Microsoft EMET 4.1 - Part 1

Posted by Ahmed Nabil | 0 comments»
Microsoft EMET 4.1 tool Part 1 for Basic Installation and configuration in Arabic



Force Log off of idle Remote sessions on Server 2008 R2

Posted by Ahmed Nabil | 0 comments»
Normally, IT users connect to servers using RDP/MSTSC to administer and configure them. However, they often leave their sessions open and forget to log off after finishing their work, especially if it's a long task or they are used to connecting to these servers on a regular basis. This can cause several security issues as well as account problems, especially if the user changes their password while a session is still logged on to another server.

You can easily force idle sessions on remote servers to log off by creating a scheduled task on those servers. The example below forces idle sessions to log off after one hour.

To create the needed task you need to do the following:

  1. Open the Task Scheduler and click Task Scheduler Library.
  2. Create a new task.
  3. Type the name of the task and select the "Run with highest privileges" check box.
  4. On the Triggers tab, click New and choose "On idle".
  5. On the Actions tab, click New and choose logoff.exe (the default path of logoff.exe is C:\Windows\System32).
  6. On the Conditions tab, set the idle time. In this example, the idle time is 1 hour.

It's a simple solution, but it fixes the problem of several idle connections on the server blocking other users from connecting (I am mainly talking about normal servers with no Terminal Server role installed, where you have only two sessions available for remote users).
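
The same task can be created from an elevated PowerShell prompt with the built-in schtasks.exe, which is convenient when the setting has to be repeated on several servers. This is an added example, not part of the original post; the task name is a placeholder, and it assumes the prompt runs as the account whose idle session should be logged off.

```powershell
# Added example: scripted equivalent of steps 1-6 using the built-in schtasks.exe.
# Works with PowerShell 2.0 (Server 2008 R2). Run from an elevated prompt.
$TaskName    = 'ForceLogoffIdleSession'   # hypothetical name chosen for this example
$IdleMinutes = 60                         # 1 hour, as in the post (schtasks accepts 1-999)
$LogoffExe   = Join-Path $env:SystemRoot 'System32\logoff.exe'

if (-not (Test-Path $LogoffExe)) {
    throw "logoff.exe not found at $LogoffExe"
}

# /SC ONIDLE  -> "On idle" trigger                 (step 4)
# /TR         -> action: run logoff.exe            (step 5)
# /I          -> idle time in minutes              (step 6)
# /RL HIGHEST -> "Run with highest privileges"     (step 3)
# /F          -> overwrite an existing task with the same name
& schtasks.exe /Create /TN $TaskName /TR $LogoffExe /SC ONIDLE /I $IdleMinutes /RL HIGHEST /F
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Create failed with exit code $LASTEXITCODE"
}

# Read the task definition back as XML so the result can be reviewed
# instead of trusting the "SUCCESS" message alone.
$raw = & schtasks.exe /Query /TN $TaskName /XML | Out-String
if ($LASTEXITCODE -ne 0) {
    throw "schtasks /Query failed with exit code $LASTEXITCODE"
}
[xml]$task = $raw

# Summarise the settings that correspond to the GUI steps.
New-Object PSObject -Property @{
    TaskName       = $TaskName
    HasIdleTrigger = ($task.GetElementsByTagName('IdleTrigger').Count -gt 0)
    RunLevel       = $task.Task.Principals.Principal.RunLevel
    RunAs          = $task.Task.Principals.Principal.UserId
    Command        = $task.Task.Actions.Exec.Command
    IdleSettings   = $task.Task.Settings.IdleSettings.InnerXml
} | Format-List
```

To remove the task again, run `schtasks.exe /Delete /TN ForceLogoffIdleSession /F`.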






SCOM Event 26004, Health Services Module. Hyper-V Image Management Service admin Event Log

Posted by Ahmed Nabil | 1 comments»
I was working lately on migrating and moving all our virtual machines from Hyper-V 2008 R2 hosts to the latest 2012 R2 Hyper-V hosts. We installed the Hyper-V 2012 and 2012 R2 SCOM Management Packs to monitor our new servers while keeping the old 2008 Hyper-V Management Pack, since there are still VMs hosted on 2008 R2 (transition phase).

It was noticed that Event ID 26004 is repeated on a daily basis on my Hyper-V 2012 R2 host servers, under the Operations Manager log in the server's Event Viewer.



The Image Management Service Admin event log was only available back in Hyper-V 2008 R2 hosts, and it doesn't exist in Hyper-V 2012 or 2012 R2.



Problem

On my SCOM server I have three Hyper-V Management Packs, for 2008 R2, 2012 and 2012 R2 Hyper-V hosts. Logically, each Management Pack should identify its relevant servers and point all its monitors only at them. However, it looks like the 2008 R2 Management Pack, which includes the Image Management Service Admin event log, is pointing at the 2012 and 2012 R2 servers and trying to get this data from them.

Upon checking this issue with several Microsoft Support engineers, they confirmed that when the 2008 R2 Management Pack was created, the workflow was targeted very broadly and affected all Hyper-V hosts. Even if you have the correct Management Pack for 2012 or 2012 R2, this won't stop the 2008 MP from monitoring and targeting the newer Hyper-V servers.

Solution

The solution is to disable the targeting of this monitor from the 2008 MP at the 2012 and 2012 R2 servers.

To do this, follow these steps:

1. In the SCOM Console, go to Authoring - Management Pack Objects - Monitors and use Find to search for "mounted drive".



2. To confirm that this monitor, although it belongs to the 2008 MP, is also targeting 2012 and 2012 R2, go to Monitoring - Discovered Inventory in the SCOM Console and change the target type to Hyper-V Virtual Hard Disk. You will find that all Hyper-V servers are listed, not only the 2008 R2 hosts.

3. From Authoring - Groups, create a new group, give it a name and place it in a new customized Management Pack.

4. Under Explicit Members, click Add/Remove Objects. Add all 2012 R2 and 2012 servers and disks (search for Hyper-V Virtual Hard Disk and Windows Server 2012/2012 R2 Full Computer).



5. Right-click the SCOM monitor (Hyper-V Virtual Hard Disk - Mounted drive Read-Only), choose to disable the monitor "For a group" and pick the group created in step 3. Enable and enforce the override.







This should fix the problem. Also, if all VMs have been migrated to 2012 R2 or 2012 hosts and there are no more 2008 R2 Hyper-V hosts in the environment, you can delete the 2008 Hyper-V Management Pack from SCOM to avoid this issue or similar ones.