October 30, 2009

Modifying SCCM to collect additional registry information during Hardware Inventory

Filed under: SCCM — Tim Lefler @ 9:22 am

We use System Center Configuration Manager (SCCM) 2007 in our shop to manage the Windows environment. Weekly we perform an SCCM “Hardware Inventory”, which collects tons of information from the WMI repository. We wanted to extend this to collect asset information like Building, Floor, Room Number, etc. We wrote a script that populates this information into each individual PC’s registry on a weekly basis, so now we need a way to extract that information and report on it using SCCM reports.

Hardware inventory isn’t really hardware inventory; it’s inventory from the WMI repository. WMI is most often associated with hardware, and most of the default information stored in WMI is hardware related, but not all of it. This is significant when you look at the Resource Explorer and see Add/Remove Programs under it, or when you want to extend inventory in Config Manager to collect registry values and are told that it is handled by the hardware inventory process.

Below is an example of the type of information that we want to retrieve from the registry of each SCCM client.

[HKEY_LOCAL_MACHINE\SOFTWARE\AssetInfo]
"Building-Floor"="111/1"
"DetectedIP"="10.X.X.X"
"Location"="10100"
"PurchaseDate"="10/27/2004 12:00:00 AM"
"LastUpdated"="10/27/2009 3:09:49 PM"
"Status"="Deployed"
"DeployDate"="10/27/2009 12:00:00 AM"

Before making any changes, back up your MOF files on the SCCM server:

C:\Program Files\Microsoft Configuration Manager\inboxes\clifiles.src\hinv\sms_def.mof
C:\Program Files\Microsoft Configuration Manager\inboxes\clifiles.src\hinv\configuration.mof

Config Manager does not pull all WMI information available. It pulls a subset that is defined in the sms_def.mof and configuration.mof files. These are plain text files that can be edited with Notepad and are formatted in “Managed Object Format” (MOF). MOF is part of the WBEM/CIM standard and is documented on MSDN.

Notes on Using SSH to autologon using Public Keys

Filed under: unix — Tim Lefler @ 7:44 am

Steps documented in this post were performed using two Solaris 8 machines (SUN1 and SUN2), but the same technique could be applied to other Unix varieties.
This process allows you to log in from one computer to another without providing a password, and to do so securely.

On the Client computer, SUN1:

Generate a private and public key to be used for authentication:

tim@SUN1:/export/home/tim $ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/tim/.ssh/id_rsa):
Created directory '/export/home/tim/.ssh'.
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in /export/home/tim/.ssh/id_rsa.
Your public key has been saved in /export/home/tim/.ssh/id_rsa.pub.

The key fingerprint is:
45:d0:39:3e:24:9a:50:d6:f8:49:f9:da:46:1a:49:60 tim@SUN1

In the /etc/ssh_config file, make sure the following lines are uncommented.

Host *

<content omitted>

RSAAuthentication yes
PubkeyAuthentication yes
IdentityFile ~/.ssh/id_rsa

<content omitted>

Copy the /export/home/tim/.ssh/id_rsa file generated earlier to each user’s home directory as ~/.ssh/id_rsa. This is the key that will be presented to the remote host “SUN2” when the ssh client connects; it is specified in the ssh_config file as the “IdentityFile”. The permissions on this file must be 600.

SUN1:/# chmod 600 ~/.ssh/id_rsa

On the Host Computer, SUN2:

Log on to the remote host, edit the /usr/local/etc/sshd_config file, and make sure the following lines are uncommented:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

Issue the reconfigure command to make the changes apply to the running sshd daemon.

SUN2:/usr/local/etc# /etc/init.d/sshd reconfigure

Copy the /export/home/tim/.ssh/id_rsa.pub file generated earlier on the client machine to the remote host’s /export/home/tim/.ssh/authorized_keys file.

/export/home/tim $ mkdir .ssh
/export/home/tim $ /usr/local/bin/scp tim@sun1:.ssh/id_rsa.pub .ssh/authorized_keys
Warning: Permanently added 'sun1,10.X.X.X' (RSA) to the list of known hosts.
tim@sun1's password:   *******

id_rsa                                        100%  887     0.9KB/s   00:00

That is it. The client computer, SUN1, should now be able to log in to the host, SUN2, without being prompted for a password.
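As an added example (not from the original post), here is a POSIX sh script that installs a public key into authorized_keys without discarding keys that are already there, and checks the 600 mode the post requires. The scp command above replaces the whole authorized_keys file, which matters if the account already trusts other keys. File paths are arguments, so nothing here assumes the SUN1/SUN2 layout; it assumes a POSIX grep and either GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not part of the original post. Installs a user's public key
# into authorized_keys without discarding keys already present (the scp step
# in the post overwrites the file), and checks the 600 mode the post requires.

# Print a file's octal mode; GNU stat first, BSD stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file is mode 600. ssh ignores a private key that is
# group/world readable, and sshd with StrictModes refuses a loose authorized_keys.
check_key_perms() {
    [ "$(file_mode "$1")" = "600" ]
}

# install_pubkey <id_rsa.pub> <authorized_keys>
# Appends every key line from the .pub file that is not already present
# verbatim, so repeated runs leave exactly one copy of each key.
install_pubkey() {
    pub="$1"
    auth="$2"
    dir=$(dirname "$auth")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '' | '#'*) continue ;;    # skip blank lines and comments
        esac
        if ! grep -qxF -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
        fi
    done < "$pub"
    chmod 600 "$auth"
}

# Count authorised keys (non-blank, non-comment lines) for a quick audit.
count_keys() {
    grep -cv -e '^[[:space:]]*$' -e '^#' "$1" || true
}

# Stand-alone usage mirroring the post, after fetching id_rsa.pub from SUN1:
#   install_pubkey ~/id_rsa.pub ~/.ssh/authorized_keys
#   check_key_perms ~/.ssh/id_rsa || echo "id_rsa must be chmod 600"
```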

Debugging.

To debug the client:

tim@SUN1:/export/home/tim $ ssh -vv tim@sun2

OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Applying options for sunsales
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to sunsales [10.14.54.21] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /export/home/d3000/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

<content omitted>

To debug the server side, uncomment the following lines in /usr/local/etc/sshd_config:

SyslogFacility AUTH
LogLevel DEBUG

The debug content will be logged to /var/log/authlog.

October 28, 2009

SCCM Script to Initiate a Hardware Inventory

Filed under: SCCM — Tim Lefler @ 10:37 am

This is a handy System Center Configuration Manager (SCCM) script that can be used to initiate a hardware inventory.

' Set the required variables. 
actionNameToRun = "Hardware Inventory Collection Cycle" 
 
' Create the CPAppletMgr instance. 
Dim controlPanelAppletManager 
Set controlPanelAppletManager = CreateObject("CPApplet.CPAppletMgr") 
 
' Get the available client actions. 
Dim clientActions 
Set clientActions = controlPanelAppletManager.GetClientActions() 
 
' Loop through available client actions. Run the matching client action when found. 
Dim clientAction 
For Each clientAction In clientActions 
	' To list available client actions, output using the Name property (below). 
	'wscript.echo "Action: " & clientAction.Name 
	If clientAction.Name = actionNameToRun Then 
		clientAction.PerformAction 
	End If 
Next 
wscript.echo " " 
wscript.echo "Ran: " & actionNameToRun

I’ve also used this code in a custom VB.Net application to initiate an inventory cycle.

I initially adapted this from a post found on TechNet here.

October 12, 2009

How to Configure URLSCAN to help protect against SQL Injection Attacks

Filed under: Information Technology — Tim Lefler @ 9:47 am

URLSCAN is an IIS add-on that restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being processed by web applications on the server.

Download it from Microsoft here

Simply install it.

Urlscan Installation Wizard

Once installed, Urlscan sits as an ISAPI filter between the web application and IIS.

Urlscan as ISAPI Filter

Urlscan is configured via an ini file located in C:\WINDOWS\system32\inetsrv\urlscan

Of note is the configuration setting “RejectResponseUrl=/~*”, which puts Urlscan into log-only mode; use it while tuning the configuration so that legitimate traffic is not filtered.

October 6, 2009

How to use SharePoint Elevated Privileges to set security on an item

I needed to develop the ability for a SharePoint workflow to modify permissions on a list item. In my case, after an approval workflow was instantiated I did not want a document item to be modified. So I wanted to be able to break inheritance and set custom permissions for the individual list item. This is somewhat complicated by the fact that the user who initiates the workflow doesn’t have permission to modify permissions. Thankfully, SharePoint has the ability to execute code with Elevated Privileges. So I encapsulated this functionality in a class so I could make use of it elsewhere. This was an excellent blog post that pointed me in the right direction. I had to make a few modifications to fit my functionality and also had to serialize the class to prevent these nasty errors:

10/05/2009 09:28:55.67     w3wp.exe (0x167C)                           0x0D90    Windows SharePoint Services       Workflow Infrastructure           98d4    Unexpected    System.Workflow.Runtime.Hosting.PersistenceException: Type 'Microsoft.SharePoint.SPWeb' in Assembly 'Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' is not marked as serializable. ---> System.Runtime.Serialization.SerializationException: Type 'Microsoft.SharePoint.SPWeb' in Assembly 'Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c' is not marked as serializable.     at System.Runtime.Serialization.FormatterServices.InternalGetSerializableMembers(RuntimeType type)     at System.Runtime.Serialization.FormatterServices.GetSerializableMembers(Type type, StreamingContext context)     at System.Runtime.Serialization.Formatters.Binary.WriteObjectInfo.InitMemberInfo()     at System.Runtime.Serialization.Formatters.B…

Here is my class.

Steps Used to Recover my Exchange 2003 SP2 environment

Filed under: Information Technology — Tim Lefler @ 10:22 am

Recently I had a major hardware failure on the server that houses my Exchange 2003 mailbox store.  My company, like many smaller organizations, did not spend the extra capital to setup a clustered environment and therefore we had to endure the downtime while the machine was repaired/recovered.  Needless to say, this is not the optimal environment to be working in to recover your exchange environment.  I believe upper management will now be more open to spending a little more to avoid prolonged downtime.

Our Exchange machine has two RAID controllers, one with a 70 GB mirrored drive for the OS, and another with a number of different RAID disks configured for Exchange performance. All of the disks are locally attached. Our hardware failure was on the controller that services the OS. Essentially the cache on the controller partially failed and was writing corrupt data to the mirrored disks. The system crashed because the “C:” drive became corrupt and wouldn’t boot.

My Exchange Server Disk Layout

The good news was that all of the Exchange data was on the disks/controller that were not damaged so there was no data loss.  So all we needed to do was recover the OS and remount the databases.  Since our last system backup was off site and in the interest of reducing the number of panicky “How much longer” SMS messages I was receiving from upper management,  I decided it would be quicker to rebuild the OS, reinstall Exchange, and point Exchange at the existing database.   Sounds scary doesn’t it! This turns out to not be that difficult because all of the Exchange configuration information is stored in Active Directory and the Exchange setup program has a handy little “/DisasterRecovery” switch that essentially tells the installation program to make use of the configuration that is already populated in AD.