Friday, December 21, 2012

Virus Alert - Win 7 Defender

I just found out today about a new piece of malware going around called Win 7 Defender. It is scareware (rogue security software) designed to look like a legitimate anti-virus program, but all it actually provides is false security warnings. It is spread by posing as a program you supposedly need in order to view an online video, and once installed it modifies the .exe file association so that launching any program goes through the Win 7 Defender executable instead.
Once installed it will pretend to scan your machine and present you with multiple bogus infections on your PC. If you try to remove them it will state that you need to purchase the program before it will do so. Under NO circumstances should you do so! This malware exists for one reason: to scare you into thinking you are infected so you will pay for the program.

Removal Process:
  1. From a clean computer download Rkill here. Save it to a thumb drive so you can copy it to the infected computer. (Rkill is also offered as renamed copies such as rkill.com and rkill.scr for cases where the .exe association is hijacked and a normal .exe will not launch.)
  2. Restart the infected computer in Safe Mode with Networking. You do this by pressing F8 repeatedly during start-up, before the Windows logo appears, and choosing it from the Advanced Boot Options menu.
  3. Once the computer has booted, plug in the flash drive and run Rkill. This terminates the Win 7 Defender processes so the clean-up tools can run. Rkill does not remove anything itself, so do not reboot between this step and the scan below or the malware will simply start again.
  4. Now download and install Malwarebytes Anti-Malware (if you do not already have it).
  5. Once installed it will automatically run and offer to scan your PC. Make sure you run a FULL scan.
  6. When the scan completes you will be asked to view the results. Click OK.
  7. You will be taken to a screen that lists all the infected files and registry entries. Check everything and click Remove Selected.
  8. Close Malwarebytes, restart your PC in normal mode and confirm the symptoms are gone (double-clicking any .exe should launch it normally again).
My advice is to be careful which links you click, especially in suspicious emails. Delete them and be safe, not sorry!
Additional Information:
Associated Win 7 Defender Files
  • %AllUsersProfile%\Desktop\Win 7 Defender.lnk
  • %CommonAppData%\pcdfdata\
  • %CommonAppData%\pcdfdata\<random>.exe
  • %CommonAppData%\pcdfdata\app.ico
  • %CommonAppData%\pcdfdata\config.bin
  • %CommonAppData%\pcdfdata\defs.bin
  • %CommonAppData%\pcdfdata\support.ico
  • %CommonAppData%\pcdfdata\uninst.ico
  • %CommonAppData%\pcdfdata\vl.bin
  • %CommonStartMenu%\Programs\Win 7 Defender\
  • %CommonStartMenu%\Programs\Win 7 Defender\Remove Win 7 Defender.lnk
  • %CommonStartMenu%\Programs\Win 7 Defender\Win 7 Defender Help and Support.lnk
  • %CommonStartMenu%\Programs\Win 7 Defender\Win 7 Defender.lnk
File Location Notes:
  • %AllUsersProfile% refers to the All Users profile folder. By default this is C:\Documents and Settings\All Users for Windows 2000/XP/2003 and C:\ProgramData for Windows Vista/7.
  • %CommonAppData% refers to the Application Data folder for the All Users profile. By default this is C:\Documents and Settings\All Users\Application Data for Windows NT/2000/XP/2003 and C:\ProgramData for Windows Vista/7.
  • %CommonStartMenu% refers to the Start Menu for All Users; anything placed there appears in the Start Menu of every account on the computer. For Windows NT/2000/XP/2003 it is C:\Documents and Settings\All Users\Start Menu\, and for Windows Vista/7/8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.
Affected Registry Settings:
  • HKEY_CLASSES_ROOT\.exe "(Default)" = "<random>"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcdfdata
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = ""%CommonAppData%\pcdfdata\<random>.exe" /ex "%1" %*"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "pcdfsvc" = "%CommonAppData%\pcdfdata\<random>.exe /min"
*Note - On a clean machine HKEY_CLASSES_ROOT\.exe "(Default)" is exefile and the per-user key HKEY_CURRENT_USER\Software\Classes\.exe does not normally exist. The entries above route every .exe launch through the malware's own executable (which then runs the real program via the /ex switch), which is why it comes straight back if you only kill the process.
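The following is an added example, not part of the original post or of any vendor tool: a read-only PowerShell triage script that checks a suspect machine for the file and registry indicators listed above, so you can confirm the infection before (and after) the removal steps. The only assumptions are the indicator names from this post and that it runs on Windows Vista/7 from an elevated prompt; it reports and changes nothing.

```powershell
# Added example (not from the original post): read-only triage of the
# Win 7 Defender indicators listed above. Run from an elevated PowerShell
# prompt on the suspect machine (Windows Vista/7); it reports, it does not clean.
function Test-Win7DefenderIndicators {
    $findings = @()

    # --- Files. %CommonAppData% is $env:ProgramData on Vista/7; the shortcut
    #     folders are resolved through the shell so the paths are correct on
    #     XP as well as Vista/7.
    $dropDir  = Join-Path $env:ProgramData 'pcdfdata'
    $desktop  = [Environment]::GetFolderPath('CommonDesktopDirectory')
    $programs = [Environment]::GetFolderPath('CommonPrograms')
    $paths = @(
        $dropDir,
        (Join-Path $desktop  'Win 7 Defender.lnk'),
        (Join-Path $programs 'Win 7 Defender')
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) { $findings += "File/folder present: $p" }
    }
    if (Test-Path -LiteralPath $dropDir) {
        # The dropper name is random, so list whatever .exe lives in the folder.
        Get-ChildItem -LiteralPath $dropDir -Filter *.exe -Force |
            ForEach-Object { $findings += "  dropper candidate: $($_.FullName) ($($_.Length) bytes)" }
    }

    # --- Registry. Baseline on a clean machine: HKCR\.exe default is 'exefile'
    #     and the per-user HKCU\Software\Classes\.exe override key does not exist.
    $hkcrExe = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    if ($hkcrExe -ne 'exefile') { $findings += "HKCR\.exe default is '$hkcrExe' (expected 'exefile')" }

    $userCmdKey = 'HKCU:\Software\Classes\.exe\shell\open\command'
    if (Test-Path $userCmdKey) {
        $cmd = (Get-ItemProperty -Path $userCmdKey).'(default)'
        $findings += "Per-user .exe handler override present: $cmd"
        if ($cmd -match 'pcdfdata') { $findings += '  -> points at the pcdfdata dropper (Win 7 Defender hijack)' }
    }

    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['pcdfsvc']) {
        $findings += "HKCU Run entry pcdfsvc = $($run.pcdfsvc)"
    }

    if (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcdfdata') {
        $findings += 'Uninstall key pcdfdata present'
    }

    if ($findings.Count -eq 0) { 'No Win 7 Defender indicators found.' } else { $findings }
}

Test-Win7DefenderIndicators
```

Run it once before step 3 to confirm what you are dealing with, and again after the reboot in step 8: a clean result there, together with HKCR\.exe reading exefile again, is a better "all clear" than the absence of pop-ups.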

More to come!

If you like this blog give it a g+1

Wednesday, December 19, 2012

AD 2008R2 - Remove Users From Local Admin Using Group Policy

One of the more frustrating things to deal with as a system admin is managing local user permissions on desktops and servers. People with local admin rights can do just about anything to their machines, which causes significant headaches for the Help Desk team. With Windows Server 2008 R2 and Group Policy Preferences, Microsoft gives administrators the ability to manage local groups via GPO. In this segment I plan to cover some of the highlights of this policy.

Create the GPO:
On your Domain Controller open Group Policy Management. Drill down to the domain where you want to create the policy and expand Group Policy Objects. Right Click in the active window and select New. Let's call the GPO Local Users. Click OK

Edit the GPO:
You should see the newly created GPO in the active window. Right Click on it and select Edit. In the Group Policy Management Editor drill down to User Configuration > Preferences > Control Panel Settings, then Right Click on Local Users and Groups. Select New > Local Group

In the New Local Group Properties window set Action: to Update. For the Group name: type Administrators. Select the Remove the current user radio button and Click OK
*Note - In addition to removing the current user you can use this element to add the current user, add or remove named members, delete all member users and delete all member groups. Be careful how you set this up, as you may inadvertently remove users or groups you want to keep.

Your newly created element should appear in the active window. Go ahead and close the editor.

Apply & Test the GPO:
Next we need to link the GPO. Because this element lives under User Configuration it is processed for the user who logs on, so link it to the OU that contains the user accounts you want it to affect. If you want to target it by computer instead, link it to the computer OU and enable Configure user Group Policy loopback processing mode (Computer Configuration > Policies > Administrative Templates > System > Group Policy) on that GPO; linked only to a computer OU without loopback it will never apply.

*Caution - You should test all GPOs in a lab environment or on a Test OU BEFORE applying them to the live production environment to ensure you will achieve the desired outcome.

In the navigation tree simply drag the Local Users GPO to the OU you want it applied to. You will be prompted to link the GPO to the OU. Click OK

The final step is to test the GPO. Log into a machine as a user in scope of the GPO and open a command prompt. Run the following:
gpupdate /force
Go into Administrators under Local Users and Groups (lusrmgr.msc) and you should see that the user has been removed from the group.



Tuesday, December 18, 2012

AD 2008R2 - Setting Local Administrator Password via GPO

When you are managing a large environment, changing the local administrator password on a regular basis can be challenging. There are various tools out there and you can do it with scripting, but the easiest way is Group Policy. In this segment I am going to walk through the process of setting up the GPO.

Create the GPO:
On your Domain Controller open Group Policy Management. Drill down to the domain where you want to create the policy and expand Group Policy Objects. Right Click in the active window and select New. Let's call the GPO Local Admin PW. Click OK

Edit the GPO:
You should see the newly created GPO in the active window. Right Click on it and Select Edit. In the Group Policy Management Editor, drill down to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups. Right Click on Local Users and Groups and Select New > Local User.

For the Action select Update. In User name: type Administrator. Type and confirm the new password you want applied. Uncheck everything except Account never expires and Click OK
*Note - This is also a great way to get rid of local accounts that are no longer needed. Under Action select Delete, enter the account name and continue with the steps below.
*Gotcha - The password you type here is written to Groups.xml in the GPO's folder under SYSVOL, which every authenticated domain user can read. The cpassword attribute is only AES-encrypted with a key that Microsoft published in its own documentation, so anyone on the domain can recover the clear-text password. Microsoft removed the ability to set passwords through this dialog in MS14-025 for exactly this reason; treat any password set this way as exposed.

Back on the Group Policy Management Editor you will see the new Administrator user element has been created in the Active Window. Go ahead and close this and go back to Group Policy Management.

Apply & Test the GPO:
Next we need to apply the GPO to the OU that has the computers which will receive it.

*Caution - You should test all GPOs in a lab environment or on a Test OU BEFORE applying them to the live production environment to ensure you will achieve the desired outcome.

In the navigation tree simply drag the Local Admin PW GPO to the computer group you want it to be applied to. You will be prompted to link the GPO to the OU. Click OK

The final step is to test the GPO. Log into a machine that is in the OU you applied the GPO to and open a command prompt. Run the following:
gpupdate /force

Log out of the computer and log back in as the Administrator using the new password.
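As an added example (not from the original post), here is a PowerShell audit that finds every Group Policy Preferences item in SYSVOL carrying a cpassword attribute, i.e. every password set the way this post describes, so you know which GPOs and accounts are exposed. It assumes you run it as a domain user; the GPO display name lookup needs the GroupPolicy module (GPMC/RSAT) and is skipped if that is absent. It does not decrypt anything.

```powershell
# Added example (not from the original post): list Group Policy Preferences
# XML items in SYSVOL that carry a cpassword attribute. Run as any domain user;
# Get-GPO (GroupPolicy module) is optional and only used to resolve the GPO name.
function Find-GppPasswords {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    Import-Module GroupPolicy -ErrorAction SilentlyContinue
    $haveGpo = [bool](Get-Command Get-GPO -ErrorAction SilentlyContinue)

    Get-ChildItem -Path $policies -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object {
            $file = $_
            [xml]$doc = Get-Content -LiteralPath $file.FullName
            # cpassword sits on the <Properties> element of a User, Service,
            # ScheduledTask, DataSource or Drive item. The account attribute name
            # differs per item type, so try each.
            foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
                $guid = ([regex]'\{[0-9A-Fa-f-]+\}').Match($file.FullName).Value
                $gpoName = ''
                if ($haveGpo) {
                    $gpo = Get-GPO -Guid $guid.Trim('{}') -ErrorAction SilentlyContinue
                    if ($gpo) { $gpoName = $gpo.DisplayName }
                }
                $account = $props.userName
                if (-not $account) { $account = $props.accountName }
                if (-not $account) { $account = $props.runAs }
                $scope = 'User'
                if ($file.FullName -match '\\Machine\\') { $scope = 'Computer' }

                New-Object PSObject -Property @{
                    GpoGuid     = $guid
                    GpoName     = $gpoName
                    Item        = $props.ParentNode.LocalName   # User, Service, Drive, ...
                    Account     = $account
                    Scope       = $scope
                    HasPassword = -not [string]::IsNullOrEmpty($props.cpassword)
                    File        = $file.FullName
                }
            }
        }
}

Find-GppPasswords | Format-Table GpoName, Item, Account, Scope, HasPassword -AutoSize
```

Anything this lists should be treated as a credential that has already leaked: rotate the account password by another means and remove the cpassword-bearing item from the GPO.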



Wednesday, December 12, 2012

AD 2008R2 - GPO for Adding a Security Group to Local Administrators

There are times when you have a standard security group which needs access to all the servers in a particular domain or organizational unit. In AD 2008R2 you can create a group policy that automatically adds this security group to the local groups on every server or computer in a particular OU.

Create a Security Group:
The first thing we need is a new security group to reference from the GPO. In Active Directory Users and Computers Right Click in the organizational unit where you want to create it and click New, then Group from the flyout. Let's call this group Server Admins. It should be a Global Security Group.
Once the group is created Double Click on it and go to the Members Tab. Go ahead and add the users that you would like to be in this group and Click OK
 
Create a GPO:
Now that we have our security group ready let's create the GPO. Open Group Policy Management, drill down to the domain you would like to create this GPO in and expand Group Policy Objects. In the active window Right Click and select New. Let's call this GPO Local Administrator. Click OK and you should see the new GPO you just created.
 
Modify The GPO:
In the navigation tree Right Click on your newly created GPO and select Edit. In the Group Policy Management Editor drill down to Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups. In the active field Right Click and select Add Group. You can Click Browse to locate the security group you just created and Click OK

You will be prompted to apply properties to this group. Under This group is a member of: Click Add and Click Browse. Add Administrators and Remote Desktop Users. Click OK
*Gotcha - If you change Members of this group: you will overwrite the users you added to the group in the Create a Security Group step above.

*Note - The group selection is by name and is evaluated on each client. If you add a local group called Butterfly under This group is a member of:, the security group will be added to Butterfly on any server that has a local group by that name, and silently skipped on servers that do not.

You will see the new security group added to the GPO and the group memberships as well.

Apply & Test the GPO:
Next we need to apply the GPO to the OU that has the computers which will receive it.

*Caution - You should test all GPOs in a lab environment or on a Test OU BEFORE applying them to the live production environment to ensure you will achieve the desired outcome.

In the navigation tree simply drag the Local Administrator GPO to the computer group you want it to be applied to. You will be prompted to link the GPO to the OU. Click OK

The final step is to test the GPO. Log into a machine that is in the OU you applied the GPO to and open a command prompt. Run the following:
gpupdate /force
Go into Administrators (and Remote Desktop Users) under Local Users and Groups and you should see the newly created security group.
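The following is an added example, not from the original posts: a PowerShell check that verifies the outcome of both the Remove Users From Local Admin and the Adding a Security Group posts from the target machine itself. It forces a policy refresh, confirms via gpresult that the GPOs were applied, then reads the local Administrators and Remote Desktop Users membership through ADSI/WinNT (so it works on Windows 7 / 2008 R2 with PowerShell 2.0, which has no Get-LocalGroupMember). The GPO and group names are the ones used in the posts and are parameters; change them to match your environment.

```powershell
# Added example (not from the original posts): confirm what the Local Users /
# Local Administrator GPOs actually did to this machine's local groups.
function Get-LocalGroupMembers {
    param([string]$Group = 'Administrators', [string]$Computer = $env:COMPUTERNAME)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in $grp.psbase.Invoke('Members')) {
        # Members() returns COM objects; read ADsPath and turn WinNT://DOM/Name into DOM\Name
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $adsPath -replace '^WinNT://', '' -replace '/', '\'
    }
}

function Test-LocalGroupPolicyResult {
    param(
        [string[]]$ShouldContain    = @('Server Admins'),                      # post: Adding a Security Group
        [string[]]$ShouldNotContain = @("$env:USERDOMAIN\$env:USERNAME"),     # post: Remove Users From Local Admin
        [string[]]$AppliedGpo       = @('Local Users', 'Local Administrator') # GPO display names from the posts
    )
    gpupdate /force | Out-Null

    # gpresult /r prints "Applied Group Policy Objects" for computer and user scope
    $rsop = gpresult /r 2>&1 | Out-String
    foreach ($g in $AppliedGpo) {
        $state = 'NOT listed by gpresult'
        if ($rsop -match [regex]::Escape($g)) { $state = 'applied' }
        "GPO '$g': $state"
    }

    foreach ($local in 'Administrators', 'Remote Desktop Users') {
        $members = @(Get-LocalGroupMembers -Group $local)
        "$local = $($members -join ', ')"
        foreach ($want in $ShouldContain) {
            if (-not ($members | Where-Object { $_ -like "*\$want" })) {
                "  MISSING: $want should be a member of $local"
            }
        }
    }

    $admins = @(Get-LocalGroupMembers -Group 'Administrators')
    foreach ($user in $ShouldNotContain) {
        if ($admins -contains $user) { "  STILL PRESENT: $user is in Administrators" }
    }
}

Test-LocalGroupPolicyResult
```

If gpresult shows the GPO as applied but the membership is unchanged, the usual culprits are a User Configuration element linked to a computer OU without loopback processing, or a Restricted Groups "Members" entry on a different GPO overriding yours.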




Tuesday, December 11, 2012

SCOM 2012 - Install Hangs at Importing System Network Management MP

I have only actually seen this happen once. You are going through an install of SCOM 2012 and it hangs indefinitely on "Importing System Network Management Management Pack" in the Operational database configuration portion of the install.

You will eventually see the following in OpsMgrSetupWizard.log:
[18:06:54]:    Error:    :ImportManagementPack: Unknown Error. Microsoft.EnterpriseManagement.Common.ServerDisconnectedException : The client has been disconnected from the server. Please call ManagementGroup.Reconnect() to reestablish the connection.
[18:06:54]:    Always:    :FirstManagementServer: Failed to load MP D:\Setup\AMD64\..\..\ManagementPacks\System.NetworkManagement.Library.mp.  We will retry.
[18:06:55]:    Always:    :ImportManagementPack: Loading management pack D:\Setup\AMD64\..\..\ManagementPacks\System.NetworkManagement.Library.mp. 18:06:55
This repeats multiple times. I eventually had to kill the install because it never completed successfully.

You will remember that I covered the install prerequisites in SCOM 2012 - Installation, where we walked through the GUI install. The order of operations I laid out was to install .NET 3.5, then .NET 4.0, enable the Remote Registry service and then install Microsoft Report Viewer 2010. If you are also planning to run the web console on this machine and you installed IIS after .NET 4.0, ASP.NET 4.0 will not be registered with IIS. When that happens the install freezes during the System Network Management MP import, so re-register .NET 4.0 with IIS by running the following from an elevated command prompt:
%WINDIR%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -r

Once .NET 4.0 is re-registered with IIS you should be able to run through the install without issues.




Contributing Documentation:
Technet

SQL 2008R2 - SP1 Install

I recently had to upgrade one of my SQL 2008R2 servers to SP1, so I thought I would walk through the steps I took. First we need a copy of SQL 2008R2 SP1, which is available from the Microsoft Download Center. Once we have it we log into the SQL server with local admin privileges, Right Click on SQLServer2008R2SP1-KB2528583-x64-ENU.exe and choose Run as Administrator. The installer kicks off and automatically runs the rule checker. When that finishes Click Next

Go ahead and accept the EULA and Click Next

You will be prompted to select which database instances you want to upgrade. In my case I selected everything. Click Next

The installer will check to see if there are any files in use. If it identifies any you will need to stop the related applications or services. Click Next

Review your install selections and Click Update

You can monitor the install progress which could take some time depending on how many instances you will need to update.

Success!
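As an added example (not from the original post), here is a PowerShell check to run after the installer reports success: it reads every instance registered on the box from the registry, connects to each with Windows authentication, and confirms it reports the SQL Server 2008 R2 SP1 build (10.50.2500) and ProductLevel SP1. The build number is Microsoft's published SP1 build; the script checks the database engine only, not shared features.

```powershell
# Added example (not from the original post): verify each local SQL Server
# instance is at the 2008 R2 SP1 build after the update.
$Sp1Build = '10.50.2500'   # SQL Server 2008 R2 SP1 build number

function Get-LocalSqlInstances {
    # Instance Names\SQL maps instance name -> MSSQL10_50.<name>; we only need the names
    $key = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    $names = Get-ItemProperty -Path $key -ErrorAction Stop
    foreach ($p in $names.PSObject.Properties) {
        if ($p.Name -match '^PS') { continue }            # skip PSPath/PSParentPath/... noise
        if ($p.Name -eq 'MSSQLSERVER') { '.' } else { ".\$($p.Name)" }
    }
}

function Get-SqlPatchLevel {
    param([string]$Server)
    $cn = New-Object System.Data.SqlClient.SqlConnection("Server=$Server;Integrated Security=SSPI;Connection Timeout=15")
    $cn.Open()
    try {
        $cmd = $cn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32)) AS ProductVersion,
                                   CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32)) AS ProductLevel,
                                   CAST(SERVERPROPERTY('Edition')        AS nvarchar(64)) AS Edition"
        $rd = $cmd.ExecuteReader()
        if ($rd.Read()) {
            New-Object PSObject -Property @{
                Server         = $Server
                Edition        = $rd['Edition']
                ProductVersion = $rd['ProductVersion']
                ProductLevel   = $rd['ProductLevel']
                AtSp1          = ($rd['ProductVersion'] -like "$Sp1Build*") -and ($rd['ProductLevel'] -eq 'SP1')
            }
        }
    } finally { $cn.Close() }
}

Get-LocalSqlInstances | ForEach-Object { Get-SqlPatchLevel -Server $_ } |
    Format-Table Server, Edition, ProductVersion, ProductLevel, AtSp1 -AutoSize
```

Any instance showing AtSp1 = False was either unticked in the feature selection or was stopped and skipped by the installer; rerun the SP1 package for that instance.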



Friday, December 7, 2012

SCOM 2012 - Agent Causing High CPU Utilization

I ran into an interesting situation not too long ago. I was just wrapping up a deployment when one of the people I was working with came to me with a performance issue. He had noticed that a few of the servers being monitored by SCOM were experiencing high CPU utilization. The CPU was spiking about every five minutes, as shown in the Perfmon capture in Figure 1. I was a bit surprised to hear this, because everything I had read up to this point about SCOM 2012 indicated that Microsoft had slimmed down the agent to run thinner and lighter than its predecessors.
Fig. 1
After some discussion I asked him to disable the SCOM agent and capture a follow-up Perfmon; the results are in Figure 2. The CPU went from spiking every few minutes to almost idle.
Fig. 2
This was quite strange, so I did some digging to see if anyone else had come across the same thing. As it turns out there has been an update to the Windows Server Base OS MP that adds utilization scripts. One of the changes in this version of the management pack is a script that runs to collect network adapter utilization. There are three monitors and three rules each for 2003 and 2008 that use this script:

2003
Monitors
  • Microsoft.Windows.Server.2003.NetworkAdapter.PercentBandwidthUsedReads (Percent Bandwidth Used Read)
  • Microsoft.Windows.Server.2003.NetworkAdapter.PercentBandwidthUsedWrites (Percent Bandwidth Used Write)
  • Microsoft.Windows.Server.2003.NetworkAdapter.PercentBandwidthUsedTotal (Percent Bandwidth Used Total)
Rules
  • Microsoft.Windows.Server.2003.NetworkAdapter.PercentBandwidthUsedReads.Collection (Percent Bandwidth Used Read)
  • Microsoft.Windows.Server.2003.NetworkAdapter.PercentBandwidthUsedWrites.Collection (Percent Bandwidth Used Write)
  • Microsoft.Windows.Server.2003.NetworkAdapter.PercentBandwidthUsedTotal.Collection (Percent Bandwidth Used Total)
2008
Monitors
  • Microsoft.Windows.Server.2008.NetworkAdapter.PercentBandwidthUsedReads (Percent Bandwidth Used Read)
  • Microsoft.Windows.Server.2008.NetworkAdapter.PercentBandwidthUsedWrites (Percent Bandwidth Used Write)
  • Microsoft.Windows.Server.2008.NetworkAdapter.PercentBandwidthUsedTotal (Percent Bandwidth Used Total)
Rules
  • Microsoft.Windows.Server.2008.NetworkAdapter.PercentBandwidthUsedReads.Collection (Percent Bandwidth Used Read)
  • Microsoft.Windows.Server.2008.NetworkAdapter.PercentBandwidthUsedWrites.Collection (Percent Bandwidth Used Write)
  • Microsoft.Windows.Server.2008.NetworkAdapter.PercentBandwidthUsedTotal.Collection (Percent Bandwidth Used Total)
The advantage of having this run is the insight it gives you into network bandwidth usage, but the downside is that every time the script runs (every five minutes by default) it consumes a great deal of CPU. The best approach is to disable the monitor and rule for Percent Bandwidth Used Total for both 2003 and 2008; Read and Write are disabled by default. For more information on how to disable these rules and monitors review SCOM 2012 - Creating Overrides.
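As an added example (not from the original post), the same overrides can be created from the Operations Manager Shell rather than clicking through the console, which is handy when you have more than one management group. The cmdlets (Get-SCOMMonitor, Get-SCOMRule, Get-SCOMClass, Disable-SCOMMonitor, Disable-SCOMRule, Get-SCOMOverride) are from the SCOM 2012 OperationsManager module; the override management pack display name 'BaseOS Overrides' is an assumption, use your own unsealed override MP.

```powershell
# Added example (not from the original post): disable the Percent Bandwidth Used
# Total monitor and collection rule for 2003 and 2008 via PowerShell overrides.
Import-Module OperationsManager

# Overrides must live in an unsealed MP; 'BaseOS Overrides' is an assumed name.
$overrideMp = Get-SCOMManagementPack -DisplayName 'BaseOS Overrides' | Where-Object { -not $_.Sealed }
if (-not $overrideMp) { throw 'Create an unsealed override management pack first' }

# Only the Total workflows need disabling; Read and Write are off by default.
$workflows = @(
    'Microsoft.Windows.Server.2003.NetworkAdapter.PercentBandwidthUsedTotal',
    'Microsoft.Windows.Server.2008.NetworkAdapter.PercentBandwidthUsedTotal'
)

foreach ($name in $workflows) {
    # Monitor: Enabled=false override scoped to the monitor's own target class.
    # -Enforce makes this override win over any other override of the same property.
    $monitor = Get-SCOMMonitor -Name $name
    if ($monitor) {
        $target = Get-SCOMClass -Id $monitor.Target.Id
        Disable-SCOMMonitor -Monitor $monitor -Class $target -ManagementPack $overrideMp -Enforce
        "Disabled monitor $name for class $($target.Name)"
    } else {
        "Monitor $name not found - is the Windows Server Base OS MP imported?"
    }

    # Collection rule: same idea, rule flavour.
    $rule = Get-SCOMRule -Name "$name.Collection"
    if ($rule) {
        $target = Get-SCOMClass -Id $rule.Target.Id
        Disable-SCOMRule -Rule $rule -Class $target -ManagementPack $overrideMp -Enforce
        "Disabled rule $name.Collection for class $($target.Name)"
    } else {
        "Rule $name.Collection not found"
    }
}

# Verify: show what now sits in the override MP.
Get-SCOMOverride -ManagementPack $overrideMp |
    Select-Object Name, Property, Value, Enforced |
    Format-Table -AutoSize
```

Agents pick up the new configuration on their next config refresh; give it a few minutes, then recheck Perfmon on one of the affected servers to confirm the five-minute CPU spikes are gone before closing the ticket.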



Monday, December 3, 2012

SCOM 2012 - How to Email Scheduled Reports

Now that we have Web and Reporting services up and running we should talk about one of the more beneficial features of Reporting Services: the scheduled report. You can have reports automatically sent to members of your team or to management, or have them dropped into a document repository like a file share or SharePoint. This is a good way to document long-term conditions in your environment as well as to distribute daily information easily.

The first thing we need to do is make sure SSRS is configured properly. We already did most of the heavy lifting in SQL 2008R2 - Configuring SSRS for SCOM 2012, but there was one step we skipped because I wanted to elaborate on it here. So let's open Reporting Services Configuration Manager and go to the E-mail Settings page in the navigation tree. In Sender Address put something descriptive so people will know they are getting automated reports. In SMTP Server provide the name of your corporate SMTP server. You may need to check with your Exchange administrator for this information if you do not already have it. Note that SSRS sends mail unauthenticated, so they may also need to allow the report server to relay before the email will be passed through the system. Click Apply and close Reporting Services Configuration Manager.

Now open the Operations Console and go into the Reporting space. In the list of available reports find the report you want to schedule. For this example we will use the SQL Server 2005 report. Once it is selected click Schedule in the Actions pane. From here you have a few delivery methods: Windows File Share, E-Mail and Null Delivery Provider.

For the purpose of this segment we are going to do an E-Mail delivery. When you select E-Mail it activates the settings below. Enter a valid To e-mail address and check the Include Report check box. In Render Format select the format you would like delivered. Then choose the priority and Click Next

For Subscription Schedule select the delivery times and frequency you require. The subscription is effective beginning sets when the first report will be sent out. Select an appropriate date and Click Next

Since we are doing a SQL report we will select SQL Server 2005 Servers. Click Next

For Report parameters select the Data Aggregation type you would like to see and Click Finish. Depending on what you set for The subscription is effective beginning you may have to wait a bit to see the first report.
