August 25

SMS 2003 and GPO: "Bypass Traverse Checking" rights

Ever heard of the "Bypass Traverse Checking" GPO Policy? I'm not going to talk about what it is or does, but Mark Russinovich wrote a good article about it.
 
Consulting on SMS 2003 SP 2 in the UK, I came across a not-so-well-documented part of SMS functionality. What's wrong when all SMS components are 'green', but some machines cannot download software while others already did or still can? The probable cause would be that the "SMS-Policy" can't be downloaded (any more). If you get into a situation that has these symptoms:
 
Console: Not all advertisement statuses are shown on central and child sites.
 
SMS client - Execman.log: On the latest machines (no packages received) there are 5 lines in SMSTRACE:
 
Software Distribution Site Settings for the client are missing from WMI. execmgr 14-8-2006 12:13:55 2668 (0x0A6C)
Software Distribution Site Settings for the client are missing from WMI. execmgr 14-8-2006 12:15:30 3056 (0x0BF0)
Software Distribution Site Settings for the client are missing from WMI. execmgr 14-8-2006 12:15:30 3056 (0x0BF0)
Software Distribution Site Settings for the client are missing from WMI. execmgr 14-8-2006 12:15:30 3056 (0x0BF0)
Software distribution agent was enabled execmgr 14-8-2006 12:17:50 2928 (0x0B70)
 
SMS Client - Execman.log: Older machines: Execman logging seems to be stopped for no particular reason
 
On the Management Point (MP) server, check the IIS logs under %systemroot%\system32\LogFiles\W3SVC1.
There are multiple lines coming from SMS client IP addresses:
 
BITS_POST /CCM_Incoming/{HEX STRING} (bits_error:{HEX STRING},403,0x80200023) 403 Microsoft+BITS/6.5 403 0 64
 
If this is even partially the case, please check the local GPO for "Bypass Traverse Checking". The following objects should be named: Administrators, Authenticated Users, Everyone. Then you need to restart the IIS service (IISreset.exe). For more information check this obscure KB article 899715 about problems with uploading inventory data.
 
But it got the job done!
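
The two checks described above, as an added example that is not part of the original post: it tallies the BITS_POST 403 rejections on /CCM_Incoming/ per client in an IIS W3C log, and reports which of the three required principals are missing from the "Bypass Traverse Checking" right (SeChangeNotifyPrivilege) in a `secedit /export /cfg <file> /areas USER_RIGHTS` dump. The log field layout, IP addresses and both sample inputs are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of an MP's IIS W3C log; the #Fields layout is an assumption.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-08-14 12:13:55 BITS_POST /CCM_Incoming/{PLACEHOLDER-1} (bits_error:{PLACEHOLDER-2},403,0x80200023) 192.0.2.21 Microsoft+BITS/6.5 403 0 64
2006-08-14 12:14:02 GET /iisstart.htm - 192.0.2.21 Mozilla/4.0 200 0 0
2006-08-14 12:15:30 BITS_POST /CCM_Incoming/{PLACEHOLDER-3} (bits_error:{PLACEHOLDER-4},403,0x80200023) 192.0.2.21 Microsoft+BITS/6.5 403 0 64
2006-08-14 12:15:31 BITS_POST /CCM_Incoming/{PLACEHOLDER-5} - 192.0.2.34 Microsoft+BITS/6.5 200 0 0
2006-08-14 12:17:50 BITS_POST /CCM_Incoming/{PLACEHOLDER-6} (bits_error:{PLACEHOLDER-7},403,0x80200023) 192.0.2.47 Microsoft+BITS/6.5 403 0 64
"""

# Constructed sample of the [Privilege Rights] section of a secedit export.
SAMPLE_SECEDIT_EXPORT = """\
[Privilege Rights]
SeChangeNotifyPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeShutdownPrivilege = *S-1-5-32-544
"""

# Well-known SIDs of the three principals the post says must hold the right.
REQUIRED = {"S-1-5-32-544": "Administrators",
            "S-1-5-11": "Authenticated Users",
            "S-1-1-0": "Everyone"}

def rejected_uploads(log_text):
    """Count BITS_POST requests to /CCM_Incoming/ answered with 403, per client IP."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):      # column names can change mid-file
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if (row.get("cs-method") == "BITS_POST"
                    and row.get("cs-uri-stem", "").startswith("/CCM_Incoming/")
                    and row.get("sc-status") == "403"):
                hits[row.get("c-ip", "unknown")] += 1
    return hits

def missing_traverse_principals(inf_text):
    """Return required principals absent from SeChangeNotifyPrivilege."""
    m = re.search(r"^SeChangeNotifyPrivilege\s*=\s*(.*)$", inf_text, re.M)
    granted = {e.strip().lstrip("*") for e in m.group(1).split(",")} if m else set()
    # secedit writes SIDs with a leading '*'; unresolved accounts appear by name.
    return [n for sid, n in REQUIRED.items() if sid not in granted and n not in granted]

if __name__ == "__main__":
    for ip, count in rejected_uploads(SAMPLE_IIS_LOG).items():
        print(f"{ip}: {count} rejected upload(s)")
    print("Missing from Bypass Traverse Checking:",
          missing_traverse_principals(SAMPLE_SECEDIT_EXPORT))
```

Against a real export, open the file with `encoding="utf-16"` before passing its text to `missing_traverse_principals`, since secedit writes Unicode output.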

 (edited 120607: link edited) 
August 15

Visionapp and SMS 2003: My kind of future!

Consulting on SMS at one of the largest financial institutions in the UK, I had the pleasure to join up with the people of Visionapp. Visionapp is a German-based firm that developed a product with the same name that functions as an upper-layer management tool for SMS, but also for Citrix, ADS etc. I got a short demo from one of their consultants, and I am impressed!
 
Usually, if you are building up an SMS site and have to load a set of packages, it takes a long time. You need to create an SMS package, program and advertisement, and connect it to a collection. With Visionapp, you can import as many packages as you want at one time, and all the other stuff is created automatically. Furthermore, it has a task scheduler that makes it easy to schedule a set of packages to push out, get a reboot and then get the next set of apps going on their way. Especially interesting for Citrix solutions: each server you build is exactly the same!
 
Check it out at www.visionapp.de
August 10

Vista hacked: Take the Blue Pill

Joris Evers, writing for ZDNet Australia, attended the Black Hat confab in Las Vegas. While Microsoft talked up Windows Vista security at Black Hat, a researcher in another room demonstrated how to hack the operating system. Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, showed that it is possible to bypass security measures in Vista that should prevent unsigned code from running, and how to abuse virtualisation technology to make malicious code undetectable, a technique she code-named Blue Pill. The technique uses Pacifica, a Secure Virtual Machine, from chipmaker Advanced Micro Devices, to go undetected.

Although the hack was done on an old Vista beta distribution, it gives some insight into the technology used by Vista and the security problems that arise when new technology is introduced. Read the full article here

August 9

IE7: What about Europe? - You need an adapter, errr... Blocker

Kinda silly title, but it is a spoof on an IBM commercial about the Universal Enterprise Bus. A group of people is looking at a gadget called the "UEB" with all kinds of connectors. Everybody is enthusiastic about it, but then one asks: What about Europe? - You need an adapter...
 
In a reaction in Dutch to my previous IE7 article, the anonymous contributor asked if Microsoft would get into trouble by deploying IE7 in such a way. Microsoft and 'Castle Europe' had some difficulties. A couple of weeks ago Microsoft was fined a staggering 280.5 million euros for not complying with antitrust legislation, and earlier there was another fine for having Windows Media Player as an integrated part of the Windows OS distribution. To comply with the latter, Microsoft has made a Windows distribution without Media Player, especially for the European market. As far as I know, this is not the case with Internet Explorer.
 
But then, if you do not want to use an Automatic Update to IE7 within your organisation: Microsoft has made available in the Microsoft Download Center the Internet Explorer 7 Blocker Toolkit, which allows IT Administrators to prevent users from receiving Internet Explorer 7 as a high-priority update from Automatic Updates and the Windows Update and Microsoft Update sites. You can find it here: http://go.microsoft.com/fwlink/?linkid=65788
 
BTW: If you use an internal patch solution like WSUS or ITMU/ITCU under SMS 2003 (like you should), you're off the hook!