I think it's probably fair to say that the days of tape are in the past, at least for the majority of small businesses. The only client of ours that still "requires" tape is an advertising agency that frequently has to pull very old files off of it, and even that is somewhat debatable.
Most of our day-to-day file protection is done with shadow copies now. To me, that is probably one of the best features introduced with Server 2003, with one caveat: Shadow Copies of Shared Folders live on the same volumes they protect, so they cover accidental deletes and overwrites but are no substitute for a backup that leaves the box. Most of our clients are using SBS 2003, which includes a front-end for NTBackup complete with reporting and easy scheduling. However, one huge thing missing from it is the ability to recognize portable hard drives as valid backup destinations. It will recognize tape drives, and any drive that presents itself as removable, like the Dell RD1000 (which is just a 2.5" SATA drive in a housing that acts like a tape cartridge).
That is why I was glad to hear about the changes to backup in the new SBS 2008. It is specifically geared towards using portable hard drives to protect your data (it no longer supports tape at all). The drives are set up using a configuration wizard, which labels each drive and "commandeers" it for exclusive use by the backup system: the disk is reformatted and dedicated to backup, it gets no drive letter, and it is not visible in Windows Explorer. A side benefit is that nothing else on the server (an errant user, a script, or malware) can casually write to or delete from the backup volume.
The system is smart enough to tell multiple drives apart, performs ongoing incremental backups to each of them, and keeps every disk self-contained so that any one of them can be used on its own for a full disaster recovery. This greatly simplifies the problems we have had in the past with sites that required cumulative incremental backups because of the size of their full backups.
Until all of our clients are on SBS 2008, our current backup script is pretty handy. We had cobbled pieces of it together from various other samples over the years, and I finally put it together into a single script a couple of months ago. You simply define what you want to back up and save the selection set as a BKS file in the usual spot. The script requires one of three parameters: you launch it with either /full, /incremental or /emailtest. The first two should be self-explanatory. The third tests the script's ability to figure out which of the NTBackup log files is the most recent, converts it to ASCII (side note: even though NTBackup log files open fine in Notepad, they are actually Unicode (UTF-16) text, so anything expecting plain ASCII, such as a mail body, sees garbage or every other byte), and then sends it to the specified email server and recipient.
Our script calls sendemail.exe by Brandon Zehm as its email engine. If you are interested in seeing it for yourself, I will put it up in a separate post, or you can download it here.
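The /emailtest logic described above, as an added example that is not the author's script: Python standing in for the batch file, with the three steps of picking the newest NTBackup log, decoding its UTF-16 content to plain text, and handing the result to sendEmail.exe. The NTBackup log directory, the wording of the summary lines (taken from NTBackup's English logs) and the sendEmail switches (-f, -t, -s, -u and -o message-file=, as documented for that tool) are assumptions, and the sample log is constructed. It goes one step beyond the post by reading the log's outcome into the subject line, so a failed job is visible in the inbox without opening the mail.

```python
import os
from pathlib import Path
from typing import Optional

# Default NTBackup log location on Server 2003 for the account running the job.
# Assumed path; the post's script reads "the usual spot" for the same account.
NTBACKUP_LOG_DIR = (
    Path(os.environ.get("USERPROFILE", r"C:\Documents and Settings\Administrator"))
    / "Local Settings" / "Application Data" / "Microsoft" / "Windows NT" / "NTBackup" / "data"
)

# Constructed sample in the shape of an NTBackup log, encoded the way NTBackup
# writes it: UTF-16LE with a byte-order mark. Not a real log from the post.
SAMPLE_LOG = b"\xff\xfe" + (
    "Backup Status\r\n"
    "Operation: Backup\r\n"
    "Active backup destination: File\r\n"
    'Media name: "Backup.bkf created 9/15/2008 at 10:00 PM"\r\n'
    "\r\n"
    'Backup (via shadow copy) of "C: "\r\n'
    "Backup Type: Incremental\r\n"
    "\r\n"
    "Backup started on 9/15/2008 at 10:00 PM.\r\n"
    'Warning: Unable to open "C:\\pagefile.sys" - skipped.\r\n'
    "Backup completed on 9/15/2008 at 10:41 PM.\r\n"
    "Directories: 1234\r\n"
    "Files: 56789\r\n"
    "Bytes: 12,345,678,901\r\n"
    "Time:  41 minutes and 3 seconds\r\n"
).encode("utf-16-le")


def newest_log(directory: Path) -> Optional[Path]:
    """Most recently modified backup*.log in the directory, or None if there is none."""
    if not directory.is_dir():
        return None
    logs = sorted(directory.glob("backup*.log"), key=lambda p: p.stat().st_mtime)
    return logs[-1] if logs else None


def decode_ntbackup_log(raw: bytes) -> str:
    """NTBackup logs look like text in Notepad but are UTF-16 with a BOM; mailed
    as-is they arrive as garbage. Decode by BOM, fall back to UTF-8 then cp1252."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")  # the codec consumes the BOM
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        return raw.decode("cp1252", errors="replace")


def summarize(text: str) -> dict:
    """Reduce a decoded log to what belongs in a subject line: job type, whether it
    finished, and what it skipped. Line wording is an assumption (English logs)."""
    summary = {"type": None, "status": "failed", "warnings": [], "files": None, "bytes": None}
    completed = failed = False
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("Backup Type:"):
            summary["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Backup completed on"):
            completed = True
        elif line.startswith("Warning:"):
            summary["warnings"].append(line)
        elif line.startswith("Files:"):
            summary["files"] = int(line.split(":", 1)[1].replace(",", ""))
        elif line.startswith("Bytes:"):
            summary["bytes"] = int(line.split(":", 1)[1].replace(",", ""))
        elif "did not successfully complete" in line:
            failed = True
    if completed and not failed:
        summary["status"] = "warnings" if summary["warnings"] else "ok"
    return summary


def subject_for(hostname: str, summary: dict) -> str:
    """One-line subject so a failure is visible in the inbox without opening the mail."""
    tag = {"ok": "OK", "warnings": "OK WITH WARNINGS", "failed": "FAILED"}[summary["status"]]
    return f"[{hostname}] NTBackup {summary['type'] or 'unknown'}: {tag} ({len(summary['warnings'])} warnings)"


def sendemail_argv(server: str, sender: str, recipient: str, subject: str, body_file) -> list:
    """Command line for Brandon Zehm's sendEmail.exe (switches as documented for it;
    the location of sendEmail.exe on the PATH is assumed)."""
    return ["sendEmail.exe", "-s", server, "-f", sender, "-t", recipient,
            "-u", subject, "-o", f"message-file={body_file}"]


if __name__ == "__main__":
    log = newest_log(NTBACKUP_LOG_DIR)
    text = decode_ntbackup_log(log.read_bytes() if log else SAMPLE_LOG)
    body = Path(os.environ.get("TEMP", "/tmp")) / "ntbackup-last.txt"
    body.write_text(text, encoding="ascii", errors="replace")  # the "convert to ASCII" step
    subject = subject_for(os.environ.get("COMPUTERNAME", "server"), summarize(text))
    print(subject)
    print(" ".join(sendemail_argv("mail.example.com", "backup@example.com", "admin@example.com", subject, body)))
```

Run it with no arguments and it falls back to the constructed sample; on the server it picks up the real newest log. The status logic is deliberately pessimistic: a log with no "Backup completed" line, or with the "did not successfully complete" line anywhere, is reported as failed even if the job wrote a byte count.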
Monday, September 15, 2008
Friday, August 8, 2008
Sysinternals Rocks
I just wanted to say that Windows Sysinternals is probably the single most valuable set of tools I have ever used. Here are my top picks:
Autoruns - Since discovering this tool, I haven't touched HiJackThis. If you're checking a system for spyware, this is probably the single best tool to check all of the entry points for possible malicious programs.
Process Monitor - This is the "marriage" of two of their older tools, FileMon and RegMon. I can use this program to troubleshoot problems with missing files or registry keys, or to see what a suspicious application is accessing on the system.
Process Explorer - This program is like Task Manager on crack. In addition to listing the open applications, as well as process trees, I can see which application has a particular DLL loaded. When using this for spyware removal, you can suspend processes that you can't kill (lsass.exe or winlogon.exe) that can house active malware, so you can clean them up without the program adding itself back in. Keep in mind that suspending either of those stalls logons and authentication on the box, so suspend, remove the persistence, and resume.
TCPView - This is like netstat, but with a much nicer interface, and you can watch it in real time (even reloading netstat every second can miss some things).
Also check out BgInfo, PsTools, RootkitRevealer, and just about every other application on their site.
Just yesterday, I was checking some antivirus logs at a client site and we noticed several machines had old infections of soundmix.exe. The AV program could not remove it since it was currently active and couldn't just be killed. So we took a look at one of the machines, and the first program I ran was Autoruns. I saw that the program had hooked itself into the exefile class (the shell\open\command handler that Windows runs for every .exe), so it was launched every time you ran an executable. However, it would come back on its own even if you removed the hook and killed the process.
So I ran Process Monitor (procmon) to see what exactly the application was doing. I noticed that it was polling the root of the C: drive for a file named stop.txt every second. Out of sheer curiosity, I ran the command "echo. > c:\stop.txt" just to put a file out there and see what it would do. Within a second, I saw the process terminate and its threads exit in procmon, and it removed its own entry points. This had to be the single easiest cleanup I have ever done; it did all of the work for me.
Because this was in a large, distributed network, some of these infections had been in place for quite a while. We are being brought in to mop up after years of just getting by. Part of this process involved deploying modern antivirus clients to all of the machines. We use Kaseya to maintain this network. Rather than waiting to finish deploying all of the AV clients, I just wrote a Kaseya script to place the stop.txt file in the root of the system drive, and then removed the files.
By pushing this script out to every machine on the network with Kaseya, we were able to make sure it was removed on a broad scale in a matter of minutes. Since the script tested for the existence of the file before performing any of the steps, there was no reason not to run it on every machine in the organization, which can be done with about two clicks once the script is written.
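The exefile hook is the part of this story worth being able to check without Autoruns in hand, so here is an added example (not the author's Kaseya script and not Autoruns' logic) that reads an export made with "reg export HKCR\exefile\shell\open\command exefile.reg" and flags any program handler whose default value is not the stock "%1" %*. It goes beyond the post by covering the comfile, batfile and cmdfile handlers as well, which carry the same stock value. The sample exports are constructed, and the hijacked one is a hypothetical shape (a dropper prepended to the stock command), not what soundmix.exe actually wrote.

```python
import re
import sys

# Stock default for the handlers that launch programs on an unmodified English
# Windows install (assumption). Anything placed in front of "%1" runs on every
# launch, which is the re-infection path the post describes for exefile.
STOCK_OPEN_COMMAND = '"%1" %*'
HANDLER_KEY = re.compile(r"\\(exefile|comfile|batfile|cmdfile)\\shell\\open\\command$", re.I)


def decode_reg_export(raw: bytes) -> str:
    """reg.exe writes UTF-16LE with a BOM; older REGEDIT4-style exports are ANSI."""
    return raw.decode("utf-16") if raw[:2] == b"\xff\xfe" else raw.decode("cp1252")


def parse_reg_export(text: str) -> dict:
    """Map each [key] section to its REG_SZ values ('' is the default value).
    Non-string types (hex:, dword:) and '-' deletions are skipped on purpose."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            if len(value) >= 2 and value[0] == value[-1] == '"':
                # .reg files escape backslash and double quote with a backslash
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", value[1:-1])
    return keys


def find_hooked_handlers(text: str) -> list:
    """(key, command) for every program handler whose default is not the stock one.
    A missing default counts as hooked too: that is not how a healthy key looks."""
    hooked = []
    for key, values in parse_reg_export(text).items():
        if HANDLER_KEY.search(key):
            command = values.get("", "")
            if command != STOCK_OPEN_COMMAND:
                hooked.append((key, command))
    return hooked


# Constructed samples: what 'reg export' produces for a clean key, and a
# hypothetical hooked one (not soundmix.exe's real value).
CLEAN_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
    '@="\\"%1\\" %*"\r\n'
)
HOOKED_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n"
    '@="C:\\\\WINDOWS\\\\system32\\\\dropper.exe \\"%1\\" %*"\r\n'
    "\r\n"
    "[HKEY_CLASSES_ROOT\\batfile\\shell\\open\\command]\r\n"
    '@="\\"%1\\" %*"\r\n'
)


if __name__ == "__main__":
    # Usage: python check_exefile.py exefile.reg   (falls back to the hooked sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = decode_reg_export(fh.read())
    else:
        text = HOOKED_EXPORT
    hooked = find_hooked_handlers(text)
    for key, command in hooked:
        print(f"HOOKED  {key}\n        default = {command!r}  (expected {STOCK_OPEN_COMMAND!r})")
    if not hooked:
        print("program handlers look stock")
```

On a live machine, "reg query HKCR\exefile\shell\open\command /ve" shows the same value directly; the export form is what you would collect from many machines through a management tool and review in one place. Note that the stop.txt kill switch in the post is a quirk of that one sample, not a general cleanup technique; the handler check above is what tells you whether the hook is actually gone afterwards.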
It is these types of tools, and management platforms like Kaseya that have enabled (yes, those in the IT consulting space might see the pun there) small consulting businesses like ours to maintain much larger user bases without increasing staff. The ratio of users to consultants is able to increase without losing our ability to take care of the clients.
My next project on this network is to get about 175 machines across 12 locations onto the newly created domain (they're in workgroups now) while preserving the user profile. Should be fun!
Labels: IT, Kaseya, Management, SMB
Monday, July 7, 2008
Small Biz Thoughts by Karl Palachuk: Pricing: Don't Settle for 1%
Karl has some of the best insight into the SMB consulting arena. Occasionally I will find something that he has written that perfectly expresses how I feel about a topic. This is one of those times.
Thanks again Karl!