Priveon Labs Security Blog

Microsoft has developed a web-based tool called "Exchange Server Deployment Assistant," which helps walk you through the Exchange upgrade or new implementation process for Exchange 2010.  You can find the tool here: http://technet.microsoft.com/en-us/exdeploy2010/default.aspx

It asks you a few simple questions about your existing environment, how your new environment will look, then creates a step by step checklist for you to go through while doing your Exchange installation.

A major concern for me when doing Exchange upgrades in the past has been: "Which tasks should I complete first, and in what order?" and "How will the completed steps affect the existing environment?"

I feel that this tool does a great job of prioritizing what needs to be completed first, outlining which steps to take, and giving referenced Technet documentation as to why, all along the way.

Overview

I recently worked with one of our customers on a project to migrate their Active Directory domain controllers running on Server 2003 to new servers running Server 2008 R2. Part of the project included changing clients to use the new servers as DNS servers. With a large server environment, having to manually change IP settings would be a very resource intensive effort and slow down the project considerably. That's when I decided that having BigFix do the work for me automatically would save time and help move the project along.

BigFix Task Info

The task I created is meant for Windows clients with static IP addresses only. I have tested with success using BigFix version 8 on Windows 2000, XP, Server 2003, Windows 7, Server 2008, and Server 2008 R2 but you should perform testing on your own environment before rolling this out in production. I will post the relevance and the action script so that all you need to do is copy and paste into your own custom task or fixlet (changing the IP's for your environment of course).

Relevance

The relevance is looking first for any Windows machine. You may want to change this if you have a version of Windows you do not wish to target with the task. The relevance then checks to make sure that the network adapter that it's about to check the settings on actually has an IP address. This weeds out bad information from the virtual adapters, WAN adapters, and other devices that show up in Windows as network cards but aren't actually used by the machine. The relevance also checks to make sure that the network adapter has a static IP address. Once it's gone through those checks it will see if any statically assigned adapter has an entry for your old DNS server IP addresses. You will need to change the IP addresses in the relevance I post to those of your own DNS servers that you are moving off of.

(name of operating system as lowercase starts with "win") AND ((not exists adapter whose (address of it != "0.0.0.0" AND dhcp enabled of it) of network) AND (exists addresses whose (it as string = "10.1.1.1") of dns servers of network OR exists addresses whose (it as string = "10.1.1.2") of dns servers of network))

Action

The action script is actually going to write out a vbscript to do the work for us. Using the "createfile" command, the script will write everything after that to a buffer and then write it to a file of our choosing. Pay attention to the line in the vbscript file where there are two "{" characters. This is because the "{" character has special meaning in BigFix action language so to actually have it written out to a file we just use two of them. The resulting vbscript file that is written to disk will be correct.

After the vbscript file is written to disk then the script writes a quick bat file and kicks off the vbscript which takes care of changing the DNS server IP settings on any network card that has IP enabled on the machine. Be sure and change the IP addresses in the action script to those of your new DNS servers.

//saves a vbscript to disk and then executes it
delete __createfile
delete __appendfile
//vbscript - line 11 has extra bracket because of BigFix action language, its an escape character
createfile until END_CREATE

On Error Resume Next

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
    & "{{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

Set colNetCards = objWMIService.ExecQuery _
    ("Select * From Win32_NetworkAdapterConfiguration Where IPEnabled = True")

For Each objNetCard in colNetCards
    arrDNSServers = Array("10.1.1.3", "10.1.1.4")
    objNetCard.SetDNSServerSearchOrder(arrDNSServers)
Next

END_CREATE
//end vbscript
move __createfile changedns.vbs

//create bat file to execute changes and call vbscript
appendfile cscript changedns.vbs
appendfile ipconfig /flushdns
move __appendfile changedns.bat
runhidden changedns.bat

Conclusion

You may need to edit the script for your purposes or create multiple instances of it based on how many DNS servers exist in different parts of your environment, but this should take a good deal out of the manual work involved in changing DNS server IP's. Thanks to BigFix we were able to make the change in a matter of minutes instead of taking hours and days.

In case you were out playing in the snow and missed the recent EOL/EOS announcements from Cisco relating to their NAC family of products, here's a brief round-up:

• Cisco announces the end-of-sale and end-of life dates for the Cisco NAC Profiler 33x0.

  • http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/end_of_life_c51-639783.html
  • Customers are encouraged to migrate to the Cisco NAC Profiler 33x5 products.

• Cisco announces the end-of-sale and end-of life dates for the Cisco NAC Appliance Software 4.6 and Earlier.

  • http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/end_of_life_c51-640625.html
  • Customers are encouraged to migrate to the Cisco NAC Appliance Software 4.8.

If you are effected by these recent announcements, please take the time to fully read the entire announcement to better understand Cisco's recommendations and support timelines.   For information and questions regarding Priveon's NAC support services, please contact us directly.

Cisco has announced the end-of-sale and end-of life dates for the Cisco Security Monitoring, Analysis, and Response System (Cisco MARS).   For detailed information about this announcement:

http//www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps6241/eol_c51-636888.html

For additional information and Priveon recommendations for migrating to the NitroSecurity solution, please contact us.

The Cisco AnyConnect Secure Mobility Client for iPhone iOS 4 is now available from the App store.

Features include:

• Automatically adapts its tunneling to the most efficient method possible based on network constraints using TLS and DTLS
• DTLS provides an optimized connection for TCP-based application access and latency-sensitive traffic, such as VoIP traffic
• Network roaming capability allows connectivity to resume seamlessly after IP address change, loss 2of connectivity, or device standby
• Wide Range of Authentication Options: RADIUS, RSA SecurID, Active Directory/Kerberos, Digital Certificates, LDAP, multifactor authentication
• Supports certificate deployment using Apple iOS and AnyConnect integrated SCEP
• Compatible with Apple iOS Connect On Demand VPN capability for automatic VPN connections when required by an application
• Policies can be preconfigured or configured locally, and can be automatically updated from the VPN headend
• Access to internal IPv4 and IPv6 network resources
• Administrator-controlled split / full tunneling network access policy