Trend Micro – Worry Free Business Security – Firewall Port Ranges Failing/Not Working

Posted on July 18, 2011

We recently applied an upgrade from Worry Free Business Security 6.0 SP3 to 7.0. After the upgrade we noticed whitelisted Ephemeral and other port ranges in the firewall policies were not allowing traffic in. After numerous hours verifying everything was correctly setup we got in touch with Trend Micro and they sent back a patch to resolve the issue. We haven't seen this online yet, so I figure this may help a few of you.

--------------------------------------------------------------------------------

Good Day.

Please apply the attached Hotfix to the WFBS Server. Unzip password: novirus
Let the agents update afterwards then observe if the issue persists.

We are looking forward to your reply.

Technical Support – Worry-Free Products and Services Trend Micro, Inc. “Securing Your Journey to the Cloud”

--------------------------------------------------------------------------------

Download: http://www.sirk.ca/downloads/WFBS_70_WIN_All_HFB1461.zip

After applying this patch and allowing the update to propagate down to the clients, the port ranges started allowing traffic through.

Windows 2008 R2 – cryptosvc – the service name is invalid – windows backup fails – sfc fails – windows updates fail

Posted on July 11, 2011


The title of this article sounds ... well, just terrifying. If you run into a system with this many issues, it's likely easier to just rebuild it from scratch, right? WRONG! I'm stubborn and figure some things are worth the challenge. Ultimately, this was a fairly critical Exchange server that would take a lot of work to rebuild.

To approach a problem like this, we follow the trail of issues.

First noticed issues: Windows Backups are failing and Windows Updates will not install.
The system is Windows 2008 R2 64-bit Enterprise Edition with Exchange 2010 SP1.

1) Verify the system filesystem integrity using SFC

C:\>sfc /scannow
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
C:\Windows\Logs\CBS\CBS.log

From this you would normally conclude that files are corrupt and seek out the affected ones with the following command:

C:\Windows\system32>findstr /C:"[SR] Cannot repair member file" %windir%\Logs\CBS\CBS.log

The interesting thing in our case was that the "findstr" command returned nothing. So we skipped this step and moved on to the next one for the time being. Who wants to dig through tens of thousands of lines? Not me!

2) Diagnose and attempt to repair the Windows Backup issues

The Windows Backup utility was failing with "The operation was stopped. Detailed Error: The System Writer is not found in the backup". System State Backup Failed. 

The first thing to check is exactly that:

c:\> vssadmin list writers

You're looking for this:

Writer name: 'System Writer'
   Writer Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Instance Id: {05407ce0-b537-4973-a731-e7ed614a9a9e}
   State: [1] Stable
   Last error: No error

If your list does not include the "System Writer", that's a problem, and a fairly common one at that. The Windows Backup utility requires this writer.

If you dig around online you'll find an arsenal of articles outlining permission errors on a specific set of Windows folders that cause the System Writer to fail. We've done the research for you. The following script resets permissions on those folders back to default.

Create a batch file called "fixPermissions.bat" and copy/paste the following:

------------------------------------------------------------------------------------------------------------
REM Reset ownership and default ACLs on the WinSXS folders the System Writer depends on.
REM Run from an elevated command prompt.
Takeown /f %windir%\winsxs\filemaps /a

icacls %windir%\winsxs\filemaps /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps /grant "Administrators:(RX)"
Takeown /f %windir%\winsxs\filemaps\* /a
icacls %windir%\winsxs\filemaps\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\filemaps\*.* /grant "BUILTIN\Users:(RX)"
icacls %windir%\winsxs\filemaps\*.* /grant "Administrators:(RX)"

REM Same treatment for the PendingRenames folder and its contents.
Takeown /f %windir%\winsxs\temp\PendingRenames /a
icacls %windir%\winsxs\temp\PendingRenames /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames /grant "BUILTIN\Users:(RX)"
Takeown /f %windir%\winsxs\temp\PendingRenames\*.* /a
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "Administrators:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT AUTHORITY\SYSTEM:(RX)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "NT Service\trustedinstaller:(F)"
icacls %windir%\winsxs\temp\PendingRenames\*.* /grant "BUILTIN\Users:(RX)"

REM Restart Cryptographic Services so it re-reads the repaired folders.
net stop cryptsvc && net start cryptsvc
------------------------------------------------------------------------------------------------------------

Run it from an elevated command prompt to ensure you have adequate permissions. As the impressive Matrix-like text runs down your screen, take note of the very last command when it all finishes:

"net stop cryptsvc && net start cryptsvc"

You should see this:

The Cryptographic service is stopping..
The Cryptographic service was stopped successfully.
The Cryptographic service is starting.
The Cryptographic service was started successfully.

At this point reboot your system and run "vssadmin list writers" to verify that the "System Writer" is now listed. If so, you can test your backup again and it's likely to be working. If the VSS Writer is NOT listed, but the "net stop cryptsvc && net start cryptsvc" was successful, you are experiencing a different issue and the following steps are not applicable (please contact our support team if you require assistance).

In our case, the "cryptsvc" service didn't appear to be registered correctly. Instead of returning the successful stop/start of the Cryptographic service, we received:

The service name is invalid.
More help is available by typing NET HELPMSG 2185.

3) Verify the Cryptographic service is enabled and operating correctly

Start -> services.msc

Wait! "The service name is invalid" actually means the service is not registered at all, and you'll likely realize that when you can't find it in the services list.

At this point you'll likely start wondering: how? Where did it go? We honestly couldn't tell you, but it's really easy to fix. Using another Windows 2008 R2 system, export the missing registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc

If you load regedit and browse to this location, you'll notice the CryptSvc key is missing. On your secondary system, right click the CryptSvc key and export it to a file. You can then double click this file on your problematic system to import the missing values.

If you do not have access to another system, copy the content below into a registry file and double click to load.

File Name: cryptsvc.reg (use whatever you want as long as it ends in .reg)
------------------------------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc]
"DisplayName"="@%SystemRoot%\\system32\\cryptsvc.dll,-1001"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,00,00
"Description"="@%SystemRoot%\\system32\\cryptsvc.dll,-1002"
"ObjectName"="NT Authority\\NetworkService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,00,61,\
  00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,\
  00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,72,00,79,00,70,00,74,00,73,00,76,00,63,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceMain"="CryptServiceMain"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc\Security]
"Security"=hex:00,00,0e,00,01

------------------------------------------------------------------------------------------------------------

Once you've loaded the registry file and repaired the missing data, reboot your system. You should now see the "Cryptographic Services" running in the "services.msc" list, "sfc /scannow" will return no errors, the "System Writer" will show up in the "vssadmin list writers" list, and your Windows Backup and Windows Updates will complete successfully.

Hopefully this helps you avoid a complete re-installation!

 

The session setup from the computer %% failed to authenticate. The following error occurred: Access is denied.

Posted on May 7, 2011

Event ID: 5805
The session setup from the computer %computername% failed to authenticate. The following error occurred:
Access is denied.

We ran into a client with PCs that would not authenticate to his domain controllers.
After further investigation, the client had configured an RODC for a remote office and had not yet added the relevant user and computer accounts (or groups) to the RODC's allowed password replication list.

Just for those who are not aware, EVERY COMPUTER in a domain has an account (just like a user account, except that its name ends with $).

Add User & Computer Security Groups to the RODC Cache:
Active Directory Users & Computers ->  Right Click -> Properties of the RODC ->  Password Replication Policy -> Add
Choose the Computers individually or add the entire "Domain Computers" security group, or even better, create a new security group for the specific computers you would like this RODC to authenticate.

Once you've added them to the "allow" status in this window, reboot the PC and allow 15+ minutes for replication to the RODC to complete.

Voila!

Sharepoint Foundation 2010 Search returns no results

Posted on April 20, 2011

SharePoint Foundation 2010 includes basic search features. Despite all the rumors and recommendations to upgrade to higher-level search packages, the basic SharePoint search works quite well ... and it's very useful.

If your SharePoint server is not returning search results, the following may help you resolve the issue. It's important to create the right accounts, enable the right services, assign the accounts to these services and finally attach the search server to your web applications.

Let's begin ...

1) You need to create two domain accounts, one for searching and one for crawling. Using the Farm Account (or default accounts) is not recommended. In our example we will use "spSearch" and "spCrawl". Use complex passwords!! These domain accounts should only be standard users; no administrative privileges should be applied.

2) Log into the SharePoint Central Administration Page

3) CA > Security > General Security > Configure Managed Accounts > Register Managed Account.

  • Enter in "domain\spSearch" and the password you chose
  • Click "OK".
  • You should now see this account in the Managed Account list

4) CA > System Settings > Servers > Manage Services on Server > SharePoint Foundation Search -> Start.

  • Service Account -> "Domain\spSearch"
  • Content Access Account (Crawl) -> "Domain\spCrawl" and the password you chose
  • Leave everything else as defaults (you can change the Database Name if you are having issues)

5) CA > Security > General Security > Configure service accounts

  • Choose "Windows Service -> SharePoint Foundation Service"
  • Choose "Domain\spSearch" for the account selection
  • Click "OK"

6) CA > Application Management > Manage Content Databases

  • This is important! For each site you want automatically crawled, you must assign the search server.
  • In the top right corner under "Web Application", choose the web applications to be crawled, one at a time, followed by a click on the "database name" column once they are loaded.
  • In the profile page, change the "Search Server" and "Preferred Server for Timer Jobs" to your server.
  • Click "OK"
  • Repeat for any other web applications you wish crawled

7) CA > Monitoring > Timer Jobs > Review Timer Jobs > SharePoint Foundation Search Refresh

  • Choose "Run Now" to begin indexing your web applications (sites)
  • This can take several hours depending on the size of your database(s). Please be patient.

8) If you're feeling eager and have a background in SQL, you can use SQL Management Studio to check the progress. If you are not familiar with SQL, don't be a hero ... this can cause major damage.

  • Load SQL Management Studio
  • Expand the search database created in the earlier steps (typically WSS_Search_%hostname%)
  • Right click the database -> New Query
  • Enter the following query and execute it: select * from msscrawlhostlist

    You will be presented with a table of results including a column for Hostname and SuccessCount.
    SuccessCount increases as it indexes each page.

  • You can also look up the crawl summary with: select * from MSSCrawlURLLog
  • And should there be any error codes in MSSCrawlURLLog, they can be referenced with: select * from MSSCrawlErrorList where ErrorID = '<ERRORID>'

If you run into issues where things are still not being crawled, I would suggest deleting spCrawl and spSearch from SharePoint and Active Directory, re-creating them from scratch, repeating this entire process, and changing the "database" value in step 4). This will re-create the crawling database from scratch.

Good luck!

PDF icon missing in Sharepoint 2010

Posted on April 13, 2011

The default installation of SharePoint 2010 does not include an icon for PDF documents.
Here's how to fix that:

  • Log onto the SharePoint server
  • Browse to "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IMAGES"
  • Save the following image into this folder: (right click to save to your PC)
  • Browse to "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\XML"
  • Edit "DOCICON.XML"
  • Add the following line '<Mapping Key="pdf" Value="icpdf.png"/>' to the existing items
  • Save the modified XML file
  • Start -> Run -> iisreset /noforce

That's it!

PDF icon will now show up whenever a PDF document is listed.

Win XP RDP client fails to print Calibri font correctly when connected to Win 2008 Server

Posted on April 11, 2011

Windows XP users using RDP to a Windows 2008 server may experience issues printing documents that contain Calibri. Text that is not formatted in Calibri prints normally. This issue persists when using the Easy Print feature with XPS.

This is a known issue and Microsoft has released a hotfix for it.
Sadly, as you read the attached hotfix info you will notice that you have to call them to get the file.

http://support.microsoft.com/kb/946411

We located it here:

http://thehotfixshare.net/board/index.php?autocom=downloads&showfile=9930

(although we recommend calling Microsoft to get it, you can likely find it online somewhere)

After installation, the RDP clients were printing Calibri correctly.

(BES) Blackberry Enterprise Activations – SMTP/Whitelist for in-bound activation e-mails

Posted on March 14, 2011

When adding a new user to your BlackBerry Enterprise Server, a very specific e-mail is sent to the user's inbox with an activation password. The e-mail is NOT sent locally within your network. Your local BES server issues the request through one of the many external BlackBerry servers housed all over the world. To ensure the mail arrives, add the following networks to your spam whitelist.

Network          Prefix   Netmask
206.51.26.0      /24      255.255.255.0
193.109.81.0     /24      255.255.255.0
204.187.87.0     /24      255.255.255.0
216.9.240.0      /20      255.255.240.0
93.186.16.0      /20      255.255.240.0
68.171.224.0     /19      255.255.224.0
206.53.144.0     /20      255.255.240.0
67.223.64.0      /19      255.255.224.0
74.82.64.0       /19      255.255.224.0
173.247.32.0     /19      255.255.224.0
178.239.80.0     /20      255.255.240.0

If you do not whitelist these networks and you do filter spam, don't say we didn't warn you!

Deploying Adobe Acrobat Reader MSI by GPO (Group Policy)

Posted on January 2, 2011

Adobe recently released version 10.0.0 of their Acrobat Reader package. Versions prior to this release did have an MSI available, but it took extra steps to extract and acquire it. With 10.0, they finally came to their senses and released a native MSI available for download directly from their site.

Download it here:
ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/

You can now deploy this package using the standard Active Directory software deployment methods available on all 2008/2008 R2 servers. We can confirm that when Acrobat X is installed, it does upgrade previous versions of Reader so that you only have the latest instance. In the past, we noticed the installation files did not remove/upgrade existing versions.

To deploy this package by group policy object, complete the following:

1) Download the Adobe MSI package and save it to a shared network location accessible to all client stations. (example: \\server\software\adobe\)
2) Load the "Group Policy Management" console
3) Create a new Group Policy Object (call it "Software Deployment - Adobe Acrobat Reader")
4) Edit this GPO and navigate to ( Computer Configuration -> Policies -> Software Settings -> Software Installation)
5) Right click and add new "Package"
6) Browse to the UNC path to the downloaded package ( "\\server\software\adobe\AdbeRdr1000_en_US.msi")
7) Choose "Assigned" and save.
8) Browse through your OUs (organizational units) and find the container where your PCs reside. Link this new GPO to that container. If you currently have your computer objects located under the default "Computers" container, you need to create a new OU, move the computers there, and link the newly created GPO to it. Storing your computer objects under the default "Computers" container is not recommended and will not work with a lot of Active Directory features.

Your PCs will now install this package on start-up.
You can also apply updates using this same method and assigning the updates to the original package within the same GPO.

Have fun!

Send-As anyone or Bypass Anti-Spam agents for a single mailbox using extended-rights with Exchange 2010

Posted on December 13, 2010

Roaming SMTP Solution for Exchange Servers

Looking for a quick and efficient method to allow roaming POP3 users or remote equipment to send e-mail from anywhere in the world? Typically ISPs block port 25 (SMTP) and force customers to send through their own SMTP servers to prevent spam, but realistically how painful is it to consistently find the new SMTP server information and change your settings every time you change networks? I think not ...

Our common solution for the roaming user is to open a separate SMTP port (generally 587 or 2525) and allow them to send from anywhere. As these users require authentication to send, you need to update the advanced settings on their POP3 profile to use the same username / password when sending, and change the SMTP port to either 587 or 2525 (whichever you chose). Simple and efficient.

What about network devices without actual mailboxes? For example: a network scanner or scheduled task which relies on no POP3 account?

Instead of creating a separate mailbox for every device, why not share one?
By default, if the sender address on an incoming message does not match the address of the authenticated mailbox, you will be given "550 5.7.1 Client does not have permissions to send as this sender".
Here's how to fix that issue:

1) Forward external port 2525 or 587 on your firewall to port 25 on your Exchange server
2) Create an Exchange mailbox to be used for sending (ie. deviceSMTP) and use a complex password
3) Load the Exchange Management Shell
4) Identify the default receive connector for port 25

Get-ReceiveConnector

mailserver\Client Mailserver {0.0.0.0:2525, :::25, 0.0.0.0:25} True

5) Apply extended rights to the account you created so that, once it has authenticated on this connector, it is allowed to submit mail with any sender address

Get-ReceiveConnector "mailserver\Client Mailserver" | Add-ADPermission -user "<user you created>" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Sender"

6) Set your network device to use authenticated SMTP, enter the username/password you created, and select port 2525 or 587.

Happy sending!

Bypass Anti-Spam agents for a specific mailbox

If your organization has a mailbox that requires unfiltered/unprotected mail, you can use extended rights to let that mailbox bypass the anti-spam agents.

Get-ReceiveConnector "mailserver\Client Mailserver" | Add-ADPermission -user "<mailboxname>" -ExtendedRights "ms-Exch-Bypass-Anti-Spam"

Exchange 2010 SP1 – Exporting mailboxes to PST or another mailbox or mailbox folder

Posted on December 1, 2010

Just a quick note that the export features built into Exchange 2010 were revised in SP1. The following are quick commands to help you get it done quickly.

1) Export a mailbox directly to a PST file

New-MailboxExportRequest -mailbox {mailbox} -FilePath \\server\folder\mailbox.pst

This will export the entire mailbox to a location and file name of your choice.

2) Export a mailbox directly to another mailbox

New-MailboxExportRequest -mailbox {mailbox} -FilePath \\server\folder\mailbox.pst
New-MailboxImportRequest -mailbox {newmailbox} -FilePath \\server\folder\mailbox.pst

This will export/import the entire mailbox contents to an alternative mailbox. Existing data located in the destination mailbox will be merged with the incoming data.

3) Export a mailbox directly into a unique folder in another mailbox

New-MailboxExportRequest -mailbox {mailbox} -FilePath \\server\folder\mailbox.pst
New-MailboxImportRequest -mailbox {newmailbox} -FilePath \\server\folder\mailbox.pst -targetrootfolder "Mailbox Contents"

This particular process is extremely useful when employees are terminated or leave the organization.

If you would like to review the progress of your exports or imports, use:

Get-MailboxExportRequest | fl
Get-MailboxImportRequest | fl