Tuesday, December 16, 2008

Almost Three Months???

I was guessing it was more like two months since my last post. My bad.

I'm working on a few posts that I will hopefully have time to finish in the next few weeks. The biggest one I need to finish (it's been done for months - just need to get a screen shot and make some minor edits) is using AuthAnvil to secure Citrix Web Interface for Presentation Server. We wrote a custom plugin that just adds a passcode field to the login screen. Very handy.

Not really ready to talk about the other ones, but I have experience in a lot of areas. Feel free to shoot me an email or comment if you have anything you'd like to see. Just about anything in the SMB IT market is fair game.

Tuesday, September 23, 2008

Home Wi-Fi Security

I remember when just about every household wireless router made it difficult to add security to the connection. It wasn't part of the setup wizard, or the setup wizard didn't do a good enough job explaining why it was important.

I think we have definitely crossed a bridge in this area. Some routers (e.g. 2Wire) enable it out of the gate and put the key on the bottom of the unit (a practice we have started doing whenever we install them in a household now). Others require it as part of the setup wizard. Whatever the reason, people are finally doing it. I opened up my list of wireless networks while sitting on my couch and here's what I saw:



There were three more networks, all secured, below these that are visible. I'm glad the message finally got through. Let's just pray the ISM Band isn't toxic or something with this much Wi-Fi going around. =)

Tuesday, September 16, 2008

New Hyper-V Server Standalone

Microsoft has announced a new product called Microsoft Hyper-V Server. It's a free, standalone version of Hyper-V with limited features. Based on what I have read, it's a Server Core install of Server 2008, meaning you will need to use external tools or a command shell to configure and maintain it, and all it will run is Hyper-V.

If one of your guest OSes is going to be Windows Server 2008, and you need to license it, you're probably better off just buying a license for Windows Server 2008 Standard. If you run Hyper-V on Standard, you are allowed to extend that license to a single guest OS. This is probably what most small businesses will do, and run it on a full install of Server 2008 so all of the tools to manage it are in the same spot.

I can definitely see how this standalone product will come in handy for a few niche projects. It's always better to have the option for something like this, especially since VMware has a couple of free virtualization server options.

Monday, September 15, 2008

Custom NTBackup Script

Here is the script I referenced in the previous post. You can download this script from here, or use the one below along with sendemail, which you can download from here.

Disclaimer: Use this script at your own risk. You assume all responsibility for your data if you choose to use this script to protect any systems. It is assumed that you can understand and modify this script to fit your environment.




@echo off

:: ARTECH-NIGHTLY
:: 19 JULY 2008
::
:: COPYRIGHT (C) 2008 ARTECH SOLUTIONS, INC.
:: Author: Alexander Romp - alex@artechsolutions.com
::
:: THIS SCRIPT IS LICENSED TO THE CLIENT FOR USE
:: AND MAY ONLY BE MODIFIED TO CHANGE VARIABLES AS
:: NEEDED. IT MAY NOT BE MODIFIED IN ANY OTHER WAY OR
:: COPIED EXCEPT BY ARTECH SOLUTIONS, INC.


set semail=administrator@customerdomain.com
set demail=BackupReports@yourdomain.com
set subject=Customer (%computername%) Nightly Backup
set destfile=X:\Nightly-Backup.bkf
set selsetname=Nightly-Backup.bks
set smtpserver=emailserver:25


:: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
:: No Modification Below Here Should Be Required
:: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


for /f "Tokens=1-4 Delims=/ " %%i in ('date /t') do set dt=%%i-%%j-%%k-%%l
for /f "Tokens=1" %%i in ('time /t') do set tm=-%%i

set tm=%tm::=-%
set dtt=%dt%%tm%

if "%1" == "/full" goto full
if "%1" == "/incremental" goto incremental
if "%1" == "/emailtest" goto backdone

echo.
echo Please specify backup type with /full or /incremental
echo or /emailtest to test sending the last backup file.
echo.
goto EOF

:full

%windir%\system32\ntbackup.exe backup "@%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%selsetname%" /n "%computername% %dtt%" /d "%computername% %dtt%" /v:no /r:no /rs:no /m normal /j "%dtt%" /l:s /F "%destfile%" /UM

goto backdone

:incremental

%windir%\system32\ntbackup.exe backup "@%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%selsetname%" /a /d "%computername% %dtt%" /v:no /r:no /rs:no /m incremental /j "%dtt%" /l:s /F "%destfile%" /UM

goto backdone

:backdone

cd /d "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\"

for /f "tokens=1 delims=" %%M in ('dir *.log /B /O-D') do (
if "%%~xM"==".log" (
type "%%~fM" > %computername%-Backup.log
goto next1
)
)

:next1

sendemail -s %smtpserver% -f %semail% -t %demail% -u "%subject%" -a "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%computername%-Backup.log" -m "Logfile Attached"

del /q "%userprofile%\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data\%computername%-Backup.log"

:EOF

Backup Solutions for Small Businesses

I think it's probably fair to say that the days of tape are in the past. At least when it comes to the majority of small businesses. I think the only client of ours that still "requires" the use of tape is an advertising agency that frequently has to pull very old files off of tape. And even that is somewhat debatable.

Most of our day-to-day file protection is done using shadow copy now. To me, that is probably one of the best features that was introduced with Server 2003. Most of our clients are using SBS 2003, which includes a front-end for using NTBackup complete with reporting and easy scheduling. However, one huge thing that is missing from this is the ability to recognize portable hard drives as valid backup destinations. It will recognize tape drives, and any drive that shows itself as removable, like the Dell RD1000 drive (which is just a 2.5" SATA drive in a housing that acts like a tape cartridge).

That is why I was glad to hear about the changes to backup in the new SBS 2008. It is specifically geared towards using portable hard drives to protect your data (however it no longer supports tapes). The drives are setup using a configuration wizard which labels the drive and "commandeers" them for use exclusively by the backup system. The system accesses the drives using low-level API and optimizes them for speed, and therefore they are not accessible by drive letter or visible to Windows Explorer.

The system is smart enough to know the difference between multiple drives and performs an ongoing differential backup and keeps the disks so that any of them can be used for full disaster recovery. This greatly simplifies the issues we have had in the past with sites that required cumulative incremental backups due to the size of their backups.

Until all of our clients are on SBS 2008, our current backup script is pretty handy. We had cobbled pieces of it together from various other samples over the years, and I finally put it together into a single script a couple of months ago. You simply define what you want to back up and save the selection set as a BKS file in the usual spot. The script requires one of three parameters. You launch it with either /full, /incremental or /emailtest. The first two should be self-explanatory. The third tests the script's ability to figure out which of the NTBackup log files is the most recent, converts it to ASCII (side note: even though NTBackup log files open fine in Notepad, they are Unicode text rather than plain ASCII, which is why the script rewrites the newest one through the type command before attaching it) and then sends it to the specified email server and recipient.

Our script calls sendemail.exe by Brandon Zehm to use as the email engine. If you are interested in seeing it for yourself, I will put it up in a separate post, or you can download it here.
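As an added example (not the script above, and not from the original post): the same job in PowerShell, with one thing the CMD script does not do, which is to decide whether the backup actually succeeded before mailing the log, so the subject line can be acted on without opening the attachment. It assumes PowerShell 2.0 on the backup server, the same log folder, destination and SMTP values the CMD script uses as variables, and that the two summary phrases it looks for are the ones an English-language NTBackup writes at the end of a job; check them against one of your own logs first.

```powershell
# Added example, not the page's script. Assumptions are marked as such.
$logDir   = Join-Path $env:USERPROFILE 'Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data'
$destFile = 'X:\Nightly-Backup.bkf'                 # same as $destfile in the CMD script
$smtpHost = 'emailserver'                           # hypothetical relay, as in the CMD script
$from     = 'administrator@customerdomain.com'
$to       = 'BackupReports@yourdomain.com'
$maxAge   = New-TimeSpan -Hours 26                  # nightly job: anything older did not run

function Get-NtBackupResult {
    # Newest log by write time; NTBackup writes one log per job.
    $log = Get-ChildItem -Path $logDir -Filter *.log |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($log -eq $null) { throw "No NTBackup log found in $logDir" }

    # NTBackup logs are UTF-16 text (the reason the CMD script pipes them
    # through 'type' before attaching them), so read them as Unicode.
    $lines = Get-Content -Path $log.FullName -Encoding Unicode

    # Assumed summary phrases; adjust for a non-English NTBackup.
    $succeeded = @($lines | Where-Object { $_ -match 'The operation successfully completed' }).Count -gt 0
    $failed    = @($lines | Where-Object { $_ -match 'did not successfully complete|^Error:' }).Count -gt 0

    # Independent check that does not trust the log: was the .bkf written tonight?
    $bkfFresh = $false
    if (Test-Path -Path $destFile) {
        $bkfFresh = ((Get-Date) - (Get-Item -Path $destFile).LastWriteTime) -lt $maxAge
    }

    $status = 'FAILED'
    if ($succeeded -and -not $failed -and $bkfFresh) { $status = 'OK' }

    New-Object PSObject -Property @{
        Log      = $log.FullName
        Status   = $status
        BkfFresh = $bkfFresh
        Lines    = $lines
    }
}

$r = Get-NtBackupResult

# Attach an ANSI copy, the equivalent of the CMD script's 'type' redirect.
$asciiLog = Join-Path $env:TEMP "$env:COMPUTERNAME-Backup.log"
$r.Lines | Set-Content -Path $asciiLog -Encoding Ascii

Send-MailMessage -SmtpServer $smtpHost -From $from -To $to `
    -Subject "[$($r.Status)] $env:COMPUTERNAME nightly backup" `
    -Body ("Log: {0}`nDestination written within {1} hours: {2}" -f $r.Log, $maxAge.TotalHours, $r.BkfFresh) `
    -Attachments $asciiLog

Remove-Item -Path $asciiLog
if ($r.Status -ne 'OK') { exit 1 }   # non-zero exit so the scheduler or RMM tool can alert on it
```

Like the original, this hands the log to an SMTP relay on port 25 with no authentication or TLS; if the relay needs either, Send-MailMessage takes -Credential and -UseSsl. The freshness check on the .bkf is deliberately separate from the log parsing, because a job that never started leaves last night's log in place and the parsing alone would happily report it as a success.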

Friday, September 12, 2008

Creating a Secondary OWA Instance

(continued from previous post: AuthAnvil on OWA 2007)

So I set out on the task of creating a secondary OWA instance in IIS for the purpose of securing using AuthAnvil. First, I bound a second IP address to the server under TCP/IP properties. Then I created a new website named "AA-Secured" and set it to only listen on the new IP address. Then I set it to use the same SSL certificate that the original site used (e.g. webmail.domain.com).

So far, so good. I'm no PowerShell guru, but I'm impressed with how versatile it is. I have used it to perform many of the regular Exchange tasks with ease. I'm a command shell junkie at heart, but I never learned how to do "real" programming beyond some horribly complicated CMD files and some very simple VB.

One of the cmdlets is called "New-OwaVirtualDirectory". So I executed the command:
New-OwaVirtualDirectory -owaversion:exchange2007 -websitename "AA-Secured"
I watched the new OWA virtual directory show up in IIS manager while PowerShell plugged away. However after a little bit, it returned an error:
New-OwaVirtualDirectory : An error occurred while creating the IIS virtual directory 'IIS://server.domain.local/W3SVC/448843799/ROOT/owa' on 'SERVER'.
At line:1 char:24
+ New-OwaVirtualDirectory <<<< -owaversion:exchange2007 -websitename "AA-Secured"

Yes, I know I don't need to specify the version when executing this command - this is just one of the many ways I tried to get it to work.

In researching this issue, it seems that everybody's solution was to uninstall CAS (client access server - component of Exchange 2007), reinstall IIS and then reinstall CAS. Why would I want to do that? The original OWA listener works just fine.

If part of your job involves supporting and troubleshooting of Exchange environments, I really hope you follow the MS Exchange Team's blog. It's full of a lot of useful information. The part that specifically interested me was this article, titled "Supportability for multiple OWA/ Exchange Web Sites on Client Access Servers in Exchange Server 2007 and Exchange Server 2007 Service Pack 1" (quite the long title). However it was exactly what I was looking for.
  1. If you are using Forms-Based Authentication for your /OWA and/or legacy (/Exchange and /ExchWeb) virtual directories, Microsoft supports a single Web site per Client Access Server. Further, the /OWA and legacy virtual directories must be in the same Application Pool (AppPool).
  2. If you do not use Forms-Based Authentication, you can use as many Exchange Server-related Web sites as needed for your organization.
    However, Microsoft recommends that you use a Microsoft ISA Server 2006 server to handle Forms-Based Authentication for your various Web sites, in this circumstance.
  3. If Forms-Based Authentication must be used on the Exchange Server 2007 computer *and legacy virtual directories are not used*, you can use multiple Application Pools (AppPools) for each Web site.
    Note: Lack of legacy virtual directories will prevent proxy to Exchange Server 2003 mailbox servers and prevent Entourage clients from synchronizing with the Exchange Server using the Exchange service.
Here was my reaction to these points:
  1. Crap... We need forms-based authentication.
  2. Who cares? We need forms-based auth and there's no way we're moving the firewall over to the ISA box (which we use for web proxy).
  3. BINGO!
At this particular site, we only have a single Exchange server, which is 2007, and there's nobody using Entourage. So I used the following command to remove any legacy OWA directories:
Remove-OwaVirtualDirectory "exchange (default web site)"
Remove-OwaVirtualDirectory "public (default web site)"
Remove-OwaVirtualDirectory "exchweb (default web site)"
(I should mention that we didn't even have a public store at this site, much less users who use public folders via OWA, however I wanted to include it since most sites probably would have to remove that directory too)

After removing those other OWA virtual directories from the main site, I was able to execute the command successfully. Here's what IIS Manager and Exchange Manager looked like after all was said and done.

After making the new OWA virtual directory on the second site, we tested it to make sure it was fine on its own. Once we were confident everything was working, we locked it down with AuthAnvil's Web Logon agent, and modified the firewall so external users could only hit the new IP.
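Here is the whole procedure from this post and the previous one as a single Exchange Management Shell script (an added example, not the commands from the post). It assumes the AA-Secured site already exists in IIS on its own IP with the webmail.domain.com certificate bound, that the server name and external URL below are placeholders to replace, and that Get-OwaVirtualDirectory reports the legacy /exchange, /public and /exchweb directories with an OwaVersion of Exchange2003or2000, which is what the preflight check keys on.

```powershell
# Added example, not the post's own commands. Run in the Exchange Management
# Shell on the Exchange 2007 Client Access Server.
$server      = $env:COMPUTERNAME
$siteName    = 'AA-Secured'
$externalUrl = 'https://webmail.domain.com/owa'    # placeholder; matches the cert name in the post

function New-SecuredOwaSite {
    param([switch]$RemoveLegacy)

    # 1. Preflight (point 3 of the Exchange team article quoted above): forms-based
    #    auth on a second site needs every legacy directory gone from this CAS.
    #    'Exchange2003or2000' is the assumed OwaVersion value for those directories.
    $legacy = @(Get-OwaVirtualDirectory -Server $server |
                Where-Object { $_.OwaVersion -eq 'Exchange2003or2000' })

    if ($legacy.Count -gt 0) {
        if (-not $RemoveLegacy) {
            $legacy | Format-Table Identity, OwaVersion -AutoSize
            throw 'Legacy OWA virtual directories present. Rerun with -RemoveLegacy only after confirming no Exchange 2003 mailbox servers or Entourage clients depend on them.'
        }
        $legacy | Remove-OwaVirtualDirectory -Confirm:$false
    }

    # 2. Create the OWA directory on the second site (the command that failed in
    #    the post until the legacy directories were removed).
    New-OwaVirtualDirectory -OwaVersion Exchange2007 -WebSiteName $siteName | Out-Null

    # 3. Record which public name the secured listener answers to.
    Set-OwaVirtualDirectory -Identity "$server\owa ($siteName)" -ExternalUrl $externalUrl

    # 4. Verify: one Exchange2007 'owa' per site, forms auth still on, URL set.
    Get-OwaVirtualDirectory -Server $server |
        Select-Object Identity, OwaVersion, FormsAuthentication, ExternalUrl
}

New-SecuredOwaSite
```

The thing to keep in mind afterwards is that the OWA on the Default Web Site still has no second factor; the only thing keeping external users off it is the firewall rule that exposes just the AA-Secured IP. After the cutover, confirm from outside that the old IP no longer answers on 443, and consider binding the Default Web Site to the internal IP only in IIS, so a later firewall change cannot quietly reopen the unsecured path.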

AuthAnvil on OWA 2007

If you're not familiar with AuthAnvil, you should check it out. It's a great two-factor solution designed for the SMB market. It's easy to install, and the support is great.

They're getting ready to release the 1.6 version of their agents (edit: It was released yesterday). I've been running 1.5 for a while and we use it to secure our desktop machines as well as OWA.

Did I mention that we use Exchange 2007? Exchange 2007 requires a 64-bit server OS. However there's one little problem. There isn't a 64-bit version of the ISAPI available for AuthAnvil yet (I think that's coming out in 1.6).

I've had many conversations with Dana Epp, the owner of Scorpion Software, makers of AuthAnvil. I told him that I wanted to experiment with securing OWA 2007 using their Web Logon Agent. He was kind enough to send me the 64-bit version of the ISAPI DLL and some instructions. I ran into some roadblocks along the way, but was able to get past all of them. We have been running AuthAnvil with our OWA server with no issues for over two months now.

With this in mind, I was confident telling a client of mine that we would have no problem installing it onto their Exchange 2007 OWA server. However their environment was a little bigger than ours. One of the features of AA's web logon agent is the whitelist. You can setup individual IP addresses that don't require two-factor logins. This is handy if you have internal users using OWA and you don't want to buy tokens for them. However this environment has 12 class-C networks spread out across Central Iowa. Many of the internal users use OWA for their email. That means we would have roughly 3000 IP addresses to whitelist.

So my solution was to create a secondary OWA in IIS on a different IP. Internal users would continue to hit the old, unsecured version. However external users would be directed to the new listener in IIS, which would be secured with AuthAnvil. I've had to create secondary OWA listeners in older versions of Exchange. How hard could it be with this shiny new version?

Famous last words...

(to be continued)

Thursday, September 11, 2008

Hyper-V Stuck at 53%

Just a weird little issue. It seems the KB article has been out since March, but HP has yet to fix the problem.

If you install any updates to Hyper-V on certain HP servers running their NIC management software, after you reboot you will be stuck on "Stage 3 of 3" at 53%. Luckily there were a few good hits for this on Google and we easily fixed it.

The fix involves booting from the CD and using Repair (which is much improved in Server 2008 - I'm impressed), then renaming a file.

I'm sure the Microsoft KB article would have appeared in my results, however it has 54% instead of 53% (I did find some older references online that had 54% in them).

Here's the article in case anybody else runs into this:
http://support.microsoft.com/kb/950792

I'm really digging Hyper-V. Yes, I still like ESX too, so I don't want to hear anything from VMware fanboys.

Wednesday, September 10, 2008

Windows Search 4.0

Why does Microsoft like to sneak products into patches?

A recent example of this would be the inclusion of Windows Search 4.0 which was installed if you approved an update patch. The patch was just supposed to update it if it was installed. Not install the full version for everybody.

Personally, I'm a fan of Windows Search. However it seems to *really* slow down machines if they're more than a year old. It landed on a couple of our managed networks and the users really started to complain. At first I thought the complaints would die down once the indexing process completed. However it's been a week and a half and the complaints keep coming.

This is another one of those times that I absolutely LOVE using Kaseya. With just a few clicks, I created a script that tests for the existence of the uninstall file (which is only there if the product is installed), and then runs it in silent mode. I tested it on a machine that I was logged into remotely to make sure the user didn't see anything. Everything worked like a charm.

The command in case anybody needs it is:

C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe /quiet /norestart

Or for you Kaseya Script people:

Script Name: Remove Windows Search 4.0
Script Description:

IF Test File
Parameter 1 : C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe

Exists :
THEN

Execute File

Parameter 1 : C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe
Parameter 2 : /quiet /norestart
Parameter 3 : 3

OS Type : 0

ELSE

This just ran in the background. I watched as the search taskbar disappeared followed by the tray icon. I then checked the Add/Remove programs list to make sure that it was indeed gone.
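For anyone without Kaseya, here is the same test-then-uninstall in PowerShell (an added example, not the Kaseya script above), with the Add/Remove Programs check folded in. It assumes PowerShell 2.0 on the workstation, the spuninst path from this post, that the package registers its Add/Remove entry under an Uninstall key named KB940157 (confirm that on one machine before pushing it out), and the usual Windows convention that exit code 3010 means success with a reboot pending.

```powershell
# Added example, not the post's Kaseya script. The registry key name and the
# 3010 convention are assumptions; verify them on one machine first.
$uninst = Join-Path $env:SystemRoot '$NtUninstallKB940157$\spuninst\spuninst.exe'
$arpKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB940157'

function Remove-WindowsSearch4 {
    if (-not (Test-Path -LiteralPath $uninst)) {
        return 'not installed'          # the Kaseya script's ELSE branch
    }

    # spuninst.exe is a GUI-subsystem binary, so "& $uninst" would return at once;
    # start it as a process and wait, so the exit code means something.
    $p = [System.Diagnostics.Process]::Start($uninst, '/quiet /norestart')
    $p.WaitForExit()

    if ($p.ExitCode -eq 0)        { $result = 'removed' }
    elseif ($p.ExitCode -eq 3010) { $result = 'removed, reboot pending' }
    else { return "spuninst failed with exit code $($p.ExitCode)" }

    # What the post checked by hand in Add/Remove Programs: the entry is gone.
    if (Test-Path -LiteralPath $arpKey) {
        return "$result, but the Add/Remove Programs entry is still registered"
    }
    return $result
}

Remove-WindowsSearch4
```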

Friday, August 8, 2008

Sysinternals Rocks

I just wanted to say that Windows Sysinternals is probably the single most valuable set of tools I have ever used. Here are my top picks:

Autoruns - Since discovering this tool, I haven't touched HiJackThis. If you're checking a system for spyware, this is probably the single best tool to check all of the entry points for possible malicious programs.

Process Monitor - This is the "marriage" of two of their older tools, FileMon and RegMon. I can use this program to troubleshoot problems with missing files or registry keys, or to see what a suspicious application is accessing on the system.

Process Explorer - This program is like Task Manager on crack. In addition to listing the open applications, as well as process trees, I can see which application has a particular DLL loaded. When using this for spyware removal, you can suspend processes that you can't kill (lsass.exe or winlogon.exe) that can house active malware so you can clean them up without the program adding itself back in.

TCPView - This is like netstat, but with a much nicer interface, and you can watch connections in real time (even reloading netstat every second can miss some things).

Also check out BgInfo, PSTools, RootKitRevealer, and just about every other application on their site.

Just yesterday, I was checking some antivirus logs at a client site and we noticed several machines had old infections of soundmix.exe. The AV program could not remove it since it was currently active and couldn't just be killed. So we took a look at one of the machines and the first program I ran was AutoRuns. I saw that the program had hooked itself into exefile so it was launched every time you ran an executable. However it would come back on its own even if you removed it and killed the process.

So I ran Process Monitor (procmon) to see what exactly the application was doing. I noticed that it was polling the root of the C: drive for a file named stop.txt every second. Out of sheer curiosity, I ran the command "echo. > c:\stop.txt" just to put a file out there to see what it would do. Within a second, I saw the process terminate and the threads exit in procmon, and it removed its own entry points. This had to be the single easiest cleanup I have ever done. It did all of the work for me.

Because this was in a large, distributed network, some of these viruses had been in place for quite a while. We are being brought in to mop up after years of just getting by. Part of this process involved deploying modern Anti Virus clients to all of the machines. We use Kaseya to maintain this network. Rather than waiting to finish deploying all of the AV clients, I just wrote a Kaseya script to place the stop.txt file in the root of the system drive, and then removed the files.

By pushing this script out to every machine on the network with Kaseya, we were able to make sure that it was removed on a broad scale in a matter of minutes. Since the script tested for the existence of the file before performing any of the steps, there was no reason to not just run the script on every machine in the organization, which can be done with about two clicks once the script is written.
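Here is the same kill switch as a script (an added example, not the Kaseya script from this post), with the check I would want before calling a machine clean. It assumes the behaviour observed above: a process named soundmix that polls C:\stop.txt once a second and unhooks itself when the file appears. The post does not list the dropped files, so the script does not delete anything; it only verifies that the exefile open command is back to the stock "%1" %* value, which is what matters, because a stale hook there means no .exe will start once the malware binary is gone.

```powershell
# Added example, not the post's Kaseya script. Process name and trigger file
# are taken from the behaviour described in the post.
$stopFile   = Join-Path $env:SystemDrive 'stop.txt'
$exeHookKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'   # same data as HKCR\exefile\shell\open\command
$cleanCmd   = '"%1" %*'                                             # stock Windows value

function Get-ExefileOpenCommand {
    (Get-ItemProperty -LiteralPath $exeHookKey).'(default)'
}

function Invoke-SoundmixKillSwitch {
    param([int]$TimeoutSeconds = 30)

    if (-not (Get-Process -Name soundmix -ErrorAction SilentlyContinue)) {
        return 'soundmix not running'
    }

    # Existence of the file is the trigger; its contents do not matter.
    Set-Content -Path $stopFile -Value ''

    # It polls once a second, so wait with a bound instead of a fixed sleep.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Process -Name soundmix -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Milliseconds 500
    }
    if (Get-Process -Name soundmix -ErrorAction SilentlyContinue) {
        return "soundmix still running after $TimeoutSeconds s; treat it as a variant without the kill switch"
    }

    # Do not take "it removed its own entry points" on faith: if exefile still
    # points at the malware, nothing will launch once its binary is deleted.
    $hook = Get-ExefileOpenCommand
    if ($hook -ne $cleanCmd) {
        return "exited, but exefile open command is '$hook' (expected '$cleanCmd'); restore it before deleting anything"
    }
    return 'exited and exefile open command is clean; safe to delete the dropped files'
}

Invoke-SoundmixKillSwitch
```

Leaving C:\stop.txt in place afterwards costs nothing and acts as a vaccine against the same sample until the AV client is on the machine, which is why the script does not remove it.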

It is these types of tools, and management platforms like Kaseya that have enabled (yes, those in the IT consulting space might see the pun there) small consulting businesses like ours to maintain much larger user bases without increasing staff. The ratio of users to consultants is able to increase without losing our ability to take care of the clients.

My next project on this network is to get about 175 machines across 12 locations onto the newly created domain (they're in workgroups now) while preserving the user profile. Should be fun!

Monday, July 7, 2008

Small Biz Thoughts by Karl Palachuk: Pricing: Don't Settle for 1%

Karl has some of the best insight into the SMB consulting arena. Occasionally I will find something that he has written that perfectly expresses how I feel about a topic. This is one of those times.

Thanks again Karl!

Sunday, July 6, 2008

Selecting a Mobile Device

One of the questions I am routinely asked in my line of work has to do with selecting a mobile device. Most of the time, people don't know quite what they need. They just need "a BlackBerry or something".

We can debate all day how much somebody actually needs something like this (my advice: RUN AWAY!). But in the end it comes down to what they want to do with it.

Some people actually need/want the full PIM (Email / Contacts / Tasks / Appointments / Notes / etc) sync ability that comes with something like a BlackBerry, Treo or Windows Mobile device. However, some people just want a qwerty-style keyboard so they can compose text messages a lot easier.

For the purposes of this post, I'm going to focus on those people in the former category (the latter group can proceed to their preferred cell phone store - there are TONS of them).

Most people expect me to just tell them in 3 words or less what they would need. It would be simpler for me too if the answer could be condensed into something like, "an iPhone", "a BlackBerry", or "Verizon XV6800". In reality the answer is a lot more complicated.

My response to them usually has to do with a few factors:

  • If they have a preference of device (RIM / Palm / WinMo)
  • What they use for email (Exchange / Hotmail / GMail / POP)
  • What they need to sync (Email Only / Full PIM)
  • Are there any special applications they need (ACT / GoldMine)

If they're running an Exchange Server that's at least version 2003, the simplest thing is to have them get something running Windows Mobile 5.0 or later. Aside from the small issue of setting up SSL properly on their server, installation is a breeze. You get a mostly familiar interface, a whole slew of applications, and real-time push synchronization - just like what BlackBerry made famous.

For those people who just really want a BlackBerry (and I'm one of them), you have a couple of options. If you only need to sync email wirelessly (and can wait until you're by your PC to sync everything else), you can configure your email settings right on the handheld. It is very easy to set up and can talk directly to Outlook Web Access, GMail, or just about any other email service (coming soon for Hotmail).

If you need full PIM sync in real time wirelessly, RIM (BlackBerry) has made it very cheap to install a small BES (BlackBerry Enterprise Server) which can run on your SBS or Exchange server without much hassle. Just make sure the person installing it knows what they're doing, or you can wind up in trouble fast. It's free for the first person and $99/seat after that. Compared to my first 5-user BES license which ran close to $1500, that's a steal. Go beyond 10 users and you'll want to look at a full BES Enterprise install though.

Inaugural Post

It's very likely that this blog will be a constant work in progress.  But rest assured it will only contain stuff that matters (to me, that is).  Okay, probably not even to me, but then again, this is the Internet.

I wanted a place to talk about technology, trends, and also the occasional rant.

But let's start with something so low, I can only move up from there.

Here's a hilarious video (courtesy Chris Pirillo's Twitter via Greg Hughes' blog) called The Web Site is Down (definitely NSFW).  It hits a little too close to home.  I think I really lost it at about the 7 minute mark.  Check it out.