RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Let me know if you have any questions - I deal with this stuff several times a 
week. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, August 03, 2010 5:13 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

That's awesome. I look forward to playing with it.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment in to l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com]
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have powershell cmdlets that work over the web for administrator so there 
should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System(SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let google handle voice mail, email and anything else they want to give 
> to the students.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost too.  Zero and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all that other support headaches for 
> me.  Great big plus.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules

Re: Finding a huge file dump from June...

2010-08-03 Thread Kurt Buff
On Tue, Aug 3, 2010 at 17:25, Michael B. Smith  wrote:
> In regards to [1], change "-auto" to "-wrap" in the format-table element of 
> the pipeline.

That worked, but not in a way that appealed to me. It keeps output to
a column set, rather than doing a complete wrap to the beginning of
the line - which is kind of cool, actually, just not what I wanted for
this.

I figured out a better way (for me, at this moment) using the -width
parameter for out-file. I specified 275, used it against a test
directory, and that's working well. I'll probably expand it to 300,
just to be sure...

> In regards to [2], on the out-file element of the pipeline, add "-Encoding 
> ASCII".

Excellent. Good to know. I looked at help for out-file, and didn't see
that - even though it was right in front of my face.

> Have I ever spoken with you about incomplete user requirement documents? :-) 
> :-) :-)

Hey! It's an iterative process - as I discover more of what's
happening, I know better which questions to ask!

Heh.

Truly, this is excellent help, and I'm greatly appreciative.

Kurt

> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 8:17 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> Nuts.
>
> This works, except for two things:
>
> PS K:\Groups> get-childitem k:\groups -force -recurse |?
> {$_.CreationTime.ToString() -match "^2010-06-2[3-6]" } | format-table 
> creationtime,length,fullname -auto | out-file out.txt
>
> 1) The output from the above is truncated - I'm only seeing 150 characters 
> (the width I have the screen at), and many of the files are deeper than that.
>
> 2) Output is in Unicode, not ASCII - this is more annoyance than critical, 
> but it would be nice to know how to get ASCII.
>
>
>
> On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
>> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString()
>> -match "^2010-06-2[0-9]" } | format-table creationtime,length,fullname
>> -auto
>>
>> Or select-string.
>>
>> No need to drop to findstr.
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, August 03, 2010 3:07 PM
>> To: NT System Admin Issues
>> Subject: Re: Finding a huge file dump from June...
>>
>> I tested this against a small directory, and am now running this:
>>
>> PS K:\> get-childitem k:\groups -force -recurse | format-table
>> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
>> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 |
>> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
>> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>>
>> Your hint with 'fullname' was the last piece of the puzzle.
>>
>> I really need to start reading my powershell books - putting them underneath 
>> my pillow just isn't cutting it...
>>
>> Need. More. Time.
>>
>> Kurt
>>
>> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>>> PowerShell... and here's one of my favorite one-liners to find big files:
>>>
>>> dir c:\temp -force -recurse | sort length -desc | format-table
>>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>>
>>> You can sort the results replacing the length by any of the
>>> properties after format-table
>>>
>>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>>> All,
>>>>
>>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>>> Over the course of 4 days recently it went from about 30% free to
>>>> about 13% free - someone slammed around 200gb onto the file server.
>>>>
>>>> I have a general idea of where it might be - there are two top-level
>>>> directories that are over 200gb each.
>>>>
>>>> However, windirstat hasn't been completely helpful, as I can't seem
>>>> to isolate which files were loaded during those days, and none of
>>>> the files that I've been looking at were huge - no ISO or VHD files
>>>> worth mentioning, etc..
>>>>
>>>> I also am pretty confident that there are a *bunch* of duplicate
>>>> files on those directories.
>>>>
>>>> So, I'm looking for a couple of things:
>>>>
>>>> 1) A way to get a directory listing that supports a time/date stamp
>>>> (my choice of atime, mtime or ctime) size and a complete path name
>>>> for each file/directory on a single line - something like:
>>>>
>>>>     2009-01-08  16:12   854,509
>>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>>
>>>> I've tried every trick I can think of for the 'dir' command and it
>>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't
>>>> seem to want to do this either. Is there a powershell one-liner that
>>>> can do this for me perhaps?
>>>>
>>>> 2) A recommendation for a duplicate file finder - cheap or free
>>>> would be preferred.

 

RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
That paragraph and the OP's vertical comprises much of what I do every week so 
like MBS said I assumed some knowledge there.

l...@edu is Microsoft's free offering for education for student email. It runs 
on Exchange 2010 up "in the cloud" and is hosted by Microsoft. OLSync is their 
term for the plugin for Identity Lifecycle Manager which allows you to 
synchronize your AD/Exchange up to l...@edu to provision all the data in to the 
hosted Exchange environment. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 03, 2010 5:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Take that paragraph out of contest and it scarcely looks like English...

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 1:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment in to l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~






RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Yes and if you were sneaky you might be able to forward mail to those mailboxes 
(such as UM data) to the cloud. I'm not sure if the voicemail form would be 
retained on the remote side, and you'd have a problem with MWIs on your phones 
and OCS as people would mark messages as read in the cloud but they will be 
unread on-premise.

Also keep in mind that in Exchange 2010 fax is not in the box anymore and 
requires a third party solution. You're going to be paying for the eCAL for all 
your users to do this as well as some hardware. I'm wondering once you factor 
in the relatively cheap storage for Exchange 2010 how much more you're going to 
be burning? Are you giving all your students a VM box or just employees and 
student workers? 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, August 03, 2010 5:13 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Good to know. Is it possible to host additional mailboxes locally just for 
voicemail/faxes and leave the actual mail in the cloud?  Not really UM per se, 
but it would allow us to get off of our 3rd party voicemail server and 
auto-attendant and use Exchange's considerably cheaper versions.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 2:38 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Currently UM in that scenario isn't possible. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) m

RE: Finding a huge file dump from June...

2010-08-03 Thread Michael B. Smith
In regards to [1], change "-auto" to "-wrap" in the format-table element of the 
pipeline.

In regards to [2], on the out-file element of the pipeline, add "-Encoding 
ASCII".

Have I ever spoken with you about incomplete user requirement documents? :-) 
:-) :-)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, August 03, 2010 8:17 PM
To: NT System Admin Issues
Subject: Re: Finding a huge file dump from June...

Nuts.

This works, except for two things:

PS K:\Groups> get-childitem k:\groups -force -recurse |?
{$_.CreationTime.ToString() -match "^2010-06-2[3-6]" } | format-table 
creationtime,length,fullname -auto | out-file out.txt

1) The output from the above is truncated - I'm only seeing 150 characters (the 
width I have the screen at), and many of the files are deeper than that.

2) Output is in Unicode, not ASCII - this is more annoyance than critical, but 
it would be nice to know how to get ASCII.



On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString() 
> -match "^2010-06-2[0-9]" } | format-table creationtime,length,fullname 
> -auto
>
> Or select-string.
>
> No need to drop to findstr.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:07 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> I tested this against a small directory, and am now running this:
>
> PS K:\> get-childitem k:\groups -force -recurse | format-table 
> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 | 
> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>
> Your hint with 'fullname' was the last piece of the puzzle.
>
> I really need to start reading my powershell books - putting them underneath 
> my pillow just isn't cutting it...
>
> Need. More. Time.
>
> Kurt
>
> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>> PowerShell... and here's one of my favorite one-liners to find big files:
>>
>> dir c:\temp -force -recurse | sort length -desc | format-table 
>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>
>> You can sort the results replacing the length by any of the 
>> properties after format-table
>>
>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>> All,
>>>
>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>> Over the course of 4 days recently it went from about 30% free to 
>>> about 13% free - someone slammed around 200gb onto the file server.
>>>
>>> I have a general idea of where it might be - there are two top-level 
>>> directories that are over 200gb each.
>>>
>>> However, windirstat hasn't been completely helpful, as I can't seem 
>>> to isolate which files were loaded during those days, and none of 
>>> the files that I've been looking at were huge - no ISO or VHD files 
>>> worth mentioning, etc..
>>>
>>> I also am pretty confident that there are a *bunch* of duplicate 
>>> files on those directories.
>>>
>>> So, I'm looking for a couple of things:
>>>
>>> 1) A way to get a directory listing that supports a time/date stamp 
>>> (my choice of atime, mtime or ctime) size and a complete path name 
>>> for each file/directory on a single line - something like:
>>>
>>>     2009-01-08  16:12   854,509
>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>
>>> I've tried every trick I can think of for the 'dir' command and it 
>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't 
>>> seem to want to do this either. Is there a powershell one-liner that 
>>> can do this for me perhaps?
>>>
>>> 2) A recommendation for a duplicate file finder - cheap or free 
>>> would be preferred.
>>>
>>> Kurt
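The listing this thread is after, as an added PowerShell example (not code posted by anyone on the list): it filters on `CreationTime` as a date, writes one untruncated ASCII line per file, then totals the window by top-level folder and flags duplicate candidates. `K:\Groups`, the 23-26 June 2010 window and `out.txt` come from the posts; the function names are hypothetical, and `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Added example, not code from the thread. Function names are hypothetical.

function Get-FilesCreatedBetween {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][datetime]$Start,  # inclusive
        [Parameter(Mandatory = $true)][datetime]$End     # exclusive
    )
    # Compare DateTime values. CreationTime.ToString() follows the session's
    # regional settings, so a "^2010-06-2" regex can silently match nothing.
    Get-ChildItem -Path $Path -Force -Recurse -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.CreationTime -ge $Start -and $_.CreationTime -lt $End
        }
    # Unreadable directories would otherwise leave a hole in the result unnoticed.
    if ($scanErrors) {
        Write-Warning ('{0} path(s) could not be read' -f $scanErrors.Count)
    }
}

function ConvertTo-ListingLine {
    param([Parameter(ValueFromPipeline = $true)]$File)
    process {
        # One string per file: timestamp, size, full path.
        '{0:yyyy-MM-dd HH:mm}  {1,15:N0}  {2}' -f $File.CreationTime, $File.Length, $File.FullName
    }
}

function Get-TopFolderTotals {
    param([string]$Root, [object[]]$Files)
    $prefix = $Root.TrimEnd('\') + '\'
    $Files |
        Group-Object { $_.FullName.Substring($prefix.Length).Split('\')[0] } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Folder = $_.Name
                Files  = $_.Count
                GB     = [math]::Round(($_.Group | Measure-Object -Property Length -Sum).Sum / 1GB, 2)
            }
        } | Sort-Object GB -Descending
}

function Get-DuplicateSet {
    param([object[]]$Files)
    # Identical files must have identical sizes, so hash only size collisions.
    $Files | Where-Object { $_.Length -gt 0 } |
        Group-Object Length | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group } |
        ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } |
        Group-Object Hash | Where-Object { $_.Count -gt 1 }
}

$root  = 'K:\Groups'
$files = @(Get-FilesCreatedBetween -Path $root -Start '2010-06-23' -End '2010-06-27')

# Set-Content writes each string as one line, so nothing is cut at the console
# width; -Encoding ASCII replaces non-ASCII characters in names with '?'.
$files | Sort-Object Length -Descending | ConvertTo-ListingLine |
    Set-Content -Path out.txt -Encoding ASCII

# Where the data created in the window landed, by top-level folder.
Get-TopFolderTotals -Root $root -Files $files | Format-Table Folder, Files, GB -AutoSize

# Sets of files with the same SHA-256 hash.
Get-DuplicateSet -Files $files | ForEach-Object {
    '{0}  ({1} copies)' -f $_.Name, $_.Count
    $_.Group | ForEach-Object { '    ' + $_.Path }
}
```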

Re: Finding a huge file dump from June...

2010-08-03 Thread Kurt Buff
Nuts.

This works, except for two things:

PS K:\Groups> get-childitem k:\groups -force -recurse |?
{$_.CreationTime.ToString() -match "^2010-06-2[3-6]" } | format-table
creationtime,length,fullname -auto | out-file out.txt

1) The output from the above is truncated - I'm only seeing 150
characters (the width I have the screen at), and many of the files are
deeper than that.

2) Output is in Unicode, not ASCII - this is more annoyance than
critical, but it would be nice to know how to get ASCII.



On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString() -match 
> "^2010-06-2[0-9]" } | format-table creationtime,length,fullname -auto
>
> Or select-string.
>
> No need to drop to findstr.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:07 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> I tested this against a small directory, and am now running this:
>
> PS K:\> get-childitem k:\groups -force -recurse | format-table 
> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 | findstr /v 
> ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>
> Your hint with 'fullname' was the last piece of the puzzle.
>
> I really need to start reading my powershell books - putting them underneath 
> my pillow just isn't cutting it...
>
> Need. More. Time.
>
> Kurt
>
> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>> PowerShell... and here's one of my favorite one-liners to find big files:
>>
>> dir c:\temp -force -recurse | sort length -desc | format-table
>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>
>> You can sort the results replacing the length by any of the properties
>> after format-table
>>
>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>> All,
>>>
>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>> Over the course of 4 days recently it went from about 30% free to
>>> about 13% free - someone slammed around 200gb onto the file server.
>>>
>>> I have a general idea of where it might be - there are two top-level
>>> directories that are over 200gb each.
>>>
>>> However, windirstat hasn't been completely helpful, as I can't seem
>>> to isolate which files were loaded during those days, and none of the
>>> files that I've been looking at were huge - no ISO or VHD files worth
>>> mentioning, etc..
>>>
>>> I also am pretty confident that there are a *bunch* of duplicate
>>> files on those directories.
>>>
>>> So, I'm looking for a couple of things:
>>>
>>> 1) A way to get a directory listing that supports a time/date stamp
>>> (my choice of atime, mtime or ctime) size and a complete path name
>>> for each file/directory on a single line - something like:
>>>
>>>     2009-01-08  16:12   854,509
>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>
>>> I've tried every trick I can think of for the 'dir' command and it
>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't
>>> seem to want to do this either. Is there a powershell one-liner that
>>> can do this for me perhaps?
>>>
>>> 2) A recommendation for a duplicate file finder - cheap or free would
>>> be preferred.
>>>
>>> Kurt



RE: WMI information gathering

2010-08-03 Thread Free, Bob
That shouldn't even be on the table. You really want to have your domain
admins and server admins thoroughly separated. 

Not to say a person couldn't be both but you don't want every server
admin being a domain admin and often, vice versa.

Having to give up admin on all your servers is one thing, having to give
it up on the entire domain is completely another.

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Tuesday, August 03, 2010 11:49 AM
To: NT System Admin Issues
Subject: Re: WMI information gathering

Exactly!  Which is why we're trying to figure out if we can comply, by
letting them get whatever info they need, without giving them the keys
to our domain...

>>> James Rankin  8/3/2010 11:38 AM >>>
Domain Admin access not a big deal? Morons. I wouldn't let any third parties
near a Domain Admin account.

On 3 August 2010 19:15, Joseph Heaton  wrote:

> 1.  Yes, we are required to do this.  It's supposed to be for information
> gathering only, but we're trying to cover our backsides, in case they mess
> something up.
> Yes, we can gain benefit, in that we can use this to get WMI access for
> our Orion product.
> 2.  Documentation is a difficult thing.  The wording of their message is
> such that they feel it's not a big deal for us to just give them a domain
> admin account to play with.
>
> >>> Steven Peck  8/3/2010 10:49 AM >>>
> To be honest the real questions are;
> 1.  Are you required to do this?  (Usually yes)
>  - if yes, can you gain benefit? (Usually you can)
> 2.  Do they have documentation on least privilege necessary for their
> tools to run?
>
>
>
> On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> > My experience with WMI and CMDB or security scanner products tells me
> > you are out of luck, at some point, the information they require is
> > situated such that they require admin privs just to be able to read it.
> >
> > -Original Message-
> > From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
> > Sent: Tuesday, August 03, 2010 10:18 AM
> > To: NT System Admin Issues
> > Subject: Re: WMI information gathering
> >
> > Anyone have any idea on this one?
> >
> > >>> Joseph Heaton  8/2/2010 3:42 PM >>>
> > We have a group that wants to come in, and "scan our servers" to gather
> > information.  We want to cooperate with this effort, but we don't want
> > to give them access to be able to write back to the servers.  Is this
> > possible?  Is there a tool that can be used without an admin account, in
> > order to gather information from within WMI?  Please contact offline for
> > further details, if needed.  As always, I sincerely appreciate any
> > assistance any of you may be able to provide.
> >
> > Thanks,
> >
> > Joe


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."




RE: WMI information gathering

2010-08-03 Thread Free, Bob
2- Never IME, it is a big fight. And they still end up wanting administrator 
level privs because they can only go so far with delegation via WMI and DCOM. 
BTDTGTTS

Not little guys either, products from HP,IBM,BMC etc. Usually have big time 
backing from mgmt.

Never gave them access to DCs but they did get access to a lot of app servers

-Original Message-
From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Tuesday, August 03, 2010 10:49 AM
To: NT System Admin Issues
Subject: Re: WMI information gathering

To be honest the real questions are;
1.  Are you required to do this?  (Usually yes)
  - if yes, can you gain benefit? (Usually you can)
2.  Do they have documentation on least privilege necessary for their
tools to run?



On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> My experience with WMI and CMDB or security scanner products tells me
> you are out of luck, at some point, the information they require is
> situated such that they require admin privs just to be able to read it.
>
> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Tuesday, August 03, 2010 10:18 AM
> To: NT System Admin Issues
> Subject: Re: WMI information gathering
>
> Anyone have any idea on this one?
>
> >>> Joseph Heaton  8/2/2010 3:42 PM >>>
> We have a group that wants to come in, and "scan our servers" to gather
> information.  We want to cooperate with this effort, but we don't want
> to give them access to be able to write back to the servers.  Is this
> possible?  Is there a tool that can be used without an admin account, in
> order to gather information from within WMI?  Please contact offline for
> further details, if needed.  As always, I sincerely appreciate any
> assistance any of you may be able to provide.
>
> Thanks,
>
> Joe



Re: Guilty, will change after reading this.

2010-08-03 Thread Jon Harris
Yeah APC goes above a lot of the time if it is something real strange.  Like
a battery that explodes inside the unit after a lightning hit.  They seem
to really care about how their products do in the strange and unusual.

Jon

On Tue, Aug 3, 2010 at 1:49 PM,  wrote:

>
> No...  I was the one who had to console the poor student (giving the melted
> mass time to cool down) and then contact APC.
>
> You'd not believe it, but APC actually wanted to look at the unit to see
> why the breaker did not trip.  They actually replaced it with a new one!
>
> Joseph Heaton  wrote on 08/03/2010 12:17:37 PM:
>
>
> > Personal mishap, Richard?
> >
> > >>>  8/3/2010 10:06 AM >>>
> > Don't plug space heaters into them, either!
> >
> > David Lum  wrote on 08/03/2010 12:01:04 PM:
> >
> > > - do not plug surge protectors into a UPS. If the UPS runs on
> > > batteries it will usually generate a step sine wave which may
> > > destroy surge protectors (in particular tricky to find power strips
> > > without surge protector)
> > >
> > > http://isc.sans.edu/diary.html?storyid=9319
> > >
> > > David Lum // SYSTEMS ENGINEER
> > > NORTHWEST EVALUATION ASSOCIATION
> > > (Desk) 971.222.1025 // (Cell) 503.267.9764
> > >

RE: UGH (Tivoli TSM clients)

2010-08-03 Thread Michael B. Smith
What is wrong with "reg delete " ??

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, August 03, 2010 5:42 PM
To: NT System Admin Issues
Subject: UGH (Tivoli TSM clients)

So, I need to reinstall the Tivoli TSM client on dozens of machines. For the 
reinstall to work I need to kill one registry key since the uninstaller doesn't 
nuke it: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TSM_SCHEDULER_MACHINENAME

To delete this key I need to change permissions on it which apparently requires 
installing SUBINACL, sound right?

I need to do this for about 70 systems and wonder if there's another way to do 
this, as a script is going to require me to use a variable for the 
%machinename% part of the reg key name which adds more complexity.

Ideally a .CMD file that nukes : 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TSM_SCHEDULER* 
would be the easiest for me.

Anyone? Bueller? Bueller?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764







RE: malware that creates Outlook rules

2010-08-03 Thread Webster
I didn't know we were having a contest!


Webster

> -Original Message-
> From: David Lum [mailto:david@nwea.org]
> Subject: RE: malware that creates Outlook rules
> 
> Take that paragraph out of contest...




RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
That's awesome. I look forward to playing with it.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, August 03, 2010 3:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment in to l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have powershell cmdlets that work over the web for administrator so there 
should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System(SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let google handle voice mail, email and anything else they want to give 
> to the students.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost too.  Zero and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all that other support headaches for 
> me.  Great big plus.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, that sounds nice except we have 2000 students with an average of 500 
> new ones every year so our major issue isn't repeat offenders.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 2:51 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> W

RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
Good to know. Is it possible to host additional mailboxes locally just for 
voicemail/faxes and leave the actual mail in the cloud?  Not really UM per se, 
but it would allow us to get off of our 3rd party voicemail server and 
auto-attendant and use Exchange's considerably cheaper versions.

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, August 03, 2010 2:38 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Currently UM in that scenario isn't possible. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, August 02, 2010 4:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the users password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 25

RE: malware that creates Outlook rules

2010-08-03 Thread Michael B. Smith
The poster of one of the questions I answered today - I can't remember where - 
emailed me and said "huh? That wasn't clear". So I rewrote my answer using 
lots more words. 

I generally answer questions with short-cut responses, as Brian did, assuming 
that the OP has most of the knowledge to get to the right answer.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 03, 2010 6:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Take that paragraph out of contest and it scarcely looks like English...

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, August 03, 2010 1:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment in to l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132






RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
Outbound anti-spam:
I've been asking sunbelt to add this to Ninja for years. Still waiting on it, 
and I'm not sure why. In any case, I moved off Ninja and Vipre to Forefront so 
I'll let someone else continue the wait :).  Exchange now has outbound message 
throttling so you can set limits like x number of emails per minute. I'm hoping 
to dig into it and see if I can add a trigger to let me know when a user hits 
more than 5 or so emails per minute.

Blacklist removal - These links are the major ones we need:
Comcast
http://www.comcastsupport.com/rbl

ATT
http://wn.att.net/cgi-bin/block_admin.cgi

Microsoft
https://postmaster.live.com/snds/data.aspx
https://support.msn.com/eform.aspx?productKey=edfsmsbl&ct=eformts

Barracuda
http://www.barracudacentral.org/lookups/ip-reputation
http://www.barracudacentral.org/rbl/removal-request

Symantec
http://ipremoval.sms.symantec.com/lookup

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
Sent: Tuesday, August 03, 2010 12:16 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Actually this was happening all weekend.  I was chasing my tail so hard I 
didn't think to e-mail this list until Monday.  Lesson learned.

Just to wrap up: thanks to Glen, Scott, Thomas, and anyone else who suggested 
the spam was coming from OWA via phished accounts.  I looked at the IIS logs on 
the OWA server and found entries like this:
... GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith x.x.x.x 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3)...

Which I suppose shows new e-mails being created in the Drafts folder.  Any 
advice regarding interpreting these logs would be welcome.

After changing the affected users' passwords I think we are in the clear.  
Exchange queues are quiet since yesterday.

We publish OWA via ISA Server, so the OWA logs only the address of the ISA 
Server.  We checked our firewall logs and found quite a bit of traffic to OWA 
from Nigeria & India.  We're in Tennessee, so we are able to block those 
addresses as we won't have any legitimate traffic from them.

Based on the agent string above, I told URLScan to block Crazy Browser 
(http://www.crazybrowser.com/).  I wonder how many other browsers there are 
I've never even heard of.

Now I need to consider some kind of outbound anti-spam, figure out some 
scripting to notify me if the queues get out of hand, and get off all the 
blacklists I'm on.

--

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Monday, August 02, 2010 2:50 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules


We're a Lotus Notes shop using Postini as a relay, if it makes any 
difference... 

We had one desktop system here, and a few in NYC, where spam was being spewed 
out.  This actually had nothing at all to do with Domino/Lotus but rather a 
rogue SMTP server which got snuck onto some workstations. 

We were able to track this down by monitoring SMTP traffic through our 
firewall.  All SMTP traffic was to be coming from only one IP at each 
location, and it was all supposed to be directed to our Postini host. 

At least yours does not seem to be happening on a weekend...
-- 
Richard D. McClary 
Systems Administrator, Information Technology Group 
ASPCA® 
1717 S. Philo Rd, Ste 36 
Urbana, IL  61802 
  
richardmccl...@aspca.org 
  
P: 217-337-9761 
C: 217-417-1182 
F: 217-337-9761 
www.aspca.org 
  
The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is 
intended only for use by the addressee(s) named herein and may contain legally 
privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof. 
  

"Osborne, Richard"  wrote on 08/02/2010 02:40:09 PM:

> I have been monitoring the Exchange queues.  It's the only way I can
> tell when it is happening.  I found the aqadmcli.exe utility and 
> have been using it to clean the queues (aqadmcli "delmsg 
> flags=SENDER,sender=bob.sm...@wth.org").
> 
> I'll check the OWA logs ASAP.
> 
> Assuming I have had three users reply to phishing e-mails, is there 
> anything to fix besides changing their passwords?
> 
> Thanks everyone for the suggestions.
> 
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> Also check those exchange smtp queues.
> If it is compromised accounts the spammers can send
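
An added example, not code from any poster in this thread: one way to read the OWA IIS log entries discussed above, counting `Cmd=new` requests against a Drafts folder per user per minute and reporting anyone over the "5 or so emails per minute" mark mentioned in the outbound anti-spam note. The function names, the sample lines and the 192.0.2.10 address are constructed for illustration; the field order follows the log line quoted in the thread.

```powershell
function ConvertFrom-IisW3cLog {
    # Turns W3C extended log lines into objects, taking column names from '#Fields:'.
    param([Parameter(Mandatory)] [AllowEmptyString()] [string[]]$Line)
    $fields = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($l -match '^\s*(#|$)' -or $fields.Count -eq 0) { continue }
        $values = @($l.Trim() -split ' ')
        if ($values.Count -ne $fields.Count) { continue }   # malformed or truncated line
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

function Find-OwaComposeBurst {
    # Reports every user/minute pair with more than $MaxPerMinute new-message requests.
    param(
        [Parameter(Mandatory)] [object[]]$Entry,
        [int]$MaxPerMinute = 5
    )
    $buckets = @{}
    foreach ($e in $Entry) {
        if ($e.'cs-username' -eq '-') { continue }                        # unauthenticated request
        if ($e.'cs-uri-stem' -notlike '/exchange/*/Drafts/*') { continue }
        if ($e.'cs-uri-query' -notmatch '(^|&)Cmd=new(&|$)') { continue }
        # IIS writes date and time in UTC by default; HH:mm is the bucket.
        $key = '{0}|{1} {2}' -f $e.'cs-username', $e.date, $e.time.Substring(0, 5)
        if (-not $buckets.ContainsKey($key)) {
            $buckets[$key] = New-Object 'System.Collections.Generic.List[object]'
        }
        $buckets[$key].Add($e)
    }
    foreach ($key in ($buckets.Keys | Sort-Object)) {
        $hits = $buckets[$key]
        if ($hits.Count -le $MaxPerMinute) { continue }
        $user, $minute = $key -split '\|', 2
        [pscustomobject]@{
            User       = $user
            Minute     = $minute
            Composes   = $hits.Count
            # Behind ISA Server the c-ip column only shows the ISA address (as noted in
            # the thread), so the real source has to come from the firewall/ISA logs.
            ClientIPs  = @($hits | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique)
            UserAgents = @($hits | ForEach-Object { $_.'cs(User-Agent)' -replace '\+', ' ' } |
                           Sort-Object -Unique)
        }
    }
}

# Constructed sample data: seven compose requests by one account inside one minute,
# plus ordinary traffic from a second account.
$crazy = 'Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3)'
$msie  = 'Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)'
$sample  = @('#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status')
$sample += 0..6 | ForEach-Object {
    '2010-08-02 14:01:{0:d2} GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 192.0.2.10 {1} 200' -f ($_ * 5), $crazy
}
$sample += '2010-08-02 14:01:40 GET /exchange/jane.doe/Inbox/ Cmd=contents 443 jdoe 192.0.2.10 ' + $msie + ' 200'
$sample += '2010-08-02 14:02:10 GET /exchange/jane.doe/Drafts/ Cmd=new 443 jdoe 192.0.2.10 ' + $msie + ' 200'

$entries = @(ConvertFrom-IisW3cLog -Line $sample)
Find-OwaComposeBurst -Entry $entries -MaxPerMinute 5 | Format-List

# Real use: ConvertFrom-IisW3cLog -Line (Get-Content <path to the OWA site's IIS log>)
```

Run on a schedule against the current day's log, any output object is the signal to check the SMTP queues and reset that account's password.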

Re: Finding a huge file dump from June...

2010-08-03 Thread Steven Peck
I should have *BOLDED* 'edge case'.  :)
For day to day use, I certainly wouldn't do it.

On Tue, Aug 3, 2010 at 2:27 PM, Michael B. Smith wrote:
> I'm not going to suggest that this doesn't work - because it does. At
> least where-ever I've tried to use it.
>
> However, be aware that it is NOT SUPPORTED. Microsoft does not support
> using versions of the .Net framework later than v2.0 with either PS v1 or PS
> v2. It is not (and was not) part of the qualification criteria (i.e., QA
> testing) for those releases. This has not changed in the betas for Server
> 2008 R2 sp1 or Windows 7 sp1, and I don't expect it to for the final
> releases of those service packs (although I am not an insider - so that's
> just a guess on my part).
>
> Note: this is a fine-line drawn in the sand. The .Net framework for 2.0,
> 3.0, and 3.5 are all based on 2.0 (and if you install 3.5, it also installs
> 2.0 sp2 or whatever). But 4.0 is a "break" from that and is a new base
> release of .Net.
>
> Joel Bennett is a PowerShell MVP (as is Thomas
> Lee).
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> -Original Message-
> From: Steven Peck [mailto:sep...@gmail.com]
> Sent: Tuesday, August 03, 2010 4:21 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> Here is an advanced look...
>
> For the edge case blogging guys on dotNet4:
> http://tfl09.blogspot.com/2010/08/using-newer-versions-of-net-with.html
> http://tfl09.blogspot.com/2010/08/more-on-using-different-versions-of-net.html
> http://tfl09.blogspot.com/2010/08/using-later-versions-of-net-framework.html
>
> Here is the Yahoo Pipes feed I use which is maintained by Joel Bennett
> http://pipes.yahoo.com/pipes/pipe.info?_id=uAmYy9xq3BGHcV361fC6Jw
>
> Steven Peck
> http://www.blkmtn.org
>
> On Tue, Aug 3, 2010 at 12:39 PM, Michael B. Smith wrote:
>> It is truly unfortunate, but that is actually a .NET framework
>> limitation.
>>
>> .Net 4, plus a patch, supports "arbitrary length" pathnames (i.e., up
>> to the NTFS limits), so I expect "some future version" of PS will too.
>> I'm not promising anything, just hoping. :-)
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, August 03, 2010 3:30 PM
>> To: NT System Admin Issues
>> Subject: Re: Finding a huge file dump from June...
>>
>> You Rock.
>>
>> Awesome.
>>
>> BTW: I'm running into lots of these errors:
>>
>> Get-ChildItem : The specified path, file name, or both are too long.
>> The fully qualified file name must be less than 260 characters, and the
>> directory name must be less than 248 characters.
>>
>> I keep yelling at people to shorten their file names, but do they listen?
>>
>> Any way to work around this in powershell?
>>
>> Kurt
>>
>> On Tue, Aug 3, 2010 at 12:22, Michael B. Smith wrote:
>>> get-childitem k:\groups -force -recurse |?
>>> {$_.CreationTime.ToString() -match "^2010-06-2[0-9]" } | format-table
>>> creationtime,length,fullname -auto
>>>
>>> Or select-string.
>>>
>>> No need to drop to findstr.
>>>
>>> Regards,
>>>
>>> Michael B. Smith
>>> Consultant and Exchange MVP
>>> http://TheEssentialExchange.com
>>>
>>>
>>> -Original Message-
>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> Sent: Tuesday, August 03, 2010 3:07 PM
>>> To: NT System Admin Issues
>>> Subject: Re: Finding a huge file dump from June...
>>>
>>> I tested this against a small directory, and am now running this:
>>>
>>> PS K:\> get-childitem k:\groups -force -recurse | format-table
>>> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
>>> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 |
>>> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
>>> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>>>
>>> Your hint with 'fullname' was the last piece of the puzzle.
>>>
>>> I really need to start reading my powershell books - putting them
>>> underneath my pillow just isn't cutting it...
>>>
>>> Need. More. Time.
>>>
>>> Kurt
>>>
>>> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida wrote:
>>>> PowerShell... and here's one of my favorites one-liners to find big
>>>> files:
>>>>
>>>> dir c:\temp -force -recurse | sort length -desc | format-table
>>>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>>>
>>>> You can sort the results replacing the length by any of the
>>>> properties after format-table
>>>>
>>>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff wrote:
>>>>> All,
>>>>>
>>>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>>>> Over the course of 4 days recently it went from about 30% free to
>>>>> about 13% free - someone slammed around 200gb onto the file server.
>>>>>
>>>>> I have a general idea of where it might be - there are two
>>>>> top-level directories that are over 200gb each.
>>>>>
>>>>> However, windirstat hasn't been completely helpful,
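
An added example, not code from any poster in this thread: the same hunt done by comparing `CreationTime` as a date value (the string form that the regex and `findstr` versions match on follows the machine's regional date format) and totalling bytes per top-level folder, while counting the paths the scan could not read instead of stopping on them. The function name `Get-CreatedFileSummary`, the demo tree and its file names are constructed; the 24 to 26 June window is what the `findstr` chain above leaves after its exclusions.

```powershell
function Get-CreatedFileSummary {
    # Sums the size of files created in [From, To) under Path, grouped by the
    # first $Depth folder levels below Path.
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [datetime]$From,   # inclusive
        [Parameter(Mandatory)] [datetime]$To,     # exclusive
        [int]$Depth = 1
    )
    $rootDir    = Get-Item -LiteralPath $Path -Force
    $prefix     = $rootDir.FullName.TrimEnd('\', '/')
    $scanErrors = @()
    $totals     = @{}

    Get-ChildItem -LiteralPath $rootDir.FullName -Force -Recurse `
                  -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
        Where-Object { -not $_.PSIsContainer -and
                       $_.CreationTime -ge $From -and $_.CreationTime -lt $To } |
        ForEach-Object {
            $file = $_
            # Folder names between the scan root and the file, outermost first.
            $dirs = @($file.DirectoryName.Substring($prefix.Length) -split '[\\/]' |
                      Where-Object { $_ })
            $take = [Math]::Min($Depth, $dirs.Count)
            $key  = if ($take -gt 0) { $dirs[0..($take - 1)] -join '\' } else { '.' }
            if (-not $totals.ContainsKey($key)) {
                $totals[$key] = @{ Files = 0; Bytes = [long]0 }
            }
            $bucket = $totals[$key]
            $bucket.Files += 1
            $bucket.Bytes += $file.Length
        }

    if ($scanErrors.Count -gt 0) {
        # Covers the "path ... too long" error quoted in the thread as well as access denied.
        Write-Warning ('{0} path(s) could not be read; the totals are a lower bound.' -f $scanErrors.Count)
    }

    $totals.GetEnumerator() |
        ForEach-Object {
            [pscustomobject]@{
                Folder = $_.Key
                Files  = $_.Value.Files
                Bytes  = $_.Value.Bytes
                MB     = [Math]::Round($_.Value.Bytes / 1MB, 2)
            }
        } |
        Sort-Object Bytes -Descending
}

# Constructed demo tree: two files created inside the window, one outside it.
$demo   = Join-Path ([IO.Path]::GetTempPath()) ('dumpdemo-' + [guid]::NewGuid())
$layout = @{
    'eng\cad\big.bin' = '2010-06-25'
    'eng\old.bin'     = '2010-03-01'
    'sales\deck.bin'  = '2010-06-24'
}
foreach ($rel in $layout.Keys) {
    $file = Join-Path $demo $rel
    New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null
    Set-Content -LiteralPath $file -Value ('x' * 2048)
    (Get-Item -LiteralPath $file).CreationTime = [datetime]($layout[$rel])
}

Get-CreatedFileSummary -Path $demo -From '2010-06-24' -To '2010-06-27' -Depth 1 |
    Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Raising `-Depth` narrows the result from the top-level share folders down to the subfolder that received the files.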

Re: Guilty, will change after reading this.

2010-08-03 Thread Ben Scott
On Tue, Aug 3, 2010 at 5:53 PM, Raper, Jonathan - Eagle
 wrote:
> 3. During an ACTUAL strike on the structure, the ambient step potential is
> several gazillion volts per foot for dozens of yards. Grounding does not
> mitigate this fact. Unplugging does not mitigate this fact.

  This.

  We had lightning hit our building once.  It fried NICs and hubs all
over the place, including in stuff that was switched off.  It fried
one serial port in one PC (but not the other serial port in the same
PC).  It caused an electrical outlet with nothing plugged into it to
explode out of the wall into little bitty pieces.  It fried one phase
in a transformer, leaving the other two phases working.  It killed AC
compressors in the basement.

  I've also been told by our ISP about an incident where lightning
apparently found a fiber cable was the best path to ground, and fried
the equipment at one end.  "But it's not a conductor."  Lightning jumps
open air. We're talking millions of volts.  At that kind of potential,
*everything* is a conductor.

  Lightning can do whatever the hell it wants to.  All bets are off.

-- Ben



RE: malware that creates Outlook rules

2010-08-03 Thread David Lum
Take that paragraph out of contest and it scarcely looks like English...

-Original Message-
From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, August 03, 2010 1:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yep it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment in to l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132






Re: Guilty, will change after reading this.

2010-08-03 Thread Ben Scott
On Tue, Aug 3, 2010 at 1:35 PM, Kurt Buff  wrote:
> I don't know if MOVs are still used in surge protectors, or if they're
> sensitive to them, but it's plausible to me that this might be true...

  Putting cheap MOVs on L-G and N-G is still the most common way to
make a TVSS.  Especially the cheap ones.  Some of them don't even put
anything on N-G.

  At the other end of the spectrum, I've seen stuff with multiple
MOVs, diodes, chokes, filters, and who-knows-what-else.

-- Ben



Re: Guilty, will change after reading this.

2010-08-03 Thread Ben Scott
On Tue, Aug 3, 2010 at 1:31 PM, Maglinger, Paul  wrote:
> Interesting, but isn’t A/C power typically a sine wave?

  Cheaper UPSes use a square or stepped wave as an "approximation".
For many types of equipment (in particular, the switching power
supplies used in most IT gear), that works just fine.  (I've been told
you can run many PC power supplies off a *DC* input at the right
voltage.)

  More expensive UPSes output a "pure" sine wave.  Some equipment
really wants that.  In particular, AC motors.

> 60Hz is the norm, is it not?

  In North America.  In Europe and some other parts of the world, 50
Hz is the standard.

> Surge strips are
> typically no more than some metal oxide varistors placed across hot, neutral
> and ground.  Some put toroidal coils for noise reduction, but I don’t know
> of anything in any of them that would damage the UPS or the surge strip.

  Cheap components.  I've seen cheap TVSSes burn up spontaneously, let
alone with a UPS.  I wouldn't put any kind of failure mode past some
of the no-name crap you see these days.

-- Ben




RE: Guilty, will change after reading this.

2010-08-03 Thread Raper, Jonathan - Eagle
This is possibly the most plausible explanation I've found about plugging a 
power strip into a UPS. I know that Metal Oxide Varistors are by design a 
sacrificial device. Their sole purpose in life is to protect the component or 
device that lies beyond them. Every time they do their job, even though they 
may not be destroyed completely, they do weaken over time. Kind of like bending 
a coat hanger back and forth. Bend it once, it just loses a little bit of 
shape, but it is still useable. Bend it a few times, and you'll notice it start 
to weaken. Bend it back and forth rapidly and you'll experience it get hot and 
break down right before your very eyes:



"What you shouldn't do is plug a surge protector into an UPS. I've never seen a 
great explanation as to why, but what I have read is that the dirty output of 
the UPS operating on battery will look like many small surges to the surge 
protector. This in turn will cause the surge protector to shunt power to the 
ground wire, quickly draining the UPS's battery and destroying the surge 
protector (most surge protectors are the MOV type, which are degraded every 
time they activate)."



From http://www.hometheaterforum.com/forum/thread/213390/ups-plugged-into-a-surge-protector-bad



And a comment posted to the article that started all of this. Based on what I 
know about electricity (my father is an EE and I've taken a number of courses on 
the subject as well), this guy knows exactly what he is talking about:





Great post, but there's a bit of myth floating around, here - there's a HUGE 
difference between a strike hitting a structure, and the strike hitting a 
tree/pole that's 40 feet from a structure.



First up, the "surge" from a true strike is ambient. Our old shop had a 100 
foot tower attached to the building. It got struck twice, and I was charged 
with making us survive it. These are the realities:

1. Creating deliberate strike points, and CORRECT grounding of the strike 
points is key, lest you burn down your building. Having it grounded is not 
enough; run the cable wrong, and the cable will start a fire (or several fires) 
inside the walls and attic spaces.

2. When you see plasma flowing along the grids of your drop ceiling, you'll 
realize that the touting of surge protectors and "ground everything and it'll 
be fine" is a cute concept.

3. During an ACTUAL strike on the structure, the ambient step potential is 
several gazillion volts per foot for dozens of yards. Grounding does not 
mitigate this fact. Unplugging does not mitigate this fact.


4. Your hardware devices will live or die based on their shielding and 
orientation to the strikepoint/ground path, since every conductor in them is a 
low resistance path along that step potential. If there happens to be a little 
silicon in the way, well, there won't be when it's over. Note that we're 
talking KV per inch within a dozen yards of the strike point OR its grounding 
cable. Your UPS is not even relevant at this point; the grounding path is a 
huge inductor; every uncaged conductive sub-path in the area will have some 
amount of current induced, including inside the chip-level.

5. You will lose things like spare mice and keyboards that are not even plugged 
in, depending on orientation. And, you'll notice that the survival/loss is 
consistent with that orientation. :)

6. A faraday cage can work wonders, but only if it is done correctly. Many PCs 
with a cheap metal case will actually survive in some part, possibly enough to 
cannibalize. Plastic cased PCs will probably need to be removed from production 
unless the mainboard was exactly flat along the gradient; if they don't fail 
outright, they typically will before the month is over. Since most rack mounted 
devices have metal enclosures, the servers etc typically are ok regardless of 
the rack type, but connectivity may be lost depending on luck, cable shielding, 
etc. Fully enclosed (metallic all four sides) racks will generally fare 
slightly better as far as connectivity. Racks with plastic (or no) doors will 
typically lose NICs, switches, etc in bulk. As with any production, you already 
keep a stack of old NICs handy - so if lightning is likely, just keep them in a 
faraday cage of some type (metal storage box or foil wrap).



For hubs, routers and switches... plastic case = dead device, doesn't matter 
how you ground/surge-protect it or the Cat5/6.



So, revision of your quick summary:

Surge protectors work fair for NEARBY strikes; they become mostly useless as 
the strike becomes a direct hit. Mitigation of a direct hit requires a 
different type of engineering (shielding, etc), since you're dealing with a 
huge ambient EMF gradient, and induced current, neither of which cares about 
grounding.



posted by Steven, Tue Aug 03 2010, 18:02

Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com

-Original Message

RE: UGH (Tivoli TSM clients)

2010-08-03 Thread Brian Desmond
Can you run the script under the context of LocalSystem and just delete the reg 
key that way?

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, August 03, 2010 4:42 PM
To: NT System Admin Issues
Subject: UGH (Tivoli TSM clients)

So, I need to reinstall the Tivoli TSM client on dozens of machines. For the 
reinstall to work I need to kill one registry key since the uninstaller doesn't 
nuke it: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TSM_SCHEDULER_MACHINENAME

To delete this key I need to change permissions on it which apparently requires 
installing SUBINACL, sound right?

I need to do this for about 70 systems and wonder if there's another way to do 
this, as a script is going to require me to use a variable for the 
%machinename% part of the reg key name which adds more complexity.

Ideally a .CMD file that nukes : 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TSM_SCHEDULER* 
would be the easiest for me.

Anyone? Bueller? Bueller?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764






~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~
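
One way to act on the LocalSystem suggestion above, as an added example that is not part of the original thread: a PowerShell script that removes every `LEGACY_TSM_SCHEDULER*` key directly under `Enum\Root`, so no per-machine variable is needed. It assumes it is started as LocalSystem (for example as a Group Policy computer startup script); the `-Commit` switch and the log path are hypothetical names chosen for this example.

```powershell
# Added example, not from the thread. Removes the leftover TSM scheduler
# device keys so the client reinstall can proceed.
#
# Assumption: the script runs as LocalSystem (for example as a Group Policy
# computer startup script, which runs in that context), so no ACL change and
# no SUBINACL are needed. Without -Commit it only reports what it would delete.
param(
    [switch]$Commit,
    [string]$LogPath = "$env:SystemRoot\Temp\Remove-TsmLegacyKey.log"   # hypothetical log location
)

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$pattern  = 'LEGACY_TSM_SCHEDULER*'   # wildcard covers the per-machine suffix

function Write-Log([string]$Message) {
    # One line per event, prefixed with timestamp and machine name so the
    # logs from ~70 machines can be merged and searched later.
    $line = '{0} {1} {2}' -f (Get-Date -Format s), $env:COMPUTERNAME, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# Warn early when the security context is not the one the approach relies on.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsSystem) {
    Write-Log "WARNING: running as $($identity.Name), not LocalSystem; deletion will probably be denied."
}

# Match on the key name only, and only directly under Enum\Root, so nothing
# else in the device tree can be caught by the wildcard.
$targets = @(Get-ChildItem -Path $enumRoot -ErrorAction Stop |
    Where-Object { $_.PSChildName -like $pattern })

if ($targets.Count -eq 0) {
    Write-Log "No key matching $pattern under $enumRoot; nothing to do."
    exit 0
}

$failed = 0
foreach ($key in $targets) {
    if (-not $Commit) {
        Write-Log "DRY RUN: would delete $($key.Name)"
        continue
    }
    try {
        Remove-Item -Path $key.PSPath -Recurse -Force -ErrorAction Stop
        Write-Log "Deleted $($key.Name)"
    }
    catch {
        $failed++
        Write-Log "FAILED to delete $($key.Name): $($_.Exception.Message)"
    }
}

# Non-zero exit code = number of keys that could not be removed.
exit $failed
```

Run it once without `-Commit` on a test machine and check the log before rolling it out with `-Commit`.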

Re: Guilty, will change after reading this.

2010-08-03 Thread Ben Scott
On Tue, Aug 3, 2010 at 1:01 PM, David Lum  wrote:
> - do not plug surge protectors into a UPS. If the UPS runs on batteries it
> will usually generate a step sine wave which may destroy surge protectors

  It can, in theory, be a problem, although I've never seen it happen.
 But it's easy enough to avoid even taking the chance.

  You can also run into issues daisy-chaining even power strips.

  Most TVSSes (Transient Voltage Surge Suppressors) work by shunting
excess energy into the equipment grounding line ("third prong").  What
happens if you have multiple devices shunting is generally not part of
the design assumption.  Again, best to avoid it.

  Note that most UPSes also include TVSS circuitry.

  I haven't had any trouble finding RPTs (Relocatable Power Taps, the
official term for a "power strip") with*out* TVSS circuitry.

-- Ben



UGH (Tivoli TSM clients)

2010-08-03 Thread David Lum
So, I need to reinstall the Tivoli TSM client on dozens of machines. For the 
reinstall to work I need to kill one registry key since the uninstaller doesn't 
nuke it: 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TSM_SCHEDULER_MACHINENAME

To delete this key I need to change permissions on it which apparently requires 
installing SUBINACL, sound right?

I need to do this for about 70 systems and wonder if there's another way to do 
this, as a script is going to require me to use a variable for the 
%machinename% part of the reg key name which adds more complexity.

Ideally a .CMD file that nukes : 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TSM_SCHEDULER* 
would be the easiest for me.

Anyone? Bueller? Bueller?
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



RE: Finding a huge file dump from June...

2010-08-03 Thread Michael B. Smith
I'm not going to suggest that this doesn't work - because it does. At least 
wherever I've tried to use it.

However, be aware that it is NOT SUPPORTED. Microsoft does not support using 
versions of the .Net framework later than v2.0 with either PS v1 or PS v2. It 
is not (and was not) part of the qualification criteria (i.e., QA testing) for 
those releases. This has not changed in the betas for Server 2008 R2 sp1 or 
Windows 7 sp1, and I don't expect it to for the final releases of those service 
packs (although I am not an insider - so that's just a guess on my part).

Note: this is a fine-line drawn in the sand. The .Net framework for 2.0, 3.0, 
and 3.5 are all based on 2.0 (and if you install 3.5, it also installs 2.0 sp2 
or whatever). But 4.0 is a "break" from that and is a new base release of .Net.

Joel Bennett  is a PowerShell MVP (as is Thomas Lee).

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-Original Message-
From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Tuesday, August 03, 2010 4:21 PM
To: NT System Admin Issues
Subject: Re: Finding a huge file dump from June...

Here is an advanced look...

For the edge case blogging guys on dotNet4:
http://tfl09.blogspot.com/2010/08/using-newer-versions-of-net-with.html
http://tfl09.blogspot.com/2010/08/more-on-using-different-versions-of-net.html
http://tfl09.blogspot.com/2010/08/using-later-versions-of-net-framework.html

Here is the Yahoo Pipes feed I use which is maintained by Joel Bennett 
http://pipes.yahoo.com/pipes/pipe.info?_id=uAmYy9xq3BGHcV361fC6Jw

Steven Peck
http://www.blkmtn.org

On Tue, Aug 3, 2010 at 12:39 PM, Michael B. Smith  wrote:
> It is truly unfortunate, but that is actually a .NET framework limitation.
>
> .Net 4, plus a patch, supports "arbitrary length" pathnames (i.e., up 
> to the NTFS limits), so I expect "some future version" of PS will too. 
> I'm not promising anything, just hoping. :-)
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:30 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> You Rock.
>
> Awesome.
>
> BTW: I'm running into lots of these errors:
>
> Get-ChildItem : The specified path, file name, or both are too long.
> The fully qualified file name must be less than 260 characters, and the 
> directory name must be less than 248 characters.
>
> I keep yelling at people to shorten their file names, but do they listen?
>
> Any way to work around this in powershell?
>
> Kurt
>
> On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
>> get-childitem k:\groups -force -recurse |? 
>> {$_.CreationTime.ToString() -match "^2010-06-2[0-9]" } | format-table 
>> creationtime,length,fullname -auto
>>
>> Or select-string.
>>
>> No need to drop to findstr.
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, August 03, 2010 3:07 PM
>> To: NT System Admin Issues
>> Subject: Re: Finding a huge file dump from June...
>>
>> I tested this against a small directory, and am now running this:
>>
>> PS K:\> get-childitem k:\groups -force -recurse | format-table 
>> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
>> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 | 
>> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
>> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>>
>> Your hint with 'fullname' was the last piece of the puzzle.
>>
>> I really need to start reading my powershell books - putting them underneath 
>> my pillow just isn't cutting it...
>>
>> Need. More. Time.
>>
>> Kurt
>>
>> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>>> PowerShell... and here's one of my favorite one-liners to find big files:
>>>
>>> dir c:\temp -force -recurse | sort length -desc | format-table 
>>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>>
>>> You can sort the results replacing the length by any of the 
>>> properties after format-table
>>>
>>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>>> All,
>>>>
>>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>>> Over the course of 4 days recently it went from about 30% free to 
>>>> about 13% free - someone slammed around 200gb onto the file server.
>>>>
>>>> I have a general idea of where it might be - there are two 
>>>> top-level directories that are over 200gb each.
>>>>
>>>> However, windirstat hasn't been completely helpful, as I can't seem 
>>>> to isolate which files were loaded during those days, and none of 
>>>> the files that I've been looking at were huge - no ISO or VHD files 
>>>> worth mentioning, etc..
>>>>
>>>> I also am pretty confident that there are a *bunch* of duplica
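
The search discussed in this thread, as an added example that is not part of any of the original posts: it compares `CreationTime` as a date value instead of matching its formatted string (which depends on regional settings), and it reports the folders that were skipped because of the 260-character path limit instead of silently losing them. The window of 24 to 26 June is what the quoted `findstr` chain leaves after its exclusions; the parameter names and the CSV file name are assumptions made for this example.

```powershell
# Added example, not from the thread. Lists files created inside a date
# window, largest first, and totals them per folder to show where the dump
# landed.
param(
    [string]$Root    = 'K:\Groups',
    [datetime]$From  = '2010-06-24',
    [datetime]$Until = '2010-06-27',                 # exclusive upper bound
    [string]$CsvPath = '.\created-in-window.csv'     # hypothetical output file
)

# Collect errors instead of letting them scroll by; -ErrorVariable takes the
# variable name without the dollar sign.
$scanErrors = @()
$files = @(Get-ChildItem -Path $Root -Force -Recurse `
        -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.CreationTime -ge $From -and
        $_.CreationTime -lt $Until
    })

# Full listing, in the shape asked for in the thread: timestamp, size, path.
$files | Sort-Object Length -Descending |
    Select-Object CreationTime, Length, FullName |
    Export-Csv -Path $CsvPath -NoTypeInformation

# Per-folder totals: a dump of many medium-sized files shows up here even
# when no single file is large.
$byFolder = $files | Group-Object DirectoryName | ForEach-Object {
    New-Object PSObject -Property @{
        Folder = $_.Name
        Files  = $_.Count
        SizeGB = [math]::Round((($_.Group | Measure-Object Length -Sum).Sum / 1GB), 2)
    }
} | Sort-Object SizeGB -Descending

$totalGB = [math]::Round((($files | Measure-Object Length -Sum).Sum / 1GB), 2)
"{0} files, {1} GB created between {2:yyyy-MM-dd} and {3:yyyy-MM-dd} (exclusive)" -f `
    $files.Count, $totalGB, $From, $Until
$byFolder | Select-Object -First 20 Folder, Files, SizeGB | Format-Table -AutoSize

# Anything below a too-long path was NOT scanned, so the totals above are a
# lower bound. List those locations so they can be checked separately.
$tooLong = @($scanErrors | Where-Object {
    $_.Exception -is [System.IO.PathTooLongException]
})
if ($tooLong.Count -gt 0) {
    "{0} location(s) skipped because the path is too long:" -f $tooLong.Count
    $tooLong | ForEach-Object { "  $($_.TargetObject)" }
}

# Other failures (access denied, locked folders) are reported as well.
$other = @($scanErrors | Where-Object {
    $_.Exception -isnot [System.IO.PathTooLongException]
})
if ($other.Count -gt 0) {
    "{0} other error(s) during the scan:" -f $other.Count
    $other | ForEach-Object { "  $($_.Exception.Message)" }
}
```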

RE: Desktop/Laptop Backup Software

2010-08-03 Thread N Parr
After looking at the storagecraft product it looks like it would also solve the 
problem we had during the discussion last week of going back and forth between 
physical and virtual hardware. 

-Original Message-
From: Jay Dale [mailto:jd...@emlogis.com] 
Sent: Tuesday, August 03, 2010 3:37 PM
To: NT System Admin Issues
Subject: RE: Desktop/Laptop Backup Software

Shadowprotect from Storagecraft works well for me!

Jay Dale
 Senior Systems Administrator
o:713.785.0960 x290


-Original Message-
From: Juma, Lumumba [mailto:lcj...@icipe.org]
Sent: Tuesday, August 03, 2010 6:32 AM
To: NT System Admin Issues
Subject: Desktop/Laptop Backup Software


Hi All,

We are looking at options to enable us backup desktops and laptops 
automatically to a central storage system. I am aware of Symantec DLO. Anybody 
aware of alternatives cheaper in cost?

Thanks,

Lumumba.



Re: Acronis Backup & Recovery Advanced Workstation 10

2010-08-03 Thread justino garcia
I also get that problem. Any solution?

On Tue, Jul 13, 2010 at 10:28 AM, Bob Hartung  wrote:

>  We have it working here. We're running the license server on a Windows
> 2003 SP2 server and run the Acronis Mgt Console on it as well.
>
> I've never seen your error message. Is it possible your problem is caused
> by workstation firewall settings? I checked a couple of my XP systems and
> they have firewall exceptions for Acronis.
>
> If you have to go to Acronis for tech support, you have my sympathy.
> Advice: use the bathroom first ;-)
>
> --
>
> Bob Hartung
> Wisco Industries, Inc.
> 736 Janesville St.
> Oregon, WI 53575
> Tel: (608) 835-3106 x215
> Fax: (608) 835-7399
> e-mail: bhartung(at)wiscoind.com
>
> --
> *From:* IS Technical [mailto:ist...@intsolcan.com]
> *To:* NT System Admin Issues [mailto:ntsysadmin@lyris.sunbelt-software.com
> ]
> *Sent:* Mon, 12 Jul 2010 15:10:16 -0500
> *Subject:* Acronis Backup & Recovery Advanced Workstation 10
>
>
> Has anyone been able to get Acronis Backup & Recovery Advanced
> Workstation working. I've installed all the components of the
> licensed version a number of times on various machines without
> success. I've even tried various builds including the latest one
> without success.
>
> The persistent problem across all the installations is that I get
> this pop up in the system tray: "acornis managed machine service
> in unavailable" (presumably it's the reason I can't connect to
> the agent on the test machine). Of course, the service is
> running.
>
> I found the problem reported in the Acronis forums a year ago,
> and Acronis support claiming that it would be fixed in "the next
> build" (presumably released some time ago).
>
> Next step: go through the painful process of dealing with
> Acronis support.
>
>
> Regards,
> Charles
>
> ---
> Charles Figueiredo PhD
> Integrated Solutions - Enhancing Small Business Systems
> ---
>
>
>


-- 
Justin
IT-TECH


RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Yep it's the same set of cmdlets you use for Exchange (as that's what l...@edu 
runs on). You can also use the OLSync ILM solution they offer. It's $500 + SQL 
Std for the ILM licensing but this will do GALSync from your existing 
AD/Exchange environment in to l...@edu. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com] 
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: malware that creates Outlook rules

Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have powershell cmdlets that work over the web for administrator so there 
should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System(SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let google handle voice mail, email and anything else they want to give 
> to the students.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost too.  Zero and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all that other support headaches for 
> me.  Great big plus.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, that sounds nice except we have 2000 students with an average of 500 
> new ones every year so our major issue isn't repeat offenders.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 2:51 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> When this happened here, we disabled their email account until they completed 
> our security awareness training, for the second time.
> With supervisors complete support.
>
> -Original Message-
> From: Osborne, Richard [mailto:richard.osbo

Re: Acronis + trueimagecmd.exe, + scripting. Any scripted acronis echo bacups?

2010-08-03 Thread justino garcia
Ahh yea, I notice about between both data and OS backup it is 40 gigs each
day, and 20 gig weekly backup (that I keep 4 weeks worth) on a 500 gig NAS,
should be enough storage right?? It's a five user office, with small data
backups. 7X40gigs + 4 X20 gigs at one time. Plus log files.

On Tue, Aug 3, 2010 at 3:31 PM, Andrew S. Baker  wrote:

> As long as you have the space to backup the data, there's no particular
> problem with that.
>
> I have a daily script that creates systemstate backups (for the appropriate
> OSes, of course) and uses the same format. Overwrite the backups named
> for .
>
> This keeps 7 days worth of backups available.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
>
>
> On Tue, Aug 3, 2010 at 3:05 PM, justino garcia wrote:
>
>> So far my script for each day is one image backup OF OS, one image backup
>> of data.
>> Script (I have scripts one for each day of the week).
>>  echo Monday Backup W drive
>> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
>> /partition:1-1,1-2,1-3 /filename:"w:\OSimageBackup\Monday.tib"
>> ping -w 1000 -n 20 0.0.0.0 >nul
>> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
>> /partition:2-1 /filename:"w:\DataImageBackup\Mondaydata.tib"
>> --
>>
>> 
>> I have  a task for each day, and on friday two task, one for weekly and one
>> for fridays. Most backup take up 20 gigs most for OS, and 20 gigs for data.
>> Small office. Is this good idea the way I setup script.
>> Script 2
>> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
>> /partition:2-1 /filename:"V:\DataImageBackup\week\week1data.tib" first
>> friday of the month
>>
>> -
>> script 3
>> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
>> /partition:2-1 /filename:"V:\DataImageBackup\week\week2data.tib" second
>> friday of the month
>>
>> 
>> script 4
>> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
>> /partition:2-1 /filename:"V:\DataImageBackup\week\week3data.tib"  third
>> friday of the month
>> -
>> script5
>> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
>> /partition:2-1 /filename:"V:\DataImageBackup\week\week4data.tib" last friday
>> of the month
>> --
>>
>>
>> What would you change if anything, the NAS I am backing up to is 500 gigs,
>> and backup full are around 40gigs, one 20 gig OS image, and one 20 gig data
>> image.
>> Task scheduler runs the task. Acronis Echo CLI version does replace old
>> *.tib with new one (e.g. TUESDAY.TIB from last week, is replaced with
>> TUESDAY.TIB of this week...
>> --
>> Am I safe with these backup scripts?
>> Justin
>> IT-TECH
>>
>>
>>
>>
>>
>>
>
>
>
>
>


-- 
Justin
IT-TECH


RE: Desktop/Laptop Backup Software

2010-08-03 Thread Jay Dale
Shadowprotect from Storagecraft works well for me!

Jay Dale
 Senior Systems Administrator
o:713.785.0960 x290


-Original Message-
From: Juma, Lumumba [mailto:lcj...@icipe.org] 
Sent: Tuesday, August 03, 2010 6:32 AM
To: NT System Admin Issues
Subject: Desktop/Laptop Backup Software


Hi All,

We are looking at options to enable us backup desktops and laptops 
automatically to a central storage system. I am aware of Symantec DLO. Anybody 
aware of alternatives cheaper in cost?

Thanks,

Lumumba.



Re: malware that creates Outlook rules

2010-08-03 Thread Steven Peck
Microsoft also has a similar program for EDUs for hosted mail.
http://www.microsoft.com/liveatedu/free-hosted-student-email.aspx

They have powershell cmdlets that work over the web for administrator
so there should be some ways to accomplish automation of a sort.

Steven Peck
http://www.blkmtn.org


On Tue, Aug 3, 2010 at 12:39 PM, Brian Desmond  wrote:
> Most schools I've worked with either have something that plugs in to the 
> message bus of their ERP/SIS system for provisioning to outsourced services, 
> or, more frequently, they have a job which either scans an Oracle table every 
> so often or a batch job on the ERP side that dumps delta flat files and a 
> second job that picks them up and provisions to Google/etc.
>
> Thanks,
> Brian Desmond
> br...@briandesmond.com
>
> c   - 312.731.3132
>
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 2:27 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info 
> System(SIS) and so they worked together to create an automated process in 
> that, a student applies to the college, registers for classes and the next 
> day, they have the email account active.
> All this is done via the web.
> Maybe google would work with your SIS vendor to create something similar.
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Tuesday, August 03, 2010 12:08 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Hmm, interesting. I like that. Of course, setting it up for all students 
> automatically might prove to be tricky.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 6:44 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> And just after I sent this the light came on, Google Voice should do UM.
> I'd let google handle voice mail, email and anything else they want to give 
> to the students.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Tuesday, August 03, 2010 7:42 AM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Not sure on the UM questions.
> Not an issue here as we don't have student housing or provide phones for them.
> I'm betting that it is possible though.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, it's on the investigate list.  It does happen with staff on occasion 
> too, but not nearly as much as students.
>
> The major outstanding question I have is how to do Unified Messaging with 
> Exchange if the mailbox is outsourced? It's prolly something simple, but I 
> just haven't looked into it yet.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 3:14 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Ah ha.
> Didn't notice the .edu addy.
> In that case, I would seriously investigate outsourcing that to MS or Google.
> The entire Va. Community College System went with Google for student email 
> and so far it has worked really well.
> Can't beat the cost too.  Zero and the student gets to keep their same email 
> as long as they want it.  No advertisements in their account while they are 
> students.  No backups, spam, outages and all that other support headaches for 
> me.  Great big plus.
>
>
> -Original Message-
> From: Crawford, Scott [mailto:crawfo...@evangel.edu]
> Sent: Monday, August 02, 2010 4:05 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> Yeah, that sounds nice except we have 2000 students with an average of 500 
> new ones every year so our major issue isn't repeat offenders.
>
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu]
> Sent: Monday, August 02, 2010 2:51 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> When this happened here, we disabled their email account until they completed 
> our security awareness training, for the second time.
> With supervisors complete support.
>
> -Original Message-
> From: Osborne, Richard [mailto:richard.osbo...@wth.org]
> Sent: Monday, August 02, 2010 3:40 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
>
> I have been monitoring the Exchange queues.  It's the only way I can tell 
> when it is happening.  I found the aqadmcli.exe utility and have been using 
> it to clean the queues (aqadmcli "delmsg 
> flags=SENDER,sender=bob.sm...@wth.org".
>
> I'll check the OWA logs ASAP.
>
> Assuming I have had three users reply to phishing e-mails, is there anything 
> to fix besides changing their pass

Win firewall

2010-08-03 Thread Glen Johnson
We've been having intermittent group policy processing errors, other
servers losing time sync with domain controllers and just flaky
networking issues.

Sometimes users will boot up in the morning, and the mapping to a file
share will be gone.  Almost every time, rebooting will fix it.

While troubleshooting, I'm seeing packets dropped by the windows
firewall on the DCs.

Packet is from a local machine, destined to port 389 on the DC.

The firewall has rules for Active Directory Domain Services enabled.

The LSASS exe is listening on 389 and it appears that the FW isn't
blocking all port 389 traffic, just random.

DCs are win2k8 R2. Workstations are xp, vista, 7 and other 2003 servers.

I found one post googling that said to disable the AD Domain Services
firewall rule and create a plain allow rule for port 389.

Anyone tried this or seen this behavior and know of a sure fire fix?

Thanks.
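
A way to quantify the drops described in this post before changing any rule, as an added example that is not part of the original message: a PowerShell script that reads a Windows Firewall log, keeps the `DROP` entries for port 389 and groups them by source address and by whether the packet was opening a connection or belonged to an existing one. The sample log lines are constructed, and the default log path is an assumption.

```powershell
# Added example, not from the thread. Summarises dropped packets to the LDAP
# port from a Windows Firewall log. Dropped-packet logging has to be enabled
# first, e.g.: netsh advfirewall set allprofiles logging droppedconnections enable
param(
    # Assumption: default log location; adjust if the log path was changed.
    [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
    [int]$Port = 389,
    [switch]$UseSample
)

# Constructed sample in the pfirewall.log layout (documentation addresses).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2010-08-03 08:01:12 ALLOW TCP 192.0.2.21 192.0.2.10 49180 389 0 - 0 0 0 - - - RECEIVE
2010-08-03 08:03:40 DROP TCP 192.0.2.21 192.0.2.10 49180 389 40 A 1180112 3340021 255 - - - RECEIVE
2010-08-03 08:03:41 DROP TCP 192.0.2.21 192.0.2.10 49180 389 40 AF 1180112 3340021 255 - - - RECEIVE
2010-08-03 08:05:02 DROP TCP 192.0.2.37 192.0.2.10 51022 389 52 S 2211090 0 8192 - - - RECEIVE
2010-08-03 08:05:05 DROP UDP 192.0.2.44 192.0.2.10 53110 389 211 - - - - - - - RECEIVE
2010-08-03 08:06:00 DROP TCP 192.0.2.44 192.0.2.10 53200 445 52 S 991234 0 8192 - - - RECEIVE
'@ -split "`r?`n"

function Get-DropKind([string]$Protocol, [string]$Flags) {
    if ($Protocol -ne 'TCP') { return $Protocol }
    # SYN without ACK = a client trying to open a new connection.
    if ($Flags -cmatch 'S' -and $Flags -cnotmatch 'A') { return 'TCP new connection (SYN)' }
    return 'TCP existing connection'
}

function Get-FirewallDrop {
    param([string[]]$Line, [int]$Port = 389)
    $fields = $null
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order comes from the log's own header, not a fixed list.
            $fields = ($l -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if (-not $fields -or $l -match '^\s*(#|$)') { continue }
        $values = $l.Trim() -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # truncated line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['action'] -ne 'DROP' -or $row['dst-port'] -ne "$Port") { continue }
        New-Object PSObject -Property @{
            Time     = [datetime]("{0} {1}" -f $row['date'], $row['time'])
            Protocol = $row['protocol']
            SrcIp    = $row['src-ip']
            SrcPort  = $row['src-port']
            Flags    = $row['tcpflags']
            Kind     = Get-DropKind $row['protocol'] $row['tcpflags']
        }
    }
}

$lines = if ($UseSample) { $sample } else { Get-Content -Path $LogPath }
$drops = @(Get-FirewallDrop -Line $lines -Port $Port)

"{0} dropped packet(s) to port {1}" -f $drops.Count, $Port
$drops | Group-Object SrcIp, Kind |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Reading the output (general stateful-firewall behaviour, not a diagnosis of
# the problem in the thread): a dropped SYN is a new connection that no allow
# rule matched; drops that carry only ACK/FIN/RST flags belong to a connection
# the firewall no longer has state for.
```

Run it with `-UseSample` to see the output shape, then without the switch on the domain controller.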



Re: Guilty, will change after reading this.

2010-08-03 Thread Steven Peck
A surge protector generally lacks the electronics to care enough at
the difference.  It would have to be a fairly edge case to destroy
something.

If a stepped sine wave won't destroy a PSU then a surge protector
should for the most part be fine.

Steven Peck
http://www.blkmtn.org

On Tue, Aug 3, 2010 at 12:34 PM, John Hornbuckle
 wrote:
> I know pretty much nothing about electricity, so this is news to me. I’ve
> done this before, like others, in order to allow UPSs to support more
> devices (without overloading them, of course—I only get the kind with load
> meters on them).
>
>
>
> So, a step sine wave created by a UPS could destroy a surge protector, but
> wouldn’t harm equipment plugged directly into the UPS?
>
> John Hornbuckle
>
> MIS Department
>
> Taylor County School District
>
> www.taylor.k12.fl.us
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Tuesday, August 03, 2010 1:01 PM
> To: NT System Admin Issues
> Subject: Guilty, will change after reading this.
>
>
>
> - do not plug surge protectors into a UPS. If the UPS runs on batteries it
> will usually generate a step sine wave which may destroy surge protectors
> (in particular tricky to find power strips without surge protector)
>
>
>
> http://isc.sans.edu/diary.html?storyid=9319
>
>
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
> NOTICE: Florida has a broad public records law. Most written communications
> to or from this entity are public records that will be disclosed to the
> public and the media upon request. E-mail communications may be subject to
> public disclosure.
>




Re: Finding a huge file dump from June...

2010-08-03 Thread Steven Peck
Here is an advanced look...

For the edge case blogging guys on dotNet4:
http://tfl09.blogspot.com/2010/08/using-newer-versions-of-net-with.html
http://tfl09.blogspot.com/2010/08/more-on-using-different-versions-of-net.html
http://tfl09.blogspot.com/2010/08/using-later-versions-of-net-framework.html

Here is the Yahoo Pipes feed I use which is maintained by Joel Bennett
http://pipes.yahoo.com/pipes/pipe.info?_id=uAmYy9xq3BGHcV361fC6Jw

Steven Peck
http://www.blkmtn.org

On Tue, Aug 3, 2010 at 12:39 PM, Michael B. Smith  wrote:
> It is truly unfortunate, but that is actually a .NET framework limitation.
>
> .Net 4, plus a patch, supports "arbitrary length" pathnames (i.e., up to the 
> NTFS limits), so I expect "some future version" of PS will too. I'm not 
> promising anything, just hoping. :-)
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:30 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> You Rock.
>
> Awesome.
>
> BTW: I'm running into lots of these errors:
>
> Get-ChildItem : The specified path, file name, or both are too long.
> The fully qualified file name must be less than 260 characters, and the 
> directory name must be less than 248 characters.
>
> I keep yelling at people to shorten their file names, but do they listen?
>
> Any way to work around this in powershell?
>
> Kurt
>
> On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
>> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString()
>> -match "^2010-06-2[0-9]" } | format-table creationtime,length,fullname
>> -auto
>>
>> Or select-string.
>>
>> No need to drop to findstr.
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, August 03, 2010 3:07 PM
>> To: NT System Admin Issues
>> Subject: Re: Finding a huge file dump from June...
>>
>> I tested this against a small directory, and am now running this:
>>
>> PS K:\> get-childitem k:\groups -force -recurse | format-table
>> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
>> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 |
>> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
>> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>>
>> Your hint with 'fullname' was the last piece of the puzzle.
>>
>> I really need to start reading my powershell books - putting them underneath 
>> my pillow just isn't cutting it...
>>
>> Need. More. Time.
>>
>> Kurt
>>
>> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>>> PowerShell... and here's one of my favorite one-liners to find big files:
>>>
>>> dir c:\temp -force -recurse | sort length -desc | format-table
>>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>>
>>> You can sort the results replacing the length by any of the
>>> properties after format-table
>>>
>>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>>> All,
>>>>
>>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>>> Over the course of 4 days recently it went from about 30% free to
>>>> about 13% free - someone slammed around 200gb onto the file server.
>>>>
>>>> I have a general idea of where it might be - there are two top-level
>>>> directories that are over 200gb each.
>>>>
>>>> However, windirstat hasn't been completely helpful, as I can't seem
>>>> to isolate which files were loaded during those days, and none of
>>>> the files that I've been looking at were huge - no ISO or VHD files
>>>> worth mentioning, etc..
>>>>
>>>> I also am pretty confident that there are a *bunch* of duplicate
>>>> files on those directories.
>>>>
>>>> So, I'm looking for a couple of things:
>>>>
>>>> 1) A way to get a directory listing that supports a time/date stamp
>>>> (my choice of atime, mtime or ctime) size and a complete path name
>>>> for each file/directory on a single line - something like:
>>>>
>>>>      2009-01-08  16:12   854,509
>>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>>
>>>> I've tried every trick I can think of for the 'dir' command and it
>>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't
>>>> seem to want to do this either. Is there a powershell one-liner that
>>>> can do this for me perhaps?
>>>>
>>>> 2) A recommendation for a duplicate file finder - cheap or free
>>>> would be preferred.
>>>>
>>>> Kurt


Re: Finding a huge file dump from June...

2010-08-03 Thread Kurt Buff
We all live in hope.

Now at least I have some more ammunition for users.

Thanks,

Kurt

On Tue, Aug 3, 2010 at 12:39, Michael B. Smith  wrote:
> It is truly unfortunate, but that is actually a .NET framework limitation.
>
> .Net 4, plus a patch, supports "arbitrary length" pathnames (i.e., up to the 
> NTFS limits), so I expect "some future version" of PS will too. I'm not 
> promising anything, just hoping. :-)
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:30 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> You Rock.
>
> Awesome.
>
> BTW: I'm running into lots of these errors:
>
> Get-ChildItem : The specified path, file name, or both are too long.
> The fully qualified file name must be less than 260 characters, and the 
> directory name must be less than 248 characters.
>
> I keep yelling at people to shorten their file names, but do they listen?
>
> Any way to work around this in powershell?
>
> Kurt
>
> On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
>> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString()
>> -match "^2010-06-2[0-9]" } | format-table creationtime,length,fullname
>> -auto
>>
>> Or select-string.
>>
>> No need to drop to findstr.
>>
>> Regards,
>>
>> Michael B. Smith
>> Consultant and Exchange MVP
>> http://TheEssentialExchange.com
>>
>>
>> -Original Message-
>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>> Sent: Tuesday, August 03, 2010 3:07 PM
>> To: NT System Admin Issues
>> Subject: Re: Finding a huge file dump from June...
>>
>> I tested this against a small directory, and am now running this:
>>
>> PS K:\> get-childitem k:\groups -force -recurse | format-table
>> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
>> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 |
>> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
>> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>>
>> Your hint with 'fullname' was the last piece of the puzzle.
>>
>> I really need to start reading my powershell books - putting them underneath 
>> my pillow just isn't cutting it...
>>
>> Need. More. Time.
>>
>> Kurt
>>
>> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>>> PowerShell... and here's one of my favorite one-liners to find big files:
>>>
>>> dir c:\temp -force -recurse | sort length -desc | format-table
>>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>>
>>> You can sort the results replacing the length by any of the
>>> properties after format-table
>>>
>>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>>> All,
>>>>
>>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>>> Over the course of 4 days recently it went from about 30% free to
>>>> about 13% free - someone slammed around 200gb onto the file server.
>>>>
>>>> I have a general idea of where it might be - there are two top-level
>>>> directories that are over 200gb each.
>>>>
>>>> However, windirstat hasn't been completely helpful, as I can't seem
>>>> to isolate which files were loaded during those days, and none of
>>>> the files that I've been looking at were huge - no ISO or VHD files
>>>> worth mentioning, etc..
>>>>
>>>> I also am pretty confident that there are a *bunch* of duplicate
>>>> files on those directories.
>>>>
>>>> So, I'm looking for a couple of things:
>>>>
>>>> 1) A way to get a directory listing that supports a time/date stamp
>>>> (my choice of atime, mtime or ctime) size and a complete path name
>>>> for each file/directory on a single line - something like:
>>>>
>>>>     2009-01-08  16:12   854,509
>>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>>
>>>> I've tried every trick I can think of for the 'dir' command and it
>>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't
>>>> seem to want to do this either. Is there a powershell one-liner that
>>>> can do this for me perhaps?
>>>>
>>>> 2) A recommendation for a duplicate file finder - cheap or free
>>>> would be preferred.
>>>>
>>>> Kurt


RE: Guilty, will change after reading this.

2010-08-03 Thread Jacob
Along with the laser printer.

 

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Tuesday, August 03, 2010 10:07 AM
To: NT System Admin Issues
Subject: Re: Guilty, will change after reading this.

 


Don't plug space heaters into them, either! 

David Lum  wrote on 08/03/2010 12:01:04 PM:

> - do not plug surge protectors into a UPS. If the UPS runs on 
> batteries it will usually generate a step sine wave which may 
> destroy surge protectors (in particular tricky to find power strips 
> without surge protector) 
>   
> http://isc.sans.edu/diary.html?storyid=9319 
>   
> David Lum // SYSTEMS ENGINEER 
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764 
>   
>   
>   

 

 


RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Most schools I've worked with either have something that plugs in to the 
message bus of their ERP/SIS system for provisioning to outsourced services, 
or, more frequently, they have a job which either scans an Oracle table every 
so often or a batch job on the ERP side that dumps delta flat files and a 
second job that picks them up and provisions to Google/etc. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 2:27 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info System(SIS) 
and so they worked together to create an automated process in that, a student 
applies to the college, registers for classes and the next day, they have the 
email account active.
All this is done via the web.
Maybe google would work with your SIS vendor to create something similar.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Tuesday, August 03, 2010 12:08 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Hmm, interesting. I like that. Of course, setting it up for all students 
automatically might prove to be tricky.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 6:44 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.os

RE: multihomed SQL, same subnet feasible?

2010-08-03 Thread Brian Desmond
I'm lost. What's the second NIC got to do with anything? 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Salvador Manzo [mailto:ma...@usc.edu] 
Sent: Tuesday, August 03, 2010 12:44 PM
To: NT System Admin Issues
Subject: multihomed SQL, same subnet feasible?

Per subject line, as I've never dealt with a multiple NIC SQL server where both 
NICs are on the same IP range before. 

I have a situation where a production SQL instance has gone offline, and I lack 
the budget or time to simply replace it (out of warranty hardware, of course.). 
I DO have another server which I can transfer the load/backup to, but they 
would by necessity be on the same subnet and share the same gateway. 

Given this scenario, could I reasonably enable another NIC on my second server, 
using the IP of the downed machine, and enable a new instance of SQL for that 
network card?  I don't need to worry about NetBIOS connections, as the client 
dumb devices and PCs are configured to use either the IP(dumb devices) or 
FQDN(PCs)






RE: malware that creates Outlook rules

2010-08-03 Thread Brian Desmond
Currently UM in that scenario isn't possible. 

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Monday, August 02, 2010 4:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors' complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the users password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info from an error message our external MTA sent 
to me (our Exchange guys are looking into the matter):

Transcript of session follows.

 Out: 220 mail3.wise.k12.va.us ESMTP
 In:  EHLO mail.wise.k12.va.us
 Out: 250-mail3.wise.k12.va.us
 Out: 250-PIPELINING
 Out: 250-SIZE 8
 Out: 250-VRFY
 Out: 250-ETRN
 Out: 250-ENHANCEDSTATUSCODES
 Out: 250-8BITMIME
 Out: 250 DSN
 In:  MAIL FROM: SIZE=1163
 Out: 250 2.1.0 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCPT TO:
 Out: 250 2.1.5 Ok
 In:  RCP
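
One way to do the OWA log check mentioned in this thread, as an added example that is not part of the original messages: it parses IIS W3C log lines by their #Fields header and summarises authenticated POSTs to the OWA virtual directories per account, flagging accounts that post heavily or from more than one source address. The log lines, account names, addresses and threshold are constructed assumptions.

```powershell
# Added example, not from the thread. The log lines below are constructed
# sample data; account names, addresses (documentation ranges) and the
# threshold are assumptions. Feed it Get-Content output from real IIS logs.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2010-08-02 13:01:10 GET /exchange/ - 192.0.2.10 401
2010-08-02 13:01:11 GET /exchange/ EXAMPLE\user1 192.0.2.10 200
2010-08-02 13:05:42 POST /exchange/user1/Drafts/ EXAMPLE\user1 192.0.2.10 200
2010-08-02 14:10:00 POST /exchange/user2/Drafts/ EXAMPLE\user2 192.0.2.22 200
2010-08-02 18:20:01 POST /exchange/user1/Drafts/ EXAMPLE\user1 198.51.100.7 200
2010-08-02 18:20:02 POST /exchange/user1/Drafts/ EXAMPLE\user1 198.51.100.7 200
2010-08-02 18:20:03 POST /exchange/user1/Drafts/ EXAMPLE\user1 198.51.100.7 200
2010-08-02 18:20:04 POST /exchange/user1/Drafts/ EXAMPLE\user1 198.51.100.7 200
2010-08-02 18:20:05 POST /exchange/user1/Drafts/ EXAMPLE\user1 198.51.100.7 200
'@ -split "`r?`n"

function Get-OwaPostSummary {
    param(
        [string[]]$Lines,
        [int]$PostThreshold = 5      # assumption: tune to normal usage
    )

    # W3C logs name their columns in a "#Fields:" directive, and the column
    # set can change mid-file, so re-read it every time it appears.
    $fields = @()
    $rows = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $parts = $line -split ' '
        if ($parts.Count -ne $fields.Count) { continue }   # malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $parts[$i] }
        New-Object PSObject -Property $row
    }

    # Authenticated POSTs to the OWA virtual directories, grouped by account.
    $rows |
        Where-Object {
            $_.'cs-method' -eq 'POST' -and
            $_.'cs-username' -ne '-' -and
            $_.'cs-uri-stem' -match '^/(exchange|owa)/'
        } |
        Group-Object 'cs-username' |
        ForEach-Object {
            $g = $_
            $ips = @($g.Group | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique)
            $stamps = @($g.Group | ForEach-Object { $_.date + ' ' + $_.time } | Sort-Object)
            New-Object PSObject -Property @{
                User      = $g.Name
                Posts     = $g.Count
                SourceIPs = $ips -join ','
                First     = $stamps[0]
                Last      = $stamps[-1]
                # Review when the account posts a lot or from several addresses.
                Review    = ($g.Count -ge $PostThreshold -or $ips.Count -gt 1)
            }
        } |
        Sort-Object Posts -Descending
}

Get-OwaPostSummary -Lines $sampleLog |
    Format-Table User, Posts, SourceIPs, First, Last, Review -AutoSize
```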

RE: Finding a huge file dump from June...

2010-08-03 Thread Michael B. Smith
It is truly unfortunate, but that is actually a .NET framework limitation.

.Net 4, plus a patch, supports "arbitrary length" pathnames (i.e., up to the 
NTFS limits), so I expect "some future version" of PS will too. I'm not 
promising anything, just hoping. :-)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, August 03, 2010 3:30 PM
To: NT System Admin Issues
Subject: Re: Finding a huge file dump from June...

You Rock.

Awesome.

BTW: I'm running into lots of these errors:

Get-ChildItem : The specified path, file name, or both are too long.
The fully qualified file name must be less than 260 characters, and the 
directory name must be less than 248 characters.

I keep yelling at people to shorten their file names, but do they listen?

Any way to work around this in powershell?

Kurt

On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString() 
> -match "^2010-06-2[0-9]" } | format-table creationtime,length,fullname 
> -auto
>
> Or select-string.
>
> No need to drop to findstr.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:07 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> I tested this against a small directory, and am now running this:
>
> PS K:\> get-childitem k:\groups -force -recurse | format-table 
> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 | 
> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>
> Your hint with 'fullname' was the last piece of the puzzle.
>
> I really need to start reading my powershell books - putting them underneath 
> my pillow just isn't cutting it...
>
> Need. More. Time.
>
> Kurt
>
> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>> PowerShell... and here's one of my favorite one-liners to find big files:
>>
>> dir c:\temp -force -recurse | sort length -desc | format-table 
>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>
>> You can sort the results replacing the length by any of the 
>> properties after format-table
>>
>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>> All,
>>>
>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>> Over the course of 4 days recently it went from about 30% free to 
>>> about 13% free - someone slammed around 200gb onto the file server.
>>>
>>> I have a general idea of where it might be - there are two top-level 
>>> directories that are over 200gb each.
>>>
>>> However, windirstat hasn't been completely helpful, as I can't seem 
>>> to isolate which files were loaded during those days, and none of 
>>> the files that I've been looking at were huge - no ISO or VHD files 
>>> worth mentioning, etc..
>>>
>>> I also am pretty confident that there are a *bunch* of duplicate 
>>> files on those directories.
>>>
>>> So, I'm looking for a couple of things:
>>>
>>> 1) A way to get a directory listing that supports a time/date stamp 
>>> (my choice of atime, mtime or ctime) size and a complete path name 
>>> for each file/directory on a single line - something like:
>>>
>>>     2009-01-08  16:12   854,509
>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>
>>> I've tried every trick I can think of for the 'dir' command and it 
>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't 
>>> seem to want to do this either. Is there a powershell one-liner that 
>>> can do this for me perhaps?
>>>
>>> 2) A recommendation for a duplicate file finder - cheap or free 
>>> would be preferred.
>>>
>>> Kurt
>>>

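The date-window search from this thread as a script, added here as an example that is not part of the original messages: it compares CreationTime as a date value instead of matching formatted text (so it does not depend on the locale's date format), records the "path too long" errors rather than losing them, totals the new data per top-level directory, and confirms duplicate candidates by SHA-256. The default window is the three days left by the findstr filters quoted above; the parameter names, output file names and the use of Get-FileHash (PowerShell 4.0 or later) are assumptions.

```powershell
# Added example, not from the thread. Requires PowerShell 4.0+ for Get-FileHash.
# $Root (an absolute path), the date window and the output names are assumptions.
param(
    [string]$Root = 'K:\Groups',
    [datetime]$From = '2010-06-24',      # inclusive
    [datetime]$To = '2010-06-27',        # exclusive
    [string]$OutCsv = '.\created-in-window.csv',
    [string]$SkippedLog = '.\skipped-paths.txt'
)

# Enumerate once. Errors (including "path too long") are collected in
# $scanErrors instead of scrolling past, and the scan keeps going.
$scanErrors = @()
$files = @(Get-ChildItem -Path $Root -Force -Recurse -ErrorAction SilentlyContinue -ErrorVariable scanErrors |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $From -and $_.CreationTime -lt $To })

# 1) One line per file: timestamp, size, full path, largest first.
$files | Sort-Object Length -Descending |
    Select-Object @{Name = 'Created'; Expression = { $_.CreationTime.ToString('yyyy-MM-dd HH:mm') }}, Length, FullName |
    Export-Csv -Path $OutCsv -NoTypeInformation

# 2) Where did the bytes land? Sum by the first directory level under $Root.
$prefix = $Root.TrimEnd('\') + '\'
$byDir = $files |
    Group-Object { $_.FullName.Substring($prefix.Length).Split('\')[0] } |
    ForEach-Object {
        $g = $_
        New-Object PSObject -Property @{
            TopDir = $g.Name
            Files  = $g.Count
            GB     = [math]::Round(($g.Group | Measure-Object Length -Sum).Sum / 1GB, 2)
        }
    } | Sort-Object GB -Descending

# 3) Duplicate candidates: equal size first (cheap), then confirm by SHA-256.
$dupes = @($files | Where-Object { $_.Length -gt 0 } | Group-Object Length |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group | Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue } |
    Group-Object Hash | Where-Object { $_.Count -gt 1 })

# 4) Record what the scan could not read so those subtrees can be checked
#    another way. TargetObject normally holds the path that failed.
$tooLong = @($scanErrors | Where-Object { $_.Exception -is [System.IO.PathTooLongException] })
$scanErrors |
    ForEach-Object { "{0}`t{1}" -f $_.Exception.GetType().Name, $_.TargetObject } |
    Sort-Object -Unique |
    Set-Content -Path $SkippedLog

$byDir | Format-Table TopDir, Files, GB -AutoSize
$dupes | ForEach-Object { $_.Group } | Sort-Object Hash | Format-Table Hash, Path -AutoSize
"{0} files in window, {1} duplicate sets, {2} unreadable paths ({3} too long)" -f `
    $files.Count, $dupes.Count, $scanErrors.Count, $tooLong.Count
```
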
RE: Guilty, will change after reading this.

2010-08-03 Thread John Hornbuckle
I know pretty much nothing about electricity, so this is news to me. I've done 
this before, like others, in order to allow UPSs to support more devices 
(without overloading them, of course - I only get the kind with load meters on 
them).

So, a step sine wave created by a UPS could destroy a surge protector, but 
wouldn't harm equipment plugged directly into the UPS?





John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us



From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, August 03, 2010 1:01 PM
To: NT System Admin Issues
Subject: Guilty, will change after reading this.

- do not plug surge protectors into a UPS. If the UPS runs on batteries it 
will usually generate a step sine wave which may destroy surge protectors (in 
particular tricky to find power strips without surge protector)

http://isc.sans.edu/diary.html?storyid=9319

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764








NOTICE: Florida has a broad public records law. Most written communications to 
or from this entity are public records that will be disclosed to the public and 
the media upon request. E-mail communications may be subject to public 
disclosure.


Re: Acronis + trueimagecmd.exe, + scripting. Any scripted acronis echo bacups?

2010-08-03 Thread Andrew S. Baker
As long as you have the space to backup the data, there's no particular
problem with that.

I have a daily script that creates systemstate backups (for the appropriate
OSes, of course) and uses the same format. Overwrite the backups named
for .

This keeps 7 days worth of backups available.

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Aug 3, 2010 at 3:05 PM, justino garcia wrote:

> So far my script for each day is one image backup OF OS, one image backup
> of data.
> Script (I have scripts one for each day of the week).
> echo Monday Backup W drive
> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
> /partition:1-1,1-2,1-3 /filename:"w:\OSimageBackup\Monday.tib"
> ping -w 1000 -n 20 0.0.0.0 >nul
> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
> /partition:2-1 /filename:"w:\DataImageBackup\Mondaydata.tib"
> --
>
> 
> I have  a task for each day, and on friday two task, one for weekly and one
> for fridays. Most backup take up 20 gigs most for OS, and 20 gigs for data.
> Small office. Is this good idea the way I setup script.
> Script 2
> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
> /partition:2-1 /filename:"V:\DataImageBackup\week\week1data.tib" first
> friday of the month
>
> -
> script 3
> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
> /partition:2-1 /filename:"V:\DataImageBackup\week\week2data.tib" second
> friday of the month
>
> 
> script 4
> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
> /partition:2-1 /filename:"V:\DataImageBackup\week\week3data.tib"  third
> friday of the month
> -
> script5
> "D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
> /partition:2-1 /filename:"V:\DataImageBackup\week\week4data.tib" last friday
> of the month
> --
>
>
> What would you change if anything, the NAS I am backing up to is 500 gigs,
> and backup full are around 40gigs, one 20 gig OS image, and one 20 gig data
> image.
> Task scheduler runs the task. Acronis Echo CLI version does replace old
> *.tib with new one (e.g. TUESDAY.TIB from last week, is replaced with
> TUESDAY.TIB of this week...
> --
> Am I safe with these backup scripts?
> Justin
> IT-TECH
>
>
>
>
>
>


Re: Finding a huge file dump from June...

2010-08-03 Thread Kurt Buff
You Rock.

Awesome.

BTW: I'm running into lots of these errors:

Get-ChildItem : The specified path, file name, or both are too long.
The fully qualified file name must be less than 260 characters, and
the directory name must be less than 248 characters.

I keep yelling at people to shorten their file names, but do they listen?

Any way to work around this in powershell?

Kurt

On Tue, Aug 3, 2010 at 12:22, Michael B. Smith  wrote:
> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString() -match 
> "^2010-06-2[0-9]" } | format-table creationtime,length,fullname -auto
>
> Or select-string.
>
> No need to drop to findstr.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:07 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> I tested this against a small directory, and am now running this:
>
> PS K:\> get-childitem k:\groups -force -recurse | format-table 
> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 | findstr /v 
> ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>
> Your hint with 'fullname' was the last piece of the puzzle.
>
> I really need to start reading my powershell books - putting them underneath 
> my pillow just isn't cutting it...
>
> Need. More. Time.
>
> Kurt
>
> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>> PowerShell... and here's one of my favorite one-liners to find big files:
>>
>> dir c:\temp -force -recurse | sort length -desc | format-table
>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>
>> You can sort the results replacing the length by any of the properties
>> after format-table
>>
>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>> All,
>>>
>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>> Over the course of 4 days recently it went from about 30% free to
>>> about 13% free - someone slammed around 200gb onto the file server.
>>>
>>> I have a general idea of where it might be - there are two top-level
>>> directories that are over 200gb each.
>>>
>>> However, windirstat hasn't been completely helpful, as I can't seem
>>> to isolate which files were loaded during those days, and none of the
>>> files that I've been looking at were huge - no ISO or VHD files worth
>>> mentioning, etc..
>>>
>>> I also am pretty confident that there are a *bunch* of duplicate
>>> files on those directories.
>>>
>>> So, I'm looking for a couple of things:
>>>
>>> 1) A way to get a directory listing that supports a time/date stamp
>>> (my choice of atime, mtime or ctime) size and a complete path name
>>> for each file/directory on a single line - something like:
>>>
>>>     2009-01-08  16:12   854,509
>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>
>>> I've tried every trick I can think of for the 'dir' command and it
>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't
>>> seem to want to do this either. Is there a powershell one-liner that
>>> can do this for me perhaps?
>>>
>>> 2) A recommendation for a duplicate file finder - cheap or free would
>>> be preferred.
>>>
>>> Kurt
>>>



RE: malware that creates Outlook rules

2010-08-03 Thread Glen Johnson
I'm sure it is, and the Va. CC uses PeopleSoft for our Student Info System(SIS) 
and so they worked together to create an automated process in that, a student 
applies to the college, registers for classes and the next day, they have the 
email account active.
All this is done via the web.
Maybe google would work with your SIS vendor to create something similar.

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: Tuesday, August 03, 2010 12:08 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Hmm, interesting. I like that. Of course, setting it up for all students 
automatically might prove to be tricky.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 6:44 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those Exchange SMTP queues.
If it is compromised accounts, the spammers can send spam via your OWA faster 
than your Exchange server can process, so it will get backed up, so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC wit

Re: Finding a huge file dump from June...

2010-08-03 Thread Kurt Buff
Heh.

I knew that something was available, but didn't have time to research it.

Thanks.

Kurt

On Tue, Aug 3, 2010 at 12:19, Rubens Almeida  wrote:
> You can also replace FindStr with native PowerShell CMDLet
> Select-String! I've even created me a nice alias to it suggestively
> called "grep" ;)
>
> On Tue, Aug 3, 2010 at 4:07 PM, Kurt Buff  wrote:
>> I tested this against a small directory, and am now running this:
>>
>> PS K:\> get-childitem k:\groups -force -recurse | format-table
>> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
>> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 |
>> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
>> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>>
>> Your hint with 'fullname' was the last piece of the puzzle.
>>
>> I really need to start reading my powershell books - putting them
>> underneath my pillow just isn't cutting it...
>>
>> Need. More. Time.
>>
>> Kurt
>>
>> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>>> PowerShell... and here's one of my favorite one-liners to find big files:
>>>
>>> dir c:\temp -force -recurse | sort length -desc | format-table
>>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>>
>>> You can sort the results replacing the length by any of the properties
>>> after format-table
>>>
>>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>>> All,
>>>>
>>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>>> Over the course of 4 days recently it went from about 30% free to
>>>> about 13% free - someone slammed around 200gb onto the file server.
>>>>
>>>> I have a general idea of where it might be - there are two top-level
>>>> directories that are over 200gb each.
>>>>
>>>> However, windirstat hasn't been completely helpful, as I can't seem to
>>>> isolate which files were loaded during those days, and none of the
>>>> files that I've been looking at were huge - no ISO or VHD files worth
>>>> mentioning, etc..
>>>>
>>>> I also am pretty confident that there are a *bunch* of duplicate files
>>>> on those directories.
>>>>
>>>> So, I'm looking for a couple of things:
>>>>
>>>> 1) A way to get a directory listing that supports a time/date stamp
>>>> (my choice of atime, mtime or ctime) size and a complete path name for
>>>> each file/directory on a single line - something like:
>>>>
>>>>     2009-01-08  16:12   854,509
>>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>>
>>>> I've tried every trick I can think of for the 'dir' command and it
>>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't seem
>>>> to want to do this either. Is there a powershell one-liner that can do
>>>> this for me perhaps?
>>>>
>>>> 2) A recommendation for a duplicate file finder - cheap or free would
>>>> be preferred.
>>>>
>>>> Kurt




Re: Finding a huge file dump from June...

2010-08-03 Thread Rubens Almeida
That's a nice one-liner Michael! Another nice trick to my PoSh black book!

On Tue, Aug 3, 2010 at 4:22 PM, Michael B. Smith  wrote:
> get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString() -match 
> "^2010-06-2[0-9]" } | format-table creationtime,length,fullname -auto
>
> Or select-string.
>
> No need to drop to findstr.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
>
>
> -Original Message-
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Sent: Tuesday, August 03, 2010 3:07 PM
> To: NT System Admin Issues
> Subject: Re: Finding a huge file dump from June...
>
> I tested this against a small directory, and am now running this:
>
> PS K:\> get-childitem k:\groups -force -recurse | format-table 
> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 | findstr /v 
> ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>
> Your hint with 'fullname' was the last piece of the puzzle.
>
> I really need to start reading my powershell books - putting them underneath 
> my pillow just isn't cutting it...
>
> Need. More. Time.
>
> Kurt
>
> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>> PowerShell... and here's one of my favorite one-liners to find big files:
>>
>> dir c:\temp -force -recurse | sort length -desc | format-table
>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>
>> You can sort the results replacing the length by any of the properties
>> after format-table
>>
>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>> All,
>>>
>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>> Over the course of 4 days recently it went from about 30% free to
>>> about 13% free - someone slammed around 200gb onto the file server.
>>>
>>> I have a general idea of where it might be - there are two top-level
>>> directories that are over 200gb each.
>>>
>>> However, windirstat hasn't been completely helpful, as I can't seem
>>> to isolate which files were loaded during those days, and none of the
>>> files that I've been looking at were huge - no ISO or VHD files worth
>>> mentioning, etc..
>>>
>>> I also am pretty confident that there are a *bunch* of duplicate
>>> files on those directories.
>>>
>>> So, I'm looking for a couple of things:
>>>
>>> 1) A way to get a directory listing that supports a time/date stamp
>>> (my choice of atime, mtime or ctime) size and a complete path name
>>> for each file/directory on a single line - something like:
>>>
>>>     2009-01-08  16:12   854,509
>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>
>>> I've tried every trick I can think of for the 'dir' command and it
>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't
>>> seem to want to do this either. Is there a powershell one-liner that
>>> can do this for me perhaps?
>>>
>>> 2) A recommendation for a duplicate file finder - cheap or free would
>>> be preferred.
>>>
>>> Kurt
>>>



RE: Finding a huge file dump from June...

2010-08-03 Thread Michael B. Smith
get-childitem k:\groups -force -recurse |? {$_.CreationTime.ToString() -match 
"^2010-06-2[0-9]" } | format-table creationtime,length,fullname -auto

Or select-string.

No need to drop to findstr.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, August 03, 2010 3:07 PM
To: NT System Admin Issues
Subject: Re: Finding a huge file dump from June...

I tested this against a small directory, and am now running this:

PS K:\> get-childitem k:\groups -force -recurse | format-table 
creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 | findstr /v 
^2010-06-23 | findstr /v 2010-06-27 | findstr /v
^2010-06-28 | findstr /v ^2010-06-29 >  out.txt

Your hint with 'fullname' was the last piece of the puzzle.

I really need to start reading my powershell books - putting them underneath my 
pillow just isn't cutting it...

Need. More. Time.

Kurt

On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
> PowerShell... and here's one of my favorite one-liners to find big files:
>
> dir c:\temp -force -recurse | sort length -desc | format-table 
> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>
> You can sort the results replacing the length by any of the properties 
> after format-table
>
> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>> All,
>>
>> On our file server we have a single 1.5tb partition - it's on a SAN.
>> Over the course of 4 days recently it went from about 30% free to 
>> about 13% free - someone slammed around 200gb onto the file server.
>>
>> I have a general idea of where it might be - there are two top-level 
>> directories that are over 200gb each.
>>
>> However, windirstat hasn't been completely helpful, as I can't seem 
>> to isolate which files were loaded during those days, and none of the 
>> files that I've been looking at were huge - no ISO or VHD files worth 
>> mentioning, etc..
>>
>> I also am pretty confident that there are a *bunch* of duplicate 
>> files on those directories.
>>
>> So, I'm looking for a couple of things:
>>
>> 1) A way to get a directory listing that supports a time/date stamp 
>> (my choice of atime, mtime or ctime) size and a complete path name 
>> for each file/directory on a single line - something like:
>>
>>     2009-01-08  16:12   854,509
>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>
>> I've tried every trick I can think of for the 'dir' command and it 
>> won't do what I want, and the 'ls' command from gnuwin32 doesn't 
>> seem to want to do this either. Is there a powershell one-liner that 
>> can do this for me perhaps?
>>
>> 2) A recommendation for a duplicate file finder - cheap or free would 
>> be preferred.
>>
>> Kurt
>>
>
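
The date-window listing and the duplicate search Kurt asks for, as an added example that is not part of the thread: it compares CreationTime as a DateTime rather than as text, so the result does not depend on the regional date format, and it finds duplicates by size first and SHA-256 second. It assumes PowerShell 4.0 or later (for Get-FileHash); K:\Groups and the 24-26 June 2010 window are taken from the commands above, and the 1 MB duplicate threshold is an arbitrary choice.

```powershell
# Added example, not code from the thread. Requires PowerShell 4.0+ (Get-FileHash).
# K:\Groups and the 24-26 June 2010 window come from the commands in the thread;
# the 1 MB duplicate threshold is an arbitrary choice.
param(
    [string]   $Root     = 'K:\Groups',
    [datetime] $From     = '2010-06-24',   # inclusive
    [datetime] $To       = '2010-06-27',   # exclusive
    [long]     $MinBytes = 1MB,            # ignore small files when hunting duplicates
    [string]   $OutFile  = '.\out.txt'
)

# Walk the tree once and keep files only. Unreadable folders are skipped, not fatal.
$files = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue

# 1) Files created inside the window. CreationTime is compared as a DateTime, so the
#    result is the same whatever date format the session's regional settings use.
$recent = @($files | Where-Object { $_.CreationTime -ge $From -and $_.CreationTime -lt $To })

# One line per file: timestamp, size, full path (largest first).
$recent | Sort-Object Length -Descending | ForEach-Object {
    '{0:yyyy-MM-dd  HH:mm}  {1,15:N0}  {2}' -f $_.CreationTime, $_.Length, $_.FullName
} | Set-Content -LiteralPath $OutFile

# 2) Which folders received the data: bytes added per directory in the window.
$recent | Group-Object DirectoryName | ForEach-Object {
    [pscustomobject]@{
        GB        = [math]::Round(($_.Group | Measure-Object Length -Sum).Sum / 1GB, 2)
        Files     = $_.Count
        Directory = $_.Name
    }
} | Sort-Object GB -Descending | Select-Object -First 20 | Format-Table -AutoSize

# 3) Duplicates. Only files that share a size with another file can be identical,
#    so hash just those candidates instead of the whole volume.
$files | Where-Object { $_.Length -ge $MinBytes } |
    Group-Object Length | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group } |
    Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
    Group-Object Hash | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $size = (Get-Item -LiteralPath $_.Group[0].Path -Force).Length
        [pscustomobject]@{
            Copies   = $_.Count
            WastedMB = [math]::Round($size * ($_.Count - 1) / 1MB, 1)
            Paths    = ($_.Group | ForEach-Object { $_.Path }) -join ' | '
        }
    } | Sort-Object WastedMB -Descending | Format-Table -AutoSize -Wrap
```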


Re: Finding a huge file dump from June...

2010-08-03 Thread Rubens Almeida
You can also replace FindStr with native PowerShell CMDLet
Select-String! I've even created me a nice alias to it suggestively
called "grep" ;)

On Tue, Aug 3, 2010 at 4:07 PM, Kurt Buff  wrote:
> I tested this against a small directory, and am now running this:
>
> PS K:\> get-childitem k:\groups -force -recurse | format-table
> creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
> ^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 |
> findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
> ^2010-06-28 | findstr /v ^2010-06-29 >  out.txt
>
> Your hint with 'fullname' was the last piece of the puzzle.
>
> I really need to start reading my powershell books - putting them
> underneath my pillow just isn't cutting it...
>
> Need. More. Time.
>
> Kurt
>
> On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
>> PowerShell... and here's one of my favorite one-liners to find big files:
>>
>> dir c:\temp -force -recurse | sort length -desc | format-table
>> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>>
>> You can sort the results replacing the length by any of the properties
>> after format-table
>>
>> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>>> All,
>>>
>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>> Over the course of 4 days recently it went from about 30% free to
>>> about 13% free - someone slammed around 200gb onto the file server.
>>>
>>> I have a general idea of where it might be - there are two top-level
>>> directories that are over 200gb each.
>>>
>>> However, windirstat hasn't been completely helpful, as I can't seem to
>>> isolate which files were loaded during those days, and none of the
>>> files that I've been looking at were huge - no ISO or VHD files worth
>>> mentioning, etc..
>>>
>>> I also am pretty confident that there are a *bunch* of duplicate files
>>> on those directories.
>>>
>>> So, I'm looking for a couple of things:
>>>
>>> 1) A way to get a directory listing that supports a time/date stamp
>>> (my choice of atime, mtime or ctime) size and a complete path name for
>>> each file/directory on a single line - something like:
>>>
>>>     2009-01-08  16:12   854,509
>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>
>>> I've tried every trick I can think of for the 'dir' command and it
>>> won't do what I want, and the 'ls' command from gnuwin32 doesn't seem
>>> to want to do this either. Is there a powershell one-liner that can do
>>> this for me perhaps?
>>>
>>> 2) A recommendation for a duplicate file finder - cheap or free would
>>> be preferred.
>>>
>>> Kurt
>>>



Re: Finding a huge file dump from June...

2010-08-03 Thread Kurt Buff
I tested this against a small directory, and am now running this:

PS K:\> get-childitem k:\groups -force -recurse | format-table
creationtime,length,fullname -auto | findstr ^2010-06-2 | findstr /v
^2010-06-20 | findstr /v ^2010-06-21 | findstr /v ^2010-06-22 |
findstr /v ^2010-06-23 | findstr /v 2010-06-27 | findstr /v
^2010-06-28 | findstr /v ^2010-06-29 >  out.txt

Your hint with 'fullname' was the last piece of the puzzle.

I really need to start reading my powershell books - putting them
underneath my pillow just isn't cutting it...

Need. More. Time.

Kurt

On Mon, Aug 2, 2010 at 20:52, Rubens Almeida  wrote:
> PowerShell... and here's one of my favorite one-liners to find big files:
>
> dir c:\temp -force -recurse | sort length -desc | format-table
> creationtime,lastwritetime,lastaccesstime,length,fullname -auto
>
> You can sort the results replacing the length by any of the properties
> after format-table
>
> On Mon, Aug 2, 2010 at 9:48 PM, Kurt Buff  wrote:
>> All,
>>
>> On our file server we have a single 1.5tb partition - it's on a SAN.
>> Over the course of 4 days recently it went from about 30% free to
>> about 13% free - someone slammed around 200gb onto the file server.
>>
>> I have a general idea of where it might be - there are two top-level
>> directories that are over 200gb each.
>>
>> However, windirstat hasn't been completely helpful, as I can't seem to
>> isolate which files were loaded during those days, and none of the
>> files that I've been looking at were huge - no ISO or VHD files worth
>> mentioning, etc..
>>
>> I also am pretty confident that there are a *bunch* of duplicate files
>> on those directories.
>>
>> So, I'm looking for a couple of things:
>>
>> 1) A way to get a directory listing that supports a time/date stamp
>> (my choice of atime, mtime or ctime) size and a complete path name for
>> each file/directory on a single line - something like:
>>
>>     2009-01-08  16:12   854,509
>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>
>> I've tried every trick I can think of for the 'dir' command and it
>> won't do what I want, and the 'ls' command from gnuwin32 doesn't seem
>> to want to do this either. Is there a powershell one-liner that can do
>> this for me perhaps?
>>
>> 2) A recommendation for a duplicate file finder - cheap or free would
>> be preferred.
>>
>> Kurt
>>



Acronis + trueimagecmd.exe, + scripting. Any scripted acronis echo backups?

2010-08-03 Thread justino garcia
So far my script for each day is one image backup OF OS, one image backup of
data.
Script (I have scripts one for each day of the week).
echo Monday Backup W drive
"D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
/partition:1-1,1-2,1-3 /filename:"w:\OSimageBackup\Monday.tib"
ping -w 1000 -n 20 0.0.0.0 >nul
"D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
/partition:2-1 /filename:"w:\DataImageBackup\Mondaydata.tib"
--


I have a task for each day, and on Friday two tasks, one for weekly and one
for Fridays. Most backups take up 20 gigs at most for OS, and 20 gigs for data.
Small office. Is this a good idea, the way I set up the scripts?
Script 2
"D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
/partition:2-1 /filename:"V:\DataImageBackup\week\week1data.tib" first
friday of the month
-
script 3
"D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
/partition:2-1 /filename:"V:\DataImageBackup\week\week2data.tib" second
friday of the month

script 4
"D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
/partition:2-1 /filename:"V:\DataImageBackup\week\week3data.tib"  third
friday of the month
-
script5
"D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe"  /create
/partition:2-1 /filename:"V:\DataImageBackup\week\week4data.tib" last friday
of the month
--


What would you change, if anything? The NAS I am backing up to is 500 gigs,
and full backups are around 40 gigs: one 20 gig OS image, and one 20 gig data
image.
Task scheduler runs the task. Acronis Echo CLI version does replace the old
*.tib with the new one (e.g. TUESDAY.TIB from last week is replaced with
TUESDAY.TIB of this week)...
-- 
Am I safe with these backup scripts?
Justin
IT-TECH
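
One way to fold the per-day scripts above into a single scheduled script, as an added example that is not the poster's code: it derives the file names from the date, writes each image to a temporary name, and replaces the previous .tib only after the new one has been checked. It assumes TrueImageCmd returns a non-zero exit code on failure and accepts the temporary file name; the paths, partition numbers and switches are the ones in the message.

```powershell
# Added example, not the poster's script. The executable path, partition numbers,
# drive letters and .tib names are the ones in the message; only the /create,
# /partition and /filename switches shown there are used.
# Assumptions: TrueImageCmd returns a non-zero exit code on failure, and it accepts
# the temporary "<name>.new.tib" target used below.
$cli = 'D:\Program Files\Acronis\TrueImageEchoServer\TrueImageCmd.exe'
$now = Get-Date
$day = $now.DayOfWeek.ToString()      # Monday, Tuesday, ...

$jobs = @(
    @{ Partition = '1-1,1-2,1-3'; Target = "W:\OSimageBackup\$day.tib" },
    @{ Partition = '2-1';         Target = "W:\DataImageBackup\${day}data.tib" }
)

# Fridays also write the weekly data image. Days 1-7 are the first Friday, 8-14 the
# second, and so on; a fifth Friday reuses week4, so week4 is always the last Friday.
if ($now.DayOfWeek -eq [DayOfWeek]::Friday) {
    $week = [int][math]::Min(4, [math]::Ceiling($now.Day / 7.0))
    $jobs += @{ Partition = '2-1'; Target = "V:\DataImageBackup\week\week${week}data.tib" }
}

$failures = 0
foreach ($job in $jobs) {
    $temp    = $job.Target -replace '\.tib$', '.new.tib'
    $started = Get-Date
    Remove-Item -LiteralPath $temp -ErrorAction SilentlyContinue   # stale leftover

    & $cli /create "/partition:$($job.Partition)" "/filename:$temp"
    $code = $LASTEXITCODE

    # Trust the file, not just the exit code: it must exist, be non-empty and
    # have been written during this run.
    $image = Get-Item -LiteralPath $temp -ErrorAction SilentlyContinue
    if ($code -eq 0 -and $image -and $image.Length -gt 0 -and $image.LastWriteTime -ge $started) {
        # Replace last week's image only now, so a failed run never destroys it.
        Move-Item -LiteralPath $temp -Destination $job.Target -Force
        Write-Output ("{0:s} OK   {1} ({2:N0} bytes)" -f (Get-Date), $job.Target, $image.Length)
    } else {
        $failures++
        Write-Output ("{0:s} FAIL {1} (exit code {2}); previous image kept" -f (Get-Date), $job.Target, $code)
    }
    Start-Sleep -Seconds 20      # same pause the original script gets from ping
}
exit $failures                   # non-zero result shows up in Task Scheduler's Last Run Result
```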


Re: WMI information gathering

2010-08-03 Thread James Rankin
I would go and test MBS's suggestion. Either that or I'd set up a standard
user account myself and see what needed tweaking to make their WMI stuff
work. Procmon may be a particular help here.

This reminds me sometimes about the perception of "admin access". When I
used to work for a big outsourcer we got a lot of complaining from their
previous IT guys about how they "needed" admin access to do certain things
(I remember AutoCAD being a particular pain). We simply gave them a new
account which was prefixed "admin" and added the Create Global Objects user
right via GPO, which let AutoCAD function, and they were happy as pigs in
poo. Despite the fact that their "admin" account couldn't really do much
more than the account of a bog-standard user.

On 3 August 2010 19:49, Joseph Heaton  wrote:

> Exactly!  Which is why we're trying to figure out if we can comply, by
> letting them get whatever info they need, without giving them the keys to
> our domain...
>
> >>> James Rankin  8/3/2010 11:38 AM >>>
> Domain Admin access not a big deal? Morons. I wouldn't let any third parties
> near a Domain Admin account.
>
> On 3 August 2010 19:15, Joseph Heaton  wrote:
>
> > 1.  Yes, we are required to do this.  It's supposed to be for information
> > gathering only, but we're trying to cover our backsides, in case they mess
> > something up.
> > Yes, we can gain benefit, in that we can use this to get WMI access for
> > our Orion product.
> > 2.  Documentation is a difficult thing.  The wording of their message is
> > such that they feel it's not a big deal for us to just give them a domain
> > admin account to play with.
> >
> > >>> Steven Peck  8/3/2010 10:49 AM >>>
> > To be honest the real questions are;
> > 1.  Are you required to do this?  (Usually yes)
> >  - if yes, can you gain benefit? (Usually you can)
> > 2.  Do they have documentation on least privilege necessary for their
> > tools to run?
> >
> >
> >
> > On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> > > My experience with WMI and CMDB or security scanner products tells me
> > > you are out of luck, at some point, the information they require is
> > > situated such that they require admin privs just to be able to read it.
> > >
> > > -Original Message-
> > > From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> > > Sent: Tuesday, August 03, 2010 10:18 AM
> > > To: NT System Admin Issues
> > > Subject: Re: WMI information gathering
> > >
> > > Anyone have any idea on this one?
> > >
> > > >>> Joseph Heaton  8/2/2010 3:42 PM >>>
> > > We have a group that wants to come in, and "scan our servers" to gather
> > > information.  We want to cooperate with this effort, but we don't want
> > > to give them access to be able to write back to the servers.  Is this
> > > possible?  Is there a tool that can be used without an admin account, in
> > > order to gather information from within WMI?  Please contact offline for
> > > further details, if needed.  As always, I sincerely appreciate any
> > > assistance any of you may be able to provide.
> > >
> > > Thanks,
> > >
> > > Joe
> > >
> > >
> > >
>
>
> --
> "On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
> the machine wrong figures, will the right answers come out?' I am not able
> rightly to apprehend the kind of confusion of ideas that could provoke such
> a question."
>


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


RE: WMI information gathering

2010-08-03 Thread Rod Trent
Scripts can do this - check out the Script-o-matics on the Microsoft
scripting pages for both a PowerShell version and a VB Script version.

Also, Kim Oppalfens has done some really good articles on WMI recently:

http://www.myitforum.com/absolutenm/default.aspx?zoneid=89&search=Kim+Oppalfens


-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Tuesday, August 03, 2010 7:49 PM
To: NT System Admin Issues
Subject: Re: WMI information gathering

Exactly!  Which is why we're trying to figure out if we can comply, by
letting them get whatever info they need, without giving them the keys to
our domain...

>>> James Rankin  8/3/2010 11:38 AM >>>
Domain Admin access not a big deal? Morons. I wouldn't let any third parties
near a Domain Admin account.

On 3 August 2010 19:15, Joseph Heaton  wrote:

> 1.  Yes, we are required to do this.  It's supposed to be for 
> information gathering only, but we're trying to cover our backsides, 
> in case they mess something up.
> Yes, we can gain benefit, in that we can use this to get WMI 
> access for our Orion product.
> 2.  Documentation is a difficult thing.  The wording of their message 
> is such that they feel it's not a big deal for us to just give them a 
> domain admin account to play with.
>
> >>> Steven Peck  8/3/2010 10:49 AM >>>
> To be honest the real questions are;
> 1.  Are you required to do this?  (Usually yes)
>  - if yes, can you gain benefit? (Usually you can)
> 2.  Do they have documentation on least privilege necessary for their
> tools to run?
>
>
>
> On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> > My experience with WMI and CMDB or security scanner products tells 
> > me you are out of luck, at some point, the information they require 
> > is situated such that they require admin privs just to be able to
> > read it.
> >
> > -Original Message-
> > From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> > Sent: Tuesday, August 03, 2010 10:18 AM
> > To: NT System Admin Issues
> > Subject: Re: WMI information gathering
> >
> > Anyone have any idea on this one?
> >
> > >>> Joseph Heaton  8/2/2010 3:42 PM >>>
> > We have a group that wants to come in, and "scan our servers" to 
> > gather information.  We want to cooperate with this effort, but we 
> > don't want to give them access to be able to write back to the 
> > servers.  Is this possible?  Is there a tool that can be used 
> > without an admin account, in order to gather information from within 
> > WMI?  Please contact offline for further details, if needed.  As 
> > always, I sincerely appreciate any assistance any of you may be able to
> > provide.
> >
> > Thanks,
> >
> > Joe
> >
> >
> >


--
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."



Re: WMI information gathering

2010-08-03 Thread Joseph Heaton
Exactly!  Which is why we're trying to figure out if we can comply, by letting 
them get whatever info they need, without giving them the keys to our domain...

>>> James Rankin  8/3/2010 11:38 AM >>>
Domain Admin access not a big deal? Morons. I wouldn't let any third parties
near a Domain Admin account.

On 3 August 2010 19:15, Joseph Heaton  wrote:

> 1.  Yes, we are required to do this.  It's supposed to be for information
> gathering only, but we're trying to cover our backsides, in case they mess
> something up.
> Yes, we can gain benefit, in that we can use this to get WMI access for
> our Orion product.
> 2.  Documentation is a difficult thing.  The wording of their message is
> such that they feel it's not a big deal for us to just give them a domain
> admin account to play with.
>
> >>> Steven Peck  8/3/2010 10:49 AM >>>
> To be honest the real questions are;
> 1.  Are you required to do this?  (Usually yes)
>  - if yes, can you gain benefit? (Usually you can)
> 2.  Do they have documentation on least privilege necessary for their
> tools to run?
>
>
>
> On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> > My experience with WMI and CMDB or security scanner products tells me
> > you are out of luck, at some point, the information they require is
> > situated such that they require admin privs just to be able to read it.
> >
> > -Original Message-
> > From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
> > Sent: Tuesday, August 03, 2010 10:18 AM
> > To: NT System Admin Issues
> > Subject: Re: WMI information gathering
> >
> > Anyone have any idea on this one?
> >
> > >>> Joseph Heaton  8/2/2010 3:42 PM >>>
> > We have a group that wants to come in, and "scan our servers" to gather
> > information.  We want to cooperate with this effort, but we don't want
> > to give them access to be able to write back to the servers.  Is this
> > possible?  Is there a tool that can be used without an admin account, in
> > order to gather information from within WMI?  Please contact offline for
> > further details, if needed.  As always, I sincerely appreciate any
> > assistance any of you may be able to provide.
> >
> > Thanks,
> >
> > Joe
> >
> >
> >


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."




Re: WMI information gathering

2010-08-03 Thread James Rankin
Domain Admin access not a big deal? Morons. I wouldn't let any third parties
near a Domain Admin account.

On 3 August 2010 19:15, Joseph Heaton  wrote:

> 1.  Yes, we are required to do this.  It's supposed to be for information
> gathering only, but we're trying to cover our backsides, in case they mess
> something up.
> Yes, we can gain benefit, in that we can use this to get WMI access for
> our Orion product.
> 2.  Documentation is a difficult thing.  The wording of their message is
> such that they feel it's not a big deal for us to just give them a domain
> admin account to play with.
>
> >>> Steven Peck  8/3/2010 10:49 AM >>>
> To be honest the real questions are;
> 1.  Are you required to do this?  (Usually yes)
>  - if yes, can you gain benefit? (Usually you can)
> 2.  Do they have documentation on least privilege necessary for their
> tools to run?
>
>
>
> On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> > My experience with WMI and CMDB or security scanner products tells me
> > you are out of luck, at some point, the information they require is
> > situated such that they require admin privs just to be able to read it.
> >
> > -Original Message-
> > From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> > Sent: Tuesday, August 03, 2010 10:18 AM
> > To: NT System Admin Issues
> > Subject: Re: WMI information gathering
> >
> > Anyone have any idea on this one?
> >
>  Joseph Heaton  8/2/2010 3:42 PM >>>
> > We have a group that wants to come in, and "scan our servers" to gather
> > information.  We want to cooperate with this effort, but we don't want
> > to give them access to be able to write back to the servers.  Is this
> > possible?  Is there a tool that can be used without an admin account, in
> > order to gather information from within WMI?  Please contact offline for
> > further details, if needed.  As always, I sincerely appreciate any
> > assistance any of you may be able to provide.
> >
> > Thanks,
> >
> > Joe
> >
> >
> >


-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put into
the machine wrong figures, will the right answers come out?' I am not able
rightly to apprehend the kind of confusion of ideas that could provoke such
a question."


Re: Guilty, will change after reading this.

2010-08-03 Thread Erik Goldoff
I have used the board room analogy for surge protectors into UPSs as using a
stack of coffee filters in the coffee maker basket.  If one filter is good,
then 10 should be great, right?  But what happens, you impede the proper
flow through the filter.

I know, a crude analogy that is not technically accurate to the details,
but prevents the Charlie-Brown's Teacher (wa-wa-wah-wah) effect when
I speak.

On Tue, Aug 3, 2010 at 1:01 PM, David Lum  wrote:

>  - do not plug surge protectors into a UPS. If the UPS runs on batteries
> it will usually generate a step sine wave which may destroy surge protectors
> (in particular tricky to find power strips without surge protector)
>
>
>
> http://isc.sans.edu/diary.html?storyid=9319
>
>
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
>
>
>
>
>


Re: WMI information gathering

2010-08-03 Thread Joseph Heaton
Orion is our internal benefit to implementing WMI, but the outside people 
coming in and wanting to use it to gather some mysterious, as of yet undefined, 
information is what concerns us.

>>> Steven Peck  8/3/2010 11:21 AM >>>
Oh.  Orion.  Yes, that response is somehow not a surprise to me.

On Tue, Aug 3, 2010 at 11:15 AM, Joseph Heaton  wrote:
> 1.  Yes, we are required to do this.  It's supposed to be for information 
> gathering only, but we're trying to cover our backsides, in case they mess 
> something up.
> Yes, we can gain benefit, in that we can use this to get WMI access for 
> our Orion product.
> 2.  Documentation is a difficult thing.  The wording of their message is such 
> that they feel it's not a big deal for us to just give them a domain admin 
> account to play with.
>
 Steven Peck  8/3/2010 10:49 AM >>>
> To be honest the real questions are;
> 1.  Are you required to do this?  (Usually yes)
>  - if yes, can you gain benefit? (Usually you can)
> 2.  Do they have documentation on least privilege necessary for their
> tools to run?
>
>
>
> On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
>> My experience with WMI and CMDB or security scanner products tells me
>> you are out of luck, at some point, the information they require is
>> situated such that they require admin privs just to be able to read it.
>>
>> -Original Message-
>> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
>> Sent: Tuesday, August 03, 2010 10:18 AM
>> To: NT System Admin Issues
>> Subject: Re: WMI information gathering
>>
>> Anyone have any idea on this one?
>>
> Joseph Heaton  8/2/2010 3:42 PM >>>
>> We have a group that wants to come in, and "scan our servers" to gather
>> information.  We want to cooperate with this effort, but we don't want
>> to give them access to be able to write back to the servers.  Is this
>> possible?  Is there a tool that can be used without an admin account, in
>> order to gather information from within WMI?  Please contact offline for
>> further details, if needed.  As always, I sincerely appreciate any
>> assistance any of you may be able to provide.
>>
>> Thanks,
>>
>> Joe
>>
>>
>>



RE: Guilty, will change after reading this.

2010-08-03 Thread Mike Hoffman
We replaced a UPS for a client where the old unit was used on a ship. Due to 
the fact the unit was not suitable it failed and left a diver at the bottom of 
the sea - they had to resort to tugging on ropes to get the guy back! They also 
had the most important bit of equipment plugged into the surge-only socket. In 
the UK it is a bit easier to control as power tools tend to have 3-pin plugs 
while UPS units have the IEC plugs and sockets 

Mike

-Original Message-
From: Raper, Jonathan - Eagle [mailto:jra...@eaglemds.com] 
Sent: 03 August 2010 19:17
To: NT System Admin Issues
Subject: RE: Guilty, will change after reading this.

We actually had a cabling contractor come in one time that plugged a fiber 
termination heater into a UPS that powered the main switch for a large 4 story 
multi-tenant building. Fortunately it didn't cause any damage - all it did was 
overload the UPS and consequently the switch lost power. Needless to say, I was 
not happy, as practically every tenant in the building at the time needed 
hospital connectivity, which was fed through the switch that he took down.

Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com]
Sent: Tuesday, August 03, 2010 1:54 PM
To: NT System Admin Issues
Subject: Re: Guilty, will change after reading this.

I would.  Even if something like that is a 'no no', I can imagine it would 
disturb APC to no end that it happened without the unit shutting itself off at 
all.

The closest I had was when I very forcefully explained to the electrician that 
he could NOT plug his drill into my UPS and he could get a damn extension cord 
as there were no other outlets available in the server room.  We had dedicated 
plugs to the UPS and a few non-UPS outlets in the room but they were all in 
use.  He was not our regular guy.

Steven



On Tue, Aug 3, 2010 at 10:49 AM,   wrote:
>
> No...  I was the one who had to console the poor student (giving the 
> melted mass time to cool down) and then contact APC.
>
> You'd not believe it, but APC actually wanted to look at the unit to 
> see why the breaker did not trip.  They actually replaced it with a new one!
>
> Joseph Heaton  wrote on 08/03/2010 12:17:37 PM:
>
>> Personal mishap, Richard?
>>
>> >>>  8/3/2010 10:06 AM >>>
>> Don't plug space heaters into them, either!
>>
>> David Lum  wrote on 08/03/2010 12:01:04 PM:
>>
>> > - do not plug surge protectors into a UPS. If the UPS runs on 
>> > batteries it will usually generate a step sine wave which may 
>> > destroy surge protectors (in particular tricky to find power strips 
>> > without surge protector)
>> >
>> > http://isc.sans.edu/diary.html?storyid=9319
>> >
>> > David Lum // SYSTEMS ENGINEER
>> > NORTHWEST EVALUATION ASSOCIATION
>> > (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >
>> >
>> >


Any medical information contained in this electronic message is CONFIDENTIAL 
and privileged. It is unlawful for unauthorized persons to view, copy, 
disclose, or disseminate CONFIDENTIAL information. This electronic message may 
contain information that is confidential and/or legally privileged. It is 
intended only for the use of the individual(s) and/or entity named as 
recipients in the message. If you are not an intended recipient of this 
message, please notify the sender immediately and delete this material from 
your computer. Do not deliver, distribute or copy this message, and do not 
disclose its contents or take any action in reliance on the information that it 
contains.



Re: WMI information gathering

2010-08-03 Thread Steven Peck
Oh.  Orion.  Yes, that response is somehow not a surprise to me.

On Tue, Aug 3, 2010 at 11:15 AM, Joseph Heaton  wrote:
> 1.  Yes, we are required to do this.  It's supposed to be for information 
> gathering only, but we're trying to cover our backsides, in case they mess 
> something up.
>     Yes, we can gain benefit, in that we can use this to get WMI access for 
> our Orion product.
> 2.  Documentation is a difficult thing.  The wording of their message is such 
> that they feel it's not a big deal for us to just give them a domain admin 
> account to play with.
>
 Steven Peck  8/3/2010 10:49 AM >>>
> To be honest the real questions are;
> 1.  Are you required to do this?  (Usually yes)
>  - if yes, can you gain benefit? (Usually you can)
> 2.  Do they have documentation on least privilege necessary for their
> tools to run?
>
>
>
> On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
>> My experience with WMI and CMDB or security scanner products tells me
>> you are out of luck, at some point, the information they require is
>> situated such that they require admin privs just to be able to read it.
>>
>> -Original Message-
>> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
>> Sent: Tuesday, August 03, 2010 10:18 AM
>> To: NT System Admin Issues
>> Subject: Re: WMI information gathering
>>
>> Anyone have any idea on this one?
>>
> Joseph Heaton  8/2/2010 3:42 PM >>>
>> We have a group that wants to come in, and "scan our servers" to gather
>> information.  We want to cooperate with this effort, but we don't want
>> to give them access to be able to write back to the servers.  Is this
>> possible?  Is there a tool that can be used without an admin account, in
>> order to gather information from within WMI?  Please contact offline for
>> further details, if needed.  As always, I sincerely appreciate any
>> assistance any of you may be able to provide.
>>
>> Thanks,
>>
>> Joe
>>
>>
>>



RE: Guilty, will change after reading this.

2010-08-03 Thread Raper, Jonathan - Eagle
We actually had a cabling contractor come in one time that plugged a fiber 
termination heater into a UPS that powered the main switch for a large 4 story 
multi-tenant building. Fortunately it didn't cause any damage - all it did was 
overload the UPS and consequently the switch lost power. Needless to say, I was 
not happy, as practically every tenant in the building at the time needed 
hospital connectivity, which was fed through the switch that he took down.

Jonathan L. Raper, A+, MCSA, MCSE
Technology Coordinator
Eagle Physicians & Associates, PA
jra...@eaglemds.com
www.eaglemds.com


-Original Message-
From: Steven Peck [mailto:sep...@gmail.com]
Sent: Tuesday, August 03, 2010 1:54 PM
To: NT System Admin Issues
Subject: Re: Guilty, will change after reading this.

I would.  Even if something like that is a 'no no', I can imagine it
would disturb APC to no end that it happened without the unit shutting
itself off at all.

The closest I had was when I very forcefully explained to the
electrician that he could NOT plug his drill into my UPS and he could
get a damn extension cord as there were no other outlets available in
the server room.  We had dedicated plugs to the UPS and a few non-UPS
outlets in the room but they were all in use.  He was not our regular
guy.

Steven



On Tue, Aug 3, 2010 at 10:49 AM,   wrote:
>
> No...  I was the one who had to console the poor student (giving the melted
> mass time to cool down) and then contact APC.
>
> You'd not believe it, but APC actually wanted to look at the unit to see why
> the breaker did not trip.  They actually replaced it with a new one!
>
> Joseph Heaton  wrote on 08/03/2010 12:17:37 PM:
>
>> Personal mishap, Richard?
>>
>> >>>  8/3/2010 10:06 AM >>>
>> Don't plug space heaters into them, either!
>>
>> David Lum  wrote on 08/03/2010 12:01:04 PM:
>>
>> > - do not plug surge protectors into a UPS. If the UPS runs on
>> > batteries it will usually generate a step sine wave which may
>> > destroy surge protectors (in particular tricky to find power strips
>> > without surge protector)
>> >
>> > http://isc.sans.edu/diary.html?storyid=9319
>> >
>> > David Lum // SYSTEMS ENGINEER
>> > NORTHWEST EVALUATION ASSOCIATION
>> > (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >
>> >
>> >



Re: WMI information gathering

2010-08-03 Thread Joseph Heaton
1.  Yes, we are required to do this.  It's supposed to be for information 
gathering only, but we're trying to cover our backsides, in case they mess 
something up.
 Yes, we can gain benefit, in that we can use this to get WMI access for 
our Orion product.
2.  Documentation is a difficult thing.  The wording of their message is such 
that they feel it's not a big deal for us to just give them a domain admin 
account to play with.

>>> Steven Peck  8/3/2010 10:49 AM >>>
To be honest the real questions are;
1.  Are you required to do this?  (Usually yes)
  - if yes, can you gain benefit? (Usually you can)
2.  Do they have documentation on least privilege necessary for their
tools to run?



On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> My experience with WMI and CMDB or security scanner products tells me
> you are out of luck, at some point, the information they require is
> situated such that they require admin privs just to be able to read it.
>
> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
> Sent: Tuesday, August 03, 2010 10:18 AM
> To: NT System Admin Issues
> Subject: Re: WMI information gathering
>
> Anyone have any idea on this one?
>
 Joseph Heaton  8/2/2010 3:42 PM >>>
> We have a group that wants to come in, and "scan our servers" to gather
> information.  We want to cooperate with this effort, but we don't want
> to give them access to be able to write back to the servers.  Is this
> possible?  Is there a tool that can be used without an admin account, in
> order to gather information from within WMI?  Please contact offline for
> further details, if needed.  As always, I sincerely appreciate any
> assistance any of you may be able to provide.
>
> Thanks,
>
> Joe
>
>
>



Re: Guilty, will change after reading this.

2010-08-03 Thread Steven Peck
I would.  Even if something like that is a 'no no', I can imagine it
would disturb APC to no end that it happened without the unit shutting
itself off at all.

The closest I had was when I very forcefully explained to the
electrician that he could NOT plug his drill into my UPS and he could
get a damn extension cord as there were no other outlets available in
the server room.  We had dedicated plugs to the UPS and a few non-UPS
outlets in the room but they were all in use.  He was not our regular
guy.

Steven



On Tue, Aug 3, 2010 at 10:49 AM,   wrote:
>
> No...  I was the one who had to console the poor student (giving the melted
> mass time to cool down) and then contact APC.
>
> You'd not believe it, but APC actually wanted to look at the unit to see why
> the breaker did not trip.  They actually replaced it with a new one!
>
> Joseph Heaton  wrote on 08/03/2010 12:17:37 PM:
>
>> Personal mishap, Richard?
>>
>> >>>  8/3/2010 10:06 AM >>>
>> Don't plug space heaters into them, either!
>>
>> David Lum  wrote on 08/03/2010 12:01:04 PM:
>>
>> > - do not plug surge protectors into a UPS. If the UPS runs on
>> > batteries it will usually generate a step sine wave which may
>> > destroy surge protectors (in particular tricky to find power strips
>> > without surge protector)
>> >
>> > http://isc.sans.edu/diary.html?storyid=9319
>> >
>> > David Lum // SYSTEMS ENGINEER
>> > NORTHWEST EVALUATION ASSOCIATION
>> > (Desk) 971.222.1025 // (Cell) 503.267.9764
>> >
>> >
>> >



Re: Guilty, will change after reading this.

2010-08-03 Thread RichardMcClary
No...  I was the one who had to console the poor student (giving the 
melted mass time to cool down) and then contact APC.

You'd not believe it, but APC actually wanted to look at the unit to see 
why the breaker did not trip.  They actually replaced it with a new one!

Joseph Heaton  wrote on 08/03/2010 12:17:37 PM:

> Personal mishap, Richard?
> 
> >>>  8/3/2010 10:06 AM >>>
> Don't plug space heaters into them, either!
> 
> David Lum  wrote on 08/03/2010 12:01:04 PM:
> 
> > - do not plug surge protectors into a UPS. If the UPS runs on 
> > batteries it will usually generate a step sine wave which may 
> > destroy surge protectors (in particular tricky to find power strips 
> > without surge protector)
> > 
> > http://isc.sans.edu/diary.html?storyid=9319 
> > 
> > David Lum // SYSTEMS ENGINEER 
> > NORTHWEST EVALUATION ASSOCIATION
> > (Desk) 971.222.1025 // (Cell) 503.267.9764
> > 
> > 
> > 

Re: WMI information gathering

2010-08-03 Thread Steven Peck
To be honest the real questions are;
1.  Are you required to do this?  (Usually yes)
  - if yes, can you gain benefit? (Usually you can)
2.  Do they have documentation on least privilege necessary for their
tools to run?



On Tue, Aug 3, 2010 at 10:26 AM, Free, Bob  wrote:
> My experience with WMI and CMDB or security scanner products tells me
> you are out of luck, at some point, the information they require is
> situated such that they require admin privs just to be able to read it.
>
> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Tuesday, August 03, 2010 10:18 AM
> To: NT System Admin Issues
> Subject: Re: WMI information gathering
>
> Anyone have any idea on this one?
>
 Joseph Heaton  8/2/2010 3:42 PM >>>
> We have a group that wants to come in, and "scan our servers" to gather
> information.  We want to cooperate with this effort, but we don't want
> to give them access to be able to write back to the servers.  Is this
> possible?  Is there a tool that can be used without an admin account, in
> order to gather information from within WMI?  Please contact offline for
> further details, if needed.  As always, I sincerely appreciate any
> assistance any of you may be able to provide.
>
> Thanks,
>
> Joe
>
>
>



Re: Guilty, will change after reading this.

2010-08-03 Thread Steven Peck
http://thomaswilburn.net/source/images/sample_sine.jpg
A utility company sine wave is the blue line.  The gray represents a
stepped sine wave.

In reality the utility output is generally full of jagged spikes :)


On Tue, Aug 3, 2010 at 10:31 AM, Maglinger, Paul  wrote:
> Interesting, but isn’t A/C power typically a sine wave?  Or is it implying
> that the UPS generates a “special” sine wave that is different than what the
> utility company generates?  60Hz is the norm, is it not?  Surge strips are
> typically no more than some metal oxide varistors placed across hot, neutral
> and ground.  Some put toroidal coils for noise reduction, but I don’t know
> of anything in any of them that would damage the UPS or the surge strip.
>
>
>
> IMHO, I think the more accepted reason not to do it is because of the
> temptation to plug in more devices than the UPS is designed to handle, and
> thereby overload it.
>
>
>
> -Paul
>
>
>
>
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Tuesday, August 03, 2010 12:01 PM
> To: NT System Admin Issues
> Subject: Guilty, will change after reading this.
>
>
>
> - do not plug surge protectors into a UPS. If the UPS runs on batteries it
> will usually generate a step sine wave which may destroy surge protectors
> (in particular tricky to find power strips without surge protector)
>
>
>
> http://isc.sans.edu/diary.html?storyid=9319
>
>
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
>
>
>
>
>
>
>




RE: Guilty, will change after reading this.

2010-08-03 Thread John Aldrich
Ditto.

 

John-AldrichTile-Tools

 

From: Jeff Cain [mailto:je...@sunbelt-software.com] 
Sent: Tuesday, August 03, 2010 1:38 PM
To: NT System Admin Issues
Subject: RE: Guilty, will change after reading this.

 

When the UPS switches to battery power, it _can_ cause a dip or a spike
which the surge protector may react to. I believe each time they do this it
degrades the unit until it fails completely.

 

I'm guilty of this too, but I've never had an issue with it. :)

 

Thanks,

 

Jeff Cain - supp...@sunbeltsoftware.com

Technical Support Analyst

 

Sunbelt Software, part of the GFI Software family

www.sunbeltsoftware.com  

Tel: 1-877-757-4094

Fax: +1 727-562-3402

 

From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Tuesday, August 03, 2010 1:31 PM
To: NT System Admin Issues
Subject: RE: Guilty, will change after reading this.

 

Interesting, but isn't A/C power typically a sine wave?  Or is it implying
that the UPS generates a "special" sine wave that is different than what the
utility company generates?  60Hz is the norm, is it not?  Surge strips are
typically no more than some metal oxide varistors placed across hot, neutral
and ground.  Some put toroidal coils for noise reduction, but I don't know
of anything in any of them that would damage the UPS or the surge strip.

 

IMHO, I think the more accepted reason not to do it is because of the
temptation to plug in more devices than the UPS is designed to handle, and
thereby overload it.

 

-Paul

 

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 03, 2010 12:01 PM
To: NT System Admin Issues
Subject: Guilty, will change after reading this.

 

- do not plug surge protectors into a UPS. If the UPS runs on batteries it
will usually generate a step sine wave which may destroy surge protectors
(in particular tricky to find power strips without surge protector)

 

http://isc.sans.edu/diary.html?storyid=9319

 

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 

 

 

... 

 

 


multihomed SQL, same subnet feasible?

2010-08-03 Thread Salvador Manzo
Per subject line, as I've never dealt with a multiple NIC SQL server where both 
NICs are on the same IP range before. 

I have a situation where a production SQL instance has gone offline, and I lack 
the budget or time to simply replace it (out of warranty hardware, of course.). 
I DO have another server which I can transfer the load/backup to, but they 
would by necessity be on the same subnet and share the same gateway. 

Given this scenario, could I reasonably enable another NIC on my second server, 
using the IP of the downed machine, and enable a new instance of SQL for that 
network card?  I don't need to worry about NetBIOS connections, as the client 
dumb devices and PCs are configured to use either the IP (dumb devices) or 
FQDN (PCs).



RE: Guilty, will change after reading this.

2010-08-03 Thread David Lum
Neither have I, but I have clients that are not immediately accessible to me 
and some of them have 2-3 power outages/year, long enough for the UPS to send a 
shutdown to systems. I *think* I'm ok for most of them but I wouldn't be 
surprised if somewhere I have a surge protector plugged into a UPS.

Probably the client that will get a power outage 15 minutes after I hit *send* 
on this e-mail

Dave

From: Jeff Cain [mailto:je...@sunbelt-software.com]
Sent: Tuesday, August 03, 2010 10:38 AM
To: NT System Admin Issues
Subject: RE: Guilty, will change after reading this.

When the UPS switches to battery power, it _can_ cause a dip or a spike which 
the surge protector may react to. I believe each time they do this it degrades 
the unit until it fails completely.

I'm guilty of this too, but I've never had an issue with it. :)

Thanks,

Jeff Cain - supp...@sunbeltsoftware.com
Technical Support Analyst

Sunbelt Software, part of the GFI Software family
www.sunbeltsoftware.com
Tel: 1-877-757-4094
Fax: +1 727-562-3402

From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Tuesday, August 03, 2010 1:31 PM
To: NT System Admin Issues
Subject: RE: Guilty, will change after reading this.

Interesting, but isn't A/C power typically a sine wave?  Or is it implying that 
the UPS generates a "special" sine wave that is different than what the utility 
company generates?  60Hz is the norm, is it not?  Surge strips are typically no 
more than some metal oxide varistors placed across hot, neutral and ground.  
Some put toroidal coils for noise reduction, but I don't know of anything in 
any of them that would damage the UPS or the surge strip.

IMHO, I think the more accepted reason not to do it is because of the 
temptation to plug in more devices than the UPS is designed to handle, and 
thereby overload it.

-Paul


From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, August 03, 2010 12:01 PM
To: NT System Admin Issues
Subject: Guilty, will change after reading this.

- do not plug surge protectors into a UPS. If the UPS runs on batteries it 
will usually generate a step sine wave which may destroy surge protectors (in 
particular tricky to find power strips without surge protector)

http://isc.sans.edu/diary.html?storyid=9319

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764














~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Guilty, will change after reading this.

2010-08-03 Thread Jeff Cain
When the UPS switches to battery power, it _can_ cause a dip or a spike which 
the surge protector may react to. I believe each time they do this it degrades 
the unit until it fails completely.

I'm guilty of this too, but I've never had an issue with it. :)

Thanks,

Jeff Cain - supp...@sunbeltsoftware.com
Technical Support Analyst

Sunbelt Software, part of the GFI Software family
www.sunbeltsoftware.com
Tel: 1-877-757-4094
Fax: +1 727-562-3402

From: Maglinger, Paul [mailto:pmaglin...@scvl.com]
Sent: Tuesday, August 03, 2010 1:31 PM
To: NT System Admin Issues
Subject: RE: Guilty, will change after reading this.

Interesting, but isn't A/C power typically a sine wave?  Or is it implying that 
the UPS generates a "special" sine wave that is different than what the utility 
company generates?  60Hz is the norm, is it not?  Surge strips are typically no 
more than some metal oxide varistors placed across hot, neutral and ground.  
Some put toroidal coils for noise reduction, but I don't know of anything in 
any of them that would damage the UPS or the surge strip.

IMHO, I think the more accepted reason not to do it is because of the 
temptation to plug in more devices than the UPS is designed to handle, and 
thereby overload it.

-Paul


From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, August 03, 2010 12:01 PM
To: NT System Admin Issues
Subject: Guilty, will change after reading this.

- do not plug surge protectors into a UPS. If the UPS runs on batteries it 
will usually generate a step sine wave which may destroy surge protectors (in 
particular tricky to find power strips without surge protector)

http://isc.sans.edu/diary.html?storyid=9319

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764











Re: Guilty, will change after reading this.

2010-08-03 Thread Kurt Buff
A stepped sine wave isn't really a sine wave. It's a multi-part set of
square waves that somewhat approximate a sine wave, and there are
some electronic components that don't like them.

I don't know if MOVs are still used in surge protectors, or if they're
sensitive to them, but it's plausible to me that this might be true...

Kurt

On Tue, Aug 3, 2010 at 10:31, Maglinger, Paul  wrote:
> Interesting, but isn’t A/C power typically a sine wave?  Or is it implying
> that the UPS generates a “special” sine wave that is different than what the
> utility company generates?  60Hz is the norm, is it not?  Surge strips are
> typically no more than some metal oxide varistors placed across hot, neutral
> and ground.  Some put toroidal coils for noise reduction, but I don’t know
> of anything in any of them that would damage the UPS or the surge strip.
>
>
>
> IMHO, I think the more accepted reason not to do it is because of the
> temptation to plug in more devices than the UPS is designed to handle, and
> thereby overload it.
>
>
>
> -Paul
>
>
>
>
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Tuesday, August 03, 2010 12:01 PM
> To: NT System Admin Issues
> Subject: Guilty, will change after reading this.
>
>
>
> - do not plug surge protectors into a UPS. If the UPS runs on batteries it
> will usually generate a step sine wave which may destroy surge protectors
> (in particular tricky to find power strips without surge protector)
>
>
>
> http://isc.sans.edu/diary.html?storyid=9319
>
>
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
>
>
>
>
>
>
>




Re: Guilty, will change after reading this.

2010-08-03 Thread James Kerr
Make sure you always plug your copiers and laser printers into UPSs. :-P
  - Original Message - 
  From: Maglinger, Paul 
  To: NT System Admin Issues 
  Sent: Tuesday, August 03, 2010 1:31 PM
  Subject: RE: Guilty, will change after reading this.


  Interesting, but isn't A/C power typically a sine wave?  Or is it implying 
that the UPS generates a "special" sine wave that is different than what the 
utility company generates?  60Hz is the norm, is it not?  Surge strips are 
typically no more than some metal oxide varistors placed across hot, neutral 
and ground.  Some put toroidal coils for noise reduction, but I don't know of 
anything in any of them that would damage the UPS or the surge strip.

   

  IMHO, I think the more accepted reason not to do it is because of the 
temptation to plug in more devices than the UPS is designed to handle, and 
thereby overload it.

   

  -Paul

   

   

  From: David Lum [mailto:david@nwea.org] 
  Sent: Tuesday, August 03, 2010 12:01 PM
  To: NT System Admin Issues
  Subject: Guilty, will change after reading this.

   

  - do not plug surge protectors into a UPS. If the UPS runs on batteries it 
will usually generate a step sine wave which may destroy surge protectors (in 
particular tricky to find power strips without surge protector)

   

  http://isc.sans.edu/diary.html?storyid=9319

   

  David Lum // SYSTEMS ENGINEER 
  NORTHWEST EVALUATION ASSOCIATION
  (Desk) 971.222.1025 // (Cell) 503.267.9764

   

   

 


 


RE: Guilty, will change after reading this.

2010-08-03 Thread Maglinger, Paul
Interesting, but isn't A/C power typically a sine wave?  Or is it
implying that the UPS generates a "special" sine wave that is different
than what the utility company generates?  60Hz is the norm, is it not?
Surge strips are typically no more than some metal oxide varistors
placed across hot, neutral and ground.  Some put toroidal coils for
noise reduction, but I don't know of anything in any of them that would
damage the UPS or the surge strip.

 

IMHO, I think the more accepted reason not to do it is because of the
temptation to plug in more devices than the UPS is designed to handle,
and thereby overload it.

 

-Paul

 

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 03, 2010 12:01 PM
To: NT System Admin Issues
Subject: Guilty, will change after reading this.

 

- do not plug surge protectors into a UPS. If the UPS runs on batteries
it will usually generate a step sine wave which may destroy surge
protectors (in particular tricky to find power strips without surge
protector)

 

http://isc.sans.edu/diary.html?storyid=9319

 

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 


RE: WMI information gathering

2010-08-03 Thread Free, Bob
My experience with WMI and CMDB or security scanner products tells me
you are out of luck, at some point, the information they require is
situated such that they require admin privs just to be able to read it. 

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Tuesday, August 03, 2010 10:18 AM
To: NT System Admin Issues
Subject: Re: WMI information gathering

Anyone have any idea on this one?

>>> Joseph Heaton  8/2/2010 3:42 PM >>>
We have a group that wants to come in, and "scan our servers" to gather
information.  We want to cooperate with this effort, but we don't want
to give them access to be able to write back to the servers.  Is this
possible?  Is there a tool that can be used without an admin account, in
order to gather information from within WMI?  Please contact offline for
further details, if needed.  As always, I sincerely appreciate any
assistance any of you may be able to provide.

Thanks,

Joe






RE: WMI information gathering

2010-08-03 Thread Damien Solodow
A quick Google for "wmi access non administrator" turned up quite a lot
of hits, a number of which look like HowTo docs..

-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Tuesday, August 03, 2010 1:18 PM
To: NT System Admin Issues
Subject: Re: WMI information gathering

Anyone have any idea on this one?

>>> Joseph Heaton  8/2/2010 3:42 PM >>>
We have a group that wants to come in, and "scan our servers" to gather
information.  We want to cooperate with this effort, but we don't want
to give them access to be able to write back to the servers.  Is this
possible?  Is there a tool that can be used without an admin account, in
order to gather information from within WMI?  Please contact offline for
further details, if needed.  As always, I sincerely appreciate any
assistance any of you may be able to provide.

Thanks,

Joe






RE: WMI information gathering

2010-08-03 Thread Michael B. Smith
Yes. You can give them a normal domain user's account and then set a GPO that 
assigns security via "WMI Control" at the root to give that user full read 
access.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Tuesday, August 03, 2010 1:18 PM
To: NT System Admin Issues
Subject: Re: WMI information gathering

Anyone have any idea on this one?

>>> Joseph Heaton  8/2/2010 3:42 PM >>>
We have a group that wants to come in, and "scan our servers" to gather 
information.  We want to cooperate with this effort, but we don't want to give 
them access to be able to write back to the servers.  Is this possible?  Is 
there a tool that can be used without an admin account, in order to gather 
information from within WMI?  Please contact offline for further details, if 
needed.  As always, I sincerely appreciate any assistance any of you may be 
able to provide.

Thanks,

Joe






Re: WMI information gathering

2010-08-03 Thread Joseph Heaton
Anyone have any idea on this one?

>>> Joseph Heaton  8/2/2010 3:42 PM >>>
We have a group that wants to come in, and "scan our servers" to gather 
information.  We want to cooperate with this effort, but we don't want to give 
them access to be able to write back to the servers.  Is this possible?  Is 
there a tool that can be used without an admin account, in order to gather 
information from within WMI?  Please contact offline for further details, if 
needed.  As always, I sincerely appreciate any assistance any of you may be 
able to provide.

Thanks,

Joe






Re: Guilty, will change after reading this.

2010-08-03 Thread Joseph Heaton
Personal mishap, Richard?

>>>  8/3/2010 10:06 AM >>>
Don't plug space heaters into them, either!

David Lum  wrote on 08/03/2010 12:01:04 PM:

> - do not plug surge protectors into a UPS. If the UPS runs on 
> batteries it will usually generate a step sine wave which may 
> destroy surge protectors (in particular tricky to find power strips 
> without surge protector)
> 
> http://isc.sans.edu/diary.html?storyid=9319 
> 
> David Lum // SYSTEMS ENGINEER 
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
> 
> 
> 



RE: malware that creates Outlook rules

2010-08-03 Thread Osborne, Richard
Actually this was happening all weekend.  I was chasing my tail so hard I 
didn't think to e-mail this list until Monday.  Lesson learned.

Just to wrap up: thanks to Glen, Scott, Thomas, and anyone else who suggested 
the spam was coming from OWA via phished accounts.  I looked at the IIS logs on 
the OWA server and found entries like this:
... GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith x.x.x.x 
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+InfoPath.2;+Crazy+Browser+3.0.3)...

Which I suppose shows new e-mails being created in the Drafts folder.  Any 
advice regarding interpreting these logs would be welcome.

After changing the affected users' passwords I think we are in the clear.  
Exchange queues are quiet since yesterday.

We publish OWA via ISA Server, so the OWA logs only the address of the ISA 
Server.  We checked our firewall logs and found quite a bit of traffic to OWA 
from Nigeria & India.  We're in Tennessee, so we are able to block those 
addresses as we won't have any legitimate traffic from them.

Based on the agent string above, I told URLScan to block Crazy Browser 
(http://www.crazybrowser.com/).  I wonder how many other browsers there are 
I've never even heard of.

Now I need to consider some kind of outbound anti-spam, figure out some 
scripting to notify me if the queues get out of hand, and get off all the 
blacklists I'm on.

--

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Monday, August 02, 2010 2:50 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules


We're a Lotus Notes shop using Postini as a relay, if it makes any 
difference... 

We had one desktop system here, and a few in NYC, where spam was being spewed 
out.  This actually had nothing at all to do with Domino/Lotus but rather a 
rogue SMTP server which got snuck onto some workstations. 

We were able to track this down by monitoring SMTP traffic through our 
firewall.  All SMTP traffic was to be coming from only one IP at each 
location, and it was all supposed to be directed to our Postini host. 

At least yours does not seem to be happening on a weekend...
-- 
Richard D. McClary 
Systems Administrator, Information Technology Group 
ASPCA® 
1717 S. Philo Rd, Ste 36 
Urbana, IL  61802 
  
richardmccl...@aspca.org 
  
P: 217-337-9761 
C: 217-417-1182 
F: 217-337-9761 
www.aspca.org 
  
  

"Osborne, Richard"  wrote on 08/02/2010 02:40:09 PM:

> I have been monitoring the Exchange queues.  It's the only way I can
> tell when it is happening.  I found the aqadmcli.exe utility and 
> have been using it to clean the queues (aqadmcli "delmsg 
> flags=SENDER,sender=bob.sm...@wth.org").
> 
> I'll check the OWA logs ASAP.
> 
> Assuming I have had three users reply to phishing e-mails, is there 
> anything to fix besides changing their passwords?
> 
> Thanks everyone for the suggestions.
> 
> -Original Message-
> From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
> Sent: Monday, August 02, 2010 2:35 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> Also check those exchange smtp queues.
> If it is compromised accounts the spammers can send spam via your OWA
> faster than your exchange server can process so it will get backed 
> up so disabling accounts or changing passwords won't stop it until 
> the queues are emptied.
> 
> 
> -Original Message-
> From: Osborne, Richard [mailto:richard.osbo...@wth.org] 
> Sent: Monday, August 02, 2010 3:32 PM
> To: NT System Admin Issues
> Subject: RE: malware that creates Outlook rules
> 
> I'm glad I'm not the only sufferer!
> 
> I'll try and answer the other questions that were asked:
> 
> 1) yes, the spam continued even with the user's account disabled and
> their PC powered off
> 2) yes, only our Exchange server can send SMTP to the Internet
> 3) my OWA servers are clean according to VIPRE & MalwareBytes
> 
> So far this has hit 3 users (out of ~5000).  I have not seen any 
> spam sent in the last 5 hours but I don't have any confidence that I
> have found the source.  Maybe there's a PC with a high-privileged 
> account that has been compromised and is sending out spam runs on a 
> schedule?  Currently I am getting up-to-date on patches on all my 
> Exchange boxes.
>
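
The OWA entries Richard Osborne quotes from his IIS logs look like W3C extended log rows (method, URI stem, query, port, username, client IP, user agent). As an added example that is not part of the thread, this Python script parses such a log and flags accounts with a burst of compose requests (`Cmd=new` under `/Drafts/`); the sample rows, the `jdoe` account, the 192.0.2.10 address, the column set and the threshold are constructed assumptions.

```python
import collections
import datetime as dt
from urllib.parse import parse_qs

# User agents as IIS writes them (spaces become '+'). The first is the string
# quoted in the thread; the second is a constructed ordinary-browser value.
CRAZY = ("Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;"
         "+InfoPath.2;+Crazy+Browser+3.0.3)")
IE7 = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)"

# Constructed sample log. 192.0.2.10 stands in for the ISA Server address,
# which is the only client IP OWA sees when it is published through ISA.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status",
    f"2010-08-01 03:10:01 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 192.0.2.10 {CRAZY} 200",
    f"2010-08-01 03:10:20 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 192.0.2.10 {CRAZY} 200",
    f"2010-08-01 03:10:44 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 192.0.2.10 {CRAZY} 200",
    f"2010-08-01 03:11:30 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 192.0.2.10 {CRAZY} 200",
    f"2010-08-01 03:40:00 GET /exchange/bob.smith/Drafts/ Cmd=new 443 bsmith 192.0.2.10 {CRAZY} 200",
    f"2010-08-01 09:02:11 GET /exchange/jane.doe/Inbox/ Cmd=contents 443 jdoe 192.0.2.10 {IE7} 200",
    f"2010-08-01 09:05:40 GET /exchange/jane.doe/Drafts/ Cmd=new 443 jdoe 192.0.2.10 {IE7} 200",
    f"2010-08-01 09:06:00 GET /exchweb/img/logo.gif - 443 - 192.0.2.10 {IE7} 200",
])


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the column set can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed row
        yield dict(zip(fields, values))


def is_compose(rec):
    """True for a request that opens a new message in a Drafts folder."""
    query = parse_qs(rec.get("cs-uri-query", "").lower())
    stem = rec.get("cs-uri-stem", "").lower().rstrip("/")
    return (rec.get("cs-method") == "GET"
            and stem.endswith("/drafts")
            and "new" in query.get("cmd", []))


def find_bursts(records, window=dt.timedelta(minutes=5), threshold=3):
    """Return accounts whose compose requests reach `threshold` inside `window`."""
    times = collections.defaultdict(list)
    agents = collections.defaultdict(set)
    for rec in records:
        user = rec.get("cs-username", "-")
        if user == "-" or "date" not in rec or "time" not in rec:
            continue                    # anonymous request or no timestamp logged
        if not is_compose(rec):
            continue
        stamp = dt.datetime.strptime(f"{rec['date']} {rec['time']}",
                                     "%Y-%m-%d %H:%M:%S")
        times[user].append(stamp)
        agents[user].add(rec.get("cs(User-Agent)", "-").replace("+", " "))

    flagged = {}
    for user, stamps in times.items():
        stamps.sort()
        peak = start = 0
        for end, stamp in enumerate(stamps):
            # Slide the left edge forward until the window fits again.
            while stamp - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = {"peak": peak, "total": len(stamps),
                             "agents": sorted(agents[user])}
    return flagged


if __name__ == "__main__":
    for user, info in find_bursts(parse_w3c(SAMPLE_LOG)).items():
        print(f"{user}: {info['peak']} composes in 5 min "
              f"({info['total']} total), agents: {info['agents']}")
```

Grouping is by `cs-username` rather than `c-ip` because, as the message notes, OWA behind ISA Server logs only the ISA address; the source addresses have to come from the firewall or ISA logs.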

Re: Guilty, will change after reading this.

2010-08-03 Thread RichardMcClary
Don't plug space heaters into them, either!

David Lum  wrote on 08/03/2010 12:01:04 PM:

> - do not plug surge protectors into a UPS. If the UPS runs on 
> batteries it will usually generate a step sine wave which may 
> destroy surge protectors (in particular tricky to find power strips 
> without surge protector)
> 
> http://isc.sans.edu/diary.html?storyid=9319
> 
> David Lum // SYSTEMS ENGINEER 
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
> 
> 
> 

Guilty, will change after reading this.

2010-08-03 Thread David Lum
- do not plug surge protectors into a UPS. If the UPS runs on batteries it 
will usually generate a step sine wave which may destroy surge protectors (in 
particular tricky to find power strips without surge protector)

http://isc.sans.edu/diary.html?storyid=9319

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



Re: Desktop/Laptop Backup Software

2010-08-03 Thread Matthew W. Ross
BackupPC is a Linux-based backup solution which I like for backing up 
laptops/desktops at a file-based level. Version 3.2 was released a few days 
ago. http://backuppc.sourceforge.net/

Pros:
 * Free! (in both senses)
 * File-based full and incremental backups with versioning.
 * File-based de-duplication by Linux hard links.
 * Web based access to setup backups and restore.
 * Users can initiate their own backups, or restore their own files using the 
web interface.

Cons:
 * SMB transfer is not VSS aware, so it doesn't copy open files.
 * Requires Linux experience (Although, you can just install a package on most 
distros, such as Ubuntu.)
 * Read the docs! Use a filesystem that supports large numbers of files. 
Ext(2|3|4) not recommended, but I've used XFS with success.


--Matt Ross
Ephrata School District


- Original Message -
From: Juma, Lumumba [mailto:lcj...@icipe.org]
To: NT System Admin Issues [mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Tue, 03 Aug 2010 04:32:15 -0700
Subject: Desktop/Laptop Backup Software


> 
> Hi All,
> 
> We are looking at options to enable us to back up desktops and laptops
> automatically to a central storage system. I am aware of Symantec DLO.
> Anybody aware of alternatives cheaper in cost?
> 
> Thanks,
> 
> Lumumba.



RE: Hyper-V and 'Default Gateway'

2010-08-03 Thread Ken Schaefer
Then, there is no need for the IPs (host and guest) to be on the same subnet. 

The NIC that is used for the guests needs to be allocated to one VLAN (on your 
L3 switch, or otherwise connected to the appropriate interface on your router), 
and the NIC used by the host needs to be patched to a switch port on the other 
VLAN.

Cheers
Ken

-Original Message-
From: Stephen Wimberly [mailto:swimbe...@gmail.com] 
Sent: Tuesday, 3 August 2010 11:13 PM
To: NT System Admin Issues
Subject: Re: Hyper-V and 'Default Gateway'

The box has four NICs in it.  Although we currently only have two connected, 
one is the "Host NIC" and the other is used for the different virtual machines. 
 We have two others we can grow into as need arises.  Our Network department 
charges us per network connection, so we are trying to limit our connections 
until need arises.  The free alternative would be to request multiple IP 
Addresses in the same range and grow into them as needed.



On Sun, Aug 1, 2010 at 10:33 AM, Ken Schaefer  wrote:
> If you have multiple NICs on your machine, then there is no need for them to 
> be all in the same subnet. Obviously they would connect to different 
> interfaces of a router, or to ports on a switch that are on different VLANs.
>
> My guess is that you only have a single NIC. In that case, the virtual NIC on 
> the guest, and the physical NIC on the host are both connected *at the other 
> end* to a single switch port that needs to be connected to a single VLAN or 
> router interface. In that case, they need to be on the same subnet.
>
> Cheers
> Ken
>
> -Original Message-
> From: Stephen Wimberly [mailto:swimbe...@gmail.com]
> Sent: Saturday, 31 July 2010 5:41 AM
> To: NT System Admin Issues
> Subject: Re: Hyper-V and 'Default Gateway'
>
> Thanks for the replies!  Now I just need to beg our network team for 
> addresses in the same subnet!!!





RE: malware that creates Outlook rules

2010-08-03 Thread Crawford, Scott
Hmm, interesting. I like that. Of course, setting it up for all students 
automatically might prove to be tricky.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 6:44 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

And just after I sent this the light came on, Google Voice should do UM.
I'd let google handle voice mail, email and anything else they want to give to 
the students.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu] 
Sent: Tuesday, August 03, 2010 7:42 AM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Not sure on the UM questions.
Not an issue here as we don't have student housing or provide phones for them.
I'm betting that it is possible though.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 5:46 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, it's on the investigate list.  It does happen with staff on occasion too, 
but not nearly as much as students.

The major outstanding question I have is how to do Unified Messaging with 
Exchange if the mailbox is outsourced? It's prolly something simple, but I just 
haven't looked into it yet.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 3:14 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Ah ha.
Didn't notice the .edu addy.
In that case, I would seriously investigate outsourcing that to MS or Google.
The entire Va. Community College System went with Google for student email and 
so far it has worked really well.
Can't beat the cost too.  Zero and the student gets to keep their same email as 
long as they want it.  No advertisements in their account while they are 
students.  No backups, spam, outages and all that other support headaches for 
me.  Great big plus.


-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: Monday, August 02, 2010 4:05 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Yeah, that sounds nice except we have 2000 students with an average of 500 new 
ones every year so our major issue isn't repeat offenders.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:51 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

When this happened here, we disabled their email account until they completed 
our security awareness training, for the second time.
With supervisors complete support.

-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:40 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I have been monitoring the Exchange queues.  It's the only way I can tell when 
it is happening.  I found the aqadmcli.exe utility and have been using it to 
clean the queues (aqadmcli "delmsg flags=SENDER,sender=bob.sm...@wth.org").

I'll check the OWA logs ASAP.

Assuming I have had three users reply to phishing e-mails, is there anything to 
fix besides changing their passwords?

Thanks everyone for the suggestions.

-Original Message-
From: Glen Johnson [mailto:gjohn...@vhcc.edu]
Sent: Monday, August 02, 2010 2:35 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

Also check those exchange smtp queues.
If it is compromised accounts the spammers can send spam via your OWA faster 
than your exchange server can process so it will get backed up so disabling 
accounts or changing passwords won't stop it until the queues are emptied.


-Original Message-
From: Osborne, Richard [mailto:richard.osbo...@wth.org]
Sent: Monday, August 02, 2010 3:32 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

I'm glad I'm not the only sufferer!

I'll try and answer the other questions that were asked:

1) yes, the spam continued even with the user's account disabled and their PC 
powered off
2) yes, only our Exchange server can send SMTP to the Internet
3) my OWA servers are clean according to VIPRE & MalwareBytes

So far this has hit 3 users (out of ~5000).  I have not seen any spam sent in 
the last 5 hours but I don't have any confidence that I have found the source.  
Maybe there's a PC with a high-privileged account that has been compromised and 
is sending out spam runs on a schedule?  Currently I am getting up-to-date on 
patches on all my Exchange boxes.

-Original Message-
From: Thomas Mullins [mailto:tsmull...@wise.k12.va.us]
Sent: Monday, August 02, 2010 2:17 PM
To: NT System Admin Issues
Subject: RE: malware that creates Outlook rules

We are having a similar issue.  We changed the users password, and since that 
user is in a meeting, we turned his machine off.  Looks like it has to be 
coming from OWA.  Here is some info fr

Re: Hyper-V and 'Default Gateway'

2010-08-03 Thread Stephen Wimberly
The box has four NICs in it.  Although we currently only have two
connected, one is the "Host NIC" and the other is used for the
different virtual machines.  We have two others we can grow into as
need arises.  Our Network department charges us per network
connection, so we are trying to limit our connections until need
arises.  The free alternative would be to request multiple IP
Addresses in the same range and grow into them as needed.



On Sun, Aug 1, 2010 at 10:33 AM, Ken Schaefer  wrote:
> If you have multiple NICs on your machine, then there is no need for them to 
> be all in the same subnet. Obviously they would connect to different 
> interfaces of a router, or to ports on a switch that are on different VLANs.
>
> My guess is that you only have a single NIC. In that case, the virtual NIC on 
> the guest, and the physical NIC on the host are both connected *at the other 
> end* to a single switch port that needs to be connected to a single VLAN or 
> router interface. In that case, they need to be on the same subnet.
>
> Cheers
> Ken
>
> -Original Message-
> From: Stephen Wimberly [mailto:swimbe...@gmail.com]
> Sent: Saturday, 31 July 2010 5:41 AM
> To: NT System Admin Issues
> Subject: Re: Hyper-V and 'Default Gateway'
>
> Thanks for the replies!  Now I just need to beg our network team for 
> addresses in the same subnet!!!
>



Re: Desktop/Laptop Backup Software

2010-08-03 Thread Richard Stovall
Acronis workstation does image backups and can be centrally managed, but
costs $74 US per license (per the website).  I use it on my $WORK computer
and it has been excellent.

I have played around with Storegrid (
http://www.storegrid.com/online-backup/network-backup.php) and Robobak (
http://www.robobak.com/Solutions/smb.aspx), but haven't ever used either of
them past the demonstration/POC phase.

GFI has an interesting, and aggressively priced, product, but I have never
tried it.  http://www.gfi.com/business-backup-software/backup-be-pricing.htm
  Other GFI software I have used has been rock solid.

If you don't have to manage the workstations centrally, there are tons of
additional possibilities from reputable firms, and any number of FOSS
options can be managed or unmanaged.

Hope this helps,

RS

On Tue, Aug 3, 2010 at 9:03 AM, Juma, Lumumba  wrote:

>  Centrally managed backups will be a better option, can't be too sure with
> users doing it themselves. I'd appreciate your proposals for image-based
> backup solns as well. Costs will determine what to go for.
>
>  --
> *From:* Richard Stovall [mailto:rich...@gmail.com]
> *Sent:* Tuesday, August 03, 2010 3:56 PM
> *To:* NT System Admin Issues
> *Subject:* Re: Desktop/Laptop Backup Software
>
> Are you looking to centrally manage the backups, or would each one backing
> up independently to a common storage area be good enough?  Are you looking
> primarily for file based backup for important data, or do you need the
> up-and-running-quickly convenience of image based backup?
>
> On Tue, Aug 3, 2010 at 7:32 AM, Juma, Lumumba  wrote:
>
>>
>> Hi All,
>>
>> We are looking at options to enable us to back up desktops and laptops
>> automatically to a central storage system. I am aware of Symantec DLO.
>> Anybody aware of alternatives cheaper in cost?
>>
>> Thanks,
>>
>> Lumumba.

RE: Favs gone as result of KB2286198?

2010-08-03 Thread Steven M. Caesare
Reboot fixed it. Wonder why my box didn't, nor was I given notification
I needed to... I don't appear to have had anything open that would have
prevented it, altho it does look like Security Essentials may have been
in the middle of a scan.

 

Thanks all.

 

-sc

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, August 03, 2010 10:13 AM
To: NT System Admin Issues
Subject: RE: Favs gone as result of KB2286198?

 

Blank completely... no reverting.

 

-sc

 

From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: Tuesday, August 03, 2010 10:08 AM
To: NT System Admin Issues
Subject: Re: Favs gone as result of KB2286198?

 

No such behavior here on both Pro and Home versions of Win7 x64.  I
installed it manually on a couple of machines and each required a
reboot.  When they came back up the favorites were still there.  (Though
I don't have many because I rarely use IE.)

 

Are they gone, gone, or did they revert to the default set?  (MSN, Live,
Microsoft, etc.)

On Tue, Aug 3, 2010 at 9:57 AM, Steven M. Caesare 
wrote:

Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk
shell vuln fix) for me last night on my Win7x64 box. Now all my IE
favorites are gone. It doesn't appear as if the box rebooted after the
hotfix install.

 

Anybody else?

 

Perhaps I'll reboot the box.

 

-sc

RE: Favs gone as result of KB2286198?

2010-08-03 Thread Maglinger, Paul
Windows XP SP3, IE 7.0.  Favs still here, no probs.

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, August 03, 2010 8:57 AM
To: NT System Admin Issues
Subject: Favs gone as result of KB2286198?

 

Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk
shell vuln fix) for me last night on my Win7x64 box. Now all my IE
favorites are gone. It doesn't appear as if the box rebooted after the
hotfix install.

 

Anybody else?

 

Perhaps I'll reboot the box.

 

-sc

RE: Favs gone as result of KB2286198?

2010-08-03 Thread Steven M. Caesare
Blank completely... no reverting.

 

-sc

 

From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: Tuesday, August 03, 2010 10:08 AM
To: NT System Admin Issues
Subject: Re: Favs gone as result of KB2286198?

 

No such behavior here on both Pro and Home versions of Win7 x64.  I
installed it manually on a couple of machines and each required a
reboot.  When they came back up the favorites were still there.  (Though
I don't have many because I rarely use IE.)

 

Are they gone, gone, or did they revert to the default set?  (MSN, Live,
Microsoft, etc.)

On Tue, Aug 3, 2010 at 9:57 AM, Steven M. Caesare 
wrote:

Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk
shell vuln fix) for me last night on my Win7x64 box. Now all my IE
favorites are gone. It doesn't appear as if the box rebooted after the
hotfix install.

 

Anybody else?

 

Perhaps I'll reboot the box.

 

-sc

RE: Favs gone as result of KB2286198?

2010-08-03 Thread Terry Dickson
Three or four so far all windows 7 64-Bit, and all have come up just fine, 
Favorites are still there.


From: Steven M. Caesare [mailto:scaes...@caesare.com]
Sent: Tuesday, August 03, 2010 8:57 AM
To: NT System Admin Issues
Subject: Favs gone as result of KB2286198?

Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk shell vuln 
fix) for me last night on my Win7x64 box. Now all my IE favorites are gone. It 
doesn't appear as if the box rebooted after the hotfix install.

Anybody else?

Perhaps I'll reboot the box.

-sc

Re: Holy mother of Vlad Tepes...

2010-08-03 Thread Andrew S. Baker
No, I had quite forgotten...

Thanks for reactivating that portion of my brain.  There are other things
there which were better left dormant.  :)

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Aug 3, 2010 at 9:36 AM, Michael B. Smith wrote:

> Don’t you remember tape sorts?
>
>
>
> If you have two sets of sorted data, “A” and “B”, creating a joined set of
> sorted data “C” involves only comparing one record each of “A” and “B” to
> determine which goes first. Then iterate.
>
>
>
> You can optimize that by retaining indices for each set of sorted data.
>
>
>
> So…joining the data is the easy part. Sorting the chunks is still the hard
> part. :)
>
>
>
> Regards,
>
>
>
> Michael B. Smith
>
> Consultant and Exchange MVP
>
> http://TheEssentialExchange.com
>
>
>
> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
> *Sent:* Tuesday, August 03, 2010 6:26 AM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Holy mother of Vlad Tepes...
>
>
>
> Very nice!!
>
>
>
> I'd love to see how they managed the sorting algorithm for the "Indy"
> category when they had to do it with chunks of data, rather than the whole
> data set at one time.
>
>
>
> There is only a *little* bit more data here: http://sortbenchmark.org/
>
>
>
> *ASB *(My XeeSM Profile) 
> *Exploiting Technology for Business Advantage...*
> * *
>
> Signature powered by WiseStamp 
>
>
>
> On Tue, Aug 3, 2010 at 12:53 AM, Kurt Buff  wrote:
>
>
> http://scienceblog.com/36957/data-sorting-world-record-falls-computer-scientists-break-terabyte-sort-barrier-in-60-seconds/

RE: Favs gone as result of KB2286198?

2010-08-03 Thread Webster
All my IE faves are still there on my Win7 Ult x64 laptop.

 

 

Webster

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Subject: Favs gone as result of KB2286198?

 

Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk shell
vuln fix) for me last night on my Win7x64 box. Now all my IE favorites are
gone. It doesn't appear as if the box rebooted after the hotfix install.

 

Anybody else?

 

Perhaps I'll reboot the box.

Re: Favs gone as result of KB2286198?

2010-08-03 Thread Richard Stovall
No such behavior here on both Pro and Home versions of Win7 x64.  I
installed it manually on a couple of machines and each required a reboot.
 When they came back up the favorites were still there.  (Though I don't
have many because I rarely use IE.)

Are they gone, gone, or did they revert to the default set?  (MSN, Live,
Microsoft, etc.)

On Tue, Aug 3, 2010 at 9:57 AM, Steven M. Caesare wrote:

> Well, that’s interesting: Windows Update grabbed KB2286198 (the .lnk shell
> vuln fix) for me last night on my Win7x64 box. Now all my IE favorites are
> gone. It doesn’t appear as if the box rebooted after the hotfix install.
>
>
>
> Anybody else?
>
>
>
> Perhaps I’ll reboot the box.
>
>
>
> -sc

RE: Favs gone as result of KB2286198?

2010-08-03 Thread John Aldrich
Well, on my XP (SP3) box, my favorites are still here, and my box *did*
reboot overnight.

 

John-AldrichTile-Tools

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, August 03, 2010 9:57 AM
To: NT System Admin Issues
Subject: Favs gone as result of KB2286198?

 

Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk shell
vuln fix) for me last night on my Win7x64 box. Now all my IE favorites are
gone. It doesn't appear as if the box rebooted after the hotfix install.

 

Anybody else?

 

Perhaps I'll reboot the box.

 

-sc

RE: Favs gone as result of KB2286198?

2010-08-03 Thread Don Guyer
Win7 32-bit here, favs still there, although I rebooted right away after
install.

 

64-bit box at home, will see what happened after I installed last night
(at shutdown).

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com  

 

From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, August 03, 2010 9:57 AM
To: NT System Admin Issues
Subject: Favs gone as result of KB2286198?

 

Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk
shell vuln fix) for me last night on my Win7x64 box. Now all my IE
favorites are gone. It doesn't appear as if the box rebooted after the
hotfix install.

 

Anybody else?

 

Perhaps I'll reboot the box.

 

-sc

Favs gone as result of KB2286198?

2010-08-03 Thread Steven M. Caesare
Well, that's interesting: Windows Update grabbed KB2286198 (the .lnk
shell vuln fix) for me last night on my Win7x64 box. Now all my IE
favorites are gone. It doesn't appear as if the box rebooted after the
hotfix install.

 

Anybody else?

 

Perhaps I'll reboot the box.

 

-sc

RE: Holy mother of Vlad Tepes...

2010-08-03 Thread Michael B. Smith
Don't you remember tape sorts?

If you have two sets of sorted data, "A" and "B", creating a joined set of 
sorted data "C" involves only comparing one record each of "A" and "B" to 
determine which goes first. Then iterate.

You can optimize that by retaining indices for each set of sorted data.

So...joining the data is the easy part. Sorting the chunks is still the hard 
part. :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: Tuesday, August 03, 2010 6:26 AM
To: NT System Admin Issues
Subject: Re: Holy mother of Vlad Tepes...

Very nice!!

I'd love to see how they managed the sorting algorithm for the "Indy" category 
when they had to do it with chunks of data, rather than the whole data set at 
one time.

There is only a *little* bit more data here: http://sortbenchmark.org/


ASB (My XeeSM Profile)
Exploiting Technology for Business Advantage...

Signature powered by WiseStamp

On Tue, Aug 3, 2010 at 12:53 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
http://scienceblog.com/36957/data-sorting-world-record-falls-computer-scientists-break-terabyte-sort-barrier-in-60-seconds/

Re: Desktop/Laptop Backup Software

2010-08-03 Thread Roger Wright
Not centrally managed, but we use Syncback (freeware) on our laptops
to automagically backup the local Docs & Settings folders to the
server when they log in to the network.

Desktop users know their locally stored files are at risk and are
instructed to always save on the server shares.


Die dulci fruere!

Roger Wright
___




On Tue, Aug 3, 2010 at 7:32 AM, Juma, Lumumba  wrote:
>
> Hi All,
>
> We are looking at options to enable us backup desktops and laptops 
> automatically to a central storage system. I am aware of Symantec DLO. 
> Anybody aware of alternatives cheaper in cost?
>
> Thanks,
>
> Lumumba.


RE: Desktop/Laptop Backup Software

2010-08-03 Thread Juma, Lumumba
Centrally managed backups will be a better option, can't be too sure with users 
doing it themselves. I'd appreciate your proposals for image-based backup solns 
as well. Costs will determine what to go for.


From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Tuesday, August 03, 2010 3:56 PM
To: NT System Admin Issues
Subject: Re: Desktop/Laptop Backup Software

Are you looking to centrally manage the backups, or would each one backing up 
independently to a common storage area be good enough?  Are you looking 
primarily for file based backup for important data, or do you need the 
up-and-running-quickly convenience of image based backup?

On Tue, Aug 3, 2010 at 7:32 AM, Juma, Lumumba <lcj...@icipe.org> wrote:

Hi All,

We are looking at options to enable us backup desktops and laptops 
automatically to a central storage system. I am aware of Symantec DLO. Anybody 
aware of alternatives cheaper in cost?

Thanks,

Lumumba.

Re: Finding a huge file dump from June...

2010-08-03 Thread Bob Hartung
Treesize Pro has a file search utility that lets you specify date ranges based 
on creation, changed and last access dates as well as name, size range, 
attributes and ownership.

--

Bob Hartung
Wisco Industries, Inc.
736 Janesville St.
Oregon, WI 53575
Tel: (608) 835-3106 x215
Fax: (608) 835-7399
e-mail: bhartung(at)wiscoind.com

From: Kurt Buff [mailto:kurt.b...@gmail.com]
To: NT System Admin Issues [mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Mon, 02 Aug 2010 19:48:59 -0500
Subject: Finding a huge file dump from June...

All,
  
  On our file server we have a single 1.5tb partition - it's on a SAN.
  Over the course of 4 days recently it went from about 30% free to
  about 13% free - someone slammed around 200gb onto the file server.
  
  I have a general idea of where it might be - there are two top-level
  directories that are over 200gb each.
  
  However, windirstat hasn't been completely helpful, as I can't seem to
  isolate which files were loaded during those days, and none of the
  files that I've been looking at were huge - no ISO or VHD files worth
  mentioning, etc..
  
  I also am pretty confident that there are a *bunch* of duplicate files
  on those directories.
  
  So, I'm looking for a couple of things:
  
  1) A way to get a directory listing that supports a time/date stamp
  (my choice of atime, mtime or ctime) size and a complete path name for
  each file/directory on a single line - something like:
  
   2009-01-08  16:12   854,509
  K:\Groups\training\On-Site_Special_Training\Customer1.doc
  
  I've tried every trick I can think of for the 'dir' command and it
  won't do what I want, and the 'ls' command from gnuwin32 doesn't seem
  to want to do this either. Is there a powershell one-liner that can do
  this for me perhaps?
  
  2) A recommendation for a duplicate file finder - cheap or free would
  be preferred.
  
  Kurt

Re: Desktop/Laptop Backup Software

2010-08-03 Thread Richard Stovall
Are you looking to centrally manage the backups, or would each one backing
up independently to a common storage area be good enough?  Are you looking
primarily for file based backup for important data, or do you need the
up-and-running-quickly convenience of image based backup?

On Tue, Aug 3, 2010 at 7:32 AM, Juma, Lumumba  wrote:

>
> Hi All,
>
> We are looking at options to enable us backup desktops and laptops
> automatically to a central storage system. I am aware of Symantec DLO.
> Anybody aware of alternatives cheaper in cost?
>
> Thanks,
>
> Lumumba.

RE: Finding a huge file dump from June...

2010-08-03 Thread Maglinger, Paul
We're running Windows Storage Server 2003 R2 on one of our file servers here.  
As somewhat mentioned in the article, the reports are good but can be 
misleading.  The reports are based on file ownership.  If you have quotas set 
up for your user's home directories and all of the files in the directory are 
not owned by the user, then the reports don't come out right.  We've had cases 
where users have filled their hard quota, yet the report states that they still 
have room.  It's not perfect, but it came with the OS and does provide quota 
management and some useful, if not totally accurate, reporting.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, August 03, 2010 12:07 AM
To: NT System Admin Issues
Subject: Re: Finding a huge file dump from June...

Thanks - looks like a good read.

On Mon, Aug 2, 2010 at 21:47, Sean Martin  wrote:
> I like the command line options but the file resource reporting features are
> a good way to trend utilization.
>
> http://technet.microsoft.com/en-us/magazine/2006.05.getcontrol.aspx
>
> - Sean
>
>
>
> On Aug 2, 2010, at 8:14 PM, Kurt Buff  wrote:
>
>> The other thing that comes to mind is to check the backup logs from
>> those dates. I don't know if my minion has set the logs to record
>> files backed up, but if they are set that way, I can diff them and see
>> what happened.
>>
>> If they aren't set that way, I'll have to see what kind of impact that
>> logging will entail, and make a judgment...
>>
>> Kurt
>>
>> On Mon, Aug 2, 2010 at 17:59, Michael B. Smith 
>> wrote:
>>>
>>> In re: [1], either 'du' or 'find' can do what you want.
>>>
>>> I'm pretty sure that I had a native Windows application called
>>> "scanner.exe" that did that too - but I'm unable to locate it right now.
>>>
>>> Regards,
>>>
>>> Michael B. Smith
>>> Consultant and Exchange MVP
>>> http://TheEssentialExchange.com
>>>
>>>
>>> -Original Message-
>>> From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>> Sent: Monday, August 02, 2010 8:49 PM
>>> To: NT System Admin Issues
>>> Subject: Finding a huge file dump from June...
>>>
>>> All,
>>>
>>> On our file server we have a single 1.5tb partition - it's on a SAN.
>>> Over the course of 4 days recently it went from about 30% free to about
>>> 13% free - someone slammed around 200gb onto the file server.
>>>
>>> I have a general idea of where it might be - there are two top-level
>>> directories that are over 200gb each.
>>>
>>> However, windirstat hasn't been completely helpful, as I can't seem to
>>> isolate which files were loaded during those days, and none of the files
>>> that I've been looking at were huge - no ISO or VHD files worth mentioning,
>>> etc..
>>>
>>> I also am pretty confident that there are a *bunch* of duplicate files on
>>> those directories.
>>>
>>> So, I'm looking for a couple of things:
>>>
>>> 1) A way to get a directory listing that supports a time/date stamp (my
>>> choice of atime, mtime or ctime) size and a complete path name for each
>>> file/directory on a single line - something like:
>>>
>>>    2009-01-08  16:12   854,509
>>> K:\Groups\training\On-Site_Special_Training\Customer1.doc
>>>
>>> I've tried every trick I can think of for the 'dir' command and it won't
>>> do what I want, and the 'ls' command from gnuwin32 doesn't seem to want to
>>> do this either. Is there a powershell one-liner that can do this for me
>>> perhaps?
>>>
>>> 2) A recommendation for a duplicate file finder - cheap or free would be
>>> preferred.
>>>
>>> Kurt
>
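
One way to answer both requests in the original question (a one-line-per-file listing filtered by timestamp, and duplicate detection) in PowerShell. This is an added example, not code from any poster in the thread. It assumes PowerShell 5.1 or later on Windows; the function names, the demo tree and the June 2010 window are constructed for illustration.

```powershell
# Added example (not from the thread). Assumes PowerShell 5.1+ on Windows/NTFS.
function Get-FileListing {
    param([string]$Root, [datetime]$From, [datetime]$To,
          [ValidateSet('CreationTime','LastWriteTime','LastAccessTime')]
          [string]$Stamp = 'CreationTime')
    # A plain copy keeps the source LastWriteTime but stamps a fresh CreationTime,
    # so CreationTime is the default for "what arrived in this window".
    # Tools that preserve all timestamps on copy defeat this.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.$Stamp -ge $From -and $_.$Stamp -lt $To }
}

function Format-ListingLine {
    param([System.IO.FileInfo]$File, [string]$Stamp = 'CreationTime')
    # Date, time, size with thousands separators and full path on a single line.
    '{0:yyyy-MM-dd}  {0:HH:mm}  {1,15:N0}  {2}' -f $File.$Stamp, $File.Length, $File.FullName
}

function Get-TopLevelTotal {
    param([System.IO.FileInfo[]]$Files, [string]$Root)
    # Attribute the window's bytes to the first directory below $Root
    # (a file sitting directly in $Root is reported under its own name).
    $prefix = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\') + '\'
    $Files | Group-Object { ($_.FullName.Substring($prefix.Length) -split '\\')[0] } |
        ForEach-Object {
            [pscustomobject]@{ Directory = $_.Name; Files = $_.Count
                               Bytes = ($_.Group | Measure-Object Length -Sum).Sum }
        } | Sort-Object Bytes -Descending
}

function Get-DuplicateGroup {
    param([System.IO.FileInfo[]]$Files)
    # Only same-sized files can be identical, so hash just those candidates.
    $Files | Group-Object Length | Where-Object Count -gt 1 |
        ForEach-Object { $_.Group | ForEach-Object {
            Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } } |
        Group-Object Hash | Where-Object Count -gt 1
}

# --- Constructed demo tree standing in for the file server volume ---
$root = Join-Path $env:TEMP ('dump-demo-' + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path "$root\training", "$root\projects"
Set-Content "$root\training\old.doc"       'kept from last year'
Set-Content "$root\training\a.bin"         ('x' * 5000)
Set-Content "$root\projects\copy-of-a.bin" ('x' * 5000)   # same bytes as a.bin
Set-Content "$root\projects\b.bin"         ('y' * 5000)   # same size, different bytes
(Get-Item "$root\training\old.doc").CreationTime = [datetime]'2009-01-08 16:12'
Get-ChildItem $root -Recurse -File -Filter *.bin |
    ForEach-Object { $_.CreationTime = [datetime]'2010-06-15 09:30' }

# Listing for the window, largest first; old.doc falls outside and is skipped.
$hits = @(Get-FileListing -Root $root -From '2010-06-14' -To '2010-06-18')
$hits | Sort-Object Length -Descending | ForEach-Object { Format-ListingLine $_ }
Get-TopLevelTotal -Files $hits -Root $root | Format-Table -AutoSize
# Each output line is one set of byte-identical files (a.bin and copy-of-a.bin here).
Get-DuplicateGroup -Files $hits | ForEach-Object { $_.Group.Path -join '  ==  ' }
Remove-Item -LiteralPath $root -Recurse -Force
```

On a real volume, run the listing once per timestamp type and compare: a large gap between the `CreationTime` and `LastWriteTime` results for the same window usually means the files were copied in rather than created in place.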
