Trouble with UAC

By Andrew Garcia  |  Posted 2010-05-11

Rove Mobile Admin Delivers on the Go Management


Rove Mobile Admin 5.1 provides an excellent way for data center administrators to monitor and troubleshoot server and application issues from their mobile device, granting administrators better control and faster response times when they are out of the office.

Mobile Admin adds a presentation layer tailored for mobile devices that reorganizes the native APIs and instrumentation of servers, operating systems and enterprise applications into an easy-to-use set of troubleshooting tools that fits well on the small screens of today's smartphones. Although typical remote access technologies such as VNC or Remote Desktop are baked into the Mobile Admin client as well, the Mobile Admin presentation affords faster and more intuitive access given the form factor.

Rove offers two versions of Mobile Admin: Professional and Basics. Basics costs $295 per user account and offers remote access via SSH, TN3270/TN5250 or RDP, plus a standard suite of Microsoft server management and monitoring capabilities that lets the administrator peruse event logs or the file explorer, run applications or schedule tasks, reboot machines or restart services, and perform various other troubleshooting tasks.

I tested Professional ($595 per user), which adds to the Basics feature set with management support for third-party monitoring platforms (Nagios, BMC Remedy or Microsoft System Center Operations Manager), virtualization platforms (VMware or Hyper-V), databases (Oracle or Microsoft SQL Server), mobile device management suites (BlackBerry Enterprise Server or Microsoft's Mobile Device Manager), and Microsoft applications such as Exchange and IIS.

Mobile Admin 5.1, which was released in February, changed the remote interface to better reflect the way some administrators or organizations look at their network. In prior versions, administration was organized by server, so an administrator would drill down into a particular machine to find the tool or application they wished to access remotely. With 5.1, Rove added a Services view that organizes the infrastructure according to the management tool in question: all Exchange servers or all IIS servers, for instance, are automatically grouped together under that application within the Mobile Admin UI.

Rove offers client applications for an array of mobile devices. I performed the bulk of my testing using the iPhone and BlackBerry clients, each of which was downloadable from the respective mobile application store. Mobile Admin also offers a client application for Windows Mobile 6.0 and higher, and administrators can access the Web interface from a PC browser. Rove also recently started a beta program for a new client application for Android devices.

Mobile Admin offers a few avenues for administrators to secure their remote management traffic. Mobile Admin supports HTTPS, so I could configure my mobile clients to access the Mobile Admin server directly by punching a hole in my perimeter firewall for TCP port 4055. However, Rove recommends using the existing VPN infrastructure to access the protected resources instead, provided a VPN client exists for the devices used for management. 

More elegant, however, is Rove's BlackBerry mobile application, which utilizes the MDS channel built into an existing BlackBerry Enterprise Server infrastructure. This leverages the 3DES- or AES-encrypted channel utilized for all other enterprise BlackBerry traffic as it travels from the device, over the BlackBerry network to the BES, where it is decrypted and forwarded to the Mobile Admin server. 

In my tests, I used Mobile Admin to administer a series of Windows servers, both in the same domain as the Mobile Admin server and in a Workgroup, and found it quite simple to administer basic Windows functionality. I was able to quickly stop and start services, add users to the domain, schedule tasks and perform an NSLookup. For Windows enterprise applications, I was able to manage incoming and outgoing message size restrictions and manage queues and stores within an Exchange 2003 environment. And for IIS, I found I could remotely start and stop Websites or change site security settings.

I set up Mobile Admin to administer my BlackBerry Enterprise Server 5.0 environment, which allowed me to see BES server status, ID and licensing information, as well as my BES failover configuration and status. I could stop and start the dispatch service, which conveniently warned me that if I was managing via a BlackBerry device, stopping the service would kill my management connection. I could see various details about an individual user's usage, such as failed and successful logins, status, the BlackBerry policy in effect and message delivery status. I could also add users and send an activation e-mail, provided the user was already in the BlackBerry database. I could see no way to trigger a live synchronization between the BlackBerry database and the Windows domain to add a user who had just been added to Active Directory.

I also set up Mobile Admin to remotely access eWeek Labs' VMware vSphere infrastructure. From within the Mobile Admin UI, I could see my entire VMware data center and drill down to see clusters with all their included host servers. I could see which client machines were running on each host in the cluster and monitor CPU and memory usage, as well as IP and DNS information. I could perform a limited number of actions on virtual machines: I could power-cycle or suspend client VMs, or view assigned and completed tasks and events. I could also edit virtual settings, increasing or decreasing the number of processors and the amount of RAM assigned to a VM. Unfortunately, Mobile Admin doesn't account for the state of the VM when editing configuration, so it sends the job to VMware regardless of whether the machine is powered on. If the VM was off, the change took effect. But if the VM was running, the command from Mobile Admin was simply ignored by VMware.

Trouble with UAC


I was disappointed to find that Mobile Admin did not allow me to perform VMotion migrations of VMs between host servers. However, Rove officials state that is a commonly requested feature that they are working to add.

Rove designed Mobile Admin to connect to and manage backend servers without requiring an agent on the managed hosts, instead using existing interfaces and APIs to establish the connection to the Mobile Admin server. However, administrators may need to install new software or change server configurations to enable these connections, undercutting the light touch on the server infrastructure that Mobile Admin promises.

To manage several resources, I needed to install components directly onto our Mobile Admin server. For instance, to manage our VMware 4.0 infrastructure, I needed to install both the VMware vSphere PowerCLI and PowerShell (as I installed Mobile Admin on Windows Server 2003, for which PowerShell is a separate installation). To manage Exchange 2003, I needed to install the Exchange System Management Tools and their prerequisites on the Mobile Admin server.

In other cases, changes were needed on the managed servers. For instance, to manage our BES 5.0 infrastructure via Mobile Admin, I needed to ensure the BlackBerry Administration API was installed on the BES servers (or the BlackBerry Enterprise Resource Kit for BES 4.x instances). While the API is included with BES 5.0 Service Pack 1, unpatched BES installations need the API installed separately. Also, the need for the BlackBerry Administration API means that Mobile Admin won't work with the new BlackBerry Server Express, which does not support the API.

More troubling, however, is the requirement spelled out in the Mobile Admin documentation that specifies UAC (User Account Control) must be disabled on managed servers running Windows Server 2008 or above. During my tests, I found that when trying to control a UAC-enabled Windows 2008 Server via Mobile Admin, I could essentially only see the Active Directory and RDP services. Disabling UAC on the server opened up access to the rest of the core Windows management functions.

Rove representatives explained that their Windows management capabilities are performed using WMI (Windows Management Instrumentation), requiring access to the default Administrative share on the managed server to help communicate the results of these WMI operations back to Mobile Admin server. UAC by default denies remote access to this share in some cases.

In spite of what was written in the documentation, Rove's Server Development manager, Rob McAteer, stated, "We do not wish for our customers to turn UAC off...  If the Rove Mobile Admin user managing the remote 2008 server has administrative rights on the remote 2008 server, then there is no issue utilizing the Administrative Share."

However, I found this to be the case only when the Mobile Admin server and the managed host are members of the Windows domain. When trying to access a managed server not in the domain, I found that even though the credentials I entered to manage the Windows Server 2008 instance belonged to a member of the Administrators group, UAC blocked management via Mobile Admin. If I entered the credentials for the Administrator account, however, it worked.

While disabling UAC certainly resolved these problems, I would not recommend that solution for production machines. Another workaround I discovered is to add a registry key that allows remote sessions to access the Administrative share. While this workaround still lessens overall system security, it is a more targeted solution than simply disabling UAC entirely.
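The following PowerShell script is an added example, not code from the review or from Rove's product. It reproduces the two checks the preceding paragraphs describe against a managed Windows Server 2008-era host: whether a given account can run a WMI query and whether it can reach the ADMIN$ administrative share. It also reads the UAC remote-restriction setting and classifies the account the way the review's findings suggest (domain account, local built-in Administrator, or other local administrator). It assumes the unnamed "registry key" above is the documented UAC remote restriction value LocalAccountTokenFilterPolicy under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the article itself does not name it. The host name SERVER08 and the function names are placeholders.

```powershell
# Added example (not part of the original article or Rove Mobile Admin).
# Requires Windows PowerShell 3.0 or later on the management host; the
# remote registry read uses the caller's own identity, not -Credential.

function Get-AdminAccountKind {
    # Heuristic classification of a DOMAIN\user or HOST\user string against
    # the target host. Domain accounts are not subject to the remote UAC token
    # filter; the built-in Administrator is exempt by default (unless
    # FilterAdministratorToken = 1); any other local admin is filtered unless
    # LocalAccountTokenFilterPolicy = 1. A renamed built-in account is not
    # detected by this heuristic.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $parts = $UserName.Split('\')
    if ($parts.Count -ne 2) { return 'Unknown (use DOMAIN\user or HOST\user form)' }
    $prefix, $user = $parts
    if ($prefix -ieq $ComputerName -or $prefix -eq '.') {
        if ($user -ieq 'Administrator') {
            return 'Local built-in Administrator (exempt from remote UAC filtering by default)'
        }
        return 'Local administrator (remote UAC filtering applies unless LocalAccountTokenFilterPolicy = 1)'
    }
    return 'Domain account (not subject to remote UAC token filtering)'
}

function Test-MobileAdminPrereqs {
    # Runs the WMI and ADMIN$ checks with the supplied credential and reports
    # the UAC remote-restriction value so the result can be interpreted.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    $result = [ordered]@{ Computer = $ComputerName; Account = $Credential.UserName }

    # 1. WMI: the interface Rove says Mobile Admin uses for Windows management.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
            -Credential $Credential -ErrorAction Stop
        $result.Wmi = "OK ($($os.Caption))"
    } catch {
        $result.Wmi = "FAILED: $($_.Exception.Message)"
    }

    # 2. ADMIN$ share, which Rove says carries WMI results back to the server.
    $share = "\\$ComputerName\ADMIN$"
    try {
        New-PSDrive -Name MAADM -PSProvider FileSystem -Root $share `
            -Credential $Credential -ErrorAction Stop | Out-Null
        $result.AdminShare = 'OK'
        Remove-PSDrive -Name MAADM
    } catch {
        $result.AdminShare = "FAILED: $($_.Exception.Message)"
    }

    # 3. UAC remote-restriction value (assumed to be the key the review means).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        $val  = $key.GetValue('LocalAccountTokenFilterPolicy')
        $result.LocalAccountTokenFilterPolicy =
            if ($null -eq $val) { 'not set (default: local admins filtered remotely)' } else { $val }
    } catch {
        $result.LocalAccountTokenFilterPolicy = "unreadable: $($_.Exception.Message)"
    }

    $result.AccountKind = Get-AdminAccountKind -UserName $Credential.UserName -ComputerName $ComputerName
    [PSCustomObject]$result
}

# Usage (SERVER08 and the account names are placeholders):
#   $cred = Get-Credential   # e.g. SERVER08\opsadmin, SERVER08\Administrator or LAB\opsadmin
#   Test-MobileAdminPrereqs -ComputerName SERVER08 -Credential $cred | Format-List
```

If the checks fail for a SERVER08\opsadmin-style account while succeeding for the domain account and the built-in Administrator, and LocalAccountTokenFilterPolicy is not set, that matches the behaviour the review observed on the workgroup server. Before changing the value on a production host, prefer the domain-account path the vendor describes, since setting the policy relaxes remote UAC filtering for every local administrator on that machine.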

McAteer concurred that this solution works in this scenario and acknowledged that Rove is removing the demand to disable UAC from future documentation. 
