WSUS, 3rd Party Update and Local Publishing to a DFS or UNC

I'm not going to get elaborate with this post.  Mostly because I don't post often.  However this is one of those "Woohoo!" moment when you get something working despite everyone else saying it does not work or there is no workaround.

I'm referring to a "bug" in the WSUS Publishing API when your WSUS Content folder resides on a UNC or DFS path.

http://blogs.msdn.com/b/minfangl/archive/2014/01/29/system-center-update-publisher-2011-troubleshoot-series-3-publish-fail-when-scup-2011-is-remote-and-wsus-is-using-unc-as-content-folder.aspx

In this scenario your WSUS servers have a registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup\ContentDir

This points to the UNC path were all your content is published to.  The problem is that this information is not available if your using SCUP on a remote system or your 3rd party updating tool is on a different server from your WSUS server.

Honestly after beating my head on a wall for a few days I just exported the whole key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Update Services\Server\Setup

Then imported that onto the system where your running SCUP.  I expect the same would work for other 3rd party patching tools like from SolarWinds or others.

http://www.solarwinds.com/patch-manager.aspx

I'm guessing that the WSUS Console expects these registry keys to be available.  All the 3rd party patching just called it a bug.  I bet if you ran Process Monitor you could identify the specific registry keys that are needed rather than exporting all the sub-keys.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Cloud & Hosted Security

SO it’s a blast watching patch 61 of 98 installing at 2AM…

Something my troubled brain has pondered is why companies seem to be migrating services to cloud servers in droves.  How can you trust anything if you don’t manage the physical hardware?

Whoever manages that physical hardware is holding all the keys.  No matter how “secure” you make the VM from network attacks, use duper strong pass phrases and keep the system patches and even install HIPS its easily bypassed by the provider.

This article about how a collection of 3 letter agencies were able to take down "The Silk Road" a website that operated in the Tor network (just to be clear I am not upset they took the website down but this is not a post about morality).  Anyway this re-started my brain pondering the security of cloud VMs and hosted servers.

http://arstechnica.com/tech-policy/2013/10/how-the-feds-took-down-the-dread-pirate-roberts/

The interesting part in the article was “the government asked for an image of the server's hard drives”.  This was accomplished without turning off or shutting down the VM.  It happened without the owner ever knowing something happened.

It’s a security issue that’s been raised before.

http://searchvmware.techtarget.com/news/1378347/How-to-steal-a-virtual-machine-and-its-data-in-3-easy-steps

So what can we do to mitigate this type of security issue?

Nothing.  Seriously, nothing.

For example how about installing PGP WDE/TrueCrypt on the VM and encrypt the entire VM contents?  Sound like that would fix everything right?  I mean the virtual drive is encrypted and so if they capture that then it’s still encrypted.  Great!  Oh well the problem is "they" have physical access to the host so the operator can simply snapshot the entire VM and dump the VM Memory to a file.  Now can you guess where the encryption keys are stored while the VM is running?  Yep in memory.  So now they just search the memory for where PGP WDE/TrueCrypt stores the keys.  Well shoot we didn’t even have to hack into the console redirection code of the host operating system to log console redirection when the VM owner had to manually enter the PGP WDE/TrueCrypt key to get the VM to boot.

So not even the coveted whole disk encryption can save your VM from curious eyes that might be working for a cloud provider. 

Now this could have also been done on any physical server with raid 1 drives.  They would just have to pull a drive out claiming it had failed and needed to be replace.  Once pulled they could simply  pop that drive into another system and capture the image.  For physical servers there is some additional security such as adding some type of whole disk encryption on the physical server would prevent the drive from being pulled and used to capture the system image.  However it would still be possible to extract the encryption keys from the physical servers memory the process is much more involved and would require some noticeable downtime while the system memory was dumped.

There is also the TPM (Trusted Platform Module) chip on some motherboards that provides a secure location to store the encryption keys between rebooting.  This eliminates the requirement to enter any pass phrase to being booting the system.  The problem here is that the manufacture creates the RSA keys used by the TPM chip and they cannot be re-generated (to my knowledge).  So every TPM chip produced is intentionally compromised.  Yah very “trusted”.  This is similar to the issue with centralized Certification Authorities.  So even [insert trusted root CA here] SSL certificates are intentionally compromised but that’s another rant of mine.

If you cannot trust the physical network, physical security and host the VM is being executed on there is no amount of “security” you can patch on to make it secure. 

So where does that leave us?  Lockup your servers in a dark, cold, tower of a room and do not let anyone in.

Ok back to watching servers patch.

J

Document Active Directory with GPO Reports

Accuratly documenting your network is one of the most important things you can do.  Not only does it make your job easier but it also helps make everyone elses job just a little easier.  Knowing how something should be can really help in getting it fixed faster.

We have had a big push to more acuratly document our network.  Being a big fan of GPOs we have quite a few of them.  Around 160 of them actually.  So I wanted to document them but without having to look through each one and write every setting down.

Luckily the Group Policy MMC has a neat little report you can export.  Whats even neater is you can call that up with PowerShell and export it without using the GUI.  So you can export every setting in all your GPOs with a single script.

We like to keep records of what changes so each time you run this it puts the reports into a dated folder.

Here is that script.

Import-Module GroupPolicy $year = get-date -uformat "%Y" $month = get-date -uformat "%m" $day = get-date -uformat "%d" New-Item -ItemType directory -Path C:\GPOReports\$year\$month\$day -ErrorAction silentlyContinue $GPOs = Get-GPO -All $pattern = "[{0}]" -f ([Regex]::Escape([String][System.IO.Path]::GetInvalidFileNameChars())) foreach($GPO in $GPOs){  $filename = $GPO.DisplayName  $filename = [Regex]::Replace($filename, $pattern, ' ')  $path = 'C:\GPOReports\' + $year + '\' +$month + '\' + $day + '\' + $filename + '.htm'  Get-GPOReport -Guid $GPO.Id -ReportType HTML -Path $path }

Spreading the word about Solarwinds

Everyone knows monitoring your network is important and there are so many tools out there to get the job done it can be overwhelming.  I have tried several and have found SolarWinds to be my favorite.  I have been using it since around 2007 and love the active support and community.

SolarWinds has a whole set of tools for whatever your needs are from standard network monitoring to configuration management and security event management.  The great thing about all their products is they offer some of the highest quality support I have ever dealt with.  Their support is responsive and they really know the products they support.

If you’re looking at getting something for network management checkout the solutions from SolarWinds.

CentOS & RHEL 6.3 missing libnetfilter_queue

I am no Linux expert so it bugs me when I have to go hunting for packages to meet my requirements. In this case I was trying to setup a new CentOS 6.3 development VM for my project OpenNOP. To build OpenNOP it requires libnetfilter_queue & libnetfilter_queue-devel. These are very popular packages now and most distro have them out the door. Debian, Fedora, openSuSE are the ones I know of to include these packages. Now that would be fine if these were burried away down in some "extra" or "contrib" repo but no they just dont seem to exist. Redhat has not packaged them for RHEL thus CentOS does not have them either.

Well to finally end my frustration I was able to find a repo that contains these packages for me and from a trusted source. ClearOS the gateway appliance based on CentOS has built packages for libnetfilter_queue and libnetfilter_queue-devel.

Just create a new repo and enable them to install the packages. Then disable them when finished. They offer almost all the same packages as the RHEL/CentOS repos so we want to be very careful when using these. Be even more careful when trying to update them.

nano /etc/yum.repos.d/ClearOS-Base.repo # CentOS-Base.repo # # The mirror system uses the connecting IP address of the client and the # update status of each mirror to pick mirrors that are updated to and # geographically close to the client. You should use this for CentOS updates # unless you are manually picking other mirrors. # # If the mirrorlist= does not work for you, as a fall back you can try the # remarked out baseurl= line instead. # # # # Added Custom Repo for libnetfilter_queue # #base - packages by ClearOS [clearos] name=ClearOS-$releasever - Base #mirrorlist=http://mirror.clearfoundation.com/?release=$releasever&arch=$basearch&rep$ #baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/ baseurl=http://mirror.clearfoundation.com/clearos/community/$releasever/os/$basearch/ gpgcheck=0 enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 # # Added Custom Repo for libnetfilter_queue # #addons - packages by ClearOS [addons] name=ClearOS-$releasever - Addons #mirrorlist=http://mirror.clearfoundation.com/?release=$releasever&arch=$basearch&rep$ #baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/ baseurl=http://mirror.clearfoundation.com/clearos/community/$releasever/addons/$basearch/ gpgcheck=0 enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

Grading the quality of your source code

While reviewing the source code for OBS over on GitHub. I stumbled upon a very neat little tool called Code Climate. It reviews your code and provides you with real-time feedback on it's quality. Currently Code Climate only supports Ruby and while that helps me very little the concept is still pretty great. I asked them if they had plans to include other languages for their service. They answered "Yes" but did not have any plans to include C or a link to SVN at this time. If you’re into Ruby and Git it’s a pretty neat tool. I hope they will soon include other languages and help people make better code.

WSUS Wont download updates

Over the years of working with WSUS I have had some clients that just refuse to download and install updates. Eventually manually clearing out the BITS download cache and trying to resync they will eventually work. So I made a little script to do that for me. net stop wuauserv net stop bits REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f del %windir%\SoftwareDistribution\*.* /q/s net start bits net start wuauserv wuauclt /detectnow