Re: Rename 2003 domain

[Andrew S. Baker]

There's only so much genuflecting I can take in a single thread, so cut it
out, or i'll send both of you to your rooms (Citrix and
Microsoft, respectively)





*ASB
**http://XeeMe.com/AndrewBaker* *
**Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…***





On Tue, Feb 5, 2013 at 4:29 PM, Michael B. Smith wrote:

>  Pffft. You are known world-wide (literally) as the Citrix AD Expert.
>
> ** **
>
> If there is any name that doesn’t belong on that list, it is mine.
>
> ** **
>
> *From:* Webster [mailto:webs...@carlwebster.com]
> *Sent:* Tuesday, February 5, 2013 3:33 PM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Rename 2003 domain
>
>  ** **
>
> My name doesn’t belong in the same sentence as “Desmond and MBS”.  My name
> should have appeared in subscript! J
>
> ** **
>
> Carl Webster
>
> Consultant and Citrix Technology Professional
>
> http://www.CarlWebster.com 
>
> ** **
>
> ** **
>
> *From:* David Lum [mailto:david@nwea.org ]
> *Sent:* Tuesday, February 05, 2013 1:46 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Rename 2003 domain
>
> ** **
>
> Wow, Webster Desmond and MBS recommend against it.
>
> ** **
>
> …and I thought  a couple of SBS swings were high on the “things could go
> horribly wrong” scale…
>
> ** **
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
>
> *Sent:* Tuesday, February 05, 2013 10:36 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Rename 2003 domain
>
> ** **
>
> To the OP: you already know your domain is broken. 
>
> ** **
>
> Good luck. You are going to need it.
>
> ** **
>
> *From:* Brian Desmond [mailto:br...@briandesmond.com]
>
> *Sent:* Tuesday, February 5, 2013 1:29 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Rename 2003 domain
>
> ** **
>
> *To add to Michael’s point, this wasn’t necessary and probably wasn’t the
> best idea. The consultant obviously messed something up given you had to
> rejoin clients. The simple fact that the consultant was happy to (and
> possibly recommended) this domain rename tells me a lot. *
>
> * *
>
> *Thanks,*
>
> *Brian Desmond*
>
> *br...@briandesmond.com*
>
> * *
>
> *w – 312.625.1438 | c – 312.731.3132*
>
> * *
>
> *From:* David Mazzaccaro 
> [mailto:david.mazzacc...@hudsonmobility.com]
>
> *Sent:* Tuesday, February 5, 2013 9:55 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Rename 2003 domain
>
> ** **
>
> We hired a consultant to move us to AD 2008 R2 and E2010.
>
> He renamed the domain to company.net this past weekend.
>
> We did have to manually rejoin the clients to the new domain (rebooting
> twice did not make the clients auto-join), but everything appears to be
> working fine.  We have just extended the schema and have our first 2008 R2
> domain controller up and running.
>
> ** **
>
> Anything in particular I should check to verify that all is well?
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
> *From:* Michael B. Smith [mailto:mich...@smithcons.com]
>
> *Sent:* Tuesday, February 05, 2013 9:50 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Rename 2003 domain
>
> ** **
>
> Don't rename the domain. Just Say No. There is no need.
>
> Sent from my Windows Phone
>   --
>
> *From: *David Mazzaccaro
> *Sent: *2/1/2013 9:50 PM
> *To: *NT System Admin Issues
> *Subject: *RE: Rename 2003 domain
>
> Thx
>
> I Just read through that thread.
>
> One comment was that you never need to register an internal name on a
> certificate…. 
>
> But it doesn’t go into detail as to why.
>
>  
>
> The other bigger headache (which I understand) is to NOT use an internal
> name that will also be used externally. 
>
> We only use “company.com” on in the internet.  So if we never use
> “company.NET” on the outside, why couldn’t/shouldn’t I rename the domain to
> that?
>
>  
>
> Thx
>
>  
>
>  
>
>  
>
>  
>
> *From:* Webster [mailto:webs...@carlwebster.com ]
>
> *Sent:* Friday, February 01, 2013 12:23 PM
> *To:* NT System Admin Issues
> *Subject:* RE: Rename 2003 domain
>
>  
>
> Go to the archives and read the “SSL and the new no internal names ruling”
> thread.  I think you are going in the wrong direction.
>
>  
>
> Thanks
>
>  
>
>  
>
> Webster
>
>  
>
> *From:* David Mazzaccaro 
> [mailto:david.mazzacc...@hudsonmobility.com]
>
> *Sent:* Friday, February 01, 2013 9:48 AM
> *To:* NT System Admin Issues
> *Subject:* Rename 2003 domain
>
>  
>
> I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 >
> 2010.
>
> Apparently E2010 does not like my current domain name “company.town.main”*
> ***
>
> It wants (needs?) a name that can be registered w/ an internet registrar
> in order to obtain a certificate.
>
> So… I will be renaming the domain to “company.net” this weekend

RE: Rename 2003 domain

[Webster]

But compared to "Desmond and MBS", superscript would have put my name higher 
than theirs and it should be lower (much lower) so subscript, in this one case, 
should be used.

Thanks


Webster

> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, February 05, 2013 3:23 PM
> To: NT System Admin Issues
> Subject: Re: Rename 2003 domain
> 
> Footnotes are more typically done with superscripts.
> 
> Just sayin' :)
> 
> Kurt
> 
> On Tue, Feb 5, 2013 at 12:33 PM, Webster 
> wrote:
> > My name doesn’t belong in the same sentence as “Desmond and MBS”.
> My
> > name should have appeared in subscript! J
> >
> >
> > From: David Lum [mailto:david@nwea.org]
> > Sent: Tuesday, February 05, 2013 1:46 PM
> > To: NT System Admin Issues
> > Subject: RE: Rename 2003 domain
> >
> > Wow, Webster Desmond and MBS recommend against it.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Rename 2003 domain

[Michael B. Smith]

Pffft. You are known world-wide (literally) as the Citrix AD Expert.

If there is any name that doesn't belong on that list, it is mine.

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, February 5, 2013 3:33 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

My name doesn't belong in the same sentence as "Desmond and MBS".  My name 
should have appeared in subscript! :)

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com


From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, February 05, 2013 1:46 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Wow, Webster Desmond and MBS recommend against it.

...and I thought  a couple of SBS swings were high on the "things could go 
horribly wrong" scale...

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 10:36 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

To the OP: you already know your domain is broken.

Good luck. You are going to need it.

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, February 5, 2013 1:29 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

To add to Michael's point, this wasn't necessary and probably wasn't the best 
idea. The consultant obviously messed something up given you had to rejoin 
clients. The simple fact that the consultant was happy to (and possibly 
recommended) this domain rename tells me a lot.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Tuesday, February 5, 2013 9:55 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

We hired a consultant to move us to AD 2008 R2 and E2010.
He renamed the domain to company.net this past weekend.
We did have to manually rejoin the clients to the new domain (rebooting twice 
did not make the clients auto-join), but everything appears to be working fine. 
 We have just extended the schema and have our first 2008 R2 domain controller 
up and running.

Anything in particular I should check to verify that all is well?






From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 9:50 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Don't rename the domain. Just Say No. There is no need.

Sent from my Windows Phone

From: David Mazzaccaro
Sent: 2/1/2013 9:50 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain
Thx
I Just read through that thread.
One comment was that you never need to register an internal name on a 
certificate
But it doesn't go into detail as to why.

The other bigger headache (which I understand) is to NOT use an internal name 
that will also be used externally.
We only use "company.com" on in the internet.  So if we never use "company.NET" 
on the outside, why couldn't/shouldn't I rename the domain to that?

Thx




From: Webster [mailto:webs...@carlwebster.com]
Sent: Friday, February 01, 2013 12:23 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Go to the archives and read the "SSL and the new no internal names ruling" 
thread.  I think you are going in the wrong direction.

Thanks


Webster

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Friday, February 01, 2013 9:48 AM
To: NT System Admin Issues
Subject: Rename 2003 domain


I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 > 2010.

Apparently E2010 does not like my current domain name "company.town.main"

It wants (needs?) a name that can be registered w/ an internet registrar in 
order to obtain a certificate.

So... I will be renaming the domain to "company.net" this weekend.

I have already registered the "company.net" name.

>From what I have read, it is fairly (?) straightforward:

http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Then there are specific Exchange changes: "XDR-fixup"

Then it seems EVERY computer needs to reboot twice for them to see the new 
domain.

I do have a script for this and a txt file w/ all the machines in it:

for /f %%i in (machines.txt) do shutdown -m \\%%i -f -r -t 05

My question is... has anyone here successfully renamed a 2003 domain 
(especially w/ Exchange 2003 in it)?

Care to share your experience and any gotcha's that came up?



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyr

RE: Java 7 patch 13 out... how to attack Servers via RMI protocol

[Ziots, Edward]

And guess what here is a way to exploit the servers also, so the Java flaws 
aren't just for workstations anymore. 

Cross post from Bugtraq

Hello All,

Due to the inquiries received regarding our claims pertaining to the 
possibility of exploiting Java SE vulnerabilities on servers, we've published 
our Proof of Concept code that illustrates this.

The code relies on RMI protocol [1] to deliver a malicious Java class file to a 
target RMI server. It can be downloaded from our project details page:

http://www.security-explorations.com/en/SE-2012-01-details.html

Thank You.

Best Regards,
Adam Gowdiak

-
Security Explorations
http://www.security-explorations.com
"We bring security research to the new level"
-

References:
[1] RMI Wire Protocol
 
http://docs.oracle.com/javase/1.5.0/docs/guide/rmi/spec/rmi-protocol.html


Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.




-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Tuesday, February 05, 2013 9:05 AM
To: NT System Admin Issues
Subject: RE: Java 7 patch 13 out...

Did I not say like 1-2 days after Java updated to version 7.0 update 13 that 
the Security explorations folks would post what is still broken in java 
security wise, expect a update 14 or even 15 soon enough. 

Cross post from Bugtraq

Hello All,

Below, we are providing you with technical details regarding security issues 
reported by us to Oracle and addressed by the company in a recent Feb 2013 Java 
SE CPU [1].

[Issue 29]
This issue allows for the creation of arbitrary Proxy objects for interfaces 
defined in restricted packages. Proxy objects defined in a NULL class loader 
namespaces are of a particular interest here. Such objects can be used to 
manipulate instances of certain restricted classes.

In our Proof of Concept code we create such a proxy object for the 
com.sun.xml.internal.bind.v2.model.nav.Navigator interface.
In order to use the aforementioned proxy object, we need an instance of that 
interface too. We obtain it with the help of Issue 28, which allows to access 
arbitrary field objects from restricted classes and interfaces. As a result, by 
combining Issue 27-29, one can use Navigator interface and make use of its 
sensitive Reflection API functionality such as obtaining access to methods of 
arbitrary classes. That condition can be further leveraged to obtain a complete 
JVM security bypass.

Please, note that our Proof of Concept code for Issues 27-29 was reported to 
Oracle in Apr 2012 and depending Issues 27-28 were addressed by the company 
sooner than Issue 29. Testing of the PoC will thus give best results on older 
versions of Java SE 7.

[Issue 50]
Issue 50 allows to violate a fundamental security constraint of Java VM, which 
is type safety. This vulnerability is another instance of the problem related 
to the unsafe deserialization implemented by 
com.sun.corba.se.impl.io.ObjectStreamClass class.
Its first instance was fixed by Oracle in Oct 2011 [2] and it stemmed from the 
fact that during deserialization insufficient type checks were done with 
respect to object references that were written to target object instance 
created by the means of deserialization. Such a reference writing was 
accomplished with the use of a native functionality of sun.corba.Bridge class.

The problem that we found back in Sep 2012 was very similar to the first one. 
It was located in the same code (class) and was also exploiting direct writing 
of object references to memory with the use of putObject method. While the 
first type confusion issue allowed to write object references of incompatible 
types to correct field offsets, Issue 50 relied on the possibility to write 
object references of incompatible types to...invalid field offsets.

It might be also worth to mention that Issue 50 was found to be present in Java 
SE Embedded [3]. That is Java version that is based on desktop Java SE and is 
used in today's most powerful embedded systems such as aircraft and medical 
systems [4]. We verified that Oracle Java SE Embedded ver. 7 Update 6 from 10 
Aug 2012 for ARM / Linux contained vulnerable implementation of 
ObjectStreamClass class.

Unfortunately, we don't know any details regarding the impact of Issue 50 in 
the embedd

Re: Rename 2003 domain

[Kurt Buff]

Footnotes are more typically done with superscripts.

Just sayin' :)

Kurt

On Tue, Feb 5, 2013 at 12:33 PM, Webster  wrote:
> My name doesn’t belong in the same sentence as “Desmond and MBS”.  My name
> should have appeared in subscript! J
>
>
>
> Carl Webster
>
> Consultant and Citrix Technology Professional
>
> http://www.CarlWebster.com
>
>
>
>
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Tuesday, February 05, 2013 1:46 PM
> To: NT System Admin Issues
> Subject: RE: Rename 2003 domain
>
>
>
> Wow, Webster Desmond and MBS recommend against it.
>
>
>
> …and I thought  a couple of SBS swings were high on the “things could go
> horribly wrong” scale…
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Tuesday, February 05, 2013 10:36 AM
> To: NT System Admin Issues
> Subject: RE: Rename 2003 domain
>
>
>
> To the OP: you already know your domain is broken.
>
>
>
> Good luck. You are going to need it.
>
>
>
> From: Brian Desmond [mailto:br...@briandesmond.com]
> Sent: Tuesday, February 5, 2013 1:29 PM
> To: NT System Admin Issues
> Subject: RE: Rename 2003 domain
>
>
>
> To add to Michael’s point, this wasn’t necessary and probably wasn’t the
> best idea. The consultant obviously messed something up given you had to
> rejoin clients. The simple fact that the consultant was happy to (and
> possibly recommended) this domain rename tells me a lot.
>
>
>
> Thanks,
>
> Brian Desmond
>
> br...@briandesmond.com
>
>
>
> w – 312.625.1438 | c – 312.731.3132
>
>
>
> From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
> Sent: Tuesday, February 5, 2013 9:55 AM
> To: NT System Admin Issues
> Subject: RE: Rename 2003 domain
>
>
>
> We hired a consultant to move us to AD 2008 R2 and E2010.
>
> He renamed the domain to company.net this past weekend.
>
> We did have to manually rejoin the clients to the new domain (rebooting
> twice did not make the clients auto-join), but everything appears to be
> working fine.  We have just extended the schema and have our first 2008 R2
> domain controller up and running.
>
>
>
> Anything in particular I should check to verify that all is well?
>
>
>
>
>
>
>
>
>
>
>
>
>
> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Tuesday, February 05, 2013 9:50 AM
> To: NT System Admin Issues
> Subject: RE: Rename 2003 domain
>
>
>
> Don't rename the domain. Just Say No. There is no need.
>
> Sent from my Windows Phone
>
> 
>
> From: David Mazzaccaro
> Sent: 2/1/2013 9:50 PM
> To: NT System Admin Issues
> Subject: RE: Rename 2003 domain
>
> Thx
>
> I Just read through that thread.
>
> One comment was that you never need to register an internal name on a
> certificate….
>
> But it doesn’t go into detail as to why.
>
>
>
> The other bigger headache (which I understand) is to NOT use an internal
> name that will also be used externally.
>
> We only use “company.com” on in the internet.  So if we never use
> “company.NET” on the outside, why couldn’t/shouldn’t I rename the domain to
> that?
>
>
>
> Thx
>
>
>
>
>
>
>
>
>
> From: Webster [mailto:webs...@carlwebster.com]
> Sent: Friday, February 01, 2013 12:23 PM
> To: NT System Admin Issues
> Subject: RE: Rename 2003 domain
>
>
>
> Go to the archives and read the “SSL and the new no internal names ruling”
> thread.  I think you are going in the wrong direction.
>
>
>
> Thanks
>
>
>
>
>
> Webster
>
>
>
> From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
> Sent: Friday, February 01, 2013 9:48 AM
> To: NT System Admin Issues
> Subject: Rename 2003 domain
>
>
>
> I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 > 2010.
>
> Apparently E2010 does not like my current domain name “company.town.main”
>
> It wants (needs?) a name that can be registered w/ an internet registrar in
> order to obtain a certificate.
>
> So… I will be renaming the domain to “company.net” this weekend.
>
> I have already registered the “company.net” name.
>
> From what I have read, it is fairly (?) straightforward:
>
> http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx
>
> Then there are specific Exchange changes: “XDR-fixup”
>
> Then it seems EVERY computer needs to reboot twice for them to see the new
> domain.
>
> I do have a script for this and a txt file w/ all the machines in it:
>
> for /f %%i in (machines.txt) do shutdown -m \\%%i -f -r -t 05
>
> My question is… has anyone here successfully renamed a 2003 domain
> (especially w/ Exchange 2003 in it)?
>
> Care to share your experience and any gotcha’s that came up?
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ 

Re: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[Michael Leone]

So the boss figures that if we are creating a new database, we might
as well install SQL Server 2008 R2 Express, and use that (locally). So
we'll go with that, I guess.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Rename 2003 domain

[Webster]

My name doesn't belong in the same sentence as "Desmond and MBS".  My name 
should have appeared in subscript! :)

Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com


From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, February 05, 2013 1:46 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Wow, Webster Desmond and MBS recommend against it.

...and I thought  a couple of SBS swings were high on the "things could go 
horribly wrong" scale...

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 10:36 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

To the OP: you already know your domain is broken.

Good luck. You are going to need it.

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, February 5, 2013 1:29 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

To add to Michael's point, this wasn't necessary and probably wasn't the best 
idea. The consultant obviously messed something up given you had to rejoin 
clients. The simple fact that the consultant was happy to (and possibly 
recommended) this domain rename tells me a lot.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Tuesday, February 5, 2013 9:55 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

We hired a consultant to move us to AD 2008 R2 and E2010.
He renamed the domain to company.net this past weekend.
We did have to manually rejoin the clients to the new domain (rebooting twice 
did not make the clients auto-join), but everything appears to be working fine. 
 We have just extended the schema and have our first 2008 R2 domain controller 
up and running.

Anything in particular I should check to verify that all is well?






From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 9:50 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Don't rename the domain. Just Say No. There is no need.

Sent from my Windows Phone

From: David Mazzaccaro
Sent: 2/1/2013 9:50 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain
Thx
I Just read through that thread.
One comment was that you never need to register an internal name on a 
certificate
But it doesn't go into detail as to why.

The other bigger headache (which I understand) is to NOT use an internal name 
that will also be used externally.
We only use "company.com" on in the internet.  So if we never use "company.NET" 
on the outside, why couldn't/shouldn't I rename the domain to that?

Thx




From: Webster [mailto:webs...@carlwebster.com]
Sent: Friday, February 01, 2013 12:23 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Go to the archives and read the "SSL and the new no internal names ruling" 
thread.  I think you are going in the wrong direction.

Thanks


Webster

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Friday, February 01, 2013 9:48 AM
To: NT System Admin Issues
Subject: Rename 2003 domain


I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 > 2010.

Apparently E2010 does not like my current domain name "company.town.main"

It wants (needs?) a name that can be registered w/ an internet registrar in 
order to obtain a certificate.

So... I will be renaming the domain to "company.net" this weekend.

I have already registered the "company.net" name.

>From what I have read, it is fairly (?) straightforward:

http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Then there are specific Exchange changes: "XDR-fixup"

Then it seems EVERY computer needs to reboot twice for them to see the new 
domain.

I do have a script for this and a txt file w/ all the machines in it:

for /f %%i in (machines.txt) do shutdown -m \\%%i -f -r -t 05

My question is... has anyone here successfully renamed a 2003 domain 
(especially w/ Exchange 2003 in it)?

Care to share your experience and any gotcha's that came up?



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[Michael Leone]

On Tue, Feb 5, 2013 at 2:54 PM, Robert Peterson
 wrote:
> The actual moving of the database to another server is not difficult as long 
> as you don't change from internal to SQL database.  The problem is in 
> renaming the server.  When you do that you have to remember to change any 
> GPO's that are associated with WSUS. The database export and import 
> procedures are still the same that I'm aware of, use the WSUSutil command 
> line.

That's not working for me.

wsusutil export Old-Server-CAB.CAB Old-Server-LOG.LOG

give me a binary file as the LOG, and an empty zero-byte CAB file.

> If the environment is not very large

About 130 servers ...

> you could just install a fresh copy of WSUS on the new server, re-point the 
> GPO's and let the clients populate the new database on their own. Then import 
> only the metadata of approved updates.  That way you're not getting old 
> machines that may not be on the network any longer and you start with a much 
> cleaner database.

That's what I am hoping to do. I have installed WSUS on the new
server, and am about to synchronize updates. Then I was going to
change the GPO and let it re-populate the DB. But I have nothing to
import metadata from ...

I can approve everything up till last Patch Tuesday date, of course.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[Roger Wright]

Agreed.  It only takes a couple days for the database to update.



Roger Wright
___

Congressional Mantra:  Spending will continue increase until deficits
improve.




On Tue, Feb 5, 2013 at 11:56 AM, Kennedy, Jim
wrote:

> I have moved WSUS servers twice. It isn't worth it, just redo it. It
> doesn't take that long to mass approve the updates.
>
> -Original Message-
> From: Michael Leone [mailto:oozerd...@gmail.com]
> Sent: Tuesday, February 05, 2013 11:49 AM
> To: NT System Admin Issues
> Subject: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2
>
> I've asked this on the WSUS list over at PatchManahement.org, but while I
> am waiting on their wisdom, I thought I would ask here, as well.
>
> I am using WSUS 3.0 SP2 on a Win2003 SP2 VM, and I need to move it to a
> Win2008 R2 VM, and while I am it, change the server name.
>
> Since I posted on the other list, I have determined (I think) that my
> database is the default Windows Internal database. I have a SUSDB.MDF file,
> and a separate SUSDB.BAK in a different folder. I must have set that backup
> up at one point, and pointed it to that backup folder, but it was so long
> ago, I've forgotten, and there is no documentation here.
>
> I found this link - "How to move WSUS from one server to another"
> <
> http://blogs.technet.com/b/sus/archive/2009/07/02/how-to-move-wsus-from-one-server-to-another.aspx
> >,
> This blog post is 3.5 years old; is it still valid? Almost all the
> comments say this procedure did not work for them. If not, is there a
> better step-by-step guide?
>
> Thanks for any help.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <
> http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[Robert Peterson]

The actual moving of the database to another server is not difficult as long as 
you don't change from internal to SQL database.  The problem is in renaming the 
server.  When you do that you have to remember to change any GPO's that are 
associated with WSUS. The database export and import procedures are still the 
same that I'm aware of, use the WSUSutil command line. The OS should not make 
any difference at all.
Thomas would have more current knowledge of moving WSUS than I do.

If the environment is not very large you could just install a fresh copy of 
WSUS on the new server, re-point the GPO's and let the clients populate the new 
database on their own. Then import only the metadata of approved updates.  That 
way you're not getting old machines that may not be on the network any longer 
and you start with a much cleaner database.

William (Bill) Whitney
The Principia

-Original Message-
From: Michael Leone [mailto:oozerd...@gmail.com]
Sent: Tuesday, February 05, 2013 10:49 AM
To: NT System Admin Issues
Subject: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

I've asked this on the WSUS list over at PatchManahement.org, but while I am 
waiting on their wisdom, I thought I would ask here, as well.

I am using WSUS 3.0 SP2 on a Win2003 SP2 VM, and I need to move it to a Win2008 
R2 VM, and while I am it, change the server name.

Since I posted on the other list, I have determined (I think) that my database 
is the default Windows Internal database. I have a SUSDB.MDF file, and a 
separate SUSDB.BAK in a different folder. I must have set that backup up at one 
point, and pointed it to that backup folder, but it was so long ago, I've 
forgotten, and there is no documentation here.

I found this link - "How to move WSUS from one server to another"
,
This blog post is 3.5 years old; is it still valid? Almost all the comments say 
this procedure did not work for them. If not, is there a better step-by-step 
guide?

Thanks for any help.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Rename 2003 domain

[David Lum]

Wow, Webster Desmond and MBS recommend against it.

...and I thought  a couple of SBS swings were high on the "things could go 
horribly wrong" scale...

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 10:36 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

To the OP: you already know your domain is broken.

Good luck. You are going to need it.

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, February 5, 2013 1:29 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

To add to Michael's point, this wasn't necessary and probably wasn't the best 
idea. The consultant obviously messed something up given you had to rejoin 
clients. The simple fact that the consultant was happy to (and possibly 
recommended) this domain rename tells me a lot.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Tuesday, February 5, 2013 9:55 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

We hired a consultant to move us to AD 2008 R2 and E2010.
He renamed the domain to company.net this past weekend.
We did have to manually rejoin the clients to the new domain (rebooting twice 
did not make the clients auto-join), but everything appears to be working fine. 
 We have just extended the schema and have our first 2008 R2 domain controller 
up and running.

Anything in particular I should check to verify that all is well?






From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 9:50 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Don't rename the domain. Just Say No. There is no need.

Sent from my Windows Phone

From: David Mazzaccaro
Sent: 2/1/2013 9:50 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain
Thx
I Just read through that thread.
One comment was that you never need to register an internal name on a 
certificate
But it doesn't go into detail as to why.

The other bigger headache (which I understand) is to NOT use an internal name 
that will also be used externally.
We only use "company.com" on in the internet.  So if we never use "company.NET" 
on the outside, why couldn't/shouldn't I rename the domain to that?

Thx




From: Webster [mailto:webs...@carlwebster.com]
Sent: Friday, February 01, 2013 12:23 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Go to the archives and read the "SSL and the new no internal names ruling" 
thread.  I think you are going in the wrong direction.

Thanks


Webster

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Friday, February 01, 2013 9:48 AM
To: NT System Admin Issues
Subject: Rename 2003 domain


I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 > 2010.

Apparently E2010 does not like my current domain name "company.town.main"

It wants (needs?) a name that can be registered w/ an internet registrar in 
order to obtain a certificate.

So... I will be renaming the domain to "company.net" this weekend.

I have already registered the "company.net" name.

>From what I have read, it is fairly (?) straightforward:

http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Then there are specific Exchange changes: "XDR-fixup"

Then it seems EVERY computer needs to reboot twice for them to see the new 
domain.

I do have a script for this and a txt file w/ all the machines in it:

for /f %%i in (machines.txt) do shutdown -m \\%%i -f -r -t 05

My question is... has anyone here successfully renamed a 2003 domain 
(especially w/ Exchange 2003 in it)?

Care to share your experience and any gotcha's that came up?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ 

RE: Rename 2003 domain

[Michael B. Smith]

To the OP: you already know your domain is broken.

Good luck. You are going to need it.

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, February 5, 2013 1:29 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

To add to Michael's point, this wasn't necessary and probably wasn't the best 
idea. The consultant obviously messed something up given you had to rejoin 
clients. The simple fact that the consultant was happy to (and possibly 
recommended) this domain rename tells me a lot.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Tuesday, February 5, 2013 9:55 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

We hired a consultant to move us to AD 2008 R2 and E2010.
He renamed the domain to company.net this past weekend.
We did have to manually rejoin the clients to the new domain (rebooting twice 
did not make the clients auto-join), but everything appears to be working fine. 
 We have just extended the schema and have our first 2008 R2 domain controller 
up and running.

Anything in particular I should check to verify that all is well?






From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 9:50 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Don't rename the domain. Just Say No. There is no need.

Sent from my Windows Phone

From: David Mazzaccaro
Sent: 2/1/2013 9:50 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain
Thx
I Just read through that thread.
One comment was that you never need to register an internal name on a 
certificate
But it doesn't go into detail as to why.

The other bigger headache (which I understand) is to NOT use an internal name 
that will also be used externally.
We only use "company.com" on in the internet.  So if we never use "company.NET" 
on the outside, why couldn't/shouldn't I rename the domain to that?

Thx




From: Webster [mailto:webs...@carlwebster.com]
Sent: Friday, February 01, 2013 12:23 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Go to the archives and read the "SSL and the new no internal names ruling" 
thread.  I think you are going in the wrong direction.

Thanks


Webster

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Friday, February 01, 2013 9:48 AM
To: NT System Admin Issues
Subject: Rename 2003 domain


I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 > 2010.

Apparently E2010 does not like my current domain name "company.town.main"

It wants (needs?) a name that can be registered w/ an internet registrar in 
order to obtain a certificate.

So... I will be renaming the domain to "company.net" this weekend.

I have already registered the "company.net" name.

>From what I have read, it is fairly (?) straightforward:

http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Then there are specific Exchange changes: "XDR-fixup"

Then it seems EVERY computer needs to reboot twice for them to see the new 
domain.

I do have a script for this and a txt file w/ all the machines in it:

for /f %%i in (machines.txt) do shutdown -m \\%%i -f -r -t 05

My question is... has anyone here successfully renamed a 2003 domain 
(especially w/ Exchange 2003 in it)?

Care to share your experience and any gotcha's that came up?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T

RE: Rename 2003 domain

[Brian Desmond]

To add to Michael's point, this wasn't necessary and probably wasn't the best 
idea. The consultant obviously messed something up given you had to rejoin 
clients. The simple fact that the consultant was happy to (and possibly 
recommended) this domain rename tells me a lot.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c - 312.731.3132

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Tuesday, February 5, 2013 9:55 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

We hired a consultant to move us to AD 2008 R2 and E2010.
He renamed the domain to company.net this past weekend.
We did have to manually rejoin the clients to the new domain (rebooting twice 
did not make the clients auto-join), but everything appears to be working fine. 
 We have just extended the schema and have our first 2008 R2 domain controller 
up and running.

Anything in particular I should check to verify that all is well?






From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, February 05, 2013 9:50 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Don't rename the domain. Just Say No. There is no need.

Sent from my Windows Phone

From: David Mazzaccaro
Sent: 2/1/2013 9:50 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain
Thx
I Just read through that thread.
One comment was that you never need to register an internal name on a 
certificate
But it doesn't go into detail as to why.

The other bigger headache (which I understand) is to NOT use an internal name 
that will also be used externally.
We only use "company.com" on in the internet.  So if we never use "company.NET" 
on the outside, why couldn't/shouldn't I rename the domain to that?

Thx




From: Webster [mailto:webs...@carlwebster.com]
Sent: Friday, February 01, 2013 12:23 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Go to the archives and read the "SSL and the new no internal names ruling" 
thread.  I think you are going in the wrong direction.

Thanks


Webster

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Friday, February 01, 2013 9:48 AM
To: NT System Admin Issues
Subject: Rename 2003 domain


I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 > 2010.

Apparently E2010 does not like my current domain name "company.town.main"

It wants (needs?) a name that can be registered w/ an internet registrar in 
order to obtain a certificate.

So... I will be renaming the domain to "company.net" this weekend.

I have already registered the "company.net" name.

>From what I have read, it is fairly (?) straightforward:

http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Then there are specific Exchange changes: "XDR-fixup"

Then it seems EVERY computer needs to reboot twice for them to see the new 
domain.

I do have a script for this and a txt file w/ all the machines in it:

for /f %%i in (machines.txt) do shutdown -m \\%%i -f -r -t 05

My question is... has anyone here successfully renamed a 2003 domain 
(especially w/ Exchange 2003 in it)?

Care to share your experience and any gotcha's that came up?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the

Re: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[Michael Leone]

On Tue, Feb 5, 2013 at 11:56 AM, Kennedy, Jim
 wrote:
> I have moved WSUS servers twice. It isn't worth it, just redo it. It doesn't 
> take that long to mass approve the updates.

OK ... it's not approving the updates, really. It's rebuilding the
groups, and the client history. Once I re-point the GPO to the new
server, then the client has to fully scan and report to the new WSUS
server which patches it has, and for the server to determine what
patches it needs.

Those are the parts I would be trying to avoid. How can I migrate
that? Do I make the new WSUS server, and somehow replicate from the
current to the new, then "demote" the old, leaving only the new?

(in our case - we have a set of servers that are up to date with the
latest patches, and another set that one month behind. This lets us
test that the patches don't break anything, before rolling them out to
the production servers)


>
> -Original Message-
> From: Michael Leone [mailto:oozerd...@gmail.com]
> Sent: Tuesday, February 05, 2013 11:49 AM
> To: NT System Admin Issues
> Subject: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2
>
> I've asked this on the WSUS list over at PatchManahement.org, but while I am 
> waiting on their wisdom, I thought I would ask here, as well.
>
> I am using WSUS 3.0 SP2 on a Win2003 SP2 VM, and I need to move it to a 
> Win2008 R2 VM, and while I am it, change the server name.
>
> Since I posted on the other list, I have determined (I think) that my 
> database is the default Windows Internal database. I have a SUSDB.MDF file, 
> and a separate SUSDB.BAK in a different folder. I must have set that backup 
> up at one point, and pointed it to that backup folder, but it was so long 
> ago, I've forgotten, and there is no documentation here.
>
> I found this link - "How to move WSUS from one server to another"
> ,
> This blog post is 3.5 years old; is it still valid? Almost all the comments 
> say this procedure did not work for them. If not, is there a better 
> step-by-step guide?
>
> Thanks for any help.
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
>   ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
> ---
> To manage subscriptions click here: 
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to listmana...@lyris.sunbeltsoftware.com
> with the body: unsubscribe ntsysadmin
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[steve ens]

Plus one
Sent from my BlackBird.

-Original Message-
From: "Kennedy, Jim" 
Date: Tue, 5 Feb 2013 16:56:01 
To: NT System Admin Issues
Reply-To: "NT System Admin Issues" 
Subject: RE: Advice on migrating WSUS 
3.0 SP2 from Win2003 32bit to Win2008 R2

I have moved WSUS servers twice. It isn't worth it, just redo it. It doesn't 
take that long to mass approve the updates.

-Original Message-
From: Michael Leone [mailto:oozerd...@gmail.com] 
Sent: Tuesday, February 05, 2013 11:49 AM
To: NT System Admin Issues
Subject: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

I've asked this on the WSUS list over at PatchManahement.org, but while I am 
waiting on their wisdom, I thought I would ask here, as well.

I am using WSUS 3.0 SP2 on a Win2003 SP2 VM, and I need to move it to a Win2008 
R2 VM, and while I am it, change the server name.

Since I posted on the other list, I have determined (I think) that my database 
is the default Windows Internal database. I have a SUSDB.MDF file, and a 
separate SUSDB.BAK in a different folder. I must have set that backup up at one 
point, and pointed it to that backup folder, but it was so long ago, I've 
forgotten, and there is no documentation here.

I found this link - "How to move WSUS from one server to another"
,
This blog post is 3.5 years old; is it still valid? Almost all the comments say 
this procedure did not work for them. If not, is there a better step-by-step 
guide?

Thanks for any help.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[John Cook]

+1 just rebuild a new server and change your GPO to point to the new one.

 John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, VSP4, VTSP4


-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, February 05, 2013 11:56 AM
To: NT System Admin Issues
Subject: RE: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

I have moved WSUS servers twice. It isn't worth it, just redo it. It doesn't 
take that long to mass approve the updates.

-Original Message-
From: Michael Leone [mailto:oozerd...@gmail.com]
Sent: Tuesday, February 05, 2013 11:49 AM
To: NT System Admin Issues
Subject: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

I've asked this on the WSUS list over at PatchManahement.org, but while I am 
waiting on their wisdom, I thought I would ask here, as well.

I am using WSUS 3.0 SP2 on a Win2003 SP2 VM, and I need to move it to a Win2008 
R2 VM, and while I am it, change the server name.

Since I posted on the other list, I have determined (I think) that my database 
is the default Windows Internal database. I have a SUSDB.MDF file, and a 
separate SUSDB.BAK in a different folder. I must have set that backup up at one 
point, and pointed it to that backup folder, but it was so long ago, I've 
forgotten, and there is no documentation here.

I found this link - "How to move WSUS from one server to another"
,
This blog post is 3.5 years old; is it still valid? Almost all the comments say 
this procedure did not work for them. If not, is there a better step-by-step 
guide?

Thanks for any help.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin




CONFIDENTIALITY STATEMENT: The information transmitted, or contained or 
attached to or with this Notice is intended only for the person or entity to 
which it is addressed and may contain Protected Health Information (PHI), 
confidential and/or privileged material. Any review, transmission, 
dissemination, or other use of, and taking any action in reliance upon this 
information by persons or entities other than the intended recipient without 
the express written consent of the sender are prohibited. This information may 
be protected by the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), and other Federal and Florida laws. Improper or unauthorized use or 
disclosure of this information could result in civil and/or criminal penalties.
Consider the environment. Please don't print this e-mail unless you really need 
to.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[Kennedy, Jim]

I have moved WSUS servers twice. It isn't worth it, just redo it. It doesn't 
take that long to mass approve the updates.

-Original Message-
From: Michael Leone [mailto:oozerd...@gmail.com] 
Sent: Tuesday, February 05, 2013 11:49 AM
To: NT System Admin Issues
Subject: Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

I've asked this on the WSUS list over at PatchManahement.org, but while I am 
waiting on their wisdom, I thought I would ask here, as well.

I am using WSUS 3.0 SP2 on a Win2003 SP2 VM, and I need to move it to a Win2008 
R2 VM, and while I am it, change the server name.

Since I posted on the other list, I have determined (I think) that my database 
is the default Windows Internal database. I have a SUSDB.MDF file, and a 
separate SUSDB.BAK in a different folder. I must have set that backup up at one 
point, and pointed it to that backup folder, but it was so long ago, I've 
forgotten, and there is no documentation here.

I found this link - "How to move WSUS from one server to another"
,
This blog post is 3.5 years old; is it still valid? Almost all the comments say 
this procedure did not work for them. If not, is there a better step-by-step 
guide?

Thanks for any help.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Advice on migrating WSUS 3.0 SP2 from Win2003 32bit to Win2008 R2

[Michael Leone]

I've asked this on the WSUS list over at PatchManahement.org, but
while I am waiting on their wisdom, I thought I would ask here, as
well.

I am using WSUS 3.0 SP2 on a Win2003 SP2 VM, and I need to move it to
a Win2008 R2 VM, and while I am it, change the server name.

Since I posted on the other list, I have determined (I think) that my
database is the default Windows Internal database. I have a SUSDB.MDF
file, and a separate SUSDB.BAK in a different folder. I must have set
that backup up at one point, and pointed it to that backup folder, but
it was so long ago, I've forgotten, and there is no documentation
here.

I found this link - "How to move WSUS from one server to another"
,
This blog post is 3.5 years old; is it still valid? Almost all the
comments say this procedure did not work for them. If not, is there a
better step-by-step guide?

Thanks for any help.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Java 7 patch 13 out...

[Ziots, Edward]

Snap no feebees for me, I am sure the Security explorations are going to be 
dogging Oracle about the java issues until they get with the program and get 
stuff fixed, so expected more upgrades to Java coming.

Z

Edward E. Ziots, CISSP, Security +, Network +
Security Engineer
Lifespan Organization
ezi...@lifespan.org

This electronic message and any attachments may be privileged and confidential 
and protected from disclosure. If you are reading this message, but are not the 
intended recipient, nor an employee or agent responsible for delivering this 
message to the intended recipient, you are hereby notified that you are 
strictly prohibited from copying, printing, forwarding or otherwise 
disseminating this communication. If you have received this communication in 
error, please immediately notify the sender by replying to the message. Then, 
delete the message from your computer. Thank you.
[Description: Description: Lifespan]


From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, February 05, 2013 9:21 AM
To: NT System Admin Issues
Subject: Re: Java 7 patch 13 out...

You'll notice that no one took you up on your bet...

There's a reason for that. :)






ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market...




On Tue, Feb 5, 2013 at 9:05 AM, Ziots, Edward 
mailto:ezi...@lifespan.org>> wrote:
Did I not say like 1-2 days after Java updated to version 7.0 update 13 that 
the Security explorations folks would post what is still broken in java 
security wise, expect a update 14 or even 15 soon enough.

Cross post from Bugtraq

Hello All,

Below, we are providing you with technical details regarding security issues 
reported by us to Oracle and addressed by the company in a recent Feb 2013 Java 
SE CPU [1].

[Issue 29]
This issue allows for the creation of arbitrary Proxy objects for interfaces 
defined in restricted packages. Proxy objects defined in a NULL class loader 
namespaces are of a particular interest here. Such objects can be used to 
manipulate instances of certain restricted classes.

In our Proof of Concept code we create such a proxy object for the 
com.sun.xml.internal.bind.v2.model.nav.Navigator interface.
In order to use the aforementioned proxy object, we need an instance of that 
interface too. We obtain it with the help of Issue 28, which allows to access 
arbitrary field objects from restricted classes and interfaces. As a result, by 
combining Issue 27-29, one can use Navigator interface and make use of its 
sensitive Reflection API functionality such as obtaining access to methods of 
arbitrary classes. That condition can be further leveraged to obtain a complete 
JVM security bypass.

Please, note that our Proof of Concept code for Issues 27-29 was reported to 
Oracle in Apr 2012 and depending Issues 27-28 were addressed by the company 
sooner than Issue 29. Testing of the PoC will thus give best results on older 
versions of Java SE 7.

[Issue 50]
Issue 50 allows to violate a fundamental security constraint of Java VM, which 
is type safety. This vulnerability is another instance of the problem related 
to the unsafe deserialization implemented by 
com.sun.corba.se.impl.io.ObjectStreamClass class.
Its first instance was fixed by Oracle in Oct 2011 [2] and it stemmed from the 
fact that during deserialization insufficient type checks were done with 
respect to object references that were written to target object instance 
created by the means of deserialization. Such a reference writing was 
accomplished with the use of a native functionality of sun.corba.Bridge class.

The problem that we found back in Sep 2012 was very similar to the first one. 
It was located in the same code (class) and was also exploiting direct writing 
of object references to memory with the use of putObject method. While the 
first type confusion issue allowed to write object references of incompatible 
types to correct field offsets, Issue 50 relied on the possibility to write 
object references of incompatible types to...invalid field offsets.

It might be also worth to mention that Issue 50 was found to be present in Java 
SE Embedded [3]. That is Java version that is based on desktop Java SE and is 
used in today's most powerful embedded systems such as aircraft and medical 
systems [4]. We verified that Oracle Java SE Embedded ver. 7 Update 6 from 10 
Aug 2012 for ARM / Linux contained vulnerable implementation of 
ObjectStreamClass class.

Unfortunately, we don't know any details regarding the impact of Issue 50 in 
the embedded space (which embedded systems are vulnerable to it, whether any 
feasible attack vectors exist, etc.). So, it's up to Oracle to clarify any 
potential concerns in that area.

[Issue 52]
Issue 52 relies on the possibility to call no-argument methods on arbitrary 
objects or classes. The vulnerability has its origin in 
com.sun.jmx.mbeanserver.Introspector class wh

RE: Rename 2003 domain

[David Mazzaccaro]

We hired a consultant to move us to AD 2008 R2 and E2010.

He renamed the domain to company.net this past weekend.

We did have to manually rejoin the clients to the new domain (rebooting
twice did not make the clients auto-join), but everything appears to be
working fine.  We have just extended the schema and have our first 2008
R2 domain controller up and running.

 

Anything in particular I should check to verify that all is well?

 

 

 

 

 

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Tuesday, February 05, 2013 9:50 AM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

 

Don't rename the domain. Just Say No. There is no need. 

Sent from my Windows Phone



From: David Mazzaccaro
Sent: 2/1/2013 9:50 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Thx

I Just read through that thread.

One comment was that you never need to register an internal name on a
certificate 

But it doesn't go into detail as to why.

 

The other bigger headache (which I understand) is to NOT use an internal
name that will also be used externally. 

We only use "company.com" on in the internet.  So if we never use
"company.NET" on the outside, why couldn't/shouldn't I rename the domain
to that?

 

Thx

 

 

 

 

From: Webster [mailto:webs...@carlwebster.com] 
Sent: Friday, February 01, 2013 12:23 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

 

Go to the archives and read the "SSL and the new no internal names
ruling" thread.  I think you are going in the wrong direction.

 

Thanks

 

 

Webster

 

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com] 
Sent: Friday, February 01, 2013 9:48 AM
To: NT System Admin Issues
Subject: Rename 2003 domain

 

I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 >
2010.

Apparently E2010 does not like my current domain name
"company.town.main"

It wants (needs?) a name that can be registered w/ an internet registrar
in order to obtain a certificate.

So... I will be renaming the domain to "company.net" this weekend.

I have already registered the "company.net" name.

>From what I have read, it is fairly (?) straightforward:

http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx
 

Then there are specific Exchange changes: "XDR-fixup"

Then it seems EVERY computer needs to reboot twice for them to see the
new domain.

I do have a script for this and a txt file w/ all the machines in it:

for /f %%i in (machines.txt) do shutdown -m \\%%i 
-f -r -t 05

My question is... has anyone here successfully renamed a 2003 domain
(especially w/ Exchange 2003 in it)?

Care to share your experience and any gotcha's that came up?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


.
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Rename 2003 domain

[Michael B. Smith]

Don't rename the domain. Just Say No. There is no need.

Sent from my Windows Phone

From: David Mazzaccaro
Sent: 2/1/2013 9:50 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Thx
I Just read through that thread.
One comment was that you never need to register an internal name on a 
certificate….
But it doesn’t go into detail as to why.

The other bigger headache (which I understand) is to NOT use an internal name 
that will also be used externally.
We only use “company.com” on in the internet.  So if we never use “company.NET” 
on the outside, why couldn’t/shouldn’t I rename the domain to that?

Thx




From: Webster [mailto:webs...@carlwebster.com]
Sent: Friday, February 01, 2013 12:23 PM
To: NT System Admin Issues
Subject: RE: Rename 2003 domain

Go to the archives and read the “SSL and the new no internal names ruling” 
thread.  I think you are going in the wrong direction.

Thanks


Webster

From: David Mazzaccaro [mailto:david.mazzacc...@hudsonmobility.com]
Sent: Friday, February 01, 2013 9:48 AM
To: NT System Admin Issues
Subject: Rename 2003 domain


I will be upgrading my domain from 2003 to 2008 R2 and Exchange 2003 > 2010.

Apparently E2010 does not like my current domain name “company.town.main”

It wants (needs?) a name that can be registered w/ an internet registrar in 
order to obtain a certificate.

So… I will be renaming the domain to “company.net” this weekend.

I have already registered the “company.net” name.

>From what I have read, it is fairly (?) straightforward:

http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Then there are specific Exchange changes: “XDR-fixup”

Then it seems EVERY computer needs to reboot twice for them to see the new 
domain.

I do have a script for this and a txt file w/ all the machines in it:

for /f %%i in (machines.txt) do shutdown -m \\%%i -f -r -t 05

My question is… has anyone here successfully renamed a 2003 domain (especially 
w/ Exchange 2003 in it)?

Care to share your experience and any gotcha’s that came up?

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: Java 7 patch 13 out...

[Andrew S. Baker]

You'll notice that no one took you up on your bet...

There's a reason for that. :)





*ASB
**http://XeeMe.com/AndrewBaker* *
**Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market…***





On Tue, Feb 5, 2013 at 9:05 AM, Ziots, Edward  wrote:

> Did I not say like 1-2 days after Java updated to version 7.0 update 13
> that the Security explorations folks would post what is still broken in
> java security wise, expect a update 14 or even 15 soon enough.
>
> Cross post from Bugtraq
>
> Hello All,
>
> Below, we are providing you with technical details regarding security
> issues reported by us to Oracle and addressed by the company in a recent
> Feb 2013 Java SE CPU [1].
>
> [Issue 29]
> This issue allows for the creation of arbitrary Proxy objects for
> interfaces defined in restricted packages. Proxy objects defined in a NULL
> class loader namespaces are of a particular interest here. Such objects can
> be used to manipulate instances of certain restricted classes.
>
> In our Proof of Concept code we create such a proxy object for the
> com.sun.xml.internal.bind.v2.model.nav.Navigator interface.
> In order to use the aforementioned proxy object, we need an instance of
> that interface too. We obtain it with the help of Issue 28, which allows to
> access arbitrary field objects from restricted classes and interfaces. As a
> result, by combining Issue 27-29, one can use Navigator interface and make
> use of its sensitive Reflection API functionality such as obtaining access
> to methods of arbitrary classes. That condition can be further leveraged to
> obtain a complete JVM security bypass.
>
> Please, note that our Proof of Concept code for Issues 27-29 was reported
> to Oracle in Apr 2012 and depending Issues 27-28 were addressed by the
> company sooner than Issue 29. Testing of the PoC will thus give best
> results on older versions of Java SE 7.
>
> [Issue 50]
> Issue 50 allows to violate a fundamental security constraint of Java VM,
> which is type safety. This vulnerability is another instance of the problem
> related to the unsafe deserialization implemented by
> com.sun.corba.se.impl.io.ObjectStreamClass class.
> Its first instance was fixed by Oracle in Oct 2011 [2] and it stemmed from
> the fact that during deserialization insufficient type checks were done
> with respect to object references that were written to target object
> instance created by the means of deserialization. Such a reference writing
> was accomplished with the use of a native functionality of sun.corba.Bridge
> class.
>
> The problem that we found back in Sep 2012 was very similar to the first
> one. It was located in the same code (class) and was also exploiting direct
> writing of object references to memory with the use of putObject method.
> While the first type confusion issue allowed to write object references of
> incompatible types to correct field offsets, Issue 50 relied on the
> possibility to write object references of incompatible types to...invalid
> field offsets.
>
> It might be also worth to mention that Issue 50 was found to be present in
> Java SE Embedded [3]. That is Java version that is based on desktop Java SE
> and is used in today's most powerful embedded systems such as aircraft and
> medical systems [4]. We verified that Oracle Java SE Embedded ver. 7 Update
> 6 from 10 Aug 2012 for ARM / Linux contained vulnerable implementation of
> ObjectStreamClass class.
>
> Unfortunately, we don't know any details regarding the impact of Issue 50
> in the embedded space (which embedded systems are vulnerable to it, whether
> any feasible attack vectors exist, etc.). So, it's up to Oracle to clarify
> any potential concerns in that area.
>
> [Issue 52]
> Issue 52 relies on the possibility to call no-argument methods on
> arbitrary objects or classes. The vulnerability has its origin in
> com.sun.jmx.mbeanserver.Introspector class which is located in the same
> package as the infamous MBeanInstantiator bug found in the wild in early
> Jan 2013. The flaw stems from insecure call to invoke method of
> java.lang.reflect.Method class:
>
>  if (method != null)
>return method.invoke(obj, new Object[0]);
>
> In our Proof of Concept code we exploit the above implementation by making
> a call to getDeclaredMethods method of java.lang.Class class to gain access
> to methods of restricted classes. This is accomplished with the use of the
> following code sequence:
>
> Introspector.elementFromComplex((Object)clazz,"declaredMethods")
>
> Access to public method objects of arbitrary restricted classes is
> sufficient to achieve a complete Java VM security sandbox compromise. We
> make use of DefiningClassLoader exploit vector for that purpose.
>
> [Issue 53]
> Issue 53 stems from the fact that Oracle's implementation of new security
> levels introduced by the company in Java SE 7 Update 10 did not take into
> account the fact that Applet

RE: Java 7 patch 13 out...

[Ziots, Edward]

Did I not say like 1-2 days after Java updated to version 7.0 update 13 that 
the Security explorations folks would post what is still broken in java 
security wise, expect a update 14 or even 15 soon enough. 

Cross post from Bugtraq

Hello All,

Below, we are providing you with technical details regarding security issues 
reported by us to Oracle and addressed by the company in a recent Feb 2013 Java 
SE CPU [1].

[Issue 29]
This issue allows for the creation of arbitrary Proxy objects for interfaces 
defined in restricted packages. Proxy objects defined in a NULL class loader 
namespaces are of a particular interest here. Such objects can be used to 
manipulate instances of certain restricted classes.

In our Proof of Concept code we create such a proxy object for the 
com.sun.xml.internal.bind.v2.model.nav.Navigator interface.
In order to use the aforementioned proxy object, we need an instance of that 
interface too. We obtain it with the help of Issue 28, which allows to access 
arbitrary field objects from restricted classes and interfaces. As a result, by 
combining Issue 27-29, one can use Navigator interface and make use of its 
sensitive Reflection API functionality such as obtaining access to methods of 
arbitrary classes. That condition can be further leveraged to obtain a complete 
JVM security bypass.

Please, note that our Proof of Concept code for Issues 27-29 was reported to 
Oracle in Apr 2012 and depending Issues 27-28 were addressed by the company 
sooner than Issue 29. Testing of the PoC will thus give best results on older 
versions of Java SE 7.

[Issue 50]
Issue 50 allows to violate a fundamental security constraint of Java VM, which 
is type safety. This vulnerability is another instance of the problem related 
to the unsafe deserialization implemented by 
com.sun.corba.se.impl.io.ObjectStreamClass class.
Its first instance was fixed by Oracle in Oct 2011 [2] and it stemmed from the 
fact that during deserialization insufficient type checks were done with 
respect to object references that were written to target object instance 
created by the means of deserialization. Such a reference writing was 
accomplished with the use of a native functionality of sun.corba.Bridge class.

The problem that we found back in Sep 2012 was very similar to the first one. 
It was located in the same code (class) and was also exploiting direct writing 
of object references to memory with the use of putObject method. While the 
first type confusion issue allowed to write object references of incompatible 
types to correct field offsets, Issue 50 relied on the possibility to write 
object references of incompatible types to...invalid field offsets.

It might be also worth to mention that Issue 50 was found to be present in Java 
SE Embedded [3]. That is Java version that is based on desktop Java SE and is 
used in today's most powerful embedded systems such as aircraft and medical 
systems [4]. We verified that Oracle Java SE Embedded ver. 7 Update 6 from 10 
Aug 2012 for ARM / Linux contained vulnerable implementation of 
ObjectStreamClass class.

Unfortunately, we don't know any details regarding the impact of Issue 50 in 
the embedded space (which embedded systems are vulnerable to it, whether any 
feasible attack vectors exist, etc.). So, it's up to Oracle to clarify any 
potential concerns in that area.

[Issue 52]
Issue 52 relies on the possibility to call no-argument methods on arbitrary 
objects or classes. The vulnerability has its origin in 
com.sun.jmx.mbeanserver.Introspector class which is located in the same package 
as the infamous MBeanInstantiator bug found in the wild in early Jan 2013. The 
flaw stems from insecure call to invoke method of java.lang.reflect.Method 
class:

 if (method != null)
   return method.invoke(obj, new Object[0]);

In our Proof of Concept code we exploit the above implementation by making a 
call to getDeclaredMethods method of java.lang.Class class to gain access to 
methods of restricted classes. This is accomplished with the use of the 
following code sequence:

Introspector.elementFromComplex((Object)clazz,"declaredMethods")

Access to public method objects of arbitrary restricted classes is sufficient 
to achieve a complete Java VM security sandbox compromise. We make use of 
DefiningClassLoader exploit vector for that purpose.

[Issue 53]
Issue 53 stems from the fact that Oracle's implementation of new security 
levels introduced by the company in Java SE 7 Update 10 did not take into 
account the fact that Applets can be instantiated with the use of 
serialization. Such a possibility is indicated both in HTML 4 Specification [5] 
as well as in Oracle's code.

HTML 4 Specification contains the following description for the "object" 
attribute of APPLET element:

object = cdata [CS]
This attribute names a resource containing a serialized
representation of an applet's state. It is interpreted
relative to the appl

RE: VMWare snapshot issue

[Tom Miller]

Yes, I tried it both powered on and powered off.  I  have a ticket with vmware 
- will let the list know what the eventual resolution is.  Thanks for the 
recommendations.

From: Sean Martin [mailto:seanmarti...@gmail.com]
Sent: Monday, February 04, 2013 5:33 PM
To: NT System Admin Issues
Subject: Re: VMWare snapshot issue

Is the VM powered on when you attempt this? Have you tried with the VM powered 
off?

- Sean

On Feb 4, 2013, at 6:48 AM, Tom Miller 
mailto:tmil...@sfgtrust.com>> wrote:
Hi Folks,

VMWare question for you VMWare gurus:  I'm running ESX 5.0, vShpere client 5.0. 
 I  have one server that has many snapshots.  It is probably because BackupExec 
wasn't able to delete the snaphot properly after the vm backup.  This is only 
an issue on this server.  When I browse the datastore --> server name, I see at 
least 10 snapshots.  I've tried to consolidate the snapshots via the client, 
but each time I get an i/o error.

Suggestions or is this a call to support?

Thanks,
Tom

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

RE: Dell windows 8 COA

[Nigel Parker]

Thanks to everyone that responded 
Ok so basically the disks are pre activated on these particular dell
models 

The think that scared me was no coa anywhere, and if we were audited
(again) we wouldn't have any proof. (apart from the invoices) that we
purchased the software legally 

Thanks 
Nigel 


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: 04 February 2013 18:32
To: NT System Admin Issues
Subject: Re: Dell windows 8 COA

On Mon, Feb 4, 2013 at 10:45 AM, David Lum  wrote:
> I don't know that the key is embedded in the BIOS so much that the OS 
> install looks for some specific BIOS properties, I've been able to 
> re-install via CD across various Dell models (I can install XPSP3 on a

> machine that came with XPSP2, for example).

  XP is not Win 8.

  From my investigations:

  XP's OEM pre-activation involved a few files on the OEM CD
("OEMBIOS.*").  Typically all CDs from a given OEM were identical (or
maybe within a major product  line), all containing the same OEM SLP PK
(which did *not* match the COA PK for any given unit).  There was
nothing unit-specific in the BIOS that was checked.  The XP activation
routines just checked to make sure the OEM hardware generically matched
the OEM software.  If it did, the system was considered pre-activated;
the user did not need to enter a PK.  If that failed, there was still a
PK printed on the COA which the user could enter.

  Win 8 is completely different.  There is no COA.  There is no PK
provided to the customer.  The unit-specific activation data is
installed in the ACPI BIOS.  Specifically, two tables are mentioned SLIC
("software license") and MSDM ("Microsoft Data Management").  The OEM
loads the data during manufacturing.  The Win 8 activation routines
verify the integrity of the BIOS info vs the rest of the hardware
signature, and against the overmind at Microsoft, to activate.

http://msdn.microsoft.com/en-us/library/windows/hardware/hh673514.aspx

OEM = Original Equipment Manufacturer (MSFT uses this to mean "PC
vendor") SLP = System Locked Pre-Activation PK = Product Key COA =
Certificate of Authenticity

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



Please consider the environment before printing this e-mail.

The statements and opinions expressed in this email are my own and may not 
represent those of Ultraframe (UK) Ltd.
This email is subject to copyright and the information contained in it is 
confidential and may be legally privileged. It is sent out only for intended 
recipient(s). Access to this email by anyone else is unauthorised. If you are 
not an intended recipient, any disclosure, copying, distribution or other use 
or any action taken or omitted to be taken in reliance on it, is prohibited and 
unlawful.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin