RE: C$ Permissions on a Domain Controller????
Hi, The security permissions that are applied to files/folders when running dcpromo are in a template file on your DC in %systemroot%\security\templates. The DC security.inf template is what is used by secedit during the DCPromo process to re-ACL files/folders on your new DC. C$ is a share - not a folder/file/drive. You can't set the permissions on this normally. It should be restricted to those in the Administrators group. Permissions on the root folder of the C: drive are different to C$ permissions. Everyone (or Authenticated User) should have Read+Execute and List Folder Contents permission by default. Check the inf file for more info, or use secedit to re-ACL your box if you need to. Cheers Ken -Original Message- From: Jon D [mailto:rekcahp...@gmail.com] Sent: Tuesday, 30 December 2008 8:53 AM To: NT System Admin Issues Subject: C$ Permissions on a Domain Controller Anyone know what the proper permissions are on the C: drive of a Domain Controller? Are they special or no? I'm doing a security audit and I came across 2 domain controllers that do not require a password to access their C$ share. You can't view the permissions of the share itself, but the permissions on the C drive have authenticated users with full control. That can't be right. Anyone see anything like that before? Anyone know how dangerous it is to change the permissions(once I determine the correct permissions)? Thanks in advance, Jon ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
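An added example, not part of the thread and not Microsoft's tooling: a small auditor that reads the [File Security] section of a security template such as the one Ken mentions and flags entries that give Everyone or Authenticated Users more than read/execute, which is the finding Jon describes. The entry layout ("path",mode,"SDDL") is assumed, and the sample entries are constructed, not copied from any real template.

```python
import re

# SDDL right codes -> access-mask bits (generic, standard, file, directory-object)
RIGHTS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "SD": 0x00010000, "RC": 0x00020000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "CC": 0x001, "DC": 0x002, "LC": 0x004, "SW": 0x008, "RP": 0x010,
    "WP": 0x020, "DT": 0x040, "LO": 0x080, "CR": 0x100,
}
FULL_CONTROL = RIGHTS["FA"]
# Anything outside read + execute (list folder contents) counts as excess.
READ_EXECUTE_OK = RIGHTS["FR"] | RIGHTS["FX"] | RIGHTS["GR"] | RIGHTS["GX"]
# Broad trustees named in the thread, by SDDL SID alias.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users"}

# Assumed entry layout: "path",mode,"SDDL"
ENTRY = re.compile(r'^"([^"]*)"\s*,\s*(\d+)\s*,\s*"([^"]*)"$')

# Constructed sample. Real templates are typically saved as UTF-16,
# so decode the file before passing its text in.
SAMPLE_INF = r'''
[Unicode]
Unicode=yes
[File Security]
; constructed entries for illustration only
"%SystemDrive%\",0,"D:P(A;CIOI;FA;;;BA)(A;CIOI;FA;;;SY)(A;CIOI;0x1200a9;;;AU)"
"%SystemDrive%\audit-finding",0,"D:P(A;CIOI;FA;;;BA)(A;CIOI;FA;;;AU)"
"%SystemDrive%\shared-tools",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GRGXGW;;;WD)"
"%SystemRoot%\security",2,"D:P(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
[Version]
signature="$CHICAGO$"
'''


def rights_to_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError("malformed rights field: %r" % rights)
    mask = 0
    for i in range(0, len(rights), 2):
        code = rights[i:i + 2]
        if code not in RIGHTS:
            raise ValueError("unknown right code: %r" % code)
        mask |= RIGHTS[code]
    return mask


def allow_aces(sddl):
    """Yield (trustee, mask) for each access-allowed ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) >= 6 and fields[0] == "A":
            yield fields[5], rights_to_mask(fields[2])


def audit_file_security(inf_text):
    """Return (path, trustee, mask, is_full_control) for over-broad grants.

    Deny ACEs are not evaluated, so this reports grants, not effective access.
    """
    findings = []
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[file security]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        path, _mode, sddl = m.groups()
        for trustee, mask in allow_aces(sddl):
            if trustee in BROAD and mask & ~READ_EXECUTE_OK:
                full = bool(mask & RIGHTS["GA"]) or (mask & FULL_CONTROL) == FULL_CONTROL
                findings.append((path, BROAD[trustee], mask, full))
    return findings


if __name__ == "__main__":
    for path, who, mask, full in audit_file_security(SAMPLE_INF):
        kind = "FULL CONTROL" if full else "write-capable"
        print("%-32s %-20s 0x%08X %s" % (path, who, mask, kind))
```
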
RE: Virtualization Questions - More Q's
Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks!
LDAP over SSL using wildcard cert
Has anyone used a wildcard cert to configure secure LDAP connects in a Windows 2003-R2 domain? Our security team is now asking to put certs on all the DCs to allow SSL LDAP connections. The easiest thing to do would be to use our internal wildcard certificate, just not sure if Windows 2003 AD will accept it. Thanks and have a Happy New Year
RE: Virtualization Questions - More Q's
Good point, Ken. Thanks for chiming in... Shook From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. 
OS App licensing - can we expect any reduction in licensing requirements? Thanks!
RE: LDAP over SSL using wildcard cert
Whilst I haven't actually done this, I don't imagine it will be a problem. SSL/TLS connections are handled by LSASS (user mode processing) or ksecdd.sys (kernel mode processing) - AD itself wouldn't re-implement the wheel just to have its own SSL/TLS connection capability. Cheers Ken From: Senter, John [mailto:john.sen...@etrade.com] Sent: Wednesday, 31 December 2008 12:08 AM To: NT System Admin Issues Subject: LDAP over SSL using wildcard cert Has anyone used a wildcard cert to configure secure LDAP connects in a Windows 2003-R2 domain? Our security team is now asking to put certs on all the DCs to allow SSL LDAP connections. The easiest thing to do would be to use our internal wildcard certificate, just not sure if Windows 2003 AD will accept it. Thanks and have a Happy New Year
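An added example, not part of the thread: a pre-deployment check of which LDAPS names one wildcard certificate can cover when a client matches names the RFC 6125 way, with `*` standing for exactly one left-most label. The domain and DC names are constructed, and whether a particular Windows LDAP client applies exactly this rule is an assumption to confirm in testing.

```python
def name_covers(cert_name, host):
    """True if a certificate DNS name matches host under left-most-label wildcard rules."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    # A wildcard never spans dots, so label counts must be equal.
    if len(pattern) != len(labels) or "" in labels:
        return False
    if pattern[0] == "*":
        # Require at least two fixed labels after the wildcard (rejects "*.com").
        return len(pattern) >= 3 and pattern[1:] == labels[1:]
    # Partial wildcards such as "dc*.corp.example.com" are not honoured here.
    return "*" not in cert_name and pattern == labels


def coverage(cert_names, hosts):
    """Map each host to the first certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if name_covers(n, host)), None)
        for host in hosts
    }


def uncovered(cert_names, hosts):
    """Hosts that no certificate name covers, in input order."""
    return [h for h, n in coverage(cert_names, hosts).items() if n is None]


# Constructed names: two DCs in the forest root, one in a child domain,
# and the domain name itself, which LDAP clients often connect to.
LDAPS_NAMES = [
    "dc01.corp.example.com",
    "DC02.corp.example.com.",
    "dc01.emea.corp.example.com",
    "corp.example.com",
]
WILDCARD_ONLY = ["*.corp.example.com"]
WITH_EXTRA_SANS = ["*.corp.example.com", "*.emea.corp.example.com", "corp.example.com"]

if __name__ == "__main__":
    for label, names in (("wildcard only", WILDCARD_ONLY), ("with extra SANs", WITH_EXTRA_SANS)):
        print(label)
        for host, match in coverage(names, LDAPS_NAMES).items():
            print("  %-30s %s" % (host, match or "NOT COVERED"))
```
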
RE: Virtualization Questions - More Q's
That's an interesting point. Have you actually seen this in practice? What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 _ From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. 
Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks!
RE: NT issue
Doh, yes, server manager sorry Erik Goldoff IT Consultant Systems, Networks, Security _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Tuesday, December 30, 2008 12:27 AM To: NT System Admin Issues Subject: RE: NT issue Do you mean server manager? I'm not seeing a computer manager. In server manager, at the PDC, the PDC and BDC are recorded properly. At the BDC, I can't get into Server Manager. There is a remote procedure call error, and I get the option to connect to a different domain. I assume this is happening because the BDC is looking for the PDC to populate the information. Trying to access User Manager from the BDC has similar results. - Original Message - From: Erik Goldoff egold...@gmail.com Sent: Mon, December 29, 2008 21:54 Subject: RE: NT issue using the computer manager does the BDC *think* it's a PDC ? Erik Goldoff IT Consultant Systems, Networks, Security _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 8:00 PM To: NT System Admin Issues Subject: RE: NT issue I figured out the SET command. I was wrong. The problem server is not a member, but a BDC. It authenticated to itself, but it is not seeing the PDC. For instance, I can not run User Manager on the BDC, and I am seeing Event ID:3096 in the logs. The message is about not finding a domain controller on the network. _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:49 PM To: NT System Admin Issues Subject: RE: NT issue Server and Net Logon services are running on both servers. Yes, they are on the same subnet. How do I check the preferred server setting? How do I look at the environment variables from the command line? _ From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Monday, December 29, 2008 7:33 PM To: NT System Admin Issues Subject: RE: NT issue on the server look for the server service, and netlogon service ... are they on the same subnet ?
Maybe check your WINS server too, and on the member server that won't authenticate you can check for an incorrect preferred server setting ( and from cmd look at environment variables for netlogon server ) Erik Goldoff IT Consultant Systems, Networks, Security _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:06 PM To: NT System Admin Issues Subject: NT issue Good evening, Yes, I am still running a few NT servers on an old network! We had a power outage, and now we're having authentication issues. The PDC seems to be coming up fine, but one of my NT member servers won't authenticate to it. I see a NETLOGON message in the event viewer stating no domain controllers could be found. How can I determine if the PDC is running properly? How can I verify the proper services are running, etc. to service logon requests? Thanks! Eric Brouwer IT Manager Forest Post Productions er...@forestpost.com (248) 855-4333
RE: NT issue
if the BDC doesn't see the domain from his own copy, you've got other issues... you should be able to bring up the BDC all alone and he'll still see the domain in read-only until/unless he's promoted to PDC ... Is the Computer Browser service running on the BDC ? what happens from the command line if you execute a 'NET VIEW' command ? Erik Goldoff IT Consultant Systems, Networks, Security _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Tuesday, December 30, 2008 12:27 AM To: NT System Admin Issues Subject: RE: NT issue Do you mean server manager? I'm not seeing a computer manager. In server manager, at the PDC, the PDC and BDC are recorded properly. At the BDC, I can't get into Server Manager. There is a remote procedure call error, and I get the option to connect to a different domain. I assume this is happening because the BDC is looking for the PDC to populate the information. Trying to access User Manager from the BDC has similar results. - Original Message - From: Erik Goldoff egold...@gmail.com Sent: Mon, December 29, 2008 21:54 Subject: RE: NT issue using the computer manager does the BDC *think* it's a PDC ? Erik Goldoff IT Consultant Systems, Networks, Security _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 8:00 PM To: NT System Admin Issues Subject: RE: NT issue I figured out the SET command. I was wrong. The problem server is not a member, but a BDC. It authenticated to itself, but it is not seeing the PDC. For instance, I can not run User Manager on the BDC, and I am seeing Event ID:3096 in the logs. The message is about not finding a domain controller on the network. _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:49 PM To: NT System Admin Issues Subject: RE: NT issue Server and Net Logon services are running on both servers. Yes, they are on the same subnet. How do I check the preferred server setting? How do I look at the environment variables from the command line?
_ From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Monday, December 29, 2008 7:33 PM To: NT System Admin Issues Subject: RE: NT issue on the server look for the server service, and netlogon service ... are they on the same subnet ? Maybe check your WINS server too, and on the member server that won't authenticate you can check for an incorrect preferred server setting ( and from cmd look at environment variables for netlogon server ) Erik Goldoff IT Consultant Systems, Networks, Security _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:06 PM To: NT System Admin Issues Subject: NT issue Good evening, Yes, I am still running a few NT servers on an old network! We had a power outage, and now we're having authentication issues. The PDC seems to be coming up fine, but one of my NT member servers won't authenticate to it. I see a NETLOGON message in the event viewer stating no domain controllers could be found. How can I determine if the PDC is running properly? How can I verify the proper services are running, etc. to service logon requests? Thanks! Eric Brouwer IT Manager Forest Post Productions er...@forestpost.com (248) 855-4333
RE: NT issue
meant to address this earlier ... it is NOT the HOSTS file to look at ... HOSTS is the file based version of DNS, to resolve an FQDN to an IP address for NT Domain issues, the LMHOSTS file is the one that works like WINS to resolve NetBIOS names ( Browse ) to IP Erik Goldoff IT Consultant Systems, Networks, Security _ From: David James [mailto:bigdadd...@gmail.com] Sent: Tuesday, December 30, 2008 1:16 AM To: NT System Admin Issues Subject: RE: NT issue Does your hosts file have the #DOM entry? From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 11:28 PM To: NT System Admin Issues Subject: RE: NT issue I've rebooted the PDC numerous times tonight. Once in a while when it comes up, I see a message about a slow network connection, and I get the option to download my profile, or load the local profile. Could this be an issue, and what does it point to? I've moved the PDC to a new port, new cable, etc. which I am relatively certain is okay. I was using it for hours with my laptop which does not belong to the domain, and it seems fine. - Original Message - From: Eric Brouwer er...@forestpost.com Sent: Mon, December 29, 2008 19:59 Subject: RE: NT issue I figured out the SET command. I was wrong. The problem server is not a member, but a BDC. It authenticated to itself, but it is not seeing the PDC. For instance, I can not run User Manager on the BDC, and I am seeing Event ID:3096 in the logs. The message is about not finding a domain controller on the network. _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:49 PM To: NT System Admin Issues Subject: RE: NT issue Server and Net Logon services are running on both servers. Yes, they are on the same subnet. How do I check the preferred server setting? How do I look at the environment variables from the command line?
_ From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Monday, December 29, 2008 7:33 PM To: NT System Admin Issues Subject: RE: NT issue on the server look for the server service, and netlogon service ... are they on the same subnet ? Maybe check your WINS server too, and on the member server that won't authenticate you can check for an incorrect preferred server setting ( and from cmd look at environment variables for netlogon server ) Erik Goldoff IT Consultant Systems, Networks, Security _ From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:06 PM To: NT System Admin Issues Subject: NT issue Good evening, Yes, I am still running a few NT servers on an old network! We had a power outage, and now we're having authentication issues. The PDC seems to be coming up fine, but one of my NT member servers won't authenticate to it. I see a NETLOGON message in the event viewer stating no domain controllers could be found. How can I determine if the PDC is running properly? How can I verify the proper services are running, etc. to service logon requests? Thanks! Eric Brouwer IT Manager Forest Post Productions er...@forestpost.com (248) 855-4333
Citrix client?
Does anyone know of any issues with backwards compatibility issues with the newest Citrix client? I have to deploy the Citrix client throughout our Association so users can connect to another hospital's Citrix farm. Can only find the 11.0 client. I know it works with the 10.2 client just want to make sure it works with the 11.0 client before I deploy it. Unfortunately we don't have a test account either.
Re: Server migration assistance
On Mon, Dec 29, 2008 at 11:42 PM, Scott Klassen klas9...@msn.com wrote: Would I have to add /DCOPY:T to get the directory timestamps? Looks to me as though /COPYALL might only take care of files, but not folders. Ah, correct. I missed that point in your original message. On Tue, Dec 30, 2008 at 12:30 AM, Scott Klassen klas9...@msn.com wrote: The actual migration will be taking place after business hours, with VPN access turned off, on new years eve, so I won't have to worry about in-use or locked files. I'd still suggest doing a pre-copy in advance. That way if you run into unexpected problems, you'll have time to sort it out. :) -- Ben
LogMeIn
I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend its use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Virtualization Questions - More Q's
I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Wednesday, 31 December 2008 12:31 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's That's an interesting point. Have you actually seen this in practice? What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue.
For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks!
RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
Nice. We are a GroupWise shop here. We instruct our users to just create a rule and reply only to messages that have his/her name in the to field. I can also just override it for outside users by disabling all rule-based messages. Can this be done with Exchange (since we'll be migrating in a few years anyway)? At my last gig we were Outlook and had the same problem. That was fun in an excruciatingly painful sort of way. Simon Butler si...@amset.co.uk 12/29/2008 1:43 PM I have just posted to the Exchange list and received 31 OOTO messages, and 30 minutes later they are still coming in. Simon. -- Simon Butler MVP: Exchange, MCSE Amset IT Solutions Ltd. e: si...@amset.co.uk w: www.amset.co.uk w: www.amset.info Need cheap certificates for Exchange, compatible with Windows Mobile 5.0? http://CertificatesForExchange.com/ for certificates from just $23.99. Need a domain for your certificate? http://DomainsForExchange.net/ -Original Message- From: John Cook [mailto:john.c...@pfsf.org] Sent: 29 December 2008 18:20 To: NT System Admin Issues Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT) Did you get an OOO from me last week? I'm on E2007 and Olk2007 and specifically said no OOF outside of my domain. John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+ -Original Message- From: Martin Blackstone [mailto:mblackst...@gmail.com] Sent: Monday, December 29, 2008 1:20 PM To: NT System Admin Issues Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT) You must be new around here. :) -Original Message- From: Edward B. DREGER [mailto:eddy+public+s...@noc.everquick.net] Sent: Monday, December 29, 2008 10:03 AM To: NT System Admin Issues Subject: Aaaiiiyyyee!!! OOO notices! (OT) I normally get a few OOOs in response to a post... but _thirteen_ just now?! 
Hint: If a message is addressed to a list (not to oneself), from a list server, et cetera, an OOO response might not be appropriate. And telling random people that you'll be out of state for two months is unwise from a security perspective. Eddy -- Everquick Internet - http://www.everquick.net/ A division of Brotsman Dreger, Inc. - http://www.brotsman.com/ Bandwidth, consulting, e-commerce, hosting, and network building Phone: +1 785 865 5885 Lawrence and [inter]national Phone: +1 316 794 8922 Wichita DO NOT send mail to the following addresses: dav...@brics.com -*- jfconmaa...@intc.net -*- s...@everquick.net Sending mail to spambait addresses is a great way to get blocked. Ditto for broken OOO autoresponders and foolish AV software backscatter.
RE: LogMeIn
Lots of reasons. Security compliancy (HIPAA) come to mind. With a VPN, you know (and have control) who is on the network. From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend its use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
Re: LogMeIn
On Tue, Dec 30, 2008 at 9:01 AM, David Lum david@nwea.org wrote: I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems ... You're letting an outside organization have control of one of your computers. You're okay with that? Cool, can I have control of one of your computers, too? I promise I won't do anything bad. Pinky swear! Sure, all these remote-control companies claim to have great security. *Everybody* claims that. And yet, major security problems keep on happening, all over the place, all the time. From this, we can conclude that claims of great security mean precisely nothing. Security problems don't have to mean them taking over the world. It doesn't have to mean organization-wide intent. It could be one employee with a grudge. Or maybe an undetected remote compromise on a server in their datacenter -- these are high-profile targets, and custom malware would be undetectable by signature-based virus scanners. Or maybe they cut back on security spending when the economy tanked. It might not be something you could detect -- passive monitoring would be invisible. It might not even be something with specific intent -- maybe random malware makes it into their systems, and then propagates over the remote-control system to you. -- Ben
RE: LogMeIn
Oh? Any idea where I would find that? This page mentions nothing about Free for personal use only:
https://secure.logmein.com/products/free/
It just says "100% Free to use" with no caveat added. The closest thing I see is "For home and personal use", but my read is that from a functionality standpoint. Am I wrong? I hope not, but...

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: John Cook [mailto:john.c...@pfsf.org]
Sent: Tuesday, December 30, 2008 6:04 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

Is there some verbatim in the LogMeIn agreement that says for personal use only? This sounds like business use to me ;-)

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave Gainesville, Fl 32601
Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746
MCSE, MCTS, MCP+I, CompTIA A+, N+

CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material.
Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to.
RE: LogMeIn
On a separate note we expressly forbid users to install ANY unapproved software, specifically remote control software, as it opens the network up to potential HIPAA violations (your regulatory obligations may come into play as well). Just say no!

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave Gainesville, Fl 32601
Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746
MCSE, MCTS, MCP+I, CompTIA A+, N+
RE: LogMeIn
* What about the fact that it bypasses (using encrypted traffic even) any protections you have in place to filter/monitor/scan traffic passing through your gateway?
* It introduces a new attack vector (files can get on that computer in ways they couldn't have before).
* You are trusting logmein with credentials that allow access to your internal network. Companies bigger than them get usernames/passwords stolen.
* You have less logging of intrusion attempts (to my knowledge) than if you were going through your own equipment.
* It is another piece of software to keep updated on your clients.
* How do you protect the usernames/passwords users use to access logmein? (Hopefully any VPN solution would have two-factor auth so creds aren't a free path in to your network.) I know they have some sort of two-factor integration options, but I don't think it's at the first username/password prompt.

Derek Lidbom
Director of Technology and Interactive Development, Trone
336.812.2010
dlid...@trone.com
http://www.trone.com/

Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you.
RE: LogMeIn
And make that a part of the acceptable use policy or another network policy that includes the terms "violation of this policy can subject the violator(s) to punishment up to and including termination of employment". Then fire them, that will send the message.

Logmein is not to be trusted and any business seeking to do business with you that uses that as a remote access system for support should be shown the door as quickly as they came in. (Had to deal with one here, and they went bye bye.)

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +
RE: LogMeIn
Exactly. I would add to that list:

* Free to use, but how much does it cost you if it stops working correctly?
* What will your auditors or the BSA think of the setup? (It would be very interesting to see their recommendation.)
* Does the company actually have a paid and supported version? That is usually an indicator that the free version is for personal use only, not business/organizational use.
Re: LogMeIn
You wouldn't allow any support via logmein rescue or webex etc. Do the install through web use and then no further access type solutions? May I ask how large your organisation is?

Graeme
RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
I'm sure I'm one of the guilty parties. Exchange 2003 had a registry hack that was supposed to minimize occurrences of OOO's going to mailing lists, but I believe that has gone away with 2007.

Exchange 2007 does support separating the handling of OOO's between internal and external senders, but I turn both on. I need people outside of my organization (vendors, members of the public, etc.) to know I'm OOO just as much as I need people within my organization to know it.

John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us

-Original Message-
From: Edward B. DREGER [mailto:eddy+public+s...@noc.everquick.net]
Sent: Monday, December 29, 2008 1:03 PM
To: NT System Admin Issues
Subject: Aaaiiiyyyee!!! OOO notices! (OT)

I normally get a few OOOs in response to a post... but _thirteen_ just now?!

Hint: If a message is addressed to a list (not to oneself), from a list server, et cetera, an OOO response might not be appropriate. And telling random people that you'll be out of state for two months is unwise from a security perspective.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
RE: LogMeIn
BSA?
RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
Same here. I was just under the (apparently mistaken) impression that when you tell Outlook (2007) to not send OOFs to people outside your domain that's what it did.

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave Gainesville, Fl 32601
Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746
MCSE, MCTS, MCP+I, CompTIA A+, N+
RE: LogMeIn
Big stinkin' A-hole? Shook From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:42 AM To: NT System Admin Issues Subject: RE: LogMeIn BSA? From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] Sent: Tuesday, December 30, 2008 6:35 AM To: NT System Admin Issues Subject: RE: LogMeIn Exactly. I would add to that list * Free to use, but how much does it cost you if it stops working correctly? * What will your auditors or the BSA think of the setup? (It would be very interesting to see their recommendation.) * Does the company actually have a paid and supported version? That is usually an indicator that the free version is for personal use only-not business/organizational use. From: Derek Lidbom [mailto:dlid...@trone.com] Sent: Tuesday, December 30, 2008 6:19 AM To: NT System Admin Issues Subject: RE: LogMeIn * What about the fact that it bypasses (using encrypted traffic even) any protections you have in place to filter/monitor/scan traffic passing through your gateway? * It introduces a new attack vector (files can get on that computer in ways they couldn't have before). * You are trusting logmein with credentials that allow access to your internal network. Companies bigger than them get usernames/passwords stolen. * You have less logging of intrusion attempts (to my knowledge) than if you were going through your own equipment * It is another piece of software to keep updated on your clients * How do you protect the usernames/passwords users use to access logmein? (hopefully any vpn solution would have two-factor auth so creds aren't a free path in to your network). I know they have some sort of two factor integration options, but I don't think it's at the first username/password prompt. From: John Cook [mailto:john.c...@pfsf.org] Sent: Tuesday, December 30, 2008 9:04 AM To: NT System Admin Issues Subject: RE: LogMeIn Is there some verbatim in the LogMeIn agreement that says for personal use only? 
This sounds like business use to me ;-) John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+ From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend it's use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. 
~~~ Derek Lidbom Director of Technology and Interactive Development, Trone 336.812.2010 dlid...@trone.com http://www.trone.com/ Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you.
RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
Sure it does, that is how ours is; I just retested it to be certain. Internals get OOF's and externals do not. -Original Message- From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us] Sent: Tuesday, December 30, 2008 9:38 AM To: NT System Admin Issues Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT) Exchange 2007 does support separating the handling of OOO's between internal and external senders...
RE: LogMeIn
Business Software Alliance www.bsa.org http://www.bsa.org/ these guys are the #1 software compliance and anti-piracy organization world-wide. They can come in and audit any organization for proper software use and licensing. They currently use Centennial Discovery software for their audits. They are out there to protect the rights of software companies like Microsoft get all the money from people who use their stuff. From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 6:42 AM To: NT System Admin Issues Subject: RE: LogMeIn BSA? From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] Sent: Tuesday, December 30, 2008 6:35 AM To: NT System Admin Issues Subject: RE: LogMeIn Exactly. I would add to that list * Free to use, but how much does it cost you if it stops working correctly? * What will your auditors or the BSA think of the setup? (It would be very interesting to see their recommendation.) * Does the company actually have a paid and supported version? That is usually an indicator that the free version is for personal use only-not business/organizational use. From: Derek Lidbom [mailto:dlid...@trone.com] Sent: Tuesday, December 30, 2008 6:19 AM To: NT System Admin Issues Subject: RE: LogMeIn * What about the fact that it bypasses (using encrypted traffic even) any protections you have in place to filter/monitor/scan traffic passing through your gateway? * It introduces a new attack vector (files can get on that computer in ways they couldn't have before). * You are trusting logmein with credentials that allow access to your internal network. Companies bigger than them get usernames/passwords stolen. * You have less logging of intrusion attempts (to my knowledge) than if you were going through your own equipment * It is another piece of software to keep updated on your clients * How do you protect the usernames/passwords users use to access logmein? 
(hopefully any vpn solution would have two-factor auth so creds aren't a free path in to your network). I know they have some sort of two factor integration options, but I don't think it's at the first username/password prompt. From: John Cook [mailto:john.c...@pfsf.org] Sent: Tuesday, December 30, 2008 9:04 AM To: NT System Admin Issues Subject: RE: LogMeIn Is there some verbatim in the LogMeIn agreement that says for personal use only? This sounds like business use to me ;-) John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+ From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend it's use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. 
~~~ Derek Lidbom Director of Technology and Interactive Development, Trone 336.812.2010 dlid...@trone.com http://www.trone.com/
RE: Label printers
I have found that P-Touch labels do not adhere well to the material used for patch cables and you wind up needing to make flags, or find ways to deal with labels peeling off. What I have found that works fabulously are Brady cable markers. You can use an ultra-fine Sharpie to write on them, they are self-laminating and they do not come off easily like P-touch labels do. I buy what they call the 'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that label material in a roll and use it in one of Brady's labeller machines, but their label makers tend to be quite expensive (but there is a ton of functionality built into it). I find the porta-pak and a Sharpie to do just as good of a job for a lot less money. You can get them from Grainger or other similar supply house. Wayne -Original Message- From: Steve Pruitt [mailto:adminli...@bytampabay.com] Sent: Monday, December 29, 2008 6:17 PM To: NT System Admin Issues Subject: Re: Label printers I use a Brother P-Touch, and I'm very happy with it. I'm compulsive about labeling both ends of every cable, and the jacks on non-standard devices. Steve - Original Message - From: Mike French mike.fre...@theequitybank.com To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Sent: Monday, December 29, 2008 5:01 PM Subject: RE: Label printers I use a Rino 3000 (http://www.rhinopromo.com/Printers_3000_Features.shtm) From: Orland, Kathleen [mailto:korl...@rogers.com] Sent: Saturday, December 27, 2008 10:09 PM To: NT System Admin Issues Subject: RE: Label printers I use the same thing. In addition I purchase bright yellow tapes to make identification distinct and easy. From: Jacob [mailto:ja...@excaliburfilms.com] Sent: Saturday, December 27, 2008 3:34 PM To: NT System Admin Issues Subject: RE: Label printers Brother P Touch III What I use to label cable, tapes, etc... 
From: Gavin Wilby [mailto:gavin.wi...@gmail.com] Sent: Saturday, December 27, 2008 12:24 PM To: NT System Admin Issues Subject: Label printers Not as off topic as it might sound - I want to get my own label printer, to do things like patch cables, patch panels, back up tapes and the like. Anyone got any favorites? Gavin. Hope you have all had a great Christmas break!
RE: LogMeIn
Folks, It's more about security of your systems and controlling who has access with what; with LogMeIn you basically are giving up that control to an unknown, untrusted 3rd party that you can't audit, and you don't have a BAA (business associate agreement) or MOU (memorandum of understanding; only applies to Govt entities), which are violations of HIPAA. The sections are the following.

NOTE: I am not a Lawyer, none of this constitutes LEGAL ADVICE, and I can't be held responsible for you following any of this advice and causing harm to your organization; you should talk with your Lawyers/Management C levels before doing any of this. I am just interpreting the HIPAA regulations as per what they state in the final rule.

Transmissions Security: Section 164.312(e)(1) (encrypted communications or viewing of EPHI on various systems accessed by LogMeIn)

Person or Entity Authentication: Section 164.312(d)(8) (Failure to accurately authenticate who is accessing your EPHI; you don't control the LogMeIn authentication mechanism, you can't audit it, and you can't tie it back into a person or process that you can verifiably claim did or didn't access the EPHI in question)

Integrity: Section 164.312(c)(1): If you can audit who has access to your data, then you don't know if it's been manipulated or changed from its current state and if it's valid or not anymore, thus violating the Integrity of the data.

Audit Controls: Section 164.312(b): Again you can't audit who did and didn't log in via LogMeIn, or tie that back to a person or entity that will stand up in a court of law if you take it that far (forensically sound logs of the information access and manipulation etc etc)

Access Controls: Section 164.312(a)(1): Again you are allowing a 3rd party without a BAA or MOU access to your systems via an untrusted mechanism that you can't secure or control, access into your information systems? I think we all see the glaring problem in this regard; you are opening yourself up to all kinds of bad things.

Security Management Process: Section 164.308(a)(1): You probably haven't completed a Risk Assessment for this new technology that would have easily outlined the inherent harm that LogMeIn and similar Remote Access Solutions can cause with the Confidentiality, Integrity and Availability of your systems and data.

Security Incident Procedures: Section 164.308(a)(6): Think about your incident response plan if or probably when one or more of your systems become hacked by a malicious 3rd party that has found a flaw or bug in the LogMeIn process and starts accessing or stealing your data, corrupting your systems, rootkits, malware, Trojans, backdoors, etc etc, information blackmail, or general denial of service from within your network. What are you going to do then? You let it in the door, you agreed to have your systems accessed via an insecure mechanism; I don't think you are going to win many court battles trying to argue that you did due diligence or due care process in those regards. So you might as well write that big fat check and notify the people that their PHI is history and in some hacker's hands floating around in 3rd world countries or other nefarious places of the earth, and that their lives are going to be affected adversely and probably their identity is going to be stolen, or attempted to be stolen, via information leaks and lack of judgement.

If that doesn't wake up some C levels' eyes and have the lawyers stirring, and management putting the kibosh on LogMeIn and similar Remote access solutions, then not quite sure what will.

PS: If you want the breakdown of the sections of HIPAA, I have an Excel spreadsheet that covers each section and the types of questions you all need to be asking yourselves when you deal with these types of issues.

Edward E.
Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network + From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] Sent: Tuesday, December 30, 2008 9:15 AM To: NT System Admin Issues Subject: RE: LogMeIn Lots of reasons. Security compliancy (HIPAA) come to mind. With a VPN, you know (and have control) who is on the network. From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend it's use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a
RE: LogMeIn
Yep, we have our own secure support access solution, and for security reasons I can't tell you what it is or how it works (let's just say 256-bit AES, FIPS 140-2 compliant, enough said). Z Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network + -Original Message- From: Graeme Carstairs [mailto:loonyto...@gmail.com] Sent: Tuesday, December 30, 2008 9:37 AM To: NT System Admin Issues Subject: Re: LogMeIn You wouldn't allow any support via logmein rescue or webec etc. Do the install through web use and then no further access type solutions? May I ask how large your organisation is? Graeme On 30/12/2008, Ziots, Edward ezi...@lifespan.org wrote: And make that a part of the acceptable use policy or another network policy that includes the terms: violation of this policy can subject the violator(s) to punishment up to and including termination of employment. Then fire them, that will send the message. LogMeIn is not to be trusted and any business seeking to do business with you that uses that as a remote access system for support should be shown the door as quickly as they came in. (Had to deal with one here, and they went bye bye) Z Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network + From: John Cook [mailto:john.c...@pfsf.org] Sent: Tuesday, December 30, 2008 9:15 AM To: NT System Admin Issues Subject: RE: LogMeIn On a separate note we expressly forbid users to install ANY unapproved software, specifically remote control software, as it opens the network up to potential HIPAA violations (your regulatory obligations may come into play as well) Just say no! John W.
Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+ From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend it's use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -- Carbon credits are a bit like beating someone up on this side of the world and sponsoring one of those poor starving kids on the other side of the world to make up for the fact that you're a complete shit at home.
RE: LogMeIn
and as in the case of PCI and other compliance certifications, you might have to prove that any 'connected' partner also passes compliance testing Erik Goldoff IT Consultant Systems, Networks, Security From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] Sent: Tuesday, December 30, 2008 9:35 AM To: NT System Admin Issues Subject: RE: LogMeIn Exactly. I would add to that list * Free to use, but how much does it cost you if it stops working correctly? * What will your auditors or the BSA think of the setup? (It would be very interesting to see their recommendation.) * Does the company actually have a paid and supported version? That is usually an indicator that the free version is for personal use only-not business/organizational use. From: Derek Lidbom [mailto:dlid...@trone.com] Sent: Tuesday, December 30, 2008 6:19 AM To: NT System Admin Issues Subject: RE: LogMeIn * What about the fact that it bypasses (using encrypted traffic even) any protections you have in place to filter/monitor/scan traffic passing through your gateway? * It introduces a new attack vector (files can get on that computer in ways they couldn't have before). * You are trusting logmein with credentials that allow access to your internal network. Companies bigger than them get usernames/passwords stolen. * You have less logging of intrusion attempts (to my knowledge) than if you were going through your own equipment * It is another piece of software to keep updated on your clients * How do you protect the usernames/passwords users use to access logmein? (hopefully any vpn solution would have two-factor auth so creds aren't a free path in to your network). I know they have some sort of two factor integration options, but I don't think it's at the first username/password prompt.
RE: LogMeIn
does the business software alliance really deserve capitalization ? g Erik Goldoff IT Consultant Systems, Networks, Security From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, December 30, 2008 9:46 AM To: NT System Admin Issues Subject: RE: LogMeIn Big stinkin' A-hole? Shook From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:42 AM To: NT System Admin Issues Subject: RE: LogMeIn BSA? From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] Sent: Tuesday, December 30, 2008 6:35 AM To: NT System Admin Issues Subject: RE: LogMeIn Exactly. I would add to that list . Free to use, but how much does it cost you if it stops working correctly? . What will your auditors or the BSA think of the setup? (It would be very interesting to see their recommendation.) . Does the company actually have a paid and supported version? That is usually an indicator that the free version is for personal use only-not business/organizational use.
Re: Virtualization Questions - More Q's
On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer k...@adopenstatic.com wrote: Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken I don't see a lot of difference here between virtual environment vs physical. A) The guest virtual machines have the same security as their physical counterparts. (ie you still need a login/password to get into the operating systems). Same in a physical environment. It's the same as walking up to a KVM or logging into an IP KVM. B) If you have access to the virtual environment, you could power off the machines (reboot, etc). It's the same if you have physical access to the data center/server room/etc or access to a remote PDU (aka walk up and press the off button on a machine). The only difference is that you could change resource allocation, but in a compliance/audit scenario, you're not accessing the actual data or the guest OS itself, just the box itself. Changing resources does affect change control, but so would someone removing RAM out of a physical box or adding a CPU. I'm only speaking for VMWare here (since that's what I know and run), but you can set up a lot of different levels of access in the virtual environment. You can group the machines, set administrators for those groups, or break it down to only allow certain groups to have access to certain machines. For example, I myself have full access to the entire network, but I only allow my programmers to have access to only a couple of machines, and only restart ability to those. When they log in, all they see are their machines only. 
Their only options are console or power on/off/reboot, the same access they've had when the servers were physical. It ties into Active Directory, and you can set groups to as much or as little access as you want. I do agree, there are some security concerns that you'll need to address, but virtualizing your servers won't give anyone any more additional access to the machines over walking into the server room IMO. Seth
RE: LogMeIn
But that can be a nightmare. How can you prove your business partner meets compliance testing? Run your own pentest? And what if that company has a relationship with another company that supports them? HIPAA answers that with the Chain of Trust guidelines. I'm not sure about PCI or Redflag rules, though. But for all of them, I would assume the reasonable man defense would apply if questioned by a government agency. Paul Chinnery Network Administrator Memorial Medical Center 231-845-2319 _ From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Tuesday, December 30, 2008 10:03 AM To: NT System Admin Issues Subject: RE: LogMeIn and as in the case of PCI and other compliance certifications, you might have to prove that any 'connected' partner also passes compliance testing Erik Goldoff IT Consultant Systems, Networks, Security _ From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] Sent: Tuesday, December 30, 2008 9:35 AM To: NT System Admin Issues Subject: RE: LogMeIn Exactly. I would add to that list * Free to use, but how much does it cost you if it stops working correctly? * What will your auditors or the BSA think of the setup? (It would be very interesting to see their recommendation.) * Does the company actually have a paid and supported version? That is usually an indicator that the free version is for personal use only-not business/organizational use. _ From: Derek Lidbom [mailto:dlid...@trone.com] Sent: Tuesday, December 30, 2008 6:19 AM To: NT System Admin Issues Subject: RE: LogMeIn * What about the fact that it bypasses (using encrypted traffic even) any protections you have in place to filter/monitor/scan traffic passing through your gateway? * It introduces a new attack vector (files can get on that computer in ways they couldn't have before). * You are trusting logmein with credentials that allow access to your internal network. Companies bigger than them get usernames/passwords stolen. 
* You have less logging of intrusion attempts (to my knowledge) than if you were going through your own equipment * It is another piece of software to keep updated on your clients * How do you protect the usernames/passwords users use to access logmein? (hopefully any vpn solution would have two-factor auth so creds aren't a free path in to your network). I know they have some sort of two factor integration options, but I don't think it's at the first username/password prompt.
RE: LogMeIn
LogMeInRescue FTW for supporting remote users. Sonicwall SSL VPN Products for remote access. Using the Java or ActiveX RDP agents provides a more productive user experience than logmein free. In logmein free's defense as a security measure... I had a customer who used logmein on their systems, it was a small business. Someone stole a computer, and since LogMeIn auto connects from anywhere on the net, they were able to track the system down. Kind of a free LoJack utility. Before I worked for myself, I would have argued that software like this was not useful, but it has its place in the SMB. The corporate compliance set forbids it, but I have found that the ultimate question is how productive your users are, and how secure are their passwords. LogMeIn is just another door to the building, another key to keep track of, so depending on the business type/model, and its obligations for compliance, it may or may not have its place. I know lots of network admins who keep it on their servers but yell at every user that wants to use it. Sometimes productivity demands it. If you've got a user who needs to print at home to a Multifunction device to be more productive, sometimes logmein pro is the best solution, since RDP doesn't support certain printers. In these rare cases, a simple signed policy will suffice to cover your ___. It's about helping your users use technology to be more productive, not having a power trip. The company must survive tight economic times, so use all your tools to provide them ways to produce from anywhere at anytime, and you'll be a hero to your users and company management. -Original Message- From: Graeme Carstairs [mailto:loonyto...@gmail.com] Sent: Tuesday, December 30, 2008 8:37 AM To: NT System Admin Issues Subject: Re: LogMeIn You wouldn't allow any support via logmein rescue or webec etc. Do the install through web use and then no further access type solutions? May I ask how large your organisation is?
Graeme On 30/12/2008, Ziots, Edward ezi...@lifespan.org wrote: And make that apart of the acceptable use policy or another network policy that includes the terms, violation of this policy, can subject the violator(s) to punishment up to and including termination of employment The fire them, that will send the message. Logmein is not to be trusted and any business seeking to do business with you that uses that as a Remote access sytem for support should be shown the door as quickly as they came in. ( Had to deal with one here, and they went bye bye) Z Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network + From: John Cook [mailto:john.c...@pfsf.org] Sent: Tuesday, December 30, 2008 9:15 AM To: NT System Admin Issues Subject: RE: LogMeIn On a separate note we expressly forbid users to install ANY unapproved software, specifically remote control software, as it opens the network up to potential HIPAA violations (your regulatory obligations may come into play as well) Just say no! John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+ From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend it's use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. 
David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
Re: Label printers
I've used a few different types of P-Touches. There is the variant that has three spools in the cartridge - the adhesive tape layer, the thermal ink ribbon, and the laminating layer. They are much easier to apply since the backing seems to come off the adhesive layer much easier, but they don't stick for crap. There are cheaper P-touches that use a cartridge that is a single spool that just uses thermal paper on a pre-adhered spool of paper/adhesive. Those seem to work just fine, they never come loose, and stick wonderfully, but often it's a bitch to get the substrate of the adhesive off of the label.
On Dec 30, 2008, at 9:50 AM, Eisenberg, Wayne wrote:
I have found that P-Touch labels do not adhere well to the material used for patch cables and you wind up needing to make flags, or find ways to deal with labels peeling off. What I have found that works fabulously are Brady cable markers. You can use an ultra-fine Sharpie to write on them, they are self-laminating and they do not come off easily like P-touch labels do. I buy what they call the 'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that label material in a roll and use it in one of Brady's labeller machines, but their label makers tend to be quite expensive (but there is a ton of functionality built into it). I find the porta-pak and a Sharpie to do just as good of a job for a lot less money. You can get them from Grainger or other similar supply house. Wayne
-Original Message- From: Steve Pruitt [mailto:adminli...@bytampabay.com] Sent: Monday, December 29, 2008 6:17 PM To: NT System Admin Issues Subject: Re: Label printers
I use a Brother P-Touch, and I'm very happy with it. I'm compulsive about labeling both ends of every cable, and the jacks on non-standard devices. Steve
- Original Message - From: Mike French mike.fre...@theequitybank.com To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Sent: Monday, December 29, 2008 5:01 PM Subject: RE: Label printers
I use a Rhino 3000 (http://www.rhinopromo.com/Printers_3000_Features.shtm)
From: Orland, Kathleen [mailto:korl...@rogers.com] Sent: Saturday, December 27, 2008 10:09 PM To: NT System Admin Issues Subject: RE: Label printers
I use the same thing. In addition I purchase bright yellow tapes to make identification distinct and easy.
From: Jacob [mailto:ja...@excaliburfilms.com] Sent: Saturday, December 27, 2008 3:34 PM To: NT System Admin Issues Subject: RE: Label printers
Brother P Touch III. What I use to label cable, tapes, etc...
From: Gavin Wilby [mailto:gavin.wi...@gmail.com] Sent: Saturday, December 27, 2008 12:24 PM To: NT System Admin Issues Subject: Label printers
Not as off topic as it might sound - I want to get my own label printer, to do things like patch cables, patch panels, back up tapes and the like. Anyone got any favorites? Gavin. Hope you have all had a great Christmas break!
RE: NT issue
Either way, I'm wondering if a quick install of WINS and targeting at least his servers at it would help overcome this issue.
From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Tuesday, December 30, 2008 7:37 AM To: NT System Admin Issues Subject: RE: NT issue
meant to address this earlier ... it is NOT the HOSTS file to look at ... HOSTS is the file based version of DNS, to resolve an FQDN to an IP address; for NT Domain issues, the LMHOSTS file is the one that works like WINS to resolve NetBIOS names ( Browse ) to IP Erik Goldoff IT Consultant Systems, Networks, Security
From: David James [mailto:bigdadd...@gmail.com] Sent: Tuesday, December 30, 2008 1:16 AM To: NT System Admin Issues Subject: RE: NT issue
Does your hosts file have the #DOM entry?
From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 11:28 PM To: NT System Admin Issues Subject: RE: NT issue
I've rebooted the PDC numerous times tonight. Once in a while when it comes up, I see a message about a slow network connection, and I get the option to download my profile, or load the local profile. Could this be an issue, and what does it point to? I've moved the PDC to a new port, new cable, etc. which I am relatively certain is okay. I was using it for hours with my laptop which does not belong to the domain, and it seems fine.
- Original Message - From: Eric Brouwer er...@forestpost.com Sent: Mon, December 29, 2008 19:59 Subject: RE: NT issue
I figured out the SET command. I was wrong. The problem server is not a member, but a BDC. It authenticated to itself, but it is not seeing the PDC. For instance, I can not run User Manager on the BDC, and I am seeing Event ID:3096 in the logs. The message is about not finding a domain controller on the network.
From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:49 PM To: NT System Admin Issues Subject: RE: NT issue
Server and Net Logon services are running on both servers. Yes, they are on the same subnet. How do I check the preferred server setting? How do I look at the environment variables from the command line?
From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Monday, December 29, 2008 7:33 PM To: NT System Admin Issues Subject: RE: NT issue
on the server look for the server service, and netlogon service ... are they on the same subnet ? Maybe check your WINS server too, and on the member server that won't authenticate you can check for an incorrect preferred server setting ( and from cmd look at environment variables for netlogon server ) Erik Goldoff IT Consultant Systems, Networks, Security
From: Eric Brouwer [mailto:er...@forestpost.com] Sent: Monday, December 29, 2008 7:06 PM To: NT System Admin Issues Subject: NT issue
Good evening, Yes, I am still running a few NT servers on an old network! We had a power outage, and now we're having authentication issues. The PDC seems to be coming up fine, but one of my NT member servers won't authenticate to it. I see a NETLOGON message in the event viewer stating no domain controllers could be found. How can I determine if the PDC is running properly? How can I verify the proper services are running, etc. to service logon requests? Thanks! Eric Brouwer IT Manager Forest Post Productions er...@forestpost.com (248) 855-4333
Re: LogMeIn
Perhaps I missed this point in the replies, but what about user separation? I'm not keen on giving any user access that I can't revoke the moment they get fired. Also, access logs go a long way when you're having HR issues.. Seth
On Tue, Dec 30, 2008 at 8:01 AM, David Lum david@nwea.org wrote:
I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend its use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Label printers
And... Now that you all got me interested in the topic again, I went trolling on the Brother site, and it seems that they have a label that *may* be similar to the Brady vinyl/acrylic label that works so well for me. I don't think the specific labelling machine is as important as the material the label itself is made from. If this Brother tape (TZFX231) tests as well as the Brady does and costs less, then I might go back to that... Wayne
-Original Message- From: Eisenberg, Wayne [mailto:wayne.eisenb...@pbvllc.com] Sent: Tuesday, December 30, 2008 9:50 AM To: NT System Admin Issues Subject: RE: Label printers
I have found that P-Touch labels do not adhere well to the material used for patch cables and you wind up needing to make flags, or find ways to deal with labels peeling off. What I have found that works fabulously are Brady cable markers. You can use an ultra-fine Sharpie to write on them, they are self-laminating and they do not come off easily like P-touch labels do. I buy what they call the 'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that label material in a roll and use it in one of Brady's labeller machines, but their label makers tend to be quite expensive (but there is a ton of functionality built into it). I find the porta-pak and a Sharpie to do just as good of a job for a lot less money. You can get them from Grainger or other similar supply house. Wayne
-Original Message- From: Steve Pruitt [mailto:adminli...@bytampabay.com] Sent: Monday, December 29, 2008 6:17 PM To: NT System Admin Issues Subject: Re: Label printers
I use a Brother P-Touch, and I'm very happy with it. I'm compulsive about labeling both ends of every cable, and the jacks on non-standard devices. Steve
- Original Message - From: Mike French mike.fre...@theequitybank.com To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com Sent: Monday, December 29, 2008 5:01 PM Subject: RE: Label printers
I use a Rhino 3000 (http://www.rhinopromo.com/Printers_3000_Features.shtm)
From: Orland, Kathleen [mailto:korl...@rogers.com] Sent: Saturday, December 27, 2008 10:09 PM To: NT System Admin Issues Subject: RE: Label printers
I use the same thing. In addition I purchase bright yellow tapes to make identification distinct and easy.
From: Jacob [mailto:ja...@excaliburfilms.com] Sent: Saturday, December 27, 2008 3:34 PM To: NT System Admin Issues Subject: RE: Label printers
Brother P Touch III. What I use to label cable, tapes, etc...
From: Gavin Wilby [mailto:gavin.wi...@gmail.com] Sent: Saturday, December 27, 2008 12:24 PM To: NT System Admin Issues Subject: Label printers
Not as off topic as it might sound - I want to get my own label printer, to do things like patch cables, patch panels, back up tapes and the like. Anyone got any favorites? Gavin. Hope you have all had a great Christmas break!
Cert vulnerability
PS3's used to crack MD5 certs. http://blogs.zdnet.com/security/?p=2339
RE: LogMeIn
The logging in LogMeIn can be set up to go to syslog, and all sessions can be recorded to an .avi file, or just the plain ol logging is great. To prevent access from a punted employee you just remove it.
-Original Message- From: S Conn. [mailto:sysadminli...@gmail.com] Sent: Tuesday, December 30, 2008 9:17 AM To: NT System Admin Issues Subject: Re: LogMeIn
Perhaps I missed this point in the replies, but what about user separation? I'm not keen on giving any user access that I can't revoke the moment they get fired. Also, access logs go a long way when you're having HR issues.. Seth
On Tue, Dec 30, 2008 at 8:01 AM, David Lum david@nwea.org wrote:
I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend its use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: NT issue
we do somewhat agree there ... it does sound at least on the surface, like a WINS or maybe browse list issue Erik Goldoff IT Consultant Systems, Networks, Security
From: David James [mailto:bigdadd...@gmail.com] Sent: Tuesday, December 30, 2008 10:20 AM To: NT System Admin Issues Subject: RE: NT issue
Either way, I'm wondering if a quick install of WINS and targeting at least his servers at it would help overcome this issue.
From: Erik Goldoff [mailto:egold...@gmail.com] Sent: Tuesday, December 30, 2008 7:37 AM To: NT System Admin Issues Subject: RE: NT issue
meant to address this earlier ... it is NOT the HOSTS file to look at ... HOSTS is the file based version of DNS, to resolve an FQDN to an IP address; for NT Domain issues, the LMHOSTS file is the one that works like WINS to resolve NetBIOS names ( Browse ) to IP Erik Goldoff IT Consultant Systems, Networks, Security
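The LMHOSTS point made in this thread (LMHOSTS, not HOSTS, maps NetBIOS names to IP addresses, and `#DOM` marks domain controllers), as an added example that is not from any poster: a Python lint for an LMHOSTS file. Host names, the domain `EXAMPLEDOM`, the addresses and the problem labels are constructed; `#PRE`, `#DOM:` and `\0xNN` are the standard LMHOSTS syntax.

```python
"""Lint an LMHOSTS file for the entries an NT BDC or member server uses to find its PDC."""
import ipaddress
import re

# Constructed sample: host names, domain and addresses are placeholders.
DOMAIN = "EXAMPLEDOM"
# A special NetBIOS name is quoted, space-padded to 15 characters, then given
# its 16th (type) byte as \0xNN; 0x1B is the domain master browser (PDC) name.
PADDED_1B = '"' + DOMAIN.ljust(15) + r'\0x1B"'
SAMPLE_LMHOSTS = "\n".join([
    "# constructed sample LMHOSTS",
    "10.0.0.10   NTPDC01   #PRE #DOM:EXAMPLEDOM   # PDC",
    "10.0.0.11   NTBDC01   #DOM:EXAMPLEDOM",
    "10.0.0.10   " + PADDED_1B + "   #PRE",
    r'10.0.0.10   "EXAMPLEDOM \0x1B"   #PRE',
    "10.0.0.999  NTFILE01  #PRE",
])

ENTRY_RE = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')
HEX_ESCAPE_RE = re.compile(r"\\0x([0-9A-Fa-f]{2})")


def parse_line(line):
    """Return a dict for a mapping line, or None for blanks, comments, directives."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None  # comment, or an #INCLUDE / #BEGIN_ALTERNATE style directive
    match = ENTRY_RE.match(line)
    if match is None:
        # Only one field on the line: report it as an address with no name.
        return {"ip": line, "name": "", "quoted": False, "pre": False, "dom": None}
    ip, name, rest = match.groups()
    entry = {"ip": ip, "name": name.strip('"'), "quoted": name.startswith('"'),
             "pre": False, "dom": None}
    for token in rest.split():
        if token == "#PRE":
            entry["pre"] = True
        elif token.startswith("#DOM:"):
            entry["dom"] = token[len("#DOM:"):]
        elif token.startswith("#"):
            break  # anything else after '#' is a trailing comment
    return entry


def netbios_length(entry):
    """Length of the name as NetBIOS sees it: each \\0xNN escape is one byte."""
    return len(HEX_ESCAPE_RE.sub("?", entry["name"]))


def lint(text):
    """Return (line_number, problem) tuples for entries that will not resolve as intended."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        try:
            ipaddress.IPv4Address(entry["ip"])
        except ValueError:
            problems.append((number, "bad-ip"))
        if not entry["name"] or entry["name"].startswith("#"):
            problems.append((number, "missing-name"))
        elif entry["quoted"] and HEX_ESCAPE_RE.search(entry["name"]):
            if netbios_length(entry) != 16:
                problems.append((number, "special-name-not-16-bytes"))
        elif netbios_length(entry) > 15:
            problems.append((number, "name-longer-than-15"))
        if entry["dom"] and not entry["pre"]:
            # Without #PRE the #DOM entry is not preloaded into the name cache.
            problems.append((number, "dom-without-pre"))
    return problems


def preloaded_domain_controllers(text, domain):
    """Names tagged #PRE #DOM:<domain>, i.e. the DCs this host can find without WINS."""
    found = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["pre"] and (entry["dom"] or "").upper() == domain.upper():
            found.append(entry["name"])
    return found


if __name__ == "__main__":
    for number, problem in lint(SAMPLE_LMHOSTS):
        print(f"line {number}: {problem}")
    print("preloaded DCs:", preloaded_domain_controllers(SAMPLE_LMHOSTS, DOMAIN))
```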
RE: LogMeIn
We're not even CLOSE to being that buttoned down, all our users here are local administrators, we allow more than one browser on the desktop, etc. I know I KNOW! :) I'm making progress, but the inertia of 200+ users and the (lack of) policies before I got here are not insignificant. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
From: Ziots, Edward [mailto:ezi...@lifespan.org] Sent: Tuesday, December 30, 2008 6:31 AM To: NT System Admin Issues Subject: RE: LogMeIn
And make that a part of the acceptable use policy or another network policy that includes the terms, violation of this policy, can subject the violator(s) to punishment up to and including termination of employment. Then fire them, that will send the message. Logmein is not to be trusted and any business seeking to do business with you that uses that as a Remote access system for support should be shown the door as quickly as they came in. ( Had to deal with one here, and they went bye bye) Z Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network +
From: John Cook [mailto:john.c...@pfsf.org] Sent: Tuesday, December 30, 2008 9:15 AM To: NT System Admin Issues Subject: RE: LogMeIn
On a separate note we expressly forbid users to install ANY unapproved software, specifically remote control software, as it opens the network up to potential HIPAA violations (your regulatory obligations may come into play as well) Just say no! John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+
From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn
I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend its use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
Re: LogMeIn
On Tue, Dec 30, 2008 at 10:16 AM, David James bigdadd...@gmail.com wrote:
It's about helping your users use technology to be more productive, not having a power trip.
The problem is that security *never* shows up as a profit. (Unless you're a security firm, heh.) So if we follow that logic, all security should be banished. Of course, security failures show up -- as losses, when it's too late. The thing that really gets me about this is that people simply *assume* LogMeIn, GoToMyPC, etc., are trustworthy. -- Ben
RE: LogMeIn
So Blackberries and any other service shouldn't be used either. That's a 3rd party who can view all your email.
-Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, December 30, 2008 9:27 AM To: NT System Admin Issues Subject: Re: LogMeIn
On Tue, Dec 30, 2008 at 10:16 AM, David James bigdadd...@gmail.com wrote:
It's about helping your users use technology to be more productive, not having a power trip.
The problem is that security *never* shows up as a profit. (Unless you're a security firm, heh.) So if we follow that logic, all security should be banished. Of course, security failures show up -- as losses, when it's too late. The thing that really gets me about this is that people simply *assume* LogMeIn, GoToMyPC, etc., are trustworthy. -- Ben
RE: LogMeIn
Well stated ... I've always had to battle for budget for ANYTHING that doesn't directly participate in generating revenue Erik Goldoff IT Consultant Systems, Networks, Security
-Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, December 30, 2008 10:27 AM To: NT System Admin Issues Subject: Re: LogMeIn
On Tue, Dec 30, 2008 at 10:16 AM, David James bigdadd...@gmail.com wrote:
It's about helping your users use technology to be more productive, not having a power trip.
The problem is that security *never* shows up as a profit. (Unless you're a security firm, heh.) So if we follow that logic, all security should be banished. Of course, security failures show up -- as losses, when it's too late. The thing that really gets me about this is that people simply *assume* LogMeIn, GoToMyPC, etc., are trustworthy. -- Ben
RE: Virtualization Questions - More Q's
Wow, that's really compartmentalized... I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc... Joe Heaton Employment Training Panel
From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:14 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's
I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken
From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Wednesday, 31 December 2008 12:31 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's
That's an interesting point. Have you actually seen this in practice? What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003
From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's
Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken
From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's
1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification.
2. No
3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers.
4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question.
Shook
From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's
Great responses so far! You've all given me even more to think about. A few other questions:
1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent?
2. Does Virtualization impact your domain security requirements in any way?
3. NIC Utilization - Shared NICs or separate for each VM?
4. OS App licensing - can we expect any reduction in licensing requirements?
Thanks!
RE: Citrix client?
Haven't read anything on it myself, but maybe install it on one and see what happens, before deploying it widely. Joe Heaton Employment Training Panel
-Original Message- From: Craig Gauss [mailto:gau...@rhahealthcare.org] Sent: Tuesday, December 30, 2008 5:54 AM To: NT System Admin Issues Subject: Citrix client?
Does anyone know of any issues with backwards compatibility issues with the newest Citrix client? I have to deploy the Citrix client throughout our Association so users can connect to another hospital's Citrix farm. Can only find the 11.0 client. I know it works with the 10.2 client just want to make sure it works with the 11.0 client before I deploy it. Unfortunately we don't have a test account either.
Re: LogMeIn
On Tue, Dec 30, 2008 at 9:25 AM, Erik Goldoff egold...@gmail.com wrote:
You're letting an outside organization have control of one of your computers. You're okay with that?
Ever read the Microsoft EULA, especially regarding the Service Packs and automatic update ???
Indeed. Heck, I'm not really overly comfortable with Microsoft, either. Their track record on business ethics and practices isn't exactly a glowing recommendation. And they're huge; big enough for a rogue element to go undetected for years. There are some key differences, though:
A1. Various organizations audit at least some of the Windows source.
A2. Various organizations audit at least some of the Windows machine code (binaries/executables).
A3. There are *lots* of A1 and A2. Windows is under a tremendous amount of scrutiny.
A4. Windows doesn't have the ability to bypass our firewall or other non-Microsoft security measures. We have defense-in-depth, both in terms of technology and vendors.
A5. Windows runs on systems under our control.
The remote-control services violate all of the above. In particular, major parts of all remote-control services run through servers and software *nobody else can see*. -- Ben
Re: LogMeIn
I'm with you logmein rescue rocks we use it to support our customers and our remote sites. We support many users on many remote networks. Mainly in sme space. Large corporates and compliance is all good if you can do that but for sme it's difficult to get budget for anything. But everyone's advice is good. I wouldn't want logmein installed on work pc's. Gotomypc is advertised constantly on UK radio to access your work of from home, using the dragons from dragons den. But doesn't mention security or company policy. Graeme
On 30/12/2008, David James bigdadd...@gmail.com wrote:
LogMeInRescue FTW for supporting remote users. Sonicwall SSL VPN Products for remote access. Using the Java or ActiveX RDP agents provide a more productive user experience than logmein free. In logmein free's defense as a security measure... I had a customer who used logmein on their systems, it was a small business. Someone stole a computer, and since LogMeIn auto connects from anywhere on the net, they were able to track the system down. Kind of a free lowjack utility. Before I worked for myself, I would have argued that software like this was not useful, but it has its place in the SMB. The corporate compliance set forbids it, but I have found that the ultimate question is how productive your users are, and how secure are their passwords. LogMeIn is just another door to the building, another key to keep track of, so depending on the business type/model, and its obligations for compliance, it may or may not have its place. I know lots of network admins who keep it on their servers but yell at every user that wants to use it. Sometimes productivity demands it. If you've got a user who needs to print at home to a Multifunction device to be more productive, sometimes logmein pro is the best solution, since RDP doesn't support certain printers. In these rare cases, a simple signed policy will suffice to cover your ___. It's about helping your users use technology to be more productive, not having a power trip. The company must survive tight economic times, so use all your tools to provide them ways to produce from anywhere at anytime, and you'll be a hero to your users and company management.
-Original Message- From: Graeme Carstairs [mailto:loonyto...@gmail.com] Sent: Tuesday, December 30, 2008 8:37 AM To: NT System Admin Issues Subject: Re: LogMeIn
You wouldn't allow any support via logmein rescue or webex etc. Do the install through web use and then no further access type solutions? May I ask how large your organisation is? Graeme
On 30/12/2008, Ziots, Edward ezi...@lifespan.org wrote:
And make that a part of the acceptable use policy or another network policy that includes the terms, violation of this policy, can subject the violator(s) to punishment up to and including termination of employment. Then fire them, that will send the message. Logmein is not to be trusted and any business seeking to do business with you that uses that as a Remote access system for support should be shown the door as quickly as they came in. ( Had to deal with one here, and they went bye bye) Z Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network +
From: John Cook [mailto:john.c...@pfsf.org] Sent: Tuesday, December 30, 2008 9:15 AM To: NT System Admin Issues Subject: RE: LogMeIn
On a separate note we expressly forbid users to install ANY unapproved software, specifically remote control software, as it opens the network up to potential HIPAA violations (your regulatory obligations may come into play as well) Just say no! John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+
From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 9:02 AM To: NT System Admin Issues Subject: LogMeIn
I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend its use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
Re: LogMeIn
On Tue, Dec 30, 2008 at 10:33 AM, David James bigdadd...@gmail.com wrote:
So Blackberries and any other service shouldn't be used either. That's a 3rd party who can view all your email.
Regarding BlackBerries: Email is already public. Anyone who thinks general Internet email is secure is just plain wrong. We educate our users that email is not secure. They all want it to be, of course, but it's a case of wanting what can't be had. (Good crypto will address this, of course, but that's a customer-interaction issue that needs to be sorted out on a case-by-case basis, and most people don't actually want to pay for security, they want free lip-service. We give them all the free lip-service they want.)
Regarding other services: Depends on the situation, as evidenced by the email example above. But generally, no, we're not overly trusting, because the world's filled with dangerous, scary people, and the Internet brings them all to your doorstep. Life's hard; get a helmet. -- Ben
RE: LogMeIn
BB's are managed by the company (at least mine are) and can be locked down (to some extent - you can't solve stupid!) AND remotely wiped. Our users have to sign a security form before they get their hands on one and all of our devices are company owned.

John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I, CompTIA A+, N+

-----Original Message-----
From: David James [mailto:bigdadd...@gmail.com]
Sent: Tuesday, December 30, 2008 10:34 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

So Blackberries and any other service shouldn't be used either. That's a 3rd party who can view all your email.

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, December 30, 2008 9:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James bigdadd...@gmail.com wrote:
> It's about helping your users use technology to be more productive, not having a power trip.

The problem is that security *never* shows up as a profit. (Unless you're a security firm, heh.) So if we follow that logic, all security should be banished. Of course, security failures show up -- as losses, when it's too late.

The thing that really gets me about this is that people simply *assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben
Re: LogMeIn
On Tue, Dec 30, 2008 at 10:41 AM, Graeme Carstairs loonyto...@gmail.com wrote:
> Large corporates and compliance is all good if you can do that but for sme it's difficult to get budget for anything.

Smaller organizations have less to lose. As always, it's risk management, cost/benefit. If the cost of counter-measures exceeds the sum total value of the organization, then it's actually worth it to just roll the dice and take the risk, since the business just isn't worth that much.

Of course, nobody ever likes to be told their livelihood is of lesser value. One reason few people like security analysis is that it's largely about facing unpleasant truths.

Sheesh, I sound like a political advertisement. Vote for me, or the hackers will get you!

-- Ben
RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
Isn't that what I said? :-) But my biggest issue is that in our organization, that's not particularly useful. We need everyone to get OOFs, including people outside the organization. Although customizing the message sent internally vs. externally is nice.

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, December 30, 2008 9:46 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)

Sure it does, that is how ours is I just retested it to be certain. Internals get OOF's and externals do not.

-----Original Message-----
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Tuesday, December 30, 2008 9:38 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)

Exchange 2007 does support separating the handling of OOO's between internal and external senders...
RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
Ok, I am off to get more coffee. I saw doesn't instead of what you actually wrote.

-----Original Message-----
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Tuesday, December 30, 2008 10:48 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)

Isn't that what I said? :-) But my biggest issue is that in our organization, that's not particularly useful. We need everyone to get OOFs, including people outside the organization. Although customizing the message sent internally vs. externally is nice.

-----Original Message-----
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, December 30, 2008 9:46 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)

Sure it does, that is how ours is I just retested it to be certain. Internals get OOF's and externals do not.

-----Original Message-----
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Tuesday, December 30, 2008 9:38 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)

Exchange 2007 does support separating the handling of OOO's between internal and external senders...
RE: LogMeIn
Productive, but at what cost to the business? It only takes one security incident to cost you more than the productivity of a year's worth of work. Heck, some of the penalties are in the 250K+ range at the most severe for HIPAA and I am sure it's higher in the other regulations (PCI, GLB, SarbOx).

It's not about a power trip either, it's about following process, using good risk management techniques and being able to prove that people are accessing only what you gave them access to and no more (due diligence, Least Privilege rules).

Actually security could show up in making sure the profits you are earning by doing your work as shown. Just imagine the laptop that the C-Level is using that wasn't Lo-Jacked and you didn't think about adding full hard drive encryption, but those juicy insider details are being pushed to your competition, because he/she/it had its laptop stolen and didn't encrypt the information that was confidential/sensitive in nature. Now it's in the hands of the people that shouldn't have had it in the first place.

That is just one of a lot of ways you can show how working securely and following security protocol helps you stay profitable and avoid these types of situations that when you look at the bottom line cost the organization/business more money per-incident than they might make in a month or even year.

Food for thought,
Z

Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, December 30, 2008 10:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James bigdadd...@gmail.com wrote:
> It's about helping your users use technology to be more productive, not having a power trip.

The problem is that security *never* shows up as a profit. (Unless you're a security firm, heh.) So if we follow that logic, all security should be banished. Of course, security failures show up -- as losses, when it's too late.

The thing that really gets me about this is that people simply *assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben
A/V on VM Host
Would the anti-virus package on a host machine also protect the guest VMs?

I was wondering if, say, VirusScan is installed on the host box, wouldn't it be scanning all data streaming across the NIC, including that which is destined for the VMs?

Is there a flaw in my thinking?

Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388
RE: LogMeIn
It definitely is a risk, and a lot of companies are taking it. Why not have Blackberry sign a BAA with you before you sign up for their service to CYA..

Z

Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: David James [mailto:bigdadd...@gmail.com]
Sent: Tuesday, December 30, 2008 10:34 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

So Blackberries and any other service shouldn't be used either. That's a 3rd party who can view all your email.

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, December 30, 2008 9:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James bigdadd...@gmail.com wrote:
> It's about helping your users use technology to be more productive, not having a power trip.

The problem is that security *never* shows up as a profit. (Unless you're a security firm, heh.) So if we follow that logic, all security should be banished. Of course, security failures show up -- as losses, when it's too late.

The thing that really gets me about this is that people simply *assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben
RE: LogMeIn
It's encrypted to blackberry, but they can still pry if they want, which is what people's point against logmein is. I'm just saying, you inherently trust a lot of companies, and to say one service that is used like Blackberry in a high percentage of businesses, then 'flush' other services which may help your users be productive seems silly to me. But I digress. I just want the point made that LogMeIn does have its place if it's implemented properly. They wouldn't be in business if they hacked their customers' networks.

DPJ

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, December 30, 2008 9:42 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:33 AM, David James bigdadd...@gmail.com wrote:
> So Blackberries and any other service shouldn't be used either. That's a 3rd party who can view all your email.

Regarding BlackBerries: Email is already public. Anyone who thinks general Internet email is secure is just plain wrong. We educate our users that email is not secure. They all want it to be, of course, but it's a case of wanting what can't be had. (Good crypto will address this, of course, but that's a customer-interaction issue that needs to be sorted out on a case-by-case basis, and most people don't actually want to pay for security, they want free lip-service. We give them all the free lip-service they want.)

Regarding other services: Depends on the situation, as evidenced by the email example above. But generally, no, we're not overly trusting, because the world's filled with dangerous, scary people, and the Internet brings them all to your doorstep. Life's hard; get a helmet.

-- Ben
Re: C$ Permissions on a Domain Controller????
Thanks everyone. After reading everyone's advice that the permissions were okay I looked further and found that the problem was that a special group was added to the local administrators groups on most of the servers. Ends up, an administrator added code to the users' login scripts to add this group locally, and another administrator had the users' login script in his super user account.

Thanks everyone!

On Tue, Dec 30, 2008 at 6:04 AM, Ken Schaefer k...@adopenstatic.com wrote:

> Hi,
>
> The security permissions that are applied to files/folders when running dcpromo are in a template file on your DC in %systemroot%\security\templates. The DC security.inf template is what is used by secedit during the DCPromo process to re-ACL files/folders on your new DC.
>
> C$ is a share - not a folder/file/drive. You can't set the permissions on this normally. It should be restricted to those in the Administrators group.
>
> Permissions on the root folder of the C: drive are different to C$ permissions. Everyone (or Authenticated User) should have Read+Execute and List Folder Contents permission by default. Check the inf file for more info, or use secedit to re-ACL your box if you need to.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Jon D [mailto:rekcahp...@gmail.com]
> Sent: Tuesday, 30 December 2008 8:53 AM
> To: NT System Admin Issues
> Subject: C$ Permissions on a Domain Controller
>
> Anyone know what the proper permissions are on the C: drive of a Domain Controller? Are they special or no?
>
> I'm doing a security audit and I came across 2 domain controllers that do not require a password to access their C$ share. You can't view the permissions of the share itself, but the permissions on the C drive have authenticated users with full control. That can't be right. Anyone see anything like that before? Anyone know how dangerous it is to change the permissions (once I determine the correct permissions)?
>
> Thanks in advance,
> Jon
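The root cause described in this message, a group pushed into local Administrators by a login script, is the kind of drift a membership baseline catches. The following is an added example, not code from the thread: it parses `net localgroup Administrators` output collected per server and reports members outside an allowlist, plus members that recur across servers (a hint that a script or policy is adding them). The server names, the CORP domain, the group and user names and the baseline are all hypothetical, and the sample output is constructed.

```python
import re
from collections import Counter

# Hypothetical baseline: the only principals expected in local Administrators.
BASELINE = {"Administrator", "CORP\\Domain Admins"}

# Constructed sample: `net localgroup Administrators` output keyed by server.
_HEADER = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
"""
_FOOTER = "The command completed successfully.\n"
SAMPLE_OUTPUT = {
    "SRV01": _HEADER + "Administrator\nCORP\\Domain Admins\n" + _FOOTER,
    "SRV02": _HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\Special-Support\n" + _FOOTER,
    "SRV03": _HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\Special-Support\nCORP\\jsmith\n" + _FOOTER,
}


def parse_members(output):
    """Return the member names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):
            in_list = True
            continue
        if not in_list or not line:
            continue
        if line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def unexpected_admins(outputs, baseline):
    """Map each server to the members that are not in the baseline."""
    allowed = {m.lower() for m in baseline}  # Windows account names are case-insensitive
    findings = {}
    for server, text in sorted(outputs.items()):
        extra = [m for m in parse_members(text) if m.lower() not in allowed]
        if extra:
            findings[server] = extra
    return findings


def widespread(findings, total_servers, threshold=0.5):
    """Unexpected members present on at least `threshold` of all servers."""
    counts = Counter(m.lower() for extra in findings.values() for m in set(extra))
    return sorted(m for m, n in counts.items() if n / total_servers >= threshold)


if __name__ == "__main__":
    found = unexpected_admins(SAMPLE_OUTPUT, BASELINE)
    for server, extra in found.items():
        print(server, "unexpected:", ", ".join(extra))
    print("on most servers:", widespread(found, len(SAMPLE_OUTPUT)))
```

A member that shows up under "on most servers" is worth tracing back to login scripts and group policy before removing it by hand, since whatever added it will add it again.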
RE: A/V on VM Host
Normally the AV autoprotect monitors files, not network traffic

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Tuesday, December 30, 2008 10:50 AM
To: NT System Admin Issues
Subject: A/V on VM Host

Would the anti-virus package on a host machine also protect the guest VMs?

I was wondering if, say, VirusScan is installed on the host box, wouldn't it be scanning all data streaming across the NIC, including that which is destined for the VMs?

Is there a flaw in my thinking?

Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388
Re: Label printers
[reply to multiple posts]

On Tue, Dec 30, 2008 at 9:50 AM, Eisenberg, Wayne wayne.eisenb...@pbvllc.com wrote:
> I have found that P-Touch labels do not adhere well to the material used for patch cables and you wind up needing to make flags ...

The Dymo tape doesn't stick especially well, either. I print two labels without cutting, and loop it around the cable, sticking the label backs together. Pretty easy. I guess that's making a flag, but it works. I actually find it easier to read the label that way; you don't need to move the cable as much, just the label.

On Tue, Dec 30, 2008 at 10:12 AM, Phillip Partipilo p...@psnet.com wrote:
> They are much easier to apply since the backing seems to come off the adhesive layer much easier ...

One thing I like about the Dymo tape is that they split the backing, so peeling it off is really easy.

One thing I don't like is we apparently had a bad batch a while back, several cartridges kept having the tape stick together on the roll. Didn't show up until a good portion of the roll was gone, and this is one of those products that's expensive enough for that to be irritating, but not quite worth the probable fuss of filing a warranty claim over a small issue. Haven't had the problem since. If it comes back, then I'll b*tch.

-- Ben
RE: A/V on VM Host
And from the host's perspective, the VMs are files, right?

Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388

From: Damien Solodow [mailto:damien.solo...@ibcschools.edu]
Sent: Tuesday, December 30, 2008 10:56 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

Normally the AV autoprotect monitors files, not network traffic

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Tuesday, December 30, 2008 10:50 AM
To: NT System Admin Issues
Subject: A/V on VM Host

Would the anti-virus package on a host machine also protect the guest VMs?

I was wondering if, say, VirusScan is installed on the host box, wouldn't it be scanning all data streaming across the NIC, including that which is destined for the VMs?

Is there a flaw in my thinking?

Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388
Re: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
On Tue, Dec 30, 2008 at 9:38 AM, John Hornbuckle john.hornbuc...@taylor.k12.fl.us wrote:
> Exchange 2003 had a registry hack that was supposed to minimize occurrences of OOO's going to mailing lists, but I believe that has gone away with 2007.

#ifdef RANT

WTF? Why is this so hard for Microsoft to figure out? The vacation program I used on the university's DEC Ultrix machines back in 1996 did this right, for crying out loud. After 10+ years, Microsoft can't get an auto-responder to work right?

Free tip to anyone at Microsoft: Send auto-responses to the RFC-821 envelope reverse-path address, not the RFC-822 header From address, like the standards say to.

Grr.

#endif

-- Ben
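The addressing rule stated in this message, sketched as an added example (not code from the thread and not Exchange's logic): an auto-responder that replies to the SMTP envelope reverse-path and ignores the header From. The suppression checks for the null reverse-path, `Auto-Submitted`, `Precedence` and list headers follow RFC 3834, which the post does not cite; the function name, addresses and sample messages are constructed.

```python
from email import message_from_string

BULK_PRECEDENCE = {"bulk", "list", "junk"}
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")


def auto_reply_target(envelope_from, raw_message):
    """Return the address an out-of-office reply should go to, or None.

    envelope_from is the SMTP MAIL FROM value (the RFC 821 reverse-path)
    as handed over by the MTA; "" or "<>" is the null reverse-path.
    The header From is deliberately never used as the reply address.
    """
    msg = message_from_string(raw_message)

    # Null reverse-path marks bounces and other notices: never answer them.
    sender = envelope_from.strip().strip("<>").strip()
    if not sender:
        return None

    # Auto-Submitted other than "no" means a machine generated the message.
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return None

    # Mailing-list and bulk traffic.
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return None
    if any(header in msg for header in LIST_HEADERS):
        return None

    # Conventional role and list-management envelope senders are not people.
    local = sender.split("@", 1)[0].lower()
    if local in ("mailer-daemon", "postmaster"):
        return None
    if local.startswith("owner-") or local.endswith(("-request", "-bounces")):
        return None

    return sender


# Constructed samples: (label, envelope reverse-path, raw message).
CASES = [
    ("direct", "<alice@example.com>",
     "From: Alice <alice@example.com>\nTo: bob@example.org\n"
     "Subject: Q4 numbers\n\nHi Bob\n"),
    # Sent on Alice's behalf: the reply follows the envelope, not the header.
    ("on_behalf", "<assistant@example.com>",
     "From: Alice <alice@example.com>\nTo: bob@example.org\n"
     "Subject: Meeting\n\nPlease confirm\n"),
    # List post: header From is the poster, envelope is the list's bounce handler.
    ("list_post", "<ntsysadmin-bounces@lists.example.net>",
     "From: Alice <alice@example.com>\nTo: ntsysadmin@lists.example.net\n"
     "List-Id: <ntsysadmin.lists.example.net>\nPrecedence: list\n"
     "Subject: Label printers\n\nAny favorites?\n"),
    # List software that adds no list headers still has a list-style envelope.
    ("bare_list", "<owner-ntsysadmin@lists.example.net>",
     "From: Alice <alice@example.com>\nTo: ntsysadmin@lists.example.net\n"
     "Subject: Label printers\n\nAny favorites?\n"),
    ("bounce", "<>",
     "From: Mail Delivery System <MAILER-DAEMON@mx.example.org>\n"
     "To: bob@example.org\nAuto-Submitted: auto-replied\n"
     "Subject: Undeliverable\n\nDelivery failed\n"),
]


def run_cases():
    """Evaluate every constructed case and return {label: reply target}."""
    return {label: auto_reply_target(env, raw) for label, env, raw in CASES}


if __name__ == "__main__":
    for label, target in run_cases().items():
        print(f"{label:10} -> {target}")
```

In the two list cases a responder keyed on the header From would answer the individual poster for every list message received; keyed on the envelope, nothing is sent.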
RE: A/V on VM Host
Mostly. However, I don't know that it can efficiently scan the vmdk files for it. It would be easy enough to test... Put AV on your host, and put eicars on one of the guests and see if the host notices it. I'm fairly sure the answer will be no though..

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Tuesday, December 30, 2008 11:02 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

And from the host's perspective, the VMs are files, right?

Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388

From: Damien Solodow [mailto:damien.solo...@ibcschools.edu]
Sent: Tuesday, December 30, 2008 10:56 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

Normally the AV autoprotect monitors files, not network traffic

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Tuesday, December 30, 2008 10:50 AM
To: NT System Admin Issues
Subject: A/V on VM Host

Would the anti-virus package on a host machine also protect the guest VMs?

I was wondering if, say, VirusScan is installed on the host box, wouldn't it be scanning all data streaming across the NIC, including that which is destined for the VMs?

Is there a flaw in my thinking?

Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388
Re: LogMeIn
On Tue, Dec 30, 2008 at 10:57 AM, David James bigdadd...@gmail.com wrote:
> They wouldn't be in business if they hacked their customers' networks.

I believe I provided some arguments as to why that's a logical fallacy.

Again, you're not actually doing any analysis. If you presented some kind of evaluation, it would be one thing. Example: Small art design firm; seven employees; no HIPAA/PCI/etc.; low profile organization; no radical trade secrets; alternative solutions would cost $%LARGE%; alternatives exceed the value of assets. That's valid risk management. (I might quibble with the alternative solutions cost, but that's a lot more subjective.)

But you're just hoping things will be okay. Wanting something doesn't make it real (unless you're an xkcd fan).

I'm sure it pisses you off to no end that I keep calling you on your flimsy logic. Sorry. I don't mean to anger you, but security is about facing harsh realities. I've found most people would rather be happily unaware than unhappily informed.

-- Ben
Re: Citrix client?
I've never experienced any compatibility issues. At one point we were using the 10.2 client with our TS, which is running the ancient (late 2003 vintage) Metaframe XP.

Craig Gauss wrote:
> Does anyone know of any issues with backwards compatibility issues with the newest Citrix client? I have to deploy the Citrix client throughout our Association so users can connect to another hospital's Citrix farm. Can only find the 11.0 client. I know it works with the 10.2 client just want to make sure it works with the 11.0 client before I deploy it. Unfortunately we don't have a test account either.

-- Phil Brutsche p...@optimumdata.com
Re: A/V on VM Host
Agreed; even if the host could scan the VMs, they're disk images. Scanning a 20gb file (or however big your virtual hard drive is) isn't going to be fast.

Jeff

On Tue, Dec 30, 2008 at 11:10 AM, Damien Solodow damien.solo...@ibcschools.edu wrote:

> Mostly. However, I don't know that it can efficiently scan the vmdk files for it. It would be easy enough to test… Put AV on your host, and put eicars on one of the guests and see if the host notices it. I'm fairly sure the answer will be no though..
>
> From: Roger Wright [mailto:rwri...@evatone.com]
> Sent: Tuesday, December 30, 2008 11:02 AM
> To: NT System Admin Issues
> Subject: RE: A/V on VM Host
>
> And from the host's perspective, the VMs are files, right?
>
> Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388
>
> From: Damien Solodow [mailto:damien.solo...@ibcschools.edu]
> Sent: Tuesday, December 30, 2008 10:56 AM
> To: NT System Admin Issues
> Subject: RE: A/V on VM Host
>
> Normally the AV autoprotect monitors files, not network traffic….
>
> From: Roger Wright [mailto:rwri...@evatone.com]
> Sent: Tuesday, December 30, 2008 10:50 AM
> To: NT System Admin Issues
> Subject: A/V on VM Host
>
> Would the anti-virus package on a host machine also protect the guest VMs?
>
> I was wondering if, say, VirusScan is installed on the host box, wouldn't it be scanning all data streaming across the NIC, including that which is destined for the VMs?
>
> Is there a flaw in my thinking?
>
> Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388
Re: A/V on VM Host
On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright rwri...@evatone.com wrote:
> Would the anti-virus package on a host machine also protect the guest VMs?

No. To the host OS, the virtual disk image is just a giant binary file. You wouldn't want to scan that with AV; it would kill performance. And even if the AV found something, all it could do would be to quarantine or delete your virtual disk -- essentially causing your VM to spontaneously disappear from existence.

-- Ben
RE: Label printers
This Brother tape is M-2312PK, 8 meters of tape per cart. It's extremely thin so there isn't much stress trying to pull it apart when you wrap it around and stick it to itself - in fact I've labeled dozens of cables in that fashion with this tape and it is excellent (probably because it isn't laminated). A nice aspect is that the labeler itself is dirt cheap, it's a Home Hobby labeler, model PT-65.

Phillip Partipilo Parametric Solutions Inc. Jupiter, Florida (561) 747-6107

-----Original Message-----
From: Eisenberg, Wayne [mailto:wayne.eisenb...@pbvllc.com]
Sent: Tuesday, December 30, 2008 10:18 AM
To: NT System Admin Issues
Subject: RE: Label printers

And... Now that you all got me interested in the topic again, I went trolling on the Brother site, and it seems that they have a label that *may* be similar to the Brady vinyl/acrylic label that works so well for me. I don't think the specific labelling machine is as important as the material the label itself is made from. If this Brother tape (TZFX231) tests as well as the Brady does and costs less, then I might go back to that...

Wayne

-----Original Message-----
From: Eisenberg, Wayne [mailto:wayne.eisenb...@pbvllc.com]
Sent: Tuesday, December 30, 2008 9:50 AM
To: NT System Admin Issues
Subject: RE: Label printers

I have found that P-Touch labels do not adhere well to the material used for patch cables and you wind up needing to make flags, or find ways to deal with labels peeling off. What I have found that works fabulously are Brady cable markers. You can use an ultra-fine Sharpie to write on them, they are self-laminating and they do not come off easily like P-touch labels do. I buy what they call the 'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that label material in a roll and use it in one of Brady's labeller machines, but their label makers tend to be quite expensive (but there is a ton of functionality built into it). I find the porta-pak and a Sharpie to do just as good of a job for a lot less money. You can get them from Grainger or other similar supply house.

Wayne

-----Original Message-----
From: Steve Pruitt [mailto:adminli...@bytampabay.com]
Sent: Monday, December 29, 2008 6:17 PM
To: NT System Admin Issues
Subject: Re: Label printers

I use a Brother P-Touch, and I'm very happy with it. I'm compulsive about labeling both ends of every cable, and the jacks on non-standard devices.

Steve

----- Original Message -----
From: Mike French mike.fre...@theequitybank.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Sent: Monday, December 29, 2008 5:01 PM
Subject: RE: Label printers

I use a Rhino 3000 (http://www.rhinopromo.com/Printers_3000_Features.shtm)

From: Orland, Kathleen [mailto:korl...@rogers.com]
Sent: Saturday, December 27, 2008 10:09 PM
To: NT System Admin Issues
Subject: RE: Label printers

I use the same thing. In addition I purchase bright yellow tapes to make identification distinct and easy.

From: Jacob [mailto:ja...@excaliburfilms.com]
Sent: Saturday, December 27, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: Label printers

Brother P Touch III

What I use to label cable, tapes, etc...

From: Gavin Wilby [mailto:gavin.wi...@gmail.com]
Sent: Saturday, December 27, 2008 12:24 PM
To: NT System Admin Issues
Subject: Label printers

Not as off topic as it might sound - I want to get my own label printer, to do things like patch cables, patch panels, back up tapes and the like.

Anyone got any favorites?

Gavin.

Hope you have all had a great Christmas break!
RE: LogMeIn
It doesn't piss me off. I made my points earlier, stating that I use SSL VPN appliances/RDP for regulated access. I also said it's situation based, and products like this can be utilized properly for the SMB. That's all I'm saying. Have a great day!

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, December 30, 2008 10:13 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:57 AM, David James bigdadd...@gmail.com wrote:
> They wouldn't be in business if they hacked their customers' networks.

I believe I provided some arguments as to why that's a logical fallacy.

Again, you're not actually doing any analysis. If you presented some kind of evaluation, it would be one thing. Example: Small art design firm; seven employees; no HIPAA/PCI/etc.; low profile organization; no radical trade secrets; alternative solutions would cost $%LARGE%; alternatives exceed the value of assets. That's valid risk management. (I might quibble with the alternative solutions cost, but that's a lot more subjective.)

But you're just hoping things will be okay. Wanting something doesn't make it real (unless you're an xkcd fan).

I'm sure it pisses you off to no end that I keep calling you on your flimsy logic. Sorry. I don't mean to anger you, but security is about facing harsh realities. I've found most people would rather be happily unaware than unhappily informed.

-- Ben
RE: LogMeIn
Agreed +1..

Z

Edward E. Ziots Network Engineer Lifespan Organization Email: ezi...@lifespan.org Phone: 401-639-3505 MCSE, MCP+I, ME, CCA, Security +, Network +

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, December 30, 2008 11:13 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:57 AM, David James bigdadd...@gmail.com wrote:
> They wouldn't be in business if they hacked their customers' networks.

I believe I provided some arguments as to why that's a logical fallacy.

Again, you're not actually doing any analysis. If you presented some kind of evaluation, it would be one thing. Example: Small art design firm; seven employees; no HIPAA/PCI/etc.; low profile organization; no radical trade secrets; alternative solutions would cost $%LARGE%; alternatives exceed the value of assets. That's valid risk management. (I might quibble with the alternative solutions cost, but that's a lot more subjective.)

But you're just hoping things will be okay. Wanting something doesn't make it real (unless you're an xkcd fan).

I'm sure it pisses you off to no end that I keep calling you on your flimsy logic. Sorry. I don't mean to anger you, but security is about facing harsh realities. I've found most people would rather be happily unaware than unhappily informed.

-- Ben
RE: A/V on VM Host
So how do you protect your VM? Or do you simply keep a supposedly known good backup of it in case the active gets infected? Joe Heaton Employment Training Panel -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, December 30, 2008 8:15 AM To: NT System Admin Issues Subject: Re: A/V on VM Host On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright rwri...@evatone.com wrote: Would the anti-virus package on a host machine also protect the guest VMs? No. To the host OS, the virtual disk image is just a giant binary file. You wouldn't want to scan that with AV; it would kill performance. And even if the AV found something, all it could do would be to quarantine or delete your virtual disk -- essentially causing your VM to spontaneously disappear from existence. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: A/V on VM Host
Load AV on it just like you would a physical machine? -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, December 30, 2008 11:28 AM To: NT System Admin Issues Subject: RE: A/V on VM Host So how do you protect your VM? Or do you simply keep a supposedly known good backup of it in case the active gets infected? Joe Heaton Employment Training Panel -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, December 30, 2008 8:15 AM To: NT System Admin Issues Subject: Re: A/V on VM Host On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright rwri...@evatone.com wrote: Would the anti-virus package on a host machine also protect the guest VMs? No. To the host OS, the virtual disk image is just a giant binary file. You wouldn't want to scan that with AV; it would kill performance. And even if the AV found something, all it could do would be to quarantine or delete your virtual disk -- essentially causing your VM to spontaneously disappear from existence. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: A/V on VM Host
Ok, so I must have misunderstood the initial question...doh! Joe Heaton Employment Training Panel -Original Message- From: Damien Solodow [mailto:damien.solo...@ibcschools.edu] Sent: Tuesday, December 30, 2008 8:30 AM To: NT System Admin Issues Subject: RE: A/V on VM Host Load AV on it just like you would a physical machine? -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, December 30, 2008 11:28 AM To: NT System Admin Issues Subject: RE: A/V on VM Host So how do you protect your VM? Or do you simply keep a supposedly known good backup of it in case the active gets infected? Joe Heaton Employment Training Panel -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, December 30, 2008 8:15 AM To: NT System Admin Issues Subject: Re: A/V on VM Host On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright rwri...@evatone.com wrote: Would the anti-virus package on a host machine also protect the guest VMs? No. To the host OS, the virtual disk image is just a giant binary file. You wouldn't want to scan that with AV; it would kill performance. And even if the AV found something, all it could do would be to quarantine or delete your virtual disk -- essentially causing your VM to spontaneously disappear from existence. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Citrix client?
-Original Message- From: Craig Gauss [mailto:gau...@rhahealthcare.org] Subject: Citrix client? Does anyone know of any issues with backwards compatibility issues with the newest Citrix client? There are a couple if you use the free Citrix Secure Gateway software. The main issues deal with streaming apps (and those apps generated using the Citrix Streaming Profiler Server). I have to deploy the Citrix client throughout our Association so users can connect to another hospital's Citrix farm. Can only find the 11.0 client. I know it works with the 10.2 client just want to make sure it works with the 11.0 client before I deploy it. U, I know where you can get the 10.x and 9.x software if you ask nice enough off list. :) Unfortunately we don't have a test account either. Weird, you should have, or ask for, a test account just for issues like this. The test account can be disabled/enabled on an as needed basis. When I work on Citrix farms, I ask for two test accounts: an admin one and a regular standard user one. Webster The Accidental Citrix Admin http://CarlWebster.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Virtualization Questions - More Q's
No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. Cheers Ken From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, 31 December 2008 2:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Wow, that's really compartmentalized... I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc... Joe Heaton Employment Training Panel From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:14 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Wednesday, 31 December 2008 12:31 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's That's an interesting point. Have you actually seen this in practice? 
What I mean is, in every shop I've been in, the virtualization group is composed of the same people who hold the keys to the kingdom anyway (AD admins, or Linux/UNIX admins). I've never seen a group brought in to manage the virtual environment that didn't already have that type of access. YMMV Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] Sent: Tuesday, December 30, 2008 6:33 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. Cheers Ken From: Andy Shook [mailto:andy.sh...@peak10.com] Sent: Tuesday, 30 December 2008 2:57 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's 1. As long as the resources are available for the VM, then transparent. I know in the past that processors had to be in the same family as well as the same brand for Vmotion but I heard that this has changed with (ESX) update 3. I don't know the details yet, so someone please chime in here for clarification. 2. No 3. Most environments will have both. Shared for the lightweight servers and dedicated for VMotion\HA\DRS and the heavy hitting servers. 4. An OS license is an OS license is an OS license. Doubtful but check with the vendors in question. 
Shook From: Roger Wright [mailto:rwri...@evatone.com] Sent: Monday, December 29, 2008 10:32 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's Great responses so far! You've all given me even more to think about. A few other questions: 1. From a DR perspective, or perhaps just for rebalancing the load on a host machine, how does moving from one host to another with different HW impact the VM, or is it transparent? 2. Does Virtualization impact your domain security requirements in any way? 3. NIC Utilization - Shared NICs or separate for each VM? 4. OS App licensing - can we expect any reduction in licensing requirements? Thanks! This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender
RE: Virtualization Questions - More Q's
-Original Message- From: S Conn. [mailto:sysadminli...@gmail.com] Subject: Re: Virtualization Questions - More Q's On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer k...@adopenstatic.com wrote: Most people have said no to question #2. I would say that there is a definite impact. Your virtualisation team are pretty much now an additional god in the organisation. For smaller shops this isn't an issue. For bigger shops, or where compliance/auditing/change control are important, then this is another layer of people who have significant privileges, who must be worked into your change control process. I don't see a lot of difference here between virtual environment vs physical. Physical access can mean control - but you can control physical access. Not to mention detecting network changes and preventing/detecting BIOS changes (via passwords and ILO/DRAC etc) In a virtual environment, your virtualisation people control the BIOS, the boot sequence, the virtual networks that are exposed, and even the hard disks of the VMs themselves. And they can do that remotely. In a physical world, your virtualisation people wouldn't have access to the cabinets that store your physical domain controllers or other physical servers. Just the servers that host the VM hosts. Additionally, there are occasionally vulnerabilities in virtualisation software (a couple for VMWare and a more for other products). These can be used to gain access to VMs by holding privileges on the host. Cheers Ken A) The guest virtual machines have the same security as their physical counterparts. (ie you still need a login/password to get into the operating systems). Same in a physical environment. It's the same as walking up to a KVM or logging into an IP KVM. B) If you have access to the virtual environment, you could power off the machines (reboot, etc). It's the same if you have physical access to the data center/server room/etc or access to a remote PDU (aka walk up and press the off button on a machine). 
The only difference is that you could change resource allocation, but in a compliance/audit scenario, you're not accessing the actual data or the guest OS itself, just the box itself. Changing resources does affect change control, but so would someone removing RAM out of a physical box or adding a CPU. I'm only speaking for VMWare here (since that's what I know and run), but you can set up a lot of different levels of access in the virtual environment. You can group the machines, set administrators for those groups, or break it down to only allow certain groups to have access to certain machines. For example, I myself have full access to the entire network, but I only allow my programmers to have access to only a couple of machines, and only restart ability to those. When they log in, all they see are their machines only. Their only options are console or power on/off/reboot, the same access they've had when the servers were physical. It ties into Active Directory, and you can set groups to as much or as little access as you want. I do agree, there are some security concerns that you'll need to address, but virtualizing your servers won't give anyone any more additional access to the machines over walking into the server room IMO. Seth ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: A/V on VM Host
If I had an ESX Server and a Windows VM in there, I would install AV on the Windows VM. But I wouldn't run AV on the ESX host. -Original Message- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, December 30, 2008 8:28 AM To: NT System Admin Issues Subject: RE: A/V on VM Host So how do you protect your VM? Or do you simply keep a supposedly known good backup of it in case the active gets infected? Joe Heaton Employment Training Panel -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, December 30, 2008 8:15 AM To: NT System Admin Issues Subject: Re: A/V on VM Host On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright rwri...@evatone.com wrote: Would the anti-virus package on a host machine also protect the guest VMs? No. To the host OS, the virtual disk image is just a giant binary file. You wouldn't want to scan that with AV; it would kill performance. And even if the AV found something, all it could do would be to quarantine or delete your virtual disk -- essentially causing your VM to spontaneously disappear from existence. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Virtualization Questions - More Q's
From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune 15. For the one small segment of their network I worked on, they had over 6,000 servers and over 35,000 PCs. They had two dedicated IT staff who did nothing but maintain the huge Excel SS of all their DHCP scopes, reservations, server static IPs and server/scope options. They had people who did nothing but monitor NetBackup, people who changed tapes, people who handled Iron Mountain, etc. Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes. Webster From: Joe Heaton [mailto:jhea...@etp.ca.gov] Subject: RE: Virtualization Questions - More Q's Wow, that's really compartmentalized. I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc. Joe Heaton Employment Training Panel From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. 
As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Aaaiiiyyyeeeeee!!! OOO notices! (OT)
Note to whoever publishes L*yris - Set the headers correctly on the lists, too. On Tue, Dec 30, 2008 at 8:03 AM, Ben Scott mailvor...@gmail.com wrote: On Tue, Dec 30, 2008 at 9:38 AM, John Hornbuckle john.hornbuc...@taylor.k12.fl.us wrote: Exchange 2003 had a registry hack that was supposed to minimize occurrences of OOO's going to mailing lists, but I believe that has gone away with 2007. #ifdef RANT WTF? Why is this so hard for Microsoft to figure out? The vacation program I used on the university's DEC Ultrix machines back in 1996 did this right, for crying out loud. After 10+ years, Microsoft can't get an auto-responder to work right? Free tip to anyone at Microsoft: Send auto-responses to the RFC-821 envelope reverse-path address, not the RFC-822 header From address, like the standards say to. Grr. #endif -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
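The envelope-versus-header distinction raised in the message above, as an added example that is not part of the original thread: a Python auto-responder decision that answers only the envelope reverse-path and stays silent for list, bulk and automatic mail, in line with RFC 3834. It assumes the delivering MTA recorded the reverse-path in a Return-Path header; the sample messages, addresses and role-mailbox patterns are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Precedence values conventionally used for list and bulk traffic.
BULK_PRECEDENCE = {"bulk", "list", "junk"}
# Heuristic patterns for software and role mailboxes (assumed list; extend locally).
ROLE_PREFIXES = ("owner-", "mailer-daemon", "postmaster", "listserv", "majordomo")
ROLE_SUFFIXES = ("-request", "-owner", "-bounces")
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")


def header_from_target(raw_message):
    """The behaviour being criticised: answer whoever the From header names."""
    msg = message_from_string(raw_message)
    return parseaddr(msg.get("From", ""))[1] or None


def envelope_target(raw_message):
    """Return the envelope sender to notify, or None when no notice should go out."""
    msg = message_from_string(raw_message)

    # Reverse-path as recorded at final delivery; never fall back to From.
    return_path = msg.get("Return-Path")
    if return_path is None:
        return None
    sender = parseaddr(return_path)[1]
    if not sender:
        return None  # null reverse-path "<>": a bounce or other automatic message

    # Envelope senders that are programs or list machinery, not people.
    local = sender.split("@", 1)[0].lower()
    if local.startswith(ROLE_PREFIXES) or local.endswith(ROLE_SUFFIXES):
        return None

    # Header signals that the message is list, bulk or machine generated.
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return None
    auto_submitted = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto_submitted != "no":
        return None
    if any(name in msg for name in LIST_HEADERS):
        return None
    return sender


def build(*header_lines):
    """Assemble a constructed sample message from header lines."""
    return "\n".join(header_lines) + "\n\nbody\n"


# Constructed samples: direct mail, a list post, a bounce, and relayed mail.
PERSONAL = build("Return-Path: <alice@example.org>",
                 "From: Alice <alice@example.org>",
                 "Subject: lunch?")
LIST_POST = build("Return-Path: <sysadmins-bounces@lists.example.net>",
                  "From: Carol <carol@example.com>",
                  "To: sysadmins@lists.example.net",
                  "List-Id: <sysadmins.lists.example.net>",
                  "Precedence: list",
                  "Subject: Re: LogMeIn")
BOUNCE = build("Return-Path: <>",
               "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>",
               "Subject: Undelivered mail")
RELAYED = build("Return-Path: <helpdesk-relay@example.net>",
                "From: Dave <dave@example.com>",
                "Subject: ticket update")

if __name__ == "__main__":
    for name, raw in [("personal", PERSONAL), ("list", LIST_POST),
                      ("bounce", BOUNCE), ("relayed", RELAYED)]:
        print(name, "| header From:", header_from_target(raw),
              "| envelope:", envelope_target(raw))
```

A responder keyed on the From header would answer the list poster and the MAILER-DAEMON address in these samples; the envelope-based check sends nothing in either case.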
RE: Virtualization Questions - More Q's
Wow, I've never worked for anything even close to that big. Where I'm at now is the largest IT department I've been in, and there's only 6 of us, 3 of which are developers, one is the manager, me on the server side, and one guy doing desktops. And I may be laid off soon, if the Governator has his way... Joe Heaton Employment Training Panel From: Webster [mailto:carlwebs...@gmail.com] Sent: Tuesday, December 30, 2008 9:05 AM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune 15. For the one small segment of their network I worked on, they had over 6,000 servers and over 35,000 PCs. They had two dedicated IT staff who did nothing but maintain the huge Excel SS of all their DHCP scopes, reservations, server static IPs and server/scope options. They had people who did nothing but monitor NetBackup, people who changed tapes, people who handled Iron Mountain, etc. Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes. Webster From: Joe Heaton [mailto:jhea...@etp.ca.gov] Subject: RE: Virtualization Questions - More Q's Wow, that's really compartmentalized... I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc... 
Joe Heaton Employment Training Panel From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Virtualization Questions - More Q's
Yes there are definitely shops out there of that size. And they are silo'd to use IBM terminology. I've been part of a Global Services outsourcing and experienced that. But keep in mind that there aren't that many companies out there with that scope. My last employer had 100,000 users globally and didn't have that sort of granularity. Chris Bodnar, MCSE Sr. Systems Engineer Distributed Systems Service Delivery - Intel Services Guardian Life Insurance Company of America Email: christopher_bod...@glic.com Phone: 610-807-6459 Fax: 610-807-6003 _ From: Webster [mailto:carlwebs...@gmail.com] Sent: Tuesday, December 30, 2008 12:05 PM To: NT System Admin Issues Subject: RE: Virtualization Questions - More Q's From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's No, you don't that type of experience. But when you have 1000 IT personnel, they can't all be AD people, or even domain admins. I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune 15. For the one small segment of their network I worked on, they had over 6,000 servers and over 35,000 PCs. They had two dedicated IT staff who did nothing but maintain the huge Excel SS of all their DHCP scopes, reservations, server static IPs and server/scope options. They had people who did nothing but monitor NetBackup, people who changed tapes, people who handled Iron Mountain, etc. Extremely granular and an extreme PITA to do any work for. Need a VM for testing purposes? A minimum 3 month process as it went thru all the change control processes. Webster From: Joe Heaton [mailto:jhea...@etp.ca.gov] Subject: RE: Virtualization Questions - More Q's Wow, that's really compartmentalized. I dunno if I'd want to work somewhere that limits me that much as far as what I'm working with. 
And yet, I'm sure if you apply for one of those positions, you are still required to have 10+ years experience, and expertise with Windows, Unix, mainframes, every desktop OS known to man, etc. Joe Heaton Employment Training Panel From: Ken Schaefer [mailto:k...@adopenstatic.com] Subject: RE: Virtualization Questions - More Q's I work for Avanade - we deal mostly with large enterprises (Global 500 type companies). In those types of orgs the AD team is usually separate from Virtualisation (which is predominantly VMWare), which is again separate from the hardware components (network, security, storage). Even as a directory, AD is usually limited to the Wintel area, and most large orgs have significant investment in *nix, midrange/mainframe systems as well. The source of truth is generally other systems like HR/payroll. As I said before - in smaller shops, there's usually significant overlap, so it's not really an issue. In larger shops (once there isn't a predominance of Windows), and AD isn't king, it starts to become something that needs to be dealt with in some way. Cheers Ken - This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: LogMeIn
Thoroughly agree. Hell, I'm fighting a battle now to keep personal machines from connecting via VPN. My mantra: If the hardware isn't owned and controlled by the company, I don't want it on the company network. I'm beginning to wonder if all companies should maintain two physically separate networks and provide their employees with two computers - one that connects to the world, and one that is for core applications *only*. Kurt On Tue, Dec 30, 2008 at 6:15 AM, Ben Scott mailvor...@gmail.com wrote: On Tue, Dec 30, 2008 at 9:01 AM, David Lum david@nwea.org wrote: I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems ... You're letting an outside organization have control of one of your computers. You're okay with that? Cool, can I have control of one of your computers, too? I promise I won't do anything bad. Pinky swear! Sure, all these remote-control companies claim to have great security. *Everybody* claims that. And yet, major security problems keep on happening, all over the place, all the time. From this, we can conclude that claims of great security mean precisely nothing. Security problems don't have to mean them taking over the world. It doesn't have to mean organization-wide intent. It could be one employee with a grudge. Or maybe an undetected remote compromise on a server in their datacenter -- these are high-profile targets, and custom malware would be undetectable by signature-based virus scanners. Or maybe they cut back on security spending when the economy tanked. It might not be something you could detect -- passive monitoring would be invisible. It might not even be something with specific intent -- maybe random malware makes it into their systems, and then propagates over the remote-control system to you. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! 
~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: A/V on VM Host
I run AV on our VMWare server host boxes and exclude the local folder for the guests. I am contemplating removing this to recapture the AV licenses. Actually I plan on moving these boxes to ESXi. Betcha ESXi won't run AV software (have not checked that). But that's three of four projects from now :-/ I consider it kind of like running file based AV on an SQL or Exchange server. Yes you can do it but exclude everything of value (so why do it anyway?). Devin On Tue, Dec 30, 2008 at 9:49 AM, Roger Wright rwri...@evatone.com wrote: Would the anti-virus package on a host machine also protect the guest VMs? I was wondering if, say, VirusScan is installed on the host box, wouldn't it be scanning all data streaming across the NIC, including that which is destined for the VMs? Is there a flaw in my thinking? Roger Wright Network Administrator Evatone, Inc. 727.572.7076 x388 -- Devin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: LogMeIn
On Tue, Dec 30, 2008 at 7:16 AM, David James bigdadd...@gmail.com wrote: It's about helping your users use technology to be more productive, not having a power trip. The company must survive tight economic times, so use all your tools to provide them ways to produce from anywhere at anytime, and you'll be a hero to your users and company management. As computer professionals, our ethics should be similar to other professions. Here's one statement that I think should be kept in mind, from another profession: First, do no harm. Logmein and other 3rd party remote access products, IMNSHO, are the rough equivalent of sending a 3 year old to play in the auto wrecking yard. Kurt ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Search software
Looking at Express, and it looks pretty good. Free doesn't hurt either...lol. Joe Heaton Employment Training Panel -Original Message- From: Kevin Lundy [mailto:klu...@gmail.com] Sent: Monday, December 29, 2008 3:18 PM To: NT System Admin Issues Subject: Re: Search software Search Server Express should work for you just fine. On 12/29/08, Joe Heaton jhea...@etp.ca.gov wrote: A little under 56,000 files, at 5 GB. They're accessed over a mapped drive from the desktops. I haven't gone through the directories, but I'm sure some of those are going to be screenshots saved as PDFs... I don't expect to search within those, and I have no plan of getting any OCR software... Joe Heaton Employment Training Panel From: Kevin Lundy [mailto:klu...@gmail.com] Sent: Monday, December 29, 2008 1:38 PM To: NT System Admin Issues Subject: Re: Search software No, not at all. I've got it running under 2k3. How many files and what total size are you talking about? On Mon, Dec 29, 2008 at 4:33 PM, Joe Heaton jhea...@etp.ca.gov wrote: I looked at Search Server, but that's just a 2k8 thing, right? Joe Heaton Employment Training Panel -Original Message- From: Kevin Lundy [mailto:klu...@gmail.com] Sent: Monday, December 29, 2008 12:05 PM To: NT System Admin Issues Subject: Re: Search software +1 for the MS Search Server. Or have a look at the Google appliance I'd recommend against a desktop search if these are network shares of any size. Desktop search will index them across the network ... For each desktop. On 12/29/08, Michael B. Smith mich...@theessentialexchange.com wrote: Have you looked at Windows Search Server? Regards, Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP My blog: http://TheEssentialExchange.com/blogs/michael I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Monday, December 29, 2008 1:52 PM To: NT System Admin Issues Subject: Search software Anyone using any third party search software? 
We have archived contract folders going back years, and we have a department that has to search through these folders for keywords, dates, etc. Windows Search is extremely lacking and extremely hit and miss. Does anyone have any other options, free or paid for? Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ -- Sent from my mobile device ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ -- Sent from my mobile device ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
IIS redirect?
Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and...what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
Re: LogMeIn
I would agree with that. If the President of the US can't have one, I don't want anyone in my company to have one. I'll leave my reasons why to be worked out as an exercise for the reader. Kurt On Tue, Dec 30, 2008 at 7:33 AM, David James bigdadd...@gmail.com wrote: So Blackberries and any other service shouldn't be used either. That's a 3rd party who can view all your email. -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Tuesday, December 30, 2008 9:27 AM To: NT System Admin Issues Subject: Re: LogMeIn On Tue, Dec 30, 2008 at 10:16 AM, David James bigdadd...@gmail.com wrote: It's about helping your users use technology to be more productive, not having a power trip. The problem is that security *never* shows up as a profit. (Unless you're a security firm, heh.) So if we follow that logic, all security should be banished. Of course, security failures show up -- as losses, when it's too late. The thing that really gets me about this is that people simply *assume* LogMeIn, GoToMyPC, etc., are trustworthy.
Re: LogMeIn
You let your users install software? That is asking for more problems than you will ever fix. Jon On Tue, Dec 30, 2008 at 9:01 AM, David Lum david@nwea.org wrote: I work for a company with ~300 employees, is there a reason to discourage a few of our employees from installing LogMeIn Free on their systems so they can remote control their work machine and bypass the need to use a VPN license? I've used LogMeIn Free for years to connect to all my own business clients, but it's one thing to use it myself and small businesses, another to recommend its use to a larger company with resources for VPN, etc. My kneejerk reaction is no, but damned if I can come up with a viable excuse for that opinion. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: IIS redirect?
Google javascript http redirect http://www.pageresource.com/jscript/jredir.htm so if I go to http://mail.daves.com you automatically route me to https://mail.daves.com/exchange -troy -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 10:17 AM To: NT System Admin Issues Subject: IIS redirect? Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and...what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
Re: IIS redirect?
http://support.microsoft.com/kb/839357 DNS for the domain mail.myplace.com set up a web site that answers to it with an error page - that automatically redirects said user to the proper secure https://www.myplace.com/Exchange Works great. Steven On Tue, Dec 30, 2008 at 10:17 AM, David Lum david@nwea.org wrote: Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and….what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: IIS redirect?
DNS CNAME pointing mail.myplace.com to www.myplace.com Your default index.htm page at the website www.myplace.com is this: <META HTTP-EQUIV="Refresh" CONTENT="1; URL=../exchange"> Watch the names on your Certs so you don't get a mismatch. From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 1:17 PM To: NT System Admin Issues Subject: IIS redirect? Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and...what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
Re: IIS redirect?
and another link as well http://technet.microsoft.com/en-us/library/aa998359.aspx On Tue, Dec 30, 2008 at 10:24 AM, Steven Peck sep...@gmail.com wrote: http://support.microsoft.com/kb/839357 DNS for the domain mail.myplace.com set up a web site that answers to it with an error page - that automatically redirects said user to the proper secure https://www.myplace.com/Exchange Works great. Steven On Tue, Dec 30, 2008 at 10:17 AM, David Lum david@nwea.org wrote: Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and….what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: IIS redirect?
Modify my idea. I just saw the caveat. I would have put up a second website on the IIS server that answers to mail.myplace.com using host headers and set up the DNS to point to that. Then add the meta http code below to the index page for that. Perhaps the second website as I suggest for mail.myplace.com and the index page is: <META HTTP-EQUIV="Refresh" CONTENT="1; URL=www.myplace.com/exchange"> But I am unsure of that, give it a test. From: Kennedy, Jim Sent: Tuesday, December 30, 2008 1:24 PM To: NT System Admin Issues Subject: RE: IIS redirect? DNS CNAME pointing mail.myplace.com to www.myplace.com Your default index.htm page at the website www.myplace.com is this: <META HTTP-EQUIV="Refresh" CONTENT="1; URL=../exchange"> Watch the names on your Certs so you don't get a mismatch. From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 1:17 PM To: NT System Admin Issues Subject: IIS redirect? Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and...what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
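An added example, not from any poster in this thread: it resolves the META refresh targets suggested above the way a browser does, against the URL of the page that served the tag, and reports when the result misses the intended https://www.myplace.com/Exchange, which is where a certificate-name mismatch comes from. The function names are hypothetical, the hostnames are the thread's placeholders, and the third input (an absolute https target) is constructed for comparison.

```javascript
// Added example; parseRefresh/checkRefresh are hypothetical names, not an IIS or Exchange API.

// Parse a META refresh CONTENT value of the form "<seconds>; URL=<target>".
function parseRefresh(content) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$/i.exec(content);
  if (!m) return null;
  // Strip one pair of surrounding quotes if the target was quoted.
  const target = (m[2] || "").trim().replace(/^(['"])(.*)\1$/, "$2");
  return { delay: Number(m[1]), target };
}

// Resolve the refresh target against the serving page and compare with the intended URL.
function checkRefresh(pageUrl, content, intendedUrl) {
  const parsed = parseRefresh(content);
  if (!parsed) return { resolved: null, problems: ["unparseable CONTENT value"] };
  const resolved = new URL(parsed.target, pageUrl); // same rule the browser applies
  const intended = new URL(intendedUrl);
  const problems = [];
  if (resolved.protocol !== intended.protocol) {
    problems.push("scheme is " + resolved.protocol + " not " + intended.protocol);
  }
  if (resolved.hostname !== intended.hostname) {
    problems.push("host stays " + resolved.hostname +
      ", so a certificate issued for " + intended.hostname + " will not match");
  }
  // Assumption: IIS serves paths case-insensitively, so compare lowercased.
  if (resolved.pathname.toLowerCase() !== intended.pathname.toLowerCase()) {
    problems.push("path is " + resolved.pathname + " not " + intended.pathname);
  }
  return { delay: parsed.delay, resolved: resolved.href, problems };
}

// The user typed mail.myplace.com, so that host serves the index page.
const PAGE = "http://mail.myplace.com/index.htm";
const INTENDED = "https://www.myplace.com/Exchange";
const CASES = [
  "1; URL=../exchange",                       // relative: keeps the mail. host
  "1; URL=www.myplace.com/exchange",          // no scheme: treated as a relative path
  "0; URL=https://www.myplace.com/Exchange",  // constructed: absolute https target
];

for (const content of CASES) {
  const r = checkRefresh(PAGE, content, INTENDED);
  console.log(content, "->", r.resolved, r.problems.length ? r.problems : "OK");
}
```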
Re: C$ Permissions on a Domain Controller????
Isn't that the tops? :-) On Tue, Dec 30, 2008 at 10:54 AM, Jon D rekcahp...@gmail.com wrote: Thanks everyone. After reading everyone's advice that the permissions were okay I looked further and found that the problem was that a special group was added to the local administrators groups on most of the servers. Ends up, an administrator added code to the users login scripts to add this group locally, and another administrator had the users login script in his super user account. Thanks everyone! On Tue, Dec 30, 2008 at 6:04 AM, Ken Schaefer k...@adopenstatic.com wrote: Hi, The security permissions that are applied to files/folders when running dcpromo are in a template file on your DC in %systemroot%\security\templates. The DC security.inf template is what is used by secedit during the DCPromo process to re-ACL files/folders on your new DC. C$ is a share - not a folder/file/drive. You can't set the permissions on this normally. It should be restricted to those in the Administrators group. Permissions on the root folder of the C: drive are different to C$ permissions. Everyone (or Authenticated User) should have Read+Execute and List Folder Contents permission by default. Check the inf file for more info, or use secedit to re-ACL your box if you need to. Cheers Ken -Original Message- From: Jon D [mailto:rekcahp...@gmail.com] Sent: Tuesday, 30 December 2008 8:53 AM To: NT System Admin Issues Subject: C$ Permissions on a Domain Controller Anyone know what the proper permissions are on the C: drive of a Domain Controller? Are they special or no? I'm doing a security audit and I came across 2 domain controllers that do not require a password to access their C$ share. You can't view the permissions of the share itself, but the permissions on the C drive have authenticated users with full control. That can't be right. Anyone see anything like that before? Anyone know how dangerous it is to change the permissions (once I determine the correct permissions)?
Thanks in advance, Jon
XP volume issue
Good afternoon, Thanks to all who replied to my NT domain problem the past few days. I resolved the problem, and will post more on that in a bit. I have another problem related to the power outage. We have a workstation that has an IDE system disk, and 4 additional IDE drives configured as a striped volume. The system disk seems to be completely corrupted, but the real critical data is on the array. I swapped out the system disk, and loaded a fresh XP install. I can see two of the four disks in the array. Through troubleshooting, I determined one of the onboard IDE controllers went bad. We installed a PCI IDE controller card, and moved all drives to this card. In disk manager, I see 6 disks listed as follows:
Disk 1   Dynamic  55.91 GB  Online   Failed
Disk 2   Dynamic  Foreign
Disk 3   Dynamic  Foreign
Disk 4   Dynamic  55.91 GB  Online   Failed
Missing  Dynamic  55.91 GB  Offline  Failed
Missing  Dynamic  55.91 GB  Offline  Failed
I'm sure the two missing disks correspond to the two foreign disks. How can I re-associate the two foreign drives with the missing drives? What is the proper way to recreate this array without losing data? This is just a simple, non-redundant disk array. Thanks! Eric Brouwer IT Manager www.forestpost.com er...@forestpost.com 248.855.4333
RE: IIS redirect?
I do it at my ISA server. Sean Rector, MCSE -Original Message- From: Troy Meyer [mailto:troy.me...@monacocoach.com] Sent: Tuesday, December 30, 2008 1:24 PM To: NT System Admin Issues Subject: RE: IIS redirect? Google javascript http redirect http://www.pageresource.com/jscript/jredir.htm so if I go to http://mail.daves.com you automatically route me to https://mail.daves.com/exchange -troy -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 10:17 AM To: NT System Admin Issues Subject: IIS redirect? Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and...what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764
RE: IIS redirect?
not in DNS, but on your IIS management ... couple ways to achieve this 1) Use the redirect feature to redirect www.myplace.com/ to www.myplace.com/exchange 2) Set the default document for www.myplace.com to www.myplace.com/exchange/login.asp or default.asp or whatever the Exchange folder wants to use for default Erik Goldoff IT Consultant Systems, Networks, Security From: David Lum [mailto:david@nwea.org] Sent: Tuesday, December 30, 2008 1:17 PM To: NT System Admin Issues Subject: IIS redirect? Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I do that? It's a DNS entry and..what? I'm looking to make it so users don't have to include the /Exchange piece in the URL, so them typing mail.myplace.com takes them to the OWA page (Exchange 2003). Caveat: Server in question also hosts a regular www site and is not dedicated to just Exchange. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764