Pronichkins’ Blog > Artem Pronichkin
|
|
12/29/2008

What is InfoTech Protocol? There is not much information about it. Generally, we just know that it is used by the Microsoft HTML Help application for rendering “CHM” (Compiled HTML Help) files. A couple of vulnerabilities were discovered in this application back in 2004 and 2005. The patches for these vulnerabilities brought some restrictions on how HTML Help is handled in Windows, so several capabilities of this application were broken. Some of them are not broadly used, for example — Protocols Nesting, but some are. For example — the ability to open CHM files located on network shares. Later these patches were rolled up into Windows Server 2003 Service Pack 1 and subsequent OS releases, so turning off these features of the HTML Help application became the default for Windows Vista. For example, if you try to open a CHM file from a remote share in Windows Vista or Windows Server 2008, by default you will be presented with an empty page telling you that

    Navigation to the webpage was canceled
    What you can try:

There is a known workaround to turn these capabilities back on. It is officially documented in Microsoft Knowledge Base article 896054: You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1. This article describes different Windows Registry settings that may be used to tweak HTML Help security for remote content. But it is not easy to deploy these settings to multiple computers. The article suggests using the Windows feature called Logon Script to set registry keys with Group Policy. This doesn’t seem to be a very good idea because it lacks both flexibility and elegance. The common best practice for deploying custom Registry settings with Group Policy is creating so-called Administrative Templates. They are specially cooked plain text or XML files that accomplish two different goals at the same time.
- Describe how the settings should be held at the OS level, and
- Provide a user-friendly way to define these settings.
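Before looking at the template itself, here is an added PowerShell example (my code, not the post’s Administrative Template, which the page does not reproduce) that audits the three KB896054 values on a single machine and shows the narrowest possible change: raising only MaxAllowedZone, which is the value the post says it prefers to use on its own. The registry key path is an assumption taken from KB896054, since the post does not print it; the zone numbers are Internet Explorer’s security zones; Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example; not the post's Administrative Template. Audits the three KB896054
# values on one machine and shows the narrowest change: raising MaxAllowedZone only.
# Assumptions: the key path is taken from KB896054 (the post does not print it), and
# the zone numbers are Internet Explorer's security zones.
$ItssKey = 'HKLM:\SOFTWARE\Microsoft\HTMLHelp\1.x\ItssRestrictions'

$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-InfoTechRestriction {
    # A missing key or value is the post-patch default: only local CHM content renders.
    $props = $null
    if (Test-Path -Path $ItssKey) { $props = Get-ItemProperty -Path $ItssKey }
    $zone = $null
    if ($props -and $null -ne $props.MaxAllowedZone) { $zone = [int]$props.MaxAllowedZone }
    New-Object -TypeName PSObject -Property @{
        MaxAllowedZone     = $zone
        UrlAllowList       = $(if ($props) { $props.UrlAllowList })
        NestedProtocolList = $(if ($props) { $props.NestedProtocolList })
    }
}

function Set-InfoTechMaxAllowedZone {
    # Raises only MaxAllowedZone, leaving UrlAllowList and NestedProtocolList unset.
    # Zone 3 (Internet) or 4 would let hh.exe render remote Internet content again,
    # which is exactly what the 2004/2005 updates closed off, so refuse those.
    param([Parameter(Mandatory=$true)][ValidateRange(0, 4)][int]$Zone)
    if ($Zone -ge 3) {
        throw ('Zone {0} ({1}) would allow Internet content; refusing.' -f $Zone, $ZoneNames[$Zone])
    }
    if (-not (Test-Path -Path $ItssKey)) { New-Item -Path $ItssKey -Force | Out-Null }
    New-ItemProperty -Path $ItssKey -Name 'MaxAllowedZone' -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Show-InfoTechRestriction {
    $r = Get-InfoTechRestriction
    $zoneText = 'not set (only local files render)'
    if ($null -ne $r.MaxAllowedZone) { $zoneText = '{0} = {1}' -f $r.MaxAllowedZone, $ZoneNames[$r.MaxAllowedZone] }
    'MaxAllowedZone     : {0}' -f $zoneText
    'UrlAllowList       : {0}' -f $(if ($r.UrlAllowList) { $r.UrlAllowList } else { '(empty)' })
    'NestedProtocolList : {0}' -f $(if ($r.NestedProtocolList) { $r.NestedProtocolList } else { '(empty)' })
}

# Typical use: allow CHM files from intranet shares and nothing else, then read back.
# Set-InfoTechMaxAllowedZone -Zone 1
Show-InfoTechRestriction
```

Values written by hand like this are overwritten at the next policy refresh if an Administrative Template targets the same key, so on a domain-joined machine the audit function is mainly useful for checking what the GPO actually delivered.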
Even if you have never worked with Administrative Templates before, you should realize now that they are a perfect way to deploy custom Registry settings with Group Policy. The only significant drawback here is some difficulty in creating these templates. Although they are just plain text (in Windows Server 2003 and below) or XML files (in Windows Vista and above), their syntax may not be very easy to learn quickly. So you would probably spend some time studying it before you create your first Administrative Template from scratch. So it is a good idea to share your custom Templates if they are designed to change some well-known Windows Registry settings that have never been defined with a Template yet. Well, here is my simple Administrative Template to deploy the settings for InfoTech Protocol discussed above. I implemented all three Registry values described in KB896054 (however I actually prefer to use only the second one).
- UrlAllowList — Trusted URLs;
- MaxAllowedZone — Maximum allowed Security Zone and
- NestedProtocolList — List of allowed Nested Protocols.

And here is what it looks like when you use my Administrative Template in an actual Group Policy Object. I created my Administrative Template in the new XML format (ADMX), so you can use it only with modern Windows OSes. I hope you will find it a bit useful. Please feel free to share your feedback on this Template or any other Registry settings you wish were also implemented in this way.

12/17/2008

Today I started testing Microsoft Solution for Hosted Messaging and Collaboration (HMC) in general and Microsoft Provisioning System (MPS) in particular. The first thing you need to do when deploying MPS to an existing domain is installing the Microsoft Provisioning System (MPS) Deployment Tool. The setup process is rather intuitive, but after clicking ‘Next’ several times and proceeding with the ‘Install’ option I got the following error message.

    ---------------------------
    ---------------------------
    The source folder specified (C:\\Service Provisioning) does not exist. This Script can not continue. Exiting ...
    ---------------------------
    OK
    ---------------------------

There are two bad things I’ve noticed about this message. Firstly, the window had no title — so it may be difficult to find and recognize it. Secondly, the Windows Installer log does not contain any information regarding this error. The only related info I found in the verbose MSI log is the following lines.

    MSI (s) (BC:70) [12:47:43:190]: MainEngineThread is returning 1603
    MSI (s) (BC:E8) [12:47:43:190]: RESTART MANAGER: Session closed.
    MSI (s) (BC:E8) [12:47:43:190]: No System Restore sequence number for this installation.
    MSI (s) (BC:E8) [12:47:43:205]: User policy value 'DisableRollback' is 0
    MSI (s) (BC:E8) [12:47:43:205]: Machine policy value 'DisableRollback' is 0
    MSI (s) (BC:E8) [12:47:43:205]: Incrementing counter to disable shutdown. Counter after increment: 0
    MSI (s) (BC:E8) [12:47:43:205]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
    MSI (s) (BC:E8) [12:47:43:205]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2
    MSI (s) (BC:E8) [12:47:43:205]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
    MSI (s) (BC:E8) [12:47:43:205]: Restoring environment variables
    MSI (c) (FC:0C) [12:47:43:221]: Back from server. Return value: 1603
    MSI (c) (FC:0C) [12:47:43:221]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied. Counter after decrement: -1
    MSI (c) (FC:0C) [12:47:43:221]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
    Action ended 12:47:43: ExecuteAction. Return value 3.
    MSI (c) (FC:0C) [12:47:43:221]: Doing action: SetupCompleteError
    Action 12:47:43: SetupCompleteError.
    Action start 12:47:43: SetupCompleteError.
    MSI (c) (FC:0C) [12:47:43:221]: Note: 1: 2235 2: 3: ExtendedType 4: SELECT `Action`,`Type`,`Source`,`Target`, NULL, `ExtendedType` FROM `CustomAction` WHERE `Action` = 'SetupCompleteError'
    Action 12:47:43: SetupCompleteError. Dialog created
    Action ended 12:47:44: SetupCompleteError. Return value 2.
    Action ended 12:47:44: INSTALL. Return value 3.
    MSI (c) (FC:0C) [12:47:44:503]: Destroying RemoteAPI object.
    MSI (c) (FC:3C) [12:47:44:518]: Custom Action Manager thread ending.
    <…>
    MSI (c) (FC:0C) [12:47:44:565]: Product: MPS Deployment Tool Build 4.5.261.12 -- Installation operation failed.
    MSI (c) (FC:0C) [12:47:44:581]: Windows Installer installed the product. Product Name: MPS Deployment Tool Build 4.5.261.12. Product Version: 4.5.261.12. Product Language: 1033. Installation success or error status: 1603.

Well, there are also two useful statements we can understand from this message. Firstly, it wants to use a catalog located at ‘C:\Service Provisioning’ for whatever reason. Secondly, this catalog is referred to as a ‘Source Folder’. So, why not try just to copy the Microsoft Provisioning System (MPS) sources from the installation media to this catalog? It works! So, the workaround for this issue is quite simple. You need to copy the ‘SolutionMedia\Service Provisioning’ catalog from the installation media to the root of your drive C:\. Then just run setup from this folder.

    %SystemRoot%\system32\msiexec.exe /package "C:\Service Provisioning\DeploymentTool\DeploymentTool.msi"

After this the Microsoft Provisioning System (MPS) Deployment Tool is installed successfully.
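The workaround above, as an added PowerShell example (my code, not the post’s): it copies the catalog to the location the setup script insists on, runs msiexec with a verbose log, and, because the post notes that the dialog has no title and the log says little, reads the failure summary back out of the log instead. The media mount point ($MediaRoot) is an assumption; the folder and MSI paths are the ones the post names; the sample log lines at the end are copied from the post’s excerpt into a constructed file so the parser can be tried offline.

```powershell
# Added example; not the post's own script. Applies the post's workaround with a
# verbose installer log, then summarises any failure from the log.
# $MediaRoot is an assumed mount point for the HMC installation media.
function Install-MpsDeploymentTool {
    param(
        [Parameter(Mandatory=$true)][string]$MediaRoot,         # e.g. 'D:\'
        [string]$SourceFolder = 'C:\Service Provisioning',        # the folder the setup script insists on
        [string]$LogPath      = (Join-Path $env:TEMP 'MpsDeploymentTool.log')
    )
    $mediaFolder = Join-Path -Path $MediaRoot -ChildPath 'SolutionMedia\Service Provisioning'
    if (-not (Test-Path -Path $mediaFolder)) { throw "Media folder not found: $mediaFolder" }

    # Copy the whole catalog to the drive root, exactly where the setup script looks for it.
    if (-not (Test-Path -Path $SourceFolder)) {
        Copy-Item -Path $mediaFolder -Destination $SourceFolder -Recurse
    }

    $msi  = Join-Path -Path $SourceFolder -ChildPath 'DeploymentTool\DeploymentTool.msi'
    $argv = '/package "{0}" /l*v "{1}"' -f $msi, $LogPath
    $proc = Start-Process -FilePath (Join-Path $env:SystemRoot 'system32\msiexec.exe') -ArgumentList $argv -Wait -PassThru
    if ($proc.ExitCode -ne 0) {
        Write-Warning (Get-MsiFailure -LogPath $LogPath | Out-String)
        throw "msiexec exited with $($proc.ExitCode); full log at $LogPath"
    }
}

function Get-MsiFailure {
    # Summarise a verbose MSI log: final status code, product name, and every action
    # that returned 3 (failure). Works on the post's excerpt and on a full log alike.
    param([Parameter(Mandatory=$true)][string]$LogPath)
    $lines   = Get-Content -Path $LogPath
    $status  = $lines | Select-String -Pattern 'Installation success or error status: (\d+)' | Select-Object -Last 1
    $product = $lines | Select-String -Pattern 'Product Name: (.+?)\. Product Version:' | Select-Object -Last 1
    $failed  = $lines | Select-String -Pattern '^Action ended [\d:]+: (\S+)\. Return value 3\.' |
               ForEach-Object { $_.Matches[0].Groups[1].Value }
    New-Object -TypeName PSObject -Property @{
        Product       = $(if ($product) { $product.Matches[0].Groups[1].Value })
        Status        = $(if ($status)  { [int]$status.Matches[0].Groups[1].Value })
        FailedActions = @($failed)
    }
}

# Demonstration on a constructed log file holding three lines copied from the post.
$sampleLog = Join-Path $env:TEMP 'mps-sample.log'
@'
Action ended 12:47:43: ExecuteAction. Return value 3.
Action ended 12:47:44: INSTALL. Return value 3.
MSI (c) (FC:0C) [12:47:44:581]: Windows Installer installed the product. Product Name: MPS Deployment Tool Build 4.5.261.12. Product Version: 4.5.261.12. Product Language: 1033. Installation success or error status: 1603.
'@ | Set-Content -Path $sampleLog
Get-MsiFailure -LogPath $sampleLog
```

The parser deliberately reports every action that ended with return value 3 rather than only the first, because in a verbose log the custom action that actually failed is followed by ExecuteAction and INSTALL reporting the same code.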
12/16/2008

SQL Server Configuration Manager is a handy MMC Snap-In that you can use to manage SQL Server-specific protocols and services. Best of all, it supports remote connections — though it may not be so obvious. You cannot target the MMC at a remote server from the GUI — neither when running the Snap-In by itself, nor when adding it to an existing MMC window. By default it only manages local SQL Server instances. But you can specify a remote SQL Server when launching the Snap-In from the command line.

    C:\Windows\System32\SQLServerManager10.msc /computer:s-s-db08.inf.winextreme.org

Sometimes after this you may receive the following error message.

    ---------------------------
    SQL Server Configuration Manager
    ---------------------------
    Connection to target machine could not be made in a timely fashion.
    ---------------------------
    OK
    ---------------------------

SQL Server Configuration Manager is actually powered by WMI. So this error message usually means that you have to enable WMI through your firewall. In the case of the built-in Windows Firewall with Advanced Security you need to enable the following pre-defined rule.

    Name         Windows Management Instrumentation (WMI-In)
    Description  Inbound rule to allow WMI traffic for remote Windows Management Instrumentation. [TCP]
    Program      %SystemRoot%\system32\svchost.exe
    Service      Windows Management Instrumentation (winmgmt)
    Transport    TCP (Protocol number 6)
    Local Port   Any

12/14/2008

Here’s another error message you may get when trying to connect to a remote computer using the Computer Management MMC Snap-In.

    ---------------------------
    Computer Management
    ---------------------------
    Computer \\<Computer Name Here> cannot be managed. (null)

    Choose 'Connect to another computer' from the Action menu to manage a different computer.
    ---------------------------
    OK
    ---------------------------

This is not a very self-descriptive message. But it turns out that the only Windows Firewall built-in rule you need to enable here is the following.

    Name         Remote Administration (NP-In)
    Description  Inbound rule for all services to be remotely managed over Named Pipes.
    Program      System
    Service      Any
    Transport    TCP (Protocol number 6)
    Local Port   445

When I first saw Windows Server 2008 Server Manager, I really spent several minutes trying to find how to connect to a remote server. What a pity: the current version of Server Manager is a perfect tool, but it was never designed to work remotely, so you can use it only to manage the local server. Okay, in Windows Server 2008 R2 it will actually be able to connect remotely, but it is still not here. So when I need to connect to a remote server I still have to use good old Computer Management MMC. I usually launch it from the command line.

    compmgmt.msc /computer:<Computer Name Here>

But on default fresh installations of Windows Server 2008 it doesn’t seem to work very well. And a minute later

    ---------------------------
    Event Viewer
    ---------------------------
    Event Viewer cannot connect to computer 'Computer Name Here'. The error reported is : The RPC server is unavailable
    ---------------------------
    OK
    ---------------------------

Okay, the reason is Windows Firewall for sure. Obviously, the built-in firewall rule you need to enable on the remote computer is:

    Name         Remote Event Log Management (RPC)
    Description  Inbound rule for the local Event Log service to be remotely managed via RPC/TCP.
    Program      %SystemRoot%\system32\svchost.exe
    Service      Windows Event Log (EventLog)
    Transport    TCP (Protocol number 6)
    Local Port   Dynamic RPC

I tried to generate a Resultant Set of Policy (RSoP) report for a remote computer from the Group Policy Management Console (GPMC). After selecting the target computer and clicking ‘Next’ I received the following error message.

    Group Policy Error
    Failed to connect to <Computer Name Here> due to the error listed below.
    Ensure that the Windows Management Instrumentation (WMI) service is enabled on the target computer, and consult the event log of target computer for further details.
    Details: The RPC server is unavailable.

Nearly all the errors of this type are actually caused by a firewall blocking some kind of communication between your management workstation and the target computer. There are plenty of different recommendations over the Internet to turn Windows Firewall off forever. I don’t like them and always try to find out the particular rules you need to enable (or create from scratch) in order to make things work. So I’m going to post these little observations here from time to time — just as a note for myself. So, to get through this particular error you need to enable the following built-in rule in Windows Firewall on the remote computer (i.e. the computer you’re trying to manage remotely).

    Name         Windows Management Instrumentation (WMI-In)
    Description  Inbound rule to allow WMI traffic for remote Windows Management Instrumentation. [TCP]
    Program      %SystemRoot%\system32\svchost.exe
    Service      Windows Management Instrumentation (winmgmt)
    Transport    TCP (Protocol number 6)
    Local Ports  Any

12/2/2008

Yesterday I started playing with AGPM in my test environment and found that there’s one step quite unclear to me. The AGPM documentation says that the Service Account needs to have full permissions to all existing GPOs in the domain. But it provides no information about how to grant these permissions. Okay, GPMC has several different options for managing permissions. Most of them deal with Delegation, and this means only some rights to perform specific operations — i.e. create new GPOs or link them to different places in the domain. In other words, these are permissions for domain objects, but not for the GPOs themselves. (Yep, I know that the GPOs themselves are also domain objects, but you’ve got what I mean, haven’t you?)

We also have a feature called Security Filtering which actually manages permissions for the GPOs themselves. But GPMC can only set permissions for one GPO at a time — so it is really not easy to grant permissions for all the GPOs one by one. Especially if your domain has been here for quite a long time and you already have a ton of those GPOs! I’ve asked several colleagues of mine how they would set permissions for multiple GPOs. Most of them suggested using low-level tools like ADSIedit and setting permissions directly on Active Directory objects or the ‘Policies’ container. I didn’t like this idea just because it seems too unclear and geeky. I was sure that there should be an easier and much more obvious way. It’s clear that managing permissions is a common operation that should be scriptable. And it is! Even more, Microsoft provides us with a set of pre-configured sample scripts which can perform plenty of useful tasks with Group Policy. And there is actually one called GrantPermissionOnAllGPOs.wsf which does exactly what it says — “Grant Permissions for all GPOs in a Domain”. Well, there’s one more little trouble. The MSDN article says that the sample scripts are installed along with GPMC itself and can be found at ‘%programfiles%\gpmc\scripts’. Maybe that’s correct for the older stand-alone version of GPMC which is still available for Windows XP and Windows Server 2003. But in Windows Vista SP1 and Windows Server 2008 GPMC became just a regular component of Remote Server Administration Tools (RSAT). And, no, there are no more GPMC scripts installed along with RSAT. But, yes, you can get them as a separate download — just go and grab Group Policy Management Console Sample Scripts. They are installed to ‘%programfiles%\Microsoft Group Policy\GPMC Sample Scripts’ by default now. So, assuming that:
- your AGPM Service Account name is just ‘AGPM’,
- your domain’s NetBIOS name is ‘Inf’ and
- you’re running 64-bit Windows in the same domain,
after installing AGPM you can just run:

    cscript "%ProgramFiles(x86)%\Microsoft Group Policy\GPMC Sample Scripts\GrantPermissionOnAllGPOs.wsf" Inf\AGPM /Permission:FullEdit

And then go to GPMC (with the AGPM client installed), select all of your pre-existing GPOs, which are listed as “Uncontrolled” — and turn them all into “Controlled” at once!

11/3/2008

I’ve installed Forefront Server Security for Microsoft Exchange 2007 and Forefront Server Security Administrator on different computers, both Windows Server 2008 with all current patches. And by default they were not able to connect to each other. Here’s what the error message looked like.

    ---------------------------
    Confirmation
    ---------------------------
    ERROR: Unable to connect to service. An error was returned. Location: CoCreateInstanceEx. Error: The RPC server is unavailable.
    ---------------------------
    OK
    ---------------------------

Also, the following record appeared in the System event log on my client computer (i.e. where the “Administrator” part had been installed).

    Log Name:      System
    Source:        Microsoft-Windows-DistributedCOM
    Date:          11/3/2008 4:55:21 AM
    Event ID:      10006
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      <Client Computer FQDN here>
    Description:
    DCOM got error "2147944122" from the computer <Server Computer FQDN here> when attempting to activate the server:
    {903C424C-BE15-4BCE-8256-EDC95C6E28FE}

Ok, I quickly searched over the Internet and found a few places where the same trouble had been discussed. Well, only one newsgroup thread actually. In German. All it suggested was to read the product documentation. Alright, there really is a note about this error in the Forefront Security for Exchange Server User Guide (quite strange that it wasn’t found directly). Here’s what it says.
If you create a user that is part of the Administrators Group with read-only access rights to FSE, when that user logs on and tries to open the Forefront Server Security Administrator, the following error will occur: ERROR: Unable to connect to service. An error was returned. Location: CocreateInstanceEx.Error: Access is denied. This error is caused by a Windows Server 2003 SP 1 security enhancement. To work around this problem, follow these steps:
- Run DCOMCNFG from START/Run. The Component Services dialog box appears.
- Expand Component Services.
- Expand Computers, My Computer, and DCOM Config.
- Right-click on FSCController, and then select Properties.
- Click the Security tab, and then click Edit in Launch and Activation Permissions.
- Add Domain Users, and click Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
- Click OK for both open dialog boxes.
But this turned out to be totally useless. The real solution consists of two parts. The first one is also described in the aforementioned manual.

To enable the Forefront Server Security Administrator to run on Microsoft Windows XP SP2
- Click Start, click Run, and then enter dcomcnfg. The Component Services dialog box appears.
- In the Component Services dialog box, expand Component Services, expand Computers, right-click My Computer and then click Properties.
- On the COM Security tab, click Edit Limits under Access Permissions, and then select the Allow check box for Remote Access for the Anonymous Logon user.
- Add the Forefront Server Security Administrator application to the Windows Firewall Exceptions list:
  - Open Control Panel, and then select Security Center.
  - Select Firewall Administrator. The Windows Firewall dialog box appears.
  - Select the Exceptions tab.
  - Click Add Program, select FSSAClient from the list, and then click OK. This adds the Forefront Server Security Administrator to the Programs and Services list.
  - In the Programs and Services list, select the FSSAClient.
  - Click Add Port, enter a name for the port, enter 135 as the port number, and then select TCP as the protocol.
  - Click OK.

But the second one was not found anywhere. So I had to find it out myself and now want to share it with you. Besides creating a firewall exception on the client side, you need a matching rule on the server side. Here’s how you could create it.

    netsh advfirewall firewall add rule name="Forefront Server Security for Microsoft Exchange Controller Service" dir="in" action="allow" program="%ProgramFiles% (x86)\Microsoft Forefront Security\Exchange Server\FSCController.exe" description="For source info please read at http://pronichkin.com/blog/Lists/Posts/Post.aspx?ID=3" enable="yes" profile="domain" localip="any" remoteip="any" localport="RPC" remoteport="any" protocol="TCP" interfacetype="any" edge="no" security="notrequired"

The parameter in bold is the only one you actually need if you prefer to manage firewall rules using the GUI MMC (launched via wf.msc). And one more command-line trick. You can launch Forefront Server Security Administrator specifying the server you want to manage via the command line. Just run “FSSAClient.exe your-mail-server.domain.com”, where the latter is the actual FQDN of your server (or NetBIOS name if you prefer). A nice trick for creating desktop shortcuts :)
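The posts of 12/16, 12/14 and 12/2 above each name one built-in inbound rule to enable rather than switching Windows Firewall off, and the 11/3 post creates its server-side rule with netsh advfirewall. As an added example (my code, not from the posts), the following PowerShell script enables exactly those three built-in rules using the same netsh syntax, but restricts them to the domain profile and to the network your management workstation sits on, then reads the stored rule state back for verification. The rule names are the ones the posts quote; the address 10.0.0.0/24 is an assumed placeholder for your management network.

```powershell
# Added example: enable the posts' built-in remote-management rules, scoped to the
# management network instead of any source. Rule names are those quoted in the posts;
# $ManagementNetwork is an assumed placeholder.
$ManagementNetwork = '10.0.0.0/24'

$RemoteManagementRules = @(
    'Windows Management Instrumentation (WMI-In)',   # SQL Server Configuration Manager, GPMC RSoP
    'Remote Administration (NP-In)',                 # Computer Management over named pipes (TCP 445)
    'Remote Event Log Management (RPC)'              # Event Viewer (dynamic RPC port)
)

function Enable-RemoteManagementRule {
    param(
        [Parameter(Mandatory=$true)][string[]]$Name,
        [Parameter(Mandatory=$true)][string]$RemoteIP,
        [string]$Profile = 'domain'
    )
    foreach ($rule in $Name) {
        # 'set rule ... new ...' changes only the fields listed after 'new'; the rule
        # keeps its built-in program, service and port definition.
        $out = & netsh advfirewall firewall set rule "name=$rule" dir=in "profile=$Profile" new enable=yes "remoteip=$RemoteIP"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ("Could not enable '{0}': {1}" -f $rule, ($out -join ' '))
        } else {
            "Enabled '{0}' for {1} ({2} profile)" -f $rule, $RemoteIP, $Profile
        }
    }
}

function Get-RemoteManagementRuleState {
    # Read back what the firewall actually stored, so the change can be verified.
    param([Parameter(Mandatory=$true)][string[]]$Name)
    foreach ($rule in $Name) {
        & netsh advfirewall firewall show rule "name=$rule" |
            Where-Object { $_ -match '^(Rule Name|Enabled|Profiles|RemoteIP|LocalPort):' }
    }
}

Enable-RemoteManagementRule -Name $RemoteManagementRules -RemoteIP $ManagementNetwork
Get-RemoteManagementRuleState -Name $RemoteManagementRules
```

Run it in an elevated prompt on the computer being managed. The "(RPC)" rule covers only the dynamic port; the client first asks the RPC endpoint mapper on TCP 135, which has its own built-in rule in the same group, so if Event Viewer still reports that the RPC server is unavailable, add that rule to the list with the same scope.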
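Returning to the 12/2 post above: the same "grant on all GPOs" operation can be done without the GPMC sample script using the GroupPolicy PowerShell module, which arrived with Windows Server 2008 R2 and its RSAT (the post notes R2 was still to come). This is an added example of mine, not the post’s code. It assumes the GroupPolicy module is installed, that the service account is the ‘AGPM’ user from the post resolved in the current domain, and that the module’s GpoEditDeleteModifySecurity level is the equivalent of the script’s FullEdit. The check function lists any GPO where the grant is still missing, which also catches GPOs created after the first run.

```powershell
# Added example; not the post's script. Grants the AGPM service account full edit
# rights on every GPO with the GroupPolicy module, then verifies the result.
# Assumptions: GroupPolicy module present (Server 2008 R2 / RSAT or later); the
# account 'AGPM' resolves in the current domain; GpoEditDeleteModifySecurity is
# taken to be the module's equivalent of the sample script's FullEdit.
Import-Module GroupPolicy

$ServiceAccount = 'AGPM'
$Level          = 'GpoEditDeleteModifySecurity'

function Grant-GpoFullEditToAll {
    param(
        [Parameter(Mandatory=$true)][string]$Trustee,
        [string]$PermissionLevel = $Level
    )
    # -All applies to every GPO in the domain; without -Replace, existing ACEs stay.
    Set-GPPermission -All -TargetName $Trustee -TargetType User -PermissionLevel $PermissionLevel | Out-Null
}

function Get-GpoWithoutPermission {
    # Returns the display names of GPOs where the trustee still lacks the level.
    param(
        [Parameter(Mandatory=$true)][string]$Trustee,
        [string]$PermissionLevel = $Level
    )
    foreach ($gpo in Get-GPO -All) {
        # Get-GPPermission errors when the trustee has no entry at all; treat that as missing.
        $perm = Get-GPPermission -Guid $gpo.Id -TargetName $Trustee -TargetType User -ErrorAction SilentlyContinue
        if (-not $perm -or $perm.Permission -ne $PermissionLevel) { $gpo.DisplayName }
    }
}

Grant-GpoFullEditToAll -Trustee $ServiceAccount
$missing = @(Get-GpoWithoutPermission -Trustee $ServiceAccount)
if ($missing.Count -eq 0) {
    "All GPOs grant {0} to {1}" -f $Level, $ServiceAccount
} else {
    "Still missing on: {0}" -f ($missing -join ', ')
}
```

Run it as a user who already has rights to modify security on the GPOs (a Domain Admin or the GPO creator owner), since the grant itself is an ACL change on each policy object.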