[EDIT 14-01-2013]
Oracle released Java 7 Update 11 to fix this security issue. Be sure to update: http://java.com/
[EDIT]
Normally when I read about security vulnerabilities, I don’t really get a sense of urgency.
With the current Java vulnerability however, I do feel like people have to act quickly because there are so many respected companies and even countries actively taking action:
Apparently this vulnerability is actively being exploited already and Oracle hasn’t released a Java fix yet. You might want to consider a combination of the options below:
Personally I like the way Firefox is handling the issue because it blocks by default, but allows users to easily override this behavior for specific sites. Also I’m getting quite fed up with all these Java security vulnerabilities lately 😦
I’d like to know what you’ll be doing. Have you or are you going to disable Java? Which methods will you use? Why?
As a passionate ICT person, I work with multiple virtualization products including Microsoft Hyper-V and VMware vSphere.
At home I’m running Server 2012 with Hyper-V in my home lab and even though it works perfectly, I miss the option to run other hypervisors nested beneath it, for example multiple Hyper-V, VMware ESXi or Citrix XenServer instances.
With VMware products like VMware Fusion and VMware Workstation you can enable this with only a couple of minor adjustments as described in these great articles:
For me personally, I’ll stay with my Hyper-V based home server and my Windows 8 Client with Client Hyper-V installed. For testing purposes however, I’ll have to use VMware Workstation 9 on my Windows 8 machine (even though I have Client Hyper-V installed). This way I can still run other hypervisors when needed.
I still hope though that Microsoft will add a similar feature to Hyper-V in the future.
In yesterday’s post I described how you could extract Office 2003 updates. When they are extracted however, they still need to be slipstreamed into the package. I also created this script to automate the slipstreaming.
Basically for each extracted patch (.msp) file, it runs msiexec with the correct parameters. So if you have other msi packages that need multiple patch (.msp) files applied to them, you could use this script as a foundation as well.
Not so long ago I had to create a new Office 2003 Administrative Installation Point.
There were 2 choices:
- Use the default ISO and have WSUS handle patching after each install.
- Slipstream all available patches in the Office 2003 Administrative Installation Point.
Of course option 2 is the best choice, because then the package will be the most secure from the moment the software is deployed. Also it saves bandwidth and time.
To slipstream updates into Office 2003, there are basically 4 steps:
- Extract the original Office 2003 files.
- Download the updates you want to slipstream.
- Extract the updates you want to slipstream.
- Slipstream the updates into the extracted Office 2003 files.
You can imagine that the older the source files are, the more updates there are to be slipstreamed. So it is best to use an ISO/CD of Office 2003 with the latest Service Pack.
Still, even if you have the latest Service Pack, you need to slipstream more than 20 updates. I personally don’t like this kind of manual task, so I created this script to do the extraction of the updates for me.
Of course this script can be used to extract other kinds of updates as well.
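The extraction and slipstream steps described in this post and in the slipstreaming post above, as one added example (this is not the author's script). All folder paths and the `PRO11.MSI` name are placeholders, and the `/Q /C /T:` extraction switches and the `msiexec /a ... /p ...` form are the commonly documented ones for Office 2003 update packages, assumed here rather than taken from the page.

```powershell
# Added example, not the author's scripts. All paths and the MSI name are placeholders.
$updateDir  = 'C:\Office2003\Updates'        # downloaded update .exe packages
$extractDir = 'C:\Office2003\Extracted'      # receives the extracted .msp files
$adminMsi   = 'C:\Office2003\AIP\PRO11.MSI'  # MSI of the administrative installation point
$logDir     = 'C:\Office2003\Logs'

New-Item -ItemType Directory -Path $extractDir, $logDir -Force | Out-Null

# Step 3: extract every downloaded package into its own subfolder.
foreach ($exe in Get-ChildItem -LiteralPath $updateDir -Filter *.exe) {
    # Only run packages that carry a valid Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Skipping $($exe.Name): signature status is $($sig.Status)"
        continue
    }
    $target = Join-Path $extractDir $exe.BaseName
    New-Item -ItemType Directory -Path $target -Force | Out-Null
    # /Q = quiet, /C = extract only, /T: = target folder
    $p = Start-Process -FilePath $exe.FullName -Wait -PassThru `
                       -ArgumentList '/Q', '/C', "/T:`"$target`""
    if ($p.ExitCode -ne 0) {
        Write-Warning "Extraction failed for $($exe.Name) (exit code $($p.ExitCode))"
    }
}

# Step 4: apply each extracted .msp to the administrative image, one at a time.
$patches = Get-ChildItem -LiteralPath $extractDir -Filter *.msp -Recurse | Sort-Object Name
foreach ($msp in $patches) {
    $log     = Join-Path $logDir ($msp.BaseName + '.log')
    $msiArgs = '/a', "`"$adminMsi`"", '/p', "`"$($msp.FullName)`"",
               'SHORTFILENAMES=TRUE', '/qb', '/L*v', "`"$log`""
    $p = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required
    if ($p.ExitCode -notin 0, 3010) {
        throw "msiexec failed on $($msp.Name) with exit code $($p.ExitCode); see $log"
    }
}
```

Stopping at the first failed patch keeps the administrative image in a known state, and the per-patch verbose log shows which update was the last one applied.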
In yesterday’s post I showed some commands to protect all or specific Active Directory objects from accidental deletion.
In some situations (for example, when preparing for a change) you might want to know which objects are protected from accidental deletion and which are not. Also when multiple people make changes in an Active Directory it might prove difficult to keep track of the changes.
To determine the protection status of AD objects, I use a script that checks the ACL of the AD Object. When Everyone is explicitly Denied access, it is protected from accidental deletion.
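One way to implement the ACL check described above, as an added example that is not the author's script. It assumes the ActiveDirectory module is installed and the session is domain-joined; the function name `Test-DenyEveryoneDelete` is hypothetical.

```powershell
# Added example; needs the ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Test-DenyEveryoneDelete {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $rights   = [System.DirectoryServices.ActiveDirectoryRights]
    $required = [int]$rights::Delete -bor [int]$rights::DeleteTree
    $denied   = 0

    # The AD: drive is provided by the ActiveDirectory module.
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        # Only explicit Deny entries count; inherited ones are not the protection flag.
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Deny') { continue }
        # Compare by SID: S-1-1-0 is Everyone regardless of the OS display language.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # identity could not be resolved to a SID
        if ($sid -ne 'S-1-1-0') { continue }
        # Accumulate the denied rights in case they are spread over several ACEs.
        $denied = $denied -bor ([int]$ace.ActiveDirectoryRights -band $required)
    }
    return ($denied -eq $required)
}

# Report every OU, showing the ACL result next to the module's own property.
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    ForEach-Object {
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            DenyEveryoneAce   = Test-DenyEveryoneDelete $_.DistinguishedName
            ModuleFlag        = $_.ProtectedFromAccidentalDeletion
        }
    } |
    Sort-Object DenyEveryoneAce |
    Format-Table -AutoSize
```

Rows where the two columns disagree are worth a manual look, since they indicate an ACL that was edited by hand rather than through the protection checkbox or cmdlet.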
In a previous blog post I explained how to enable the Active Directory Recycle Bin which allows you to restore deleted Active Directory objects.
But even though it’s great to be able to restore objects, it is even better to prevent accidental deletion. What protection from accidental deletion basically does, is modify the permissions on an AD object to Deny Everyone so you won’t be able to delete it by accident.
More information about protection from accidental deletion can be found in “Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory” and “Windows Server 2008 Protection from Accidental Deletion”.
In Windows Server 2012 with all the new cmdlets, it has become much easier to enable protection from accidental deletion.
For example, you could use these commands:
```powershell
# List the object classes present in the directory, with counts
Get-ADObject -Filter * | Select-Object ObjectClass | Group-Object ObjectClass

# Protect specific AD object classes from accidental deletion
Get-ADObject -Filter * |
    Where-Object { $_.ObjectClass -in 'container', 'organizationalUnit', 'user', 'group', 'computer' } |
    Set-ADObject -ProtectedFromAccidentalDeletion $true

# Protect all AD organizational units from accidental deletion
Get-ADOrganizationalUnit -Filter * | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true

# Protect all AD objects from accidental deletion
Get-ADObject -Filter * | Set-ADObject -ProtectedFromAccidentalDeletion $true
```
Currently report files for multiple customers are placed in a source folder monthly. These report files include the customer name and need to be uploaded for each customer to a subfolder named “Backup Controle” of their own folder.
Notes:
- The customer’s root folder name can differ from the customer name used in the report files.
- The folder “Backup Controle” isn’t always located in the same relative location from the root folder.
Example:
- The source report files folder contains:
- Backup Controle – Customer 1 – 12-2012.pdf
- Backup Controle – Customer 2 – 12-2012.pdf
- The customers’ root folders might be:
- C:\Customersroot\Cust1
- C:\Customersroot\Client2
- The “Backup Controle” folder might be located at:
- C:\Customersroot\Cust1\folder1\folder2\folder3\temp\folder4\Backup Controle
- C:\Customersroot\Client2\folder1\folder2\Backup Controle
This action was performed manually at first using the SharePoint web interface to browse to each customer’s folder and upload the report. This is of course not the type of work you want to do. Using the SharePoint WebDAV you can perform this using Explorer and drag and drop, which would make it a bit more bearable.
It would however be even better if it could be automated and that’s just what we did with this script. The script contains a function where you can define for each customer:
- Which name filter specifies the customer for the report name. E.g.: “Customer 1” or “Customer 2”
- What the name of the folder is for the customer’s root folder. E.g.: “Cust1” or “Client2”
The script will then recursively look inside the customer’s folder for a folder matching the “Backup Controle” folder and will copy the report to it (assuming the report is not already there).
In this example you would call the function like this:
- Copy-FileMatchingFilterToCustomerFolder “Customer 1” “cust1”
- Copy-FileMatchingFilterToCustomerFolder “Customer 2” “client2”
Note: It is assumed that there is only one folder named “Backup Controle” in the customer’s folder.
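A sketch of such a function, as an added example that is not the author's script. The function name and the `C:\Customersroot` root come from the post; the `C:\Reports` source folder and the extra parameters are assumptions. It refuses to copy when the "only one folder" assumption from the note above does not hold.

```powershell
# Added example. The $SourceDir default is a placeholder; adjust both roots to your environment.
function Copy-FileMatchingFilterToCustomerFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)][string]$NameFilter,
        [Parameter(Mandatory = $true, Position = 1)][string]$CustomerFolder,
        [string]$SourceDir     = 'C:\Reports',
        [string]$CustomersRoot = 'C:\Customersroot',
        [string]$TargetName    = 'Backup Controle'
    )

    # Find the target folder anywhere below the customer's root folder.
    $root    = Join-Path $CustomersRoot $CustomerFolder
    $targets = @(Get-ChildItem -LiteralPath $root -Recurse -Directory |
                 Where-Object { $_.Name -eq $TargetName })
    if ($targets.Count -ne 1) {
        throw "Expected exactly one '$TargetName' folder under $root, found $($targets.Count)."
    }

    # Select the reports whose file name contains the customer name filter.
    $reports = Get-ChildItem -LiteralPath $SourceDir -File |
               Where-Object { $_.Name -like "*$NameFilter*" }

    foreach ($report in $reports) {
        $destination = Join-Path $targets[0].FullName $report.Name
        if (Test-Path -LiteralPath $destination) {
            Write-Verbose "Already present, skipping: $destination"
            continue
        }
        Copy-Item -LiteralPath $report.FullName -Destination $destination
        $destination   # emit the path of each file that was copied
    }
}

Copy-FileMatchingFilterToCustomerFolder 'Customer 1' 'cust1' -Verbose
```

A plain substring filter such as “Customer 1” also matches “Customer 10”, so include a delimiter from the report name in the filter when customer names overlap.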
I’ve been around in the Windows world for quite some time and have studied quite a bit as well. As such I have always been taught that upgrading the functional level was irreversible. It also didn’t help that I got my Windows 2008 certification through beta exams before R2 was released and even before there were any books available.
Thanks to this blog post however, it came to my attention that it is possible to lower the Forest and Domain Functional Level from 2008R2 to 2008 or from 2012 to 2008R2.
All of this can only be done using PowerShell as you can read in “Step by Step guide to lower Active Directory functional level” by Aman Sahota.
[EDIT] 09-04-2013 : As described in my blog post, this script has become unnecessary for most people. This is because Microsoft now allows almost every Flash site by default. [EDIT]
[EDIT] 13-01-2013 : Apparently for Windows RT, the script doesn’t seem to be working yet. Unfortunately I have no Windows RT to troubleshoot and resolve the issue. [EDIT]
Windows 8 and Windows RT include support for Flash in Internet Explorer 10.
In Windows 8 there are however two versions of Internet Explorer 10 that handle Flash websites differently. First there’s Internet Explorer 10 Desktop, which is similar to the Internet Explorer you’ve been used to with previous versions of Windows. Then there’s also Internet Explorer 10 (non Desktop), which is the full-screen Internet Explorer in the new modern/Windows interface (Metro).
Internet Explorer 10 Desktop allows Flash for all websites. Internet Explorer 10 (Metro) only allows Flash for websites that have been whitelisted.
Especially for Windows tablets, Flash support can be a selling point because most other tablets don’t have Flash support. It is however confusing for regular consumers that not all their websites will work. For example, a friend of mine who’s a hairdresser uses http://www.kapperssite.nl to show her customers hair models and their haircuts. The site is however completely in Flash, and the fact that it does not work by default is very annoying.
The websites that have been whitelisted are defined in your local AppData folder. For example: “C:\Users\Bjorn\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml”. This file also contains information about websites and which compatibility mode should be used for each. The segment between <flash> and </flash> contains the websites that have been whitelisted for Flash. You can manually modify this file as described here: http://forum.xda-developers.com/showthread.php?t=1961793
Basic steps include:
- Modifying the iecompatdata.xml to add the websites you want to whitelist for Flash. Wildcards don’t work unfortunately.
- Open Internet Explorer 10 Desktop, press ALT, Tools, “Compatibility View setting”. Then disable “Download updated compatibility lists from Microsoft”. This way Microsoft won’t overwrite the updates you’ve made in step 1.
- Delete the IE10 browser history.
The disadvantage of this method however is that you won’t be taking advantage of future compatibility updates because you’ve disabled the update functionality. Leaving it enabled however means that you would have to keep re-adding sites you want to whitelist for Flash.
As a workaround, I’ve created this script that will automatically perform these tasks:
- Disable “Download updated compatibility lists from Microsoft”
- Close all Internet Explorer processes.
- Download the latest iecompatdata.xml to the appropriate folder. Currently the latest version is: https://iecvlist.microsoft.com/ie10/201206/iecompatviewlist.xml
The script however will dynamically look for the latest versions by modifying the date in the url.
- Combine the data from the latest iecompatdata.xml with websites you want to whitelist for Flash (specified in “C:\Users\Bjorn\AppData\Local\Microsoft\Internet Explorer\IECompatData\flashsitestoadd.txt”).
- Backup the original iecompatdata.xml and store the modified iecompatdata.xml
- Clear the Internet Explorer browsing history.
Because automatic downloading of updated compatibility lists has been disabled, I advise scheduling the script to run on a regular basis (for example monthly). For instructions read this blog post: http://blogs.technet.com/b/heyscriptingguy/archive/2012/08/11/weekend-scripter-use-the-windows-task-scheduler-to-run-a-windows-powershell-script.aspx Keep in mind that this will clear your Internet Explorer browsing history though.
Many companies and people in the past have encountered situations where they lost users, groups or other resources from Active Directory either by disaster or human error. Since Windows Server 2008 R2, you can use the Active Directory Recycle Bin to easily recover from this.
The AD Recycle Bin feature requires a forest functional level of Server 2008 R2 or higher and is disabled by default. Also, once it has been enabled it cannot be disabled.
With Windows Server 2008 R2 you could only enable the AD Recycle Bin using Windows PowerShell and you could also only restore objects using the CLI. With Windows Server 2012 you can both enable and restore very easily from the GUI using Active Directory Administrative Center (ADAC).
The script can be found here.
The script basically performs the following steps:
- Determine the current forest.
- Use parts of the current forest name to dynamically generate a command that is appropriate for every environment to enable the Active Directory Recycle Bin Feature.
- If the Active Directory Recycle Bin Feature hasn’t been enabled yet, enable it.
Even though it has become very easy to do using the GUI in Windows Server 2012, automating is always better. Therefore I also added it to the script I used in: Home LAB Setup guide – 04 Configuring Server 2012 VM as DC with DNS and DHCP using PowerShell
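The three steps listed above, as an added example that is not the author's script. It assumes the ActiveDirectory module and an account with Enterprise Admin rights; it also adds a forest functional level check that the step list does not mention.

```powershell
# Added example; needs the ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

# Step 1: determine the current forest.
$forest = Get-ADForest

# The feature needs a forest functional level of Server 2008 R2 or higher.
$tooLow = 'Windows2000Forest', 'Windows2003InterimForest', 'Windows2003Forest', 'Windows2008Forest'
if ($tooLow -contains "$($forest.ForestMode)") {
    throw "Forest functional level $($forest.ForestMode) is too low for the AD Recycle Bin."
}

# Step 2: build the feature's distinguished name from the forest name,
# e.g. corp.example.com -> DC=corp,DC=example,DC=com
$forestDn  = ($forest.Name -split '\.' | ForEach-Object { "DC=$_" }) -join ','
$featureDn = 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,' +
             "CN=Windows NT,CN=Services,CN=Configuration,$forestDn"

# Step 3: enable the feature only if it has no enabled scopes yet.
$feature = Get-ADOptionalFeature -Identity $featureDn
if ($feature.EnabledScopes.Count -gt 0) {
    Write-Output 'AD Recycle Bin is already enabled.'
}
else {
    # Enabling cannot be undone, so the confirmation prompt is left on here.
    # Append -Confirm:$false for unattended runs.
    Enable-ADOptionalFeature -Identity $featureDn -Scope ForestOrConfigurationSet -Target $forest.Name
}
```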