How-To

Removing a Orphaned Virtual Machine from vRealize Automation

**** ATTENTION !!! ****
**** Please be sure to BACKUP any related databases

 

The following steps provide information on removing virtual machines from VMWare vRealize Automation (vRA).

These steps are to be used when the following conditions exist:

  • A virtual machine that is being managed without being deleted from the endpoint.
  • You want to manually remove the machine from the endpoint.

 

vRA Application Steps:

Log into vRA – https://vcac.yourdomain.tld using your-domain\*your-user-id*

  1. Click the Infrastructure Tab
  2. Click Machines > Reserved Machines
  3. Search for Service Name (e.g. VRA-FAQ360)
  4. Delete the associated service

SQL Database Steps:

  1. Connect to SQL Database Server: VRA-SQL
  2. In “Object Explorer” window, Locate database vCAC
  3. Backup the vCAC database
  4. Expand the vCAC database
  5. Under Programmability > Stored Procedures, locate ‘dbo.usp_RemoveVMFromVCAC’
  6. Execute Procedure and apply ID of the Multi-Machine Service (e.g. VRA-FAQ360)
  7. Repeat this step for each instance

Notes:

The store procedure may look like the following:

USE [vCAC]
GO

DECLARE @return_value int

EXEC @return_value = [dbo].[usp_RemoveVMFromVCAC]
@MachineName = N’VRA-FAQ360′

SELECT ‘Return Value’ = @return_value

GO

Privacy & Google Search Alternatives

When it comes to privacy, using Google search is not the best of ideas. When you use their search engine, Google is recording your IP address, search terms, user agent, and often a unique identifier, which is stored in cookies.

Here are a few Google search alternatives

 

DuckDuckGo is a US-based search engine that was started by Gabriel Weinberg in 2008. It generates search results from over 400 sources including Wikipedia, Bing, Yandex, and Yahoo. DuckDuckGo has a close partnership with Yahoo, which helps it to better filter search results. This is a great privacy-friendly Google alternative that doesn’t utilize tracking or targeted ads.

Searx is a very privacy-friendly and versatile open source metasearch engine that gathers results from other search engines while also respecting user privacy. One unique aspect with Searx is that you can run your own instance

Qwant – is a private search engine that is based in France and was started in 2013. Being based in Europe, the data privacy protections are much stricter, as compared to the United States.

Metager – is a private search engine based in Germany, implementation of free access to knowledge and digital democracy. Ref: https://metager.de/en/about

StartPage – StartPage gives you Google search results, but without the tracking.
Ref: https://classic.startpage.com/eng/protect-privacy.html#hmb

 

Set up the Default Domain for vCenter Single Sign-On | Tech-Short

vCenter Single Sign by default requires the user to specify the domain during authentication with vCenter.
Example: JERMSMIT\admin or admin@JERMSMIT.LAB.

You can eliminate the need to insert the domain in the username by following the following steps.

 

  1. Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

  2. Browse to Administration > Single Sign-On > Configuration.
  3. Under the Administration, configuration locate the Identity Sources tab
  4. On the Identity Sources tab, select an identity source and click the Set as Default Domain icon.
  5. In the domain display, the default domain shows (default) in the Domain column. Set the domain of choice as your new default.

The next time when you attempt to login into vCenter, you can omit the DOMAIN from your username.

Full ref located here
Full Link: https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.psc.doc/GUID-11E651EF-4503-43BC-91F1-15502D586DE2.html

 

CredSSP encryption oracle remediation

If you’re like me, you have encountered this error remoting into one of your servers.

An Authentication error has occurred. The function requested is not supported.
Remote computer: <servername> This could be due to CredSSP encryption oracle remediation

The quick solution is to patch your host from one of the patches here

If you are unable to patch and then issue the mandatory reboot of the remote server then you can apply the following registry fix

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
“AllowEncryptionOracle”=dword:00000002

Workaround Warning

After you change the following setting, an unsecured connection is allowed that will expose the remote server to attacks. Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case of problems occurring.

 

Scenario 1: Updated clients cannot communicate with non-updated servers

The most common scenario is that the client has the CredSSP update installed, and the Encryption Oracle Remediationpolicy setting does not allow an insecure RDP connection to a server that does not have the CredSSP update installed.

To work around this issue, follow these steps:

  1. On the client has the CredSSP update installed, run gpedit.msc, and then browse to Computer Configuration > Administrative Templates > System > Credentials Delegation in the navigation pane.
  2. Change the Encryption Oracle Remediation policy to Enabled, and then change Protection Level to Vulnerable.

If you cannot use gpedit.msc, you can make the same change by using the registry, as follows:

  1. Open a Command Prompt window as Administrator.
  2. Run the following command to add a registry value:
    REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\ /v AllowEncryptionOracle /t REG_DWORD /d 2

Scenario 2: Non-updated clients cannot communicate with patched servers

If the Azure Windows VM has this update installed, and it is restricted to receiving non-updated clients, follow these steps to change the Encryption Oracle Remediation policy setting:

  1. On any Windows computer that has PowerShell installed, add the IP of the VM to the “trusted” list in the host file:
    Set-item wsman:\localhost\Client\TrustedHosts -value <IP>
  2. Go to the Azure portal, locate the VM, and then update the Network Security group to allow PowerShell ports 5985 and 5986.
  3. On the Windows computer, connect to the VM by using PowerShell:
    For HTTP:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "<<Public IP>>" -port "5985" -Credential (Get-Credential) -SessionOption $SkipFor HTTPS:
    $Skip = New-PSSessionOption -SkipCACheck -SkipCNCheck Enter-PSSession -ComputerName "<<Public IP>>" -port "5986" -Credential (Get-Credential) -useSSL -SessionOption $Skip
  4. Run the following command to change the Encryption Oracle Remediation policy setting by using the registry:
    Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' -name "AllowEncryptionOracle" 2 -Type DWord

 

CVE-2018-0886 – CredSSP Remote Code Execution Vulnerability

Description

A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploited this vulnerability could relay user credentials and use them to execute code on the target system. CredSSP is an authentication provider which processes authentication requests for other applications; any application which depends on CredSSP for authentication may be vulnerable to this type of attack. As an example of how an attacker could exploit this vulnerability against Remote Desktop Protocol, the attacker would need to run a specially crafted application and perform a man-in-the-middle attack against a Remote Desktop Protocol session. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The security update addresses the vulnerability by correcting how Credential Security Support Provider protocol (CredSSP) validates requests during the authentication process.

The vulnerability impacts Windows 7, Windows 8.1, and Windows 10 systems, as well as Windows Server 2008, Windows Server 2012, and Windows Server 2016.

Download patches here

To address the issue, Microsoft released an update to correct the manner in which CredSSP validates requests during the authentication process. The update patches the CredSSP authentication protocol and the Remote Desktop clients for all affected platforms.

“Mitigation consists of installing the update on all client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible,” Microsoft says.

I have noticed that this patch has been disruptive to system owners who use remote desktop to access and manage servers.  Installing the patch on a client host w/o having it installed on the remote endpoint will end in an error preventing you from accessing them.

 

Its best to upgrade endpoints (servers) before client systems

Ref: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886