Oct 7, 2018

Update for Xen 7.1+ - STOP: 0x0000007B BSOD After Restoring UrBackup Image to XenServer VM

A few months ago I posted about getting a STOP: 0x0000007B blue screen of death on one of my VMs after restoring an image backup from UrBackup in Xen 6.5. My solution then was to create the blank VM that we were restoring to using a Windows XP template.

Well, the other night I was migrating all of my old Xen 6.5 VMs to a new Xen 7.1 cluster, and that troublesome VM popped up again! I got another BSOD when I powered it up in the new cluster!



The trouble this time is that Xen 7.1 doesn't have a Windows XP template! Damn it!

No problem, I did find a solution. If you are getting this error for one of your VMs after moving, upgrading or restoring to Xen 7.1 or newer, just use the "Other install media" template located at the bottom of the templates list.


After using that template and attaching the original disk, it booted up just fine!

Sep 26, 2018

SQL Query to see how long DBCC CHECKDB will take

Last night, while converting a VMware VM to a XenServer VM, I had a bit of an issue with one of the database VMs, and several of the databases came up as "Suspect."

We decided to follow this procedure (How to fix a Suspect Database) and it went fairly quickly, except on the biggest database, which was almost 100GB in size.

Well, we wanted to know how long the DBCC CHECKDB would take to finish! I'm sure you are here because you are in the same position. Here is a query that gives you an estimated completion time, so you have a rough idea of how long it will take:

 SELECT session_id,
        request_id,
        percent_complete,
        estimated_completion_time,
        DATEADD(ms, estimated_completion_time, GETDATE()) AS EstimatedEndTime,
        start_time,
        status,
        command
 FROM   sys.dm_exec_requests
 WHERE  database_id = <YOUR DATABASE ID NUMBER>


Fairly simple right? Your output will look like this:


If you are wondering how to find your database_id you can find it by running this query:

 USE <DATABASE NAME>
 SELECT DB_ID() AS [Database ID]
 GO
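The two queries above can be wrapped into one PowerShell helper that polls the estimate until CHECKDB finishes. This is an added example, not code from the original post: it assumes the SqlServer module (Invoke-Sqlcmd) is installed and that the login has VIEW SERVER STATE, which sys.dm_exec_requests requires. DB_NAME() resolves the database ID for you, so the second query is no longer needed, and the command filter keeps only DBCC requests. The instance and database names in the usage line are placeholders.

```powershell
# Added example, not from the original post. Assumes the SqlServer module (Invoke-Sqlcmd)
# and a login with VIEW SERVER STATE, which sys.dm_exec_requests requires.
Import-Module SqlServer

function Get-DbccProgress {
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [string] $DatabaseName     # optional: keep only one database, matched by name
    )

    # Same columns the post queries, plus DB_NAME() so the database ID never has to be
    # looked up by hand, and a command filter that keeps only DBCC work.
    $query = @"
SELECT r.session_id,
       r.request_id,
       DB_NAME(r.database_id)                              AS database_name,
       r.command,
       r.status,
       r.start_time,
       r.percent_complete,
       r.total_elapsed_time / 60000.0                       AS elapsed_minutes,
       r.estimated_completion_time / 60000.0                AS remaining_minutes,
       DATEADD(ms, r.estimated_completion_time, GETDATE())  AS estimated_end_time
FROM   sys.dm_exec_requests AS r
WHERE  r.command LIKE 'DBCC%';
"@
    $rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Database master -Query $query

    # Filter in PowerShell rather than splicing the name into the T-SQL text, so an
    # odd database name can never change the query.
    if ($DatabaseName) { $rows = @($rows | Where-Object { $_.database_name -eq $DatabaseName }) }
    return $rows
}

function Watch-DbccProgress {
    # Polls until no DBCC request is left in sys.dm_exec_requests.
    param(
        [Parameter(Mandatory)] [string] $ServerInstance,
        [string] $DatabaseName,
        [int] $IntervalSeconds = 30
    )
    while ($true) {
        $rows = Get-DbccProgress -ServerInstance $ServerInstance -DatabaseName $DatabaseName
        if (-not $rows) { Write-Host 'No DBCC request is running.'; break }
        $rows | Format-Table session_id, database_name, command, percent_complete,
                             elapsed_minutes, remaining_minutes, estimated_end_time -AutoSize
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Usage (instance and database names are placeholders):
# Watch-DbccProgress -ServerInstance 'SQL01\PROD' -DatabaseName 'BigDatabase'
```

percent_complete and estimated_completion_time are SQL Server's own running estimate for CHECKDB, so the end time drifts as the check moves between phases; treat it as a rough figure, exactly as the post says.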

Again, fairly simple right? I hope this helped!

Sep 17, 2018

Getting Fog PXE boot working on a Thinkpad T460P, T470P and a T480P

I've been using Fog Project for years. It's my favorite open source operating system imaging tool for large networks. We were using it at my company up until a few years ago, when we started buying Thinkpad T460P laptops and my desktop technician at the time couldn't get these laptops to boot. Instead of doing some actual Googling, he and my Systems Administrator at the time wanted to use WDS instead.

Well, both of those guys have since moved on to other places, and I decided that we were going to save a Windows Server license and go back to Fog!

The first thing I had to do was figure out how to get the T460Ps, T470Ps and now T480Ps to boot to the Fog boot menu. When I first tried booting my T460P, this is the message I received:


Long story short, it got stuck saying No configuration methods succeeded.... Boo!

Well, the fix was actually pretty easy. Instead of using the undionly.kpxe TFTP file like the documentation says, we used intel.kpxe and it worked like a charm! Now we get the Fog boot menu on all models of our Lenovo laptops!

Have you had problems with Lenovo and Fog? What did you have to do to get it to work? Let us know in the comments!

Sep 10, 2018

Active Directory Users and Computers Will Not Open After Azure Site Recovery Test Failover

The other day we wanted to test some database stuff in our Production Azure environment. Obviously, we didn't want to mess with actual Production data, so since we're using Azure Site Recovery for our disaster recovery plan, we decided to initiate a test failover of the impacted systems in an isolated network.

Also, since we're using our own domain controller VMs, we had to fail those over for authentication. This is where I ran into problems. After initiating the test failover of my domain controllers I couldn't open Active Directory Users and Computers. When I tried, I got this message:
Naming information cannot be located because: The specified domain either does not exist or could not be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online.


Well, after banging my head against the wall for a few hours, I finally found a solution. Open a registry editor and browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Open the SysvolReady value. If it is 0, change it to 1. If it is already 1, change it to 0 and ‘Accept’, then change it back to 1 and ‘Accept’ again. Exit the registry editor.

Boom! After that I could open Active Directory Users and Computers again without a reboot!

One thing that still didn't work though was Netlogon and Group Policy. To fix that on my two domain controllers in the test environment I had to copy all contents from C:\Windows\SYSVOL\domain\NtFrs_PreExisting___See_EventLog on both domain controllers to C:\Windows\SYSVOL\domain\. When that was done I ran the following on both test domain controllers:

  • net stop netlogon
  • net start netlogon
After that, Netlogon and Group Policy were working again. I also took the extra steps of seizing the FSMO roles and deleting the other domain controllers from Active Directory Users and Computers and from Active Directory Sites and Services, along with their sites, so that I wouldn't have to deal with replication issues in the isolated test environment.
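The registry toggle, the SYSVOL copy and the Netlogon restart above can be scripted so the same steps run identically on each test-failover domain controller. This is an added example, not code from the original post: it assumes the default SYSVOL location and an elevated PowerShell session; the registry path and the NtFrs_PreExisting___See_EventLog folder name are the ones the post gives. The script copies the SYSVOL content back before it signals SysvolReady, so that Netlogon never advertises empty SYSVOL and NETLOGON shares to clients of the test DC.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on each domain
# controller in the isolated test failover. Assumes the default SYSVOL location; the registry
# path and folder name are the ones the post gives.
$netlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sysvolDomain   = 'C:\Windows\SYSVOL\domain'
$preExisting    = Join-Path $sysvolDomain 'NtFrs_PreExisting___See_EventLog'

function Get-SysvolReady {
    (Get-ItemProperty -Path $netlogonParams -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
}

function Set-SysvolReady {
    # Netlogon only reacts to a change, so a value already at 1 is flipped to 0 first
    # (the same 1 -> 0 -> 1 toggle the post does in regedit).
    $current = Get-SysvolReady
    Write-Host "SysvolReady before: $current"
    if ($current -eq 1) {
        Set-ItemProperty -Path $netlogonParams -Name SysvolReady -Value 0 -Type DWord
    }
    Set-ItemProperty -Path $netlogonParams -Name SysvolReady -Value 1 -Type DWord
    Write-Host "SysvolReady after:  $(Get-SysvolReady)"
}

function Restore-SysvolContent {
    # Copy the pre-existing Policies and scripts back into the live SYSVOL tree, as in the post.
    if (-not (Test-Path $preExisting)) {
        Write-Warning "$preExisting not found; nothing to copy."
        return
    }
    Copy-Item -Path (Join-Path $preExisting '*') -Destination $sysvolDomain -Recurse -Force
}

function Test-DcHealth {
    # Quick checks: the SYSVOL and NETLOGON shares exist, the DC locator finds the domain,
    # and Group Policy can be refreshed.
    Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue | Format-Table Name, Path -AutoSize
    nltest /dsgetdc:$env:USERDNSDOMAIN
    gpupdate /force
}

# Order matters: put the SYSVOL content back first, then tell Netlogon to share it;
# otherwise clients of the test DC would briefly see empty SYSVOL and NETLOGON shares.
Restore-SysvolContent
Set-SysvolReady
Restart-Service -Name Netlogon          # same effect as net stop / net start netlogon
Test-DcHealth
```

Keep this to the isolated test network, as the post does: on a production DC, forcing SysvolReady to 1 while SYSVOL is incomplete would make that DC hand out missing or partial Group Policy.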

Have you ever run into something like this? Did you fix it differently? Let us know in the comments!

Aug 31, 2018

Alternative Download For HP Proliant SPP

Is it just me or should hardware manufacturers make their drivers easy to download regardless of support contracts? I've been a loyal HP server user for years, but just recently something really chapped my ass! I went to download the latest Service Pack for Proliant (SPP) so I could install drivers on an older Proliant system and couldn't! Why? Because I didn't have a current support contract with HP!

I've also been a loyal Lenovo user for years. Guess what? I can download their System Update tool fine! No need to have some bullshit login for it! In the past I could always download HP's SmartStart CD's without a login. Why now all of a sudden is there a change?

Now you're probably just saying, why not buy a support contract? Well, I already have full hardware support from our aftermarket reseller Curvature at a fraction of the cost of HP's support. I don't feel the need to pay extra for roughly the same level of support. The only drawback, at least for HP, is that I can't get tools like SPP!

Well, I found a good Samaritan that is making the SPP downloads available for free! At the time of this writing the March and June 2018 versions of SPP are available here.

Hurry up and grab them before they are gone!

Aug 28, 2018

End of an Era: Coleman University is Out of Business



This is a real shame. I myself am a Coleman Alumnus. I just heard the news while interviewing someone for my company's open Systems Administrator position in San Diego.

Via Fox 5:
Coleman University -- a private college that's operated in San Diego since 1963 -- is closing at the end of the current term, school leadership announced Thursday. 
"To all our very fine students, staff, and faculty, I am personally sorry that we have to close Coleman University," President & CEO Norbert J. Kubilus said. 
In a letter to students, faculty and staff obtained by FOX 5, Kubilus said that Coleman learned in late June that they had lost a bid for accreditation from the Western Association of Colleges and Universities Senior College and University Commission, putting the school in a financial bind.


Aug 27, 2018

Shadow Admins: What Are They and How Can You Defeat Them?

Managing something you don’t even know exists in your network is always a challenge. This is why the problem of stealthy or shadow admins needs to be acknowledged by security officers. After all, it only takes compromising a single account with elevated privileges to put the security of an entire company in jeopardy.

So, who are these shadow admins and what strategies may help you combat the threats they pose? Keep on reading to find answers to these questions.

Shadow admins: what are they?

When talking about the shadow or stealthy admins, we are referring to the accounts that were delegated admin-level privileges in Active Directory, usually with a direct permission assignment. This is why these shadow admins can also be called delegated admins.

In general, there are four main groups of privileged accounts:

  • Domain admins
  • Local admins
  • Application/services admins
  • Business privileged accounts

Any of these categories may have both legitimate and shadow administrative accounts. However, while legitimate privileged accounts are easy to identify, stealthy admins are not members of any of the default administrative groups in Active Directory and, therefore, can’t be found that easily. As a result, many organizations simply don’t take delegated admins into account when looking for privileged users in Active Directory.

Ignoring delegated admins is not an option though. These accounts can possibly have unrestricted control over legitimate Active Directory admins and be able to:

  • change passwords for privileged accounts
  • change permissions on the existing admin groups or accounts
  • add new accounts to the existing administrative groups
  • create new admin groups in Active Directory, and so on.

Therefore, a successful attack on just one delegated admin account can have consequences just as devastating as when a legitimate privileged account was compromised.

Let’s take a closer look at the main risks posed by shadow admins.

Top risks posed by unmanaged admin accounts


The presence of stealthy administrators in your network creates a variety of problems, including:

  • Cybersecurity risks
  • Financial risks

Unmanaged privileged accounts are like a Christmas gift for attackers. Since they are often not taken into account by an organization’s cybersecurity policy, they can be easier to compromise while still providing attackers with unrestricted access to your company’s critical data.

With the increased risks of data leakage, the presence of shadow admins in the network creates additional financial risks for the company. Not to mention that the news about the loss of valuable, sensitive data can cause severe damage to the company’s reputation.

In April 2017, for instance, Oracle’s Solaris operating platform was targeted by hackers using shadow admins to get into the system. In particular, there were two malicious programs discovered (EXTREMEPARR and EBBISLAND) that were able to elevate the rights of existing users to the administrative level. Thus, they turned regular users into shadow admins with remote root access to platform networks.

The only way to mitigate risks posed by such accounts is by identifying all shadow admins within your network and managing them effectively. In the next section, we talk about the ways you can find and manage all administrative accounts in your company’s network.

Best practices for detecting and managing shadow admins

As of today, there are two ways you can detect delegated admins in your network and mitigate the risks they pose:

  • By analyzing Access Control Lists (ACLs) on Active Directory
  • By building an effective privileged access management strategy

ACL analysis. When trying to identify all of the privileged accounts present in your company’s network, look for tools that scan ACLs and analyze effective permissions rather than an account’s presence in a particular Active Directory group. That way you can find even the accounts that were delegated additional privileges without being added to any of the admin groups in Active Directory.

Once identified, make sure that only legitimate administrators (such as members of Domain Admin groups) are granted such critical privileges as Replicating Directory Changes All, Reset Password, or Full Control.
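The ACL review described in the two paragraphs above can be started with a short script. This is an added example, not code from the original article or from any product it mentions: it assumes the ActiveDirectory RSAT module, a reader allowed to view the domain's security descriptors, and a single-domain forest (the expected-principal list is built from the domain's NetBIOS name). It walks the Allow ACEs on the domain head and on AdminSDHolder, skips principals that are expected to hold such rights, and reports every remaining grant of Full Control, WriteDacl, WriteOwner, both replication rights (the "Replicating Directory Changes" pair the article names) or Reset Password, so each one can be reviewed and removed if it is not justified.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory RSAT module and a
# reader with permission to view the domain's security descriptors. It lists Allow ACEs on the
# domain head and on AdminSDHolder that grant rights a delegated ("shadow") admin could abuse,
# for any principal outside an expected list, so they can be reviewed.
Import-Module ActiveDirectory

# Well-known control access right GUIDs from the AD schema
$extendedRightNames = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcf2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcf2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (Reset Password)'
}

function Get-RiskyAce {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $ExpectedPrincipals
    )
    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }

        $rights = $ace.ActiveDirectoryRights
        $reason = $null
        if     ($rights.HasFlag($ADR::GenericAll)) { $reason = 'GenericAll (Full Control)' }
        elseif ($rights.HasFlag($ADR::WriteDacl))  { $reason = 'WriteDacl (can grant itself any right)' }
        elseif ($rights.HasFlag($ADR::WriteOwner)) { $reason = 'WriteOwner' }
        elseif ($rights.HasFlag($ADR::ExtendedRight)) {
            $guid = $ace.ObjectType.ToString()
            # An ExtendedRight ACE with an empty ObjectType covers every control access right
            if     ($ace.ObjectType -eq [guid]::Empty)      { $reason = 'All extended rights' }
            elseif ($extendedRightNames.ContainsKey($guid)) { $reason = $extendedRightNames[$guid] }
        }

        if ($reason) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Right     = $reason
                Inherited = $ace.IsInherited
            }
        }
    }
}

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
# Principals that legitimately hold these rights. Enterprise Admins is shown under the forest
# root's NetBIOS name, which equals $nb only in a single-domain forest; adjust for a child domain.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$nb\Domain Admins",
    "$nb\Enterprise Admins",
    "$nb\Domain Controllers"
)

$targets = @(
    $domain.DistinguishedName,
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
)
$targets | ForEach-Object { Get-RiskyAce -DistinguishedName $_ -ExpectedPrincipals $expected } |
    Sort-Object Object, Principal | Format-Table -AutoSize
```

The output is a review list, not a verdict: read-only domain controller groups, for example, hold DS-Replication-Get-Changes by design and will appear until you add them to the expected list. Anything left over is exactly the delegated grant the article warns about, and the fix is to remove the ACE rather than to add the account to an admin group.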

Privileged access management. Building a well thought out privileged access management strategy can also help you solve the problem of stealthy admins. Your cybersecurity strategy should include two measures:

  • Continuous monitoring and audit of the network
  • Effective management of privileged access to critical data and assets


Audit and monitoring are important for several reasons. First and foremost, they give you better visibility into the network: you learn who can access what. Secondly, all information gathered at this stage is essential for investigating security incidents, should any take place in your organization.

When monitoring your network, pay special attention to the following factors:

  • What accounts have elevated privileges and can access your company’s critical assets (who can access particular servers or domains, who can work with your company’s sensitive information)
  • What privileged accounts and elevated permissions were added just recently (to identify a possible attack in progress)
  • Whether there are any suspicious activities (a sudden use of a “dead” privileged account, an admin logging in from an unusual IP address, and so on)
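The second bullet above, recently added privileged accounts and permissions, is the one a domain controller's Security log answers directly. This is an added example, not code from the original article or from any product it mentions: it parses the XML of Windows Security events and flags a member added to a privileged group (events 4728, 4732 and 4756) as well as a change to an object's ACL (event 5136 on the nTSecurityDescriptor attribute, which only appears when "Audit Directory Service Changes" is enabled). The three event records embedded in the script are constructed samples so it runs offline; the commented Get-WinEvent line shows how real records are fed in. The privileged-group list and the EXAMPLE domain are assumptions.

```powershell
# Added example, not from the original article. Flags two kinds of recent privilege grants in
# the Security log of a domain controller: a member added to a privileged group (events 4728,
# 4732, 4756) and an ACL change on a directory object (event 5136 on nTSecurityDescriptor,
# which needs "Audit Directory Service Changes" enabled). The event XML below is constructed
# for an offline run; Get-WinEvent supplies real records.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins')
$memberAddedIds   = 4728, 4732, 4756

function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)] [string] $Xml)
    $e    = ([xml]$Xml).Event
    $data = @{}
    foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $idNode = $e.System.EventID     # plain text, or an element when a Qualifiers attribute is present
    [pscustomobject]@{
        EventId   = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
        Time      = [datetime]$e.System.TimeCreated.SystemTime
        Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Group     = $data['TargetUserName']            # 47xx: group that gained a member
        Member    = $data['MemberName']                # 47xx: DN of the added account
        Object    = $data['ObjectDN']                  # 5136: object whose attribute changed
        Attribute = $data['AttributeLDAPDisplayName']  # 5136: attribute name
    }
}

function Find-PrivilegeGrant {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($ev in $Events) {
        if ($memberAddedIds -contains $ev.EventId -and $privilegedGroups -contains $ev.Group) {
            [pscustomobject]@{ Time = $ev.Time; Actor = $ev.Actor; Finding = "added $($ev.Member) to $($ev.Group)" }
        }
        elseif ($ev.EventId -eq 5136 -and $ev.Attribute -eq 'nTSecurityDescriptor') {
            [pscustomobject]@{ Time = $ev.Time; Actor = $ev.Actor; Finding = "changed the ACL of $($ev.Object)" }
        }
    }
}

# Constructed sample records (not real log data): the first and third should be flagged,
# the second (a non-privileged group) should not.
$s1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID><TimeCreated SystemTime="2018-09-10T03:15:42.000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=svc-backup,OU=Service Accounts,DC=example,DC=local</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$s2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4732</EventID><TimeCreated SystemTime="2018-09-10T03:16:10.000Z"/></System>
  <EventData>
    <Data Name="MemberName">CN=alice,OU=Users,DC=example,DC=local</Data>
    <Data Name="TargetUserName">Remote Desktop Users</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@
$s3 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><TimeCreated SystemTime="2018-09-10T03:20:05.000Z"/></System>
  <EventData>
    <Data Name="ObjectDN">DC=example,DC=local</Data>
    <Data Name="AttributeLDAPDisplayName">nTSecurityDescriptor</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
  </EventData>
</Event>
'@

$parsed = $s1, $s2, $s3 | ForEach-Object { ConvertFrom-SecurityEventXml $_ }
Find-PrivilegeGrant -Events $parsed | Format-Table -AutoSize

# Against a real DC (last 24 hours), run as a user allowed to read the Security log:
# $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $memberAddedIds + 5136; StartTime = (Get-Date).AddDays(-1) }
# Find-PrivilegeGrant -Events ($records | ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() })
```

The 5136 branch is what catches a shadow admin being created: a delegation made by editing an ACL never produces a group-membership event, so watching only 47xx events would miss it.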


Ensuring an appropriate level of privileged access management is the second step in building an efficient cybersecurity strategy and combating shadow admins. Once you know who can access your company’s valuable data, you can take necessary measures to either secure or dismiss these accounts. Consider implementing the least-privilege approach for all privileged accounts and assigning any elevated permissions only on an “as needed” basis.

When looking for an efficient solution to these problems, turn your attention to Ekran System. It’s a universal platform for monitoring, auditing, and managing both regular and privileged users. The platform gives you full visibility into your network and lets you take proactive measures to prevent privilege misuse at any level.

Conclusion

Delegated or shadow administrative accounts can pose a serious threat to an organization’s cybersecurity when they remain undiscovered. However, identifying stealthy admins isn’t enough – you need to manage them effectively in order to mitigate any cybersecurity and financial risks they can pose. While ACL scanning works well for discovering accounts with elevated permissions, the only way you can effectively manage and secure these accounts is by implementing an appropriate level of Privileged Access Management.


