Veeam Virtual Labs & SureBackup

KB ID 0001572

Problem

If you require a ‘Virtual Lab’ for testing patches or config changes, on copies of your live servers, or simply want to test the ‘integrity‘ of your backups, then this is the post for you!

Licence Requirements: SureBackup and On Demand Sandbox require Enterprise Plus Veeam Licensing.

Host Licences: Hosts that are only used for SureBackup  / On Demand Sandbox DO NOT NEED Licences, (in Veeam,) only hosts that you back up FROM need licences.

SureBackup and Virtual labs are built on vPower, which allows you to power on your ‘backup files’ in a test/sandbox environment. It’s actually the same technology that Veeam use for U-AIR recovery.

Three components make up a virtual lab;

1. Application Group: This is a group of VMs, and the ‘Order’ they need to be powered on, e.g. for Exchange server you would also need a DC (global catalog server,) and maybe your mail filter appliance to be in the same group.

2. Virtual Lab: Requires a ‘Host’, and a DataStore, (for redo logs only), this only needs to be 10% of the size of the VMs that are being powered on in the lab.

3. SureBackup: This is the process that ‘Tests backups‘, it will bring your backed up machines online, and perform some tests on them, some are simple like ‘ping’ tests others are specific to particular server roles, like additional tests for Domain Controllers, Exchange servers etc.

Solution

Veeam Backup and Recovery Download

Here’s how it all ‘hangs together’. We are backing up a Domain Controller, and an Exchange Server, and we are going to use those backup files to power on a copy of the servers in our ‘Test-Lab’.

Note: I’m using VMware ESX, you can also use Microsoft Hyper-V.

These are presented though a ‘Veeam Proxy Appliance’, which presents them to the VEEAM server with a changed ‘octet’ in their IP address. (So by default any other machine needs a static mapping, {see below}).

Create a Veeam SureBackup Application Group

As mentioned above, make sure you have ‘Enterprise Plus‘ licences.

It should go without saying, but you will also need a ‘good’ backup of your servers.

Backup Infrastructure > SureBackup > Application Group > Add App Group > VMware.

Give the app group a name > Next > Add VM > From Backup > Select the VMs for the Lab > Add Next.

 

Put the server(s) in the correct order, i.e. the domain controllers at the top.

If you are just going to use SureBackup to check backups, then ‘Edit’ the servers, and change their ‘role’ so the correct tests get performed on them. If you are just wanting a Virtual Lab, don’t bother as you will be interacting with them directly anyway. Here are the settings for a Domain Controller.

And here for Exchange.

Next > Finish.

Create a Veeam SureBackup Virtual Lab

Backup Infrastructure > SureBackup > Virtual Labs > Add Virtual Lab > VMware.

Give the lab a name > Next > Choose > Select the ‘Target’ ESX Server to use > OK > Next > Choose > Select a datastore for the ‘redo’ logs, remember this needs to be about 10% of the size of the restored VMs. > OK > Next.

Next > ‘Advanced Single Host’ > Next > Add > Browse to the ‘Port Group’ your production VMs are in > Add > OK > Next.

Note: If you need to have your lab network on its own VLAN, this is where you need to specify that traffic to be ‘tagged’ accordingly.

Add > Specify the IP for the ‘inside’ of your Veeam Proxy Appliance, this MUST BE the same as the default gateway on the live network. Then select a sensible masquerade network address > OK > Next.

Veeam: What’s a Masquerade Address?

The proxy server basically will perform NAT from the test lab to the live network, (their actual IP addresses never change, that’s why the proxy appliance had the same IP as the default gateway on the live network. The Masquerade addresses simply change one ‘octet’ of the IP address so the Veeam server can speak directly to each sand-boxed, (Test lab) VM.

If required, Add a ‘Static Mapping‘ i.e if you want to be able to ‘speak’ to a test lab VM from the live network.

How Do Veeam Virtual Lab ‘Static Mappings’ Work?

Using the example, I used above, here if someone on the live network speaks to 192.168.100.21, they are actually talking to 192.168.100.196 in the test lab.

Apply > Finish.

Create a Veeam SureBackup Job

There are two ways of doing this, if you want to create a SureBackup job that just checks your backups, then you would schedule the job, and connect it to your backups, or if you just wanted to do some lab testing, you would create a ‘one off’ SureBackup job and leave the VMs powered on (I’ll point this out below).

Home > SureBackup Job > VMware > Give the job a name > Next.

Select the lab you created above > Next > Select the App Group you created above. (NOTE: If you want to leave your machines ‘powered on’ after the job, i.e. for performing upgrades, patch tests etc, then TICK the option indicated).

Link this job to the backup job for the VMs in question > Add > Select the backup Job > OK.

Note: The option at the bottom, specifies how many VMs are tested at a time in a standard SureBackup Job.

Next > Next.

Schedule the job (if required) > Apply > If you didn’t schedule, then you can click ‘Run the job when I click Finish‘ for ‘one-off’ jobs > Finish.

If you selected the option to leave the machines powered on, then there will ‘always’ be a job running and the job will stop at 99%. (You will need to manually stop the job to remove the test VMs). If you do continuous backups this will be a familiar sight anyway!

There’s my test VMs powered on, that I can interact with, update, patch, and change configurations, without it affecting my live servers.

Related Articles, References, Credits, or External Links

NA

How To Install Exchange 2016 (Greenfield Site) – Part 2

KB ID 0001302

Problem

Back in Part-One, we looked at all the things to consider before you start to install Exchange 2016. Now we will start installing software, and getting to a point where we can configure Exchange 2016 and carry out some post deployment.

Solution

Your forest functional level needs to be at ‘Windows Server 2008’ before you can install Exchange 2016.

The server you intend to deploy Exchange on, needs to be a domain member server.

To save you any hassle, make sure your intended server is fully updated.

The server needs .Net installing, the versions, (at time of writing ) are;

  • Exchange 2016 CU3 Req.Net 4.5.2 (or greater).
  • Exchange 2016 CU5 Req.Net 4.6.2 (or greater).
  • Exchange 2016 CU6 Req.Net 4.7.2 (or greater).

Exchange 2016 Roles/Features Windows Server 2016

As with previous versions of Exchange there’s a long list of roles and features that needed to be added, open an administrative PowerShell Window and run the following;

[box]

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS, Server-Media-Foundation

[/box]

Exchange 2016 Roles/Features Windows Server 2012 (2012 R2)

As with previous versions of Exchange there’s a long list of roles and features that needed to be added, open an administrative PowerShell Window and run the following;

[box]

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

[/box]

You will also need to install the ‘Unified Communications Managed API 4.0 Runtime‘ software. Note: Not required if you are only installing the management tools.

Windows Server 2016 Only: You should already have update KB3206632 as we updated the server above, if you skipped that step you need to pre install that update, so update now!

Installing Exchange 2016

If you downloaded the Exchange media as a .iso file mount it and let it autoplay. If you extracted the software run Setup.exe. The first thing it will do is look to see if it has any updates.

Files will get copied over > Next > You will be presented with an introduction > Next.

Accept the EULA > Next > I usually just accept the recommended settings > Next.

Select either Mailbox server, Edge Transport server, or just the management tools > Next > Select the location that you want to install Exchange to > Next.

Note: Although in the example below, I’m using the ‘C:’ drive, for production I would always install Exchange onto a separate volume to the OS.

I usually accept the default organisation name of ‘First Organisation’ you can change it if you with, but choose wisely because you can’t change it once installed > Next > Unless you have a specific requirement to disable the built in malware protection, leave it enabled > Next.

Exchange now does a quick check to make sure it’s happy to progress, you will always get a couple of warnings, if it complains about anything else rectify it and click ‘recheck’, once you are happy click Next.

Setup progress takes ages! Seriously go to lunch at this point > Next > Once completed Ive ticked the box to open the Exchange Admin Center, but nearly every time I’ve done this it fails. Your best bet is to reboot the server, go and have a coffee then come back and open a browser window and navigate to https://{server-FQDN}/ecp 

In Part 3, we will look at post install tasks.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site) – Part 1

Deploy Cisco FirePOWER Management Center (Appliance)

KB ID 0001263

Problem

You have been able to manage your firewalls Internal SFR module for  while using the ASDM

Setup FirePOWER Services (for ASDM)

For most people that’s fine, but if you have a lot of FirePOWER devices to manage that does not scale well. In those cases you should use theFMC  (FirePOWER Management Center). Here ‘Im going to use the Vmware virtual appliance, (at time of writing there is no Hyper-V version).

This lets you create policies centrally and then deploy them to your devices in bulk.

Solution

Deploy the FirePOWER Management Center Appliance

Obviously before you start you need to have VMware (ESX or vCenter). With 250GB of storage free, (you can deploy it thin provisioned). You will also need to allocate 8GB of RAM and 4 virtual CPUs. Whichever network (or VMware port Group) you connect the appliance to it needs to have IP connectivity to the devices you intend to manage.

Download the FMC Appliance: Be aware it downloads in tar.gz format so on a Windows machine you will need something like 7Zip to uncompress the files. You WONT find the file under the firewalls, they are listed under;

Downloads > Produces > Security > Firewalls > Firewall Management > Firepower Management Center Virtual Appliance

Make Sure: You download the same version that is installed on the modules you want to manage! (‘show module’ on the ASA will yell you).

Get the files extracted and on a machine that you can access your VMware infrastructure from;

The appliance comes in OVF format if you are unsure how to import an OVF file see the following article;

VMware vSphere – How to Import and Export OVF and OVA Files

You will need to accept the EULA, then set the admin password, and some basic IP settings.

I’ve got IPv6 disabled, if you want to address the appliance with IPv6 enter the details here.

Even after the appliance has been imported and powered on it can take 20-30 minutes before you can log on. At this point I would go and do something else. If you really must, then open a ‘console’ session and wait until the logon prompt is shown. You can then logon to the web portal.

Go to System > Updates > Download and install any updates > Visit both the ‘Rule Updates’ and the ‘Geolocation Updates’ tabs and set a time to download them.

Don’t Install the licences Just Yet! Add your devices to the FMC first, then if there’s a problem and you need to rebuild/redeploy, you don’t have to go cap in hand to Cisco licensing to get the licences re-armed. To add the SFR devices see the following article;

Cisco Add FirePOWER Module to FirePOWER Management Center

Network Discovery: Older version of the FMC used to only look for RFC 1918  IP ranges, This was changed at some point to 0.0.0.0/0 so you couldn’t misconfigure the system by having a private address space internally for example. This was a good idea but Ive seen some firewalls fall over trying to run discovery on every IP address they see!  So lets manually add in our subnets. Objects > Object Management > Add Network > Add Object > Add one for you internal network(s).

Policies > Network Discovery > Remove the 0.0.0.0 Rule.

Create a new discovery rule using just your subnet(s).

 

Adding Licences To FirePOWER Management Center

You used to have to licence the appliance itself, after version 6 you don’t need to do that, if you have a licence and you try and apply it nothing happens and you just see this message;

Note: FireSIGHT is the old name for FirePOWER Management Center.

What Licences do I need to Add? Your Next Generation Firewalls now come with a ‘CONTROL LICENSE‘ in the box, it is in a large white card envelope, you don’t need to open it the number you need is on the front of the envelope. You add a control licence for every device you want to manage (they do not expire).

System > Licences > Classic Licenses > You need to take a note of the ‘Licence Key’, (which is the MAC address of the appliance with a 66 in front of it). This is the serial number you need to enter on the Cisco licensing portal.

When you get the licence back, if you open it in a text editor, it will look like this (its essentially a digital certificate). Copy everything from ‘— BEGIN‘ to ‘License —‘ 

Paste in the text > Submit License.

Repeat for each licence (IDS, AMP, URL Filtering ,etc)

You will also need to allocate the licenses to devices. Devices > Device Management Select the Device in question > Edit.

Device > License Section >Edit > Allocate accordingly.

Configuring FirePOWER Intrusion Policy

To use an intrusion policy the devices each need a ‘Protection‘ licence. Note: You get a protection licence now automatically when you add a CONTROL licence, but you still need to pay a subscription to legally obtain the updates.

Policies > Access control > Intrusion > Create Policy.

Give the policy a recognisable name > Create and Edit policy.

The policy it creates is based on the ‘Balances Security and Connectivity’ Template. You might want to add a few extra rules > Rules > Blacklist > Select All.

Rule State > Drop and Generate Events.

Repeat for ‘Malware’. Note: This does NOT require and AMP licence@

Repeat for  PUA (Probably Unwanted Applications).

Repeat for ‘Indicator Compromise‘.

Repeat for ‘Exploit Kit‘.

Search for ‘1201’ and locate the ‘INDICATOR-COMPROMISE 403 Forbidden’ rule and DISABLE IT.

Policy Information > Commit Changes > OK.

Note: To be used, the Intrusion policy needs to be declared in an Access control policy (or set as a Default Action).

Also in the Access Policy set the logging to ‘Log at the end of connection‘.

As mentioned above you can also set it as the ‘Default Action‘.

Configuring FirePOWER AMP and File Policy

You need an AMP, (subscription based licence) to enable the ‘Malware Cloud Lookup, or Block Malware‘ Actions, but you can have a file policy and block specific file types.

Polices > Access Control > Malware and File > New File Policy.

Give the policy a name you will remember > Save.

Action = Malware Cloud lookup > Add in the files you want to scan > Below I’ve set it to store unknown files > Save.

Then create another rule below that that detects all files.

As above the file policy wont be applied to anything unless you specify it in an access policy.

In the rule also set the logging to ‘log at the end of connection’.

 

Configuring FirePOWER URL Filtering Policy

You need to have a URL filtering licence allocated to the devices you want to use this policy on.

Unlike File policies and Intrusion policies, URL filtering is configured directly on your Access Control policy > Add Rule.

Here’s an example of blocking some categories you don’t want viable in tour organisation.

In a rule that only has URL filtering set the login to ‘Log at the beginning of the conneciton‘.

 

When done, don’t forget to ‘Deploy‘ the new policy to your managed devices. Deploy > Select Devices > Deploy.

hen Related Articles, References, Credits, or External Links

NA

FMC – AMP Malware Inspection

KB ID 0001159 

Problem

If you take a look in your SourceFire dashboard, and there is no data shown on the malware threat section like so;

Solution

The message is pretty descriptive, and it’s telling you exactly what you need to do. Now I’m making the assumption that you have added a valid AMP / Malware licence like so;

Policies > Access Control > Edit your access control policy > Then Edit the file policy.

Add in “Block Malware with Reset”.

You can test the rule is applying correctly by trying to download the eicar test infected files;

Then after a short time, you should start to see the malware threats window start to show some data.

Related Articles, References, Credits, or External Links

NA

Malwarebytes – Manually Update Database/Definitions

KB ID 0000629

Problem

I was called to a 2003 Server yesterday, that was riddled with malware, whatever was on there was generating a lot of network traffic, so the first thing I did was disconnect it from the network.

That’s fine, but if I wanted to use my usual ‘weapon of choice’ Malwarebytes, how was I going to get the latest database installed?

Solution

WARNING: There is a note on the Malwarebytes website that discourages this procedure, as it breaks the incremental update mechanism of Malwarebytes. They recommend that you use this utility to do the job, and that it should be updated every week (though the page currently has December 2011 as the update date!) . In my case once the machine is clean, I’ll remove Malwarebytes and install Trend Worry Free on it anyway. Either way, I prefer to know for a fact I’m using the latest database.

1. Install and update Malwarebytes on a nice clean machine (In this case, my Windows 7 laptop).

2. Find out what version of Malwarebytes you are running (on the about tab).

3. Navigate to the following location, and take a copy of the rules.ref file, i.e. put a copy on a USB thumb drive.

Windows 7 / Vista / 2008 / 2008 R2

[box]C:ProgramDataMalwarebytesMalwarebytes’ Anti-Malware[/box]

Windows XP / 2000 / 2003 / 2003 R2

[box]C:Documents and SettingsAll UsersApplication DataMalwarebytesMalwarebytes’ Anti-Malware[/box]

4. If your version is 1.60 or newer you also need to take a copy of the database.conf file that’s in the same folder, but in the configuration folder.

5. Copy the file(s) to the corresponding folder(s) on the affected machine, and paste them over the copies that exist there.

6. Then launch Malwarebytes on the affected machine, and scan with the updated database.

 

Related Articles, References, Credits, or External Links

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

Cannot Install Malwarebytes (Already Infected) – Deploy Chameleon

Cannot Install Malwarebytes (Already Infected) – Deploy Chameleon

KB ID 0000750 

Problem

If I’m working on a machine that I suspect is infected by Malware/Spyware then one of the first tools I reach for is Malware Bytes.

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

As it’s one of the most popular repair tools, it’s not uncommon for the writers of these pieces of malicious code, to actively block the installation of Malwarebytes. So the publishers of Malwarebytes have come up with a solution called Chameleon.

Solution

1. Head over to the Malwarebytes download site > For Home > Other Tools.

2. Download Chameleon.

3. The files will come down in a zip file > Extract them > Locate the Chameleon.chm file and run it.

4. You can now attempt to install Malwarebytes by using the install options presented, start with the first and work your way down.

5. When running, a command window will open, and ask you to press any key > It will see if the software is installed, if not it will download and install it.

6. Then it will update the software with the latest definitions.

7. When complete the software will start and begin a scan.

 

Related Articles, References, Credits, or External Links

Malwarebytes – Manually Update Database/Definitions

Spyware / Malware Rogue AV and Rogue Antispyware “Scareware”

KB ID 0000183 

Problem

The last time I wrote any information on Spyware was a while ago. When I wrote that article the main problem was browser hijacking – while that’s still a problem more recently the trend is towards infecting your machine with “Scareware”. This is software that pretends to be either an antivirus program or an antispyware program and tells you to either install something – or perform a scan (which installs something) or forces you to buy some useless software etc.

A lot of my clients who get infected justifiably ask “Well I’ve got up to date AV and Antispy software, how did I get infected?” The simple answer is (In most cases) because you clicked the button that said “Yes” when proper text on the button should have said “Yes, please slow my machine down and infect it horribly”. Some programmers of these Scareware applications have produced some awesome professional looking programs, that would fool even the more “Technically aware” user.

The Best form of Defense is Offence (And common sense!)….

Error Reads: Windows Title: “Windows Internet ExplorerWindow Text: “This computer is under attack.They can seriously harm your private data or files, and should be healed immediately. Return to Antivir and download it secure to your PC.

Windows Internet explorer is telling you you’re infected? How would an internet Browser know you are infected? And If you actually read the text, the grammar is terribly bad (Even by my D Grade O Level Standards!) But click anything (OK, Cancel, The Red X to close the window) you will probably drag some nastiness into your PC. Also look at the URL “http://my6-antivirus-scanner.com/” Google that (that’s search for it in Google NOT type it in the address bar!) And you will see its bogus.

Here’s Another Example

Solution

I’ve got a window just like that one, what do I do?

Right Click Your Taskbar and select “Task Manager” or “Start Task Manager” > On the applications Tab select the instance of Internet Explorer > Click “End Task” > Accept any warnings > Close Task Manager. If you still worried run a full AV and Antispy scan on the machine.

 

Help! – I’ve been infected and now my machine tells me I’m infected all the time!

1. Before you do anything make sure you have a backup of anything important. (Your documents, emails, photos internet favorites, programs etc) just in case.

To Fix things you need to install some software. If you are so badly infected that you cannot install the software, or the infection you have specifically stops the removal tools from working, (some do!) Then reboot the PC, and Press F8 – and select Safe mode.

2. Install Malwarebytes, Let it update itself, then perform a scan, reboot and re scan, until it tells you there is no infection left.

3. Install SuperAntispyware, Let it update itself, then perform a scan, reboot and re scan, until it tells you there is no infection left.

4. When done, make sure you have good, up to date, Antivirus software, a personal firewall, (The Windows one is better than nothing). Then periodically run one of the above products.

Hang On! I’ve done that and its not worked (I’m still Infected).

The two products above are usually all you should need, if an infection gets past one, the other usually gets it. However in some cases the code writers will get something on your PC quicker than the good guys can defeat it, if that’s happened to you, you have a choice.

1. Consider reinstalling Windows (For everyone who has just rolled back in their seat, I charge £75.00 an hour for desktop work, it might take me 4-8 hours to clean a machine manually, how much is your PC worth?). And its the ONLY way to make sure you’ve got all remnants of nastiness away (You’re looking at about 4 hours work with a modern PC to rebuild it, patch it, and reinstall everything).

2. Roll your sleeves up and get on the internet, the chances of you being the first person infected are pretty slim. Download HijackThis and get the log it generates, posted in an online forum or check it online(Warning: Automated systems).

3. If you have tried everything then your last port of call should be COMBOFIX this is a VERY powerful tool and if used incorrectly can destroy Windows (hence why i’ts at the bottom of the list).

Gallery Of Nastiness Note: Here’s just a few – there are tons more – If you want to send me a screenshot of anymore please do so

Security Sheild (Seen 22/12/10 – Infected by an email attachment) SecurityTool Security system Protection Control Panel WinReanimator VirusHeat Virus Protect IE Defender 2.2 VirusRay AntiVirGear SpyShredder 2.1 VirusProtect Pro Windows Security Center (No It is’nt) Spyware Protect 2009 VIRUSBUSTERS Personal AntiVirus ExtraAntivirus System Antivirus 2008 IE Antivirus 3.3 Fast AntiVirus 2009

Related Articles, References, Credits, or External Links

Malwarebytes – Manually Update Database/Definitions

Windows 8 – Empty Explorer.EXE Window Opens on Boot

KB ID 0000893 

Problem

After cleaning an infected Windows 8 machine, I was faced with an empty Explorer.EXE window with just a warning triangle like this every time the PC booted.

Solution

It was being caused by a piece of junk that was left in the registry.

1. Press Windows Key+R > type regedit {Enter} > The registry editor will open.

2. Navigate to;

[box]

HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWindows

[/box]

3. Check the the existence of a string named ‘Load’ > If it exists, delete it and reboot to test.

Related Articles, References, Credits, or External Links

NA