Category: Cireson

When Configuration Manager Goes Bad! and How Cireson can Help.

Let me start by saying I Love Configuration Manager!

For those of you that don’t know, System Center Configuration Manager is now 25 years old. Brad Anderson recently blogged about it and even celebrated this milestone at Microsoft Ignite.

Personally, my love affair with ConfigMgr started when it was still SMS. (No, not a text message service, but Server Management System.) Over the years, as the product has grown and become more and more powerful, my infatuation with it has continued to increase, and now it is an awesome tool that I cannot imagine doing without.

Before SMS or ConfigMgr, admins had to visit each machine for updates or software installs; we had no clue what was installed on which machine, and don’t even get me started on patch management.

Throughout the years more and more functionality has been added to the product to make it more efficient and to solve admin issues time and again, including software deployment, patch management, operating system deployment, baseline configuration, inventory reporting, software metering and even antivirus!

However, there is one big issue with all this new-found power. As someone famous once said:

With great power comes great responsibility!

With the power to deploy a single patch to many machines with just one click comes the potential for disaster of sending the wrong patch to the wrong machines. (or worse, the wrong Task Sequence).

Anyone who has been a ConfigMgr admin for any length of time has war stories of when the wrong advertisement was sent to the wrong collection and business was impacted in some way. Many of these stories are small slowdowns or minor interruptions in service, but some are more like “Resume generating events”.

A very public example of this occurred in late July back in 2012. The Commonwealth Bank of Australia (The second largest bank in Australia) was effectively taken “Offline” and unable to open the doors of the majority of their 1,000 branches for trading due to a “Systems Outage”.

The official line from the bank at the time was “a problem with an internal software upgrade”. However, it was reported that “… 9,000 desktop PCs, hundreds of mid-range Windows servers (sources said as high as 490) and even iPads had been rendered unusable….”

Unofficially, a simple mistake by a ConfigMgr admin advertising an OSD Task Sequence to the “All Systems” collection saw teller machines, AD servers and god knows what else reboot and format the hard drive in preparation for installation of a new OS.

While there are no official numbers on the business cost to the bank or the cost of restoring the systems, I think we should all ask ourselves, “What would this type of impact cost your company?”

I don’t want to harp on this individual incident and break down the exact DNA of the outage, others have done this in the past. What I do want to do is talk about how we can make sure this does not happen to us, or at least minimise the potential risk.

How Can We Prevent ConfigMgr Disasters?

The biggest risk we have with ConfigMgr is the lack of control or granularity of security around deployments and limitations on what collections can be advertised to.

By default, all admins can send any package to any collection. Role Based Access Control (RBAC) within ConfigMgr does allow for some configuration of administration; however, it is not simple or straightforward to implement and has many limitations.

When an administrator deploys an OS Deployment task sequence to a collection with hundreds or thousands of clients, ConfigMgr warns the admin that the action is a “High Risk” deployment and asks them to confirm the action. However, if the same admin sends patches or software updates to the same collection, no warning is given.

  • What if we could put warnings on ANY deployment type when sent to a collection containing large numbers of computers?
  • What if RBAC was more powerful and easier to use?
  • What if we could keep non-critical personnel out of the ConfigMgr console?
  • What if you could even add a bunch of support tools directly in to a single pane of glass?

Well that’s exactly what the Cireson True Control Center (TCC) does! 🙂

True Control Center is Cireson’s latest version of the Configuration Manager platform and allows organisations to control who sees and does what within Config Mgr, all while making it super easy for them to come up to speed and learn so they can be more productive faster.

So let’s take a look at each of the key points that Config Manager admins and Support Desk managers would be interested in:

Simple and Powerful RBAC

Using super simple RBAC rules it is possible to lock down what computers or users are visible to groups of users. This gives Config Manager admins the ability to limit what users can see and therefore the damage that can be inflicted if someone makes a mistake.

It also allows them to limit the number of applications that can be advertised and the number of computers that can be advertised to at one time. This removes the potential for an analyst to accidentally rebuild all your domain controllers to Windows 7. 🙂

Remote Manage Support Tools for Computers

True Control Center now introduces Remote Manage support tools that provide analysts with a wide range of simple tools to provide targeted and simple support to customers and computers all from within the browser.

Right clicking a computer and selecting Remote Manage provides a vast list of support tools including:

  • Basic Hardware information, including CPU, RAM, OS, Make and Manufacturer.
  • Process list and control. You can see and kill processes on the remote machine.
  • Services list and control. You can see and stop, start or restart services on the remote machine.
  • Client Actions and Logs. Support actions that allow analysts to trigger common support tools for client computers. Such as:
    • Remote Control
    • Client re-install
    • WMI repair
    • Remote PowerShell
    • and much more…..


Remote Manage Support Tools for Users

Quite often with Configuration Manager, users in an environment are forgotten about. However, all the users in an AD domain are listed in Configuration Manager and are kept up to date. Wouldn’t it be great to introduce user tools to allow support actions such as Password Reset, Account Unlock and Software Deployment?

Well now you can!
All from the one tool!


Audit Trail

A common security issue organisations face is how to audit which internal staff member invoked a specific action. The most common example is resetting a user’s password. To let support staff reset passwords, an organisation will usually grant the right to reset passwords via AD security and then give the support staff access to AD Users and Computers. That staff member can then reset anyone’s password and gain access to their account, and there is no audit trail to show who did what and when.

By using True Control Center to reset or unlock user accounts, a single service account holds the rights to unlock accounts and reset passwords, and every time an account is unlocked or has its password reset, the event is logged against the specific user account that triggered it.

Simple and Intuitive User Interface

Any of the System Center products, while powerful, are complicated to administer through a complex console interface. Many of the workspaces and navigation nodes are not required by most staff and just add complexity and time to learning the solution.

True Control Center reduces complexity and removes the excess navigation menus that an average support representative would not require. This makes the time to benefit for analysts new to the tool very short, allowing them to be effective faster and with less confusion on the learning curve.

Support Tool Integration

The nirvana of support tools for analysts is a “Single Pane Of Glass” that they can use to log calls, track and update calls, investigate and resolve calls and also report from.

In all my 20+ years of experience with ITSM tools, I can honestly say, I’ve NEVER seen an ITSM solution that even comes close to this goal……   until now.

With the recent release of v4.8.x of Cireson’s Analyst portal for System Center Service Manager, analysts now have access to all the regular ITSM goodness that the Analyst Portal provides, but now also access to the Remote Manage tools of True Control Center directly from any associated Computer CI!

  • No changing apps.
  • No need for multiple screens.
  • No need for copy and paste of machine names between apps.
  • All while being secure and audited.


But I don’t use System Center Service Manager, I hear you cry. (Why not? I ask…)
Don’t despair: the True Control Center functionality has a flexible API that you can use to create a custom integrated solution in your ITSM tool of choice!

No Console App Required

Traditional use of the Configuration Manager console requires an analyst to install the console on their computer to administer or use the tool’s functionality. This ties the analyst to a specific workstation that they must return to, or remotely access, to achieve even the most basic tasks.

True Control Center is a web based application and can therefore be accessed from anywhere including mobile devices and even outside the organisation. Analysts can trigger the required events from any browser without having the delay and effort of returning or remote accessing to their primary workstation.


True Control Center is an amazing tool that any organisation that runs Configuration Manager should review. It quickly and easily delivers real world benefits to any analyst responsible for the configuration and health of end users and computers.

Reducing time-to-resolution is a constant goal for support organisations and the Cireson True Control Center solution delivers the tools to drive down the time and effort required to achieve the most common tasks all while ensuring security and the ability to audit activity.

Do your support team a favour and get an onsite trial organised today or even try it out in the online demo environment with no need to install a thing.


Securing Cireson True Password Reset for Use Over The Internet

Many customers with Cireson’s True Password Reset need to publish the password reset portal external to the organisation enabling end users the ability to change their domain passwords from anywhere. Publishing the solution externally provides great value and flexibility however, internet facing web servers create security concerns that MUST be addressed to reduce security risk to the organisation.

In this blog post I will take you through some steps to ensure the security of your site is as high as possible.


The most obvious first step in securing ANY web site is to enable HTTPS (port 443) with a signed, trusted certificate. This is ubiquitous throughout the internet nowadays and gives us assurance that no one has hijacked the communications between the client and the server, therefore preventing replay attacks.

To set the True Password Reset site to accept an HTTPS connection we first must provide it with a certificate to use to secure the communications. For testing you can use a self-signed certificate but for production use it is recommended to use a publicly signed certificate to ensure maximum compatibility regardless of what machine your end users are connecting from.

The easiest way to include a certificate in to the True Password Reset site is at installation time. Ensure the certificate is installed on the server(s) that will be hosting the password reset server and select the required certificate and installation time.

This will save the certificate values into the configuration settings to ensure HTTPS is available for end users.



To ensure all users visit the True Password Reset site across a secure channel, we want to enforce HTTPS on the page. To do this we have to disable HTTP protocol, or simply stop Port 80 listening.

To do this:

  • Log on to the server hosting True Password Reset.
  • Within the Password Reset installation folder, open Platform_CiresonPasswordReset.Config in a text editor such as Notepad++.
  • Within the URLS section, remove the value "http://*:80" and ensure "https://*:443" is present.
  • Save the file and restart the CiresonPasswordReset service.

Once this change has been made, if a user navigates to HTTP:// they should be greeted with a 404 Error as the server is no longer responding on that port.
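As an added check that is not part of the original post, the following PowerShell script confirms from another machine that the password reset host has stopped answering on port 80 and still completes a TLS handshake on port 443, reporting the protocol and cipher the server actually negotiated. The host name is an assumption; a refused or timed-out connection on port 80 is treated as the pass condition.

```powershell
# Added example (not Cireson's code): verify the port 80 listener is gone and
# that 443 still answers with a TLS handshake. Run from a client machine.
$HostName  = 'passwordreset.example.com'   # assumption: public name of the portal
$HttpPort  = 80
$HttpsPort = 443

function Test-PortOpen {
    # True if a TCP connection to the port succeeds; -InformationLevel Quiet returns a bool.
    param([string]$HostName, [int]$Port)
    return [bool](Test-NetConnection -ComputerName $HostName -Port $Port `
        -WarningAction SilentlyContinue -InformationLevel Quiet)
}

function Get-TlsHandshake {
    # Opens a TLS session purely to see what the server negotiates. The validation
    # callback accepts any certificate on purpose: this checks the channel, not trust.
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            KeyExchange = $ssl.KeyExchangeAlgorithm
            Subject     = $ssl.RemoteCertificate.Subject
        }
    } finally {
        $tcp.Close()
    }
}

function Test-HttpsOnly {
    # Pass = port 80 closed AND port 443 open AND a TLS handshake completes on 443.
    param([string]$HostName, [int]$HttpPort, [int]$HttpsPort)
    $result = [ordered]@{
        HttpClosed = -not (Test-PortOpen -HostName $HostName -Port $HttpPort)
        HttpsOpen  = Test-PortOpen -HostName $HostName -Port $HttpsPort
        Handshake  = $null
    }
    if ($result.HttpsOpen) {
        $result.Handshake = Get-TlsHandshake -HostName $HostName -Port $HttpsPort
    }
    $result.Pass = [bool]($result.HttpClosed -and $result.HttpsOpen -and $result.Handshake)
    return [pscustomobject]$result
}

Test-HttpsOnly -HostName $HostName -HttpPort $HttpPort -HttpsPort $HttpsPort | Format-List
```

Run it after the service restart; if HttpClosed comes back False, the "http://*:80" entry is still in the URLS section or the service has not been restarted. The Protocol value in the handshake output is the same figure the SSL Labs report will grade in the next section.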


Once we have forced end users to communicate over HTTPS only, we need to make sure that the correct protocols are being used and that no outdated security ciphers are enabled that may expose weaknesses or open us to known attacks.

So how do we know if our server is secure or not?

The best way to know where you stand is to check your server against some of the free tools that are available on the internet for scanning sites for known issues.

Some examples are:

  • SOPHOS – Used for checking what response headers are returned from your site to tell browsers and search web crawlers what to and what not to scan and record from your site.
  • Symantec CryptoReport – Used for checking your certificate plus a bunch of server configurations.
  • Qualys SSLLabs – Used for giving an in-depth report on what protocols and ciphers are enabled and what possible attacks can be launched against any weak or outdated configurations.

The top two things you can do to secure your site in relation to protocols and ciphers are:

  1. Disable SSL.
  2. Configure TLS.

To do this I would suggest using a tool called IIS Crypto which is a free tool from Nartac Software. Those of you who are concerned that the name of the tool has IIS in the name and the True Password Reset app does not use IIS, do not despair. The underlying web protocols are intrinsic to Windows, not the web hosting service.

With this tool installed you have two choices for configuring the settings you need:

  • Download the template that I have created to set these exact settings described below.
  • Configure the following settings manually.


The only protocols that should be enabled are:

  • TLS 1.0
  • TLS 1.1
  • TLS 1.2

Uncheck any others.

NOTE: If you wish to score an A+ on Qualys SSLLabs, you will have to disable both TLS 1.0 and 1.1 to prevent the protocol from being able to “Fallback” to other protocols and potentially suffering from a protocol downgrade attack such as POODLE.


The only ciphers that should be enabled are:

  • Triple DES 168
  • AES 128/128
  • AES 256/256

Uncheck any others.


Uncheck the MD5 hash as this is the only one in the list that is known to be weak.

Key Exchanges

All the key exchanges that are listed are fine and can be left enabled.

Cipher Suite Ordering

The order in which your server offers up its cipher suites to browsers can have a significant impact on your implementation of TLS. To take maximum advantage of the suites shipped with Windows Server 2016, ensure the order of the cipher suites is as follows:

  • TLS_ECDHE_RSA cipher suites should be first in the list.
  • TLS_DHE_RSA should come after any of the above cipher suites.

If you have an elliptic curve digital signature algorithm (ECDSA) certificate, you could move the TLS_ECDHE_ECDSA ciphers to the top to ensure the most robust cipher is used; however, most of us do not have one of these certificates, so these ciphers can be disabled to speed up negotiation.

Finally, it is important to ensure that all TLS_DHE ciphers are disabled. The Diffie-Hellman key exchange cipher is known to have issues that I won’t get into here in this article, but suffice to say this should be disabled on your server.
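For those who would rather script the protocol, cipher, hash and cipher-suite-order settings above than click through IIS Crypto, here is an added PowerShell example. It is not Cireson's or Nartac's code and is not the template mentioned above; it writes the same SChannel registry values IIS Crypto manages and uses the Get-/Enable-/Disable-TlsCipherSuite cmdlets built into Windows Server 2016. The explicit list of weak ciphers it disables (NULL, DES, RC2, RC4) is my reading of "uncheck any others"; SChannel key names are the standard Windows ones.

```powershell
# Added example (not Cireson's or Nartac's code): apply the SChannel settings from
# this post via the registry and order the cipher suites. Run elevated; SChannel
# reads these keys at boot, so reboot and re-test with SSL Labs afterwards.
$schannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    # Enabled=1/DisabledByDefault=0 turns a protocol on; Enabled=0/DisabledByDefault=1 turns it off.
    # Server and Client sub-keys are both set so outbound connections follow the same policy.
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = "HKLM:\$schannelPath\Protocols\$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Set-SchannelAlgorithm {
    # Cipher/hash key names such as 'AES 128/128' contain a slash, which the PowerShell
    # registry provider treats as a path separator, so the .NET registry API is used here.
    param([ValidateSet('Ciphers', 'Hashes')][string]$Category, [string]$Name, [bool]$Enabled)
    $categoryKey = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$schannelPath\$Category")
    $key = $categoryKey.CreateSubKey($Name)
    # -1 is stored as DWORD 0xFFFFFFFF, the documented "enabled" value; 0 disables.
    $key.SetValue('Enabled', $(if ($Enabled) { -1 } else { 0 }), [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close(); $categoryKey.Close()
}

function Set-CipherSuiteOrder {
    # ECDHE_RSA suites first, DHE_RSA next, everything else after, as the post recommends.
    $names   = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    $ordered = @($names | Where-Object { $_ -like 'TLS_ECDHE_RSA_*' }) +
               @($names | Where-Object { $_ -like 'TLS_DHE_RSA_*' }) +
               @($names | Where-Object { $_ -notlike 'TLS_ECDHE_RSA_*' -and $_ -notlike 'TLS_DHE_RSA_*' })
    foreach ($n in $names) { Disable-TlsCipherSuite -Name $n }
    for ($i = 0; $i -lt $ordered.Count; $i++) { Enable-TlsCipherSuite -Name $ordered[$i] -Position $i }
    return $ordered
}

function Get-SchannelReport {
    # Reads back what is now in the registry so the change can be reviewed before the reboot.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($schannelPath)
    foreach ($cat in 'Protocols', 'Ciphers', 'Hashes') {
        $catKey = $root.OpenSubKey($cat)
        if (-not $catKey) { continue }
        foreach ($entry in $catKey.GetSubKeyNames()) {
            # Protocol values live one level down, in the Server sub-key.
            $leaf = if ($cat -eq 'Protocols') { $catKey.OpenSubKey("$entry\Server") } else { $catKey.OpenSubKey($entry) }
            if ($leaf) {
                [pscustomobject]@{ Category = $cat; Name = $entry; Enabled = $leaf.GetValue('Enabled') }
            }
        }
    }
}

# --- Protocols: only TLS on, SSL off (set TLS 1.0 and 1.1 to $false for the SSL Labs A+) ---
foreach ($p in 'SSL 2.0', 'SSL 3.0')            { Set-SchannelProtocol -Name $p -Enabled $false }
foreach ($p in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') { Set-SchannelProtocol -Name $p -Enabled $true }

# --- Ciphers: the three the post keeps, with the weak ones explicitly switched off ---
foreach ($c in 'Triple DES 168', 'AES 128/128', 'AES 256/256') {
    Set-SchannelAlgorithm -Category Ciphers -Name $c -Enabled $true
}
foreach ($c in 'NULL', 'DES 56/56', 'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
               'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128') {
    Set-SchannelAlgorithm -Category Ciphers -Name $c -Enabled $false
}

# --- Hashes: MD5 is the only one the post removes; key exchanges are left as they are ---
Set-SchannelAlgorithm -Category Hashes -Name 'MD5' -Enabled $false

Set-CipherSuiteOrder | Out-Null
Get-SchannelReport | Format-Table -AutoSize
```

Two points worth knowing before running it: the cipher and hash keys must be written through the .NET API because of the slash in names like "AES 128/128", and none of it takes effect until the server is rebooted, so the report at the end shows what will apply, not what is applied.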

That’s it.

Hope this guide has been useful.

Thanks to Blue Coat Photos for the post image.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Microsoft’s New Intune Troubleshooting Portal is a Real Plus For Useful Support

Microsoft’s Intune product is not something that I have blogged much about, in fact this is the first blog I’ve ever written on the product. But that’s all about to change….

Microsoft Intune was originally designed as an online “Lite” version of System Center Configuration Manager for smaller organisations with a very mobile workforce. It was very slow to gain much momentum, as many organizations already had System Center Configuration Manager and could not see the value of the product.

Over the years Microsoft have slowly but surely shifted the Intune product towards Mobile Device Management and have even started to integrate it with System Center Configuration Manager in a “Hybrid” mode. (More on this in later blog posts)

In late October this year (26th October 2016 to be precise) the Enterprise Mobility and Security team announced a new Troubleshooting Portal for the Azure platform.

This new troubleshooting portal provides analysts with a range of critical data exactly when and where they need it to resolve issues for end users who may be experiencing issues with their Intune connected mobile devices.

As the Microsoft Intune Team says in their announcement blog post:

Having the right data at your fingertips is a must when you’re troubleshooting issues with your end users. Intune’s new Troubleshooting Portal provides a “single pane of glass” for reviewing device status, assignments and policies affecting a user, eliminating the need to click into multiple workloads to diagnose issues.

…..this is a big win for IT Pros and Support or Helpdesk workers who want to resolve end user issues faster with less effort.

The user details that an analyst can view for each user are:

  • User status
  • Group assignment
  • Application and policy assignments
  • App protection status
  • Compliance issues
  • Device status
  • Device details (Such as OS type and version)

But I don’t want to give my Helpdesk staff access to my Intune environment!

No worries there.

Intune’s inbuilt Role Based Access Control (RBAC) solution allows admins to grant support and helpdesk staff access to just the items they require and nothing else. The inbuilt Helpdesk Operator role grants members access to end users’ assignments, policies, devices, apps etc., and even lets them see whether devices are registered in AD; in the future you will even be able to see application installation status and device enrollment status.

Getting access to this level of information on the helpdesk at the time of a user’s call to the service desk is very powerful in helping staff resolve issues at first contact and get your end users back to fully functional work as soon as possible.

If only Configuration Manager had a nice friendly website that we could give easy RBAC access to for Helpdesk and Support staff to get basic troubleshooting information without them needing the console or giving away the keys to the ConfigMgr kingdom……   Oh wait….   I’m sure I’ve blogged about that before…..  🙂


Cireson Software Asset Management – Tracking Operating Systems

The question of tracking Operating Systems within the Cireson Asset Management solution came up the other day and I thought I’d put together a quick blog post to cover off why we would do this and more importantly how.

Why Track OS Versions in Asset Management?

First off, I think it is important to ask yourself why you would want to track Operating Systems within your organisation, as it might not give you any metrics or data that are useful in any way.

For example: if your organisation has an Enterprise Agreement with Microsoft that covers Windows for all of your PCs, then why do we need to report on it? If we know for sure that we are covered regardless of which version of the OS is used, then there are no useful reports we can gain about OS licensing.

However, we could get some reports about how our upgrades are going or if a particular threat is seen for a specific OS we could quickly report on what our exposure would be.

So the first thing that you really need to do is determine if it is worth tracking Operating Systems before investing time and effort in to setting these up.

How to Track OS Versions in Asset Management

If we have decided to track OS versions then we need to make sure we cover all OS’s that we want to track by creating Software Assets for each of the branches that we want to track.

For Example: If you are wanting to track just major versions (Windows 7, 8, 10) then it is possible to create a Software Asset for each of these without needing to go any lower level.

However, if you are trying to ensure workstations are up-to-date, then you will have to create a software asset for each SKU of Windows OS (e.g. Windows 10 Home, Windows 10 Enterprise)

Once all individual OS’s are tracked, I would also suggest creating two Software Assets called “All Windows Desktop OS’s” and “All Windows Server OS’s”. These will have bundle rules for all of the OS’s so you can track licensing if you have a limited number of OS licenses.

Below is a list of OS’s that could be tracked, but it would be up to the individual as to which ones to use.

Server OS’s

Microsoft Windows Server 2003 Enterprise Edition R2
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Standard Edition R2
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008 Enterprise
Microsoft Windows Server 2008 R2 Enterprise
Microsoft Windows Server 2008 R2 Standard
Microsoft Windows Server 2008 Standard
Microsoft Windows Server 2012 Datacenter
Microsoft Windows Server 2012 R2 Datacenter
Microsoft Windows Server 2012 R2 Standard
Microsoft Windows Server 2012 Standard
Windows Server 2016 Datacenter
Windows Server 2016 Standard

Desktop OS’s

Microsoft Windows 10 Enterprise
Microsoft Windows 10 Pro
Microsoft Windows 7 Enterprise
Microsoft Windows 7 Professional
Microsoft Windows 7 Ultimate
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Ultimate
Microsoft Windows 8 Enterprise
Microsoft Windows 8 Professional
Microsoft Windows 8.1 Enterprise
Microsoft Windows 8.1 Professional
Microsoft Windows Vista
Windows XP Professional

How to Enter OS Versions in Asset Management

Now all you have to do is enter these in the Cireson Asset Management and we are done right?

Not so fast.

We have a few options to play with here including an option that is “This is an OS”. Seems fairly obvious that we would select this right?

Not so much.

This option looks in a separate location of the ConfigMgr data instead of the Add or Remove Programs list, but the Windows OS is also recorded in the Add or Remove Programs list and can often have more detail, so it is better not to use this option.

Entering Software Assets one at a time can be a challenge and take a lot of time, so to make it easier, here is an Excel file filled with all the information you need to make this happen by importing via Cireson Asset Import, or Cireson Asset Excel.


Happy reporting.

A New Way to Look at System Center Configuration Manager

If you are like me and have spent many years (even decades) looking at the Configuration Manager console, you probably can’t imagine that there could possibly be any other way to do your work on a day-to-day basis. Navigating the Configuration Manager console becomes second nature after a while and we don’t really think about it.

However, what if there was a new way to look at the Configuration Manager console that was easy to teach new staff members to learn and use, gives staff members access to just the features they need (and no more) and is available everywhere we need it without needing an app installed?

Well now there is!

Cireson, Your System Center Experts, have announced the Cireson Portal for Configuration Manager. It is a web-based experience to help manage and standardise daily tasks outside of the native Configuration Manager Console. This new approach to the ConfigMgr console empowers everyone on your IT team with anywhere, anytime access to inventory data, collection membership, software management and deployment, OSD management and deployment, and more.

Full Disclaimer: At this point I want to make the disclaimer that I work for Cireson. I also want to point out that I have worked with ConfigMgr since SMS v2.0 and that I will try my utmost to not let my involvement with Cireson colour my judgement of this tool and what it means for the SysAdmin’s daily workload.

With that out of the way….. This product is the best thing since ADR’s!

Any admin who uses ConfigMgr on a daily basis knows what a HUGE relief it was when we got ADR’s in the 2012 release of ConfigMgr. It saved us hours of packaging and testing and mucking about. In my opinion, the Cireson Portal for Configuration Manager is the most important innovation to the administration of  ConfigMgr since ADR’s were introduced.

Why am I so confident about this portal and its claims? The answer is that its build is being directed and overseen by Wally Mead himself. Anyone involved in the Configuration Manager world for more than 5 minutes knows who Wally is, but in case you don’t: Wally was involved with the ConfigMgr product within Microsoft for 22 years and literally wrote the book on all things ConfigMgr. So when I say this solution has pedigree, you know I mean it.

Enough talk, let’s take a look at some of the ways the Configuration Manager Portal changes the way people will use and interact with ConfigMgr on a daily basis.

If you are a ConfigMgr admin in Australia, no doubt you know, and often tell stories at dinner parties, about the incident where “SCCM Task Sequence blew up Australia’s CommBank” also reported as “Disastrous patch cripples CommBank“. Many ConfigMgr admins shudder at the thought of how easy this mistake was and often bring this up when explaining to their managers why they don’t want to give Service Desk or other IT teams access to the ConfigMgr console.

The Configuration Manager Portal is designed to give Configuration Manager Admins what they have always dreamed of… a way to easily give others access to the parts of Configuration Manager they require and nothing else! With the Configuration Manager Portal, Admins can easily configure targeted access for different Analyst Groups using Role-Based Access Control (RBAC) so that these Analysts can add Configuration Manager to their tool belt and maximise the value they bring to the business without the keys to the kingdom….   and potential disaster.

At the core of the Configuration Manager Portal is that it is a locally hosted, web-based portal, so there is no Configuration Manager Console deployment that needs to be created and maintained. It is also a simplified interface that is easy to use and intuitive, thereby reducing the time that needs to be spent training Analysts.


Easy to scope security for all support teams

Don’t get me wrong, the Configuration Manager Portal is not designed to replace the OOB Configuration Manager Console for actual Configuration Manager Administrators. The traditional console has everything an admin needs to not only operate day-to-day, but also upgrade, plan, expand, migrate etc. But for non-admins, or non-admin tasks, the Configuration Manager Portal is perfect to get in and get the job done.

What about a specific example?

For many organisations, the Service Desk (Level 1 Support) is a volume business.  Time management and efficiency are the keys to success for incident and request triage, first-call resolution, and escalation. Correctly gathering and analysing required information about an incident or service request in an expedient manner allows for a faster resolutions or fulfillment of service.

Leveraging the Cireson Portal for Service Manager with the Configuration Manager Portal gives Service Desk Analysts the tools they need to gather and analyze the info they need to do their jobs more efficiently. Upon receiving an Incident Request, they can quickly use the Configuration Manager Portal to gain information on affected resources such as:

  • User Device Affinity lookup and edit
  • Current Inventory
  • Software Deployment Status

The Service Desk Analyst can also use the Configuration Manager Portal to initiate a Software Deployment on demand, if you as the admin allow it via an RBAC right.


Simple console interface from any browser

What about Desktop Support or the Server team?

Desktop Support staff spend much of their time away from their assigned workstations resolving issues and providing services at the end user’s location. Having to access a locally installed Configuration Manager Console can add unnecessary time when needing to get the end user back to being productive. Server Support teams put a premium on time, especially when dealing with server outages. Therefore, Server Analysts need quick access to information and remediation tools for servers either from their desk or in the Data Center, and sometimes from remote locations.

Having a web based ConfigMgr console allows Desktop and Server teams to:

  • Get software update status and apply patches when necessary
  • Deploy or upgrade software, if required
  • Deploy a new OS Image to a computer or server
  • Migrate a computer to a new OS (such as Windows 10 + Office 365) using MDT
  • View reporting for all of the above

Easily deploy software, even when not at your desk.

Finally, Managers can easily report and track the overall health of the organisation using simple to access dashboards to get a high level view of the entire IT operation.

Watch a sneak peek of the solution featuring Cireson Co-Founder, Shaun Ericson, and Microsoft MVP, Wally Mead. View now.

The Cireson Portal for Configuration Manager will be generally available in early 2017. Learn more and sign-up for first-priority access here.

Hardening Guide for Cireson Portal

I had a partner call me the other day and ask if Cireson had a “Hardening Guide” for our SCSM Self-Service and Analyst portals.

This is not a frequent request as it is usually only government or Defence industries that lock down their system to this extent. So it was no surprise that we had never been asked this question before. After much back and forth we were able to put together a hardening guide for our portal and I thought I would share with you all what that looks like and how to achieve it for the rare occasion that this level of security is required.

Some Basic IIS Hardening Details

Within IIS it is possible to restrict the type of file extensions that can be executed within IIS and also what “Verbs” (Core IIS Code commands) that are allowed to be called.

This reduces the exposure of what type of code can be executed and therefore reduces the ability of an attacker to execute malicious code. It is never possible to remove all possible attack surfaces from any internet server as it must execute some code or the web page would never be rendered! Instead, hardening IIS is about just reducing the types of code that can be executed so we are only concerned with what we need and not with surplus to requirement code types.

IIS allows us to do this by restricting the file extensions of the type of code we want to allow.

This is done in the “Request Filtering” section of our website within IIS.


This allows us to filter by file extension, URL, Verbs, headers and several more.

For the purpose of this article we are going to be very generic and only allow specific extensions to be run. In a higher security model it may be required to block anything outside of very specific file names, dates, URL’s etc. but in my opinion, if you need to lock down your web server that far, then it shouldn’t be on the web. 🙂

The File Extensions tab shows a bunch of pre-defined file extensions and whether they are allowed or blocked. One other setting that is not shown on the main screen is the File Name Extension settings.

This has some generic rules like “Allow unlisted file extensions” which is turned on by default. This basically says, if the file extension has not been specifically blocked then let it run.

You can see where this can be a bad thing….

Basic Hardening Rules

The rules can be administered from the IIS Manager GUI or directly in the site’s web.config file.

Using the GUI, our first requirement is to stop unlisted file extensions from being served. This is as simple as unchecking the “Allow unlisted file name extensions” checkbox within the “Edit Request Filtering Settings” screen of the IIS website we are editing.


After this, we need to add the following list of extensions as allowed extensions.

  • .js
  • .svg
  • .css
  • .ttf
  • .png
  • .gif
  • .woff
  • .html
  • .

Yes, there is an entry of just  .

This allows requests for URLs with no extension at all. This is common because the portal builds its pages server side and serves them at extensionless URLs. NOTE: This is not the same as *.*, which would allow ALL extensions; the lone dot only matches requests that have no extension. Once the list is in place, browse the portal as both an analyst and an end user and watch the IIS logs (or the browser’s developer tools) for 404 responses with substatus 7, which is IIS reporting a denied file extension; anything the portal legitimately needs that turns up there is added to the list.


All these settings are stored in the site’s web.config file on the file system, which gives advanced admins a faster way to do this than via the GUI.

Using the web.config file, open it in your XML editor of choice (Notepad or Notepad++ for example) and find the <security> element inside <system.webServer>. IIS configuration element and attribute names are case sensitive, so it is security and requestFiltering, not Security.

Replace the default settings with the following section. The maxAllowedContentLength of 1073741824 bytes (1 GB) is the value from the guide; it is far larger than the IIS default of about 30 MB, so set it to the largest upload the portal genuinely needs.

        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="1073741824" />
                <fileExtensions allowUnlisted="false">
                    <add fileExtension="." allowed="true" />
                    <add fileExtension=".js" allowed="true" />
                    <add fileExtension=".svg" allowed="true" />
                    <add fileExtension=".css" allowed="true" />
                    <add fileExtension=".ttf" allowed="true" />
                    <add fileExtension=".png" allowed="true" />
                    <add fileExtension=".gif" allowed="true" />
                    <add fileExtension=".woff" allowed="true" />
                    <add fileExtension=".html" allowed="true" />
                </fileExtensions>
            </requestFiltering>
        </security>
And that’s it.

So if you ever come across the requirement to “Harden” your web pages, this should help you.
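The same allow-list applied with PowerShell, as an added example that is not part of Cireson’s guide or product. It uses the WebAdministration module that ships with IIS, must run in an elevated session on the web server, and assumes the portal site is named CiresonPortal (change $SiteName to suit). The extension list is the one from the guide; the content-length limit is a parameter so it can be sized to your attachments rather than left at 1 GB.

```powershell
# Added example (not Cireson's code): apply the request-filtering allow-list from the
# guide to one IIS site and read the effective configuration back.
# Assumptions: IIS with the WebAdministration module, an elevated session, and a site
# named "CiresonPortal" (adjust $SiteName). Writes to that site's web.config.
Import-Module WebAdministration

$SiteName   = 'CiresonPortal'
$SitePath   = "IIS:\Sites\$SiteName"
$Filtering  = 'system.webServer/security/requestFiltering'
$Extensions = @('.', '.js', '.svg', '.css', '.ttf', '.png', '.gif', '.woff', '.html')

if (-not (Test-Path -Path $SitePath)) { throw "IIS site '$SiteName' was not found" }

function Set-PortalRequestFiltering {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedExtensions,
        # 30 MB here; the guide uses 1073741824 (1 GB). Size it to your largest attachment.
        [long] $MaxContentLengthBytes = 30MB
    )

    # Cap request bodies (bytes). This also caps uploads made through the portal.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$Filtering/requestLimits" `
        -Name 'maxAllowedContentLength' -Value $MaxContentLengthBytes

    # Deny every extension that is not explicitly listed; IIS answers 404.7 for those.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$Filtering/fileExtensions" `
        -Name 'allowUnlisted' -Value $false

    foreach ($ext in $AllowedExtensions) {
        $entry    = "$Filtering/fileExtensions/add[@fileExtension='$ext']"
        $existing = Get-WebConfiguration -PSPath $SitePath -Filter $entry
        if ($null -eq $existing) {
            # Not present at this level and not inherited from applicationHost.config: add it.
            # Adding a duplicate key would leave web.config invalid, hence the check first.
            Add-WebConfigurationProperty -PSPath $SitePath -Filter "$Filtering/fileExtensions" `
                -Name '.' -Value @{ fileExtension = $ext; allowed = $true }
        } elseif (-not $existing.allowed) {
            Write-Warning "'$ext' is already listed as blocked (probably inherited from applicationHost.config); review that entry rather than overriding it here."
        }
    }
}

function Get-PortalRequestFiltering {
    [pscustomobject]@{
        MaxAllowedContentLength = (Get-WebConfigurationProperty -PSPath $SitePath `
            -Filter "$Filtering/requestLimits" -Name 'maxAllowedContentLength').Value
        AllowUnlisted = (Get-WebConfigurationProperty -PSPath $SitePath `
            -Filter "$Filtering/fileExtensions" -Name 'allowUnlisted').Value
        # Effective list, including entries inherited from applicationHost.config.
        Extensions = Get-WebConfiguration -PSPath $SitePath -Filter "$Filtering/fileExtensions/add" |
            Select-Object -Property fileExtension, allowed
    }
}

Set-PortalRequestFiltering -AllowedExtensions $Extensions
$state = Get-PortalRequestFiltering
$state | Select-Object -Property MaxAllowedContentLength, AllowUnlisted | Format-List
$state.Extensions | Where-Object allowed | Format-Table -AutoSize
```

Keep the script with the build notes for the portal so it can be re-run if the site’s web.config is ever replaced. After running it, a pass through the portal as an analyst and as an end user will surface any extension the list is missing: the IIS log records those requests as status 404 with substatus 7.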

How to use the Cireson Asset Import Connector

A little while ago on the Cireson Community Forum a member asked for more details on how the Cireson Asset Import Connector works. So I decided to write a blog post about it to clear up exactly what the connector is and how it works. I also recorded a short video for those of you who do not like long-winded blog posts. You can find the video here.

The Cireson Asset Import Connector is one of the solutions contained within the Cireson Asset Management Stream of products and allows for Asset Administrators to take the guesswork out of importing external data into System Center Service Manager. This app allows any out-of-the-box CMDB data, or any information in the Cireson Asset Management app, to be imported from external CSV, SQL, ODBC or LDAP sources of truth, exposing an intuitive interface that provides the ability to map columns and schedule imports when required.

A little-known pub quiz fact is that the Cireson Asset Import app grew from the CSV Import app, which was the very first Cireson app to hit the market. Next time this question comes up in a pub quiz, rest easy knowing that you now have the answer and are in a pub so cool that it asks questions like that one! 🙂

When you add the Cireson Asset Import app to a Service Manager environment, importing data becomes seamless. One-time imports and configuring XML files become a thing of the past. The straightforward app provides the organization with the ability to build an asset repository of information that is relevant and accurate when working with requests in Service Manager.

So let’s get into it. Throughout the following post I will call out important things to note and also what is generally regarded as “Best Practice”, but always consider the requirements and impact these settings may have in your environment.

1. Creating a new Asset Import Connector

  1. Within the SCSM console, select the Administration workspace.
  2. Right click the Connectors Node.
  3. Select Create Connector from the drop down menu.
  4. Select Asset Management Import Connector from the sub menu.
NOTE:

The sub menu option Asset Management Import Connector (Import) is for re-creating a connector from a previously exported connector XML file (see Exporting and Importing a Connector below).

Enter a name for the connector that will make sense to other administrators for future maintenance tasks.

Select a Management Pack (or create a new one) that will store the workflow definition of the connector.

Cireson Best Practice:

Best practice is to create these Management Packs with the SCSM Authoring Tool, giving them an internal name and a display name in the format “ – Asset Management Import Connectors”.

This then assists to identify the Management Pack when exported or backed up at a later date.

The next step will be different depending on the input data source. Select and use one of the following sections below before continuing.

2. Using a CSV Source

After completing the steps in the section above, browse to the location of the .CSV file that contains the asset data to import and select the Encoding Format of the file. The encoding must match how the file was actually saved, or any non-ASCII characters will be imported incorrectly.

The selected path can be either a local path (on the SCSM workflow server) or a network share to which the Workflow account has read permission. Read is all the connector needs on that share.

The first line of the CSV file must contain the header row information for the data contained within.

Cireson Best Practice:

It is Cireson best practice to create a single folder that contains all the CSV import files for any connector that is being used. It is also best to configure the connectors to use a UNC path as the location path of the file selected as this allows the connector to be edited successfully from other computers.

 Continue the connector settings.

 3. Using a SQL Source

For Microsoft SQL Server data source:

Enter the SQL connection string by clicking the ellipsis button and entering the required connection information.

NOTE:

If Windows Authentication is to be used, the SCSM Workflow account must have read access to the source database. Grant only what the query needs (membership of db_datareader, or SELECT on the specific tables or views), not db_owner.

Enter the SQL query that will be used to extract the data required for this connector.

Click Execute Query to test the query and gather field name requirements for class property mapping.

The SQL Query Results field will show the number of rows returned if the query was successful.

Continue the connector settings.

 4. Using an ODBC Source

For ODBC Server data source:

Create a File Data Source Name (DSN) that contains the Server, Database and username for the data source.

Browse the file system and select the File DSN.

NOTE:

The SCSM Workflow account must have read access to the File DSN.

Enter the File DSN Password for the username within the File DSN.

Enter the SQL query that will be used to extract the data required for this connector.

Click Execute Query to test the query and gather field name requirements for class property mapping.

The SQL Query Results field will show the number of rows returned if the query was successful.

Continue the connector settings.

 5. Using an LDAP Source

For an LDAP data source:

Enter the LDAP Server or Namespace and the LDAP Port (If required).

If the SCSM Workflow account does not have read access to the LDAP source, enter alternative credentials with the required rights. Those credentials are used to bind to the directory, so if the source supports it use the LDAPS port (636) so that a simple bind is not sent across the network in the clear.

Enter the LDAP Attributes that are required to be returned separated by commas.

Enter an LDAP search starting path to reduce the search scope as required.

Enter any LDAP Filter needed to refine the results to the specific required data.

Click Execute Query to test the query and gather field name requirements for class property mapping.

The LDAP Query Result field will show the number of rows returned if the query was successful.

Continue the connector settings.

6. Connector Settings

Select the target class that the records will be imported in to. This might be one of the base classes (Such as Hardware Asset) or, if other relationships are required, selecting a combination class (Type Projection) that contains the relationships required for the import.

Enter a Workflow log path to track import results and reporting on success\failure.

Set the required options for the instance of the Asset Import connector. See below for more details on these options.

Once all options are selected, click Next.

Asset Import Connector Options:

Test Mode: The connector will run and create a log file for inspection without committing any changes to the SCSM database. Run a new or changed connector in this mode first.

This connector can create new items: When enabled, the connector will create new records within the database. This is used to allow the import of new records.

This connector can update existing items: When enabled, the connector will update existing records that match the key fields of the selected class.

This connector will DELETE ALL matching items only: This option changes the behaviour from creating to deleting records. Any record matched from the import data to an instance of the class will be removed from the SCSM database. WARNING! Deleted data cannot be recovered, so check the matches in Test Mode and have a current database backup before enabling this.

This connector will update multiple existing items matching specific custom keys: The connector finds every existing item that matches the custom keys chosen on the Data Mapping screen and updates each of them through the normal mappings. At least one custom key is required.

Do not replace \n with a linefeed: By default the import connector interprets the two characters \n in the source data as a new line and replaces them with a linefeed character when writing to SQL. Enable this option to keep \n as literal text.

7. Mapping Fields

Data Mappings allow the mapping of the specified input data to the properties of the selected target class within SCSM.

On the Data Mapping screen, if the option “This connector will update multiple existing items matching specific custom keys” was selected on the previous screen, the first option shown is for Custom Keys. Custom Keys are used to find all existing matching items and update them as normal via the mappings below. At least one custom key is required.

The Custom Key can be any of the properties for the class that was selected for this connector.

Add the custom keys as required and map these to the data from the import source.

NOTE:

All Key Properties for the selected class as well as any Custom Keys are required fields and must be mapped to continue.

The property displayed in the left column will show all properties of the selected class, along with any extended properties that have been added for the class.

The Data Type in the middle column will show what input data type the property will expect. String (Key) identifies the primary key for the selected class.

The Mapped To value displayed in the right column will show drop-down values for each available column header from the specified source.

The Hardware Asset ID should be mapped to the primary key selection you chose in the Asset Management Settings. (Serial Number, Asset Tag, GUID, etc.)

Map all additional properties to the input data that is defined from the Input source.

Any properties that are mapped will be updated or entered as defined.

Any properties that are not mapped will not be updated.

If a Combination Class is selected for the connector there will be additional mapping fields under the Relationship heading.

These can be used to map data from multiple classes together as relationships as required.

Once all mappings are complete, click Next.
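A pre-flight check for a CSV source, as an added example that is not part of the connector or of Cireson’s documentation. It exercises the rules from the CSV Source, Connector Settings and Mapping Fields sections above: the first line must be a header row, the column mapped to the class key must be present and populated on every row, the connector matches existing items on that key so a repeated key value is ambiguous, a literal \n in a field becomes a linefeed unless the “Do not replace \n” option is set, and the Encoding Format chosen in the wizard has to match the file. The key column name (SerialNumber) and the sample rows are constructed for the example.

```powershell
# Added example (not Cireson code): pre-flight checks for a CSV file before an Asset
# Import Connector is pointed at it. Assumes the class key is mapped to a column
# called "SerialNumber"; the sample rows at the bottom are constructed.
function Test-AssetImportCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $KeyColumn,
        [string] $Encoding = 'UTF8',      # must match the Encoding Format chosen in the wizard
        [switch] $KeepLiteralNewlines    # mirrors "Do not replace \n with a linefeed"
    )

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { throw "File is empty: $Path" }
    # A UTF-8 BOM is a hint that the file is UTF-8 regardless of what it was called.
    $hasUtf8Bom = $bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF

    $raw = Get-Content -LiteralPath $Path -Encoding $Encoding -Raw
    # The first line must be the header row: that is where the mapping drop-downs come from.
    $headers = (($raw -split "`r?`n")[0] -split ',') | ForEach-Object { $_.Trim().Trim('"') }
    if ($headers -notcontains $KeyColumn) {
        throw "Header row has no '$KeyColumn' column (found: $($headers -join ', '))"
    }

    $rows     = @($raw | ConvertFrom-Csv)
    $problems = New-Object System.Collections.Generic.List[string]

    $line = 1   # header is line 1, so the first data row is line 2
    foreach ($row in $rows) {
        $line++
        $key = ([string] $row.$KeyColumn).Trim()
        if (-not $key) {
            $problems.Add("line ${line}: empty $KeyColumn; key properties must be populated on every row")
        }
        if (-not $KeepLiteralNewlines) {
            foreach ($prop in $row.PSObject.Properties) {
                if ($prop.Value -like '*\n*') {
                    $problems.Add("line ${line}: '$($prop.Name)' contains a literal \n that the connector will store as a linefeed")
                }
            }
        }
    }

    # The connector matches existing items on the key, so a repeated key is ambiguous.
    $rows | Group-Object -Property $KeyColumn |
        Where-Object { $_.Count -gt 1 -and ([string] $_.Name).Trim() } |
        ForEach-Object {
            $problems.Add("$KeyColumn '$($_.Name)' appears $($_.Count) times; only one of those rows can win the update")
        }

    [pscustomobject]@{
        Path     = $Path
        Utf8Bom  = $hasUtf8Bom
        Headers  = $headers
        Rows     = $rows.Count
        Problems = $problems
    }
}

# Constructed sample: a duplicated serial, a blank serial and a literal \n in a field.
$sample = @'
SerialNumber,AssetTag,Model,Notes
SN0001,AT-100,Latitude 7400,Issued to finance
SN0002,AT-101,Latitude 7400,Spare\nin the cupboard
,AT-102,Latitude 7400,No serial recorded
SN0001,AT-103,Latitude 7400,Re-imaged
'@
$samplePath = Join-Path $env:TEMP 'asset-import-sample.csv'
Set-Content -LiteralPath $samplePath -Value $sample -Encoding UTF8

$result = Test-AssetImportCsv -Path $samplePath -KeyColumn 'SerialNumber'
$result | Select-Object -Property Path, Utf8Bom, Rows | Format-List
$result.Problems | ForEach-Object { Write-Warning $_ }
```

Run it against the real file from the workflow server under the Workflow account, which also proves that account can read the path; pass -KeepLiteralNewlines when the connector has the “Do not replace \n with a linefeed” option enabled.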

8. Connector Workflow Schedule

Some connectors will be run as a once off to import bulk data in to the SCSM database, whereas others might be run on a schedule to keep other data sources up-to-date within the database.

An example of a scheduled data source might be a connector in to a Mobile Device Management (MDM) solution or an accounting or purchase system (for invoices and Purchase Orders).

For connectors that will be only run once, select the option marked This connector will be run manually.

When using this option, a warning message will be displayed to remind administrators that the connector will only run when using the Synchronize Now task within the console.

For a reoccurring schedule, enter the frequency as either daily or as a regular reoccurrence with a set frequency.

Ensure the Connector Enabled option is ticked to allow the connector to run. This option also helps with administration of the connector later if it needs to be turned off for a period for maintenance or fault finding.

When the scheduling information has been entered, click Create.

9. Manually Running a Connector

Once a connector has been created it will show within the Connectors node in the Administration workspace of the SCSM console. Within this node, administrators are able to see the current status of all connectors, when they were last started and finished and their percentage complete.

Administrators are also able to manually run a connector to either force the synchronization regardless of workflow schedule or to trigger a non-repeating connector.

To manually run a connector:

Within the SCSM console, select the Administration workspace.

Select the Connectors node.

Select the Connector to be run and click the Synchronize Now task within the tasks pane.
If the connector does not have a schedule set (is disabled) then a message will appear informing that the connector is disabled and asking if it should still be run.

Click Yes to run the Synchronization.

The connector workflow will then be scheduled to start at the next opportunity for the workflow engine.

10. Exporting and Importing a Connector

Once a connector has been configured the settings can be exported to allow administrators to copy the connector to a different environment (dev to prod).

To export and import a connector:

Within the environment to export from:

Within the SCSM console, select the Administration workspace.

Select the Connectors node.

Select the Connector to be exported and click the Export task within the tasks pane.

Save the connector XML file to a path and click Save.

Within the environment to import in to:

On the Connectors node, select Create Connector from the drop down menu.

Select Asset Management Import Connector (Import) from the sub menu.

Browse to the folder containing the exported XML file, select the xml file to import and click OK.

A window will appear to rename the Connector from its original name if required and change the Management Pack that holds the information.

If the connector is importing from a CSV file, an additional field will appear that is used to provide the source location of the CSV file required.

Enter the values needed and click OK.

The connector will be imported and will now appear in the connectors node.

11. Deleting a Connector

If a connector is no longer needed, then it can be removed from the SCSM environment by deleting the connector from the console.

To delete a connector:

Within the SCSM console, select the Administration workspace.

Select the Connectors node.

Select the connector to be deleted and click the Delete task from the tasks pane on the right of the screen.

Click OK on the message that appears to confirm the connector to be deleted.

If the connector has previously imported data, a second message will appear asking whether the data that was imported by the connector should also be deleted.


Hope this gives you a clear idea of how this app comes together and works for your organization.

Leave a comment if you have any additional questions.


Cireson Portal: Hiding Search Types from the Page Search

I had a rather interesting question the other day about hiding unwanted search types from the Cireson Portal’s page search feature, located at the top of the Cireson Portal.

Search Locations 1

The user was trying to remove the option for Knowledge Management as they are not currently using it within their environment.

At first the solution seems easy: find the element in CSS and set it to hidden for that index.

However, as it turns out, the list items are generated when the page is built, and depending on whether you are an analyst or an end user the index value of the list item changes. Hiding Knowledge Management by index for analysts hides Service Catalog for end users, and hiding Knowledge Management by index for end users hides Work Items for analysts.

So how do we fix this with CSS?

Answer? We don’t… We use JavaScript instead.

Copy the following code into the custom.js file located in the CustomSpace folder of the Cireson portal (default location: C:\inetpub\CiresonPortal\CustomSpace):

/* Hide knowledge articles from all users, based on the static "Knowledge Base" text. */
$(".dropdown-menu").find("li:contains(Knowledge Base)").hide();

This code looks for the dropdown menu that contains a list item labeled “Knowledge Base” it will hide the list item.

By swapping the text “Knowledge Base” for the name of the list item you wish to hide (Work Items or Request Offerings) you can hide those menu items too.

The end result, the search item list no longer has Knowledge Base available to search on.

Search Locations 2

New Role. Same Focus.

After 5 years with Data#3 I have taken up a Solutions Architect role with Cireson to assist them in supporting and promoting Cireson customers and partners here in the Asia Pacific region.

I am very excited to be joining the team and to contribute to this amazing growth the company is seeing across the globe. I’ve worked with Cireson service & asset management solutions for over three years now, and I look forward to helping customers and partners make the most out of their Microsoft System Center investment in the APAC region.

Cireson has also continued its local investment by expanding the support team into the Asia Pacific region. Joe Burrows has joined the support team and brings outstanding knowledge and experience with the Service Manager product as well as the Cireson products.

I am looking forward to working with System Center more closely across Australia and the rest of the Asia Pacific region.