Tuesday, 24 January 2012

SCVMM 2012 - Creating a Highly Available VMM Server


Here are the pre-requisites for a HA VMM server installation:
1. Failover clustering feature added, cluster created and configured (Windows Server 2008 R2 is the minimum OS version supported as node servers)
2. Windows Automated Installation Kit (AIK) for Windows 7 installed on all nodes that will be used as VMM servers http://www.microsoft.com/downloads/en/details.aspx?FamilyID=696dd665-9f76-4177-a811-39c26d3b3b34&displaylang=en
3. Server and instance name of a SQL Server 2008 or SQL Server 2008 R2 cluster or remote SQL server (best practice to use clustered SQL Server with HA VMM servers)
4. For the DKM (Distributed Key Management) requirement, either install VMM while logged on with an account that has “edit” permission on the Active Directory container (it can be a lower-level container; it doesn’t have to be the root), or have the DKM group pre-created in Active Directory and its name available to provide at setup (more on the DKM requirement later)

HA VMM Installation Steps
When we were designing this feature we wanted it to be very easy and simple. Installation of VMM in an HA or standalone fashion is very similar and it is integrated into the usual standalone installation.
1. To install VMM in an HA fashion you just need to start the installation of VMM on one of the clustered nodes, and select Install from our splash screen.
2. After accepting our EULA you will get our feature selection screen, as you can see one of the setup improvements that we did for this version of VMM is to chain the various VMM installations together.
3. Once you select the VMM Server feature, we will detect that you are running this server on a failover clustering node and will offer to start HA VMM setup instead. You will need to select YES at this dialog to start HA VMM setup. Note that it is supported to install VMM in a standalone fashion on a cluster node; all you have to do is select NO at this dialog box.
4. Once you select YES to the HA VMM opt-in question, setup will select the features that you need for this installation. In this version of VMM, regardless of its high availability aspect, it is a requirement to install VMM Console on all machines that VMM Server is installed; therefore in this dialog we will select VMM Server and VMM Console.
Another important thing to note here is that we actually do not recommend selecting Self-Service Portal during HA VMM installation, but it is allowed at Beta code, this will be fixed at RTM timeframe and we will gray out Self-Service Portal selection in this view.
5. After this page we will ask you standard questions about registration information, product key (another improvement: you can leave the product key section empty in VMM 2012), Microsoft Update configuration (if not configured previously) and installation location, and finally we will come to the database configuration page.
In the database configuration page you will need to provide the server name, instance name and database name that setup will use.
There are many options here:
1. You can ask setup to create a new database (logged on user needs to have permission to create a database on the server name provided)
2. Use an existing database (if the logged on user doesn’t have permission to create a database, database admins can pre-create an empty database and VMM can add its tables to that database during installation)
3. Provide different credentials other than logged on users credentials
Please note that as mentioned before the best practice is to use a clustered SQL server for HA VMM installations.
If you leave a port or instance name boxes empty in this page we will use the defaults for that box (e.g. if you leave port number empty we will use 1433, or if you leave the instance name empty we will use default instance on the SQL server that you provided.)
We will use the provided SQL server instance’s defaults for log and database file locations, if you like to provide different locations you can;
1. Pre-create an empty database with its log and database file locations pointing to where ever you want them to, and then provide this empty database to VMM as existing database during install.
6. After database configuration page you will come to an HA VMM specific cluster configuration page. This page will be different for different configurations, for example for IPv6 and DHCP configured servers you will not see the second portion of the page and will only provide the cluster service name.
Cluster service name here basically is the name in active directory the users and admins will use to identify this HA VMM service. When choosing this name, make sure that it is a unique name that is easy to identify the HA VMM service.
7. Another important setup page in HA VMM installation is the account configuration page.
There are two things that are mandatory in this page for HA VMM installations:
a. HA VMM server installation requires a domain account as a startup account for the VMM service. You won’t have the choice to use a local system here. It is best practice to use a dedicated domain account created just for VMM as a service account here.
b. The other mandatory place in this page is for VMM to store its encryption keys in AD.
As mentioned at the beginning of the blog we use Distributed Key Management (DKM) to let users and processes running on different machines securely share data. Once an HA VMM node fails over to another node, the VMM service on that failed over node starts accessing the VMM database and uses the encryption keys conveniently stored under a container in AD to decrypt the data that is being held securely encrypted in the VMM database.
· The AD container distinguished name that will contain DKM data needs to be written in the LDAP Data Interchange Format (LDIF) at this screen.
· If the logged on user has permission to create a container in AD then the group won’t have to be pre-created. The group name can be anything VMM admin chooses, and the container in AD doesn’t have to be a root container.
Example #1: If the domain name is contoso.com and the DKM group name was decided to be “VMMDKM”, the user can write CN=VMMDKM,DC=contoso,DC=com under the DKM setting, and since the logged on user has permission to create this container, VMM setup would create this container in the contoso.com domain.
Example #2: If user has no permission to create a container in AD then he/she needs to coordinate with the AD admins to create this group and get the container’s “distinguished name” from AD admins prior to HA VMM installation. Make sure to ask AD admin to provide the following rights to the setup user;
1. Generic Write
2. Generic Read
3. Create Child
One convenient way to get this information from AD admin could be to give him/her a ready script to run in his/her environment. This way you don’t have to explain much, they would just run the script and let you know when it successfully executes.

One easy way to create an ADSI script is to use “ADSI Scriptomatic” tool to create a script; you can get this tool from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=39044e17-2490-487d-9a92-ce5dcd311228&DisplayLang=en
8. Once you are done with these pages you will see VMM port selection page and after that you will see the library creation page. For HA VMM installation this page is just there for warning purposes because setup does not create a default library share after HA VMM installations.
The reason behind this is that when creating high availability for VMM servers, it is important that not only the VMM server feature but all components that constitutes VMM service are also highly available (hence the best practice recommendation for clustered SQL Server in the previous step)

After HA VMM installation, a new library server and share needs to be added to VMM . It is best practice to use a HA file server for HA VMM library server.
9. After going through the installation summary page your installation will start and in couple of minutes end with a successful installation of the first node of your HA VMM server.
10. After the first node installation you can easily add another node to this HA VMM cluster that you just created, to do that simply start the VMM setup on the second node where you want to install HA VMM.
After going through the EULA page and selecting the VMM server feature checkbox you will see a similar popup as the first node installation, but this time we will detect the HA VMM and ask “if you want to add this server as a node”. If you say YES, there will be minimum amount of pages of setup and your second node will be added. You will need to repeat this on all of the nodes that you want to add to this HA VMM installation.
Important SCVMM 2012 HA VMM Facts
a. It is a fault tolerant service feature, but this does not increase scale/performance
b. There can be as many as 16 nodes in an HA VMM installation but there can be only one node active at any time.
c. When VMM console connects it asks for a VMM server name and port number. Make sure to provide the cluster name of the HA VMM service instead of a node name here. Connecting to a node name will not be allowed.
d. You can do a planned failover (i.e. to install a patch, do maintenance to a node etc..) using failover clustering UI; there is no way to failover HA VMM service using the VMM console in this version of VMM.
e. You can only see the active node of the HA VMM service from the failover clustering UI or by using the Get-SCVMMServer PowerShell cmdlet at beta timeframe.
PowerShell Commands
There are three new parameters under Get-SCVMMServer
1. IsHighlyAvailable – True/False
2. FailoverVMMNodes – FQDN of all nodes that this HA VMM installation contains
3. ActiveVMMNode – FQDN of the active node
When you do a planned failover make sure to do following:
  • Always perform inside a maintenance window that is communicated to SCVMM users.  All running tasks and all connections to VMM consoles and Self-Service Portals will be stopped at failover time.
  • Running jobs that failed due to the failover will not start automatically after failover. If the particular job supports restarting it will be possible to restart this job but this process will not be automatic.
  • Ensure that when connecting VMM console the VMM cluster service name is used to enable reconnecting to the VMM service after planned failover.
Uninstall HA VMM Service
  • To uninstall an HA VMM server, simply go to any node and manually uninstall VMM server on that node, repeat this until you come to the last node, during last node un-installation, setup will warn you that this is the last node of the HA VMM Installation and removing this node will remove the clustering resources.
    • Note: You cannot uninstall HA VMM from an active node of a multi-node cluster; you will need to start from the inactive node first.

How to install Data Protection Manager to a Windows 2008 Server


Article http://technet.microsoft.com/en-us/library/bb808814(TechNet.10).aspx describes how to install DPM on to a 2008 Server. However I have found that this article is incomplete. The following is how to install DPM onto a 2008 Server.
After the 2008 Server setup has finished perform the following:
1. Click Start, point to Administrative Tools, and then click Server Manager.
2. Expand Server Manager to the Features node, and then select Features.
3. In the Features pane, click Add Features.
4. Select Windows PowerShell, and then click Next.
5. On the Confirm Installation Selections page, click Install.
6. Click Start, point to Administrative Tools, and then click Server Manager.
7. Expand Server Manager to the Roles node, and then select Roles.
8. In the Roles pane, click Add Roles.
9.  In the Add Roles Wizard, on the Before You Begin page, click Next.
10. On the Select Server Roles page, select Web Service (IIS).
11. In the Add features required for Web Server (IIS)? message box, click Add Required Features.
      1. Ensure that you select the following Role service:
      2. HTTP Redirection
      3. Application Development
        1. ASP.net
        2. .NET Extensibility
        3. ISAPI Extensions
        4. ISAPI Filters
        5. Server Side Includes
      4. IIS 6 Management Compatibility
        1. IIS 6 Metabase Compatibility
        2. IIS 6 WMI Compatibility
        3. IIS 6 Scripting Tools
        4. IIS 6 Management Console
      5. Security (Installed)
        1. Windows Authentication (Installed)
Note: if you do not install these components correctly you will get an error during DPM installation.
12.  Install SIS
  1. At a command prompt (with elevated privileges) type:
    1. Ocsetup.exe SIS-Limited
    2. Press enter
    3. Wait for the command to complete (this can take a while)
    4. Reboot the box.
      1. To ensure that the SIS service gets installed you can check the following key. This key will appear after a reboot.
13.  Run the DPM installation wizard.
14. Install hotfix 950082: Description of the Data Protection Manager 2007 hotfix package rollup 2

Sunday, 22 January 2012

DHCP -Information


Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays the IP address, subnet mask, and default gateway for all adapters.
ipconfig [/all] [/renew [Adapter]] [/release [Adapter]] [/flushdns] [/displaydns] [/registerdns] [/showclassid Adapter] [/setclassid Adapter [ClassID]]
/all : Displays the full TCP/IP configuration for all adapters. Without this parameter, ipconfig displays only the IP address, subnet mask, and default gateway values for each adapter. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
/renew [Adapter] : Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/release [Adapter] : Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the Adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/flushdns : Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.
/displaydns : Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.
/registerdns : Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS.
/showclassid Adapter : Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically.
/setclassid Adapter [ClassID] : Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of Adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed.
/?: Displays help at the command prompt.

The ipconfig command is the command-line equivalent to the winipcfg command, which is available in Windows Millennium Edition, Windows 98, and Windows 95. Although Windows XP does not include a graphical equivalent to the winipcfg command, you can use Network Connections to view and renew an IP address. To do this, open Network Connections, right-click a network connection, click Status, and then click the Support tab.

This command is most useful on computers that are configured to obtain an IP address automatically. This enables users to determine which TCP/IP configuration values have been configured by DHCP, Automatic Private IP Addressing (APIPA), or an alternate configuration.

If the Adapter name contains any spaces, use quotation marks around the adapter name (that is, "Adapter Name").

For adapter names, ipconfig supports the use of the asterisk (*) wildcard character to specify either adapters with names that begin with a specified string or adapters with names that contain a specified string. For example, Local* matches all adapters that start with the string Local and *Con* matches all adapters that contain the string Con.

This command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections

Saturday, 21 January 2012

Upgrade Linux Kernel


You need to compile kernel only if:
=> You need custom made kernel for specific task such as embedded kernel.
=> Apply third party security patches.
=> You need to apply specific patch to Linux

Upgrade of the kernel in Red Hat enterprise Linux version <= 4.x

If your system is registered with Red Hat Network (RHN), then you can use the up2date command as follows:
# up2date -f kernel
For SMP kernel (multi core or multiple CPU) use command:
# up2date -f kernel-smp

Upgrade of the kernel in Fedora Linux / CentOS / RHEL 5

Use yum command to upgrade kernel:
# yum update kernel
If you have downloaded RPM file use rpm command:
# rpm -ivh kernel*

Upgrade of the kernel in Debian or Ubuntu Linux

Use apt-get command. First find your kernel version:
$ uname -r
Next find available kernel images:
$ apt-cache search linux-image
Now install kernel by explicitly specifying version number:
# apt-get install linux-image-x.x.x-xx
$ sudo apt-get install linux-image-x.x.x-xx

How to find which kernel version is installed on my Linux system


Q. I am a new proud Linux user. My question to you is - how do I find which kernel version installed on my Linux system? How do I upgrade my kernel to latest version? Any help would be greatly appreciated.
A. The Linux kernel is the central component of most computer operating systems (OSs). Its responsibilities include managing the system's resources and the communication between hardware and software components.
You need to use uname command to print certain system information including kernel name. Type the following command to print kernel version number:
$ uname -r

20 Linux Server Hardening Security Tips-3


#17: Logging and Auditing

You need to configure logging and auditing to collect all hacking and cracking attempts. By default syslog stores data in /var/log/ directory. This is also useful to find out software misconfiguration which may open your system to various attacks. See the following logging related articles:
  1. Linux log file locations.
  2. How to send logs to a remote loghost.
  3. How do I rotate log files?.
  4. man pages syslogd, syslog.conf and logrotate.

#17.1: Monitor Suspicious Log Messages With Logwatch / Logcheck

Read your logs using logwatch or logcheck. These tools make your log reading life easier. You get detailed reporting on unusual items in syslog via email. A sample syslog report:
################### Logwatch 7.3 (03/24/06) ####################
        Processing Initiated: Fri Oct 30 04:02:03 2009
        Date Range Processed: yesterday
                              ( 2009-Oct-29 )
                              Period is day.
      Detail Level of Output: 0
              Type of Output: unformatted
           Logfiles for Host: www-52.nixcraft.net.in
 --------------------- Named Begin ------------------------
 **Unmatched Entries**
    general: info: zone XXXXXX.com/IN: Transfer started.: 3 Time(s)
    general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 3 Time(s)
    general: info: zone XXXXXX.com/IN: Transfer started.: 4 Time(s)
    general: info: zone XXXXXX.com/IN: refresh: retry limit for master ttttttttttttttttttt#53 exceeded (source ::#0): 4 Time(s)
 ---------------------- Named End -------------------------
  --------------------- iptables firewall Begin ------------------------
 Logged 87 packets on interface eth0
   From 58.y.xxx.ww - 1 packet to tcp(8080)
   From 59.www.zzz.yyy - 1 packet to tcp(22)
   From 60.32.nnn.yyy - 2 packets to tcp(45633)
   From 222.xxx.ttt.zz - 5 packets to tcp(8000,8080,8800)
 ---------------------- iptables firewall End -------------------------
 --------------------- SSHD Begin ------------------------
 Users logging in through sshd:
       123.xxx.ttt.zzz: 6 times
 ---------------------- SSHD End -------------------------
 --------------------- Disk Space Begin ------------------------
 Filesystem            Size  Used Avail Use% Mounted on
 /dev/sda3             450G  185G  241G  44% /
 /dev/sda1              99M   35M   60M  37% /boot
 ---------------------- Disk Space End -------------------------
 ###################### Logwatch End #########################
(Note output is truncated)

#17.2: System Accounting with auditd

The auditd daemon is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open the /etc/audit.rules file and make changes such as setting the audit log file location and other options. With auditd you can answer the following questions:
  1. System startup and shutdown events (reboot / halt).
  2. Date and time of the event.
  3. User responsible for the event (such as trying to access /path/to/topsecret.dat file).
  4. Type of event (edit, access, delete, write, update file & commands).
  5. Success or failure of the event.
  6. Records events that Modify date and time.
  7. Find out who made changes to modify the system's network settings.
  8. Record events that modify user/group information.
  9. See who made changes to a file etc.
See our quick tutorial which explains enabling and using the auditd service.

#18: Secure OpenSSH Server

The SSH protocol is recommended for remote login and remote file transfer. However, ssh is open to many attacks. See how to secure OpenSSH server:

#19: Install And Use Intrusion Detection System

A network intrusion detection system (NIDS) is an intrusion detection system that tries to detect malicious activity such as denial of service attacks, port scans or even attempts to crack into computers by monitoring network traffic.
It is a good practice to deploy integrity checking software before the system goes online in a production environment. If possible, install AIDE before the system is connected to any network. AIDE is a host-based intrusion detection system (HIDS); it can monitor and analyse the internals of a computing system.
Snort is a software for intrusion detection which is capable of performing packet logging and real-time traffic analysis on IP networks.

#20: Protecting Files, Directories and Email

Linux offers excellent protections against unauthorized data access. File permissions and MAC prevent unauthorized users from accessing data. However, permissions set by Linux are irrelevant if an attacker has physical access to a computer and can simply move the computer's hard drive to another system to copy and analyze the sensitive data. You can easily protect files and partitions under Linux using the following tools:

#20.1: Securing Email Servers

You can use SSL certificates and gpg keys to secure email communication on both server and client computers:

20 Linux Server Hardening Security Tips-2


#11: Configure Iptables and TCPWrappers

Iptables is a user space application program that allows you to configure the firewall (Netfilter) provided by the Linux kernel. Use the firewall to filter out traffic and allow only necessary traffic. Also use TCPWrappers, a host-based networking ACL system, to filter network access to the Internet. You can prevent many denial of service attacks with the help of Iptables:

#12: Linux Kernel /etc/sysctl.conf Hardening

/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from /etc/sysctl.conf at boot time. Sample /etc/sysctl.conf:
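# Turn on execshield (Red Hat kernels that provide Exec Shield)
kernel.exec-shield = 1
# Enable IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1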

#13: Separate Disk Partitions

Separating the operating system files from user files may result in a better and more secure system. Make sure the following filesystems are mounted on separate partitions:
  • /usr
  • /home
  • /var and /var/tmp
  • /tmp
Create separate partitions for Apache and FTP server roots. Edit the /etc/fstab file and make sure you add the following configuration options:
  1. noexec - Do not set execution of any binaries on this partition (prevents execution of binaries but allows scripts).
  2. nodev - Do not allow character or special devices on this partition (prevents use of device files such as zero, sda etc).
  3. nosuid - Do not set SUID/SGID access on this partition (prevent the setuid bit).
Sample /etc/fstab entry to limit user access on /dev/sda5 (ftp server root directory):
/dev/sda5  /ftpdata          ext3    defaults,nosuid,nodev,noexec 1 2
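
A check for the mount options above, as an added example that is not part of the original article: it reads an fstab file and reports which of nosuid, nodev and noexec each named mount point lacks. The function names, the sample fstab and the choice of mount points to check are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# sample_fstab: print a constructed fstab used for demonstration only.
sample_fstab() {
cat <<'EOF'
# constructed sample, not taken from a real host
/dev/sda1  /         ext3  defaults                      1 1
/dev/sda5  /ftpdata  ext3  defaults,nosuid,nodev,noexec  1 2
/dev/sda6  /tmp      ext3  defaults,nosuid               1 2
/dev/sda7  /var      ext3  defaults                      1 2
EOF
}

# missing_mount_opts FSTAB MOUNTPOINT
# Prints the options among nosuid/nodev/noexec that the entry for MOUNTPOINT
# lacks (space-separated), "unlisted" if MOUNTPOINT has no entry of its own,
# and nothing when all three are present.
missing_mount_opts() {
    awk -v mp="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        $2 == mp {
            found = 1
            split($4, opts, ",")               # 4th field is the option list
            for (i in opts) have[opts[i]] = 1
        }
        END {
            if (!found) { print "unlisted"; exit }
            out = ""
            if (!("nosuid" in have)) out = out " nosuid"
            if (!("nodev"  in have)) out = out " nodev"
            if (!("noexec" in have)) out = out " noexec"
            if (out != "") print substr(out, 2)
        }
    ' "$1"
}

# audit_fstab FSTAB MOUNTPOINT...
# Prints one finding per mount point that needs attention; returns 1 if any.
audit_fstab() {
    fstab=$1; shift
    rc=0
    for mp in "$@"; do
        miss=$(missing_mount_opts "$fstab" "$mp")
        case $miss in
            "")       ;;
            unlisted) echo "$mp: no separate fstab entry"; rc=1 ;;
            *)        echo "$mp: missing $miss"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use: ./fstab-audit.sh /etc/fstab /ftpdata /tmp /var/tmp
if [ "$#" -ge 2 ]; then
    audit_fstab "$@"
fi
```

Only pass mount points that hold data rather than programs; noexec on a partition such as /usr would stop the system's own binaries from running.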

#13.1: Disk Quotas

Make sure disk quota is enabled for all users. To implement disk quotas, use the following steps:
  1. Enable quotas per file system by modifying the /etc/fstab file.
  2. Remount the file system(s).
  3. Create the quota database files and generate the disk usage table.
  4. Assign quota policies.
  5. See implementing disk quotas tutorial for further details.

#14: Turn Off IPv6

Internet Protocol version 6 (IPv6) provides a new Internet layer of the TCP/IP protocol suite that replaces Internet Protocol version 4 (IPv4) and provides many benefits. Currently there are no good tools available which are able to check a system over the network for IPv6 security issues. Most Linux distros have begun enabling the IPv6 protocol by default. Crackers can send bad traffic via IPv6 as most admins are not monitoring it. Unless the network configuration requires it, disable IPv6 or configure the Linux IPv6 firewall:

#15: Disable Unwanted SUID and SGID Binaries

Any file with the SUID/SGID bit set can be misused when the SUID/SGID executable has a security problem or bug. Any local or remote user can run such a file. It is a good idea to find all such files. Use the find command as follows:
# See all set user id files:
find / -perm -4000
# See all set group id files
find / -perm -2000
# Or combine both in a single command
find / \( -perm -4000 -o -perm -2000 \) -print
# Regular files with either bit set, skipping /proc, with ls-style details
# (-perm /6000 is GNU find syntax; the older +6000 form is no longer accepted)
find / -path /proc -prune -o -type f -perm /6000 -ls

You need to investigate each reported file. See reported file man page for further details.
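
One way to make that investigation repeatable, as an added example that is not part of the original article: keep a reviewed baseline of SUID/SGID files and report only the ones that are not on it. The function names and the baseline format (one absolute path per line) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names and the
# baseline file format (one absolute path per line) are hypothetical.

# list_setid DIR
# Print every regular file under DIR (staying on DIR's filesystem) that has
# the SUID or SGID bit set, one path per line, sorted.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# not_in_baseline BASELINE
# Read paths on stdin and print those that are not an exact line of BASELINE.
# Returns 2 without printing paths if BASELINE cannot be read, so a missing
# baseline is never mistaken for a clean result.
not_in_baseline() {
    [ -r "$1" ] || { echo "baseline $1 is not readable" >&2; return 2; }
    # grep exits 1 when nothing is left over; that is the clean case here.
    grep -Fxv -f "$1" || true
}

# unexpected_setid DIR BASELINE
# Print SUID/SGID files under DIR that have not been reviewed yet.
unexpected_setid() {
    list_setid "$1" | not_in_baseline "$2"
}

# Stand-alone use: ./setid-audit.sh / /root/setid.baseline
# Exits 1 when unreviewed files exist, 2 when the baseline is unreadable.
if [ "$#" -eq 2 ]; then
    found=$(unexpected_setid "$1" "$2") || exit 2
    if [ -n "$found" ]; then
        printf 'Unreviewed SUID/SGID files:\n%s\n' "$found"
        exit 1
    fi
fi
```

Create the first baseline from the output of list_setid after reviewing every entry, then run the comparison from cron and after package updates.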

#15.1: World-Writable Files

Anyone can modify a world-writable file, which results in a security issue. Use the following command to find all world-writable directories that do not have the sticky bit set:
find /dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
You need to investigate each reported file and either set correct user and group permission or remove it.

#15.2: Noowner Files

Files not owned by any user or group can pose a security problem. Find the files which do not belong to a valid user and a valid group with the following command:
find /dir -xdev \( -nouser -o -nogroup \) -print
You need to investigate each reported file and either assign it to an appropriate user and group or remove it.