

For the last step in this guide we will set it so that the port for API Access to OpenVAS is enabled on every boot of the machine.

sudo nano /etc/rc.local

sudo openvasmd -p 9390 -a 0.0.0.0

sudo /etc/rc.local

Next up….

So that’s things setup, in the next guide (hopefully following in a day or two) we will be using the API to create a list of victims to test against and generate reports for a ‘list of things to do’.

One of my favourite features of PowerShell is the Invoke-RestMethod cmdlet which (among a great many other things) can download the data from an RSS feed. One application I’ve found for this is to stay on top of security bulletins from organisations like Adobe and Drupal.

However just downloading the data from the feed and kicking it out in an email isn’t quite good enough for my needs thus the script below gets data from a CSV which contains the URL to the feed as well as some extra details to inject into any email notification (e.g. a link to the guide on how to deploy Adobe Updates).

In my production environment this script creates tickets on a FreskDesk helpdesk to log and manage any new update notifications. In the attached example below the script just fires off email notifications.

Have a look at the screenshot sequence below for more info!

  Get-Rss (4.0 KiB, 142 hits)

Update 09/05/2017 – v0.2 – Now handles XML and Arrays in the link and title objects (good for reddit and blogspot!)

For the past few months I’ve been using an in house script to manage the rebooting of Virtual Machines on Hyper-V hosts following Windows Updates. These Virtual Machines also take part in Hyper-V Replica Replication to a DR host. On occasion I’ve spotted that when shutting down (as part of the reboot sequence) the Hyper-V Replica state will go into a Error ‘Critical’ state.

As it transpires this happens when the machine is shutting down and Hyper-V replica is attempting to create a reference point to send replica data over to the DR host.

The best fix I have at the moment for this issue is to suspend replication (you can use the Suspend-VMReplication PowerShell Cmdlet as documented here – https://technet.microsoft.com/en-us/itpro/powershell/windows/hyper-v/suspend-vmreplication to accomplish this) before shutting down the machine and then resuming replication (Resume-VMReplication and https://technet.microsoft.com/en-us/itpro/powershell/windows/hyper-v/resume-vmreplication) once shutdown is complete.

You will also note this issue noted under Hyper-V-VMMS in Event Viewer with Event IDs along the lines of 19060, 33680, 32546 and 32026.

As some readers may know I currently work in Higher Education and while all of the business data is trivial to backup providing any level of backup service to students and academics is significantly harder. The challenges faced include the myriad of Operating Systems in use (Windows/OSX/Linux), the fact that the devices being backed up are inherently ‘untrusted’ (i.e. owned by the individual) and that they are often on networks (be it eduroam/public/home) that have no direct connectivity back to the internal trusted network.

Most enterprise class backup systems just aren’t suited to this kind of environment in that they cannot be securely published through a firewall or have exorbitant licencing costs for the number of devices to be protected (a few file servers vs 500+ student owned laptops).

One solution to this issue cropped up at a recent trade show where Synology were demonstrating their Synology DiskStation Manager NAS software which set itself apart from the traditional enterprise backup solutions with…

  • Support up to 16,000 users on high end models (and 2048 on the kind of model that we would consider using) with no extra licencing costs, users can have storage quotas set either by group or per user
  • Secure remote access (simply publish a single port which can be protected by HTTPS for encryption in transit)
  • Home grown backup clients for modern versions of Windows, OSX/macOS and Linux
  • On the point of OSX/macOS the backup client for Synology does not rely on Time Machine and so overcomes the issues associated with having to be on the same network as your backup device
  • Home grown Btrfs file system which auto detects (and fixes) corrupted files through metadata along with extensive snapshot support
  • Up to 32 recovery points and real-time file protection (when connected to the DiskStation)

So time for some screenshots! Below we have the initial setup of the Disk Station Manager and the installation of the client on a Windows PC.

Then restoring a file that has been deleted on the Windows PC; note that you can restore either individual files or entire folders to a point in time.

The same but for OSX…

So that’s all of the good, the only downside we have found thus far is while shared drives can be protected with encryption it is not possible to protect each individual home area (per user) with a unique encryption key thus opening up issues with data privacy. However, if you consider the following scenario…

  • A business needs to provide backup to remote workers
    • Those remote workers do not connect to the trusted network often
      • Perhaps they don’t like VPNs/DirectAccess (and so rules out using Offline Files)
    • and those remote workers do not use a commercial ‘cloud’ service to protect their data with
      • Perhaps trusting a 3rd party to host the data is not an option
    • The remote workers use OSX/macOS

…then using a Synology DiskStation should be a serious consideration for that business.

When working with a lab full of HPE ProCurve/Aruba switches (or you just want to know who is who in a stack of switches) the chassislocate CLI command comes in really handy by either blinking or holding solid the blue locator light. See the screenshots below for a little more info.