RE: IIS redirect?

2008-12-30 Thread Ken Schaefer
I would suggest ISA server (or whatever reverse proxy you have in place) if you 
have one

Alternatively, I would create a second website that answers to 
http://mail.myplace.com and create a custom 404 (File Not Found) error page 
that does a redirect to http://www.myplace.com/exchange -or-  you can use the 
native IIS redirect functionality that redirects any request for any 
file/folder to go to http://www.myplace.com/exchange.

Cheers
Ken

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, 31 December 2008 5:17 AM
To: NT System Admin Issues
Subject: IIS redirect?

Say I want to redirect mail.myplace.com to 
www.myplace.com/Exchange, how do I do that? 
It's a DNS entry and what? I'm looking to make it so users don't have to 
include the /Exchange piece in the URL, so them typing mail.myplace.com takes 
them to the OWA page (Exchange 2003).

Caveat: Server in question also hosts a regular www site and is not dedicated 
to just Exchange.





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

FWD: Top 10 PowerShell scripts that VMware administrators should use

2008-12-30 Thread Sam Cayze
Since we are praising powershell, I just came across this.  Handy list!

http://www.virtual-strategy.com/Eric-Siebert-s-Top-10/Top-10-PowerShell-scripts-that-VMware-administrators-should-use.html

Sam



NTBackup Restore question

2008-12-30 Thread Bill Monicher
I'm planning to do a test install of some software on a W2K3 R2 server

If I use NTBackup to back up the system drive, then restore it when
I'm done, will I be left with orphaned files?

--BM



RE: Win 2k8 Enterprise 240-day Eval & Terminal Services licenses for 25 users.

2008-12-30 Thread Webster
From: Klint Price - ArizonaITPro [mailto:kpr...@arizonaitpro.com] 
Subject: Win 2k8 Enterprise 240-day Eval & Terminal Services licenses for 25
users.

 

I need to throw together a test server with 25 terminal services users.

Does the 60 day eval (which can be increased to 240 days), allow for 25
simultaneous users via terminal services



In either per-user or per-device mode the TS will issue temporary 120-day
licenses.  If the TS is in workgroup mode then per-user licenses are not
tracked.  [Windows Server 2008 TS Resource Kit pages 121 and 122]

Webster



Win 2k8 Enterprise 240-day Eval & Terminal Services licenses for 25 users.

2008-12-30 Thread Klint Price - ArizonaITPro
I need to throw together a test server with 25 terminal services users.

Does the 60 day eval (which can be increased to 240 days), allow for 25 
simultaneous users via terminal services

Thanks,

Klint



RE: MS Server 2008 - Windows Server backup fails due to incorrect active volume

2008-12-30 Thread Christopher Bodnar
Have you seen this:

 

http://technet.microsoft.com/en-us/library/bb218863.aspx

 

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

  _  

From: Shazad Anwar [mailto:sha...@fastmail.co.uk] 
Sent: Tuesday, December 30, 2008 4:28 PM
To: NT System Admin Issues
Subject: MS Server 2008 - Windows Server backup fails due to incorrect
active volume

 

Hi,

 

I'm currently running Exchange 2007 SP1 on Server 2008 (Dell Poweredge
2970).

 

I currently use Backup Exec 12.5 to backup System State and Exchange
databases.

 

I'm trying to use Windows Server Backup to create a full backup of the
server but it keeps failing with this error:


"Backup started at '27/12/2008 19:18:44' failed as Volume Shadow copy
operation failed for backup volumes with following error code
'2155348129'. Please rerun backup once issue is resolved."

From looking up this error on google it seems C: drive should be active
partition for Shadow Copy to work but on my server a small Dell partition
has been set active.

Has anyone encountered this problem and know of a fix?

Thanks,

Shazad

 

 

 




Error finding VFLOPPY.SYS

2008-12-30 Thread David Lum
Has anyone seen this on a 2003 Server? Google-Fu points me to PowerQuest 
issues, which certainly is not on our servers. Other links point to resetting 
the MBR, I was wondering if anyone here has seen this in person on a server 
and what the fix might be.

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764








RE: AHCI Sata and sysprep

2008-12-30 Thread Sam Cayze
Great info everyone, thanks! 

-Sam

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com] 
Sent: Tuesday, December 30, 2008 3:30 PM
To: NT System Admin Issues
Subject: Re: AHCI Sata and sysprep

On my machines the non-AHCI SATA would not work if I didn't put in the
&CC_0106 at the end of the PCI ID.

To be on the safe side I ALWAYS put the device IDs in sysprep.inf
EXACTLY the way they were in the driver .inf.

I see I'm not the only one to suspect that putting
"BuildMassStorageSection = YES" in there will override your custom
SysprepMassStorage section ;)

Johonn2 wrote:
> I finished my sysprep for both the E6400 AHCI and IRRT and the Dell 
> OP760 series late last month.  I believe you need to drop the "&CC_0106"
> on it but I would have to look at mine to know for sure.  I am not in 
> the office today so if someone else does not help out by then, then I 
> will post it tomorrow.  Also I may be wrong again but 
> "BuildMassStorageSection = YES" I believe will overwrite your custom 
> [SysprepMassStorage].

-- 

Phil Brutsche
p...@optimumdata.com




General security discussion (was: LogMeIn)

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 1:03 PM, Kurt Buff  wrote:
> I'm beginning to wonder if all companies should maintain two
> physically separate networks and provide their employees with two
> computers - one that connects to the world, and one that is for core
> applications *only*.

  That's the way the NSA, DoD, and other three-letter agencies do
things.  If it's a matter of national security ("classified"), it's
not connected to the Internet.  The "air gap firewall" is the only
absolute defense against network attackers.

  If I could get that to fly for regular business stuff at work, I
would.  As it is, we've seriously considered setting up a farm of
Terminal Servers in a firewalled DMZ, and only allowing web browsing
from those, with no direct workstation<->public IP connectivity.

  Malware is getting advanced to the point where people are injecting
targeted code in to in-memory executables, without ever needing to
touch the filesystem, and then using that to read data and send it
out, using HTTP as a covert channel.  How the heck do you defend
against that without just locking the browser out of the computer
entirely?

  If you think about it, web browsing (including HTML email, which is
web browsing with a different transport) are incredibly risky
behaviors.  You're letting anyone in the world send instructions to
your computer, and your computer will carry those instructions out to
the best of its ability.  We call these instructions by fancy names,
like "HTML" and "JavaScript", but that's what they are.  Yikes.

  And people bitch that we block MySpace.  :-(

-- Ben



Re: NT issue RESOLVED

2008-12-30 Thread Kurt Buff
Get the comfy chair!

On Tue, Dec 30, 2008 at 1:28 PM, Eric Brouwer  wrote:
> Thanks again to everyone who responded to my issue.  The fix was a weird
> one.  With the power outage, our main switch lost its jumbo frames
> settings.  Once we reset all the ports to use jumbo frames, communications
> between the PDC and BDC were restored, and all was happy with the old
> network.
>
>
>
> 
>
> From: Erik Goldoff [mailto:egold...@gmail.com]
> Sent: Tuesday, December 30, 2008 10:24 AM
> To: NT System Admin Issues
> Subject: RE: NT issue
>
>
>
> we do somewhat agree there ... it does sound at least on the surface, like a
> WINS or maybe browse list issue
>
>
>
> Erik Goldoff
>
> IT  Consultant
>
> Systems, Networks, & Security
>
>
>
>
>
> 
>
> From: David James [mailto:bigdadd...@gmail.com]
> Sent: Tuesday, December 30, 2008 10:20 AM
> To: NT System Admin Issues
> Subject: RE: NT issue
>
> Either way, I'm wondering if a quick install of WINS and targeting at least
> his servers at it would help overcome this issue.
>
>
>
> From: Erik Goldoff [mailto:egold...@gmail.com]
> Sent: Tuesday, December 30, 2008 7:37 AM
> To: NT System Admin Issues
> Subject: RE: NT issue
>
>
>
> meant to address this earlier ... it is NOT the HOSTS file to look at ...
> HOSTS is the file based version of DNS, to resolve an FQDN to an IP
> address for NT Domain issues, the LMHOSTS file is the one that works
> like WINS to resolve NetBIOS names ( Browse ) to IP
>
>
>
> Erik Goldoff
>
> IT  Consultant
>
> Systems, Networks, & Security
>


Re: AHCI Sata and sysprep

2008-12-30 Thread Phil Brutsche
On my machines the non-AHCI SATA would not work if I didn't put in the
&CC_0106 at the end of the PCI ID.

To be on the safe side I ALWAYS put the device IDs in sysprep.inf
EXACTLY the way they were in the driver .inf.

I see I'm not the only one to suspect that putting
"BuildMassStorageSection = YES" in there will override your custom
SysprepMassStorage section ;)

Johonn2 wrote:
> I finished my sysprep for both the E6400 AHCI and IRRT and the Dell
> OP760 series late last month.  I believe you need to drop the “&CC_0106”
> on it but I would have to look at mine to know for sure.  I am not in
> the office today so if someone else does not help out by then, then I
> will post it tomorrow.  Also I may be wrong again but
> “BuildMassStorageSection = YES” I believe will overwrite your custom
> [SysprepMassStorage].

-- 

Phil Brutsche
p...@optimumdata.com




RE: AHCI Sata and sysprep

2008-12-30 Thread David James
I had to load one of the new system and then create a new image with the
sata drives.  I spent less time doing that than figuring out how to get my
old image to work.  I feel your pain though.

 

From: Sam Cayze [mailto:sam.ca...@rollouts.com] 
Sent: Tuesday, December 30, 2008 2:55 PM
To: NT System Admin Issues
Subject: AHCI Sata and sysprep

 

Been working and googling all day on this...

 

Trying to get my XP SP3 image to work on these new dell e series, with AHCI
enabled in the bios...  

Piece of cake with Vista.  

 

 

Anyone been down this road?

 

 

 

 

What my inf file looks like so far.  Still getting the famous STOP 07B error
or whatever it is.

 

[Sysprep]
BuildMassStorageSection = YES

[SysprepMassStorage]

;Drivers for ICH9SATA controller support
PCI\VEN_8086&DEV_2681&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_27C1&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_27C5&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2821&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2829&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2922&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2929&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_3A22&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2682&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_27C3&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_27C6&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_2822&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_282A&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf

 

 

 


RE: NT issue RESOLVED

2008-12-30 Thread Eric Brouwer
Thanks again to everyone who responded to my issue.  The fix was a weird
one.  With the power outage, our main switch lost its jumbo frames
settings.  Once we reset all the ports to use jumbo frames, communications
between the PDC and BDC were restored, and all was happy with the old
network.

 

  _  

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:24 AM
To: NT System Admin Issues
Subject: RE: NT issue

 

we do somewhat agree there ... it does sound at least on the surface, like a
WINS or maybe browse list issue

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 

  _  

From: David James [mailto:bigdadd...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:20 AM
To: NT System Admin Issues
Subject: RE: NT issue

Either way, I'm wondering if a quick install of WINS and targeting at least
his servers at it would help overcome this issue.  

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Tuesday, December 30, 2008 7:37 AM
To: NT System Admin Issues
Subject: RE: NT issue

 

meant to address this earlier ... it is NOT the HOSTS file to look at ...
HOSTS is the file based version of DNS, to resolve an FQDN to an IP
address for NT Domain issues, the LMHOSTS file is the one that works
like WINS to resolve NetBIOS names ( Browse ) to IP

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 

 

 

 


MS Server 2008 - Windows Server backup fails due to incorrect active volume

2008-12-30 Thread Shazad Anwar
Hi,

I'm currently running Exchange 2007 SP1 on Server 2008 (Dell
Poweredge 2970).

I currently use Backup Exec 12.5 to backup System State and
Exchange databases.

I'm trying to use Windows Server Backup to create a full backup
of the server but it keeps failing with this error:

"Backup started at '27/12/2008 19:18:44' failed as Volume Shadow
copy operation failed for backup volumes with following error
code '2155348129'. Please rerun backup once issue is resolved."

From looking up this error on google it seems C: drive should be
active partition for Shadow Copy to work but on my server a small
Dell partition has been set active.

Has anyone encountered this problem and know of a fix?

Thanks,

Shazad


RE: AHCI Sata and sysprep

2008-12-30 Thread Johonn2
I finished my sysprep for both the E6400 AHCI and IRRT and the Dell OP760
series late last month.  I believe you need to drop the "&CC_0106" on it but
I would have to look at mine to know for sure.  I am not in the office today
so if someone else does not help out by then, then I will post it tomorrow.
Also I may be wrong again but "BuildMassStorageSection = YES" I believe will
overwrite your custom [SysprepMassStorage].

 

 

I have my sysprep run by a batch file these days but when I am adding new
drives for storage I run it manually and tell it not to reboot.  If it
finishes correctly you are good to go if you gave it the right drivers.  If
it fails on the drivers then you should see an error message that references
not being able to update the registry or something on that line.  

 

Bob

 

From: Sam Cayze [mailto:sam.ca...@rollouts.com] 
Sent: Tuesday, December 30, 2008 3:55 PM
To: NT System Admin Issues
Subject: AHCI Sata and sysprep

 

Been working and googling all day on this...

 

Trying to get my XP SP3 image to work on these new dell e series, with AHCI
enabled in the bios...  

Piece of cake with Vista.  

 

 

Anyone been down this road?

 

 

 

 

What my inf file looks like so far.  Still getting the famous STOP 07B error
or whatever it is.

 

[Sysprep]
BuildMassStorageSection = YES

[SysprepMassStorage]

;Drivers for ICH9SATA controller support
PCI\VEN_8086&DEV_2681&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_27C1&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_27C5&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2821&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2829&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2922&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2929&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_3A22&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2682&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_27C3&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_27C6&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_2822&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_282A&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf

 

 

 


Re: AHCI Sata and sysprep

2008-12-30 Thread Phil Brutsche
I have a sysprep image that loads the AHCI drivers along with quite a
bunch of other stuff.

What you have looks mostly correct, here's what I have for AHCI if it
helps any:

[SysprepMassStorage]
PCI\VEN_8086&DEV_2681&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_27C1&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_27C5&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_2821&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_2829&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_2922&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_2929&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_3A02&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf
PCI\VEN_8086&DEV_3A22&CC_0106=%SystemDrive%\DRIVERS\storage\ahci\iaahci.inf

The last 2 lines are for the newer ICH10 AHCI controllers.

A sanitized and out-of-date version of my sysprep.inf is at
http://www.optimumdata.net/phil/sysprep.inf if it helps any.

If you note I have my drivers organized under C:\DRIVERS, you have it
under C:\Program Files. Perhaps you need to put the path in quotes, due
to the space in the directory name.

Something else to try: Remove the [sysprep] section and the
"BuildMassStorageSection" line.

If you look at my sysprep.inf I have manually added most of the IDE,
SATA, and SCSI controllers natively supported by XP SP3, so I don't need
sysprep to build the SysprepMassStorage section for me.

By telling Sysprep to build the [SysprepMassStorage] section you could
be telling it to override what you've put in for the AHCI drivers.

Sam Cayze wrote:
> Been working and googling all day on this...
>  
> Trying to get my XP SP3 image to work on these new dell e series, with
> AHCI enabled in the bios...  
> Piece of cake with Vista. 
>  
>  
> Anyone been down this road?
>  
>  
>  
>  
> What my inf file looks like so far.  Still getting the famous STOP 07B
> error or whatever it is.
>  
> [Sysprep]
> BuildMassStorageSection = YES
>  
> [SysprepMassStorage]
>  
> ;Drivers for ICH9SATA controller support
> PCI\VEN_8086&DEV_2681&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_27C1&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_27C5&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_2821&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_2829&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_2922&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_2929&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_3A22&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
> PCI\VEN_8086&DEV_2682&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
> PCI\VEN_8086&DEV_27C3&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
> PCI\VEN_8086&DEV_27C6&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
> PCI\VEN_8086&DEV_2822&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
> PCI\VEN_8086&DEV_282A&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
> 
>  
> 
>  
> 


-- 

Phil Brutsche
p...@optimumdata.com
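
The checks suggested in this thread, gathered into a small linter as an added example (not code from any poster or from Microsoft). The function names and finding codes are hypothetical, the sample file is constructed from the fragment quoted above, and each finding marks something the posters suspected rather than a confirmed Sysprep rule.

```python
import re

# Constructed sample modelled on the sysprep.inf fragment posted in this thread:
# unquoted paths containing a space, one entry broken across two lines the way
# the mail client wrapped it, and BuildMassStorageSection = YES.
SAMPLE_INF = r"""
[Sysprep]
BuildMassStorageSection = YES

[SysprepMassStorage]
;Drivers for ICH9SATA controller support
PCI\VEN_8086&DEV_2922&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2822&CC_0104=%SystemDrive%\Program
Files\Rollouts\Drivers\iastor.inf
"""


def parse_inf(text):
    """Map lower-cased section name -> [(line_number, stripped_line), ...].

    Blank lines and ';' comments are skipped. Line numbers are 1-based so a
    finding can be located in the file with an editor.
    """
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append((lineno, line))
    return sections


def lint_sysprep(text, driver_ids=None):
    """Return sorted (line_number, code, message) findings for human review.

    driver_ids (optional) is the list of hardware IDs copied from the driver's
    own .inf; when given, every [SysprepMassStorage] ID must match one of them
    exactly (case-insensitive), suffixes such as &CC_0106 included.
    """
    sections = parse_inf(text)
    known = {d.upper() for d in driver_ids} if driver_ids is not None else None
    findings, entries = [], 0

    for lineno, line in sections.get("sysprepmassstorage", []):
        if "=" not in line:
            # No 'hardware-id=path' shape: usually the tail of a wrapped line.
            findings.append((lineno, "wrapped-line",
                             "no '=' on this line; entry may be split in two"))
            continue
        hwid, path = (part.strip() for part in line.split("=", 1))
        entries += 1
        quoted = len(path) >= 2 and path[0] == path[-1] == '"'
        if " " in path and not quoted:
            findings.append((lineno, "unquoted-space",
                             "path has a space and is not quoted"))
        if known is not None and hwid.upper() not in known:
            findings.append((lineno, "id-mismatch",
                             "hardware ID differs from the driver .inf"))

    for lineno, line in sections.get("sysprep", []):
        key, _, value = line.partition("=")
        if (key.strip().lower() == "buildmassstoragesection"
                and value.strip().lower() == "yes" and entries):
            findings.append((lineno, "build-section",
                             "may override the hand-written entries"))

    return sorted(findings)


if __name__ == "__main__":
    for lineno, code, message in lint_sysprep(SAMPLE_INF):
        print(f"line {lineno}: [{code}] {message}")
```
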



RE: Virtualization Questions - More Q's

2008-12-30 Thread Fogarty, Richard R Mr CTR USA USASOC
"Extremely granular and an extreme PITA to do any work for.  Need a VM for
testing purposes?  A minimum 3 month process as it went thru all the change
control processes."

Although I don't appreciate the 3 month process, from my experience on huge
networks, using a structured methodology such as this provides more good
than bad. If the VM is needed for testing a truly well thought out
engineered solution probably would have thought that out from the beginning.
Shooting from the hip is usually what causes the network outages, so no root
cause analysis would be truly needed in that environment. 


Just my $0.02.

 

 

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Tuesday, December 30, 2008 12:05 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or even
domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune
15.  For the one small segment of their network I worked on, they had over
6,000 servers and over 35,000 PCs.  They had two dedicated IT staff who did
nothing but maintain the huge Excel SS of all their DHCP scopes,
reservations, server static IPs and server/scope options.  They had people
who did nothing but monitor NetBackup, people who changed tapes, people who
handled Iron Mountain, etc.  Extremely granular and an extreme PITA to do
any work for.  Need a VM for testing purposes?  A minimum 3 month process as
it went thru all the change control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized. I dunno if I'd want to work somewhere
that limits me that much as far as what I'm working with.  And yet, I'm sure
if you apply for one of those positions, you are still required to have 10+
years experience, and expertise with Windows, Unix, mainframes, every
desktop OS known to man, etc.

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500 type
companies).

 

In those types of orgs the AD team is usually separate from Virtualisation
(which is predominantly VMWare), which is again separate from the hardware
components (network, security, storage). Even as a directory, AD is usually
limited to the Wintel area, and most large orgs have significant investment
in *nix, midrange/mainframe systems as well. The "source of truth" is
generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant overlap, so
it's not really an  issue. In larger shops (once there isn't a predominance
of Windows), and AD isn't "king", it starts to become something that needs
to be dealt with in some way.


Cheers

Ken

 

 

 


AHCI Sata and sysprep

2008-12-30 Thread Sam Cayze
Been working and googling all day on this...
 
Trying to get my XP SP3 image to work on these new dell e series, with
AHCI enabled in the bios...  
Piece of cake with Vista.  
 
 
Anyone been down this road?
 
 
 
 
What my inf file looks like so far.  Still getting the famous STOP 07B
error or whatever it is.
 
[Sysprep]
BuildMassStorageSection = YES

[SysprepMassStorage]

;Drivers for ICH9SATA controller support
PCI\VEN_8086&DEV_2681&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_27C1&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_27C5&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2821&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2829&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2922&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2929&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_3A22&CC_0106=%SystemDrive%\Program Files\Rollouts\Drivers\iaahci.inf
PCI\VEN_8086&DEV_2682&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_27C3&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_27C6&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_2822&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf
PCI\VEN_8086&DEV_282A&CC_0104=%SystemDrive%\Program Files\Rollouts\Drivers\iastor.inf


RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread Greg Mulholland
I saw it that way as well until I read it again. wow, spooky!

Greg

From: Kennedy, Jim [kennedy...@elyriaschools.org]
Sent: Wednesday, 31 December 2008 2:48 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)

Ok, I am off to get more coffee. I saw "doesn't" instead of what you actually 
wrote.


> -Original Message-
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Tuesday, December 30, 2008 10:48 AM
> To: NT System Admin Issues
> Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)
>
> Isn't that what I said?
>
> :-)
>
> But my biggest issue is that in our organization, that's not
> particularly useful. We need everyone to get OOFs, including people
> outside the organization. Although customizing the message sent
> internally vs. externally is nice.
>
>
>
> -Original Message-
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Tuesday, December 30, 2008 9:46 AM
> To: NT System Admin Issues
> Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)
>
>
> Sure it does, that is how ours is I just retested it to be certain.
> Internals get OOF's and externals do not.
>
>
> > -Original Message-
> > From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> > Sent: Tuesday, December 30, 2008 9:38 AM
> > To: NT System Admin Issues
> > Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)
>
>
> > Exchange 2007 does support separating the handling of OOO's between
> > internal and external senders...
>


Re: Virtualization Questions - More Q's

2008-12-30 Thread S Conn.
On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer  wrote:
> -Original Message-
> From: S Conn. [mailto:sysadminli...@gmail.com]
> Subject: Re: Virtualization Questions - More Q's
>
>> I don't see a lot of difference here between virtual environment vs physical.
>
> Physical access can mean control - but you can control physical access. Not 
> to mention detecting network changes and preventing/detecting BIOS changes 
> (via passwords and ILO/DRAC etc)
>
> In a virtual environment, your virtualisation people control the BIOS, the 
> boot sequence, the virtual networks that are exposed, and even the hard disks 
> of the VMs themselves. And they can do that remotely. In a physical world, 
> your virtualisation people wouldn't have access to the cabinets that store 
> your physical domain controllers or other physical servers. Just the servers 
> that host the VM hosts.
>
> Additionally, there are occasionally vulnerabilities in virtualisation 
> software (a couple for VMWare and a more for other products). These can be 
> used to gain access to VMs by holding privileges on the host.
>
> Cheers
> Ken
>

VMware allows you to password protect the BIOS, just like a physical
machine.  As for network changes, a VMWare administrator can change
only the virtual switches and virtual NICs, they can't affect the
physical switches connecting the rest of the network.

Basically you have to treat the virtual environment the same as a
physical environment and treat the access program (such as
VirtualCenter) just like physical access.  Yes you can access it
remotely, but IP KVMs, Remote PDUs, DRAC/ILO cards, etc provide the
same remote access for physical servers.  Except, with virtual, you
can delegate certain tasks a lot better than just giving a bunch of
folks the key to the door of your server room or maintaining a ton of
remote access products.

You do have a good point with the software vulnerabilities.  However,
I'd have to argue that you have those with just about any other
solution.  I'm sure a clever hacker can figure out a remote PDU or
DRAC card.  Following best practices, such as putting your service
consoles on non-production management networks, setting up isolation,
patching, etc can help with these problems.

Seth



RE: XP volume issue

2008-12-30 Thread NTSysAdmin
You need to import the unrecognized disks.

-Original Message-
From: Eric Brouwer [mailto:er...@forestpost.com] 
Sent: Tuesday, December 30, 2008 2:50 PM
To: NT System Admin Issues
Subject: XP volume issue

Good afternoon,

Thanks to all who replied to my NT domain problem the past few days.   
I resolved the problem, and will post more on that in a bit.

I have another problem related to the power outage.  We have a  
workstation that has an IDE system disk, and 4 additional IDE drives  
configured as a striped volume.  The system disk seems to be completely  
corrupted, but the real critical data is on the array.  I swapped out  
the system disk, and loaded a fresh XP install.  I can see two of the  
four disks in the array.  Through troubleshooting, I determined one of  
the onboard IDE controllers went bad.  We installed a PCI IDE  
controller card, and moved all drives to this card.  In disk manager,  
I see 6 disks listed as follows:

Disk 1   Dynamic  55.91 GB  Online   Failed
Disk 2   Dynamic  Foreign
Disk 3   Dynamic  Foreign
Disk 4   Dynamic  55.91 GB  Online   Failed
Missing  Dynamic  55.91 GB  Offline  Failed
Missing  Dynamic  55.91 GB  Offline  Failed

I'm sure the two missing disks correspond to the two foreign disks.   
How can I re-associate the two foreign drives with the missing  
drives?  What is the proper way to recreate this array without losing  
data?  This is just a simple, non-redundant disk array.

Thanks!

Eric Brouwer
IT Manager
www.forestpost.com
er...@forestpost.com
248.855.4333







RE: LogMeIn

2008-12-30 Thread NTSysAdmin
I have a client, a large firm of lawyers. They use PCs & servers for their 
legal work & document printing. No connection to the internet at all for that 
network. Updates are by DVD & remote deployment.

They have Macs for email & internet. Email hosted off site.

S

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, December 30, 2008 2:04 PM
To: NT System Admin Issues
Subject: Re: LogMeIn

Thoroughly agree.

Hell, I'm fighting a battle now to keep personal machines from
connecting via VPN.

My mantra: "If the hardware isn't owned and controlled by the company,
I don't want it on the company network."

I'm beginning to wonder if all companies should maintain two
physically separate networks and provide their employees with two
computers - one that connects to the world, and one that is for core
applications *only*.

Kurt

On Tue, Dec 30, 2008 at 6:15 AM, Ben Scott  wrote:
> On Tue, Dec 30, 2008 at 9:01 AM, David Lum  wrote:
>> I work for a company with ~300 employees, is there a reason to discourage a
>> few of our employees from installing LogMeIn Free on their systems ...
>
>  You're letting an outside organization have control of one of your
> computers.  You're okay with that?  Cool, can I have control of one of
> your computers, too?  I promise I won't do anything bad.  Pinky swear!
>
>  Sure, all these remote-control companies claim to have great
> security.  *Everybody* claims that.  And yet, major security problems
> keep on happening, all over the place, all the time.  From this, we
> can conclude that claims of great security mean precisely nothing.
>
>  "Security problems" don't have to mean them taking over the world.
> It doesn't have to mean organization-wide intent.  It could be one
> employee with a grudge.  Or maybe an undetected remote compromise on a
> server in their datacenter -- these are high-profile targets, and
> custom malware would be undetectable by signature-based virus
> scanners.  Or maybe they cut back on security spending when the
> economy tanked.  It might not be something you could detect -- passive
> monitoring would be invisible.  It might not even be something with
> specific intent -- maybe random malware makes it into their systems,
> and then propagates over the remote-control system to you.
>
> -- Ben
>


RE: IIS redirect?

2008-12-30 Thread Erik Goldoff
not in DNS, but on your IIS management ... couple ways to achieve this
 
1)  Use the redirect feature to redirect www.myplace.com/  to
www.myplace.com/exchange
2) Set the default document for www.myplace.com to
www.myplace.com/exchange/login.asp  or default.asp or whatever the Exchange
folder wants to use for default
 

Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

  _  

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, December 30, 2008 1:17 PM
To: NT System Admin Issues
Subject: IIS redirect?



Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do
I do that? It's a DNS entry and..what? I'm looking to make it so users don't
have to include the /Exchange piece in the URL, so them typing
mail.myplace.com takes them to the OWA page (Exchange 2003).

 

Caveat: Server in question also hosts a regular www site and is not
dedicated to just Exchange.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 


 


 



RE: IIS redirect?

2008-12-30 Thread Sean Rector
I do it at my ISA server.

Sean Rector, MCSE

-Original Message-
From: Troy Meyer [mailto:troy.me...@monacocoach.com] 
Sent: Tuesday, December 30, 2008 1:24 PM
To: NT System Admin Issues
Subject: RE: IIS redirect?

Google javascript http redirect

http://www.pageresource.com/jscript/jredir.htm


so if I go to http://mail.daves.com you automatically route me to
https://mail.daves.com/exchange


-troy

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, December 30, 2008 10:17 AM
To: NT System Admin Issues
Subject: IIS redirect?

Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how
do I do that? It's a DNS entry and….what? I'm looking to make it so
users don't have to include the /Exchange piece in the URL, so them
typing mail.myplace.com takes them to the OWA page (Exchange 2003).

 

Caveat: Server in question also hosts a regular www site and is not
dedicated to just Exchange.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 


 

 




XP volume issue

2008-12-30 Thread Eric Brouwer

Good afternoon,

Thanks to all who replied to my NT domain problem the past few days.   
I resolved the problem, and will post more on that in a bit.


I have another problem related to the power outage.  We have a  
workstation that has an IDE system disk, and 4 additional IDE drives  
configured as a striped volume.  The system disk seems to be completely  
corrupted, but the real critical data is on the array.  I swapped out  
the system disk, and loaded a fresh XP install.  I can see two of the  
four disks in the array.  Through troubleshooting, I determined one of  
the onboard IDE controllers went bad.  We installed a PCI IDE  
controller card, and moved all drives to this card.  In disk manager,  
I see 6 disks listed as follows:


Disk 1   Dynamic  55.91 GB  Online   Failed
Disk 2   Dynamic  Foreign
Disk 3   Dynamic  Foreign
Disk 4   Dynamic  55.91 GB  Online   Failed
Missing  Dynamic  55.91 GB  Offline  Failed
Missing  Dynamic  55.91 GB  Offline  Failed

I'm sure the two missing disks correspond to the two foreign disks.   
How can I re-associate the two foreign drives with the missing  
drives?  What is the proper way to recreate this array without losing  
data?  This is just a simple, non-redundant disk array.


Thanks!

Eric Brouwer
IT Manager
www.forestpost.com
er...@forestpost.com
248.855.4333







Re: C$ Permissions on a Domain Controller????

2008-12-30 Thread Jonathan Link
Isn't that the tops? :-)

On Tue, Dec 30, 2008 at 10:54 AM, Jon D  wrote:

> Thanks everyone. After reading everyone's advice that the permissions
> were okay I looked further and found that the problem was that a
> special group was added to the local administrators groups on most of
> the servers.
>
> Ends up, an administrator added code to the users login scripts to
> add this group locally, and another administrator had the users login
> script in his super user account.
>
> Thanks everyone!
>
>
>
>
>
> On Tue, Dec 30, 2008 at 6:04 AM, Ken Schaefer 
> wrote:
> > Hi,
> >
> > The security permissions that are applied to files/folders when running
> dcpromo are in a template file on your DC in
> %systemroot%\security\templates. The "DC security.inf" template is what is
> used by secedit during the DCPromo process to re-ACL files/folders on your
> new DC.
> >
> > C$ is a share - not a folder/file/drive. You can't set the permissions on
> this normally. It should be restricted to those in the Administrators group.
> >
> > Permissions on the root folder of the C: drive are different to C$
> permissions. Everyone (or Authenticated User) should have Read+Execute and
> List Folder Contents permission by default. Check the inf file for more
> info, or use secedit to re-ACL your box if you need to.
> >
> > Cheers
> > Ken
> >
> > -Original Message-
> > From: Jon D [mailto:rekcahp...@gmail.com]
> > Sent: Tuesday, 30 December 2008 8:53 AM
> > To: NT System Admin Issues
> > Subject: C$ Permissions on a Domain Controller
> >
> > Anyone know what the proper permissions are on the C: drive of a
> > Domain Controller?
> > Are they special or no?
> >
> > I'm doing a security audit and I came across 2 domain controllers that
> > do not require a password to access their C$ share.
> > You can't view the permissions of the share itself, but the
> > permissions on the C drive have authenticated users with full control.
> >
> > That can't be right.
> > Anyone see anything like that before?
> > Anyone know how dangerous it is to change the permissions(once I
> > determine the correct permissions)?
> >
> >
> >
> >
> > Thanks in advance,
> > Jon
> >
> >
> >

RE: IIS redirect?

2008-12-30 Thread Kennedy, Jim
Modify my idea. I just saw the caveat.

I would have put up a second website on the IIS server that answers to 
mail.myplace.com using host headers and set up the DNS to point to that. Then 
add the meta http code below to the index page for that.

Perhaps the second website as I suggest for mail.myplace.com and the index page 
is:



But I am unsure of that, give it a test.


From: Kennedy, Jim
Sent: Tuesday, December 30, 2008 1:24 PM
To: NT System Admin Issues
Subject: RE: IIS redirect?

DNS CNAME pointing mail.myplace.com to www.myplace.com

Your default index.htm page at the website 
www.myplace.com is this:



Watch the names on your Certs so you don't get a mismatch.




From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 30, 2008 1:17 PM
To: NT System Admin Issues
Subject: IIS redirect?

Say I want to redirect mail.myplace.com to 
www.myplace.com/Exchange, how do I do that? 
It's a DNS entry and….what? I'm looking to make it so users don't have to 
include the /Exchange piece in the URL, so them typing mail.myplace.com takes 
them to the OWA page (Exchange 2003).

Caveat: Server in question also hosts a regular www site and is not dedicated 
to just Exchange.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764








Re: IIS redirect?

2008-12-30 Thread Steven Peck
and another link as well
http://technet.microsoft.com/en-us/library/aa998359.aspx

On Tue, Dec 30, 2008 at 10:24 AM, Steven Peck  wrote:
> http://support.microsoft.com/kb/839357
> DNS for the domain mail.myplace.com
> set up a web site that answers to it with an error page
> - that automatically redirects said user to the proper secure
> https://www.myplace.com/Exchange
>
> Works great.
>
> Steven
>
> On Tue, Dec 30, 2008 at 10:17 AM, David Lum  wrote:
>> Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do
>> I do that? It's a DNS entry and….what? I'm looking to make it so users don't
>> have to include the /Exchange piece in the URL, so them typing
>> mail.myplace.com takes them to the OWA page (Exchange 2003).
>>
>>
>>
>> Caveat: Server in question also hosts a regular www site and is not
>> dedicated to just Exchange.
>>
>> David Lum // SYSTEMS ENGINEER
>> NORTHWEST EVALUATION ASSOCIATION
>> (Desk) 971.222.1025 // (Cell) 503.267.9764
>>
>>
>>
>>
>>
>>
>



Re: IIS redirect?

2008-12-30 Thread Steven Peck
http://support.microsoft.com/kb/839357
DNS for the domain mail.myplace.com
set up a web site that answers to it with an error page
- that automatically redirects said user to the proper secure
https://www.myplace.com/Exchange

Works great.

Steven

On Tue, Dec 30, 2008 at 10:17 AM, David Lum  wrote:
> Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do
> I do that? It's a DNS entry and….what? I'm looking to make it so users don't
> have to include the /Exchange piece in the URL, so them typing
> mail.myplace.com takes them to the OWA page (Exchange 2003).
>
>
>
> Caveat: Server in question also hosts a regular www site and is not
> dedicated to just Exchange.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
>
>
>



RE: IIS redirect?

2008-12-30 Thread Kennedy, Jim
DNS CNAME pointing mail.myplace.com to www.myplace.com

Your default index.htm page at the website 
www.myplace.com is this:



Watch the names on your Certs so you don't get a mismatch.




From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 30, 2008 1:17 PM
To: NT System Admin Issues
Subject: IIS redirect?

Say I want to redirect mail.myplace.com to 
www.myplace.com/Exchange, how do I do that? 
It's a DNS entry and….what? I'm looking to make it so users don't have to 
include the /Exchange piece in the URL, so them typing mail.myplace.com takes 
them to the OWA page (Exchange 2003).

Caveat: Server in question also hosts a regular www site and is not dedicated 
to just Exchange.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764







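Added example (not part of the thread, and not code from any poster): a redirect is only processed after the TLS handshake completes, so the certificate caveat above applies to every https:// name a user can type, including the mail.myplace.com alias. The hostnames are the ones used in the thread; the certificate name lists are constructed for illustration.

```python
from urllib.parse import urlsplit


def san_matches(pattern, host):
    """DNS name match in the style of RFC 6125.

    '*' is honoured only as the entire left-most label, covers exactly one
    label, and must have at least two labels to its right.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def tls_name_problems(hops, cert_sans):
    """Return the https:// hops whose host the certificate does not cover.

    hops:      URLs in the order the browser visits them (the typed URL
               first, then each redirect target).
    cert_sans: DNS names in the certificate the server presents.
    """
    problems = []
    for url in hops:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue  # plain HTTP hop: no handshake, so no name check here
        host = parts.hostname or ""
        if not any(san_matches(san, host) for san in cert_sans):
            problems.append(url)
    return problems


# Constructed certificate name lists for the one IIS box behind both names.
CERT_WWW_ONLY = ["www.myplace.com"]
CERT_BOTH = ["www.myplace.com", "mail.myplace.com"]
CERT_WILDCARD = ["*.myplace.com"]

# What the browser visits when the user types the alias with and without TLS.
TYPED_HTTP = ["http://mail.myplace.com/", "https://www.myplace.com/exchange"]
TYPED_HTTPS = ["https://mail.myplace.com/", "https://www.myplace.com/exchange"]

if __name__ == "__main__":
    for label, sans in (("www only", CERT_WWW_ONLY),
                        ("www + mail", CERT_BOTH),
                        ("wildcard", CERT_WILDCARD)):
        print(label, "typed http :", tls_name_problems(TYPED_HTTP, sans))
        print(label, "typed https:", tls_name_problems(TYPED_HTTPS, sans))
```

With a certificate that names only www.myplace.com, the http:// entry point redirects cleanly, while https://mail.myplace.com fails the name check before the redirect is ever sent.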

RE: IIS redirect?

2008-12-30 Thread Troy Meyer
Google javascript http redirect

http://www.pageresource.com/jscript/jredir.htm


so if I go to http://mail.daves.com you automatically route me to 
https://mail.daves.com/exchange


-troy

-Original Message-
From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, December 30, 2008 10:17 AM
To: NT System Admin Issues
Subject: IIS redirect?

Say I want to redirect mail.myplace.com to www.myplace.com/Exchange, how do I 
do that? It's a DNS entry and….what? I'm looking to make it so users don't 
have to include the /Exchange piece in the URL, so them typing mail.myplace.com 
takes them to the OWA page (Exchange 2003).

 

Caveat: Server in question also hosts a regular www site and is not dedicated 
to just Exchange.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 


 

 




Re: LogMeIn

2008-12-30 Thread Jon Harris
You let your users install software?  That is asking for more problems than
you will ever fix.

Jon

On Tue, Dec 30, 2008 at 9:01 AM, David Lum  wrote:

>  I work for a company with ~300 employees, is there a reason to discourage
> a few of our employees from installing LogMeIn Free on their systems so they
> can remote control their work machine and bypass the need to use a VPN
> license?
>
>
>
> I've used LogMeIn Free for years to connect to all my own business clients,
> but it's one thing to use it myself and small businesses, another to
> recommend its use to a larger company with resources for VPN, etc.
>
>
>
> My kneejerk reaction is "no", but damned if I can come up with a viable
> excuse for that opinion.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
>
>
>
>
>
>
>


Re: LogMeIn

2008-12-30 Thread Kurt Buff
I would agree with that.

If the President of the US can't have one, I don't want anyone in my
company to have one.

I'll leave my reasons why to be worked out as an exercise for the reader.

Kurt

On Tue, Dec 30, 2008 at 7:33 AM, David James  wrote:
> So Blackberries and any other service shouldn't be used either.  That's a
> 3rd party who can view all your email.
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Tuesday, December 30, 2008 9:27 AM
> To: NT System Admin Issues
> Subject: Re: LogMeIn
>
> On Tue, Dec 30, 2008 at 10:16 AM, David James  wrote:
>> It's about helping your users use technology to be more productive, not
>> having a power trip.
>
>  The problem is that security *never* shows up as a profit.  (Unless
> you're a security firm, heh.)  So if we follow that logic, all
> security should be banished.  Of course, security failures show up --
> as losses, when it's too late.
>
>  The thing that really gets me about this is that people simply
> *assume* LogMeIn, GoToMyPC, etc., are trustworthy.



IIS redirect?

2008-12-30 Thread David Lum
Say I want to redirect mail.myplace.com to 
www.myplace.com/Exchange, how do I do that? 
It's a DNS entry and….what? I'm looking to make it so users don't have to 
include the /Exchange piece in the URL, so them typing mail.myplace.com takes 
them to the OWA page (Exchange 2003).

Caveat: Server in question also hosts a regular www site and is not dedicated 
to just Exchange.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



RE: Search software

2008-12-30 Thread Joe Heaton
Looking at Express, and it looks pretty good.  Free doesn't hurt
either...lol.

Joe Heaton
Employment Training Panel


-Original Message-
From: Kevin Lundy [mailto:klu...@gmail.com] 
Sent: Monday, December 29, 2008 3:18 PM
To: NT System Admin Issues
Subject: Re: Search software

Search Server Express should work for you just fine.

On 12/29/08, Joe Heaton  wrote:
> A little under 56,000 files, at 5 GB.  They're accessed over a mapped
> drive from the desktops.  I haven't gone through the directories, but
> I'm sure some of those are going to be screenshots saved as PDFs... I
> don't expect to search within those, and I have no plan of getting any
> OCR software...
>
>
>
> Joe Heaton
>
> Employment Training Panel
>
>
>
> From: Kevin Lundy [mailto:klu...@gmail.com]
> Sent: Monday, December 29, 2008 1:38 PM
> To: NT System Admin Issues
> Subject: Re: Search software
>
>
>
> No, not at all.  I've got it running under 2k3.
>
>
>
> How many files and what total size are you talking about?
>
> On Mon, Dec 29, 2008 at 4:33 PM, Joe Heaton 
wrote:
>
> I looked at Search Server, but that's just a 2k8 thing, right?
>
>
> Joe Heaton
> Employment Training Panel
>
> -Original Message-
> From: Kevin Lundy [mailto:klu...@gmail.com]
>
> Sent: Monday, December 29, 2008 12:05 PM
> To: NT System Admin Issues
> Subject: Re: Search software
>
> +1 for the MS Search Server.
>
> Or have a look at the Google appliance
>
> I'd recommend against a desktop search if these are network shares of
> any size.  Desktop search will index them across the network ... For
> each desktop.
>
> On 12/29/08, Michael B. Smith 
wrote:
>
>> Have you looked at Windows Search Server?
>>
>>
>>
>> Regards,
>>
>>
>>
>> Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
>>
>> My blog: http://TheEssentialExchange.com/blogs/michael
>>
>> I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php
>>
>>
>>
>
>> From: Joe Heaton [mailto:jhea...@etp.ca.gov]
>
>> Sent: Monday, December 29, 2008 1:52 PM
>
>> To: NT System Admin Issues
>> Subject: Search software
>>
>>
>>
>> Anyone using any third party search software?  We have archived
> contract
>> folders going back years, and we have a department that has to search
>> through these folders for keywords, dates, etc.  Windows Search is
> extremely
>> lacking and extremely hit and miss.  Does anyone have any other
> options,
>> free or paid for?
>>
>>
>>
>> Joe Heaton
>>
>> AISA
>>
>> Employment Training Panel
>>
>> 1100 J Street, 4th Floor
>>
>> Sacramento, CA  95814
>>
>> (916) 327-5276
>>
>> jhea...@etp.ca.gov
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
> --
> Sent from my mobile device
>
>
>
>
>
>
>

-- 
Sent from my mobile device



Re: LogMeIn

2008-12-30 Thread Kurt Buff
On Tue, Dec 30, 2008 at 7:16 AM, David James  wrote:
> It's about helping your users use technology to be more productive, not
> having a power trip.  The company must survive tight economic times, so use
> all your tools to provide them ways to produce from anywhere at anytime, and
> you'll be a hero to your users and company management.

As computer professionals, our ethics should be similar to other professions.

Here's one statement that I think should be kept in mind, from another
profession:

"First, do no harm."

Logmein and other 3rd party remote access products, IMNSHO, are the
rough equivalent of sending a 3 year old to play in the auto wrecking
yard.

Kurt



Re: A/V on VM Host

2008-12-30 Thread Devin Meade
I run AV on our VMWare server host boxes and exclude the local folder
for the guests.  I am contemplating removing this to recapture the AV
licenses.  Actually I plan on moving these boxes to ESXi.  Betcha ESXi
won't run AV software (have not checked that).  But that's three of
four projects from now :-/

I consider it kind of like running file based AV on an SQL or Exchange
server.  Yes you can do it but exclude everything of value (so why do
it anyway?).

Devin


On Tue, Dec 30, 2008 at 9:49 AM, Roger Wright  wrote:
> Would the anti-virus package on a host machine also protect the guest VMs?
>
>
>
> I was wondering if, say, VirusScan is installed on the host box, wouldn't it
> be scanning all data streaming across the NIC, including that which is
> destined for the VMs?
>
>
>
> Is there a flaw in my thinking?
>
>
>
>
>
>
>
> Roger Wright
>
> Network Administrator
>
> Evatone, Inc.
>
> 727.572.7076  x388
>
>
>
> _
>
>
>
>
>
>



-- 
Devin



Re: LogMeIn

2008-12-30 Thread Kurt Buff
Thoroughly agree.

Hell, I'm fighting a battle now to keep personal machines from
connecting via VPN.

My mantra: "If the hardware isn't owned and controlled by the company,
I don't want it on the company network."

I'm beginning to wonder if all companies should maintain two
physically separate networks and provide their employees with two
computers - one that connects to the world, and one that is for core
applications *only*.

Kurt

On Tue, Dec 30, 2008 at 6:15 AM, Ben Scott  wrote:
> On Tue, Dec 30, 2008 at 9:01 AM, David Lum  wrote:
>> I work for a company with ~300 employees, is there a reason to discourage a
>> few of our employees from installing LogMeIn Free on their systems ...
>
>  You're letting an outside organization have control of one of your
> computers.  You're okay with that?  Cool, can I have control of one of
> your computers, too?  I promise I won't do anything bad.  Pinky swear!
>
>  Sure, all these remote-control companies claim to have great
> security.  *Everybody* claims that.  And yet, major security problems
> keep on happening, all over the place, all the time.  From this, we
> can conclude that claims of great security mean precisely nothing.
>
>  "Security problems" don't have to mean them taking over the world.
> It doesn't have to mean organization-wide intent.  It could be one
> employee with a grudge.  Or maybe an undetected remote compromise on a
> server in their datacenter -- these are high-profile targets, and
> custom malware would be undetectable by signature-based virus
> scanners.  Or maybe they cut back on security spending when the
> economy tanked.  It might not be something you could detect -- passive
> monitoring would be invisible.  It might not even be something with
> specific intent -- maybe random malware makes it into their systems,
> and then propagates over the remote-control system to you.
>
> -- Ben
>
>



RE: Virtualization Questions - More Q's

2008-12-30 Thread Christopher Bodnar
Yes there are definitely shops out there of that size. And they are
"silo'd" to use IBM terminology. I've been part of a Global Services
outsourcing and experienced that. But keep in mind that there aren't that
many companies out there with that scope. My last employer had 100,000
users globally and didn't have that sort of granularity. 

 

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

  _  

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Tuesday, December 30, 2008 12:05 PM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or even
domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune
15.  For the one small segment of their network I worked on, they had over
6,000 servers and over 35,000 PCs.  They had two dedicated IT staff who
did nothing but maintain the huge Excel SS of all their DHCP scopes,
reservations, server static IPs and server/scope options.  They had people
who did nothing but monitor NetBackup, people who changed tapes, people
who handled Iron Mountain, etc.  Extremely granular and an extreme PITA to
do any work for.  Need a VM for testing purposes?  A minimum 3 month
process as it went thru all the change control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized. I dunno if I'd want to work
somewhere that limits me that much as far as what I'm working with.  And
yet, I'm sure if you apply for one of those positions, you are still
required to have 10+ years experience, and expertise with Windows, Unix,
mainframes, every desktop OS known to man, etc.

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500
type companies).

 

In those types of orgs the AD team is usually separate from Virtualisation
(which is predominantly VMWare), which is again separate from the hardware
components (network, security, storage). Even as a directory, AD is
usually limited to the Wintel area, and most large orgs have significant
investment in *nix, midrange/mainframe systems as well. The "source of
truth" is generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant overlap,
so it's not really an  issue. In larger shops (once there isn't a
predominance of Windows), and AD isn't "king", it starts to become
something that needs to be dealt with in some way.


Cheers

Ken

 

 

 




RE: Virtualization Questions - More Q's

2008-12-30 Thread Joe Heaton
Wow, I've never worked for anything even close to that big.  Where I'm
at now is the largest IT department I've been in, and there's only 6 of
us, 3 of which are developers, one is the manager, me on the server
side, and one guy doing desktops.

 

And I may be laid off soon, if the Governator has his way...

 

Joe Heaton

Employment Training Panel

 

From: Webster [mailto:carlwebs...@gmail.com] 
Sent: Tuesday, December 30, 2008 9:05 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or
even domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global
Fortune 15.  For the one small segment of their network I worked on,
they had over 6,000 servers and over 35,000 PCs.  They had two dedicated
IT staff who did nothing but maintain the huge Excel SS of all their
DHCP scopes, reservations, server static IPs and server/scope options.
They had people who did nothing but monitor NetBackup, people who
changed tapes, people who handled Iron Mountain, etc.  Extremely
granular and an extreme PITA to do any work for.  Need a VM for testing
purposes?  A minimum 3 month process as it went thru all the change
control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized... I dunno if I'd want to work
somewhere that limits me that much as far as what I'm working with.  And
yet, I'm sure if you apply for one of those positions, you are still
required to have 10+ years experience, and expertise with Windows, Unix,
mainframes, every desktop OS known to man, etc...

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500
type companies).

 

In those types of orgs the AD team is usually separate from
Virtualisation (which is predominantly VMWare), which is again separate
from the hardware components (network, security, storage). Even as a
directory, AD is usually limited to the Wintel area, and most large orgs
have significant investment in *nix, midrange/mainframe systems as well.
The "source of truth" is generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant
overlap, so it's not really an  issue. In larger shops (once there isn't
a predominance of Windows), and AD isn't "king", it starts to become
something that needs to be dealt with in some way.


Cheers

Ken

 

 

 


Re: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread Kurt Buff
Note to whoever publishes L*yris - Set the headers correctly on the lists, too.

On Tue, Dec 30, 2008 at 8:03 AM, Ben Scott  wrote:
> On Tue, Dec 30, 2008 at 9:38 AM, John Hornbuckle
>  wrote:
>> Exchange 2003 had a registry hack that was supposed to minimize occurrences 
>> of OOO's going to mailing
>> lists, but I believe that has gone away with 2007.
>
> #ifdef RANT
>
>  WTF?  Why is this so hard for Microsoft to figure out?  The
> "vacation" program I used on the university's DEC Ultrix machines back
> in 1996 did this right, for crying out loud.  After 10+ years,
> Microsoft can't get an auto-responder to work right?
>
>  Free tip to anyone at Microsoft: Send auto-responses to the RFC-821
> envelope reverse-path address, not the RFC-822 header "From" address,
> like the standards say to.
>
>  Grr.
>
> #endif
>
> -- Ben


RE: Virtualization Questions - More Q's

2008-12-30 Thread Webster
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

No, you don't need that type of experience.

 

But when you have 1000 IT personnel, they can't all be AD people, or even
domain admins. 

 

I did some AD/GPO/WSUS troubleshooting for a company in the Global Fortune
15.  For the one small segment of their network I worked on, they had over
6,000 servers and over 35,000 PCs.  They had two dedicated IT staff who did
nothing but maintain the huge Excel SS of all their DHCP scopes,
reservations, server static IPs and server/scope options.  They had people
who did nothing but monitor NetBackup, people who changed tapes, people who
handled Iron Mountain, etc.  Extremely granular and an extreme PITA to do
any work for.  Need a VM for testing purposes?  A minimum 3 month process as
it went thru all the change control processes.

 

Webster

From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Subject: RE: Virtualization Questions - More Q's

 

Wow, that's really compartmentalized. I dunno if I'd want to work somewhere
that limits me that much as far as what I'm working with.  And yet, I'm sure
if you apply for one of those positions, you are still required to have 10+
years experience, and expertise with Windows, Unix, mainframes, every
desktop OS known to man, etc.

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500 type
companies).

 

In those types of orgs the AD team is usually separate from Virtualisation
(which is predominantly VMWare), which is again separate from the hardware
components (network, security, storage). Even as a directory, AD is usually
limited to the Wintel area, and most large orgs have significant investment
in *nix, midrange/mainframe systems as well. The "source of truth" is
generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant overlap, so
it's not really an  issue. In larger shops (once there isn't a predominance
of Windows), and AD isn't "king", it starts to become something that needs
to be dealt with in some way.


Cheers

Ken



RE: A/V on VM Host

2008-12-30 Thread Martin Blackstone
If I had an ESX Server and a Windows VM in there, I would install AV on the
Windows VM. But I wouldn't run AV on the ESX host. 

-Original Message-
From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Sent: Tuesday, December 30, 2008 8:28 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

So how do you protect your VM?  Or do you simply keep a supposedly known
good backup of it in case the active gets infected?

Joe Heaton
Employment Training Panel


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 8:15 AM
To: NT System Admin Issues
Subject: Re: A/V on VM Host

On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright 
wrote:
> Would the anti-virus package on a host machine also protect the guest
VMs?

  No.

  To the host OS, the virtual disk image is just a giant binary file.
You wouldn't want to scan that with AV; it would kill performance.
And even if the AV found something, all it could do would be to
quarantine or delete your virtual disk -- essentially causing your VM
to spontaneously disappear from existence.

-- Ben



RE: Virtualization Questions - More Q's

2008-12-30 Thread Ken Schaefer
-Original Message-
From: S Conn. [mailto:sysadminli...@gmail.com] 
Subject: Re: Virtualization Questions - More Q's

On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer  wrote:
>> Most people have said "no" to question #2.
>>
>> I would say that there is a definite impact. Your virtualisation team are
>> pretty much now an additional "god" in the organisation. For smaller shops
>> this isn't an issue. For bigger shops, or where compliance/auditing/change
>> control are important, then this is another layer of people who have
>> significant  privileges, who must be worked into your change control
>> process.
>>
>
> I don't see a lot of difference here between virtual environment vs physical.

Physical access can mean control - but you can control physical access. Not to 
mention detecting network changes and preventing/detecting BIOS changes (via 
passwords and ILO/DRAC etc)

In a virtual environment, your virtualisation people control the BIOS, the boot 
sequence, the virtual networks that are exposed, and even the hard disks of the 
VMs themselves. And they can do that remotely. In a physical world, your 
virtualisation people wouldn't have access to the cabinets that store your 
physical domain controllers or other physical servers. Just the servers that 
host the VM hosts.

Additionally, there are occasionally vulnerabilities in virtualisation software 
(a couple for VMWare and more for other products). These can be used to gain 
access to VMs by holding privileges on the host.

Cheers
Ken





A) The guest virtual machines have the same security as their physical
counterparts. (ie you still need a login/password to get into the
operating systems).  Same in a physical environment.  It's the same as
walking up to a KVM or logging into an IP KVM.
B) If you have access to the virtual environment, you could power off
the machines (reboot, etc).  It's the same if you have physical access
to the data center/server room/etc or access to a remote PDU (aka walk
up and press the off button on a machine).

The only difference is that you could change resource allocation, but
in a compliance/audit scenario, you're not accessing the actual data
or the guest OS itself, just the "box" itself.  Changing resources
does affect change control, but so would someone removing RAM out of a
physical box or adding a CPU.

I'm only speaking for VMWare here (since that's what I know and run),
but you can set up a lot of different levels of access in the virtual
environment.  You can group the machines, set administrators for those
groups, or break it down to only allow certain groups to have access
to certain machines.  For example, I myself have full access to the
entire network, but I only allow my programmers to have access to only
a couple of machines, and only restart ability to those.  When they
log in, all they see are their machines only.  Their only options are
console or power on/off/reboot, the same access they've had when the
servers were physical.  It ties into Active Directory, and you can
set groups to as much or as little access as you want.

I do agree, there are some security concerns that you'll need to
address, but virtualizing your servers won't give anyone any more
additional access to the machines over walking into the server room
IMO.


Seth



RE: Virtualization Questions - More Q's

2008-12-30 Thread Ken Schaefer
No, you don't need that type of experience.

But when you have 1000 IT personnel, they can't all be AD people, or even 
domain admins.

Cheers
Ken

From: Joe Heaton [mailto:jhea...@etp.ca.gov]
Sent: Wednesday, 31 December 2008 2:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Wow, that's really compartmentalized... I dunno if I'd want to work somewhere 
that limits me that much as far as what I'm working with.  And yet, I'm sure if 
you apply for one of those positions, you are still required to have 10+ years 
experience, and expertise with Windows, Unix, mainframes, every desktop OS 
known to man, etc...

Joe Heaton
Employment Training Panel

From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 6:14 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

I work for Avanade - we deal mostly with large enterprises (Global 500 type 
companies).

In those types of orgs the AD team is usually separate from Virtualisation 
(which is predominantly VMWare), which is again separate from the hardware 
components (network, security, storage). Even as a directory, AD is usually 
limited to the Wintel area, and most large orgs have significant investment in 
*nix, midrange/mainframe systems as well. The "source of truth" is generally 
other systems like HR/payroll.

As I said before - in smaller shops, there's usually significant overlap, so 
it's not really an  issue. In larger shops (once there isn't a predominance of 
Windows), and AD isn't "king", it starts to become something that needs to be 
dealt with in some way.

Cheers
Ken

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, 31 December 2008 12:31 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

That's an interesting point. Have you actually seen this in practice? What I 
mean is, in every shop I've been in, the virtualization group is composed of 
the same people who "hold the keys to the kingdom" anyway (AD admins, or 
Linux/UNIX admins). I've never seen a group brought in to manage the virtual 
environment that didn't already have that type of access.

YMMV



Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003


From: k...@adopenstatic.com [mailto:k...@adopenstatic.com]
Sent: Tuesday, December 30, 2008 6:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Most people have said "no" to question #2.

I would say that there is a definite impact. Your virtualisation team are 
pretty much now an additional "god" in the organisation. For smaller shops this 
isn't an issue. For bigger shops, or where compliance/auditing/change control 
are important, then this is another layer of people who have significant  
privileges, who must be worked into your change control process.

Cheers
Ken

From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's


1.   As long as the resources are available for the VM, then transparent.  
I know in the past that processors had to be in the same family as well as the 
same brand for Vmotion but I heard that this has changed with (ESX) update 3.  
I don't know the details yet, so someone please chime in here for clarification.

2.   No

3.   Most environments will have both.  Shared for the lightweight servers 
and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but check 
with the vendors in question.

Shook

From: Roger Wright [mailto:rwri...@evatone.com]
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

Great responses so far!  You've all given me even more to think about.

A few other questions:


1.   From a DR perspective, or perhaps just for rebalancing the load on a 
host machine, how does moving from one host to another with different HW impact 
the VM, or is it transparent?


2.   Does Virtualization impact your domain security requirements in any 
way?


3.   NIC Utilization - Shared NICs or separate for each VM?


4.   OS & App licensing - can we expect any reduction in licensing 
requirements?



Thanks!
















RE: Citrix client?

2008-12-30 Thread Webster
> -Original Message-
> From: Craig Gauss [mailto:gau...@rhahealthcare.org]
> Subject: Citrix client?
> 
> Does anyone know of any issues with backwards compatibility issues with
> the newest Citrix client?

There are a couple if you use the free Citrix Secure Gateway software.  The
main issues deal with streaming apps (and those apps generated using the
Citrix Streaming Profiler Server).

> I have to deploy the Citrix client throughout
> our Association so users can connect to another hospital's Citrix farm.
> Can only find the 11.0 client.  I know it works with the 10.2 client
> just want to make sure it works with the 11.0 client before I deploy
> it.

U, I know where you can get the 10.x and 9.x software if you ask nice
enough off list. :)

> Unfortunately we don't have a test account either.

Weird, you should have, or ask for, a test account just for issues like
this.  The test account can be disabled/enabled on an as needed basis.  When
I work on Citrix farms, I ask for two test accounts: an admin one and a
regular standard user one.  


Webster
The Accidental Citrix Admin
http://CarlWebster.com






RE: A/V on VM Host

2008-12-30 Thread Joe Heaton
Ok, so I must have misunderstood the initial question...doh!

Joe Heaton
Employment Training Panel


-Original Message-
From: Damien Solodow [mailto:damien.solo...@ibcschools.edu] 
Sent: Tuesday, December 30, 2008 8:30 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

Load AV on it just like you would a physical machine?

-Original Message-
From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Sent: Tuesday, December 30, 2008 11:28 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

So how do you protect your VM?  Or do you simply keep a supposedly known
good backup of it in case the active gets infected?

Joe Heaton
Employment Training Panel


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 8:15 AM
To: NT System Admin Issues
Subject: Re: A/V on VM Host

On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright 
wrote:
> Would the anti-virus package on a host machine also protect the guest
VMs?

  No.

  To the host OS, the virtual disk image is just a giant binary file.
You wouldn't want to scan that with AV; it would kill performance.
And even if the AV found something, all it could do would be to
quarantine or delete your virtual disk -- essentially causing your VM
to spontaneously disappear from existence.

-- Ben



RE: A/V on VM Host

2008-12-30 Thread Damien Solodow
Load AV on it just like you would a physical machine?

-Original Message-
From: Joe Heaton [mailto:jhea...@etp.ca.gov] 
Sent: Tuesday, December 30, 2008 11:28 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

So how do you protect your VM?  Or do you simply keep a supposedly known
good backup of it in case the active gets infected?

Joe Heaton
Employment Training Panel


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 8:15 AM
To: NT System Admin Issues
Subject: Re: A/V on VM Host

On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright 
wrote:
> Would the anti-virus package on a host machine also protect the guest
VMs?

  No.

  To the host OS, the virtual disk image is just a giant binary file.
You wouldn't want to scan that with AV; it would kill performance.
And even if the AV found something, all it could do would be to
quarantine or delete your virtual disk -- essentially causing your VM
to spontaneously disappear from existence.

-- Ben



RE: A/V on VM Host

2008-12-30 Thread Joe Heaton
So how do you protect your VM?  Or do you simply keep a supposedly known
good backup of it in case the active gets infected?

Joe Heaton
Employment Training Panel


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 8:15 AM
To: NT System Admin Issues
Subject: Re: A/V on VM Host

On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright 
wrote:
> Would the anti-virus package on a host machine also protect the guest
VMs?

  No.

  To the host OS, the virtual disk image is just a giant binary file.
You wouldn't want to scan that with AV; it would kill performance.
And even if the AV found something, all it could do would be to
quarantine or delete your virtual disk -- essentially causing your VM
to spontaneously disappear from existence.

-- Ben



RE: LogMeIn

2008-12-30 Thread Ziots, Edward
Agreed +1..

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 11:13 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:57 AM, David James 
wrote:
> They wouldn't be in business if they hacked their customers networks.

  I believe I provided some arguments as to why that's a logical
fallacy.

  Again, you're not actually doing any analysis.  If you presented
some kind of evaluation, it would be one thing.  Example: Small art
design firm; seven employees; no HIPAA/PCI/etc.; low profile
organization; no radical trade secrets; alternative solutions would
cost $%LARGE%; alternatives exceed the value of assets.  That's valid
risk management.  (I might quibble with the alternative solutions
cost, but that's a lot more subjective.)  But you're just hoping
things will be okay.

  Wanting something doesn't make it real (unless you're an xkcd fan).

  I'm sure it pisses you off to no end that I keep calling you on your
flimsy logic.  Sorry.  I don't mean to anger you, but security is
about facing harsh realities.  I've found most people would rather be
happily unaware than unhappily informed.

-- Ben



RE: LogMeIn

2008-12-30 Thread David James
It doesn't piss me off.  I made my points earlier, stating that I use SSL
VPN appliances/RDP for regulated access.  
I also said it's situation based, and products like this can be utilized
properly for the SMB.  That's all I'm saying. 

Have a great day!



-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:13 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:57 AM, David James  wrote:
> They wouldn't be in business if they hacked their customers networks.

  I believe I provided some arguments as to why that's a logical fallacy.

  Again, you're not actually doing any analysis.  If you presented
some kind of evaluation, it would be one thing.  Example: Small art
design firm; seven employees; no HIPAA/PCI/etc.; low profile
organization; no radical trade secrets; alternative solutions would
cost $%LARGE%; alternatives exceed the value of assets.  That's valid
risk management.  (I might quibble with the alternative solutions
cost, but that's a lot more subjective.)  But you're just hoping
things will be okay.

  Wanting something doesn't make it real (unless you're an xkcd fan).

  I'm sure it pisses you off to no end that I keep calling you on your
flimsy logic.  Sorry.  I don't mean to anger you, but security is
about facing harsh realities.  I've found most people would rather be
happily unaware than unhappily informed.

-- Ben



RE: Label printers

2008-12-30 Thread Phillip Partipilo
This Brother tape is M-2312PK, 8 meters of tape per cart. It's extremely
thin so there isn't much stress trying to pull it apart when you wrap it
around and stick it to itself - in fact I've labeled dozens of cables in
that fashion with this tape and it is excellent (probably because it isn't
laminated). A nice aspect is that the labeler itself is dirt cheap, it's a
"Home & Hobby" labeler, model PT-65. 


 
Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107
 
 

-Original Message-
From: Eisenberg, Wayne [mailto:wayne.eisenb...@pbvllc.com] 
Sent: Tuesday, December 30, 2008 10:18 AM
To: NT System Admin Issues
Subject: RE: Label printers



And... Now that you all got me interested in the topic again, I went
trolling on the Brother site, and it seems that they have a label that
*may* be similar to the Brady vinyl/acrylic label that works so well for me.
I don't think the specific labelling machine is as important as the material
the label itself is made from. If this Brother tape (TZFX231) tests as well
as the Brady does and costs less, then I might go back to that...

Wayne


-Original Message-
From: Eisenberg, Wayne [mailto:wayne.eisenb...@pbvllc.com]
Sent: Tuesday, December 30, 2008 9:50 AM
To: NT System Admin Issues
Subject: RE: Label printers

I have found that P-Touch labels do not adhere well to the material used for
patch cables and you wind up needing to make flags, or find ways to deal
with labels peeling off. 

What I have found that works fabulously are Brady cable markers. You can use
an ultra-fine Sharpie to write on them, they are self-laminating and they do
not come off easily like P-touch labels do. I buy what they call the
'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that label
material in a roll and use it in one of Brady's labeller machines, but their
label makers tend to be quite expensive (but there is a ton of functionality
built into it). I find the porta-pak and a Sharpie to do just as good of a
job for a lot less money. You can get them from Grainger or other similar
supply house.

Wayne

-Original Message-
From: Steve Pruitt [mailto:adminli...@bytampabay.com]
Sent: Monday, December 29, 2008 6:17 PM
To: NT System Admin Issues
Subject: Re: Label printers

I use a Brother P-Touch, and I'm very happy with it. I'm compulsive about
labeling both ends of every cable, and the jacks on non-standard devices.

Steve

- Original Message -
From: "Mike French" 
To: "NT System Admin Issues" 
Sent: Monday, December 29, 2008 5:01 PM
Subject: RE: Label printers


I use a Rhino 3000
(http://www.rhinopromo.com/Printers_3000_Features.shtm)




From: Orland, Kathleen [mailto:korl...@rogers.com]
Sent: Saturday, December 27, 2008 10:09 PM
To: NT System Admin Issues
Subject: RE: Label printers

I use the same thing. In addition I purchase bright yellow tapes to make
identification distinct and easy.


From: Jacob [mailto:ja...@excaliburfilms.com]
Sent: Saturday, December 27, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: Label printers

Brother P Touch III

What I use to label cable, tapes, etc...

From: Gavin Wilby [mailto:gavin.wi...@gmail.com]
Sent: Saturday, December 27, 2008 12:24 PM
To: NT System Admin Issues
Subject: Label printers

Not as off topic as it might sound - I want to get my own label printer, to
do things like patch cables, patch panels, back up tapes and the like.

Anyone got any favorites?

Gavin.

Hope you have all had a great Christmas break!










Re: A/V on VM Host

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 10:49 AM, Roger Wright  wrote:
> Would the anti-virus package on a host machine also protect the guest VMs?

  No.

  To the host OS, the virtual disk image is just a giant binary file.
You wouldn't want to scan that with AV; it would kill performance.
And even if the AV found something, all it could do would be to
quarantine or delete your virtual disk -- essentially causing your VM
to spontaneously disappear from existence.

-- Ben



Re: A/V on VM Host

2008-12-30 Thread Jeff Bunting
Agreed; even if the host could scan the VMs, they're disk images.
Scanning a 20gb file (or however big your virtual hard drive is) isn't
going to be fast.

Jeff

On Tue, Dec 30, 2008 at 11:10 AM, Damien Solodow
 wrote:
> Mostly. However, I don't know that it can efficiently scan the vmdk files
> for it.
>
>
>
> It would be easy enough to test… Put AV on your host, and put eicars on one
> of the guests and see if the host notices it.
>
>
>
> I'm fairly sure the answer will be no though..
>
>
>
> From: Roger Wright [mailto:rwri...@evatone.com]
> Sent: Tuesday, December 30, 2008 11:02 AM
> To: NT System Admin Issues
> Subject: RE: A/V on VM Host
>
>
>
> And from the host's perspective, the VMs are files, right?
>
>
>
>
>
>
>
> Roger Wright
>
> Network Administrator
>
> Evatone, Inc.
>
> 727.572.7076  x388
>
>
>
>
> From: Damien Solodow [mailto:damien.solo...@ibcschools.edu]
> Sent: Tuesday, December 30, 2008 10:56 AM
> To: NT System Admin Issues
> Subject: RE: A/V on VM Host
>
>
>
> Normally the AV autoprotect monitors files, not network traffic….
>
>
>
> From: Roger Wright [mailto:rwri...@evatone.com]
> Sent: Tuesday, December 30, 2008 10:50 AM
> To: NT System Admin Issues
> Subject: A/V on VM Host
>
>
>
> Would the anti-virus package on a host machine also protect the guest VMs?
>
>
>
> I was wondering if, say, VirusScan is installed on the host box, wouldn't it
> be scanning all data streaming across the NIC, including that which is
> destined for the VMs?
>
>
>
> Is there a flaw in my thinking?
>
>
>
>
>
>
>
> Roger Wright
>
> Network Administrator
>
> Evatone, Inc.
>
> 727.572.7076  x388


Re: Citrix client?

2008-12-30 Thread Phil Brutsche
I've never experienced any compatibility issues.

At one point we were using the 10.2 client with our TS, which is running
the ancient (late 2003 vintage) Metaframe XP.

Craig Gauss wrote:
> Does anyone know of any issues with backwards compatibility issues with
> the newest Citrix client?  I have to deploy the Citrix client throughout
> our Association so users can connect to another hospital's Citrix farm.
> Can only find the 11.0 client.  I know it works with the 10.2 client
> just want to make sure it works with the 11.0 client before I deploy it.
> Unfortunately we don't have a test account either.

-- 

Phil Brutsche
p...@optimumdata.com



Re: LogMeIn

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 10:57 AM, David James  wrote:
> They wouldn't be in business if they hacked their customers networks.

  I believe I provided some arguments as to why that's a logical fallacy.

  Again, you're not actually doing any analysis.  If you presented
some kind of evaluation, it would be one thing.  Example: Small art
design firm; seven employees; no HIPAA/PCI/etc.; low profile
organization; no radical trade secrets; alternative solutions would
cost $%LARGE%; alternatives exceed the value of assets.  That's valid
risk management.  (I might quibble with the alternative solutions
cost, but that's a lot more subjective.)  But you're just hoping
things will be okay.

  Wanting something doesn't make it real (unless you're an xkcd fan).

  I'm sure it pisses you off to no end that I keep calling you on your
flimsy logic.  Sorry.  I don't mean to anger you, but security is
about facing harsh realities.  I've found most people would rather be
happily unaware than unhappily informed.

-- Ben



RE: A/V on VM Host

2008-12-30 Thread Damien Solodow
Mostly. However, I don't know that it can efficiently scan the vmdk
files for it.

 

It would be easy enough to test... Put AV on your host, and put eicars on
one of the guests and see if the host notices it.

 

I'm fairly sure the answer will be no though..

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Tuesday, December 30, 2008 11:02 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

 

And from the host's perspective, the VMs are files, right?

 

   

 

Roger Wright

Network Administrator

Evatone, Inc.

727.572.7076  x388


 

From: Damien Solodow [mailto:damien.solo...@ibcschools.edu] 
Sent: Tuesday, December 30, 2008 10:56 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

 

Normally the AV autoprotect monitors files, not network traffic

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Tuesday, December 30, 2008 10:50 AM
To: NT System Admin Issues
Subject: A/V on VM Host

 

Would the anti-virus package on a host machine also protect the guest
VMs? 

 

I was wondering if, say, VirusScan is installed on the host box,
wouldn't it be scanning all data streaming across the NIC, including
that which is destined for the VMs?

 

Is there a flaw in my thinking?

 

 

 

Roger Wright

Network Administrator

Evatone, Inc.

727.572.7076  x388

  

 


Re: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 9:38 AM, John Hornbuckle
 wrote:
> Exchange 2003 had a registry hack that was supposed to minimize occurrences 
> of OOO's going to mailing
> lists, but I believe that has gone away with 2007.

#ifdef RANT

  WTF?  Why is this so hard for Microsoft to figure out?  The
"vacation" program I used on the university's DEC Ultrix machines back
in 1996 did this right, for crying out loud.  After 10+ years,
Microsoft can't get an auto-responder to work right?

  Free tip to anyone at Microsoft: Send auto-responses to the RFC-821
envelope reverse-path address, not the RFC-822 header "From" address,
like the standards say to.

  Grr.

#endif

-- Ben
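
Added example (not part of the post above or any list member's code): a Python sketch of the rule the post describes, replying to the envelope reverse-path rather than a header address and staying silent for list and automated mail. The suppression checks follow RFC 3834; all addresses, sample messages and function names are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

ME = "roger@corp.example"  # constructed mailbox owner

# Constructed sample: a mailing-list post as delivered to a subscriber.
LIST_POST = """\
From: John <john@school.example>
Reply-To: sysadmin-list@lists.example
To: sysadmin-list@lists.example
Subject: OOO notices
Message-ID: <1@school.example>
List-Id: <sysadmin-list.lists.example>
Precedence: list

body text
"""

# Constructed sample: personal mail whose envelope sender differs from
# the header From (sent on Alice's behalf by another system).
DIRECT_MAIL = """\
From: Alice <alice@partner.example>
To: Roger <roger@corp.example>
Subject: Quote for January
Message-ID: <2@partner.example>

Please call me back.
"""

LIST_MSG = message_from_string(LIST_POST)
DIRECT_MSG = message_from_string(DIRECT_MAIL)

# Local parts that RFC 3834 suggests treating as automated senders.
ROBOT_PREFIXES = ("owner-", "mailer-daemon")
ROBOT_SUFFIXES = ("-request", "-owner", "-bounces")


def naive_header_target(msg):
    """The behaviour complained about: reply to a header address."""
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    return addr.lower()


def auto_reply_target(envelope_from, msg, my_addresses):
    """Return the address an out-of-office notice goes to, or None."""
    sender = envelope_from.strip().strip("<>").lower()
    if not sender:
        return None  # null reverse-path "<>": bounces, notifications
    local = sender.split("@", 1)[0]
    if local.startswith(ROBOT_PREFIXES) or local.endswith(ROBOT_SUFFIXES):
        return None  # list managers and mail daemons
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return None  # never answer another auto-responder
    if msg.get("Precedence", "").strip().lower() in ("bulk", "list", "junk"):
        return None
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return None  # List-Id, List-Unsubscribe, ...
    listed = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = {addr.lower() for _, addr in listed}
    if not recipients & {a.lower() for a in my_addresses}:
        return None  # not addressed to this mailbox explicitly
    return sender


def build_auto_reply(target, msg, my_address, text):
    """Build the notice, marked so other responders will ignore it."""
    reply = EmailMessage()
    reply["From"] = my_address
    reply["To"] = target
    reply["Subject"] = "Auto: " + msg.get("Subject", "")
    reply["Auto-Submitted"] = "auto-replied"
    if msg.get("Message-ID"):
        reply["In-Reply-To"] = msg["Message-ID"]
        reply["References"] = msg["Message-ID"]
    reply.set_content(text)
    return reply


if __name__ == "__main__":
    bounce_addr = "<sysadmin-list-bounces@lists.example>"
    print("naive, list post:   ", naive_header_target(LIST_MSG))
    print("envelope, list post:", auto_reply_target(bounce_addr, LIST_MSG, [ME]))
    print("envelope, direct:   ",
          auto_reply_target("<billing@partner.example>", DIRECT_MSG, [ME]))
```

A real responder would also remember whom it has already notified and limit repeats per sender, which this sketch leaves out.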



RE: A/V on VM Host

2008-12-30 Thread Roger Wright
And from the host's perspective, the VMs are files, right?

 

   

 

Roger Wright

Network Administrator

Evatone, Inc.

727.572.7076  x388


 

From: Damien Solodow [mailto:damien.solo...@ibcschools.edu] 
Sent: Tuesday, December 30, 2008 10:56 AM
To: NT System Admin Issues
Subject: RE: A/V on VM Host

 

Normally the AV autoprotect monitors files, not network traffic

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Tuesday, December 30, 2008 10:50 AM
To: NT System Admin Issues
Subject: A/V on VM Host

 

Would the anti-virus package on a host machine also protect the guest
VMs? 

 

I was wondering if, say, VirusScan is installed on the host box,
wouldn't it be scanning all data streaming across the NIC, including
that which is destined for the VMs?

 

Is there a flaw in my thinking?

 

 

 

Roger Wright

Network Administrator

Evatone, Inc.

727.572.7076  x388

  

 


Re: Label printers

2008-12-30 Thread Ben Scott
[reply to multiple posts]

On Tue, Dec 30, 2008 at 9:50 AM, Eisenberg, Wayne
 wrote:
> I have found that P-Touch labels do not adhere well to the material used
> for patch cables and you wind up needing to make flags ...

  The Dymo tape doesn't stick especially well, either.  I print two
labels without cutting, and loop it around the cable, sticking the
label backs together.  Pretty easy.  I guess that's making a flag, but
it works.  I actually find it easier to read the label that way; you
don't need to move the cable as much, just the label.

On Tue, Dec 30, 2008 at 10:12 AM, Phillip Partipilo  wrote:
> They are much easier to apply since the backing seems to come off
> the adhesive layer much easier ...

  One thing I like about the Dymo tape is that they split the backing,
so peeling it off is really easy.

  One thing I don't like is we apparently had a bad batch a while
back, several cartridges kept having the tape stick together
on the roll.  Didn't show up until a good portion of the roll was
gone, and this is one of those products that's expensive enough for
that to be irritating, but not quite worth the probable fuss of filing
a warranty claim over a small issue.  Haven't had the problem since.
If it comes back, then I'll b*tch.

-- Ben



RE: A/V on VM Host

2008-12-30 Thread Damien Solodow
Normally the AV autoprotect monitors files, not network traffic

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Tuesday, December 30, 2008 10:50 AM
To: NT System Admin Issues
Subject: A/V on VM Host

 

Would the anti-virus package on a host machine also protect the guest
VMs? 

 

I was wondering if, say, VirusScan is installed on the host box,
wouldn't it be scanning all data streaming across the NIC, including
that which is destined for the VMs?

 

Is there a flaw in my thinking?

 

 

 

Roger Wright

Network Administrator

Evatone, Inc.

727.572.7076  x388

  

 


Re: C$ Permissions on a Domain Controller????

2008-12-30 Thread Jon D
Thanks everyone. After reading everyone's advice that the permissions
were okay I looked further and found that the problem was that a
special group was added to the local administrators groups on most of
the servers.

Ends up, an administrator added code to the users' login scripts to
add this group locally, and another administrator had the users' login
script in his super user account.

Thanks everyone!





On Tue, Dec 30, 2008 at 6:04 AM, Ken Schaefer  wrote:
> Hi,
>
> The security permissions that are applied to files/folders when running 
> dcpromo are in a template file on your DC in %systemroot%\security\templates. 
> The "DC security.inf" template is what is used by secedit during the DCPromo 
> process to re-ACL files/folders on your new DC.
>
> C$ is a share - not a folder/file/drive. You can't set the permissions on 
> this normally. It should be restricted to those in the Administrators group.
>
> Permissions on the root folder of the C: drive are different to C$ 
> permissions. Everyone (or Authenticated User) should have Read+Execute and 
> List Folder Contents permission by default. Check the inf file for more info, 
> or use secedit to re-ACL your box if you need to.
>
> Cheers
> Ken
>
> -Original Message-
> From: Jon D [mailto:rekcahp...@gmail.com]
> Sent: Tuesday, 30 December 2008 8:53 AM
> To: NT System Admin Issues
> Subject: C$ Permissions on a Domain Controller
>
> Anyone know what the proper permissions are on the C: drive of a
> Domain Controller?
> Are they special or no?
>
> I'm doing a security audit and I came across 2 domain controllers that
> do not require a password to access their C$ share.
> You can't view the permissions of the share itself, but the
> permissions on the C drive have authenticated users with full control.
>
> That can't be right.
> Anyone see anything like that before?
> Anyone know how dangerous it is to change the permissions(once I
> determine the correct permissions)?
>
>
>
>
> Thanks in advance,
> Jon
>
>
>


RE: LogMeIn

2008-12-30 Thread David James
It's encrypted to blackberry, but they can still pry if they want, which is
what people's point against logmein is.  I'm just saying, you inherently
trust a lot of companies, and to say one service that is used like
Blackberry in a high percentage of businesses, then 'flush' other services
which may help your users be productive seems silly to me.  But I digress.
I just want the point made that LogMeIn does have its place if it's
implemented properly.  They wouldn't be in business if they hacked their
customers' networks.

DPJ

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 9:42 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:33 AM, David James  wrote:
> So Blackberries and any other service shouldn't be used either.  That's a
> 3rd party who can view all your email.

  Regarding BlackBerries: Email is already public.  Anyone who thinks
general Internet email is secure is just plain wrong.  We educate our
users that email is not secure.  They all want it to be, of course,
but it's a case of wanting what can't be had.  (Good crypto will
address this, of course, but that's a customer-interaction issue that
needs to be sorted out on a case-by-case basis, and most people don't
actually want to pay for security, they want free lip-service.  We
give them all the free lip-service they want.)

  Regarding "other services": Depends on the situation, as evidenced
by the email example above.  But generally, no, we're not overly
trusting, because the world's filled with dangerous, scary people, and
the Internet brings them all to your doorstep.  Life's hard; get a
helmet.

-- Ben



RE: LogMeIn

2008-12-30 Thread Ziots, Edward
It definitely is a risk, and a lot of companies are taking it. Why not
have Blackberry sign a BAA with you before you sign up for their service
to CYA.. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: David James [mailto:bigdadd...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:34 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

So Blackberries and any other service shouldn't be used either.  That's a
3rd party who can view all your email.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 9:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James wrote:
> It's about helping your users use technology to be more productive, not
> having a power trip.

  The problem is that security *never* shows up as a profit.  (Unless
you're a security firm, heh.)  So if we follow that logic, all
security should be banished.  Of course, security failures show up --
as losses, when it's too late.

  The thing that really gets me about this is that people simply
*assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben



A/V on VM Host

2008-12-30 Thread Roger Wright
Would the anti-virus package on a host machine also protect the guest
VMs? 

 

I was wondering if, say, VirusScan is installed on the host box,
wouldn't it be scanning all data streaming across the NIC, including
that which is destined for the VMs?

 

Is there a flaw in my thinking?

 

 

 

Roger Wright

Network Administrator

Evatone, Inc.

727.572.7076  x388

  

 


RE: LogMeIn

2008-12-30 Thread Ziots, Edward
Productive, but at what cost to the business? It only takes one security
incident, to cost you more than the productivity of a year's worth of
work. Heck some of the penalties are in the 250K+ range at the most
severe for HIPAA and I am sure it's higher in the other regulations (
PCI, GLB, SarbOx)

It's not about a power trip either, it's about following process, using
good risk management techniques and being able to prove that people are
accessing only what you gave them access to and no more. ( due
diligence, Least Privilege rules) 

Actually security could show up in making sure the profits you are
earning by doing your work as shown. Just imagine the laptop that the
C-Level is using that wasn't Lo-Jacked and you didn't think about adding
full hard drive encryption, but those juicy insider details are being
pushed to your competition, because he/she/it had its laptop stolen and
didn't encrypt the information that was confidential/sensitive in nature.
Now it's in the hands of the people that shouldn't have had it in the first
place. That is just one of a lot of ways you can show how working
securely and following security protocol helps you stay profitable and
avoid these types of situations that when you look at the bottom line
cost the organization/business more money per-incident than they might
make in a month or even year. 

Food for thought,
Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James wrote:
> It's about helping your users use technology to be more productive, not
> having a power trip.

  The problem is that security *never* shows up as a profit.  (Unless
you're a security firm, heh.)  So if we follow that logic, all
security should be banished.  Of course, security failures show up --
as losses, when it's too late.

  The thing that really gets me about this is that people simply
*assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben



RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread Kennedy, Jim
Ok, I am off to get more coffee. I saw "doesn't" instead of what you actually 
wrote.


> -Original Message-
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Tuesday, December 30, 2008 10:48 AM
> To: NT System Admin Issues
> Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)
> 
> Isn't that what I said?
> 
> :-)
> 
> But my biggest issue is that in our organization, that's not
> particularly useful. We need everyone to get OOFs, including people
> outside the organization. Although customizing the message sent
> internally vs. externally is nice.
> 
> 
> 
> -Original Message-
> From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> Sent: Tuesday, December 30, 2008 9:46 AM
> To: NT System Admin Issues
> Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)
> 
> 
> Sure it does, that is how ours is I just retested it to be certain.
> Internals get OOF's and externals do not.
> 
> 
> > -Original Message-
> > From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> > Sent: Tuesday, December 30, 2008 9:38 AM
> > To: NT System Admin Issues
> > Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)
> 
> 
> > Exchange 2007 does support separating the handling of OOO's between
> > internal and external senders...
> 


RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread John Hornbuckle
Isn't that what I said?

:-)

But my biggest issue is that in our organization, that's not particularly 
useful. We need everyone to get OOFs, including people outside the 
organization. Although customizing the message sent internally vs. externally 
is nice.



-Original Message-
From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Tuesday, December 30, 2008 9:46 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)


Sure it does, that is how ours is I just retested it to be certain. Internals 
get OOF's and externals do not.


> -Original Message-
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Tuesday, December 30, 2008 9:38 AM
> To: NT System Admin Issues
> Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)


> Exchange 2007 does support separating the handling of OOO's between
> internal and external senders...



Re: LogMeIn

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 10:41 AM, Graeme Carstairs  wrote:
> Large corporates and compliance is all good if you can do that but for
> sme it's difficult to get budget for anything.

  Smaller organizations have less to lose.  As always, it's risk
management, cost/benefit.  If the cost of counter-measures exceeds the
sum total value of the organization, then it's actually worth it to
just roll the dice and take the risk, since the business just isn't
worth that much.

  Of course, nobody ever likes to be told their livelihood is of
lesser value.  One reason few people like security analysis is that
it's largely about facing unpleasant truths.

  Sheesh, I sound like a political advertisement.  "Vote for me, or
the hackers will get you!"

-- Ben



RE: LogMeIn

2008-12-30 Thread John Cook
BB's are managed by the company (at least mine are) and can be locked down (to 
some extent - you can't solve stupid!) AND remotely wiped. Our users have to 
sign a security form before they get their hands on one and all of our devices 
are company owned.

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave
Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell (352) 215-6944
Fax (352) 393-2746
MCSE, MCTS, MCP+I,CompTIA A+, N+


-Original Message-
From: David James [mailto:bigdadd...@gmail.com]
Sent: Tuesday, December 30, 2008 10:34 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

So Blackberries and any other service shouldn't be used either.  That's a
3rd party who can view all your email.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Tuesday, December 30, 2008 9:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James  wrote:
> It's about helping your users use technology to be more productive, not
> having a power trip.

  The problem is that security *never* shows up as a profit.  (Unless
you're a security firm, heh.)  So if we follow that logic, all
security should be banished.  Of course, security failures show up --
as losses, when it's too late.

  The thing that really gets me about this is that people simply
*assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben



Re: LogMeIn

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 10:33 AM, David James  wrote:
> So Blackberries and any other service shouldn't be used either.  That's a
> 3rd party who can view all your email.

  Regarding BlackBerries: Email is already public.  Anyone who thinks
general Internet email is secure is just plain wrong.  We educate our
users that email is not secure.  They all want it to be, of course,
but it's a case of wanting what can't be had.  (Good crypto will
address this, of course, but that's a customer-interaction issue that
needs to be sorted out on a case-by-case basis, and most people don't
actually want to pay for security, they want free lip-service.  We
give them all the free lip-service they want.)

  Regarding "other services": Depends on the situation, as evidenced
by the email example above.  But generally, no, we're not overly
trusting, because the world's filled with dangerous, scary people, and
the Internet brings them all to your doorstep.  Life's hard; get a
helmet.

-- Ben



Re: LogMeIn

2008-12-30 Thread Graeme Carstairs
I'm with you logmein rescue rocks we use it to support our customers
and our remote sites. We support many users on many remote networks.
Mainly in sme space.

Large corporates and compliance is all good if you can do that but for
sme it's difficult to get budget for anything.

But everyone's advice is good. I wouldn't want logmein installed on work pc's.

Gotomypc is advertised constantly on UK radio to access your work of
from home, using the dragons from dragons den.
But doesn't mention security or company policy.

Graeme

On 30/12/2008, David James  wrote:
> LogMeInRescue FTW for supporting remote users.
>
> Sonicwall SSL VPN Products for remote access.  Using the Java or ActiveX RDP
> agents provide a more productive user experience than logmein free.
>
> In logmein free's defense as a security measure...  I had a customer who
> used logmein on their systems, it was a small business.  Someone stole a
> computer, and since LogMeIn auto connects from anywhere on the net, they
> were able to track the system down.  Kind of a free lowjack utility.
>
> Before I worked for myself, I would have argued that software like this was
> not useful, but it has its place in the SMB.  The corporate compliance set
> forbids it, but I have found that the ultimate question is how productive
> your users are, and how secure are their passwords.  LogMeIn is just another
> door to the building, another key to keep track of, so depending on the
> business type/model, and its obligations for compliance, it may or may not
> have its place.  I know lots of network admins who keep it on their servers
> but yell at every user that wants to use it.  Sometimes productivity demands
> it.  If you've got a user who needs to print at home to a Multifunction
> device to be more productive, sometimes logmein pro is the best solution,
> since RDP doesn't support certain printers.  In these rare cases, a simple
> signed policy will suffice to cover your ___.
>
> It's about helping your users use technology to be more productive, not
> having a power trip.  The company must survive tight economic times, so use
> all your tools to provide them ways to produce from anywhere at anytime, and
> you'll be a hero to your users and company management.
>
>
>
>
>
> -Original Message-
> From: Graeme Carstairs [mailto:loonyto...@gmail.com]
> Sent: Tuesday, December 30, 2008 8:37 AM
> To: NT System Admin Issues
> Subject: Re: LogMeIn
>
> You wouldn't allow any support via logmein rescue or webec etc.
> Do the install through web use and then no further access type solutions?
>
> May I ask how large your organisation is?
>
> Graeme
>
> On 30/12/2008, Ziots, Edward  wrote:
>> And make that a part of the acceptable use policy or another network
>> policy that includes the terms, "violation of this policy, can subject
>> the violator(s) to punishment up to and including termination of
>> employment"
>>
>>
>>
>> Then fire them, that will send the message. Logmein is not to be trusted
>> and any business seeking to do business with you that uses that as a
>> Remote access system for support should be shown the door as quickly as
>> they came in. ( Had to deal with one here, and they went bye bye)
>>
>>
>>
>> Z
>>
>>
>>
>> Edward E. Ziots
>>
>> Network Engineer
>>
>> Lifespan Organization
>>
>> Email: ezi...@lifespan.org
>>
>> Phone: 401-639-3505
>>
>> MCSE, MCP+I, ME, CCA, Security +, Network +
>>
>> 
>>
>> From: John Cook [mailto:john.c...@pfsf.org]
>> Sent: Tuesday, December 30, 2008 9:15 AM
>> To: NT System Admin Issues
>> Subject: RE: LogMeIn
>>
>>
>>
>> On a separate note we expressly forbid users to install ANY unapproved
>> software, specifically remote control software, as it opens the network
>> up to potential HIPAA violations (your regulatory obligations may come
>> into play as well) Just say no!
>>
>>
>>
>> John W. Cook
>>
>> Systems Administrator
>>
>> Partnership For Strong Families
>>
>> 315 SE 2nd Ave
>>
>> Gainesville, Fl 32601
>>
>> Office (352) 393-2741 x320
>>
>> Cell (352) 215-6944
>>
>> Fax (352) 393-2746
>>
>> MCSE, MCTS, MCP+I,CompTIA A+, N+
>>
>>
>>
>> From: David Lum [mailto:david@nwea.org]
>> Sent: Tuesday, December 30, 2008 9:02 AM
>> To: NT System Admin Issues
>> Subject: LogMeIn
>>
>>
>>
>> I work for a company with ~300 employees, is there a reason to
>> discourage a few of our employees from installing LogMeIn Free on their
>> systems so they can remote control their work machine and bypass the
>> need to use a VPN license?
>>
>>
>>
>> I've used LogMeIn Free for years to connect to all my own business
>> clients, but it's one thing to use it myself and small businesses,
>> another to recommend its use to a larger company with resources for
>> VPN, etc.
>>
>>
>>
>> My kneejerk reaction is "no", but damned if I can come up with a viable
>> excuse for that opinion.
>>
>> David Lum // SYSTEMS ENGINEER
>> NORTHWEST EVALUATION ASSOCIATION
>> (Desk) 971.222.1025 // (Cell) 503.267.976

Re: LogMeIn

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 9:25 AM, Erik Goldoff  wrote:
>> "You're letting an outside organization have control of one of your
>> computers.  You're okay with that? "
>
> Ever read the Microsoft EULA, especially regarding the Service Packs and
> automatic update ???

  Indeed.

  Heck, I'm not really overly comfortable with Microsoft, either.
Their track record on business ethics and practices isn't exactly a
glowing recommendation.  And they're huge; big enough for a rogue
element to go undetected for years.  There are some key differences,
though:

A1. Various organizations audit at least some of the Windows source.
A2. Various organizations audit at least some of the Windows machine
code (binaries/executables).
A3. There are *lots* of A1 and A2.  Windows is under a tremendous
amount of scrutiny.
A4. Windows doesn't have the ability to bypass our firewall or other
non-Microsoft security measures.  We have defense-in-depth, both in
terms of technology and vendors.
A5. Windows runs on systems under our control.

  The remote-control services violate all of the above.  In
particular, major parts of all remote-control services run through
servers and software *nobody else can see*.

-- Ben



RE: Citrix client?

2008-12-30 Thread Joe Heaton
Haven't read anything on it myself, but maybe install it on one and see
what happens, before deploying it widely.

Joe Heaton
Employment Training Panel

-Original Message-
From: Craig Gauss [mailto:gau...@rhahealthcare.org] 
Sent: Tuesday, December 30, 2008 5:54 AM
To: NT System Admin Issues
Subject: Citrix client?

Does anyone know of any issues with backwards compatibility issues with
the newest Citrix client?  I have to deploy the Citrix client throughout
our Association so users can connect to another hospital's Citrix farm.
Can only find the 11.0 client.  I know it works with the 10.2 client
just want to make sure it works with the 11.0 client before I deploy it.
Unfortunately we don't have a test account either.




RE: Virtualization Questions - More Q's

2008-12-30 Thread Joe Heaton
Wow, that's really compartmentalized... I dunno if I'd want to work
somewhere that limits me that much as far as what I'm working with.  And
yet, I'm sure if you apply for one of those positions, you are still
required to have 10+ years experience, and expertise with Windows, Unix,
mainframes, every desktop OS known to man, etc...

 

Joe Heaton

Employment Training Panel

 

From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Tuesday, December 30, 2008 6:14 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

I work for Avanade - we deal mostly with large enterprises (Global 500
type companies).

 

In those types of orgs the AD team is usually separate from
Virtualisation (which is predominantly VMWare), which is again separate
from the hardware components (network, security, storage). Even as a
directory, AD is usually limited to the Wintel area, and most large orgs
have significant investment in *nix, midrange/mainframe systems as well.
The "source of truth" is generally other systems like HR/payroll.

 

As I said before - in smaller shops, there's usually significant
overlap, so it's not really an  issue. In larger shops (once there isn't
a predominance of Windows), and AD isn't "king", it starts to become
something that needs to be dealt with in some way.


Cheers

Ken

 

From: Christopher Bodnar [mailto:christopher_bod...@glic.com] 
Sent: Wednesday, 31 December 2008 12:31 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

That's an interesting point. Have you actually seen this in practice?
What I mean is, in every shop I've been in, the virtualization group is
composed of the same people who "hold the keys to the kingdom" anyway
(AD admins, or Linux/UNIX admins). I've never seen a group brought in to
manage the virtual environment that didn't already have that type of
access. 

 

YMMV

 

 

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: k...@adopenstatic.com [mailto:k...@adopenstatic.com] 
Sent: Tuesday, December 30, 2008 6:33 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

Most people have said "no" to question #2.

 

I would say that there is a definite impact. Your virtualisation team
are pretty much now an additional "god" in the organisation. For smaller
shops this isn't an issue. For bigger shops, or where
compliance/auditing/change control are important, then this is another
layer of people who have significant  privileges, who must be worked
into your change control process.

 

Cheers

Ken

 

From: Andy Shook [mailto:andy.sh...@peak10.com] 
Sent: Tuesday, 30 December 2008 2:57 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

1.   As long as the resources are available for the VM, then
transparent.  I know in the past that processors had to be in the same
family as well as the same brand for Vmotion but I heard that this has
changed with (ESX) update 3.  I don't know the details yet, so someone
please chime in here for clarification. 

2.   No

3.   Most environments will have both.  Shared for the lightweight
servers and dedicated for VMotion\HA\DRS and the heavy hitting servers.

4.   An OS license is an OS license is an OS license.  Doubtful but
check with the vendors in question.  

 

Shook

 

From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Monday, December 29, 2008 10:32 AM
To: NT System Admin Issues
Subject: RE: Virtualization Questions - More Q's

 

Great responses so far!  You've all given me even more to think about.

 

A few other questions:

 

1.   From a DR perspective, or perhaps just for rebalancing the load
on a host machine, how does moving from one host to another with
different HW impact the VM, or is it transparent?  

 

2.   Does Virtualization impact your domain security requirements in
any way?  

 

3.   NIC Utilization - Shared NICs or separate for each VM?

 

4.   OS & App licensing - can we expect any reduction in licensing
requirements?

 

 

Thanks!

 

 

 

 

 

 

 




RE: LogMeIn

2008-12-30 Thread Erik Goldoff
Well stated ... I've always had to battle for budget for ANYTHING that
doesn't directly participate in generating revenue  



Erik Goldoff
IT  Consultant
Systems, Networks, & Security 


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James  wrote:
> It's about helping your users use technology to be more productive, 
> not having a power trip.

  The problem is that security *never* shows up as a profit.  (Unless you're
a security firm, heh.)  So if we follow that logic, all security should be
banished.  Of course, security failures show up -- as losses, when it's too
late.

  The thing that really gets me about this is that people simply
*assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben



RE: LogMeIn

2008-12-30 Thread David James
So Blackberries and any other service shouldn't be used either.  That's a
3rd party who can view all your email.  

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, December 30, 2008 9:27 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

On Tue, Dec 30, 2008 at 10:16 AM, David James  wrote:
> It's about helping your users use technology to be more productive, not
> having a power trip.

  The problem is that security *never* shows up as a profit.  (Unless
you're a security firm, heh.)  So if we follow that logic, all
security should be banished.  Of course, security failures show up --
as losses, when it's too late.

  The thing that really gets me about this is that people simply
*assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben



Re: LogMeIn

2008-12-30 Thread Ben Scott
On Tue, Dec 30, 2008 at 10:16 AM, David James  wrote:
> It's about helping your users use technology to be more productive, not
> having a power trip.

  The problem is that security *never* shows up as a profit.  (Unless
you're a security firm, heh.)  So if we follow that logic, all
security should be banished.  Of course, security failures show up --
as losses, when it's too late.

  The thing that really gets me about this is that people simply
*assume* LogMeIn, GoToMyPC, etc., are trustworthy.

-- Ben



RE: LogMeIn

2008-12-30 Thread David Lum
We're not even CLOSE to being that buttoned down, all our users here are local 
administrators, we allow more than one browser on the desktop, etc. I know I 
KNOW! :) I'm making progress, but the inertia of 200+ users and the (lack of) 
policies before I got here are not insignificant.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

From: Ziots, Edward [mailto:ezi...@lifespan.org]
Sent: Tuesday, December 30, 2008 6:31 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

And make that a part of the acceptable use policy or another network policy that 
includes the terms, "violation of this policy, can subject the violator(s) to 
punishment up to and including termination of employment"

Then fire them, that will send the message. Logmein is not to be trusted and any 
business seeking to do business with you that uses that as a Remote access 
system for support should be shown the door as quickly as they came in. ( Had to 
deal with one here, and they went bye bye)

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

From: John Cook [mailto:john.c...@pfsf.org]
Sent: Tuesday, December 30, 2008 9:15 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

On a separate note we expressly forbid users to install ANY unapproved 
software, specifically remote control software, as it opens the network up to 
potential HIPAA violations (your regulatory obligations may come into play as 
well) Just say no!

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave
Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell (352) 215-6944
Fax (352) 393-2746
MCSE, MCTS, MCP+I,CompTIA A+, N+

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 30, 2008 9:02 AM
To: NT System Admin Issues
Subject: LogMeIn

I work for a company with ~300 employees, is there a reason to discourage a few 
of our employees from installing LogMeIn Free on their systems so they can 
remote control their work machine and bypass the need to use a VPN license?

I've used LogMeIn Free for years to connect to all my own business clients, but 
it's one thing to use it myself and small businesses, another to recommend its 
use to a larger company with resources for VPN, etc.

My kneejerk reaction is "no", but damned if I can come up with a viable excuse 
for that opinion.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

RE: NT issue

2008-12-30 Thread Erik Goldoff
we do somewhat agree there ... it does sound at least on the surface, like a
WINS or maybe browse list issue
 

Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

  _  

From: David James [mailto:bigdadd...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:20 AM
To: NT System Admin Issues
Subject: RE: NT issue



Either way, I'm wondering if a quick install of WINS and targeting at least
his servers at it would help overcome this issue.  

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Tuesday, December 30, 2008 7:37 AM
To: NT System Admin Issues
Subject: RE: NT issue

 

meant to address this earlier ... it is NOT the HOSTS file to look at ...
HOSTS is the file based version of DNS, to resolve an FQDN to an IP
address. For NT Domain issues, the LMHOSTS file is the one that works
like WINS to resolve NetBIOS names ( Browse ) to IP

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 



RE: LogMeIn

2008-12-30 Thread David James
The logging in LogMeIn can be set up to go to syslog, and all sessions can
be recorded to an .avi file, or just the plain ol' logging is great.

To prevent access from a punted employee you just remove it.

-Original Message-
From: S Conn. [mailto:sysadminli...@gmail.com] 
Sent: Tuesday, December 30, 2008 9:17 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

Perhaps I missed this point in the replies, but what about user
separation?  I'm not keen on giving any user access that I can't
revoke the moment they get fired.  Also, access logs go a long way
when you're having HR issues..

Seth



On Tue, Dec 30, 2008 at 8:01 AM, David Lum  wrote:
> I work for a company with ~300 employees, is there a reason to discourage a
> few of our employees from installing LogMeIn Free on their systems so they
> can remote control their work machine and bypass the need to use a VPN
> license?
>
> I've used LogMeIn Free for years to connect to all my own business clients,
> but it's one thing to use it myself and small businesses, another to
> recommend its use to a larger company with resources for VPN, etc.
>
> My kneejerk reaction is "no", but damned if I can come up with a viable
> excuse for that opinion.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764



Cert vulnerability

2008-12-30 Thread Kennedy, Jim
PS3's used to crack MD5 certs.

http://blogs.zdnet.com/security/?p=2339






RE: Label printers

2008-12-30 Thread Eisenberg, Wayne
And... Now that you all got me interested in the topic again, I went
trolling on the Brother site, and it seems that they have a label that
*may* be similar to the Brady vinyl/acrylic label that works so well for
me. I don't think the specific labelling machine is as important as the
material the label itself is made from. If this Brother tape (TZFX231)
tests as well as the Brady does and costs less, then I might go back to
that...

Wayne


-Original Message-
From: Eisenberg, Wayne [mailto:wayne.eisenb...@pbvllc.com] 
Sent: Tuesday, December 30, 2008 9:50 AM
To: NT System Admin Issues
Subject: RE: Label printers

I have found that P-Touch labels do not adhere well to the material used
for patch cables and you wind up needing to make flags, or find ways to
deal with labels peeling off. 

What I have found that works fabulously are Brady cable markers. You can
use an ultra-fine Sharpie to write on them, they are self-laminating and
they do not come off easily like P-touch labels do. I buy what they call
the 'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that
label material in a roll and use it in one of Brady's labeller machines,
but their label makers tend to be quite expensive (but there is a ton of
functionality built into it). I find the porta-pak and a Sharpie to do
just as good of a job for a lot less money. You can get them from
Grainger or other similar supply house.

Wayne

-Original Message-
From: Steve Pruitt [mailto:adminli...@bytampabay.com]
Sent: Monday, December 29, 2008 6:17 PM
To: NT System Admin Issues
Subject: Re: Label printers

I use a Brother P-Touch, and I'm very happy with it. I'm compulsive
about labeling both ends of every cable, and the jacks on non-standard
devices.

Steve

- Original Message -
From: "Mike French" 
To: "NT System Admin Issues" 
Sent: Monday, December 29, 2008 5:01 PM
Subject: RE: Label printers


I use a Rhino 3000
(http://www.rhinopromo.com/Printers_3000_Features.shtm)




From: Orland, Kathleen [mailto:korl...@rogers.com]
Sent: Saturday, December 27, 2008 10:09 PM
To: NT System Admin Issues
Subject: RE: Label printers

I use the same thing. In addition I purchase bright yellow tapes to make
identification distinct and easy.


From: Jacob [mailto:ja...@excaliburfilms.com]
Sent: Saturday, December 27, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: Label printers
Brother P Touch III

What I use to label cable, tapes, etc...

From: Gavin Wilby [mailto:gavin.wi...@gmail.com]
Sent: Saturday, December 27, 2008 12:24 PM
To: NT System Admin Issues
Subject: Label printers

Not as off topic as it might sound - I want to get my own label printer,
to do things like patch cables, patch panels, back up tapes and the
like.

Anyone got any favorites?

Gavin.

Hope you have all had a great Christmas break!











Re: LogMeIn

2008-12-30 Thread S Conn.
Perhaps I missed this point in the replies, but what about user
separation?  I'm not keen on giving any user access that I can't
revoke the moment they get fired.  Also, access logs go a long way
when you're having HR issues..

Seth



On Tue, Dec 30, 2008 at 8:01 AM, David Lum  wrote:
> I work for a company with ~300 employees, is there a reason to discourage a
> few of our employees from installing LogMeIn Free on their systems so they
> can remote control their work machine and bypass the need to use a VPN
> license?
>
>
>
> I've used LogMeIn Free for years to connect to all my own business clients,
> but it's one thing to use it myself and small businesses, another to
> recommend its use to a larger company with resources for VPN, etc.
>
>
>
> My kneejerk reaction is "no", but damned if I can come up with a viable
> excuse for that opinion.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764



RE: NT issue

2008-12-30 Thread David James
Either way, I'm wondering if a quick install of WINS and targeting at least
his servers at it would help overcome this issue.  

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Tuesday, December 30, 2008 7:37 AM
To: NT System Admin Issues
Subject: RE: NT issue

 

meant to address this earlier ... it is NOT the HOSTS file to look at ...
HOSTS is the file based version of DNS, to resolve an FQDN to an IP
address. For NT Domain issues, the LMHOSTS file is the one that works
like WINS to resolve NetBIOS names ( Browse ) to IP

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 

  _  

From: David James [mailto:bigdadd...@gmail.com] 
Sent: Tuesday, December 30, 2008 1:16 AM
To: NT System Admin Issues
Subject: RE: NT issue

Does your hosts file have the #DOM entry?

 

From: Eric Brouwer [mailto:er...@forestpost.com] 
Sent: Monday, December 29, 2008 11:28 PM
To: NT System Admin Issues
Subject: RE: NT issue

 

I've rebooted the PDC numerous times tonight.  Once in a while when it comes
up, I see a message about a slow network connection, and I get the option to
download my profile, or load the local profile.  Could this be an issue, and
what does it point to?

I've moved the PDC to a new port, new cable, etc. which I am relatively
certain is okay.  I was using it for hours with my laptop which does not
belong to the domain, and it seems fine.



- Original Message -
From: "Eric Brouwer"  
Sent: Mon, December 29, 2008 19:59
Subject: RE: NT issue

I figured out the SET command.  I was wrong.  The problem server is not a
member, but a BDC.  It authenticated to itself, but it is not seeing the
PDC.  For instance, I can not run User Manager on the BDC, and I am seeing
Event ID:3096 in the logs.  The message is about not finding a domain
controller on the network.

 

  _  

From: Eric Brouwer [mailto:er...@forestpost.com] 
Sent: Monday, December 29, 2008 7:49 PM
To: NT System Admin Issues
Subject: RE: NT issue

 

Server and Net Logon services are running on both servers.  Yes, they are on
the same subnet.

 

How do I check the preferred server setting?

 

How do I look at the environment variables from the command line?

 

  _  

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Monday, December 29, 2008 7:33 PM
To: NT System Admin Issues
Subject: RE: NT issue

 

on the server look for the server service, and netlogon service ... are they
on the same subnet ?  Maybe check your WINS server too, and on the member
server that won't authenticate you can check for an incorrect preferred
server setting ( and from cmd look at environment variables for netlogon
server )

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 

  _  

From: Eric Brouwer [mailto:er...@forestpost.com] 
Sent: Monday, December 29, 2008 7:06 PM
To: NT System Admin Issues
Subject: NT issue

Good evening,

 

Yes, I am still running a few NT servers on an old network!  We had a power
outage, and now we're having authentication issues.  The PDC seems to be
coming up fine, but one of my NT member servers won't authenticate to it.  I
see a NETLOGON message in the event viewer stating no domain controllers
could be found.  How can I determine if the PDC is running properly?  How
can I verify the proper services are running, etc. to service logon
requests?

 

Thanks!

 

Eric Brouwer

IT Manager

Forest Post Productions

er...@forestpost.com

(248) 855-4333
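Added example, not part of any message in this thread: a small Python check for the LMHOSTS file that Erik Goldoff's reply points to, flagging `#DOM` entries that lack `#PRE` (without `#PRE` the entry is not preloaded into the NetBIOS name cache). The sample file, host names, domain name and addresses are constructed.

```python
"""Parse an LMHOSTS file and report entries that will not help domain logon."""
import ipaddress

# Constructed sample; names, domain and addresses are made up for illustration.
SAMPLE_LMHOSTS = """\
# LMHOSTS for the old NT domain
192.168.10.5    NTPDC01     #PRE #DOM:FOREST   # primary domain controller
192.168.10.6    NTBDC01     #DOM:FOREST        # backup DC, #PRE forgotten
192.168.10.20   FILESRV01   #PRE
192.168.10.999  BADHOST     #PRE
192.168.10.30   THISNAMEISWAYTOOLONG  #PRE
"""

MAX_NETBIOS_NAME = 15  # the 16th byte of a NetBIOS name is the service type


def parse_lmhosts(text):
    """Return (entries, problems); problems are (line_number, message) tuples."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line, comment, or a block directive such as #INCLUDE
        if len(tokens) < 2:
            problems.append((lineno, "address without a NetBIOS name"))
            continue
        addr, name = tokens[0], tokens[1]
        preload, domain = False, None
        for tok in tokens[2:]:
            upper = tok.upper()
            if upper == "#PRE":
                preload = True
            elif upper.startswith("#DOM:") and len(tok) > 5:
                domain = tok[5:]
            elif upper == "#MH":
                continue  # multihomed marker, not relevant to this check
            elif tok.startswith("#"):
                break  # any other '#' starts a free-text comment
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append((lineno, f"invalid IPv4 address {addr!r}"))
            continue
        if len(name) > MAX_NETBIOS_NAME:
            problems.append((lineno, f"NetBIOS name {name!r} is longer than 15 characters"))
            continue
        if domain and not preload:
            problems.append((lineno, f"{name}: #DOM:{domain} without #PRE, entry is not preloaded"))
        entries.append({"ip": addr, "name": name, "preload": preload, "domain": domain})
    return entries, problems


def domain_controllers(entries, domain):
    """Names of hosts tagged with #DOM for the given domain (case-insensitive)."""
    return [e["name"] for e in entries
            if e["domain"] and e["domain"].upper() == domain.upper()]


if __name__ == "__main__":
    parsed, issues = parse_lmhosts(SAMPLE_LMHOSTS)
    print("Domain controllers listed:", domain_controllers(parsed, "FOREST"))
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```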

Re: Label printers

2008-12-30 Thread Phillip Partipilo
I've used a few different types of P-Touches.  There is the variant
that has three spools in the cartridge - the adhesive tape layer, the
thermal ink ribbon, and the laminating layer.  They are much easier to
apply since the backing seems to come off the adhesive layer much
easier, but they don't stick for crap.  There are cheaper P-touches
that use a cartridge that is a single spool that just uses thermal
paper on a pre-adhered spool of paper/adhesive.  Those seem to work
just fine, they never come loose, and stick wonderfully, but often it's
a bitch to get the substrate of the adhesive off of the label.



On Dec 30, 2008, at 9:50 AM, Eisenberg, Wayne wrote:




I have found that P-Touch labels do not adhere well to the material used
for patch cables and you wind up needing to make flags, or find ways to
deal with labels peeling off.

What I have found that works fabulously are Brady cable markers. You can
use an ultra-fine Sharpie to write on them, they are self-laminating and
they do not come off easily like P-touch labels do. I buy what they call
the 'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that
label material in a roll and use it in one of Brady's labeller machines,
but their label makers tend to be quite expensive (but there is a ton of
functionality built into it). I find the porta-pak and a Sharpie to do
just as good of a job for a lot less money. You can get them from
Grainger or other similar supply house.

Wayne

-Original Message-
From: Steve Pruitt [mailto:adminli...@bytampabay.com]
Sent: Monday, December 29, 2008 6:17 PM
To: NT System Admin Issues
Subject: Re: Label printers

I use a Brother P-Touch, and I'm very happy with it. I'm compulsive
about labeling both ends of every cable, and the jacks on non-standard
devices.

Steve

- Original Message -
From: "Mike French" 
To: "NT System Admin Issues" 
Sent: Monday, December 29, 2008 5:01 PM
Subject: RE: Label printers


I use a Rhino 3000
(http://www.rhinopromo.com/Printers_3000_Features.shtm)




From: Orland, Kathleen [mailto:korl...@rogers.com]
Sent: Saturday, December 27, 2008 10:09 PM
To: NT System Admin Issues
Subject: RE: Label printers

I use the same thing. In addition I purchase bright yellow tapes to make
identification distinct and easy.


From: Jacob [mailto:ja...@excaliburfilms.com]
Sent: Saturday, December 27, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: Label printers
Brother P Touch III

What I use to label cable, tapes, etc...

From: Gavin Wilby [mailto:gavin.wi...@gmail.com]
Sent: Saturday, December 27, 2008 12:24 PM
To: NT System Admin Issues
Subject: Label printers

Not as off topic as it might sound - I want to get my own label printer, to
do things like patch cables, patch panels, back up tapes and the like.

Anyone got any favorites?

Gavin.

Hope you have all had a great Christmas break!











RE: LogMeIn

2008-12-30 Thread David James
LogMeInRescue FTW for supporting remote users.

Sonicwall SSL VPN Products for remote access.  Using the Java or ActiveX RDP
agents provide a more productive user experience than logmein free.

In logmein free's defense as a security measure...  I had a customer who
used logmein on their systems, it was a small business.  Someone stole a
computer, and since LogMeIn auto connects from anywhere on the net, they
were able to track the system down.  Kind of a free lowjack utility.  

Before I worked for myself, I would have argued that software like this was
not useful, but it has its place in the SMB.  The corporate compliance set
forbids it, but I have found that the ultimate question is how productive
your users are, and how secure are their passwords.  LogMeIn is just another
door to the building, another key to keep track of, so depending on the
business type/model, and its obligations for compliance, it may or may not
have its place.  I know lots of network admins who keep it on their servers
but yell at every user that wants to use it.  Sometimes productivity demands
it.  If you've got a user who needs to print at home to a Multifunction
device to be more productive, sometimes logmein pro is the best solution,
since RDP doesn't support certain printers.  In these rare cases, a simple
signed policy will suffice to cover your ___.  

It's about helping your users use technology to be more productive, not
having a power trip.  The company must survive tight economic times, so use
all your tools to provide them ways to produce from anywhere at anytime, and
you'll be a hero to your users and company management.





-Original Message-
From: Graeme Carstairs [mailto:loonyto...@gmail.com] 
Sent: Tuesday, December 30, 2008 8:37 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

You wouldn't allow any support via logmein rescue or webec etc.
Do the install through web use and then no further access type solutions?

May I ask how large your organisation is?

Graeme

On 30/12/2008, Ziots, Edward  wrote:
> And make that a part of the acceptable use policy or another network
> policy that includes the terms, "violation of this policy, can subject
> the violator(s) to punishment up to and including termination of
> employment"
>
> Then fire them, that will send the message. Logmein is not to be trusted
> and any business seeking to do business with you that uses that as a
> Remote access system for support should be shown the door as quickly as
> they came in. ( Had to deal with one here, and they went bye bye)
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> Email: ezi...@lifespan.org
>
> Phone: 401-639-3505
>
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> 
>
> From: John Cook [mailto:john.c...@pfsf.org]
> Sent: Tuesday, December 30, 2008 9:15 AM
> To: NT System Admin Issues
> Subject: RE: LogMeIn
>
>
>
> On a separate note we expressly forbid users to install ANY unapproved
> software, specifically remote control software, as it opens the network
> up to potential HIPAA violations (your regulatory obligations may come
> into play as well) Just say no!
>
>
>
> John W. Cook
>
> Systems Administrator
>
> Partnership For Strong Families
>
> 315 SE 2nd Ave
>
> Gainesville, Fl 32601
>
> Office (352) 393-2741 x320
>
> Cell (352) 215-6944
>
> Fax (352) 393-2746
>
> MCSE, MCTS, MCP+I,CompTIA A+, N+
>
>
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Tuesday, December 30, 2008 9:02 AM
> To: NT System Admin Issues
> Subject: LogMeIn
>
>
>
> I work for a company with ~300 employees, is there a reason to
> discourage a few of our employees from installing LogMeIn Free on their
> systems so they can remote control their work machine and bypass the
> need to use a VPN license?
>
>
>
> I've used LogMeIn Free for years to connect to all my own business
> clients, but it's one thing to use it myself and small businesses,
> another to recommend its use to a larger company with resources for
> VPN, etc.
>
>
>
> My kneejerk reaction is "no", but damned if I can come up with a viable
> excuse for that opinion.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>

RE: LogMeIn

2008-12-30 Thread Chinnery, Paul
But that can be a nightmare.  How can you prove your business partner
meets compliance testing?  Run your own pentest?  And what if that
company has a relationship with another company that supports them?
HIPAA answers that with the Chain of Trust guidelines.  I'm not sure
about PCI or Redflag rules, though.  
But for all of them, I would assume the "reasonable man" defense would
apply if questioned by a government agency.
 

Paul Chinnery 
Network Administrator 
Memorial Medical Center 
231-845-2319 

 

  _  

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Tuesday, December 30, 2008 10:03 AM
To: NT System Admin Issues
Subject: RE: LogMeIn


and as in the case of PCI and other compliance certifications, you might
have to prove that any 'connected' partner also passes compliance
testing
 

Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

  _  

From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] 
Sent: Tuesday, December 30, 2008 9:35 AM
To: NT System Admin Issues
Subject: RE: LogMeIn



Exactly. I would add to that list

 

 

* Free to use, but how much does it cost you if it stops working
correctly?

 

* What will your auditors or the BSA think of the setup? (It
would be very interesting to see their recommendation.)

 

* Does the company actually have a paid and supported version?
That is usually an indicator that the "free" version is for personal use
only, not business/organizational use.

 

 

  _  

From: Derek Lidbom [mailto:dlid...@trone.com] 
Sent: Tuesday, December 30, 2008 6:19 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

* What about the fact that it bypasses (using encrypted traffic
even) any protections you have in place to filter/monitor/scan traffic
passing through your gateway?

* It introduces a new attack vector (files can get on that
computer in ways they couldn't have before).

* You are trusting logmein with credentials that allow access to
your internal network.  Companies bigger than them get
usernames/passwords stolen.

* You have less logging of intrusion attempts (to my knowledge)
than if you were going through your own equipment

* It is another piece of software to keep updated on your
clients

* How do you protect the usernames/passwords users use to access
logmein?  (hopefully any vpn solution would have two-factor auth so
creds aren't a free path in to your network).  I know they have some
sort of two factor integration options, but I don't think it's at the
first username/password prompt.
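Added example, not from any poster in this thread: Derek Lidbom's first point is that the session is encrypted past the gateway, but the destination host on the proxy's CONNECT line is still visible, so a "no unapproved remote-control software" policy like the one John Cook describes can be checked from gateway logs. The log layout, client addresses, host names and the two-entry domain list below are assumptions constructed for the example.

```python
"""Flag workstations that reach remote-control services through the web proxy."""
from collections import defaultdict

# Assumption: registrable domains for the two services named in the thread.
# Extend this with whatever your policy lists as unapproved.
REMOTE_ACCESS_DOMAINS = {
    "logmein.com": "LogMeIn",
    "gotomypc.com": "GoToMyPC",
}

# Constructed sample in a simplified layout (not a real product's log format):
# timestamp client_ip method target status bytes
SAMPLE_LOG = """\
2008-12-30T08:58:03 10.1.4.23 CONNECT secure.logmein.com:443 200 18233
2008-12-30T08:58:09 10.1.4.23 CONNECT secure.logmein.com:443 200 90412
2008-12-30T09:02:44 10.1.7.80 GET http://www.gotomypc.com/ 200 5120
2008-12-30T09:03:10 10.1.7.81 CONNECT logmein.com.example.net:443 200 700
2008-12-30T09:04:31 10.1.2.15 CONNECT notlogmein.com:443 200 812
2008-12-30T09:05:02 10.1.9.9 CONNECT secure.logmein.com:443 200 40110
this line is truncated
"""


def host_of(target):
    """Return the lowercase hostname from 'host:port' or a full URL."""
    if "://" in target:
        target = target.split("://", 1)[1]
    target = target.split("/", 1)[0]
    target = target.rsplit("@", 1)[-1]  # drop any userinfo
    host = target.rsplit(":", 1)[0] if ":" in target else target
    return host.strip(".").lower()


def service_for(host):
    """Match on a label boundary so look-alike names are not flagged."""
    for domain, name in REMOTE_ACCESS_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def find_remote_access(log_text, approved_clients=()):
    """Return ({client_ip: {service: request_count}}, skipped_line_count).

    approved_clients holds addresses with a signed exception; they are not reported.
    """
    hits = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            skipped += 1  # malformed or truncated record; count it, do not guess
            continue
        _ts, client, _method, target, _status, _size = fields
        name = service_for(host_of(target))
        if name and client not in approved_clients:
            hits[client][name] += 1
    return {client: dict(services) for client, services in hits.items()}, skipped


if __name__ == "__main__":
    report, skipped = find_remote_access(SAMPLE_LOG, approved_clients={"10.1.9.9"})
    for client, services in sorted(report.items()):
        print(client, services)
    print("unparsed lines:", skipped)
```

A non-zero skipped count is worth reviewing in its own right, since unparsed lines are traffic the check never evaluated.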

Re: Virtualization Questions - More Q's

2008-12-30 Thread S Conn.
On Tue, Dec 30, 2008 at 5:33 AM, Ken Schaefer  wrote:
> Most people have said "no" to question #2.
>
>
>
> I would say that there is a definite impact. Your virtualisation team are
> pretty much now an additional "god" in the organisation. For smaller shops
> this isn't an issue. For bigger shops, or where compliance/auditing/change
> control are important, then this is another layer of people who have
> significant  privileges, who must be worked into your change control
> process.
>
>
>
> Cheers
>
> Ken
>


I don't see a lot of difference here between virtual environment vs physical.

A) The guest virtual machines have the same security as their physical
counterparts. (ie you still need a login/password to get into the
operating systems).  Same in a physical environment.  It's the same as
walking up to a KVM or logging into an IP KVM.
B) If you have access to the virtual environment, you could power off
the machines (reboot, etc).  It's the same if you have physical access
to the data center/server room/etc or access to a remote PDU (aka walk
up and press the off button on a machine).

The only difference is that you could change resource allocation, but
in a compliance/audit scenario, you're not accessing the actual data
or the guest OS itself, just the "box" itself.  Changing resources
does affect change control, but so would someone removing RAM out of a
physical box or adding a CPU.

I'm only speaking for VMWare here (since that's what I know and run),
but you can set up a lot of different levels of access in the virtual
environment.  You can group the machines, set administrators for those
groups, or break it down to only allow certain groups to have access
to certain machines.  For example, I myself have full access to the
entire network, but I only allow my programmers to have access to only
a couple of machines, and only restart ability to those.  When they
log in, all they see are their machines only.  Their only options are
console or power on/off/reboot, the same access they've had when the
servers were physical.  It ties into Active Directory, and you can
set groups to as much or as little access as you want.

I do agree, there are some security concerns that you'll need to
address, but virtualizing your servers won't give anyone any more
additional access to the machines over walking into the server room
IMO.


Seth



RE: LogMeIn

2008-12-30 Thread Erik Goldoff
does the business software alliance really deserve capitalization ? 
 

Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

  _  

From: Andy Shook [mailto:andy.sh...@peak10.com] 
Sent: Tuesday, December 30, 2008 9:46 AM
To: NT System Admin Issues
Subject: RE: LogMeIn



Big stinkin' A-hole?

 

Shook

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, December 30, 2008 9:42 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

BSA?

 

From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] 
Sent: Tuesday, December 30, 2008 6:35 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

Exactly. I would add to that list

 

 

* Free to use, but how much does it cost you if it stops working
correctly?

* What will your auditors or the BSA think of the setup? (It would
be very interesting to see their recommendation.)

* Does the company actually have a paid and supported version? That
is usually an indicator that the "free" version is for personal use only, not
business/organizational use.

 

 

 


RE: LogMeIn

2008-12-30 Thread Erik Goldoff
and as in the case of PCI and other compliance certifications, you might
have to prove that any 'connected' partner also passes compliance testing
 

Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 


From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] 
Sent: Tuesday, December 30, 2008 9:35 AM
To: NT System Admin Issues
Subject: RE: LogMeIn



Exactly. I would add to that list

 

 

* Free to use, but how much does it cost you if it stops working
correctly?

 

* What will your auditors or the BSA think of the setup? (It would
be very interesting to see their recommendation.)

 

* Does the company actually have a paid and supported version? That
is usually an indicator that the "free" version is for personal use only, not
business/organizational use.

 

 


From: Derek Lidbom [mailto:dlid...@trone.com] 
Sent: Tuesday, December 30, 2008 6:19 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

* What about the fact that it bypasses (using encrypted traffic
even) any protections you have in place to filter/monitor/scan traffic
passing through your gateway?

* It introduces a new attack vector (files can get on that computer
in ways they couldn't have before).

* You are trusting logmein with credentials that allow access to
your internal network.  Companies bigger than them get usernames/passwords
stolen.

* You have less logging of intrusion attempts (to my knowledge) than
if you were going through your own equipment

* It is another piece of software to keep updated on your clients

* How do you protect the usernames/passwords users use to access
logmein?  (hopefully any vpn solution would have two-factor auth so creds
aren't a free path in to your network).  I know they have some sort of two
factor integration options, but I don't think it's at the first
username/password prompt.

 

 

 

 



RE: LogMeIn

2008-12-30 Thread Ziots, Edward
Yep, 

We have our own secure support access solution, and for security reasons
I can't tell you what it is or how it works. (Let's just say 256-bit AES
FIPS 140-2 compliant, enough said.)

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
Email: ezi...@lifespan.org
Phone: 401-639-3505
MCSE, MCP+I, ME, CCA, Security +, Network +

-Original Message-
From: Graeme Carstairs [mailto:loonyto...@gmail.com] 
Sent: Tuesday, December 30, 2008 9:37 AM
To: NT System Admin Issues
Subject: Re: LogMeIn

You wouldn't allow any support via LogMeIn Rescue or WebEx etc.?
Do the install through web use and then no further access type
solutions?

May I ask how large your organisation is?

Graeme

On 30/12/2008, Ziots, Edward  wrote:
> And make that a part of the acceptable use policy or another network
> policy that includes the terms, "violation of this policy, can subject
> the violator(s) to punishment up to and including termination of
> employment"
>
>
>
> Then fire them, that will send the message. Logmein is not to be trusted
> and any business seeking to do business with you that uses that as a
> Remote access system for support should be shown the door as quickly as
> they came in. (Had to deal with one here, and they went bye bye)
>
>
>
> Z
>
>
>
> Edward E. Ziots
>
> Network Engineer
>
> Lifespan Organization
>
> Email: ezi...@lifespan.org
>
> Phone: 401-639-3505
>
> MCSE, MCP+I, ME, CCA, Security +, Network +
>
> 
>
> From: John Cook [mailto:john.c...@pfsf.org]
> Sent: Tuesday, December 30, 2008 9:15 AM
> To: NT System Admin Issues
> Subject: RE: LogMeIn
>
>
>
> On a separate note we expressly forbid users to install ANY unapproved
> software, specifically remote control software, as it opens the network
> up to potential HIPAA violations (your regulatory obligations may come
> into play as well) Just say no!
>
>
>
> John W. Cook
>
> Systems Administrator
>
> Partnership For Strong Families
>
> 315 SE 2nd Ave
>
> Gainesville, Fl 32601
>
> Office (352) 393-2741 x320
>
> Cell (352) 215-6944
>
> Fax (352) 393-2746
>
> MCSE, MCTS, MCP+I,CompTIA A+, N+
>
>
>
> From: David Lum [mailto:david@nwea.org]
> Sent: Tuesday, December 30, 2008 9:02 AM
> To: NT System Admin Issues
> Subject: LogMeIn
>
>
>
> I work for a company with ~300 employees, is there a reason to
> discourage a few of our employees from installing LogMeIn Free on their
> systems so they can remote control their work machine and bypass the
> need to use a VPN license?
>
>
>
> I've used LogMeIn Free for years to connect to all my own business
> clients, but it's one thing to use it myself and small businesses,
> another to recommend its use to a larger company with resources for
> VPN, etc.
>
>
>
> My kneejerk reaction is "no", but damned if I can come up with a viable
> excuse for that opinion.
>
> David Lum // SYSTEMS ENGINEER
> NORTHWEST EVALUATION ASSOCIATION
> (Desk) 971.222.1025 // (Cell) 503.267.9764
>
>
>
>
>
>
>
>
>
>
>
>
>
> 
>
> CONFIDENTIALITY STATEMENT: The information transmitted, or contained or
> attached to or with this Notice is intended only for the person or
> entity to which it is addressed and may contain Protected Health
> Information (PHI), confidential and/or privileged material. Any review,
> transmission, dissemination, or other use of, and taking any action in
> reliance upon this information by persons or entities other than the
> intended recipient without the express written consent of the sender are
> prohibited. This information may be protected by the Health Insurance
> Portability and Accountability Act of 1996 (HIPAA), and other Federal
> and Florida laws. Improper or unauthorized use or disclosure of this
> information could result in civil and/or criminal penalties.
> Consider the environment. Please don't print this e-mail unless you
> really need to.
>
>
>
>
>


-- 
Carbon credits are a bit like beating someone up on this side of the
world and sponsoring one of those poor starving kids on the other side
of the world to make up for the fact that you're a complete shit at
home.



RE: LogMeIn

2008-12-30 Thread Ziots, Edward
Folks,

 

It's more about security of your systems and controlling who has access
with what; with Logmein you basically are giving up that control to an
unknown, untrusted 3rd party that you can't audit, and you don't have a BAA
(business associate agreement) or MOU (memorandum of understanding; only
applies to Govt entities), which are violations of HIPAA.

The sections are the following.  NOTE: I am not a Lawyer, none of this
constitutes LEGAL ADVICE, and I can't be held responsible for you
following any of this advice and causing harm to your organization, you
should talk with your Lawyers/Management C levels before doing any of
this. I am just interpreting the HIPAA regulations as per what they
state in the final rule.

Transmissions Security: Section 164.312(e)(1) (encrypted communications
or viewing of EPHI on various systems accessed by Logmein)

Person or Entity Authentication: Section 164.312(d)(8) (Failure to
accurately authenticate who is accessing your EPHI; you don't control the
logmein authentication mechanism, you can't audit it, and you can't tie
it back into a person or process that you can verifiably claim did or
didn't access the EPHI in question)

Integrity: Section 164.312(c)(1): If you can audit who has access to
your data, then you don't know if it's been manipulated or changed from
its current state and if it's valid or not anymore, thus violating the
Integrity of the data.

Audit Controls: Section 164.312(b): Again you can't audit who did and
didn't login via Logmein, or tie that back to a person or entity that
will stand up in a court of law if you take it that far (forensically
sound logs of the information access and manipulation etc. etc.)

Access Controls: Section 164.312(a)(1): Again you are allowing a 3rd
party without a BAA or MOU access to your systems via an untrusted
mechanism that you can't secure or control, access into your information
systems? I think we all see the blaring problem in this regard, you are
opening yourself up to all kinds of bad things.

Security Management Process: Section 164.308(a)(1): You probably haven't
completed a Risk Assessment for this new technology that would have
easily outlined the inherent harm that Logmein and similar Remote
Access Solutions can cause with the Confidentiality, Integrity and
Availability of your systems and data.

Security Incident Procedures: Section 164.308(a)(6): Think about your
incident response plan if or probably when one or more of your systems
become hacked by a malicious 3rd party that has found a flaw or bug in
the logmein process and starts accessing or stealing your data, corrupting
your systems, rootkits, malware, Trojans, backdoors, etc. etc.,
information blackmail, or general denial of service from within your
network. What are you going to do then? You let it in the door, you
agreed to have your systems accessed via an insecure mechanism, I don't
think you are going to win many court battles trying to argue that you
did due diligence or due care process in those regards. So you might as
well write that big fat check and notify the people that their PHI is
history and in some hackers' hands floating around in 3rd world countries
or other nefarious places of the earth, and that their lives are going
to be affected adversely and probably their identity is going to be
stolen, or attempt to be stolen via information leaks and lack of
judgement.

If that doesn't wake up some C levels' eyes and have the lawyers
stirring, and management putting the kibosh on Logmein and similar
Remote access solutions, then not quite sure what will.

PS: If you want the breakdown of the sections of HIPAA I have an Excel
spreadsheet that covers each section and the types of questions you all
need to be asking yourselves when you deal with these types of issues.

 

Edward E. Ziots

Network Engineer

Lifespan Organization

Email: ezi...@lifespan.org

Phone: 401-639-3505

MCSE, MCP+I, ME, CCA, Security +, Network +



From: David Mazzaccaro [mailto:david.mazzacc...@hudsonhhc.com] 
Sent: Tuesday, December 30, 2008 9:15 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

Lots of reasons.  Security & compliancy (HIPAA) come to mind.

With a VPN, you know (and have control) who is on the network.

 

 



From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, December 30, 2008 9:02 AM
To: NT System Admin Issues
Subject: LogMeIn

I work for a company with ~300 employees, is there a reason to
discourage a few of our employees from installing LogMeIn Free on their
systems so they can remote control their work machine and bypass the
need to use a VPN license?

 

I've used LogMeIn Free for years to connect to all my own business
clients, but it's one thing to use it myself and small businesses,
another to recommend its use to a larger company with resources for
VPN, etc.

 

My kneejerk reaction is "no", but damned if I can come up with a 

RE: Label printers

2008-12-30 Thread Eisenberg, Wayne
I have found that P-Touch labels do not adhere well to the material used
for patch cables and you wind up needing to make flags, or find ways to
deal with labels peeling off. 

What I have found that works fabulously are Brady cable markers. You can
use an ultra-fine Sharpie to write on them, they are self-laminating and
they do not come off easily like P-touch labels do. I buy what they call
the 'porta-pack' (just a booklet of labels) PWC-PK-1. You can get that
label material in a roll and use it in one of Brady's labeller machines,
but their label makers tend to be quite expensive (but there is a ton of
functionality built into it). I find the porta-pak and a Sharpie to do
just as good of a job for a lot less money. You can get them from
Grainger or other similar supply house.

Wayne

-Original Message-
From: Steve Pruitt [mailto:adminli...@bytampabay.com] 
Sent: Monday, December 29, 2008 6:17 PM
To: NT System Admin Issues
Subject: Re: Label printers

I use a Brother P-Touch, and I'm very happy with it. I'm compulsive
about labeling both ends of every cable, and the jacks on non-standard
devices.

Steve

- Original Message -
From: "Mike French" 
To: "NT System Admin Issues" 
Sent: Monday, December 29, 2008 5:01 PM
Subject: RE: Label printers


I use a Rhino 3000
(http://www.rhinopromo.com/Printers_3000_Features.shtm)




From: Orland, Kathleen [mailto:korl...@rogers.com]
Sent: Saturday, December 27, 2008 10:09 PM
To: NT System Admin Issues
Subject: RE: Label printers

I use the same thing. In addition I purchase bright yellow tapes to make
identification distinct and easy.


From: Jacob [mailto:ja...@excaliburfilms.com]
Sent: Saturday, December 27, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: Label printers
Brother P Touch III

What I use to label cable, tapes, etc...

From: Gavin Wilby [mailto:gavin.wi...@gmail.com]
Sent: Saturday, December 27, 2008 12:24 PM
To: NT System Admin Issues
Subject: Label printers

Not as off topic as it might sound - I want to get my own label printer,
to do things like patch cables, patch panels, back up tapes and the like.

Anyone got any favorites?

Gavin.

Hope you have all had a great Christmas break!











RE: LogMeIn

2008-12-30 Thread Dallas Burnworth
Business Software Alliance (www.bsa.org): these guys
are the #1 software compliance and anti-piracy organization world-wide.
They can come in and audit any organization for proper software use and
licensing. They currently use Centennial Discovery software for their
audits. They are out there to protect the rights of software companies
like Microsoft to get all the money from people who use their stuff.

 

 



From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, December 30, 2008 6:42 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

BSA?

 

From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] 
Sent: Tuesday, December 30, 2008 6:35 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

Exactly. I would add to that list

 

 

* Free to use, but how much does it cost you if it stops working
correctly?

 

* What will your auditors or the BSA think of the setup? (It
would be very interesting to see their recommendation.)

 

* Does the company actually have a paid and supported version?
That is usually an indicator that the "free" version is for personal use
only, not business/organizational use.

 

 



From: Derek Lidbom [mailto:dlid...@trone.com] 
Sent: Tuesday, December 30, 2008 6:19 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

* What about the fact that it bypasses (using encrypted traffic
even) any protections you have in place to filter/monitor/scan traffic
passing through your gateway?

* It introduces a new attack vector (files can get on that
computer in ways they couldn't have before).

* You are trusting logmein with credentials that allow access to
your internal network.  Companies bigger than them get
usernames/passwords stolen.

* You have less logging of intrusion attempts (to my knowledge)
than if you were going through your own equipment

* It is another piece of software to keep updated on your
clients

* How do you protect the usernames/passwords users use to access
logmein?  (hopefully any vpn solution would have two-factor auth so
creds aren't a free path in to your network).  I know they have some
sort of two factor integration options, but I don't think it's at the
first username/password prompt.

 

 

 

 

From: John Cook [mailto:john.c...@pfsf.org] 
Sent: Tuesday, December 30, 2008 9:04 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

 

Is there some verbatim in the LogMeIn agreement that says for personal
use only? This sounds like business use to me >;-)

 

John W. Cook

Systems Administrator

Partnership For Strong Families

315 SE 2nd Ave

Gainesville, Fl 32601

Office (352) 393-2741 x320

Cell (352) 215-6944

Fax (352) 393-2746

MCSE, MCTS, MCP+I,CompTIA A+, N+

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, December 30, 2008 9:02 AM
To: NT System Admin Issues
Subject: LogMeIn

 

I work for a company with ~300 employees, is there a reason to
discourage a few of our employees from installing LogMeIn Free on their
systems so they can remote control their work machine and bypass the
need to use a VPN license?

 

I've used LogMeIn Free for years to connect to all my own business
clients, but it's one thing to use it myself and small businesses,
another to recommend its use to a larger company with resources for
VPN, etc.

 

My kneejerk reaction is "no", but damned if I can come up with a viable
excuse for that opinion.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

 

 

 

 

 




 

 


~~~
Derek Lidbom
Director of Technology and Interactive Development, Trone
336.812.2010
dlid...@trone.com
  

Confidentiality Notice: This e-mail communication and any attachments
may contain confidential and privileged information for the use of the
designated recipients named above.  If you are not the intended
recipient, you are hereby notified that you have received this
communication in error and that any

RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread Kennedy, Jim

Sure it does, that is how ours is; I just retested it to be certain. Internals
get OOF's and externals do not.


> -Original Message-
> From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
> Sent: Tuesday, December 30, 2008 9:38 AM
> To: NT System Admin Issues
> Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)


> Exchange 2007 does support separating the handling of OOO's between
> internal and external senders...



RE: LogMeIn

2008-12-30 Thread Andy Shook
Big stinkin' A-hole?

Shook

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 30, 2008 9:42 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

BSA?

From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com]
Sent: Tuesday, December 30, 2008 6:35 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

Exactly. I would add to that list


* Free to use, but how much does it cost you if it stops working 
correctly?

* What will your auditors or the BSA think of the setup? (It would be 
very interesting to see their recommendation.)

* Does the company actually have a paid and supported version? That is
usually an indicator that the "free" version is for personal use only, not
business/organizational use.



From: Derek Lidbom [mailto:dlid...@trone.com]
Sent: Tuesday, December 30, 2008 6:19 AM
To: NT System Admin Issues
Subject: RE: LogMeIn


* What about the fact that it bypasses (using encrypted traffic even) 
any protections you have in place to filter/monitor/scan traffic passing 
through your gateway?

* It introduces a new attack vector (files can get on that computer in 
ways they couldn't have before).

* You are trusting logmein with credentials that allow access to your 
internal network.  Companies bigger than them get usernames/passwords stolen.

* You have less logging of intrusion attempts (to my knowledge) than if 
you were going through your own equipment

* It is another piece of software to keep updated on your clients

* How do you protect the usernames/passwords users use to access 
logmein?  (hopefully any vpn solution would have two-factor auth so creds 
aren't a free path in to your network).  I know they have some sort of two 
factor integration options, but I don't think it's at the first 
username/password prompt.





From: John Cook [mailto:john.c...@pfsf.org]
Sent: Tuesday, December 30, 2008 9:04 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

Is there some verbatim in the LogMeIn agreement that says for personal use 
only? This sounds like business use to me >;-)

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave
Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell (352) 215-6944
Fax (352) 393-2746
MCSE, MCTS, MCP+I,CompTIA A+, N+

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 30, 2008 9:02 AM
To: NT System Admin Issues
Subject: LogMeIn

I work for a company with ~300 employees, is there a reason to discourage a few 
of our employees from installing LogMeIn Free on their systems so they can 
remote control their work machine and bypass the need to use a VPN license?

I've used LogMeIn Free for years to connect to all my own business clients, but 
it's one thing to use it myself and small businesses, another to recommend its
use to a larger company with resources for VPN, etc.

My kneejerk reaction is "no", but damned if I can come up with a viable excuse 
for that opinion.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764














~~~
Derek Lidbom
Director of Technology and Interactive Development, Trone
336.812.2010
dlid...@trone.com

Confidentiality Notice: This e-mail communication and any attachments may 
contain confidential and privileged information for the use of the designated 
recipients named above.  If you are not the intended recipient, you are hereby 
notified that you have received this communication in error and that any 
review, disclosure, dissemination, distribution or copying of it or its 
contents is prohibited.  If you have received this communication in error, 
please notify me immediately by replying to this message and deleting it from 
your computer.  Thank you.

















RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread John Cook
Same here, I was just under the (apparently mistaken) impression that when you
tell Outlook (2007) to not send OOFs to people outside your domain that's what
it did.

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave
Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell (352) 215-6944
Fax (352) 393-2746
MCSE, MCTS, MCP+I,CompTIA A+, N+


-Original Message-
From: John Hornbuckle [mailto:john.hornbuc...@taylor.k12.fl.us]
Sent: Tuesday, December 30, 2008 9:38 AM
To: NT System Admin Issues
Subject: RE: Aaaiiiyyyee!!! OOO notices! (OT)

I'm sure I'm one of the guilty party.

Exchange 2003 had a registry hack that was supposed to minimize occurrences of 
OOO's going to mailing lists, but I believe that has gone away with 2007.

Exchange 2007 does support separating the handling of OOO's between internal 
and external senders, but I turn both on. I need people outside of my 
organization (vendors, members of the public, etc.) to know I'm OOO just as 
much as I need people within my organization to know it.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us





-Original Message-
From: Edward B. DREGER [mailto:eddy+public+s...@noc.everquick.net]
Sent: Monday, December 29, 2008 1:03 PM
To: NT System Admin Issues
Subject: Aaaiiiyyyee!!! OOO notices! (OT)

I normally get a few OOOs in response to a post... but _thirteen_ just
now?!

Hint:  If a message is addressed to a list (not to oneself), from a
list server, et cetera, an OOO response might not be appropriate.  And
telling random people that you'll be out of state for two months is
unwise from a security perspective.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
dav...@brics.com -*- jfconmaa...@intc.net -*- s...@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.



RE: LogMeIn

2008-12-30 Thread David Lum
BSA?

From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com]
Sent: Tuesday, December 30, 2008 6:35 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

Exactly. I would add to that list


* Free to use, but how much does it cost you if it stops working 
correctly?

* What will your auditors or the BSA think of the setup? (It would be 
very interesting to see their recommendation.)

* Does the company actually have a paid and supported version? That is
usually an indicator that the "free" version is for personal use only, not
business/organizational use.



From: Derek Lidbom [mailto:dlid...@trone.com]
Sent: Tuesday, December 30, 2008 6:19 AM
To: NT System Admin Issues
Subject: RE: LogMeIn


* What about the fact that it bypasses (using encrypted traffic even) 
any protections you have in place to filter/monitor/scan traffic passing 
through your gateway?

* It introduces a new attack vector (files can get on that computer in 
ways they couldn't have before).

* You are trusting logmein with credentials that allow access to your 
internal network.  Companies bigger than them get usernames/passwords stolen.

* You have less logging of intrusion attempts (to my knowledge) than if 
you were going through your own equipment

* It is another piece of software to keep updated on your clients

* How do you protect the usernames/passwords users use to access 
logmein?  (hopefully any vpn solution would have two-factor auth so creds 
aren't a free path in to your network).  I know they have some sort of two 
factor integration options, but I don't think it's at the first 
username/password prompt.





From: John Cook [mailto:john.c...@pfsf.org]
Sent: Tuesday, December 30, 2008 9:04 AM
To: NT System Admin Issues
Subject: RE: LogMeIn

Is there some verbatim in the LogMeIn agreement that says for personal use 
only? This sounds like business use to me >;-)

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave
Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell (352) 215-6944
Fax (352) 393-2746
MCSE, MCTS, MCP+I,CompTIA A+, N+

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, December 30, 2008 9:02 AM
To: NT System Admin Issues
Subject: LogMeIn

I work for a company with ~300 employees, is there a reason to discourage a few 
of our employees from installing LogMeIn Free on their systems so they can 
remote control their work machine and bypass the need to use a VPN license?

I've used LogMeIn Free for years to connect to all my own business clients, but 
it's one thing to use it myself and small businesses, another to recommend its
use to a larger company with resources for VPN, etc.

My kneejerk reaction is "no", but damned if I can come up with a viable excuse 
for that opinion.
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764














~~~
Derek Lidbom
Director of Technology and Interactive Development, Trone
336.812.2010
dlid...@trone.com













RE: Aaaiiiyyyeeeeee!!! OOO notices! (OT)

2008-12-30 Thread John Hornbuckle
I'm sure I'm one of the guilty party.

Exchange 2003 had a registry hack that was supposed to minimize occurrences of 
OOO's going to mailing lists, but I believe that has gone away with 2007.

Exchange 2007 does support separating the handling of OOO's between internal 
and external senders, but I turn both on. I need people outside of my 
organization (vendors, members of the public, etc.) to know I'm OOO just as 
much as I need people within my organization to know it.



John Hornbuckle
MIS Department
Taylor County School District
www.taylor.k12.fl.us





-Original Message-
From: Edward B. DREGER [mailto:eddy+public+s...@noc.everquick.net] 
Sent: Monday, December 29, 2008 1:03 PM
To: NT System Admin Issues
Subject: Aaaiiiyyyee!!! OOO notices! (OT)

I normally get a few OOOs in response to a post... but _thirteen_ just
now?!

Hint:  If a message is addressed to a list (not to oneself), from a
list server, et cetera, an OOO response might not be appropriate.  And
telling random people that you'll be out of state for two months is
unwise from a security perspective.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

DO NOT send mail to the following addresses:
dav...@brics.com -*- jfconmaa...@intc.net -*- s...@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
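
Added example (not part of any post in this thread, and not Exchange or Outlook code): one way an out-of-office responder can decide when to stay silent, following the header checks recommended in RFC 3834, with a terse reply for external senders so absence details stay internal. The function names, sample messages, addresses and reply texts are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not taken from the list archive).
LIST_POST = """\
Return-Path: <bounce-ntsysadmin@lists.example.com>
From: Poster <poster@example.net>
To: NT System Admin Issues <ntsysadmin@lists.example.com>
Subject: Label printers
List-Id: <ntsysadmin.lists.example.com>
Precedence: list

Anyone got any favorites?
"""

DIRECT_MAIL = """\
Return-Path: <vendor@example.net>
From: Vendor <vendor@example.net>
To: Jane Admin <jane@example.org>
Subject: Quote for renewal

Please see the attached quote.
"""

AUTO_REPLY = """\
Return-Path: <>
From: Someone <someone@example.net>
To: Jane Admin <jane@example.org>
Subject: Out of office
Auto-Submitted: auto-replied

I am away.
"""

LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe", "List-Help")
ROLE_PREFIXES = ("mailer-daemon", "owner-", "bounce", "listserv", "majordomo")


def suppress_reason(msg, my_addresses):
    """Return why no auto-reply may be sent, or None if one is acceptable."""
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return "message is itself automatic"
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return "bulk or list precedence"
    if any(name in msg for name in LIST_HEADERS):
        return "mailing-list headers present"
    envelope = parseaddr(msg.get("Return-Path") or "")[1].lower()
    if "Return-Path" in msg and not envelope:
        return "null return path (bounce)"
    sender = envelope or parseaddr(msg.get("From") or "")[1].lower()
    local = sender.split("@")[0]
    if not sender or local.startswith(ROLE_PREFIXES) or local.endswith("-request"):
        return "sender is a list or daemon address"
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if not {addr.lower() for _, addr in recipients} & set(my_addresses):
        return "not addressed to this mailbox directly"
    return None


def build_reply(msg, me, internal_domain, notified):
    """Return the out-of-office reply, or None when it must be suppressed."""
    if suppress_reason(msg, {me}) is not None:
        return None
    # Reply to the envelope sender when known, otherwise to From.
    target = (parseaddr(msg.get("Return-Path") or "")[1]
              or parseaddr(msg.get("From") or "")[1]).lower()
    if target in notified:          # one notice per correspondent per absence
        return None
    notified.add(target)
    reply = EmailMessage()
    reply["From"] = me
    reply["To"] = target
    reply["Subject"] = "Auto: " + (msg.get("Subject") or "")
    reply["Auto-Submitted"] = "auto-replied"  # lets other responders skip us
    if target.endswith("@" + internal_domain.lower()):
        reply.set_content("Out of office until 5 January; see the help desk.")
    else:
        # External senders learn nothing about where or for how long.
        reply.set_content("I am unavailable and will reply when I can.")
    return reply


if __name__ == "__main__":
    seen = set()
    for raw in (LIST_POST, DIRECT_MAIL, AUTO_REPLY, DIRECT_MAIL):
        m = message_from_string(raw)
        print(m["Subject"], "->", suppress_reason(m, {"jane@example.org"}),
              "| reply sent:", build_reply(m, "jane@example.org",
                                           "example.org", seen) is not None)
```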
