Tuesday, April 20, 2010

Systems Center Operations Manager R2 CU1 Issues and command line update

Just a quick one on our recent opsmgr R2 CU1 update. 

Kevin Holman has a good post about his experiences.  Start here.  I would add the below

1.  The gateway update does not copy the update msp to the agentmanagement folder.  Due to this, when I approved updates for agents on the other side of a gateway, they did not get the update.  You could fix this by copying the files from your gateway server before you approve your pending agent updates.  Copy the files at c:\Program Files\System Center 2007 R2 Hotfix Utility\KB974144\agent to the appropriate directory under c:\Program Files\System Center Operations Manager 2007\AgentManagement.  Make sure you copy the x86 update to the x86 folder.  x64 goes in AMD64 and ia64 goes in ia64.

2.  Only remotely managed agents will offer an update.  In my case, my only agents that were manually installed were due to troubleshooting or other issues.  Another solution from Kevin Holman shows how to reset your agents to be remotely managed.  Pay attention to the whole post to make sure it is right for you.

3.  If you didn’t realize your gateways were not updated (like me) or put in the wrong password for one of your domains, you may need to update manually.  You can go on each server and run the installer and then choose install agent but that seemed annoying.  You can do it from the server over the network w/:

"\\GATEWAYSERVER\c$\Program Files\System Center 2007 R2 Hotfix Utility\KB974144\SetupUpdateOM.exe" /silent /x86msp:KB974144-x86.msp /amd64msp:KB974144-x64.msp /UpdateAgent

4.  or you can do what I did and psexec it w/:

psexec -u DOMAIN\user "\\comp1,comp2,compN" cmd /c "\\GATEWAYSERVER\c$\Program Files\System Center 2007 R2 Hotfix Utility\KB974144\SetupUpdateOM.exe" /silent /x86msp:KB974144-x86.msp /amd64msp:KB974144-x64.msp /UpdateAgent

Note that you need to pass the user to psexec (which will query for a password) so you can access network resources.  Also note that I needed to enclose my computer list in “ to get it to pass correctly.  YMMV.

Also note that this will not work w/ 2k8+ clients as UAC gets in the way.  You could add –s to the the psexec line but then you would need a file share that the machine accounts could get at.  You could also probably do a small script that did a net use and then accessed the files.  I cheesed out and logged on directly as I only had a few that needed to be done manually. 

Good luck.

Thursday, April 15, 2010

How does windows determine a cipher strength for an encrypted connection OR SQL Server data in transit cipher strength

This question is really just “how does windows determine a cipher strength for an encrypted connection” as SQL server just hands off to the windows schannel.dll to deal w/ this. But I was looking to determine the answer for SQL Data in transit encryption.

This was pretty muddy to track down. There are some reference details here, here and here.

At the end of the day, it comes down to an OS version question (potentially influenced by some OS/registry settings or patches). I couldn’t find any matrix anywhere so I am going to start one here. I am going to start out w/ the few I tested and hopefully fill this in w/ reader submissions (hint, hint).  The guidance I can find seems to say that Win 2k8R2 and Win 7 have the same schannel capabilities so I am going to list them together. 

Client\Server Windows 2008 R2 Windows 2003 SP2 Windows 2000 SP4
How to use this table: Find the client OS listed vertically down the left side and then find the server OS listed horizontally across the top.  Where the row and column meet is your the cipher which, under the default settings, they should negotiate to use. More on the ciphers here.

How did we determine this? The only way I was able to find was to sniff the beginning of the SSL conversation. Netmon 3.3 is an excellent tool for this.  Note that you may need to set your Windows parsers from stub to full in order to decrypt the TDS packets.  You can do this in Tools -> options -> Parser. Set Windows to ‘Full’


Start your trace before you start your encrypted connection. I like netmon b/c it will separate the network traffic into conversations. Find the conversation you are looking for by IP and port. For my purposes I was looking for my web server IP and my DB IP going to port 1433 on my DB.

Once you have found your conversation, you are going to want to find the SSL conversation. In netmon, it will look like this:

What happens here, generally, is that the client offers a list of supported ciphers in the SSL: Client Hello. In netmon, you can see this by selecting that packet as I have done above. In the ‘Frame details’ pane, you can expand ssl: Client Hello.–> TlsRecordLayer: –> SSLHandshake –> Client Hello:.  You should see a list of CipherSuites listed in order of preference.  See the bottom of the picture below.

The server will respond with cipher it wants.  You can see this in the (likely) next packet under ssl –> TlsRecofdLayer-> SSLHandshake –> ServerHello –> CipherSuite.  In this case, both client and server are running Win 2k8 r2.

As you can see, between Win 2k8r2 and Win 2k8r2 we attain TLS_RSA_WITH_AES_128_CBC_SHA.
There are several methods to influence the SSL Handshake.  The links above will be useful in starting that journey.

One note on AES-128 cipher strength.  For a measure of scale, a computer with a billion processing elements, each capable of trying a billion keys every second, would be able to try (2^60 keys/second).  That means it would take (2^128 keys) / (2^60 keys/second) = 2^68 seconds to brute-force check all 128-bit keys. That is about 10^13 years to crack the key, or about 1000 times the age of the universe. Realistically, you would only need to try half the keys on average so that would be 500 times the age of the universe.

Or you could find a flaw in the algorithm...
or steal the certificate/password...