April 2009 - Posts
Microsoft announced this morning that they will be changing the behavior of AutoRun so that it is not enabled for devices other than optical media. This is in response to the changing threat environment, most notably Conficker, which uses the AutoRun feature on Windows to exploit vulnerabilities through the use of mass storage devices (USB keys, external hard disk drives, etc.).
Windows 7 RC will be the first to receive these changes followed by an update for Windows Vista and Windows XP.
Here's the article from the Microsoft Security Response Center: http://blogs.technet.com/msrc/archive/2009/04/28/changes-in-windows-to-meet-changes-in-threat-landscape.aspx
That didn't take long.
The Adobe Product Security Incident Response Team (PSIRT) released a blog entry to announce that all currently supported shipping versions of Adobe Reader and Acrobat are vulnerable. There are no reports of known exploit code.
Here's the link: http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
Maybe I was sleeping or too busy last week, but I just noticed Microsoft released Service Pack 2 (SP2) for the 2007 Microsoft Office Suite.
Some changes worth highlighting are:
- OpenDocument Format (ODF) support
- Built-in Save As PDF/XPS support
- General performance improvements
View the full list here: http://support.microsoft.com/kb/953195
Computers aren't perfect. Sometimes they just don't report properly to SMS. In one particular case, we had a computer whose Add/Remove Programs information was not populating in the SMS database. For this reason, it was showing as applicable for several recurring advertisements we had out there and kept having jobs forced on it. Not fun for the user.
It was requested of me to manually filter the computer out of the query based collections to give them time to rebuild the machine. Even though I was hesitant to do so I finally did, adding something like AND Name != 'COMPUTERNAME' at the end of the query statements.
A month has passed and now I've been asked to remove those statements, as the computer is healthy again. Easy enough...oh wait...what collections did I modify again?
I went to my old friend - the SQL database - to see if it could help me with my problem. Turns out, it had everything I needed.
I logged on to my server and opened SQL Server Management Studio. After connecting, I clicked "New Query" and made sure the SMS database was selected in the "Available Databases" dropdown. I then used the following statement:
-- Find every collection whose query rule text mentions the computer name
SELECT *
FROM v_CollectionRuleQuery crq
JOIN v_Collection col ON crq.CollectionID = col.CollectionID
WHERE crq.QueryExpression LIKE '%COMPUTERNAME%'
This gave me everything I needed in order to find the queries that contained the computer in question. SQL to the rescue yet again!
As mentioned before, we're working on a side-by-side upgrade to SCCM 2007 from SMS 2003. We have less than 10,000 clients and currently have a primary site in each of three geographical regions to serve as the Management Point for the regional clients. One of the challenges we are facing is that we are without a server to complete the side-by-side process in one region. So, we're trying to figure out the best way to address this situation:
1. In-place upgrade the current SMS 2003 site server to SCCM 2007
2. Move the clients to another location temporarily, rebuild the current server and move them back
3. See if we can set up a Secondary Site in the region and eliminate the need for a full primary site
Option three sounds very appealing to us, however it is the most "uncertain" of our options. We have always used Primary Sites and have never considered Secondary Sites in the past. I've been doing a lot of reading and have found the following benefits to implementing a Secondary Site with a Proxy Management Point:
1. One less SCCM license to purchase
2. Less administration than a Primary Site server
3. Transfers information as Site-To-Site traffic using custom bandwidth limitations and compression
On the downside, we need to figure out if the Secondary Site and Proxy Management Point can be installed on another application server. Additionally, we'd have to figure out who we would want the parent to be. And from an aesthetic perspective, we would then have two Primary children and one Secondary child. Why not go Secondary Site all the way?
The following articles helped me get a little better grasp of the subject matter. Hopefully I'll have this one figured out sooner rather than later.
Determine If a Proxy Management Point is Needed at a Secondary Site
Proxy Management Point: Benefits and Otherwise
The SMS 2003 web report query below returns the collection membership for a specific computer name. It also displays whether the collection has an advertisement associated with it. I've found it very helpful when trying to determine what advertisements a client should be receiving as well as if the client has ended up in some "funny" collections. It is similar to the canned report "All advertisements for a specific computer".
SELECT fcm.Name,
       col.Name,
       adv.AdvertisementName,
       col.CollectionID
FROM v_Collection col
JOIN v_FullCollectionMembership fcm ON col.CollectionID = fcm.CollectionID
LEFT JOIN v_Advertisement adv ON col.CollectionID = adv.CollectionID
WHERE fcm.Name LIKE @name
ORDER BY col.Name
Copy and paste the above query into SMS web reporting, remembering to create a prompt. Or simply download the attached TXT file, rename it to a MOF and import it into SMS Reporting.
All collections for a specific computer (custom).mof.txt
Microsoft released their Advance Notification for April 2009 Software Updates.
It looks like five Windows patches (two of which are "Elevation of Privilege"), and one each for IE, Excel, and ISA.
The Conficker Eye Chart is a simple detection tool for determining whether your computer has been infected by Conficker. Depending on what images appear (or don't appear) in your browser you may be infected with a specific variant. Pretty clever. Why didn't I think of that?
In our environment, we have roles separated out. The software packaging team handles preparation of the application and packaging in SMS. The Systems Management Team handles everything else.
A new packaging team member was learning the ropes of SMS packaging and gave me a call.
"Brett, the package isn't available for me to deploy yet. I copied it to the Distribution Point, but it hasn't shown up yet. Can you have a look?"
Meanwhile, I get a call from our storage team.
"Brett, you seem to have a very large file growing continually larger on your D drive. You might want to take a look."
He was right. There was a TMP file growing at about 270MB per minute on my D drive. I saw the free space drop in chunks. I didn't know what to do. Before I knew it, free space was gone and then - poof - the file had disappeared and all my space was returned to me. That was about the best possible scenario I could have imagined (the one I was expecting was much worse).
I performed a Windows search in the SMS\logs directory, looking for files containing the phrase "TMP". One file was returned - distmgr.log. Could the package distribution issue and the monster TMP file somehow be related? Then I saw this in the log:
Starting to compress \\CENTRALSITESERVER\PKG_SRC to D:\_S Ms9ie.TMP for package ABC000E4
...
Cannot write to output file, Win32 Error = 112
CTool::CompressAndAppendFile failed, error = 4, win32 = 112, filename = (null)
Cannot compress \\CENTRALSITESERVER\PKG_SRC to D:\_S Mroa3.TMP, last failed file is , Win32 error = 112
STATMSG: ID=2309 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=CENTRALSITESERVER SITE=ABC PID=1940 TID=9476 GMTDATE=Tue Mar 24 21:30:35.329 2009 ISTR0="ABC000E4" ISTR1="\\CENTRALSITESERVER\PKG_SRC" ISTR2="" ISTR3="D:\_S Mroa3.TMP" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="ABC000E4"
Cannot create the compressed copy for package ABC000E4.
StoredPkgVersion (0) of package ABC000E4. StoredPkgVersion in database is 0.
SourceVersion (1) of package ABC000E4. SourceVersion in database is 1.
STATMSG: ID=2302 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=CENTRALSITESERVER SITE=ABC PID=1940 TID=9476 GMTDATE=Tue Mar 24 21:30:35.344 2009 ISTR0="PACKAGER - PI 2008" ISTR1="ABC000E4" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="ABC000E4"
Failed to process package ABC000E4 after 28 retries, will retry 72 more times
Exiting package processing thread.
Used 0 out of 3 allowed processing threads.
It turned out that the package created by the new team member was pointing to the root of our package repository instead of the subdirectory. SMS tried to compress the data for the "package" (which in this case was the source files for ALL packages), but due to space limitations it choked and said "I quit".
I went into the package, corrected the source directory, resent it to the distribution point and everything was happy. Lesson learned - a little more supervision and direction may be necessary for first time packagers.
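An audit query for the mistake above, added here as an example and not part of the original post: it lists packages whose source is the repository root itself, and packages whose source directory contains another package's source. It assumes the SMS 2003 site database, that v_Package exposes the source directory as PkgSourcePath (as the SMS_Package class does), and the repository root shown in the distmgr.log excerpt.

```sql
-- Added example (not from the original post): find packages that would make
-- distribution manager compress the whole repository instead of one subdirectory.
DECLARE @Root nvarchar(255);
SET @Root = '\\CENTRALSITESERVER\PKG_SRC';   -- repository root from the distmgr.log excerpt

-- Normalise source paths: drop a trailing backslash so '\\s\share' and '\\s\share\' compare equal
SELECT PackageID, Name,
       CASE WHEN RIGHT(PkgSourcePath, 1) = '\'
            THEN LEFT(PkgSourcePath, LEN(PkgSourcePath) - 1)
            ELSE PkgSourcePath END AS SourcePath
INTO #Src
FROM v_Package
WHERE PkgSourcePath IS NOT NULL AND PkgSourcePath <> '';

-- 1. Packages pointing straight at the repository root
SELECT PackageID, Name, SourcePath
FROM #Src
WHERE SourcePath = @Root;

-- 2. Packages whose source directory contains another package's source directory.
--    LIKE treats '_' as a single-character wildcard, so hits on paths containing '_'
--    deserve a second look before anyone acts on them.
SELECT parent.PackageID AS ParentPkg, parent.SourcePath AS ParentSource,
       child.PackageID  AS ChildPkg,  child.SourcePath  AS ChildSource
FROM #Src parent
JOIN #Src child
  ON child.PackageID <> parent.PackageID
 AND child.SourcePath LIKE parent.SourcePath + '\%'
ORDER BY parent.SourcePath, child.SourcePath;

DROP TABLE #Src;
```

Running it after each new package is created catches a root-level source before the package is sent to a distribution point.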
An image does wonders in explaining the amount of traffic that can be caused by the Conficker worm:
A Look Inside Conficker P2P Traffic
[via Chris Mosby]
We are in the process of our migration from SMS 2003 SP3 to SCCM 2007 SP1 R2. Our upgrade track is "side-by-side", allowing us the flexibility to get SCCM up and running and become comfortable with the environment before migrating clients.
As part of planning for the upgrade, I have often referenced the documentation available on TechNet for System Center Configuration Manager 2007. In addition to the expected planning and deployment documents, I've recently come across the Configuration Manager Checklists:
Configuration Manager Planning Checklist
Configuration Manager Deployment Checklist
Configuration Manager 2007 Upgrade Checklist
These documents force you to think through each step in the planning and deployment process and reference other documents for more detailed tasks.
Now that I've gotten a couple posts under my belt, I figure it's time for a brief introduction. I've been an active myITforum member for a little over three years now (time sure does fly). I started participating on the forums when I accepted a role supporting an SMS 2003 environment. In that time I've gone from the "new guy" to the lead for the product in our company.
I enjoy perusing through the SMS database in search of ways to get more information out, which is why I tend to gravitate towards reporting. I've also developed an interest for the security side of things, seeing that we are the ones who deploy the Software Updates. It interests me (scares me?) what this arena is going to be like in 10 years.
On a personal level, I live nearby Akron/Cleveland, OH. I'm getting married this year and training for my second season of triathlons (specifically offroad, Xterra triathlons). It's a lot of work - both mentally and physically. Mountain biking is a great hobby of mine, but I need to find things to do when the trails are wet and muddy, so I run, cross-country ski, hike...basically anything that gets me outdoors and in the woods is best. I've also got an 18 month old rescue Italian Greyhound that both challenges me and brings me wonderful joy.
We've all had technical issues we couldn't search our way out of. We've all had those forum posts with zero responses where you realize everyone else is as clueless about it as you are. My goal with this is to share little bits of what I learn along the way in my adventures in Systems Management so as to increase the Internet knowledge base (and some other stuff while I'm at it). Hopefully I help someone out in the process, whether through a Google search on an issue or through regular readership. Regardless how you got here, thanks for coming.
Microsoft released Security Advisory 969136 last night, reporting an unpatched vulnerability in Microsoft Office PowerPoint. I'm wondering if this one will make it into the April Software Updates? My gut feeling is "No", since they still haven't addressed the Microsoft Office Excel vulnerability published in late February.
That's okay. I've got enough work getting Adobe Reader and Adobe Flash Player up-to-date with their latest releases. 
More links for you:
http://blogs.technet.com/msrc/archive/2009/04/02/microsoft-security-advisory-969136.aspx
http://tools.cisco.com/security/center/viewAlert.x?alertId=17966
http://blogs.zdnet.com/security/?p=3088&tag=nl.e539
Last week I closed up a case with Microsoft concerning some orphaned distribution points (DPs from here on) that were still hanging around in our SMS 2003 SP3 database. I couldn't find much online on how to address this issue. I did find a blog entry by Russ Slaten but I wasn't quite comfortable running the included VBS on my production environment in hopes that it would resolve my issue. So, I gave Microsoft a call and opened a case.
Our scenario was as follows. The servers hosting the DP shares were decommissioned without us knowing. Once we found out, we deleted the DPs from all associated Packages and then deleted them from Site Systems on their appropriate Primary Site. However, because the servers were no longer around, things weren't totally cleaned up. Every day I would see entries in my Central Primary Site server's distmgr.log where SMS was not able to delete specific packages from these orphaned DPs.
Delete action for previously deleted package server '["Display=\\servername01\sms2003dp\"]MSWNET:["SMS_SITE=ABC"]\\servername01\sms2003dp\' for package 'ABC00002' will be ignored.
Delete action for previously deleted package server '["Display=\\servername02\sms2003dp\"]MSWNET:["SMS_SITE=ABC"]\\servername02\sms2003dp\' for package 'ABC00002' will be ignored.
Using SQL Server Management Studio, the Microsoft technician and I used the following queries to find if the DPs were still in our databases:
SELECT * FROM PkgServers WHERE NALPath like '%servername01%'
SELECT * FROM PkgStatus WHERE PkgServer like '%servername01%'
Once we confirmed these queries returned entries for the orphaned DPs (and ONLY the orphaned DPs) we checked to make sure we had a valid SMS backup. Once that was confirmed, we ran a delete query to clean things up:
DELETE FROM PkgServers WHERE NALPath like '%servername01%'
DELETE FROM PkgStatus WHERE PkgServer like '%servername01%'
And like that, I no longer have activity from non-existent DPs.
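The same clean-up with a guard in front of it, added here as an example and not part of the original post or the Microsoft case: the delete keys on the exact NAL paths copied from the distmgr.log lines above rather than a '%servername01%' wildcard, and a wildcard pre-check confirms nothing outside that list would have matched. It assumes the SMS 2003 site database, the two NAL paths from the log excerpt, and that PkgStatus.PkgServer stores the same NAL path string as PkgServers.NALPath.

```sql
-- Added example (not from the original post): guarded removal of orphaned DP rows.
SET NOCOUNT ON;

-- Exact NAL paths of the decommissioned DPs, copied from the distmgr.log lines above
CREATE TABLE #Dead (NALPath nvarchar(512));
INSERT INTO #Dead VALUES ('["Display=\\servername01\sms2003dp\"]MSWNET:["SMS_SITE=ABC"]\\servername01\sms2003dp\');
INSERT INTO #Dead VALUES ('["Display=\\servername02\sms2003dp\"]MSWNET:["SMS_SITE=ABC"]\\servername02\sms2003dp\');

-- Guard: if the loose '%server%' wildcard finds any row that is not in the exact list
-- (a live 'servername010', say), show it and delete nothing.
IF EXISTS (SELECT 1 FROM PkgServers
           WHERE (NALPath LIKE '%servername01%' OR NALPath LIKE '%servername02%')
             AND NALPath NOT IN (SELECT NALPath FROM #Dead))
BEGIN
    SELECT NALPath AS UnexpectedMatch
    FROM PkgServers
    WHERE (NALPath LIKE '%servername01%' OR NALPath LIKE '%servername02%')
      AND NALPath NOT IN (SELECT NALPath FROM #Dead);
    RAISERROR('Wildcard matched a DP outside the exact list; nothing deleted.', 16, 1);
END
ELSE
BEGIN
    DECLARE @StatusRows int, @ServerRows int;
    -- One transaction for both tables, so a failure part-way leaves neither half-cleaned
    BEGIN TRANSACTION;
    DELETE FROM PkgStatus  WHERE PkgServer IN (SELECT NALPath FROM #Dead);
    SET @StatusRows = @@ROWCOUNT;
    DELETE FROM PkgServers WHERE NALPath   IN (SELECT NALPath FROM #Dead);
    SET @ServerRows = @@ROWCOUNT;
    COMMIT TRANSACTION;
    PRINT 'Removed ' + CAST(@ServerRows AS varchar(10)) + ' PkgServers rows and '
        + CAST(@StatusRows AS varchar(10)) + ' PkgStatus rows';
END
DROP TABLE #Dead;
```

As in the original procedure, take a verified SMS backup before running the script against a production site database.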
The SMS 2003 web report query below returns the list of Distribution Points for a specific package, separated by "Installed" and "Not Installed". I created this report to help me understand what Distribution Points were missing particular packages.
SELECT 'INSTALLED'
SELECT pkg.Name,
       pkg.PackageID,
       -- server name pulled out of the NAL path
       SUBSTRING(dp.ServerNALPath, CHARINDEX('\\', dp.ServerNALPath) + 2,
                 CHARINDEX('"]', dp.ServerNALPath) - CHARINDEX('\\', dp.ServerNALPath) - 3) AS C070,
       dp.SiteCode
FROM v_Package pkg
LEFT OUTER JOIN v_DistributionPoint dp ON pkg.PackageID = dp.PackageID
WHERE pkg.PackageID = @PackageID
ORDER BY C070

SELECT 'NOT INSTALLED'
SELECT DISTINCT
       SUBSTRING(dp.ServerNALPath, CHARINDEX('\\', dp.ServerNALPath) + 2,
                 CHARINDEX('"]', dp.ServerNALPath) - CHARINDEX('\\', dp.ServerNALPath) - 3) AS C070,
       dp.SiteCode
FROM v_Package pkg
LEFT OUTER JOIN v_DistributionPoint dp ON pkg.PackageID = dp.PackageID
WHERE dp.ServerNALPath NOT IN (SELECT ServerNALPath FROM v_DistributionPoint WHERE PackageID = @PackageID)
  AND dp.ServerNALPath IS NOT NULL
ORDER BY C070
Copy and paste the above query into SMS web reporting, remembering to create a prompt. Or simply download the attached TXT file, rename it to a MOF and import it into SMS Reporting.
All distribution points for a specific package (custom).mof.txt