Toolkit archives - IT Trenches


Jun 26 2009   2:56PM GMT

Did you see this? - Microsoft Offline Virtual Machine Servicing Tool



Posted by: Troy Tate
Microsoft, virtual machine, Virtual machine management, solution accelerator, technology, technology management, tool, toolkit, education

Microsoft has a very large library of Solution Accelerators. These solution accelerators are meant to be detailed guides and toolkits to help organizations be successful in the planning, deployment and management of Microsoft products and technologies.

One accelerator that recently came to my attention is the Offline Virtual Machine Servicing Tool. According to the Microsoft website:

The increasing use of virtual machines—for purposes ranging from support of older operating system environments to power savings—has created new challenges for IT.

In particular, virtual machines may be left offline (stored in a non-operating state) for extended periods of time, which conserves resources when the server capacities of the virtual machines are not needed or frees up physical computing resources for other purposes.

However, offline machines do not automatically receive operating system, antivirus, or application updates that would keep them compliant with current IT policy. An out-of-date virtual machine may pose a risk to the IT environment. If deployed and started, the out-of-date virtual machine might be vulnerable to attack or could be capable of attacking other network resources.

Therefore, IT groups must take measures to ensure that offline virtual machines remain up-to-date and compliant. At present, these measures involve temporarily bringing the virtual machine online, applying the necessary updates, and then storing it again.

In the future, image updating solutions may be able to update virtual machines while they remain offline. Until such solutions become available, the Offline Virtual Machine Servicing Tool, a Solution Accelerator from Microsoft, provides a way to automate the process of updating virtual machines. This tool is now available as a free download from the Microsoft Download Center.

Business Scenarios

You can use this Solution Accelerator to help you with business scenarios such as these:

  • Your IT organization is converting physical servers to virtual machines to reduce costs, including administrative overhead. How can you regularly update offline virtual machines while minimizing administrative costs?
  • Your IT organization has thousands of virtual machines stored for months at a time in a number of libraries. How do you keep the virtual machines reliably up to date?

This tool can be useful to those organizations already managing virtual machines or those considering deployment. Maybe it can make your life a little easier. Why not leave some feedback if you have used or are considering this tool?

Thanks for reading and let’s continue to be good network citizens!

Apr 29 2009   12:25PM GMT

Did you see this? - Free Wireless LAN planning, deployment and management tools



Posted by: Troy Tate
tools, toolkit, wi-fi tools, network analysis, performance analysis, performance monitoring, wlan, 802.11, free, throughput, network throughput, throughput testing

Xirrus is a WLAN equipment manufacturer. They have some very cool products, and if you have not checked them out and are looking at installing, adding or replacing any WLAN network gear, then I suggest you take a look at their offerings before making a decision.

Xirrus has a page on their website where they offer some cool free tools for planning, deploying and managing wireless networks. The tools will work on any 802.11 wireless network as well as on wired networks. Some of the tools available include:

Xirrus Wi-Fi Inspector
The Xirrus Wi-Fi Inspector is a powerful tool for managing and troubleshooting the Wi-Fi on a Windows XP or Vista laptop. Built-in tests enable you to characterize the integrity and performance of your Wi-Fi connection.

Xirrus Wi-Fi Monitor Gadgets/Widgets
The Xirrus Wi-Fi Monitor allows you to monitor your Wi-Fi environment and connection in real time from your desktop in an easy-to-use mini-application. Nine different color skins allow you to customize the Wi-Fi Monitor to your desktop.

Iperf
Iperf is an easy-to-use and very popular tool for measuring maximum throughput that every IT professional should have. Iperf provides you the data to tune TCP and UDP characteristics. Iperf reports throughput, delay jitter, and datagram loss in easy-to-understand tables and graphs. You can run Iperf from the command line or a GUI interface.

Qcheck
Qcheck is a must-have and handy tool for any IT professional. It does much more than the traditional “ping” command.

Other tools are available on this excellent website. I recommend that you take a few minutes, review the offerings and add to your toolbox those tools of value to you.

Thanks for reading and let’s continue to be good network citizens.


Feb 27 2009   7:41PM GMT

Did you see this? - Internet Measurement Testing tools



Posted by: Troy Tate
network testing, network, testing, toolkit, research, throughput, analysis, Performance, performance monitoring

There will always be some user saying “the internet is slow”. There are many resources out there for testing internet connections. The Measurement Lab is one I came across the other day; it hosts several useful tools. Some of the tools and descriptions are listed below. Maybe one of these will be useful to you or your users some day. Just remember you heard about it on IT-Trenches! Thanks for reading and let’s continue to be good network citizens.


Feb 25 2009   2:30PM GMT

Did you see this? - The Cheapskate’s Infosecurity Toolbox



Posted by: Troy Tate
information security, infosecurity, tools, toolkit, management, research

This may be a couple of years old, but the need for infosecurity tools and the requirement for cheap solutions have not changed. This was first published in CSO magazine in 2006. The tools have only gotten better since then. Hope you can find some use for the tools it recommends in these trying budget & resource times.

The Cheapskate’s Infosecurity Toolbox

Thanks for reading & let’s continue to be good network citizens!


Feb 2 2009   5:15PM GMT

ARP as a network auditing tool



Posted by: Troy Tate
ARP, protocol, testing, tools, toolkit, scanning, education, video, training, protocol analysis, Laura Chappell

ARP, or Address Resolution Protocol, is a necessary element of network traffic. Per Wikipedia: “In computer networking, the Address Resolution Protocol (ARP) is the method for finding a host’s link layer (hardware) address when only its Internet Layer (IP) or some other Network Layer address is known. ARP is defined in RFC 826. It is Internet Standard STD 37.” It is not an IP-only protocol.

What this means is that ARP is not a protocol that can easily be blocked or disabled on a network. This is by design, but it also means that attackers can use this protocol for malicious activities. It is important that you understand the ARP protocol, the ways it is used and the dangers associated with it.

Laura Chappell, the BitGirl, has created a new tutorial on using ARP to scan networks that may be firewalled or where ICMP pings are blocked. ARP will permit you - and attackers - to find hosts on the network. Take some time to watch this short video and gain some valuable insights into ARP.

Watch Chappell University - Ethical Hacking with NetScanTools Pro - ARP Scanning
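Because ARP cannot be filtered away, the defensive counterpart to the scanning Laura describes is to watch for it on the wire. The following is an added example, not part of the post or the video: it decodes ARP-over-Ethernet frames and flags any sender MAC that asks for many distinct target IPs within a short window. The frame builder, MAC addresses, timestamps, window and threshold values are all constructed for the demonstration.

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
# ARP payload for IPv4 over Ethernet: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"


def parse_arp(frame):
    """Decode one Ethernet II frame.  Returns (oper, sender_mac, sender_ip,
    target_ip) for IPv4-over-Ethernet ARP, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)


def detect_arp_sweeps(timed_frames, window=2.0, threshold=8):
    """Return {sender_mac: distinct targets} for senders whose ARP requests name
    at least `threshold` different target IPs inside some `window`-second span.
    The window and threshold are constructed defaults; tune them per segment."""
    asks = defaultdict(list)                       # mac -> [(timestamp, target_ip)]
    for ts, frame in timed_frames:
        p = parse_arp(frame)
        if p and p[0] == ARP_REQUEST:
            asks[p[1]].append((ts, p[3]))
    suspects = {}
    for mac, events in asks.items():
        events.sort()
        worst = 0
        for i, (t0, _) in enumerate(events):       # sliding window anchored at each request
            worst = max(worst, len({ip for ts, ip in events[i:] if ts - t0 <= window}))
        if worst >= threshold:
            suspects[mac] = worst
    return suspects


# --- constructed sample capture, used only to exercise the detector ---
def arp_request(sender_mac, sender_ip, target_ip):
    """Build a broadcast who-has frame as it would appear in a capture."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST, sender_mac,
                      socket.inet_aton(sender_ip), b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


WORKSTATION = bytes.fromhex("001122334455")   # constructed MAC addresses
SWEEPER = bytes.fromhex("66778899aabb")


def sample_capture():
    """A host resolving its gateway twice, then a host asking for 20 addresses in one second."""
    frames = [(0.0, arp_request(WORKSTATION, "10.0.0.50", "10.0.0.1")),
              (30.0, arp_request(WORKSTATION, "10.0.0.50", "10.0.0.1"))]
    frames += [(60.0 + i * 0.05, arp_request(SWEEPER, "10.0.0.77", f"10.0.0.{i + 1}"))
               for i in range(20)]
    return frames
```

A real deployment would feed `detect_arp_sweeps` from a packet capture on a span port; the workstation's two gateway lookups stay below the threshold while the 20-address burst is reported.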

Thanks for your time and let’s be good network citizens!


Jan 29 2009   9:13PM GMT

Nifty tools for tracking down that “interesting” network traffic



Posted by: Troy Tate
pstools, Sysinternals, Microsoft, Routers, Cisco, troubleshooting, toolkit, Security, WAN, LAN, malware, network analysis, network monitor, network troubleshooting

My previous posting was meant to help you determine the source of potentially dangerous network traffic at your network’s edge. This post is meant to help you identify applications and traffic on your local network that seem “interesting”. I define “interesting” as something you don’t know much about, would like to learn more about, and might take some action to shut down.

As you may already know, I work at an international company with sites around the globe. There are over 2500 computer nodes not including printers, servers, switches, etc. Sometimes it is necessary to identify what traffic is crossing the network links between the sites. There are lots of tools and processes that can be used to gather this information. I will outline a couple here.

Our WAN edge routers are from Cisco. One of the features that can be enabled on a Cisco router is the ip cache flow feature. The show ip cache flow command returns some very useful information. An example is shown below.

show ip cache flow
IP packet size distribution (116972772 total packets):
1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
.000 .375 .090 .023 .010 .007 .006 .003 .002 .014 .011 .010 .009 .005 .004
512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
.004 .003 .006 .028 .378 .000 .000 .000 .000 .000 .000
IP Flow Switching Cache, 278544 bytes
64 active, 4032 inactive, 4367569 added
80215342 ager polls, 0 flow alloc failures
Active flows timeout in 30 minutes
Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 21640 bytes
0 active, 1024 inactive, 0 added, 0 added to flow
0 alloc failures, 0 force free
1 chunk, 1 chunk added
last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet         724      0.0         7   430      0.0       6.1      15.4
TCP-FTP          13859      0.0         9    93      0.0       6.7       3.4
TCP-WWW        3537205      0.8        14  1021     12.2       3.7       9.7
TCP-SMTP           290      0.0       104   989      0.0       5.5       1.8
TCP-X                3      0.0         2    42      0.0       0.3       1.3
TCP-BGP             18      0.0         1    43      0.0       0.0      13.9
TCP-Frag           112      0.0        37    78      0.0      18.3      15.5
TCP-other       684674      0.1        12   831      2.0       6.4       7.0
UDP-DNS           1973      0.0         1    72      0.0       0.1      15.4
UDP-NTP            248      0.0         1    77      0.0       0.0      15.4
UDP-Frag             3      0.0         1    45      0.0       0.0      15.6
UDP-other        10247      0.0         1   210      0.0       0.8      15.4
ICMP             97640      0.0        19    83      0.4      18.6      15.4
GRE              20509      0.0      2598   150     12.4     165.6      14.5
Total:         4367505      1.0        26   593     27.2       5.2       9.4
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Tu0           10.aa.20.254    Fa0/0         10.bb.21.1      01 0000 0000    20
Tu0           10.cc.12.200    Fa0/0         10.bb.21.1      01 0000 0000    20
Tu0           10.dd.12.8      Fa0/0         10.bb.12.150    06 0D0A 0871   467
Tu0           10.ee.12.200    Fa0/0         10.bb.ee.140    06 0A23 01BD     1
Tu0           10.ff.12.150    Fa0/0         10.bb.ee.130    06 048A 07DA     1
Tu0           10.gg.20.254    Fa0/0         10.bb.21.1      01 0000 0000    20
Tu0           10.hh.20.254    Fa0/0         10.bb.21.1      01 0000 0000    20
Tu0           10.ff.12.150    Fa0/0         10.bb.ee.11     06 048A 04A7     1
Tu0           10.oo.12.210    Fa0/0         10.bb.12.200    11 0035 EA0B     1
Tu1           203.151.20.17   Fa0/0         10.bb.50.200    06 0050 055D     5
Tu1           203.151.20.17   Fa0/0         10.bb.50.200    06 0050 055E    10

As you can see it includes statistics about the packet size distribution, the various protocols and amount of traffic for each protocol and then a summary listing of the traffic through the various interfaces on the router. In this case, the traffic is passing through a couple of encrypted tunnel interfaces. This is where things get interesting when troubleshooting traffic on a link. The first column is the source interface, then the source IP address. The third column is the destination interface followed by the destination IP address. The next 3 columns give some critical information about the traffic between the source and destination hosts. These values are all given in HEX. There is the protocol number (e.g. 01 - ICMP, 06 - TCP, 11 - UDP). See the protocol listing at IANA for more information on these numbers - remember to convert from HEX to decimal.

The next two columns are the source port and destination port pairing. These values are also in HEX. So, converting a value like 01BD to decimal gives 445, which indicates that the traffic is Microsoft DS according to the port number listing at IANA. Port 0035 (53 decimal) would be DNS traffic. Port 0050 (80 decimal) would be http traffic. Port 01BB (443 decimal) would be https. So, as you can see, lots of information is right there on the router and no sniffing is required to see what traffic is on your network.
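To turn the HEX columns above into something you can eyeball quickly, here is a small decoder (an added example, not from the original post) that parses the flow records shown above, converts the protocol and port columns to decimal and names the services the post lists. The EXPECTED allow list of (protocol, port) pairs is an assumption standing in for whatever your site considers normal WAN traffic.

```python
import re
from collections import namedtuple

# Protocol numbers named in the post (IANA assigned numbers, decimal).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}
# Service ports the post walks through, keyed by decimal port.
PORT_NAMES = {53: "dns", 80: "http", 135: "msrpc", 443: "https", 445: "microsoft-ds"}
# Constructed allow list (an assumption for this example): the (protocol, port)
# pairs this site expects to see crossing its WAN tunnels.
EXPECTED = {("TCP", 80), ("TCP", 443), ("TCP", 445), ("TCP", 135), ("UDP", 53)}

# Flow records taken from the post's own `show ip cache flow` output
# (the post anonymises octets with letters; the parser does not mind).
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Tu0           10.aa.20.254    Fa0/0         10.bb.21.1      01 0000 0000    20
Tu0           10.dd.12.8      Fa0/0         10.bb.12.150    06 0D0A 0871   467
Tu0           10.ee.12.200    Fa0/0         10.bb.ee.140    06 0A23 01BD     1
Tu0           10.ff.12.150    Fa0/0         10.bb.ee.130    06 048A 07DA     1
Tu0           10.oo.12.210    Fa0/0         10.bb.12.200    11 0035 EA0B     1
Tu1           203.151.20.17   Fa0/0         10.bb.50.200    06 0050 055D     5
"""

Flow = namedtuple("Flow", "src_if src_ip dst_if dst_ip proto src_port dst_port packets")

# A record: four text fields, 2-hex protocol, 4-hex source and destination
# ports, then a decimal packet count.  Header and statistics lines do not match.
FLOW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]{2})\s+"
    r"([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def proto_name(flow):
    return PROTO_NAMES.get(flow.proto, str(flow.proto))


def parse_flows(text):
    """Decode every flow record in the command output, HEX columns to integers."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            g = m.groups()
            flows.append(Flow(*g[:4], int(g[4], 16), int(g[5], 16), int(g[6], 16), int(g[7])))
    return flows


def service_name(flow):
    """Name the service by whichever side sits on a well-known port; checking
    the source port too labels replies, e.g. a DNS answer carries SrcP 0035."""
    for port in (flow.dst_port, flow.src_port):
        if port in PORT_NAMES:
            return PORT_NAMES[port]
    return "unknown"


def interesting_flows(flows):
    """Non-ICMP flows where neither endpoint is an expected (protocol, port)."""
    return [f for f in flows
            if proto_name(f) != "ICMP"
            and (proto_name(f), f.dst_port) not in EXPECTED
            and (proto_name(f), f.src_port) not in EXPECTED]


if __name__ == "__main__":
    for f in interesting_flows(parse_flows(SAMPLE)):
        print(f"{f.src_ip} -> {f.dst_ip} {proto_name(f)} {f.src_port}->{f.dst_port}"
              f" ({service_name(f)}, {f.packets} pkts)")
```

Run against the sample, only the two TCP flows on ports 2161 and 2010 come out as interesting; the ICMP, Microsoft DS, DNS reply and http flows are all accounted for.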

Once you find an “interesting” source and destination pair that concerns you, you might consider finding out what application is generating the traffic between that source / destination pair. This can be done unobtrusively using some of the excellent tools from the Microsoft/Sysinternals toolkit. For example, the following command will list the current tcp & udp connections on a remote computer (10.xx.50.81) - note that you must have administrative access to the remote computer to run this command (netstat is not a Sysinternals tool but is built into the Windows operating system):

psexec \\10.xx.50.81 netstat -ano

The output would look something like this:

PsExec v1.94 - Execute processes remotely
Copyright (C) 2001-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

Active Connections

Proto  Local Address          Foreign Address        State          PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING      852
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING      4
TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING      1748
TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING      1748
TCP    0.0.0.0:8085           0.0.0.0:0              LISTENING      1456
TCP    10.xx.50.81:139        0.0.0.0:0              LISTENING      4
TCP    10.xx.50.81:445        10.bb.50.64:1826       ESTABLISHED    4
TCP    10.xx.50.81:1221       10.xx.12.200:135       ESTABLISHED    608
TCP    10.xx.50.81:1222       10.xx.12.200:1026      ESTABLISHED    608
TCP    10.xx.50.81:1822       10.xx.50.241:8080      ESTABLISHED    3756
TCP    10.xx.50.81:1823       10.xx.50.241:8080      ESTABLISHED    3756
TCP    10.xx.50.81:1827       10.xx.50.241:8080      ESTABLISHED    3756
TCP    10.xx.50.81:1828       10.xx.50.241:8080      ESTABLISHED    3756
TCP    10.xx.50.81:1829       10.xx.50.241:8080      ESTABLISHED    3756
TCP    10.xx.50.81:1830       10.xx.50.241:8080      ESTABLISHED    3756
TCP    10.xx.50.81:1831       10.xx.50.241:8080      ESTABLISHED    3756
TCP    127.0.0.1:1068         0.0.0.0:0              LISTENING      2412
UDP    0.0.0.0:445            *:*                                   4
UDP    0.0.0.0:500            *:*                                   608

netstat exited on 10.xx.50.81 with error code 0.

So, these results show that the host has various tcp & udp connections in an established state. It shows the source and destination ports (again like the show ip cache flow results). The other very useful piece of information shown is the PID, or process identifier. This number matches a process running on the remote computer. So, to find out what the various running processes are and their PIDs, run the following command:

pslist \\10.xx.50.81

The results returned are like the following:

pslist v1.28 - Sysinternals PsList
Copyright (C) 2000-2004 Mark Russinovich
Sysinternals

Process information for 10.xx.50.81:

Name                 Pid  Pri  Thd   Hnd    Priv     CPU Time  Elapsed Time
Idle                   0    0    1     0       0  0:37:20.984   0:00:00.000
System                 4    8   67   316       0  0:00:48.343   0:00:00.000
smss                 464   11    3    21     164  0:00:00.015   4:43:15.698
csrss                528   13   15   545    2520  0:00:13.484   4:43:14.792
winlogon             552   13   19   524    9488  0:00:04.265   4:43:14.370
services             596    9   16   295    1876  0:00:04.281   4:43:14.183
lsass                608    9   20   428    4160  0:00:02.843   4:43:14.167
svchost              792    8   17   193    3284  0:00:00.796   4:43:13.667
svchost              852    8   10   371    2144  0:00:35.421   4:43:13.370
svchost              916    8   70  2092   16500  0:00:54.359   4:43:13.292
svchost              968    8    6    84    1596  0:00:00.921   4:43:13.245
svchost              992    8   15   292    3044  0:00:00.843   4:43:12.714
spoolsv             1196    8   12   142    3492  0:00:00.296   4:43:12.277
stormliv            1324    8    9   163    4952  0:00:08.343   4:43:04.339
EngineServer        1444    8    3    35     576  0:00:00.078   4:43:03.995
FrameworkService    1456    8   21   356   20632  0:00:37.203   4:43:03.573
VsTskMgr            1504    8   19   243    7128  0:00:29.578   4:43:02.714
MDM                 1556    8    4    86    1092  0:00:00.140   4:43:02.495
mfevtps             1580    8    6   126    6848  0:00:02.609   4:43:02.370
ArchivingORBService 1636    8    4    88    3304  0:00:15.031   4:43:01.964
svchost             1696    8    5   118    2608  0:00:00.453   4:43:01.777
CcmExec             1836    8   13   810   14688  0:00:12.796   4:43:01.214
Mcshield            1880   13   26   182   45316  0:02:15.078   4:42:59.464
naPrdMgr            1964    8    6   130  208448  0:01:05.328   4:42:57.902
mfeann              1968    8    8   151    2264  0:00:01.625   4:42:57.855
alg                 2412    8    5   102    1256  0:00:00.109   4:42:17.303
wmiprvse            2876    8    4   140    4132  0:00:00.781   4:42:09.979
wmiprvse            2660    8    7   146    1996  0:00:00.828   4:39:42.549
explorer            3676    8   12   442   17392  0:01:01.828   3:59:34.124
hkcmd               4092    8    2    86     896  0:00:00.140   3:59:30.406
igfxpers             816    8    3    93     868  0:00:00.078   3:59:30.343
UdaterUI            3388    8    5   115    1648  0:00:00.859   3:59:27.390
shstat              3252    8   10    98    2160  0:00:00.812   3:59:27.093
ctfmon              3968    8    1    67     984  0:00:00.156   3:59:25.828

Then, if we need to remotely stop a running process that we consider suspicious or “interesting”, issue the following command:

pskill \\10.xx.50.81 3968

Note that you can use either the PID or the name of the process; however, you should use the PID if there are multiple instances of the application running.

The results of the command, if successful, should look like:

PsKill v1.12 - Terminates processes on local or remote systems
Copyright (C) 1999-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

Process 3968 on 10.xx.50.81 killed.

This procedure has become very useful for dealing with rogue processes (malware) on remote computers when there is no other way to disable the system or application. You can also issue a psshutdown command in a similar fashion, but the user may simply restart the machine, and then you will have to shut down the rogue application again. There are lots of ways to handle this situation, including shutting down the LAN switch port if you have that access and privilege.
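The netstat, pslist and pskill steps above can be tied together by joining the two outputs on PID, so each socket row shows the process that owns it. The following script is an added example rather than the post's own code; it parses a subset of the two outputs shown above and reports PIDs that hold sockets but are absent from the pslist snapshot (the marker string and function names are my own).

```python
import re
from collections import namedtuple

# Rows taken from the post's `psexec \\10.xx.50.81 netstat -ano` output (a
# subset; the banner and footer lines are kept to show they are ignored).
NETSTAT_OUTPUT = """\
PsExec v1.94 - Execute processes remotely
Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 852
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING 1748
TCP 10.xx.50.81:445 10.bb.50.64:1826 ESTABLISHED 4
TCP 10.xx.50.81:1221 10.xx.12.200:135 ESTABLISHED 608
TCP 10.xx.50.81:1822 10.xx.50.241:8080 ESTABLISHED 3756
TCP 127.0.0.1:1068 0.0.0.0:0 LISTENING 2412
UDP 0.0.0.0:500 *:* 608
netstat exited on 10.xx.50.81 with error code 0.
"""

# Rows taken from the post's `pslist \\10.xx.50.81` output (a subset).
PSLIST_OUTPUT = """\
Process information for 10.xx.50.81:

Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
System 4 8 67 316 0 0:00:48.343 0:00:00.000
lsass 608 9 20 428 4160 0:00:02.843 4:43:14.167
svchost 852 8 10 371 2144 0:00:35.421 4:43:13.370
alg 2412 8 5 102 1256 0:00:00.109 4:42:17.303
ctfmon 3968 8 1 67 984 0:00:00.156 3:59:25.828
"""

Conn = namedtuple("Conn", "proto local foreign state pid")
# netstat -ano row: protocol, local, foreign, optional State (UDP has none), PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# pslist row: name, PID, four more integer columns, two h:mm:ss.fff times.
PSLIST_RE = re.compile(r"^\s*(\S+)\s+(\d+)(?:\s+\d+){4}\s+[\d:.]+\s+[\d:.]+\s*$")


def parse_netstat(text):
    """One Conn per TCP/UDP row; banner, header and footer lines do not match."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            conns.append(Conn(proto, local, foreign, state or "", int(pid)))
    return conns


def parse_pslist(text):
    """Map PID -> process name from pslist output."""
    return {int(m.group(2)): m.group(1)
            for m in map(PSLIST_RE.match, text.splitlines()) if m}


def report(netstat_text, pslist_text):
    """(proto, local, foreign, state, pid, owner) for every socket row.  The two
    commands run seconds apart, so a PID missing from pslist may be a process
    that has already exited; one that keeps holding sockets deserves a closer look."""
    procs = parse_pslist(pslist_text)
    return [(*c, procs.get(c.pid, "<not in pslist>")) for c in parse_netstat(netstat_text)]


def unowned_pids(netstat_text, pslist_text):
    """Sorted PIDs that hold sockets but have no process in the pslist snapshot."""
    procs = parse_pslist(pslist_text)
    return sorted({c.pid for c in parse_netstat(netstat_text) if c.pid not in procs})
```

On the sample data, `unowned_pids` returns 1748 and 3756, which is the cue to re-run pslist (or check the host directly) before deciding whether anything needs a pskill.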

Let me know what processes you go through when managing remote systems where you may have limited physical access. Good luck out there and let’s be good network citizens!


Jan 6 2009   4:45PM GMT

Swiss-army knife for public network testing



Posted by: Troy Tate
toolkit, tools, testing, connectivity testing, website, dns, ping, tracert, icmp, tcp, udp, public network, ssh, SSL, cryptography, crypto, crypto testing, hash, typosquatting

Sometimes it is necessary to test connectivity outside of your private company network. There are several resources I use. I will share a couple of those with you in this posting.

One of my favorite and most frequently used sites is Network-Tools. This website allows you to test Traceroute, Ping, Domain Name Server (DNS) lookup, Whois, and DNS record lookups. It is an excellent resource, like DNSTools or DNSStuff.

Another site with useful public internet testing tools is Serversniff.net. You can use this site to perform TCP pings rather than the standard ICMP pings. There is also a step-ping test, which sends pings of increasing packet size to see whether there is a bottleneck somewhere before the tested host. There are lots of other tools available on this website. I recommend you check it out and see which offer value to you in your support activities.

Unfortunately, these tools only work from the public internet. You will not be able to test hosts on your private network, but hey, shouldn’t you already have some other testing tools in your toolbag for the private network? I’m sure I will describe more tools as the year moves on.

Thanks for reading & let’s practice safe networking out there! Please feel free to leave comments for other readers so they can adequately support their networks.


Dec 22 2008   7:20PM GMT

Improving yourself in 2009 - part 2



Posted by: Troy Tate
administration, planning, tools, reporting, CIO, performance monitoring, Performance, howto, Metrics, blog, education, toolkit, professional

Maybe Bubbletimer, mentioned in part 1, is not something that will help improve your professional value in 2009. How about the Printable CEO series then? The tools David Seah offers on his blog seem like great resources for tracking your goals, tasks and time. Sometimes those we work for wonder what all we do in our positions, and we sometimes have to prove our worth to the organizations that pay us. The “When is something worth doing?” tool that David outlines may help you improve your decision making and therefore your professional value.

What other professional development and/or tracking tools do you use in your job?  Please leave some feedback and let me know what you use or if this Printable CEO made a difference in your job.


Dec 10 2008   2:41PM GMT

Did you see this? - Microsoft Infrastructure Planning & Design Guides



Posted by: Troy Tate
administration, planning, tools, Microsoft Windows, documentation, IT education, design, Microsoft, howto, awareness, education, toolkit

Microsoft has become much better offering documentation beyond just marketing materials about their products and systems. The Infrastructure Planning and Design (IPD) guides are the next version of Windows Server System Reference Architecture. The guides in this series help clarify and streamline design processes for Microsoft infrastructure technologies, with each guide addressing a unique infrastructure technology or scenario.

The guides available include:

  • Exchange Online—Evaluating Software-plus-Services
  • Microsoft System Center Configuration Manager 2007 SP1 with R2
  • Microsoft Application Virtualization 4.5
  • Windows Server 2008 File Services
  • Windows Server 2008 Print Services
  • Infrastructure Planning and Design Series Introduction
  • Internet Information Services 7.0
  • Selecting the Right NAP Architecture
  • Selecting the Right Virtualization Technology
  • System Center Operations Manager 2007
  • System Center Virtual Machine Manager 2008
  • Windows Deployment Services
  • Windows Server 2008 Active Directory Domain Services
  • Windows Server 2008 Terminal Services
  • Windows Server Virtualization (for Windows Server 2008 Hyper-V and Virtual Server 2005 R2 SP1)

As you see, there is a lot of information here to absorb and make use of in your environment. I’m going to be checking out the System Center Operations Manager 2007 implementation guide. It’s gonna be an interesting ride, but at least Microsoft is offering some free support assistance in the planning and design phase.

Try some of these guides out. Share with us your thoughts and how effective the guides were in helping your organization meet operational demands.


Dec 3 2008   8:58PM GMT

Did you see this? - Windows Powershell Scriptomatic tool



Posted by: Troy Tate
administration, tools, Microsoft Windows, reporting, Microsoft, Powershell, policy enforcement, toolkit

Scriptomatic is a new utility that writes Windows PowerShell scripts that harness the power of WMI (Windows Management Instrumentation) for use in system management and administration. This tool was created by Microsoft consultant and author Ed Wilson.


Windows PowerShell Scriptomatic