SEPM: Remote SEP deployment within a common WORKGROUP

Enable Computer Browser service
SEPM has to discover the computers in the WORKGROUP before it can deploy SEP to them remotely, and discovery relies on the Computer Browser service, which is disabled by default. The service is only needed while SEPM discovers and enumerates the computers you intend to manage; once SEP has been deployed to them, stop the Computer Browser service again.

Either run services.msc or from Start menu choose Administrative Tools –> Services.

Prepare for SEP deployment
Symantec documents that remote deployment requires UDP 137 and 138 and TCP 139 and 445 to be open on both the SEPM and the remote computer. UDP 137 and 138 are used for network discovery; TCP 139 and 445 are used to push the Symantec client after logon.

SEPM uses NetBIOS to resolve the computer name and ICMP echo requests to find the computer. Depending on the remote computer's network profile (Home/Work, Private, Public), turn on network discovery for the profile that applies.
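
A pre-flight check for the ports and protocols just listed, run on the SEPM host before attempting the push. This is an added example, not part of the original post: it resolves the target name, sends one ICMP echo request and tries to connect to TCP 139 and 445. UDP 137/138 cannot be verified with a plain connect, so they are only reported. The computer name WIN7-CLIENT1 is an assumed placeholder.

```powershell
# Added example (not from the original post): pre-flight check on the SEPM host.
# Uses only .NET classes available on Windows Server 2008 R2 / PowerShell 2.0.
param(
    [string]$Target = 'WIN7-CLIENT1',   # assumed placeholder; replace with the remote computer name
    [int[]]$TcpPorts = @(139, 445),     # NB-Session-In and SMB-In, used for the push
    [int]$TimeoutMs = 3000
)

$result = New-Object PSObject -Property @{ Target = $Target; Resolved = $null; Ping = $false; Tcp = @{} }

# 1. Name resolution. SEPM itself uses NetBIOS, but a DNS/hosts answer tells you
#    whether this host knows the name at all.
try {
    $result.Resolved = ([System.Net.Dns]::GetHostAddresses($Target) | Select-Object -First 1).IPAddressToString
} catch {
    Write-Warning "Cannot resolve $Target : $($_.Exception.Message)"
}
$address = if ($result.Resolved) { $result.Resolved } else { $Target }

# 2. ICMP echo request; the client must allow it (File and Printer Sharing ICMPv4-In rule).
$ping = New-Object System.Net.NetworkInformation.Ping
try {
    $reply = $ping.Send($address, $TimeoutMs)
    $result.Ping = ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
} catch {
    Write-Warning "Ping to $address failed: $($_.Exception.Message)"
}

# 3. TCP ports used to push the client after logon. BeginConnect + WaitOne gives a
#    bounded timeout instead of the long default connect timeout.
foreach ($port in $TcpPorts) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($address, $port, $null, $null)
        $ok = $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)
        if ($ok) { $client.EndConnect($async) }      # throws if the port is refused
        $result.Tcp[$port] = ($ok -and $client.Connected)
    } catch {
        $result.Tcp[$port] = $false
    } finally {
        $client.Close()
    }
}

Write-Host "Target    : $Target ($address)"
Write-Host "ICMP echo : $($result.Ping)"
foreach ($port in $TcpPorts) { Write-Host ("TCP {0,-4}  : {1}" -f $port, $result.Tcp[$port]) }
Write-Host "UDP 137/138 (NetBIOS name/datagram) cannot be tested by connect; verify the client firewall rules instead."

if (-not $result.Ping) {
    Write-Warning "Discovery by IP address will fail until the ICMPv4-In rule is enabled on the client."
}
if (-not ($result.Tcp[139] -and $result.Tcp[445])) {
    Write-Warning "The push will fail: enable the NB-Session-In (139) and SMB-In (445) rules on the client."
}
```

Run it once before adding the client and again after the client-side firewall changes; a failed ICMP check with open TCP ports means discovery by name may still work, whereas closed 139/445 means the push itself cannot succeed.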

In my case the remote computer's network interface was connected to a public network, so I turned on network discovery under the public profile.

Windows 7 enables the Windows Firewall by default, and the network discovery rules are also on by default. If you want to discover the remote computer by IP address, you must additionally enable the File and Printer Sharing (ICMPv4-In) rule in the Windows Firewall; this rule allows the remote computer to receive echo requests.

On the remote computer, turn on network discovery under the profile that applies to you. In my case I turned it on under the public profile.

On the remote computer you also need to enable two more rules: File and Printer Sharing (NB-Session-In) and File and Printer Sharing (SMB-In).

On the remote computer you also need to enable the Administrator account, which is inactive by default in Windows 7. To activate it, run cmd as administrator:

net user administrator /active:yes

You will then have to give the Administrator account a password; by default it has none.

Add a client
On the SEPM, create a group or use the default group, select the group and add a client.

Select remote push and click next.

Search by computer name, or search the computer by IP address.

To search by computer name, network discovery must be turned on on the remote computer and the network discovery rules must be enabled in its Windows Firewall (they are enabled by default). To search by IP address, you must enable the File and Printer Sharing (ICMPv4-In) rule.

Select the discovered computer and click >>.

This is where you need the Administrator account. Windows 7 will refuse the logon if you use a user account that merely has administrator rights; only the built-in Administrator account can be used.

Result after the login attempt was successful.

Click Send.

Wait for the deployment to finish.

Deployment is successful.

Click Finish.

After the client has been installed, the managed SEP may not show up immediately; wait about 5 minutes and click Refresh, or simply wait until the managed SEP appears.

Aftermath
On the remote computer, disable the File and Printer Sharing (SMB-In), File and Printer Sharing (NB-Session-In) and File and Printer Sharing (ICMPv4-In) rules in the Windows Firewall again, turn off network discovery, then run cmd as administrator and deactivate the Administrator account:

net user administrator /active no

The Administrator account still appears, but you will never be able to log in with the correct Administrator password.

To make the Administrator account never appear on the Winlogon screen, type:

net user administrator /active:no
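
The client-side preparation and the aftermath cleanup above are the same set of changes applied in opposite directions, so a single script can do both and show the resulting state. This is an added example, not the post's or Symantec's own code; it assumes an English Windows 7 where the rule display names are the ones listed in the script (the rule the post calls "ICMPv4-In" is displayed as "File and Printer Sharing (Echo Request - ICMPv4-In)"), and it uses netsh because the NetSecurity cmdlets do not exist on Windows 7.

```powershell
# Added example (not from the original post): prepare a Windows 7 client for the
# SEPM remote push (-Mode Prepare) or undo those changes afterwards (-Mode Cleanup).
# Run from an elevated PowerShell prompt.
param(
    [ValidateSet('Prepare', 'Cleanup')]
    [string]$Mode = 'Prepare'
)

# Firewall rules the post enables; display names assumed from an English Windows 7.
# Verify with: netsh advfirewall firewall show rule name=all
$rules = @(
    'File and Printer Sharing (Echo Request - ICMPv4-In)',   # discovery by IP address
    'File and Printer Sharing (NB-Session-In)',              # TCP 139, push
    'File and Printer Sharing (SMB-In)'                      # TCP 445, push
)
$enable = if ($Mode -eq 'Prepare') { 'yes' } else { 'no' }

foreach ($rule in $rules) {
    $out = netsh advfirewall firewall set rule name="$rule" new enable=$enable
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not update rule '$rule': $out" }
    else { Write-Host "$rule -> enable=$enable" }
}

# Network Discovery rule group (UDP 137/138 among others). On by default on Windows 7;
# turned off again during cleanup, matching the post's "turn off network discovery".
netsh advfirewall firewall set rule group="Network Discovery" new enable=$enable | Out-Null

if ($Mode -eq 'Prepare') {
    # Only the built-in Administrator is accepted by the push. Activate it and set a
    # password interactively rather than leaving the default blank password in place.
    net user administrator /active:yes | Out-Null
    net user administrator *          # prompts for the new password
} else {
    # Client is managed now: deactivate the account again.
    net user administrator /active:no | Out-Null
}

# Show the resulting state so the change can be verified before/after the push.
foreach ($rule in $rules) {
    netsh advfirewall firewall show rule name="$rule" | Select-String 'Enabled'
}
net user administrator | Select-String 'Account active'
```

The rules are set for every profile they are defined on; if you want to limit them to the profile in use, as the post does through the Network and Sharing Center, check the profile column in the `show rule` output and adjust accordingly. Running `-Mode Cleanup` as soon as the client reports as managed keeps SMB, NetBIOS and ICMP exposure to the short deployment window.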
Posted in Security

SEPM: Run liveupdate for SEPM

Running LiveUpdate from SEPM is different from running LiveUpdate on a SEP client.

From Common Tasks, found at the top right-hand corner of SEPM, select Run LiveUpdate.

Posted in Security

SEPM: Convert an unmanaged SEP client to a managed client

Unmanaged Symantec Endpoint Protection client

Server: Self Managed means this SEP is standalone and unmanaged.

You can either uninstall the unmanaged SEP and deploy SEP from SEPM, or import the communication settings file into the unmanaged SEP.

Export sylink.xml from SEPM and import sylink.xml to SEP
You can export the communication settings from the Default group, or create your own group and export the communication settings from that group.

You may wish to export your sylink.xml file to a thumb drive or a shared folder.

From the client, click Help, select Troubleshooting, and under Communication Settings click the Import button.

Select the sylink file and click Open.

After you have imported the sylink.xml file there is no indication of whether the import succeeded, and no progress bar or progress report; you just need to wait until you see this:

Under General Information, your SEPM IP address will replace Self Managed.

Refresh your SEPM and you will see the managed SEP.

Posted in Security

SEPM: Offline virus definition update

Overview
Unlike McAfee ePolicy Orchestrator, SEPM has no import or check-in feature for virus definitions that would make updating them easy. In an environment without Internet access, you have to download the .jdb file from the Symantec website and copy it to the SEPM inbox folder, which for a default installation is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming. Once the .jdb file has been copied there, SEPM processes the definition update automatically.

Latest on Manager will show the virus definition file you copied.

Steps to do offline update
Step 1: Download the .jdb file from the Symantec website.

Step 2: Copy the file to C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming

Step 3: SEPM processes the file; once it has been processed, the .jdb file disappears from C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming

A folder appears while SEPM is processing the .jdb file.

The folder contains a series of DLL, sys and virus definition files.
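
Because the only success signal is the .jdb file vanishing from the inbox, the three steps above can be wrapped in a script that copies the file, waits for SEPM to consume it, and reports the processing folder that appears. This is an added example, not the post's or Symantec's own tooling; it assumes the default SEPM install path quoted in the post, and $JdbFile is a placeholder for the file you downloaded.

```powershell
# Added example (not from the original post): deliver a .jdb definition file to the
# SEPM inbox and wait until SEPM has processed it.
param(
    [Parameter(Mandatory=$true)]
    [string]$JdbFile,                 # placeholder: the .jdb you downloaded from Symantec
    [string]$Inbox = 'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\inbox\content\incoming',
    [int]$TimeoutMinutes = 30
)

# Sanity checks before touching the inbox: right file type, and the inbox exists
# (it will not, for example, on a non-default install path).
if (-not (Test-Path -LiteralPath $JdbFile)) { throw "Definition file not found: $JdbFile" }
if ([System.IO.Path]::GetExtension($JdbFile) -ne '.jdb') { throw "Expected a .jdb file, got: $JdbFile" }
if (-not (Test-Path -LiteralPath $Inbox)) { throw "SEPM inbox not found (non-default install path?): $Inbox" }

$name = Split-Path -Leaf $JdbFile
$dest = Join-Path $Inbox $name

# Snapshot the inbox so the processing folder SEPM creates can be identified afterwards.
$before = Get-ChildItem -LiteralPath $Inbox | ForEach-Object { $_.Name }

Copy-Item -LiteralPath $JdbFile -Destination $dest
Write-Host "Copied $name to the inbox; waiting for SEPM to process it..."

# SEPM removes the .jdb once it has been processed; poll until it is gone or we time out.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while (Test-Path -LiteralPath $dest) {
    if ((Get-Date) -gt $deadline) {
        Write-Warning "SEPM has not consumed $name after $TimeoutMinutes minutes; check that the SEPM service is running."
        exit 1
    }
    Start-Sleep -Seconds 15
}

# Report what appeared (the post shows a folder with DLL, sys and definition files).
$after = Get-ChildItem -LiteralPath $Inbox | Where-Object { $before -notcontains $_.Name }
Write-Host "$name consumed by SEPM."
foreach ($item in $after) { Write-Host "New in inbox: $($item.FullName)" }
```

After the script reports the file as consumed, confirm in the SEPM console that Latest on Manager shows the new definition date, since a file that vanished from the inbox but was rejected during processing would still leave the old definitions in place.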

Posted in Security

VMware: Register vCenter Server

The vCenter Server must be registered in the vSphere Web Client Administration Tool before you can use the vSphere Web Client to log in to it.

Posted in VMware

Troubleshoot: VMware VirtualCenter Server service cannot start automatically and manually

Problem
A user forgot the domain user password used by the SQL and vCenter servers and reset the password of the domain users. Afterwards it was not possible to log in to the vCenter server with the vSphere Client: the client reported a connection failure even though the correct domain user credentials were used.

Finding the clues to the cause
1. On the vCenter server (vc.cyruslab.local), two services were not started, namely VMware VirtualCenter Server and VMware VirtualCenter Management Webservices (the latter can only be started after VirtualCenter Server is running). These services should start automatically after a successful logon to the domain.

2. The user attempted to start VMware VirtualCenter Server manually, but encountered an error saying the service could not be started because of a failed logon.

Right-click the VMware VirtualCenter Server service and choose Properties. Click the Log On tab and manually type in the new password.

Do the same for the VMware VirtualCenter Management Webservices service.

The user then tried to start VirtualCenter Server again, but encountered another error:

Windows could not start the VMware VirtualCenter Server on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code 2.

3. vc.cyruslab.local was a Windows 2008 R2 SP1 64-bit OS; the user checked vpxd.log under C:\ProgramData\VMware\VMware VirtualCenter\Logs and found the following messages:

Section for VMware VirtualCenter, pid=2316, version=4.1.0, build=build-258902, option=Release
[2013-05-07 00:18:33.023 02692 info 'App'] Current working directory: C:\Windows\system32
[2013-05-07 00:18:33.023 02692 info 'App'] Log path: C:\ProgramData\VMware\VMware VirtualCenter\Logs
[2013-05-07 00:18:33.023 02692 info 'App'] Initializing SSL
[2013-05-07 00:18:33.023 02692 info 'Libs'] Using system libcrypto, version 9080CF
[2013-05-07 00:18:34.645 02692 info 'App'] Vmacore::InitSSL: doVersionCheck = true, handshakeTimeoutUs = 120000000
[2013-05-07 00:18:34.661 02692 info 'App'] Starting VMware VirtualCenter 4.1.0 build-258902
[2013-05-07 00:18:34.661 02692 info 'App'] Log directory: C:\Users\vc_admin\AppData\Local\VMwarevpx.
[2013-05-07 00:18:34.661 02692 info 'App'] Account name: vc_admin
[2013-05-07 00:18:34.661 02692 info 'App'] Total virtual memory available for the process 8589934464 KB
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxOsLayer] Enabled low-frag process heap.
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxOsLayer] Enabled low-frag crt heap.
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:782] Calling: InfoDeclSchema(gDB)
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:784] Calling: VpxCallbackDesc::Init(MakeFunctor(this, &ServerApp::RequestShutdown))
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:785] Calling: VpxCryptInit()
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:786] Calling: VpxLRO::Init()
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:787] Calling: VpxLroList::Init(ltud)
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxLRO] 512 max LROs
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxLRO] 12 reserved internal LROs
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxLRO] 12 reserved blocker LROs
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxLRO] 12 reserved short LROs
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxLRO] 8 reserved long LROs
[2013-05-07 00:18:34.661 02692 info 'App'] [VpxLRO] 600-second task lifetime
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:788] Calling: VpxdCharacterizeThreadpool(ltud)
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:789] Calling: VpxdCertificate_Load(gDB, CERTIFICATE_VMDBPATH )
[2013-05-07 00:18:34.661 02692 info 'App'] [Vpxd::ServerApp::Init:790] Calling: VpxdVdb::Init(VpxdVdb::GetVdb(), false, false)
[2013-05-07 00:18:55.799 02692 error 'App'] ODBC error: (08001) - [Microsoft][SQL Server Native Client 10.0]Named Pipes Provider: Could not open a connection to SQL Server [2]. 
[2013-05-07 00:18:55.799 02692 error 'App'] Error getting configuration info from the database
[2013-05-07 00:18:55.799 02692 error 'App'] [Vpxd::ServerApp::Init] Init failed: VpxdVdb::Init(VpxdVdb::GetVdb(), false, false)
[2013-05-07 00:18:55.799 02692 warning 'VpxProfiler'] ServerApp::Init took 21138 ms
[2013-05-07 00:18:55.799 02692 error 'App'] Failed to intialize VMware VirtualCenter. Shutting down...
[2013-05-07 00:18:55.799 02692 info 'App'] Forcing shutdown of VMware VirtualCenter now

The log says vCenter cannot open the SQL database to read its configuration, so the user decided to test the connection from vc.cyruslab.local to the remote SQL server.

4. Testing the remote SQL Server connection from the local machine:
From Administrative Tools select Data Sources (ODBC).

Select the System DSN tab.

Then click the Configure button.

Click the Next button.

Click the Next button again.

The SQL server could not be connected to. This could mean either that SQL was unreachable or that the SQL service was stopped.

5. The user could connect to sql.cyruslab.local over Remote Desktop, which showed that at least network connectivity between vc.cyruslab.local and sql.cyruslab.local existed; so the SQL service was probably not started. The user opened SQL Server Configuration Manager.

The MS SQL service was stopped.

The user attempted to start the service manually but could not, so the user right-clicked SQL Server and selected Properties.

Manually type in the new password for the domain user account.
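
Steps 4 and 5 above can be reproduced from the vCenter host without clicking through the ODBC and Services dialogs: open the System DSN with the service account's Windows credentials, and if that fails, read the SQL Server service state and logon account on the remote host over WMI. This is an added example, not the post's or VMware's own tooling; VCENTER_DSN_PLACEHOLDER stands for the DSN name shown under the System DSN tab, and sql.cyruslab.local is the host name used in the post.

```powershell
# Added example (not from the original post): check the vCenter -> SQL path.
# Run from a shell started as the vpxd service account (e.g. runas /user:DOMAIN\vc_admin
# powershell) so that Trusted_Connection uses the same credentials vpxd uses.
param(
    [string]$Dsn = 'VCENTER_DSN_PLACEHOLDER',   # placeholder: the System DSN vCenter uses
    [string]$SqlHost = 'sql.cyruslab.local'
)

# Step 4: open the ODBC data source exactly as vpxd would (Windows authentication).
$conn = New-Object System.Data.Odbc.OdbcConnection("DSN=$Dsn;Trusted_Connection=yes")
$conn.ConnectionTimeout = 15
try {
    $conn.Open()
    Write-Host "ODBC connection OK: $($conn.DataSource) / $($conn.Database)"
    $conn.Close()
    return
} catch {
    # The post's failure surfaced here as (08001) Named Pipes Provider: Could not open a connection.
    Write-Warning "ODBC open failed: $($_.Exception.Message)"
}

# Step 5: is the SQL Server service running on the remote host, and under which account?
# A stopped service whose logon account just had its password reset is the post's root cause.
try {
    $services = Get-WmiObject -ComputerName $SqlHost -Class Win32_Service |
                Where-Object { $_.Name -like 'MSSQL*' }
    if (-not $services) { Write-Warning "No MSSQL* service found on $SqlHost" }
    foreach ($s in $services) {
        Write-Host ("{0,-20} State={1,-8} StartMode={2,-6} LogOnAs={3}" -f $s.Name, $s.State, $s.StartMode, $s.StartName)
        if ($s.State -ne 'Running') {
            Write-Warning "$($s.Name) is not running and logs on as $($s.StartName); if that account's password was reset, update it on the service's Log On tab and start the service."
        }
    }
} catch {
    Write-Warning "Cannot query services on $SqlHost (WMI/RPC blocked or host down): $($_.Exception.Message)"
}
```

If the ODBC open succeeds but vpxd still fails to start, the difference is almost always the account the check ran under, which is why the script is meant to be run as the service account rather than as the logged-on administrator.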

Happy Ending
After the new password was entered, SQL Server could be started. The user then started VMware VirtualCenter Server, which was successful, followed by VMware VirtualCenter Management Webservices, which also started successfully. The user then logged in with the vSphere Client.

Posted in Tshoot, VMware

Security: Whitelist WSUS server

About whitelist
All applications in the whitelist can be executed; those not in the whitelist cannot. In the scenario where a user inadvertently downloads a malicious file, the downloaded file cannot be executed because it is not in the whitelist.

The whitelisting application used for this post is McAfee Application Control, also known as McAfee Solidifier. It is very easy to use; the only difficult part is manually adding applications and updaters to the whitelist, and McAfee simplifies that with its finetune.bat.

Checklist
Here is the checklist of what should be done before and during whitelisting.

1. Scan the server/workstation thoroughly, preferably with antivirus scanners from different vendors and a rootkit scanner, to ensure the machine is free from viruses and other malicious files (zero-day malware will not be detected, of course).

2. Use finetune.bat to add U-WindowsUpdate, A-McAfee and E-WSUSServer; these three are the updaters for Windows Update, WSUS synchronization and McAfee VirusScan.

C:\Program Files\McAfee\Solidcore>finetune.bat add E-WSUSServer
*****ADDING solidifier CUSTOMIZATIONS*****

Adding solidifier rules for Windows Server Update Services2.0 sp1...


Rules added sucessfully.

WARNING! Reboot your system before proceeding further as some rules take
effect only on system restart.

C:\Program Files\McAfee\Solidcore>finetune.bat add A-McAfee
*****ADDING solidifier CUSTOMIZATIONS*****

Adding solidifier rules for Mcafee.



Rules added sucessfully.

WARNING! Reboot your system before proceeding further as some rules take
effect only on system restart.

3. Solidify the C volume. Solidifying means whitelisting the volume, file or directories. If you do not specify volumes, folders or files, sadmin by default solidifies all volumes available on the computer; if that is not what you want, specify the target explicitly, for example sadmin so c:\

C:\Program Files\McAfee\Solidcore>sadmin so
Password:
Solidifying volume C:\
00:09:09: Total files scanned 72308, solidified 28002

C:\Program Files\McAfee\Solidcore>

4. Set McAfee Application Control password.

C:\Program Files\McAfee\Solidcore>sadmin passwd
New Password:
Retype Password:
Password changed.

5. Back up the Windows server, or create a restore point if you are using Windows 7.

6. Enable McAfee Application Control.

C:\Program Files\McAfee\Solidcore>sadmin enable
Password:
McAfee Solidifier will be enabled without Memory Protection on service restart.
Memory Protection will be available on next reboot.

C:\Program Files\McAfee\Solidcore>

7. Reboot the machine.

Posted in Security