ClickJack, MIME, Code Injection and CSS attack in HTTP header

I was working on SCCM server vulnerabilities in terms of OS and application installed on it.

There are four specific HTTP header attacks which your IT security team ask you to fix on those SCCM server where IIS is running.


Normally below four HTTP headers are important to add and set with value(value may differ as per the requirement) in your SCCM server with IIS not added earlier.

X-XSS-Protection: To prevent XSS(Cross Site Scripting) attack, header name  'X-XSS-Protection' has been set with value '1;mode=block' means XSS filter enabled and prevented rendering the page if attack detected.

X-Frame-Options : To prevent from ClickJacking attack on website, X-Frame-Options' header has been set with value 'SAMEORIGIN' means Frame/iframe of content is only allowed from the same site origin. It not good to set value of 'DENY'.

X-Content-Type-Options : To prevent from MIME attack, header name 'X-Content-Type-Options' has been set with value 'nosniff'' means to prevent content sniffing. 

Content-Security-Policy : To prevent from code injection attack, 'Content-Security-Policy' header has been set with value 'default-src 'self'' which means Load everything from defined source.

How to set the header and its value?

1) Open CMD or Open Run and type 'inetmgr' to open the IIS console. In my case, its IIS version 8.

2) Expend the IIS console node at left side and browse to your target website. In my SCCM server case, it was Default Web Site.

3) Click the target website.

4) Go to 'HTTP Response Headers' option(at middle) and double click to open it.

5) Click “Add” under Actions.

6) Enter Name, Value(as mentioned above) and click OK to apply. 

7) Restart the IIS.

Thats it !! Your are done.

Read More

Content Library Migration in SCCM 2012 and onwards

Situation may come to SCCM engineer's life that he/she may need to transfer the Content Library from one drive to another drive. Normally we do Content Library migration when we face disk space issue in existing drive and to create free space we have to move CL location to new drive where we can have sufficient space to accommodate existing size as well as future file size. 

I want to share the migration activity from real world scenario perspective.

Content Library folder contains three sub folders i) DataLib ii) FileLib and iii) Pkglib. Apart from CL folder, we SMSPKG and SMSPKGSIG folder are also important and which all are moved from source to target folder.

ContentLib folder along with PKG and SIG folder.

Inside SCCMContentLib folder

Steps to be taken to perform the Content Library(CL) migration from one drive to another:

1) Make sure you have Net backup(tape backup) of entire drive where CL exists or at least take tape backup of SCCMContentLib, SMSPKG and SPSPKGSIG folder.

2) Check SCCM back of that site where you need CL migration and if the backup is not latest(max of 5 days can accpeted), get the backup done and keep it.

3) Inform to depended teams who use the site for any kind of automation that use SCCM to create packages etc. and ask them to stop the activity until the migration activity will get completed. 

4) Follow the Change Management process and raise the CR with required approvals.

5) Once you have above 4s ready, you can perform CL migration on schedule date and time. Please remember that CL migration duration depends on size of the CL. More size, more time it will take. So keep patience.

To perform CL migration, you need ContentLibraryTransfer.exe tool which is a part of Microsoft's ConfigMgr 2012 Toolkit R2 and you can download the toolkit from HERE. 

Install the toolkit(with ServerSide tool) and open Powershell or CMD in elevated moe. Browse to Server Tools folder of ConfigMgr 2012 Toolkit R2 folder and type below command:

ContentLibraryTransfer.exe -SourceDrive <nameofthesourcedrive> -TargetDrive <nameofthedestinationdrive>  > C:\contentlib.log

In below screenshot, sourcedrive is I drive and target drive is G drive and I kept log file(which is must and useful to track the CL migration activity) in C drive.

6) You need to track the log file generated by the CLTransfer tool. Tool validates source and target drive, check free space at target drive with comparison to existing space in source drive. After that it stops SMS EXECUTIVE and COMPONENT services(to stop any incoming activity in CL folder) and then initiates the migration(it moves all folders from source to target folder).  

Once all folders are copied successfully to target drive, it drops no_sms_on_drive.sms file in source drive to avoid CL folder creation in source drive, start SMS EXECUTIVE and COMPONENT services and remove CL folders from source drive.

7) Post successful migration, you need to do following in order to check CL folder is working fine in new location.

i) Create one or two new package, distribute to couple of DP servers and check whether package is getting distributed successfully and entries are created in all sub folders of CL folder.

ii) Check validation of any existing packages.

iii) Check site server components.

iv) Check replication link.

If above checks(under Point No.7) go fine and components and link are fine, you need to understand that the activity is completed successfully.

8) Inform to dependent team to resume their works at site where you perform the CL migration. 


Note: There is no need to check pending packages at DPs and no need to remove them during CL migration because before starting the migration activity, CL migration tool stops the SCCM executive and component services which means the target site is inactive during the migration period. Once migration is completed, tool automatically restart the services to bring site into normal state. 

Read More