Channel: Butsch.ch

VMWARE/ESX: You can only manage virtual machine versions up to 9 in the regular console


 

VMWARE/ESX: You can only manage virtual machines with hardware version up to 9 in the regular console, so if there is no reason for it, choose version 9 instead of 10 even if you run ESX 5.5.

One reason to need version 10, for example, is that you need a SATA controller.

 

https://pubs.vmware.com/vsphere-55/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc%2FGUID-789C3913-1053-4850-A0F0-E29C3D32B6DA.html

 

 

 

http://blogs.vmware.com/vsphere/2014/09/using-vsphere-5-5u2-client-edit-settings-virtual-machines-version-10-higher.html

http://www.ivobeerens.nl/2013/10/01/watch-out-with-hardware-version-10-in-vmware-esxi-5-5/

 


Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches


Microsoft February 2016 Patchday, Upgrade to Windows 10 Patches

 

  • An RDP patch will reboot twice (this is normal)
  • DENY KB3114717 Office 2013: it makes WinWord 2013 slow (problem patch)
  • The Windows 10 update packages have now appeared in WSUS (W7 product)

     

     

These updates arrived at WSUS customers even when no W10 product was selected. They appear under the W7 product category.

Frontrange 2015.2.2: Existing SHOP policies on dynamic groups not visible


 

After migrating from an older Frontrange version, existing SHOP policies assigned to dynamic groups are not visible.

- We see the existing SHOP policies only on COMPUTER accounts

- Shop policies that we assigned to dynamic groups are not shown

- We also cannot select or display the SHOP Policy tab

On a group, the "Shop-Policy s" tab cannot be shown.

 

Workaround:

Show this column: right-click the tab header and choose the columns

ENG "Instance Creation Mode"

DEU " Instanz-Erstellungs-Modus"

 

 

Now you can see which policies were created in which way:

On demand = Shop Policy

Automatic = Software Policy

 

 

Thanks to Frank from NWC Services for the hint in the Enteo forum

 

Issue and Resolution #20445

20.02.16, Ransomware Locky Trojan, Germany high infection rates


 

The rate at which new ransomware is currently dropping in, and the fact that it is getting more aggressive, will turn IT security around completely in 2016.

People who refused to spend money on protection and new technology will suffer. CIOs/IT managers who are afraid of management will have to learn to stand up and defend their position.

 

Dridex: Tidal waves of spam, pushing dangerous financial Trojan, Dick O'Brien, February 16, 2016

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf

 

Locky Cryptlocker

https://medium.com/@networksecurity/locky-ransomware-virus-spreading-via-word-documents-51fcb75618d2#.a1el4mxd4

https://medium.com/@networksecurity/you-your-endpoints-and-the-locky-virus-b49ef8241bea#.cuh2e0i6m

 

Lock down Office against Locky with GPO

https://medium.com/@networksecurity/it-s-time-to-secure-microsoft-office-be50ec2797e3#.9rqk0ehho

Users will complain, but they will complain even more if it hits you.

http://www.heise.de/security/meldung/Krypto-Trojaner-Locky-wuetet-in-Deutschland-Ueber-5000-Infektionen-pro-Stunde-3111774.html

http://www.faz.net/aktuell/technik-motor/computer-internet/erpresser-virus-locky-verbreitet-sich-rasant-in-deutschland-14080201.html

http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Locky.A

 

Communication is via h00p://195.64.154.14/main.php

 

This threat can create files on your PC, including:

   

  • _Locky_recover_instructions.txt
  • _Locky_recover_instructions.bmp
  • %temp%\svchost.exe - locky ransomware
  • [ID][identifier].locky (encrypted files)

As part of its installation routine, it modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "id"
With data: "8C05983C8B06FC65" --> ID of the victim

In subkey: HKEY_CURRENT_USER\Software\Locky
Sets value: "pubkey"
With data: hex:06,02,00,00,00,a4,00,00,52,53,41,31,00,08,00… -->RSA public key
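Added example, not from the post: a PowerShell check for the indicators listed above on a single host (the HKCU\Software\Locky key with its "id" and "pubkey" values, the two ransom notes, ".locky" files and the svchost.exe copy in %temp%). The scan paths and the hit cap are assumptions.

```powershell
# Added example (not from the original post): look for the Locky indicators listed above on this host.
function Test-LockyIndicators {
    param(
        [string[]]$ScanPath = @($env:USERPROFILE, $env:TEMP),   # assumption: where notes/encrypted files are looked for
        [int]$MaxFiles = 50                                       # assumption: stop listing after this many file hits
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Registry marker: HKCU\Software\Locky with "id" (victim id) and "pubkey" (RSA public key blob)
    $key = 'HKCU:\Software\Locky'
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        $pubkeyLen = if ($props.pubkey) { $props.pubkey.Length } else { 0 }
        $findings.Add([pscustomobject]@{
            Type   = 'Registry'
            Item   = $key
            Detail = "id=$($props.id); pubkey=$pubkeyLen bytes"
        })
    }

    # 2. Ransom notes (fixed names) and encrypted files (extension .locky)
    $notes = '_Locky_recover_instructions.txt', '_Locky_recover_instructions.bmp'
    foreach ($root in $ScanPath) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.locky' -or $notes -contains $_.Name } |
            Select-Object -First $MaxFiles |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Type   = if ($_.Extension -eq '.locky') { 'EncryptedFile' } else { 'RansomNote' }
                    Item   = $_.FullName
                    Detail = "modified $($_.LastWriteTime)"
                })
            }
    }

    # 3. The dropper the post names: svchost.exe in %temp% (the legitimate one lives in %SystemRoot%\System32)
    $dropper = Join-Path $env:TEMP 'svchost.exe'
    if (Test-Path $dropper) {
        $hash = (Get-FileHash -Path $dropper -Algorithm SHA256).Hash
        $findings.Add([pscustomobject]@{ Type = 'Dropper'; Item = $dropper; Detail = "SHA256 $hash" })
    }
    return $findings
}

$hits = Test-LockyIndicators
if ($hits.Count -eq 0) { 'No Locky indicators found on this host' } else { $hits | Format-Table -AutoSize }
```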

It encrypts files with the following extensions:

.123, .602, .3dm, .3ds, .3g2, .3gp, .7z, .aes, .ARC, .asc, .asf, .asm, .asp, .avi, .bak, .bat, .bmp, .brd, .c, .cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .CSV, .db, .dbf, .dch, .dif, .dip, .djv,
.djvu, .DOC, .docb, .docm, .docx, .DOT, .dotm, .dotx, .fla, .flv, .frm, .gif, .gpg, .gz, .h, .hwp, .ibd, .jar, .java, .jpeg, .jpg, .js, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb, .mdf, .mid, .mkv,
.mml, .mov, .mp3, .mp4, .mpeg, .mpg, .ms11, .ms11 (Security copy), .MYD, .MYI, .NEF, .odb, .odg, .odp, .ods, .odt, .otg, .otp, .ots, .ott, .p12, .PAQ, .pas, .pdf, .pem, .php, .pl, .png, .pot, .potm, .potx, .ppam, .pps,
.ppsm, .ppsx, .PPT, .pptm, .pptx, .psd, .qcow2, .rar, .raw, .rb, .RTF, .sch, .sh, .sldm, .sldx, .slk, .sql, .SQLITE3, .SQLITEDB, .stc, .std, .sti, .stw, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw, .tar, .tar.bz2, .tbk,
.tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vdi, .vmdk, .vmx, .vob, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc, .xlm, .XLS, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .zip, wallet.dat

 

Mcafee EPO: Error after TIE integration on EPO 5.3 in VSE Report



The error you see under the VSE TIE (Threat Intelligence Exchange) report:

ERROR:

Error Message: The CUBE() and ROLLUP() grouping constructs are not allowed in the current compatibility mode. They are only allowed in 100 mode or higher.

 

 

SQL Server error 10708:

The CUBE () and ROLLUP() grouping constructs are not allowed in the current compatibility mode. They are only allowed in 100 mode or higher.

You cannot use CUBE () and ROLLUP () in 90 compatibility mode. Use WITH CUBE, WITH ROLLUP, or GROUPING SETS syntax.

https://technet.microsoft.com/en-us/library/bb510454(v=sql.105).aspx

 

The report in which this happens:

 

Our SQL Express was running 10.50.2500.0

 

https://kc.mcafee.com/corporate/index?page=content&id=KB76739

Under "Checks" there is a hint.

Sadly, the upgrade check tool they wrote specifically to make sure things like this do not happen does not check that point!

Ensure the Compatibility level is set to 100 or higher for the ePO database

  1. Click Start > Programs > Microsoft SQL Server > SQL Server Management Studio.
  2. Right-click the ePO database and select Properties.
  3. Click Options and ensure Compatibility level is set to 100 rather than 80 or 90. If it is not, select 100 from the Compatibility level drop-down list and click OK.

Solution:

  • Take a VMware snapshot
  • Take a McAfee ePO snapshot
  • Export the DB to a file with SQL Management Studio Express
  • Take down all McAfee services

Then change the compatibility mode from 90 to 100

 

Restart EPO Server
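Added example, not McAfee's or the post's own code: the same compatibility-level change done from PowerShell with System.Data.SqlClient (present on any ePO server, no SQL module needed). It only reports unless -Apply is given; run it after the precautions above (snapshots, DB export, McAfee services stopped). The instance and database names are placeholders.

```powershell
# Added example (not McAfee's code): report, and with -Apply raise, the compatibility level of the ePO database.
function Set-EpoCompatibilityLevel {
    param(
        [string]$Instance = '.\SQLEXPRESS',      # placeholder: the SQL instance hosting ePO
        [string]$Database = 'ePO_SERVERNAME',    # placeholder: the ePO database name
        [int]$Target = 100,                      # 100 = SQL Server 2008 level, the minimum for CUBE()/ROLLUP()
        [switch]$Apply                           # without -Apply nothing is changed
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=master;Integrated Security=True"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT compatibility_level FROM sys.databases WHERE name = @db'
        [void]$cmd.Parameters.AddWithValue('@db', $Database)
        $before = $cmd.ExecuteScalar()
        if ($null -eq $before) { throw "database '$Database' not found on $Instance" }
        $before = [int]$before
        $changed = $false
        if ($before -lt $Target -and $Apply) {
            # the database name is bracket-quoted with ']' doubled, so it cannot break out of the identifier
            $cmd.Parameters.Clear()
            $cmd.CommandText = "ALTER DATABASE [$($Database -replace '\]', ']]')] SET COMPATIBILITY_LEVEL = $Target"
            [void]$cmd.ExecuteNonQuery()
            $changed = $true
        }
        [pscustomobject]@{ Database = $Database; Before = $before; Target = $Target; Changed = $changed }
    } finally { $conn.Close() }
}

Set-EpoCompatibilityLevel            # report only: shows the current level (80/90/100)
# Set-EpoCompatibilityLevel -Apply   # change it, then restart the McAfee services / ePO server
```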

 

Enteo/Frontrange: IP helper, DHCP relay, client + server in different VLANs



Starting point: a single Enteo server at the headquarters plus clients in other VLAN segments.

Enteo server: 10.10.20.3

Windows DHCP server: 10.10.20.2

Clients: other VLANs


Three important points so that it works again with 6.X/2012:

a) At the front, on e.g. the Windows 2000/2003 DHCP server: no option 60, no boot server, delete everything OLD from 3.2X!
b) At the back, the Enteo proxy delivers all of this (there is a proxy**.exe on the CD, then you will see it)
c) On every switch with VLANs, one IP helper entry per VLAN in addition to the existing one, for DHCP relay across the VLANs

Question: how does this work with two DHCP servers?

1) The client sends a broadcast; the IP helpers forward it to the VLANs or remote sites
2) Both DHCP servers (the Server 2003 and the Enteo proxy DHCP) answer
3) The Server 2003 answers with a valid IP field x.x.x.x, the Enteo proxy DHCP always with the IP field "0.0.0.0"
4) Per the RFC, the client thus knows that the answer with "0.0.0.0" is not a real address assignment (advanced)
5) The client takes the IP from the 2003 server and the advanced attributes from the proxy out of the "0.0.0.0" packet

Here is a good document from HP that shows and explains quite a bit in this direction.
http://h40060.www4.hp.com/procurve/u...dhcp_relay.pdf
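Added example, not from the post or from Enteo: two constructed DHCPOFFER packets (the Windows DHCP server 10.10.20.2 with a real lease, the Enteo proxy DHCP 10.10.20.3 with yiaddr 0.0.0.0, both relayed by the VLAN 30 ip helper, giaddr 10.10.30.1) and the client-side selection described in steps 4 and 5. The offered address 10.10.30.50, the boot file name and the use of options 60/66/67 as the proxy's "advanced attributes" are assumptions.

```powershell
# Added example (not from the original post): build, parse and merge the two offers a PXE client receives.
$Ascii = [System.Text.Encoding]::ASCII

function ConvertTo-IpBytes([string]$Ip) { [byte[]][System.Net.IPAddress]::Parse($Ip).GetAddressBytes() }

function New-DhcpOffer {
    param([string]$ServerIp, [string]$OfferedIp, [string]$RelayIp, [hashtable]$Options)
    $hdr = New-Object byte[] 236                                    # fixed BOOTP header
    $hdr[0] = 2; $hdr[1] = 1; $hdr[2] = 6                           # op=BOOTREPLY, htype=Ethernet, hlen=6
    [Array]::Copy([byte[]]@(0x39, 0x03, 0xF3, 0x26), 0, $hdr, 4, 4) # xid (constructed value)
    $hdr[10] = 0x80                                                 # flags: broadcast bit as set by the client
    [Array]::Copy([byte[]](ConvertTo-IpBytes $OfferedIp), 0, $hdr, 16, 4)  # yiaddr: lease, or 0.0.0.0 for proxyDHCP
    [Array]::Copy([byte[]](ConvertTo-IpBytes $ServerIp),  0, $hdr, 20, 4)  # siaddr: next server (TFTP) for PXE
    [Array]::Copy([byte[]](ConvertTo-IpBytes $RelayIp),   0, $hdr, 24, 4)  # giaddr: filled in by the switch ip helper
    $opts = [System.Collections.Generic.List[byte]]::new()
    $opts.AddRange([byte[]]@(0x63, 0x82, 0x53, 0x63))               # DHCP magic cookie
    foreach ($code in $Options.Keys) {
        $value = [byte[]]$Options[$code]
        $opts.Add([byte]$code); $opts.Add([byte]$value.Length); $opts.AddRange($value)
    }
    $opts.Add([byte]255)                                            # end option
    return [byte[]]($hdr + $opts.ToArray())
}

function Read-DhcpOffer([byte[]]$Packet) {
    if (($Packet[236..239] -join ',') -ne '99,130,83,99') { throw 'not a DHCP packet (magic cookie missing)' }
    $options = @{}
    $i = 240
    while ($i -lt $Packet.Length -and $Packet[$i] -ne 255) {
        if ($Packet[$i] -eq 0) { $i++; continue }                   # pad option
        $len = [int]$Packet[$i + 1]
        $options[[int]$Packet[$i]] = if ($len -gt 0) { [byte[]]$Packet[($i + 2)..($i + 1 + $len)] } else { [byte[]]@() }
        $i += 2 + $len
    }
    [pscustomobject]@{
        YourIp     = $Packet[16..19] -join '.'
        NextServer = $Packet[20..23] -join '.'
        Relay      = $Packet[24..27] -join '.'
        Options    = $options
    }
}

function Select-PxeConfiguration([object[]]$Offers) {
    # Steps 4/5 of the post: yiaddr 0.0.0.0 marks the proxyDHCP answer, which carries no lease
    $lease = $Offers | Where-Object { $_.YourIp -ne '0.0.0.0' } | Select-Object -First 1
    $proxy = $Offers | Where-Object {
        $_.YourIp -eq '0.0.0.0' -and $_.Options.ContainsKey(60) -and
        $Ascii.GetString($_.Options[60]).StartsWith('PXEClient') } | Select-Object -First 1
    if (-not $lease) { throw 'no lease offered: the Windows DHCP server did not answer (ip helper for 10.10.20.2 missing?)' }
    if (-not $proxy) { throw 'no proxyDHCP offer: the Enteo proxy did not answer (ip helper for 10.10.20.3 missing?)' }
    [pscustomobject]@{
        ClientIp   = $lease.YourIp                     # address from the real DHCP server
        SubnetMask = $lease.Options[1] -join '.'
        Router     = $lease.Options[3] -join '.'
        LeaseFrom  = $lease.Options[54] -join '.'
        BootServer = $proxy.NextServer                 # siaddr of the 0.0.0.0 offer
        BootFile   = $Ascii.GetString($proxy.Options[67])
        RelayedBy  = $lease.Relay                      # giaddr: the VLAN interface with the ip helper
    }
}

# Constructed offers as they arrive in VLAN 30 after relay
$windowsOffer = New-DhcpOffer -ServerIp '10.10.20.2' -OfferedIp '10.10.30.50' -RelayIp '10.10.30.1' -Options @{
    53 = [byte[]]@(2)                                  # DHCPOFFER
    1  = ConvertTo-IpBytes '255.255.255.0'             # subnet mask
    3  = ConvertTo-IpBytes '10.10.30.1'                # router
    54 = ConvertTo-IpBytes '10.10.20.2'                # server identifier
}
$proxyOffer = New-DhcpOffer -ServerIp '10.10.20.3' -OfferedIp '0.0.0.0' -RelayIp '10.10.30.1' -Options @{
    53 = [byte[]]@(2)
    54 = ConvertTo-IpBytes '10.10.20.3'
    60 = $Ascii.GetBytes('PXEClient')                  # marks this as the PXE/proxyDHCP answer
    66 = $Ascii.GetBytes('10.10.20.3')                 # TFTP server name (assumption)
    67 = $Ascii.GetBytes('boot\example.bin')           # boot file name (placeholder)
}
Select-PxeConfiguration @((Read-DhcpOffer $windowsOffer), (Read-DhcpOffer $proxyOffer))
```

Dropping either ip helper-address line from the switch config below makes the corresponding throw fire, which is the symptom you see on the client as "no IP" or "no boot server".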



HP ProCurve Switch 5304XL>enable
HP ProCurve Switch 5304XL# config term
HP ProCurve Switch 5304XL(config)# ip routing
HP ProCurve Switch 5304XL(config)# vlan 20
HP ProCurve Switch 5304XL(vlan-20)# untagged b3,b4
HP ProCurve Switch 5304XL(vlan-20)# ip address 10.10.20.1/24
HP ProCurve Switch 5304XL(vlan-20)# vlan 30
HP ProCurve Switch 5304XL(vlan-30)# untagged a1
HP ProCurve Switch 5304XL(vlan-30)# ip address 10.10.30.1/24
HP ProCurve Switch 5304XL(vlan-30)# ip helper-address 10.10.20.2
HP ProCurve Switch 5304XL(vlan-30)# ip helper-address 10.10.20.3
HP ProCurve Switch 5304XL(vlan-30)# vlan 40
HP ProCurve Switch 5304XL(vlan-40)# untagged c1
HP ProCurve Switch 5304XL(vlan-40)# ip address 10.10.40.1/24
HP ProCurve Switch 5304XL(vlan-40)# ip helper-address 10.10.20.2
HP ProCurve Switch 5304XL(vlan-40)# ip helper-address 10.10.20.3
HP ProCurve Switch 5304XL(vlan-40)#

HP switches

http://www.hp.com/rnd/support/config_examples/5300xl_dhcp_relay.pdf

Dell switches

http://www.dell.com/downloads/global/power/ps2q04-028.pdf

Netgear

http://www.downloads.netgear.com/docs/m4100/enu/202-11161-01/cli.pdf

PXE

http://www.1e.com/blogs/2014/09/29/osd-pxe-ip-helpers-dhcp-options-isnt-there-a-better-way/

http://henkhoogendoorn.blogspot.ch/2014/03/pxe-boot-files-in-remoteinstall-folder.html

MCAFEE: VirusScan VSE 8.8 PATCH 7 (8.8.0.1528) out


8.8.0.1528 seems available on EPO Software Manager but no public info.

https://kc.mcafee.com/corporate/index?page=content&id=PD26382&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=de_DE

  • APP-V 5.0 problem solved
  • No info on whether the DLP 9.3 problems some customers have with VSE 8.8 P6 are solved

     

Solves the OAS (on-access scanner) display bug: OAS was running but the Security Center displayed a warning.

Windows Security Center and Action Center no longer erroneously report OAS being disabled after system restart on systems with long boot times.

"Problem – Scannen bei Zugriff deaktiviert"

Support for Windows 10 Update 1

 

This release adds support for VirusScan Enterprise on Windows 10 Update 1.

 

File inventory

 

Component Version

  • VirusScan Enterprise 8.8.0.1528
  • VSCore 15.4.0.649
  • SYSCore 15.4.0.811
  • Management extension 880.448
  • Reporting extension 120.272

 

WSUS: Setup WSUS 2012 R2 stalls when SSL / 443 is inspected by Web Filter



 

When you finish the WSUS server installation you get an error:

Error:

Windows Server Update Services Configuration Wizard

Synchronization Error Details

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Solution:

Make a new firewall policy, depending on your firewall/IPS/web filter, which opens port 443 to *.microsoft.com and does NOT inspect/break/deep-inspect the SSL traffic.

 

 

 

How to check if someone breaks SSL from the endpoint you are on

On the machine where you install WSUS, open https://www.microsoft.com and check the certificate.

If the issuer shows a local domain CA, or any certificate other than the one actually issued to the site, then the company breaks the SSL traffic on the server where you install WSUS.

Ask the security engineer to make a new firewall rule from that server IP to *.microsoft.com port 443 and DON'T break SSL in that rule.
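Added example, not from the post: the manual browser check above as a PowerShell function to run on the WSUS server. It opens a TLS connection to www.microsoft.com, reports who issued the certificate that actually arrived and validates the chain against the local trust store. The issuer hints are an assumption; replace them with the issuer the same site shows from an uninspected connection.

```powershell
# Added example (not from the original post): detect SSL inspection between this server and www.microsoft.com.
function Test-SslInterception {
    param(
        [string]$HostName = 'www.microsoft.com',
        [int]$Port = 443,
        [string[]]$ExpectedIssuerHints = @('Microsoft', 'DigiCert')   # assumption: adjust to what an uninspected connection shows
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate only so that we can look at it; no request is sent on this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Independent check against the machine trust store: an inspecting proxy CA that this server does not trust
    # is exactly what produces "Could not establish trust relationship for the SSL/TLS secure channel" in the wizard.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainTrusted = $chain.Build($cert)
    $issuerExpected = [bool]($ExpectedIssuerHints | Where-Object { $cert.Issuer -like "*$_*" })

    [pscustomobject]@{
        Host         = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        ChainTrusted = $chainTrusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Intercepted  = -not $issuerExpected   # issuer is a local domain CA or another unexpected party
    }
}

Test-SslInterception | Format-List
```

Intercepted = True together with ChainTrusted = False is the WSUS wizard failure case; Intercepted = True with ChainTrusted = True means the proxy CA is in the server's trust store and WSUS would sync, but through an inspected channel.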

 

 


Ransomware: versions that spread in networks and attack locked files from SQL servers are coming up


Ransomware in Switzerland: Locky, CryptoLocker, what will come next, and what if they spread within the LAN and attack SQL/Exchange and backup files/dumps?

 

MAR/2016: Several Swiss companies, including government bodies and hospitals/healthcare, have been hit by ransomware in the last few weeks. This ranges from KMU (SMB) to enterprise. At least people are beginning to think about security in a new way again.

The ransomware wave will also wipe out smaller AV/security firms because they do not supply the full range of systems and appliances customers need to solve the current problem. Price and budget suddenly no longer matter and more expensive appliances come into play.

Either you move to enterprise security or you turn off the Internet. If you follow neither path you will sooner or later lose data, because Murphy's law will make sure that incremental backup job X-1 did not run on the day X you catch the next ransomware.

 

What is the problem, or what is new, if I just restore the files and all seems fine? As CIO, our IT budget leaves me no other option.

The latest McAfee blog shows a direction we are afraid of; if you are not, you may need to investigate and read further, or you have a very optimistic view.

Attackers are beginning to go after SQL dumps, SQL files and, for example, Veeam files as well.

 

In short, all files that are important and locked. With some OS exploit leaks or tools like Mimikatz an attacker may reach domain admin or service account credentials, and that is where the fun begins and enterprises jump around in panic. (https://adsecurity.org/?p=2362)

To profit from ransomware, attackers will start taking down database servers or Exchange servers with smaller databases, such as public folders, so they can encrypt those.

Often those have their own backup solution, like replicas in SQL or a DAG with local storage in Exchange. The whole Veeam and B2D-only revolution gives us another headache in that direction.

Even when you use separate credentials for NAS/SAN/CIFS, how safe are those and where are they stored?

 

http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf?_ga=1.79183124.1498563295.1454508809

Sample code from the McAfee analysis with the SQL parts:

After the ransomware and key have been distributed to the victim's machines, sqlsrvtmg1.exe and the batch file re1.bat are also distributed.

 

re1.bat:

@echo off
for /f "delims=" %%a in (list.txt) do ps -s \\%%a cmd.exe /c if exist C:\windows\sqlsrvtmg1.exe start /b C:\windows\sqlsrvtmg1.exe
pause

 

Filename: Sqlsrvtmg1.exe

MD5: 5cde5adbc47fa8b414cdce72b48fa783

 

The main function of the file "sqlsrvtmg1.exe" is to search for locked files, especially backup related files.

 

 

Global enterprise solution?

 

Here is how McAfee tries to solve it:

EXAMPLE: A new file Germany.exe comes into the enterprise (via an installation through Windows Installer, on a USB stick, through a ClickOnce installer, through e-mail, through web download).

  • If it comes through e-mail or the web filter, the McAfee appliances are connected to the sandbox and to TIE, so the info from the clients is also known to the external filters. All info about all files is in the ePO server.
  • *1) That is one of the KEY points, because there are better or EQUAL web filters and spam filters (like Fortigate FortiMail) or the IPS from Fortigate. But then you do not have that info connected to the McAfee server.

The next point would be the W7/W10 client:

  1. VSE = virus protection on the client with regular patterns and heuristics. The TIE agent will also scan the file.
  2. TIE = software agent and Linux appliance which does intelligent black- and whitelisting of executables based on cloud hashes plus info from VirusScan.

If it is still unclear what the file does, it will be analysed in the ATD sandbox:

  1. ATD = appliance sandbox which automatically opens the file on an emulated W7/W10 client with Office. Roughly: take a snapshot, open the file, check it, reset the snapshot.
  2. (HIPS) = if the HIPS (Host IPS) client is installed on the client, it monitors the behaviour of the file AFTER it has gotten the green light from the above.

*1) Separate manufacturers

In the past, separating manufacturers in security was sometimes a good thing. Then you had several suppliers and the ITIL risk analysis looked better.

With ransomware the time has come where you have to watch a file coming in through all endpoints and all ways.

We will have to tie the endpoints on laptops, desktops and VDI together with the NG firewall, web filters and spam filters into one part.

The solution would be to buy everything from one producer that has it all in its portfolio. Since Intel bought McAfee and this will go into chips, for me the producer is clear.

If ransomware/malware comes to TPM/CPU/NIC/chipset, Intel-McAfee will be the company that can solve it.

 

McAfee TIE module in the McAfee ePO server, screenshot:

Information on how the software rated the executables: Is it new? Where did it run? Was it there before with another MD5? Etc.

Trust based on certificates and files:

Rate/scan files based on VirusTotal info with just one mouse click:

 


 

 

SQL: Build Numbers and Express Limitations GB, Core, RAM > 2008R2-upwards


SQL: Build Numbers and Express Limitations GB, Core, RAM

http://sqlserverbuilds.blogspot.ch/

http://social.technet.microsoft.com/wiki/contents/articles/10790.sql-server-and-updates-builds-numbers.aspx

 

 

Columns: RTM (Gold, no SP), SP1, SP2, SP3, SP4 (the second form in parentheses or after "or" is the alternate notation):

SQL Server 2016 (codename ?): RC0

SQL Server 2014 (codename Hekaton, SQL14): RTM 12.0.2000.8 (12.00.2000.8); SP1 12.0.4100.1 or 12.1.4100.1

SQL Server 2012 (codename Denali): RTM 11.0.2100.60 (11.00.2100.60); SP1 11.0.3000.0 or 11.1.3000.0; SP2 11.0.5058.0 or 11.2.5058.0; SP3 11.0.6020.0 or 11.3.6020.0

SQL Server 2008 R2 (codename Kilimanjaro): RTM 10.50.1600.1; SP1 10.50.2500.0 or 10.51.2500.0; SP2 10.50.4000.0 or 10.52.4000.0; SP3 10.50.6000.34 or 10.53.6000.34

SQL Server 2008 (codename Katmai): RTM 10.0.1600.22 (10.00.1600.22); SP1 10.0.2531.0 (10.00.2531.0) or 10.1.2531.0; SP2 10.0.4000.0 (10.00.4000.0) or 10.2.4000.0; SP3 10.0.5500.0 (10.00.5500.0) or 10.3.5500.0; SP4 10.0.6000.29 (10.00.6000.29) or 10.4.6000.29

SQL Server 2005 (codename Yukon): RTM 9.0.1399.06 (9.00.1399.06); SP1 9.0.2047 (9.00.2047); SP2 9.0.3042 (9.00.3042); SP3 9.0.4035 (9.00.4035); SP4 9.0.5000 (9.00.5000)

SQL Server 2000 (codename Shiloh): RTM 8.0.194 (8.00.194); SP1 8.0.384 (8.00.384); SP2 8.0.532 (8.00.532); SP3 8.0.760 (8.00.760); SP4 8.0.2039 (8.00.2039)

SQL Server 7.0 (codename Sphinx)

 

Limitations of the SQL Express versions:

Extract from:

http://social.technet.microsoft.com/wiki/contents/articles/10790.sql-server-and-updates-builds-numbers.aspx

SQL Server 2008 R2 (product name: build number, date, KB)

SQL Server 2008 R2 RTM: 10.50.1600.1

For more information: The SQL Server 2008 R2 builds that were released after SQL Server 2008 R2 was released

SQL Server 2008 R2 Service Pack 1 (product name: build number, date, KB)

SQL Server 2008 R2 Service Pack 1: 10.50.2500.0, 07/11/2011, KB2528583
Cumulative update package 1 for SQL Server 2008 R2 Service Pack 1: 10.50.2500.0, 08/18/2011, KB2544793
Cumulative update package 2 for SQL Server 2008 R2 Service Pack 1: 10.50.2769.0, 09/15/2011, KB2567714
Cumulative update package 3 for SQL Server 2008 R2 Service Pack 1: 10.50.2772.0, 10/17/2011, KB2591748
Cumulative update package 4 for SQL Server 2008 R2 Service Pack 1: 10.50.2789.0, 12/19/2011, KB2633146
Cumulative update package 5 for SQL Server 2008 R2 Service Pack 1: 10.50.2796.0, 02/20/2012, KB2659694
Cumulative update package 6 for SQL Server 2008 R2 Service Pack 1: 10.50.2806.0, 04/16/2012, KB2679367

For more information: The SQL Server 2008 R2 builds that were released after SQL Server 2008 R2 Service Pack 1 was released

SQL Server 2008 R2 Service Pack 2 (product name: build number, date, KB)

SQL Server 2008 R2 Service Pack 2 Community Technology Preview: 10.50.3720.0, (no date given), KB2630455

For more information: The SQL Server 2008 R2 builds that were released after SQL Server 2008 R2 Service Pack 2 was released

SQL Server 2012 (product name: build number, date, KB)

SQL Server 2012 RTM: 11.0.2100.60
Cumulative update package 1 for SQL Server 2012: 11.0.2316.0, 04/20/2012, KB2679368
Cumulative update package 2 for SQL Server 2012: 11.0.2325.0, 06/18/2012, KB2703275
Cumulative update package 3 for SQL Server 2012: 11.0.2332.0, 08/31/2012, KB2723749
Cumulative update package 4 for SQL Server 2012: 11.0.2383.0, 10/15/2012, KB2758687

For more information: The SQL Server 2012 builds that were released after SQL Server 2012 was released

SQL Server 2012 Service Pack 1 (product name: build number, date, KB)

SQL Server 2012 Service Pack 1: 11.0.3000.00, 08/11/2012, KB2674319

Ransomware/Germany/Switzerland healthcare: the German federal government warns and reacts


 

https://www.bsi.bund.de/DE/Themen/Industrie_KRITIS/Empfehlungen/KRITIS/empfehlungen_kritis_node.html

 

IT security incidents impair the functioning of critical infrastructures

Place: Bonn, date: 08.03.2016

In connection with the IT security incidents in hospitals, the Federal Office for Information Security (BSI) once again points out the risks posed by encryption trojans (ransomware). Operators of critical infrastructures in particular must, given the importance of their services to society, come to terms with the threat potential of cyber attacks.

BSI President Arne Schönbohm comments: "The IT security incidents caused by ransomware in recent weeks show how dependent our society is on information technology and what effects a cyber attack can have on the availability of critical infrastructures. Hospitals, because of their outstanding importance for the well-being of the population, are an important part of the critical infrastructures. They therefore have a special obligation to ensure the availability of their services. To live up to this, hospitals should know the potential risks to the functioning of their processes and counter them with suitable measures of prevention, detection and response. The IT Security Act, which came into force in July 2015, obliges operators of critical infrastructures to maintain a minimum level of IT security and to secure their IT systems according to the state of the art."

Cyber attacks will remain a threat in the future that business, government and society must prepare for. Besides prevention, an organisation's risk management should also include preparing for the case that an IT security incident occurs or a cyber attack succeeds. For this, structures must be created, responsibilities assigned and the processes for handling an incident rehearsed. A professional response to an incident can effectively reduce consequential damage. With the "Risikoanalyse Krankenhaus-IT" (risk analysis for hospital IT), the BSI shows how the IT dependencies of critical processes in hospitals can be analysed. The publication is available for free download on the BSI website.

 

Current blog entry:

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-networks-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

WSUS: Integrate OS 2012 R2 in a WSUS server on 2008/2008 R2


How to integrate 2012 R2 into a WSUS running on an older server OS version.

Install this hotfix on Server 2012 R2 so that you see "Windows 10" instead of "Vista" and "Server 2012 R2" instead of "Windows 6.3":

  1. https://support.microsoft.com/en-us/kb/2919355
  2. https://support.microsoft.com/de-de/kb/3095113

Hotfix WIN10 Integration WSUS

This hotfix enables Windows Server Update Services (WSUS) on a Windows Server 2012-based or a Windows Server 2012 R2-based server to sync and distribute feature upgrades for Windows 10. This hotfix is not required to enable WSUS to sync and distribute servicing updates for Windows 10.

Important This update must be installed before you sync the upgrades classification. If the update is not installed when the upgrades classification is enabled, WSUS will see the Windows 10 build 1511 feature upgrade even if it can't properly download and deploy the associated packages. If you try to sync any upgrades without having first installed KB 3095113, you will populate the SUSDB with unusable data that must be cleared before upgrades can be properly distributed.  This situation is recoverable but the process is nontrivial and can be avoided altogether if you make sure to install the update before enabling sync of upgrades.  If you have encountered this issue, refer to the following article:

 

 

Install these two hotfixes on 2008 R2 (one needs a reboot):

https://support.microsoft.com/de-de/kb/2720211

https://support.microsoft.com/de-de/kb/2720211#/de-de/kb/2720211

https://support.microsoft.com/de-de/kb/2734608

http://www.microsoft.com/en-us/download/details.aspx?id=30747

  • Follow the further process in the KB to replace the string "Windows 6.3" in SQL with the other value
  • IF you synced W8/W10/2012R2 BEFORE you installed the patches ON the WSUS server, you may need to follow the procedure mentioned to get them IN SYNC again (also see post number three below)

http://www.butsch.ch/post/WSUS-Windows-Update-Server-Most-common-Problems-FAQ.aspx

http://www.butsch.ch/post/WSUS-Windows-Update-Client-Agent-Commandline-wuaucltexe.aspx

http://www.butsch.ch/post/WSUS-SRV-2008-R2-Code-8007EE2.aspx

 

 

 

 

 

Ransomware Switzerland: McAfee TIE Threat Intelligence Exchange in use


Ransomware Switzerland (Schweiz, Suisse): solutions.

Intelligent "black/white-listing" technology such as McAfee TIE is currently the only solution, apart from ATD sandboxes, to get ransomware/extortion trojans under control (http://www.mcafee.com/de/products/threat-intelligence-exchange.aspx). Everything else is tinkering, and you only chase the problems instead of solving them.

 

 

The proof of concept is meant to show how McAfee TIE detects unknown files, and to show that directories we exclude in the VSE 8.X anti-virus module are not touched by TIE either. These exclusions ALSO apply to the TIE module.

Proof of concept with a test file that we modify

 

We take an executable, e.g. Superscan.exe, and open it in order to modify it.

 

We change a few irrelevant things in the EXE with a hex editor and save it under the new name TIE_superscan.exe (hex editor e.g. http://hxd-hex-editor.soft32.com). Simply change the text part "not be run in DOS".

 

The software superscan.exe is not present in McAfee TIE (even though Foundstone was bought by McAfee/Intel ;-). About 75-80% of all binaries are present in the GTI/TIE database, though (average Windows 7 64-bit client with about 80 applications, Switzerland).

 

Test client (virtual): exclusions in VSE (regular anti-virus)

The folder c:\Geheim_geheim is excluded because otherwise e.g. the Internet Explorer IEAK9/11 setups, but also other software, cause problems during setup. Drivers for installing the OS itself are also kept there. This folder is not scanned because the files there are 100% trustworthy. Users have no write permission there.

 

 

Not visible in McAfee TIE because it is in c:\geheim_geheim

McAfee update > force sending the info to ePO

 

Copy the file to c:\temp and run it

Directory not excluded in VSE > therefore TIE scans as well

 

Alarm on the client and the file is blocked on op ening.

 

 

Immediately visible in McAfee ePO TIE, even WITHOUT forcing the framework agent

 

New file, unknown, rating 50 > THEREFORE blocked

 

The other values used to classify the reputation have not been determined yet. Since it is an installer, it is also weighted differently.

GTI (McAfee P2P/cloud database) does not know the file yet:

 

 

 

Adjusting the reputation

 

We adjust the reputation of the file because we know this file and have scanned it with the VIRUSTOTAL.COM plugin in TIE. This can be done automatically with a click on a button!

 

After changing the reputation from "Unknown" to "File Known Trusted", PLUS renaming the EXE (TIE_superscan.exe to superscan.exe), the file runs. For TIE to classify the binary intelligently, it has to be present in the company for a longer time and in several versions, OR the TIE/GTI cloud knows it.

 

 

Display in the McAfee ePO console (Enforcement Events)

 

McAfee ePO console, DASHBOARD

 

More links from us:

http://www.butsch.ch/post/RansomwareDeutschlandSchweiz-Healthcare-Deutscher-Bund-warnt-und-reagiert.aspx

http://www.butsch.ch/post/Ransomware-Versions-who-spread-in-network-and-attack-locked-files-from-SQL-Servers-coming-up.aspx

 

Exchange 2010, 2008R2, Event 106 MSExchange Common


Problem: Exchange 2010, 2008R2, Event 106 MSExchange Common

Solution: Reload the correct performance counter file in Powershell

Event 106, MSExchange Common

Performance counter updating error. Counter name is Base for Average Number of Mailboxes Processed per Request, category name is MSExchange Availability Service. Optional code: 1. Exception: The exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.

at System.Diagnostics.PerformanceCounter.Initialize()

at System.Diagnostics.PerformanceCounter.IncrementBy(Int64 value)

at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.IncrementBy(Int64 incrementValue)

Last worker process info : System.UnauthorizedAccessException: Access to the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\Transport' is denied.

at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)

at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck, RegistrySecurity registrySecurity)

at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()

Processes running while Performance counter failed to update:

2164 MSExchangeMailSubmission

 

Locate the "D:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf" path.

Open the Exchange PowerShell:

Add-pssnapin Microsoft.Exchange.Management.PowerShell.Setup

D:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\RpcClientAccessPerformanceCounters.ini

 

 

[PS] C:\ >Add-pssnapin Microsoft.Exchange.Management.PowerShell.Setup

[PS] C:\ >New-perfcounters -definitionfilename "D:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\RpcClientAccessPerformanceCounters.xml"

[PS] C:\ >

 

Event 1000, Source LOADPERF > OK

Performance counters for the MSExchange RpcClientAccess (MSExchange RpcClientAccess) service were loaded successfully. The Record Data in the data section contains the new index values assigned to this service.

 

If this does not fix it, register all counter definitions in the folder. The list below comes from an installation on C:; correct the path to your installation (D: in the example above) before you run it.

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Setup

New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\AdminAuditPerfCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\ResourceHealthPerformanceCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\ThrottlingPerformanceCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\MiddleTierStoragePerformanceCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\IsMemberOfResolverPerfCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\ADRecipientCachePerformanceCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\RpcClientAccessPerformanceCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\ExchangeTopologyPerformanceCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\ExSearchPerformanceCounters.xml"
New-PerfCounters -DefinitionFileName "C:\Program Files\Microsoft\Exchange Server\V14\Setup\Perf\ExSearchCatalogPerformanceCounters.xml"
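The same re-registration as one script, with the verification steps the post describes (LoadPerf event 1000, counter set visible afterwards). This is an added example, not code from the original post. It assumes Exchange 2010 (the v14 registry key), that every *.xml directly under Setup\Perf is a counter definition, and that it runs elevated inside the Exchange Management Shell.

```powershell
# Added example, not from the original post: register every counter definition
# under <ExchangeInstall>\Setup\Perf, then verify in the Application log and
# with Get-Counter. Assumptions: Exchange 2010 (v14), every *.xml in that
# folder is a counter definition, run elevated in the Exchange Management Shell.

# Resolve the install path from the registry instead of hard-coding C: or D:
$setupKey   = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14\Setup'
$installDir = (Get-ItemProperty -Path $setupKey -Name MsiInstallPath).MsiInstallPath
$perfDir    = Join-Path $installDir 'Setup\Perf'

# New-PerfCounters lives in the Setup snap-in, which EMS does not load by default
if (-not (Get-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Setup -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Setup
}

$start   = Get-Date
$results = foreach ($xml in Get-ChildItem -Path $perfDir -Filter '*.xml') {
    try {
        New-PerfCounters -DefinitionFileName $xml.FullName -ErrorAction Stop
        New-Object PSObject -Property @{ File = $xml.Name; Registered = $true;  Error = '' }
    } catch {
        # Typical cause in this post: the counter registry key cannot be created (permissions)
        New-Object PSObject -Property @{ File = $xml.Name; Registered = $false; Error = $_.Exception.Message }
    }
}
$results | Format-Table File, Registered, Error -AutoSize

# Every counter set that loaded produces LoadPerf event 1000; anything else is a failure
Get-EventLog -LogName Application -Source LoadPerf -After $start |
    Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(90, $_.Message.Length)) } } -AutoSize

# Final check: the counter set named in the event is now visible to Perfmon
function Test-CounterSetRegistered {
    param([string[]]$SetName)
    foreach ($n in $SetName) {
        $ok = $null -ne (Get-Counter -ListSet $n -ErrorAction SilentlyContinue)
        New-Object PSObject -Property @{ CounterSet = $n; Registered = $ok }
    }
}
Test-CounterSetRegistered 'MSExchange RpcClientAccess'
```

If a file fails with the registry error quoted at the top of this post, fix the permissions on the Performance subkey of that service first and run the script again; the re-index of the databases is not needed for a registration problem.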

 

The worst case in terms of risk, if none of this solves it, is that you have to re-index the Exchange databases.

I would wait with that UNTIL you have checked all permissions and counters and verified that they are registered correctly.

https://social.technet.microsoft.com/Forums/exchange/en-US/5d56b384-2071-49ad-a74f-b76ca8615b94/exchange-2010-msexchange-common-error-106-performance-counter-updating-error?forum=exchangesvrgenerallegacy

https://social.technet.microsoft.com/Forums/exchange/en-US/079598ef-08fe-49b6-af5f-8920d8b34a39/msexchange-common-error?forum=exchange2010

Here is the official link for the re-index (last option, if it still fails all of the time):

https://technet.microsoft.com/en-us/library/aa995966.aspx

Exchange Netvault/Netapp: Failed backup leftover Snapshots

  • Dell Netvault Backup Agent 9.2.0.17
  • SME for Exchange 6.1
  • Netapp Snapdrive 7.0.2.6322

After a failed NetVault backup you are left with a symbolic link on every drive, or an old NvbuShadowCopy directory, on the LUNs that NetVault backs up.

Solution 1a)

Remove the stuck leftover drives of the failed backup in the NetApp plugin.

Solution 1b)

Remove the exposed shadow copy by hand. In cmd.exe:

Diskshadow

List shadows all

Search for the entry that is exposed as the leftover folder, for example "E:\NvbuShadowCopy_2052", and note its shadow copy ID:

* Shadow copy ID = {e08f4105-1d42-4d53-afdd-838247c03529}   <No Alias>
    - Shadow copy set: {e9f98574-49b1-4df1-bcb9-67d5c485764a}   <No Alias>
    - Original count of shadow copies = 4
    - Original volume name: \\?\Volume{b304d909-0cc1-11e4-b5ec-0050568121c3}\ [E:\]
    - Creation time: 30.11.2015 12:34:36
    - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    - Originating machine: server12.customer.ch
    - Service machine: server12.customer.ch
    - Exposed locally as: E:\NvbuShadowCopy_2052\
    - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
    - Attributes: No_Auto_Release Persistent Differential

Delete it (make sure no NetVault job is currently using it):

Delete shadows id {e08f4105-1d42-4d53-afdd-838247c03529}
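The manual search through the diskshadow listing becomes tedious with more than one leftover, so here is the same procedure as an added example (not code from the original post): parse the output of "list shadows all", keep only the shadow copies that are exposed as an NvbuShadowCopy_ folder, and generate the diskshadow script that deletes exactly those. The sample listing is constructed from the entry above plus one invented, non-exposed shadow so the filter has something to reject; the marker string and the script path are assumptions.

```powershell
# Added example, not from the original post. Parses "diskshadow list shadows all"
# output, returns the shadow copies NetVault left exposed as <drive>:\NvbuShadowCopy_<n>\
# and writes a diskshadow script that removes them.

function Get-StuckNvbuShadow {
    param([string[]]$DiskshadowOutput, [string]$Marker = 'NvbuShadowCopy_')
    $current = $null
    foreach ($line in $DiskshadowOutput) {
        # Every shadow copy block starts with "* Shadow copy ID = {guid}"
        if ($line -match '^\s*\*\s*Shadow copy ID\s*=\s*(\{[0-9a-f\-]+\})') {
            if ($current -and $current.ExposedAs -like "*$Marker*") { $current }
            $current = New-Object PSObject -Property @{ Id = $matches[1]; ExposedAs = ''; Volume = ''; Created = '' }
            continue
        }
        if (-not $current) { continue }
        if     ($line -match 'Exposed locally as:\s*(\S+)')         { $current.ExposedAs = $matches[1] }
        elseif ($line -match 'Original volume name:.*\[(\S+)\]')    { $current.Volume    = $matches[1] }
        elseif ($line -match 'Creation time:\s*(.+)$')              { $current.Created   = $matches[1].Trim() }
    }
    # flush the last block
    if ($current -and $current.ExposedAs -like "*$Marker*") { $current }
}

function New-DiskshadowDeleteScript {
    param([object[]]$Shadows, [string]$Path)
    $lines = @('# generated: remove leftover NetVault shadow copies')
    foreach ($s in $Shadows) { $lines += "delete shadows id $($s.Id)" }
    $lines += 'exit'
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $Path
}

# Constructed sample: the entry from this post (lines unwrapped) plus an invented
# shadow that is NOT exposed and therefore must not end up in the delete script.
$sample = @'
* Shadow copy ID = {e08f4105-1d42-4d53-afdd-838247c03529}   <No Alias>
    - Shadow copy set: {e9f98574-49b1-4df1-bcb9-67d5c485764a}   <No Alias>
    - Original count of shadow copies = 4
    - Original volume name: \\?\Volume{b304d909-0cc1-11e4-b5ec-0050568121c3}\ [E:\]
    - Creation time: 30.11.2015 12:34:36
    - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    - Originating machine: server12.customer.ch
    - Service machine: server12.customer.ch
    - Exposed locally as: E:\NvbuShadowCopy_2052\
    - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
    - Attributes: No_Auto_Release Persistent Differential
* Shadow copy ID = {11111111-2222-3333-4444-555555555555}   <No Alias>
    - Original volume name: \\?\Volume{b304d909-0cc1-11e4-b5ec-0050568121c3}\ [E:\]
    - Creation time: 01.12.2015 22:00:00
    - Not exposed
    - Attributes: No_Auto_Release Persistent Differential
'@ -split "`r?`n"

# On the real server feed it live output instead, e.g. from a script file that
# contains "list shadows all":  $sample = & diskshadow.exe -s C:\temp\list.dsh
$stuck = @(Get-StuckNvbuShadow -DiskshadowOutput $sample)
$stuck | Format-Table Id, ExposedAs, Volume, Created -AutoSize

if ($stuck.Count -gt 0) {
    $script = New-DiskshadowDeleteScript -Shadows $stuck -Path (Join-Path $env:TEMP 'delete-nvbu-shadows.dsh')
    Get-Content $script      # review first, then run elevated:  diskshadow.exe -s $script
}
```

The script deliberately only writes the delete commands and does not execute them: check that no NetVault job is running against those LUNs before you run diskshadow with the generated file.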

 

https://support.software.dell.com/netvault-backup/kb/92760


Mcafee Endpoint 10 / VSE 10 Preview points

Post Patchday: Bitlocker Patch KB 3133977 W7, (ONLY FIPS MODE) + VM KB3137061


A few interim/post-Patchday patches from Microsoft that appeared in WSUS (May 2016):

  • BitLocker patch for W7/2008 R2 in WSUS, post interim Patchday March 2016 (affects FIPS mode only)
  • VM SCSI disk patch from Microsoft

https://www.microsoft.com/en-us/download/details.aspx?id=51581&WT.mc_id=rss_windows_7

https://support.microsoft.com/en-us/kb/3133977

This article describes an issue in which BitLocker can't encrypt the drive and the service crashes in Windows 7 Service Pack 1 (SP1) or Windows Server 2008 R2 SP1. An update is available to fix this issue. Before you install this update, see the Prerequisites section.

Symptoms

 

This issue occurs after you install update 2990184 ("A FIPS-compliant recovery password cannot be saved to AD DS for BitLocker in Windows 7 or Windows Server 2008 R2") and have Federal Information Processing Standard (FIPS) mode enabled.

 

 

https://support.microsoft.com/en-us/kb/3137061

This article describes an issue in which Windows Azure virtual machines (VMs) don't recover from a network outage and data corruption occurs in Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 7 Service Pack 1 (SP1), or Windows Server 2008 R2 SP1. Before you install this update, see the Prerequisites section.

Cause

This issue occurs because the SCSI synchronize cache command fails, and the command result isn't checked when VMs handle the FLUSH request.

Note VMs disks should check the result of the synchronize cache command.
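Before approving the two updates in WSUS it helps to know which machines actually match the conditions in the KB articles. The check below is an added example, not part of the original post: it reads the FIPS policy switch from the registry (the value behind the "System cryptography: Use FIPS compliant algorithms" security setting) and looks up the three KB numbers with Get-HotFix. The "looks like a VM" heuristic on the hardware model is an assumption and only a hint.

```powershell
# Added example, not from the original post: does this W7 / 2008 R2 host match the
# preconditions of KB3133977 (FIPS on + KB2990184 installed) and is KB3137061 present?
function Test-PostPatchdayState {
    # FIPS mode lives here on Vista and later; the key may be absent on a fresh host
    $fipsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fipsEnabled = $false
    if (Test-Path $fipsKey) {
        $fipsEnabled = ((Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled -eq 1)
    }

    # Get-HotFix only returns the IDs that are installed; missing ones are just absent
    $installed = @(Get-HotFix -Id KB2990184, KB3133977, KB3137061 -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.HotFixID })

    # Heuristic (assumption): Hyper-V/Azure guests report a model containing "Virtual"
    $model = (Get-WmiObject -Class Win32_ComputerSystem).Model

    New-Object PSObject -Property @{
        Computer            = $env:COMPUTERNAME
        FipsEnabled         = $fipsEnabled
        KB2990184_Installed = ($installed -contains 'KB2990184')
        KB3133977_Installed = ($installed -contains 'KB3133977')
        KB3137061_Installed = ($installed -contains 'KB3137061')
        # Only this combination hits the BitLocker crash described in KB3133977
        BitLockerFixNeeded  = ($fipsEnabled -and ($installed -contains 'KB2990184') -and -not ($installed -contains 'KB3133977'))
        LooksLikeVm         = [bool]($model -match 'Virtual')
    }
}

Test-PostPatchdayState | Format-List
```

Run it through your management tooling (for example Invoke-Command over a list of servers) and approve KB3133977 only where BitLockerFixNeeded is true; hosts without FIPS mode do not need it.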

 

 

Mcafee/TIE: Definition 424 solves c:\Windows\assembly false/Positive detection


http://www.mcafee.com/us/resources/release-notes/threat-intelligence-exchange/tie-03-14-2016.pdf

https://community.mcafee.com/thread/88126

https://community.mcafee.com/thread/88837

 

The false positives on c:\Windows\assembly\NativeImages* seem to be solved by definition update 424. The files there are .NET Framework native images: assemblies that the framework compiles on the machine itself at first use, so their hashes are unique to that machine and have never been seen on any other host, which is exactly what a prevalence-based reputation check flags.

We have only seen that before on Exchange CAS servers: the first user who logs on to OWA after an MSP patch hits that compile delay once. We had up to 6'000 files per W7 client flagged before that update, during the March 2016 Patchday.

 

   

Rule 139 - Identify trusted DOT Net assemblies

Description: This rule detects files that have CLR code (DOT Net) and have been installed into the global assembly cache folders. The files are present on multiple machines within the enterprise, indicating they are not just-in-time compiled assemblies.

Default State: Mandatory

Changes in this release: Changed how age and prevalence are handled in DOT Net validation algorithm.

Also there is a heavy update for ransomware detection:

Rule 240 - Identify suspicious files with characteristics that have been predominantly seen in Ransomware

Description: Identify suspicious files with characteristics that have been predominantly seen in ransomware, are in uncommonly used locations and less than 7 days old.

Default State: Evaluate

Exchange 2010. Unable to open console GUI or PS error 1000 requests


 

Error:

The Exchange Management Console (EMC) or the Exchange Management Shell (EMS) fails with "system load quota of 1000 requests per 2 seconds". Two typical symptoms:

  1. You open the Exchange Management Shell and it connects to another server (a CAS or another mailbox server), not the local one.
  2. You open the EMC and cannot connect to / expand the on-premise organization.

Error: MTA reports error "system load quota of 1000 requests per 2 seconds has been exceeded"

Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. The system load quota of 1000 requests per 2 seconds has been exceeded. Send future requests at a slower rate or raise the system quota. The next request from this user will not be approved for at least 1812767488 milliseconds. For more information, see the about_Remote_Troubleshooting Help topic.

+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportException
+ FullyQualifiedErrorId : PSSessionOpenFailed

Event ID 32784:

Source: Microsoft-Windows-PowerShell
Event ID: 32784
Computer: exch-cas121-switzerland-admin
Description:

WSMan reported an error with error code: -2144108120.

Error message: Connecting to remote server failed with the following error message : The WS-Management service cannot process the request. The system load quota of 1000 requests per 2 seconds has been exceeded. Send future requests at a slower rate or raise the system quota. The next request from this user will not be approved for at least 1795919616 milliseconds. For more information, see the about_Remote_Troubleshooting

(1795919616 milliseconds is roughly three weeks; this is not a throttle you can wait out, the state has to be reset as described below.)

 

Workaround:

Administer from another Exchange server (CAS, mailbox server or a management server with the Exchange tools installed) until the affected server is fixed.

Quick fix:

Open the IIS console (inetmgr), go to "Application Pools", select

MSExchangePowerShellAppPool

and click "Recycle" in the Actions pane on the right side.

Then re-open the Exchange GUI.

If this does not solve it, open an elevated cmd.exe and run:

iisreset /noforce

Re-open the Exchange GUI.

If this does not help, run:

iisreset

If this does not help either, restart the server that logs the error.

 

Reason:

Possibly a third-party tool such as an e-mail archive (Symantec Enterprise Vault?) or an external BlackBerry server (anything that pulls e-mail from Exchange) that modifies the throttling policy. We however compared a running customer to a non-running one and did not see any difference in the values of

Get-ThrottlingPolicy

or

Get-ThrottlingPolicy | fl PowerShellMaxConcurrency

One candidate value is PowerShellMaxConcurrency. We see a value of 18 in Exchange 2010 SP3; some sources describe a value of 5 (maybe earlier Exchange 2010 builds or RTM; the Dell KB does so). This value is mentioned in several KB articles, BUT we can't confirm that it is the source, because all our larger customers have the value 18 there. Only the Backup Exec throttling policy has a value of $null, i.e. an unlimited number of shells.

 

DefaultThrottlingPolicy Throttling Policy

AnonymousMaxConcurrency : 1
AnonymousPercentTimeInAD :
AnonymousPercentTimeInCAS :
AnonymousPercentTimeInMailboxRPC :
IMAPMaxConcurrency :
IMAPPercentTimeInAD :
IMAPPercentTimeInCAS :
IMAPPercentTimeInMailboxRPC :
OWAMaxConcurrency : 5
OWAPercentTimeInAD : 30
OWAPercentTimeInCAS : 150
OWAPercentTimeInMailboxRPC : 150
PowerShellMaxConcurrency : 18
PowerShellMaxTenantConcurrency :
PowerShellMaxCmdlets :
PowerShellMaxCmdletsTimePeriod :
ExchangeMaxCmdlets :
PowerShellMaxCmdletQueueDepth :
PowerShellMaxDestructiveCmdlets :
PowerShellMaxDestructiveCmdletsTimePeriod :
RCAMaxConcurrency : 20
RCAPercentTimeInAD : 5
RCAPercentTimeInCAS : 205
RCAPercentTimeInMailboxRPC : 200
CPAMaxConcurrency : 20
CPAPercentTimeInCAS : 205
CPAPercentTimeInMailboxRPC : 200
MessageRateLimit :
RecipientRateLimit :
ForwardeeLimit :
CPUStartPercent : 75
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)

EnterpriseVault Throttling Policy

AnonymousMaxConcurrency : 1
AnonymousPercentTimeInAD :
AnonymousPercentTimeInCAS :
AnonymousPercentTimeInMailboxRPC :
EWSMaxConcurrency : 10
EWSPercentTimeInAD : 50
EWSPercentTimeInCAS : 90
EWSPercentTimeInMailboxRPC : 60
EWSMaxSubscriptions : 5000
EWSFastSearchTimeoutInSeconds : 60
EWSFindCountLimit : 1000
IMAPMaxConcurrency :
IMAPPercentTimeInAD :
IMAPPercentTimeInCAS :
IMAPPercentTimeInMailboxRPC :
OWAMaxConcurrency : 5
OWAPercentTimeInAD : 30
OWAPercentTimeInCAS : 150
OWAPercentTimeInMailboxRPC : 150
PowerShellMaxConcurrency : 18
PowerShellMaxTenantConcurrency :
PowerShellMaxCmdlets :
PowerShellMaxCmdletsTimePeriod :
ExchangeMaxCmdlets :
PowerShellMaxCmdletQueueDepth :
PowerShellMaxDestructiveCmdlets :
PowerShellMaxDestructiveCmdletsTimePeriod :
RCAMaxConcurrency :
RCAPercentTimeInAD :
RCAPercentTimeInCAS :
RCAPercentTimeInMailboxRPC :
CPAMaxConcurrency : 20
CPAPercentTimeInCAS : 205
CPAPercentTimeInMailboxRPC : 200
MessageRateLimit :
RecipientRateLimit :
ForwardeeLimit :
CPUStartPercent : 75
AdminDisplayName :

SymantecEWSRestoreThrottlingPolicy is unlimited:

The throttling policy that Symantec Backup Exec creates has PowerShellMaxConcurrency = $null, i.e. an unlimited number of PowerShell sessions.

 

You should also check the WinRM (WS-Management) winrs quotas:

winrm get winrm/config/winrs

Change them with:

winrm set winrm/config/winrs @{MaxShellsPerUser="25"}
winrm set winrm/config/winrs @{MaxConcurrentUsers="25"}

Change the throttling policy in PowerShell. Note that piping Get-ThrottlingPolicy into Set-ThrottlingPolicy changes every policy in the organization, including the vendor-specific ones shown above; use -Identity if you only want to touch one of them:

Get-ThrottlingPolicy | Set-ThrottlingPolicy -PowerShellMaxConcurrency 25
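The escalation above (recycle the pool, iisreset /noforce, iisreset) as one script that tests after every step whether a local Exchange remote session can be opened again, followed by a scoped look at the PowerShell limits of every policy. This is an added example, not code from the original post. It has to run in a plain elevated PowerShell on the affected server, not in the Exchange Management Shell, because the EMS session is exactly the thing that is failing. The application pool name and the /PowerShell connection URI are the standard Exchange 2010 ones; the 10-second pause and the policy name filter are assumptions.

```powershell
# Added example, not from the original post: reset the stuck Exchange remote
# PowerShell endpoint step by step and verify after each step. Run elevated in a
# normal PowerShell window on the affected Exchange 2010 server.
Import-Module WebAdministration   # IIS 7.x cmdlets (Restart-WebAppPool)

function Test-ExchangeRemotePowerShell {
    # Opens and immediately closes the same kind of session EMC/EMS use.
    # Returns $true when /PowerShell accepts a session, $false on the quota error.
    param([string]$Server = $env:COMPUTERNAME)
    try {
        $s = New-PSSession -ConfigurationName Microsoft.Exchange `
                           -ConnectionUri "http://$Server/PowerShell/" `
                           -Authentication Kerberos -ErrorAction Stop
        Remove-PSSession $s
        return $true
    } catch {
        Write-Warning $_.Exception.Message
        return $false
    }
}

function Repair-ExchangePowerShellQuota {
    param([string]$Server = $env:COMPUTERNAME)

    # Record the WinRS quotas the post tells you to look at, before changing anything
    & winrm get winrm/config/winrs

    # Step 1: recycle only the Exchange PowerShell pool (no impact on OWA/EWS/ActiveSync)
    Restart-WebAppPool -Name 'MSExchangePowerShellAppPool'
    Start-Sleep -Seconds 10
    if (Test-ExchangeRemotePowerShell -Server $Server) { return 'fixed by app pool recycle' }

    # Step 2: graceful IIS restart, waits for in-flight requests
    & iisreset /noforce
    if (Test-ExchangeRemotePowerShell -Server $Server) { return 'fixed by iisreset /noforce' }

    # Step 3: hard IIS restart
    & iisreset
    if (Test-ExchangeRemotePowerShell -Server $Server) { return 'fixed by iisreset' }

    return 'still failing: check event 32784 and consider a reboot'
}

Repair-ExchangePowerShellQuota

# Once a session works again, look at the PowerShell limits of ALL policies, not
# only the default one: vendor policies with $null (= unlimited) show up here.
$s = New-PSSession -ConfigurationName Microsoft.Exchange `
                   -ConnectionUri "http://$env:COMPUTERNAME/PowerShell/" -Authentication Kerberos
Invoke-Command -Session $s -ScriptBlock {
    Get-ThrottlingPolicy |
        Select-Object Name, PowerShellMaxConcurrency, PowerShellMaxCmdlets, PowerShellMaxCmdletsTimePeriod |
        Format-Table -AutoSize
}
# Scoped change instead of "Get-ThrottlingPolicy | Set-ThrottlingPolicy": only the
# default policy (name filter is an assumption, check it against the output above).
# Invoke-Command -Session $s -ScriptBlock {
#     Get-ThrottlingPolicy | Where-Object { $_.Name -like 'DefaultThrottlingPolicy*' } |
#         Set-ThrottlingPolicy -PowerShellMaxConcurrency 25
# }
Remove-PSSession $s
```

The test function is deliberately cheap (one session open/close) so it does not add to the request count of an endpoint that is already over quota.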

Please also see:

http://www.butsch.ch/post/Exchange-Error-you-get-while-you-open-the-EMC-GUI-Console.aspx

 

 

 

 

 

 

 

Exchange 2007 > 2013 Transition/Migration, POPUP on Outlook 2010 or Public Folder can’t be open from 2007


 

Error 1: When you click a public folder that lives on Exchange 2007 in Outlook.exe:

"Cannot expand the folder. Microsoft Exchange is not available. Either there are network problems or the Exchange server is down for maintenance."

An HTTP status 401 is logged in the IIS log file on the 2007 side (see below).

Error 2: Even if you have selected the option not to download other resources or public folders, you receive constant "Windows Security" authentication popups asking for username and password. Outlook.exe shows "Need Password" at some point, even if you chose "Remember my credentials".

Quick reason:

You have to change the authentication for "Outlook Anywhere" on the old 2007 side to NTLM.

The general reason is that Exchange 2013 works OVER "Outlook Anywhere" all the time and proxies requests for mailboxes and public folders that are still on 2007 to the 2007 CAS over the same protocol. For that to work, "Outlook Anywhere" has to be enabled on the old Exchange 2007 as well. Warning: enabling it takes 10 to 60 minutes to become effective, depending on your Exchange 2007. Read and search more if it is not enabled on the old Exchange 2007 and you want to do that while the old 2007 is productive. Most blogs don't mention that; most of them do 2007>2010>2013 and some 2007>2013 direct, but they all assume you already have "Outlook Anywhere" on 2007 before you begin the swing transition (migration).

Explained:

Exchange 2007 and 2013 coexistence:

  • Exchange 2013 runs with Outlook Anywhere
  • If you already have Outlook Anywhere on 2007, change a) the authentication and b) the internal and external URL so that they differ from the ones on 2013
  • The "Outlook Anywhere" authentication settings on both sides have to be the same, for example "NTLM" only.

The setup in this case:

  • An existing, running Exchange 2007 and a fresh 2013 setup
  • Exchange 2013 is ready and ALL virtual directories were changed in PowerShell
  • The SAN/UC certificate with a) the old Exchange name (for example old.company.ch), autodiscover.company.ch and newserver.company.ch is ordered, imported and activated
  • Just ONE user was moved from 2007 > 2013, the rest of them are still on the 2007 side
  • Autodiscover is set up correctly in DNS, also the old name (important: it can be any name, some use the term "legacy" but it does not have to be legacy.customer.ch) and the new name for the new Exchange 2013.

 

 

Check the IIS log files on the Exchange 2007 under:

C:\inetpub\logs\LogFiles\W3SVC1\*.*

Search for the string "/rpc/rpcproxy.dll".

This is the health check the Exchange 2013 does against the 2007 CAS (the user agent HttpProxy.ClientAccessServer2010Ping gives it away). The 401 means the 2007 side rejects the authentication the 2013 offers:

RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0

Control the settings on the Exchange 2007:

Get-OutlookAnywhere -Server "servername2007" | fl Identity, IISAuthenticationMethods

Set-OutlookAnywhere -Identity "servername2007\Rpc (Default Web Site)" -IISAuthenticationMethods Ntlm

Or in the GUI on the Exchange 2007.

Do an IISRESET.

If that does not work, also recycle the application pools and reboot the 2007:

Open the IIS console, go to "Application Pools" and click "Recycle" in the Actions pane on the right side for every pool from "DefaultAppPool" down to "MSExchangeSyncAppPool".

After the change the IIS log file should show the ping with status 500 instead of 401:

2016-04-26 14:20:35 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 500 0 64 45021
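Grepping the W3C log by hand works for one server, but the flip from 401 to 500 is easier to see per proxying 2013 server and per status. The function below is an added example, not code from the original post: it parses the IIS log with its own #Fields header, keeps only the HttpProxy.ClientAccessServer2010Ping hits on /rpc/rpcproxy.dll and summarises them. The sample lines are constructed from the two entries quoted above (plus an unrelated OWA line that must be ignored) and use the default IIS 7 W3C field list; the server name in the commented Get-/Set-OutlookAnywhere calls is the placeholder from the post.

```powershell
# Added example, not from the original post: summarise the Exchange 2013 health-check
# hits on the Exchange 2007 CAS per source IP and HTTP status.
function Get-RpcProxyPingSummary {
    param([string[]]$LogLines)
    $fields = $null
    $hits = foreach ($line in $LogLines) {
        # The #Fields: header defines the column order; everything else starting with # is a comment
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $cols = $line -split ' '
        if ($cols.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['cs-uri-stem'] -eq '/rpc/rpcproxy.dll' -and
            $row['cs(User-Agent)'] -like 'HttpProxy.ClientAccessServer2010Ping*') {
            New-Object PSObject -Property @{
                Time   = $row['date'] + ' ' + $row['time']
                From   = $row['c-ip']
                Method = $row['cs-method']
                Status = [int]$row['sc-status']
            }
        }
    }
    $hits | Group-Object From, Status | ForEach-Object {
        New-Object PSObject -Property @{
            From   = $_.Group[0].From
            Status = $_.Group[0].Status
            Count  = $_.Count
            Last   = ($_.Group | Select-Object -Last 1).Time
        }
    } | Sort-Object From, Status
}

# Constructed sample: default IIS 7 field layout, the two pings from this post
# (one before, one after the NTLM change) and one OWA request that must be ignored.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-04-26 14:05:11 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0
2016-04-26 14:05:11 192.168.20.13 RPC_OUT_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 401 2 5 0
2016-04-26 14:20:35 192.168.20.13 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 192.168.20.198 HttpProxy.ClientAccessServer2010Ping 500 0 64 45021
2016-04-26 14:20:36 192.168.20.13 GET /owa/ - 443 - 192.168.20.50 Mozilla/5.0 200 0 0 15
'@ -split "`r?`n"

Get-RpcProxyPingSummary -LogLines $sampleLog | Format-Table From, Status, Count, Last -AutoSize

# On the 2007 CAS run it over today's log instead:
#   Get-RpcProxyPingSummary -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex160426.log')

# The fix itself, in the Exchange 2007 Management Shell (server name from the post):
#   Get-OutlookAnywhere -Server 'servername2007' | fl Identity, IISAuthenticationMethods, ClientAuthenticationMethod
#   Set-OutlookAnywhere -Identity 'servername2007\Rpc (Default Web Site)' -IISAuthenticationMethods Ntlm
#   iisreset
```

Against the sample the summary shows two 401 hits and one 500 hit from 192.168.20.198; once the pings from every 2013 CAS show only 500, the 2007 side accepts the proxied authentication and the public folder error in Outlook disappears.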

 

Change on the client side

If the account is still on 2007 and uses ONLY Outlook Anywhere, you then have to change the Outlook Anywhere settings in outlook.exe on each client that is a laptop or workgroup machine, i.e. not domain joined. If Autodiscover and the EXPR record are correct this is applied automatically.

 

 

 
