Cattle vs Pets

Cattle and Pets are ways to classify how you think about a compute unit that is involved in providing a service.  Typically the unit would be a server ( metal or virtual ) but can also be a container ( e.g Docker ) that is running on a server.  The compute units classification will determine how you treat it.

Cattle

Can be destroyed and replaced at any time without the service failing.  It’s Cattle

Pets

Indispensable; destroying and replacing will cause the overall service to fail. It’s a Pet.

 

Example

EXCHANGE01 is ACME Corporations single server providing email to the entire company. If it goes down, email service is lost.   EXCHANGE01 is a Pet

The cluster compromising virtual servers WWW001 through to  WWW100 , provides ACME Corporation website to the world.  Any server in that cluster can be destroyed and replaced without ACME Corporations website failing.  Therefore these servers are Cattle

.

 

 

Symbol not found: __PyCodeInfo_GetIncrementalDecoder

After upgrading the version of Python on my Mac, I immediately got the above error when attempting to run a Python script. You can quickly test by typing

python
import io

and you’ll get the error

Quick digging around on Google revealed what was happening. When a new version of Python is installed, you may need to tell bash to reset the ‘cached’ location to Python. There’s two ways of achieving that

1) Log out and then log back in
or
2) At the terminal prompt, type

hash -r python

El Capitan download & Squid proxy

Last night I left my Mac downloading the update to El Capitan overnight so it would be ready for me to install following the morning.

I was greeted by a rather generic message saying that the download had failed. A bit of digging showed 2.15Gb had been downloaded before the failure. Maybe it was network disruption; I live in the countryside and it’s not unknown for the VDSL to drop out. Nothing to worry about, downloads resume from where they left off , so I tried again.

It failed again.

And again.

Activated debug mode for AppStore , cleared cookies, reset application and set the Debug level to 2.

Waited

And it failed again at the same point.

Browse of the App Store log file showed NSURLErrorDomain – 1005

Which was helpful in the same way that bricks are to aerodynamics.

Between the internet and my home network is a Squid proxy. I decided to eliminate that as a possible cause.

Several mouse clicks later and El Capitan is downloading without any errors.

Right now I don’t have time to investigate why Squid caused a failure ( max size of cache objects? ) but if others are in a similar situation , switch off the web proxy on your Mac.

Zero stop day is fast approaching

Busy day today securely wiping and then installing operating systems onto 1 x MacBook Air, 2 x Dell Workstations and a Lenovo W500.

All going back to Novell / MicroFocus tomorrow.

Time for a change

After almost 8 years, I am moving on from Novell. I handed in my resignation last Friday 24th April and will be leaving towards the end of May.

Whilst at Novell I have met and worked with great people on some fantastic products. I wish them all the best in the future.

For me, I’m onto new adventures with a U.K based security company — Sophos.

Jon

Thou shalt not install infidel software on the holy domain controller

Unless you really really have to.

In my case I needed to install VMware vsphere 5.5 client onto my lab domain controller. VMware had other ideas and clearly had decided that they needed to save my soul and prevented me from doing so.

Happily, you can override Bishop VMware by using a tool of the devil – a command line switch /VSKIP_OS_CHECKS=”1″ with the VMware client installer. Here’s an example

VMware-viclient-all-5.5.0-1281650.exe /VSKIP_OS_CHECKS="1"

Apostates rejoice !

Rename Active Domain Controller

Permissions

You must be a member of the Domain Admins group.

WARNING

Reboot will be required

Process

To rename a DC with the name from MY-SERVER in the PMLAB.LOCAL domain to DC-SERVER follow the next steps:

1. Open Command Prompt and type:

NETDOM computername MY-SERVER.PMLAB.LOCAL /add:DC-SERVER.PMLAB.LOCAL

This command will update the service principal name (SPN) attributes in Active Directory for this computer account, and register DNS resource records for the new computer name. The SPN value of the computer account must be replicated to all DCs for the domain, and the DNS resource records for the new computer name must be distributed to all the authoritative DNS servers for the domain name. If the updates and registrations have not occurred prior to removing the old computer name, then some clients may be unable to locate this computer using the new or old name. Therefore, it’s very important to wait till the Active Directory replication finishes a replication cycle. You can check that by using tools such as REPADMIN and REPLMON.

You can verify the new name was indeed added to the computer object by viewing it through ADSIEDIT.MSC (which, for Windows Server 2008, is installed by default). Navigate to the computer object and right-click it. Select Properties:

Scroll down in the list of available attributes till you reach the attribute called msDS-AdditionalDnsHostName.

2. Ensure the computer account updates and DNS registrations are completed, then type:

NETDOM computername MY-SERVER.PMLAB.LOCAL /makeprimary:DC-SERVER.PMLAB.LOCAL

Again, you can inspect the change with ADSIEDIT.MSC. Scroll down in the list of available attributes for the computer object (notice how the server now appears with the new name) till you reach the attribute called msDS-AdditionalDnsHostName.

Notice that the old name should appear in the attribute’s properties.

3. Restart the computer.

4. From the command prompt, type:

NETDOM computername DC-SERVER.PETRI.LOCAL /remove:MY-SERVER.PMLAB.LOCAL

5. Make sure that the changes have successfully been replicated to all the DCs.

 

Adapted from Perti IT Knowledge base

Cats, coffee and Elephants

As part of my job at Novell I get to travel around various places.  This has given me the chance to try numerous types of coffee across many countries and cultures. Coffee itself has an interesting history, starting with the legend of Kaldi. Kaldi was a goat herder who noticed his goats became somewhat animated after eating berries from a certain bush. History is quiet on if parents had told him not to eat berries from a bush; clearly they had not mentioned anything about picking the berries, throwing them into a fire and then using the roast beans to create the drink we know today as coffee.

Coffee was cultivated, traded and drank throughout the Middle East before spreading worldwide. The first coffee houses, known as qahveh khaneh, also began to appear at this time. Entertainment, musical performances, chess and news of day were all available to those imbibing of the black stuff.

Your local coffee shop may offer some or all of those things; they may even be on the menu although it’s unlikely you’d be able to buy Black Ivory Coffee unless you have phoned ahead several days in advance. This will then allow your beverage provider enough time to obtain a herd of Elephants, feed them several kilos of coffee berries and then wait for the digestive process to complete. Sort through the piles of dung for the coffee beans, roast , grind and you’re ready to brew. If space is an issue, as Elephants do take up space in any room, you could use Civet cats instead. I’d advise against that as we all know cats are evil. And their poo really smells.

I digress.

Today your coffee shop offers wi-fi as well. And that’s what can be hazardous to your computer. Here’s why.

Microsoft released it’s latest set of patches, so called Patch Tuesday, this week. This particular update is noteworthy and requires immediate action on your behalf.

Within the list of updates are

• MS15-011 & MS15-014 which harden group policy and address network access vulnerabilities that can be used to achieve remote code execution (RCE) in domain networks.
• MS15-014 update addresses an issue in Group Policy update which can be used to disable client-side global SMB Signing requirements, bypassing an existing security feature built into the product.
• MS15-011 adds new functionality, hardening network file access to block access to untrusted, attacker controlled shares when Group Policy refreshes on client machines.

Remember our coffee shops, its collection of Elephants, Cats and wi-fi? Here’s the attack scenario as described by Microsoft.

This is an example of a  ‘coffee shop’ attack scenario, where an attacker would attempt to make changes to a shared network switch in a public place and can direct the client traffic an attacker-controlled system.

1. In this scenario, the attacker has observed traffic across the switch and found that a specific machine is attempting to download a file located at the UNC path: \\10.0.0.100\Share\Login.bat .
2. On the attacker machine, a share is set up that exactly matches the UNC path of the file requested by the victim: \\*\Share\Login.bat.
   1. The attacker will have crafted the contents of Login.bat to execute arbitrary, malicious code on the target system. Depending on the service requesting Login.bat, this could be executed as the local user or as the SYSTEM account on the victim’s machine.
3. The attacker then modifies the ARP table in the local switch to ensure that traffic intended for the target server 10.0.0.100 is now routed through to the attacker’s machine.
4. When the victim’s machine next requests the file, the attacker’s machine will return the malicious version of Login.bat.

You can find more detail here http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx

All of updates from Microsoft are available in ZENworks Patch Management. If you can’t see them, just perform a subscription download to make sure you have the latest content.

You  deploy these updates in the usual manner. I’d also recommend that you look at using patch policies that will make keeping on top of Patch Tuesday a lot easier for you.

To further protect your device estate, you should look at having security settings that can adapt to the location. ZENworks Endpoint Security allows you to define policies whose enforcement settings change depending on the location of the device. For example, the Firewall can be less restrictive on known networks but have increased restrictions for those that are unknown. You could force use of VPNs in those pesky coffee shops.

I should make it clear that ZENworks can do nothing about rogue Elephants sitting on a laptop or a cat doing something worse.

 

Applying a single patch policy

ZENworks patch policies were introduced in version 11.3 as a way for Administrators to express their wishes for automated patching.  Judging by your feedback at Brainshare 2014, these are becoming very popular.  Several of you asked questions about how to manually apply patch policies for devices that are mission critical e.g servers running SQL databases.  The scenario is

“Tell me automatically what vulnerabilities exist but I want to manually apply the policy to remediate them”

Lets start with reminding ourselves what a patch policy is.

Patch policy:  A  set of rules that determine what vulnerabilities should be remediated.

These are defined in ZCC.  Click on Patch Management and then click on Patch Policies

List of patch policies

To create a Patch Policy, click on New.  Choose your platform and give the policy a name.  Then you need to decide which vulnerabilities you want to remediate.  This is achieved by using rules

Patch policy rules

You can build up a fairly complex query to exactly determine the vulnerabilities you are interested in.  At any time, click on Apply to see what the result will be.

Carry on and complete the Patch Policy.  It will be added to the list shown in the first screen shot.

It could be that not all of the patches in the patch policy have not yet been cached ( downloaded ) into your zone.  Either wait for the next download as per your patch download schedule or trigger one manually using ZCC -> Configuration -> Patch management -> Subscription service information and click on Update Now

You also need to make sure that the patches are replicated to any primary / satellite servers used by those critical devices for content delivery.   If you don’t do this, then the patch policy will fail as the required patches are not available for the target devices.

At this point you would apply the patch policy to devices that you want to automatically remediate those vulnerabilities.  However, in this case we want to manually remediate.

Lets stop those devices from ever applying a patch policy by themselves.  For the purposes of this post, I am assuming that you have all of those devices in their own Device Folder.  If not, you’ll need to go to each Device in ZCC and change the settings.

I have a device folder called ‘My critical servers’.  To change the way Patch Policies are used for devices in that folder, click on Details

Folder details

In Details, click on Settings

Settings

We need to alter Patch Policy Distribution and Patch Policy Enforcement.  Let us start with Patch Policy Distribution

Click on Override.  I would recommend that distribution of patches to devices is triggered when we manually remediate.  You are free to choose  a scheduled approach if that works better for your environment.  Even if the patches have not yet arrived when you manually remediate, they will be downloaded.  Remember to click on Ok when you have made  any changes.

Now for Patch Policy Enforcement.  This needs to be manual and not automatic.

As these are critical devices, disable automatic reboots. You can choose to reboot at your leisure.  Just don’t leave it too long!

Click on Ok

And we’re almost there.

Go back to ZCC – Patch Management -> Patch policies.  Click on the patch policy you want and then click on Relationships.  Click Add and browse to the folder that contains your critical servers.   If the patch policy is applicable to other devices,  you can add those as well.

To manually apply remediation, go to each device ( or remote control it ) and get to a command prompt.  I would recommend that you run the command prompt as an administrator.

To manually remediate vulnerabilities, as defined by the patch policy, we will take advantage of them using the ZENworks bundle feature.

“Hang on a minute” ,  I hear you say,  ” What about zac pap? “

Two reasons

1 ) It is the worse acronym ever in ZENworks  as shown by this entry from a U.K dictionary of slang

---

Noun. 1. Nonsense, rubbish.
2. Faeces.
Verb. To defecate. E.g.”He was so scared he papped his pants.”

---

2) zac pap applies all patch policies not just the one we are interested in.  You may have another patch policy that the device has been included in.  We only want to apply our patch policy.

Let press on.

At the command prompt, type zac bl

You will get a list of associated bundles for the device.  In that list will be our patch policy.

My patch policy is “Windows Server updates”

To apply the patches in that patch policy and remediate vulnerabilities, type zac bin <Display name shown in the list.>

If the patches have not yet been distributed, they will be.  Once all patches are downloaded, installation will start

Wait until this process is completed.

Then reboot when you’re ready.

 

Cloud computing – made successful thanks to inefficient policies

During my routine morning read of industry articles, whilst slurping tea, I came across one which started discussing using cloud computing for D.R before moving onto a wider arena of cloud computing in general.

Essentially the article argued that cloud computing was successful because internal organisational policies / politics made onsite computing more expensive. If the decision was made by Excel, then onsite wins in the majority of use case followed by co-location and finally cloud.

Interesting to see if that premise holds.