Tanium – Update and Throttling

Posted by robd on February 08, 2024
Tanium / No Comments

Hi All,

It's been a while since my last post but I've been doing some interesting work with a new product we've bought called Tanium (no one has sponsored this post, or any of my posts to date).

It's essentially a cloud tool to manage your end user devices (especially brilliant for all the staff who work at home).  It patches Office and Windows, rolls out software, has a self service portal so users can install software themselves, checks for vulnerabilities etc.

I’m honestly really impressed with it, much lower overheads than SCCM and easier to deploy software than endpoint manager (intune).

So what’s this blog post all about.  Well we have had one or two teething issues after deploying this software to several thousand devices.

Issue 1:

Software is super slow to download to clients.  Well after tinkering around for a while I discovered Bandwidth throttles on the cloud console.

This was set at 45Mbps and concurrent connections at 300, meaning each client gets 0.15Mbps if all the connections are at max bandwidth.  Well, for several thousand clients this would not do:

So after emailing support, we’re currently testing:

800Mbps and 1600 connections, meaning the bandwidth is 0.5 Mbps per connection if all connections use the maximum bandwidth.

So far this has made a huge difference!!  Worth a look if you’re getting sluggish downloads.

Issue 2:

Some clients were not getting the self service portal.

So in my naivety I presumed Tanium self updated; turns out this is not the case and, as you'd expect, new updates for the client come out regularly. So after being quite far behind we set up the client update process.  Here's how:

In the cloud console, go to:  Shared Services > Tanium Client Management > Tanium Client Upgrades

Click Create Client Upgrade:

Now there are a few options:

I did this twice, once for servers and once for clients, just in case in the future we needed a different version on servers than clients etc.

The deployment is pretty self explanatory:

Name: give it a name

Client Version: If you choose latest, then the client is always going to be up to date, I appreciate some companies might not be able to do this so you may have to choose a version. I went with always up to date.

Targets – choose who to deploy to; I went with All Workstations for my clients and All Servers for my servers.

Check the deployment schedule is Ongoing and click preview and go:


Job done.


Domain Trust and AD Groups

Posted by robd on April 26, 2023
powershell / No Comments

The company I work for is much like the Borg where they like to assimilate new companies.

Part of this assimilation often involves a domain trust and adding users from one domain to a second domain's AD groups to gain access to permissions in Domain 2.

This is really useful if you're giving a user a laptop on domain 1 but they need access to files on domain 2.


My Mate Handsom Dave came up with this script to:

Compare users from Domain 1 and Domain 2 on display name (username didn't match),

Get the Domain 2 groups,

Look at domain 2 groups members,

If they exist in domain 1 then add those people into the group in Domain 2.

Remember: The AD groups need to be Domain Local.


#Get the users from domain 1 and domain 2 (only the Name property is compared below)
$domain1 = Get-ADUser -Filter * -Server dc01.domain1.com
$domain2 = Get-ADUser -Filter * -Server dc02.domain2.net

#Compare the users on display name (not username, as they didn't match)
$usercompare = Compare-Object -ReferenceObject $domain1.Name -DifferenceObject $domain2.Name -IncludeEqual

#Keep only the names that exist in both domains
$inboth = ($usercompare | Where-Object { $_.SideIndicator -eq "==" }).InputObject

#In Domain 2 get all the AD groups that start with ACL_ (these must be Domain Local)
$domain2groups = Get-ADGroup -Filter { Name -like "ACL_*" } -Server dc02.domain2.net

#Here we go
foreach ($group in $domain2groups)
{
    #get the members of the ACL group in domain 2
    $domain2groupmembers = Get-ADGroupMember -Identity $group -Server dc02.domain2.net

    foreach ($groupmember in $domain2groupmembers)
    {
        #only act on members whose name also exists in domain 1
        if ($inboth -notcontains $groupmember.Name) { continue }

        #look up the matching domain 1 account by name; the name goes into a plain variable
        #first (with any apostrophe doubled) because the AD filter cannot expand $groupmember.Name
        $name = $groupmember.Name -replace "'", "''"
        $domain1userobject = Get-ADUser -Filter "Name -eq '$name'" -Server dc01.domain1.com

        if ($null -eq $domain1userobject) { continue }

        #add that domain 1 person to the domain 2 AD group (drop -WhatIf to actually apply the change)
        Add-ADGroupMember -Identity $group -Members $domain1userobject -Server dc02.domain2.net -WhatIf
    }
}


Take Ownership of paths from PowerShell

Posted by robd on April 25, 2023
powershell / No Comments

Hello,

Had a requirement to take ownership of a long list of Windows file paths, which were conveniently in a csv file like this:

path

\\domain.local\site\users\User.Name\

So I used the following PowerShell and NTFSSecurity module.

#Install the module first (run PowerShell as Admin), then import it
#Install-Module -Name NTFSSecurity
Import-Module NTFSSecurity

#Fill out the csv with all the paths you want to change (one column called 'path')
Import-Csv "C:\Temp\scripts\permissions.csv" |
    ForEach-Object {
        #Grant the admin account full control first, then make it the owner
        Add-NTFSAccess -Path $_.path -Account admin@domain.com -AccessRights FullControl
        Set-NTFSOwner -Path $_.path -Account admin@domain.com
    }


Azure – Restore a VM from your Az Recovery Services Vault

Posted by robd on September 09, 2022
Azure, powershell / No Comments

Hello,

More DR stuff for me, I needed to restore a VM from Recovery Vault, here's how I did it:

Open PowerShell and connect to Azure:

Connect-AzAccount

Let's get started. As before, there's lots to change so READ it carefully:

#Find your vault and resource group, CHANGE FOR YOUR ENVIRONMENT
$vault = Get-AzRecoveryServicesVault -Name "LinuxVault" -ResourceGroupName "LinuxRG"
Set-AzRecoveryServicesAsrVaultContext -Vault $vault

#Set the fabric of your vault, CHANGE FOR YOUR ENVIRONMENT
$PrimaryFabric = Get-AzRecoveryServicesAsrFabric -Name asr-a2a-default-northeurope

#Set these
$PrimaryProtContainer = Get-AzRecoveryServicesAsrProtectionContainer -Fabric $PrimaryFabric -Name "asr-a2a-default-northeurope-container"

#Set your network, CHANGE FOR YOUR ENVIRONMENT
$TFOVNet = Get-AzVirtualNetwork -Name uks-kil-dr-test-vnet
$TFONetwork = $TFOVNet.Id

#The protected VMs to test failover, CHANGE FOR YOUR ENVIRONMENT
$vmNames = "Linux-Server-1", "Linux-Server-2", "Linux-Server-3", "Linux-Server-4", "DC-Server-1"

#Here we get each VM and start the recovery; the jobs are collected so you can check on them afterwards
$TFOJobs = foreach ($vmName in $vmNames) {
    $ReplicationProtectedItem = Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $PrimaryProtContainer -FriendlyName $vmName
    Start-AzRecoveryServicesAsrTestFailoverJob -ReplicationProtectedItem $ReplicationProtectedItem -AzureVMNetworkId $TFONetwork -Direction PrimaryToRecovery
}


Once you're done with your restored VMs you should clean up your work if you need to (I was using them to test DR so wanted to delete them after):

#Get the VMs you cloned and bin them off, CHANGE the VM names FOR YOUR ENVIRONMENT
$vmNames = "Linux-Server-1", "Linux-Server-2", "Linux-Server-3", "Linux-Server-4", "DC-Server-1"

$TFOCleanupJobs = foreach ($vmName in $vmNames) {
    $ReplicationProtectedItem = Get-AzRecoveryServicesAsrReplicationProtectedItem -ProtectionContainer $PrimaryProtContainer -FriendlyName $vmName
    Start-AzRecoveryServicesAsrTestFailoverCleanupJob -ReplicationProtectedItem $ReplicationProtectedItem
}


Azure – Clone a VM from a Snapshot

Posted by robd on September 09, 2022
Azure, powershell / No Comments

Hello,

So something fun I’ve been working on recently is cloning a Linux Azure VM from a snapshot, for my case so I can test it for DR.

To do this you basically need to:

  1. Create a vnet for the clone if you need to (I reference it in the script)
  2. Create a snapshot of the VM
  3. Create a managed disk for the snapshot
  4. Create a VM with different name using the managed disk
  5. If needed rename the VM on the OS level to match the VM name.

Or you could use some PowerShell:

First open PowerShell and run:

Connect-AzAccount

Then you need to change some of the below (look for “CHANGE THIS FOR YOUR ENVIRONMENT”):

#Existing virtual network where the new virtual machine will be created, CHANGE THIS FOR YOUR ENVIRONMENT
$virtualNetworkName = 'uks-dr-test-vnet'

#Resource group of the VM to be cloned from, and the one for the clone, CHANGE THIS FOR YOUR ENVIRONMENT
$oldresourceGroupName = 'UKS-VM1-DR'
$newresourceGroupName = 'UKS-VM1-DR-TEST'

#Region where the managed disks will be created, CHANGE THIS FOR YOUR ENVIRONMENT
$location = 'UK South'

#Names of source and target (new) VMs, CHANGE THIS FOR YOUR ENVIRONMENT
$sourceVirtualMachineName = 'Linux-VM1'
$targetVirtualMachineName = 'Linux-VM1-DR'

#Set the subscription for the current session where the commands will execute, CHANGE THIS FOR YOUR ENVIRONMENT
Select-AzSubscription -SubscriptionId '111111111-1111-1111-1111-111111111111'

#Get the existing VM to clone from
$sourceVirtualMachine = Get-AzVM -ResourceGroupName $oldresourceGroupName -Name $sourceVirtualMachineName

#Keep track of the snapshots this script creates so only those get removed at the end
$createdSnapshots = @()

#Create a new snapshot of the OS disk
$osdisk = Get-AzDisk -DiskName $sourceVirtualMachine.StorageProfile.OsDisk.Name
$snapshotconfig = New-AzSnapshotConfig -SourceResourceId $osdisk.Id -Location $osdisk.Location -CreateOption Copy
$snapshot = New-AzSnapshot -Snapshot $snapshotconfig -SnapshotName "$($osdisk.Name)-snapshot" -ResourceGroupName $oldresourceGroupName
$createdSnapshots += $snapshot

#Create a new OS managed disk from the snapshot
$diskconfig = New-AzDiskConfig -SkuName $osdisk.Sku.Name -DiskSizeGB $osdisk.DiskSizeGB -Location $location -CreateOption Copy -SourceResourceId $snapshot.Id
$newosdisk = New-AzDisk -Disk $diskconfig -ResourceGroupName $newresourceGroupName -DiskName "$($osdisk.Name)-DR"

#Initialise the virtual machine configuration with the same size as the source
$targetVirtualMachine = New-AzVMConfig -VMName $targetVirtualMachineName -VMSize $sourceVirtualMachine.HardwareProfile.VmSize

#Attach the managed OS disk to the target VM. The OS type switch depends on what is on the disk (-Windows or -Linux)
$targetVirtualMachine = Set-AzVMOSDisk -VM $targetVirtualMachine -ManagedDiskId $newosdisk.Id -CreateOption Attach -Linux

#Snapshot and copy each data disk, keeping the same LUN on the clone
foreach ($sourceDataDisk in $sourceVirtualMachine.StorageProfile.DataDisks) {
    $datadisk = Get-AzDisk -DiskName $sourceDataDisk.Name
    $snapshotconfig = New-AzSnapshotConfig -SourceResourceId $datadisk.Id -Location $datadisk.Location -CreateOption Copy
    $snapshot = New-AzSnapshot -Snapshot $snapshotconfig -SnapshotName "$($datadisk.Name)_snapshot" -ResourceGroupName $oldresourceGroupName
    $createdSnapshots += $snapshot

    #Create a new managed data disk from the snapshot and attach it
    $diskconfig = New-AzDiskConfig -SkuName $datadisk.Sku.Name -DiskSizeGB $datadisk.DiskSizeGB -Location $location -CreateOption Copy -SourceResourceId $snapshot.Id
    $newdatadisk = New-AzDisk -Disk $diskconfig -ResourceGroupName $newresourceGroupName -DiskName "$($datadisk.Name)-dr"
    $targetVirtualMachine = Add-AzVMDataDisk -VM $targetVirtualMachine -ManagedDiskId $newdatadisk.Id -Lun $sourceDataDisk.Lun -CreateOption Attach
}

#Get the virtual network and subnet for the clone, CHANGE THIS FOR YOUR ENVIRONMENT
$vnet = Get-AzVirtualNetwork -Name $virtualNetworkName
$subnetid = ($vnet.Subnets | Where-Object { $_.Name -like "DR_Sunet" }).Id

#Create the network interface for the VM with a static private IP, CHANGE THIS FOR YOUR ENVIRONMENT
$nic = New-AzNetworkInterface -Name ($targetVirtualMachineName.ToLower() + '_nic') -ResourceGroupName $newresourceGroupName -Location $location -SubnetId $subnetid -PrivateIpAddress 172.45.1.252
$targetVirtualMachine = Add-AzVMNetworkInterface -VM $targetVirtualMachine -Id $nic.Id

#Create the virtual machine with the managed disks attached
New-AzVM -VM $targetVirtualMachine -ResourceGroupName $newresourceGroupName -Location $location

#Remove only the snapshots created above (not every snapshot in the resource group)
$createdSnapshots | Remove-AzSnapshot -Force

This chap does something similar too:

https://www.techmanyu.com/how-to-quickly-clone-a-vm-in-azure-c5299ff82496


Microsoft Edge Printing PDFs

Posted by robd on June 07, 2022
Windows 10 / No Comments

When a user prints a PDF from Microsoft Edge the following would appear:

“Check Your Printer and try again. Printing Failed.”

The fix for us was to disable Use System Print Dialog and push out this registry change to users:

Windows Registry Settings
  • Path (Mandatory): HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Edge
  • Value Name: UseSystemPrintDialog
  • Value Type: REG_DWORD
  • Value: 0x00000000

Microsoft Edge Browser Policy Documentation | Microsoft Docs

We used Ivanti to roll out the changes:


Ubuntu Joining the Domain

Posted by robd on May 04, 2022
Linux / No Comments

Hello,

I had to join an Ubuntu server to a Windows domain recently, here's what I did, the # are just annotated notes:

#Update the /etc/hosts file so 127.0.0.1 resolves to the hostname
sudo vi /etc/hosts
127.0.0.1 UbuntuServer.domain.com UbuntuServer


#Install the packages
sudo apt-get update
sudo apt-get install krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli

#Update NTP for domain time
sudo vi /etc/ntp.conf

#In the ntp.conf file, create a line and add the following:
server domain.com
# I also removed all the other NTP servers


#stop and start ntp and we are golden
sudo systemctl stop ntp
sudo ntpdate domain.com
sudo systemctl start ntp


#Discover the fookin domain (Case SeNsItIvE)
sudo realm discover DOMAIN.COM
#should see the domain


#Initialise Kerberos (Case SeNsItIvE) use your own frickin username
kinit -V admin@DOMAIN.COM
#chuck in your password


#join the muther fuzin domain baby, you have a choice here: if your server can reach all the DCs in your domain then use the first command, if it can't then you have to specify one:
#1
#sudo realm join --verbose DOMAIN.COM -U admin@DOMAIN.COM --install=/
#2
sudo realm join --verbose -U admin@DOMAIN.COM dc01.DOMAIN.COM --install=/


#comment out the use fully qualified names line (so users log in as 'user' rather than 'user@domain.com')
sudo vi /etc/sssd/sssd.conf
# use_fully_qualified_names = True

#restart sssd
sudo systemctl restart sssd

#enable the user to create a home directory on first login
sudo vi /etc/pam.d/common-session
#place the following under the line that contains session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

#test
id admin@DOMAIN.COM

#visudo bitches (this gives the whole Domain Admins group passwordless sudo)
sudo visudo -f /etc/sudoers
%Domain\ Admins ALL=(ALL) NOPASSWD:ALL


#change the domains so we can login: the realm block goes under [realms] and the mapping under [domain_realm]
sudo vi /etc/krb5.conf

        DOMAIN.COM = {
                kdc = dc01.domain.com
                kdc = dc02.domain.com
                admin_server = admin.domain.com
        }

.domain.com = DOMAIN.COM

#allow these groups to ssh in
sudo realm permit -g 'Domain Admins'
sudo realm permit -g 'Tronstride Servers Local Admins'


#troubleshoot
tail -f /var/log/auth.log


Cisco ISE – Live Logs Broken

Posted by robd on February 24, 2022
Cisco / 5 Comments

Hello,

After upgrading to Cisco ISE 3.0 and updating some certs we noticed the Radius Live Logs broke:

So to fix, I changed certs and rebooted nodes and basically spent hours trying everything.

I didn't get anywhere so I raised a Cisco TAC case and they fixed it by doing the following (which took two seconds), they un-checked:


VMware vRops Azure error

Posted by robd on February 23, 2022
vmware / No Comments

So we’ve been getting a very annoying error when trying to monitor Azure with vrops:

“Unable to establish a valid connection to the target system. javax.net.ssl.SSLHandshakeException: General SSLEngine problem”


vrops error

I found this article that states how to fix it, which gave me a clue but didn't actually fix the problem:

https://kb.vmware.com/s/article/50122228

Basically the certs for Azure had expired so it couldn’t check the status.

The fix for me was to download all the new Azure Certs:

https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes

azure certs

Convert them to pem files:

https://cheapsslsecurity.com/p/convert-a-certificate-to-pem-crt-to-pem-cer-to-pem-der-to-pem/

Now upload the pem files to vrops:

/usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/


Now ssh to vrops and get the keystore password:

cd /storage/vcops/user/conf/ssl/

keytool -list -keystore tcserver.truststore

and finally import your pem files:

cd /storage/vcops/user/conf/ssl/
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem -alias azure1 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem -alias azure2 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/D-TRUST_Root_Class_3_CA_2_2009.pem -alias azure3 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/BaltimoreCyberTrustRoot.pem -alias azure4 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/DigiCertGlobalRootCA.pem -alias azure5 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/DigiCertGlobalRootG2.pem -alias azure6 -keystore tcserver.truststore


ISATAP – Direct Access Manage Out

Posted by robd on January 14, 2022
Direct Access / No Comments

I was working with Direct Access recently and the manage out function. The idea is that servers on premises can communicate with Direct Access clients on the internet, who are using an IPv6 over IPv4 protocol.

For example, it’s great when you want to manage SCCM clients who are not in the office.

To do this you need an ISATAP server that sits in between the Direct Access servers and the internal servers. I like to think of ISATAP as a DHCP/DNS-like server that gives out IPv6 addresses to internal servers, which in turn allows them to query IPv6 clients.

I'm going to presume you've set up Direct Access and ISATAP and at some point it was all working (if anyone wants a guide on setting up ISATAP, just shout). Now, for whatever reason, you cannot resolve IPv6 clients!!

  • Logon to your Direct Access (DA) server, pick a client and check you can ping it, it should return an IPv6 address.
  • ping
  • Logon to your ISATAP server and ping the same client. If it works then great, the issue is not between DA and ISATAP; if not then it's time to check your connectivity (firewall and routes) between the two servers.
  • Logon to a server that is using the ISATAP server and ping the same client, in my case this did not work.
  • So first check the interface on the server: ipconfig /all

This is bad.  If it's fe80 it means Windows has assigned an IP itself (a link-local address) and not had an address assigned from ISATAP, a bit like an APIPA address.

  • You can disable and enable ISATAP on the server to check if it changes to fe70
netsh int ipv6 isatap set state disable

netsh int ipv6 isatap set state enable
  • Moving back to the ISATAP server, there are basically two things to check, the interface and the routes
  • First check the interface and its idx number:
netsh Int ipv6 show int
  • In my case I know the interface I configured when I set up the server was IDX 6 whereas below it shows IDX 9, this means that something has changed, potentially a VMware hardware update.

  • As the interface has changed that means the interface settings have been lost along with the static routes, so let's add them again:
    • First on the NIC, add forwarding:
netsh Int ipv6 set int 12 forwarding = enabled

    • Then on the ISATAP Interface
netsh Int ipv6 set int 9 advertise = enabled
netsh Int ipv6 set int 9 forwarding = enabled

  • Next check the routes for the interface, the magic route is missing
netsh int ipv6 show route

  • Add it back
netsh interface ipv6 add route fd07:4444:4444:1::/64 9 publish=yes

  • Finally check the server again

  • YAY!!!
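As an added example (my own code, not from the original post), here is a PowerShell function that runs the three checks above in one go on a given interface: whether it only has a self-assigned fe80 link-local address or also one from the advertised prefix, whether forwarding and advertising are enabled, and whether the published route is present. The interface index 9 and prefix fd07:4444:4444:1::/64 in the usage line are the values from the post; the function name is my own and it assumes a /64 written with literal hextets.

```powershell
# Added example, not from the original post. Checks an ISATAP interface the way the
# manual netsh/ipconfig steps above do, using the built-in NetTCPIP cmdlets.
# Run it on the ISATAP server (forwarding/advertising/route) or on a server that
# uses ISATAP (address from the prefix versus link-local only).
function Test-IsatapInterface {
    param(
        [Parameter(Mandatory)][int]$InterfaceIndex,   # idx from 'netsh int ipv6 show int'
        [Parameter(Mandatory)][string]$Prefix         # the advertised /64, e.g. 'fd07:4444:4444:1::/64'
    )

    # Every address in the /64 starts with the first four hextets of the prefix
    # (assumes the prefix is written out, not zero-compressed before the ::)
    $prefixHead = ($Prefix -split '/')[0].TrimEnd(':')

    $iface = Get-NetIPInterface -AddressFamily IPv6 -InterfaceIndex $InterfaceIndex
    $addrs = @(Get-NetIPAddress -AddressFamily IPv6 -InterfaceIndex $InterfaceIndex -ErrorAction SilentlyContinue)

    # fe80: addresses are self-assigned link-local (the "bad" case in the post);
    # a working ISATAP interface also carries one from the advertised prefix
    $nonLinkLocal  = @($addrs | Where-Object { $_.IPAddress -notlike 'fe80:*' })
    $fromPrefix    = @($addrs | Where-Object { $_.IPAddress -like "$prefixHead`:*" })

    # The "magic route": the prefix on this interface, published to clients
    $route = Get-NetRoute -AddressFamily IPv6 -InterfaceIndex $InterfaceIndex -ErrorAction SilentlyContinue |
             Where-Object { $_.DestinationPrefix -eq $Prefix }

    [pscustomobject]@{
        InterfaceAlias  = $iface.InterfaceAlias
        LinkLocalOnly   = ($nonLinkLocal.Count -eq 0)
        PrefixAddresses = @($fromPrefix.IPAddress)
        Forwarding      = $iface.Forwarding
        Advertising     = $iface.Advertising
        RoutePresent    = ($null -ne $route)
        RoutePublished  = ($route.Publish -eq 'Yes')
    }
}

# Usage with the values from the post (adjust the index for your server):
Test-IsatapInterface -InterfaceIndex 9 -Prefix 'fd07:4444:4444:1::/64'
```

A healthy ISATAP server shows LinkLocalOnly False, Forwarding and Advertising Enabled, and RoutePresent and RoutePublished True; a client-side server only needs LinkLocalOnly False with an address listed under PrefixAddresses.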
