Re: MS Server 2008 - Windows Server backup fails due to incorrect active volume
Hi,

I've not seen this article but I'm not getting any errors relating to Microsoft Exchange Replication Service. Whenever I try to run full backup I get the following warnings/errors:

Warning - Volume Shadow Copy Service warning: ASR writer Error 0x80070001. hr = 0x. (Event ID:12290)
Error - Shadow copy creation failed because of error reported by ASR Writer. More info: Incorrect function. (0x80070001). (Event ID:16387)

The only useful information I've found is in this TechNet thread:
http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/9cf42e8a-2a33-47c5-a797-269330e9ba1a/

From this thread it says system partition must be set as active.

Shazad

On 30/12/2008 23:09, Christopher Bodnar wrote:

Have you seen this: http://technet.microsoft.com/en-us/library/bb218863.aspx

Chris Bodnar, MCSE
Sr. Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003

*From:* Shazad Anwar [mailto:sha...@fastmail.co.uk]
*Sent:* Tuesday, December 30, 2008 4:28 PM
*To:* NT System Admin Issues
*Subject:* MS Server 2008 - Windows Server backup fails due to incorrect active volume

Hi,

I'm currently running Exchange 2007 SP1 on Server 2008 (Dell Poweredge 2970). I currently use Backup Exec 12.5 to backup System State and Exchange databases. I'm trying to use Windows Server Backup to create a full backup of the server but it keeps failing with this error:

Backup started at '27/12/2008 19:18:44' failed as Volume Shadow copy operation failed for backup volumes with following error code '2155348129'. Please rerun backup once issue is resolved.

From looking up this error on google it seems C: drive should be active partition for Shadow Copy to work but on my server a small Dell partition has been set active. Has anyone encountered this problem and know of a fix?
Thanks,
Shazad

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: AHCI Sata and sysprep
Alright, I was wrong, I do have CC_0106 included, but looking at the sysprep def. turned a light bulb on. The drivers Dell has for downloads do NOT work. You have to get them from Intel. Yes, I was stuck on that too, which is why I commented it in the sysprep file.

I am using this version for the E6400:

; **Filename: iaStor.INF
; **Revision: Version 8.6.0.1007
; **Date: 09/12/2008
; **Abstract: Windows* INF File for Intel(R) Matrix Storage Manager Driver

; **Filename: iaAHCI.INF
; **Revision: Version 8.6.0.1007
; **Date: 09/12/2008
; **Abstract: Windows* INF File for Intel(R) Matrix Storage Manager Driver

- Sysprep file

;Dell E6400
;Get drivers from Intel not Dell
*PNP0600.DeviceDesc=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_2681&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_27C1&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_27C5&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_2821&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_2829&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_2922&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_2929&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_3A02&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_3A22&CC_0106=C:\Drivers\storage\E6400\iaAHCI.inf
PCI\VEN_8086&DEV_2682&CC_0104=C:\Drivers\storage\E6400\iaStor.inf
PCI\VEN_8086&DEV_27C3&CC_0104=C:\Drivers\storage\E6400\iaStor.inf
PCI\VEN_8086&DEV_27C6&CC_0104=C:\Drivers\storage\E6400\iaStor.inf
PCI\VEN_8086&DEV_2822&CC_0104=C:\Drivers\storage\E6400\iaStor.inf
PCI\VEN_8086&DEV_282A&CC_0104=C:\Drivers\storage\E6400\iaStor.inf
;END Dell E6400

FYI... XP SP3 changes the way it handles the account being sysprep under. If you are like us and use the admin account and expect that to be copied over to your default profile during sysprep then you have to add UpdateServerProfiledirectory=1 into the [Unattended] section.
Bob

On Tue, Dec 30, 2008 at 4:29 PM, Phil Brutsche p...@optimumdata.com wrote:

On my machines the non-AHCI SATA would not work if I didn't put in the CC_0106 at the end of the PCI ID. To be on the safe side I ALWAYS put the device IDs in sysprep.inf EXACTLY the way they were in the driver .inf.

I see I'm not the only one to suspect that putting BuildMassStorageSection = YES in there will override your custom SysprepMassStorage section ;)

Johonn2 wrote:

I finished my sysprep for both the E6400 AHCI and IRRT and the Dell OP760 series late last month. I believe you need to drop the CC_0106 on it but I would have to look at mine to know for sure. I am not in the office today so if someone else does not help out by then, then I will post it tomorrow. Also I may be wrong again but BuildMassStorageSection = YES I believe will overwrite your custom [SysprepMassStorage].

--
Phil Brutsche
p...@optimumdata.com
OT Cisco MDS 9124 switch
Anyone know what the default PW is for one of these? We had an outside vendor set it up and there's no sign of a password in any of their documentation.
Re: Win 2k8 Enterprise 240-day Eval Terminal Serivces licenses for 25 users.
As follow up, with the free trial from MS, will windows allow for 25 simultaneous users during the grace period?

Klint

Webster wrote:

*From:* Klint Price - ArizonaITPro [mailto:kpr...@arizonaitpro.com]
*Subject:* Win 2k8 Enterprise 240-day Eval Terminal Serivces licenses for 25 users.

I need to throw together a test server with 25 terminal services users. Does the 60 day eval (which can be increased to 240 days), allow for 25 simultaneous users via terminal services

In either per-user or per-device mode the TS will issue temporary 120-day licenses. If the TS is in workgroup mode then per-user licenses are not tracked. [Windows Server 2008 TS Resource Kit pages 121 and 122]

Webster
RE: Win 2k8 Enterprise 240-day Eval Terminal Serivces licenses for 25 users.
Should. In my experience the trial versions are complete and full function, just time-bombed.
Re: Win 2k8 Enterprise 240-day Eval Terminal Serivces licenses for 25 users.
Backing up a little bit

This is going to be utilized in a Windows 2003 domain environment. I have plenty of 2003 CALS, but no 2008 CALs. During the test time frame, do I not have to worry about 2008 CALs? Does 2008 ignore the fact they are missing until the trial period ends?

Thanks, I think I am getting close.

Klint

and Enterprise comes with 25, and not just 5? I can't find it on the MS site, and have never dealt wi
RE: Win 2k8 Enterprise 240-day Eval Terminal Serivces licenses for 25 users.
I think so. It wouldn't make sense for a trial version to require you to buy things..
Hackers create rogue CA certificate using MD5 collisions
This doesn't sound too good...

http://blogs.zdnet.com/security/?p=2339
RE: Hackers create rogue CA certificate using MD5 collisions
Microsoft released a bulletin on it yesterday
http://www.microsoft.com/technet/security/advisory/961509.mspx

Of note:

Mitigating Factors:

* Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method.
* Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.
* When visited, Web sites that use Extended Validation (EV) certificates show a green address bar in most modern browsers. These certificates are always signed using SHA-1 and as such are not affected by this newly reported research

David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
RE: Hackers create rogue CA certificate using MD5 collisions
I believe MD5 has been hacked long ago... I think a lot of people will misinterpret this, thinking that SSL is also hacked.

Related article here:
http://hackaday.com/2008/12/30/25c3-hackers-completely-break-ssl-using-200-ps3s/
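An inventory check that follows from the advisory quoted in this thread, added here as an example and not part of any poster's message: it lists certificates in the local Windows certificate stores whose signature uses MD2, MD4 or MD5, so the CAs that issued them can be identified and contacted. The function name Get-WeakHashCertificate is hypothetical, and the code assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread). Get-WeakHashCertificate is a hypothetical name.
# PKCS #1 signature-algorithm OIDs that rely on MD2, MD4 or MD5.
$WeakSignatureOids = @{
    '1.2.840.113549.1.1.2' = 'md2WithRSAEncryption'
    '1.2.840.113549.1.1.3' = 'md4WithRSAEncryption'
    '1.2.840.113549.1.1.4' = 'md5WithRSAEncryption'
}

function Get-WeakHashCertificate {
    [CmdletBinding()]
    param(
        # Certificate provider paths to search; each is searched recursively.
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $bcType   = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    $now      = Get-Date

    Get-ChildItem -Path $StorePath -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # Skip the store containers; keep certificates signed with a weak hash.
            $_ -is $certType -and
            $WeakSignatureOids.ContainsKey($_.SignatureAlgorithm.Value)
        } |
        ForEach-Object {
            $cert = $_
            # Basic Constraints tells us whether this certificate can issue others.
            $bc = $cert.Extensions |
                Where-Object { $_ -is $bcType } |
                Select-Object -First 1

            [pscustomobject]@{
                Store              = ($cert.PSParentPath -split '::')[-1]
                Subject            = $cert.Subject
                Issuer             = $cert.Issuer
                SignatureAlgorithm = $WeakSignatureOids[$cert.SignatureAlgorithm.Value]
                # Subject equal to issuer: a self-issued certificate (typically a root).
                SelfIssued         = ($cert.Subject -eq $cert.Issuer)
                IsCA               = [bool]($bc -and $bc.CertificateAuthority)
                Expired            = ($cert.NotAfter -lt $now)
                NotAfter           = $cert.NotAfter
            }
        }
}

# A self-issued root is trusted because it is in the store, not because of the
# hash in its own signature, so the entries that matter are the certificates
# issued by another CA. Grouping those by issuer shows which CAs to ask about
# their signing algorithm.
Get-WeakHashCertificate |
    Where-Object { -not $_.SelfIssued -and -not $_.Expired } |
    Group-Object -Property Issuer |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```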
R: MS Server 2008 - Windows Server backup fails due to incorrect active volume
See MS KB 955687 and ask for relative hotfix (It will be included in SP2)

GuidoElia
HELPPC
RE: Win 2k8 Enterprise 240-day Eval Terminal Serivces licenses for 25 users.
Yes, the 2008 box will completely ignore CALS/licensing during the trial period. You get that familiar you have X days to configure a TS licensing server down in the task bar. During install our 2008 TS test setup detected our 2003 licensing server and said it didn't have any compatible licenses, but that didn't stop us from continuing the install and testing some of the sweet dt application serving and TS gateway functionality.

-troy
RE: Net framework 2.0 SP1
Google is your friend.

http://www.microsoft.com/downloads/details.aspx?familyid=0c1b0a88-59e2-4eba-a70e-4cd851c5fcc4&displaylang=en

***
John C. Kelsey
DuBois Regional Medical Center
Phone: 814.375.3073
Email: jckel...@drmc.org
***

-Original Message-
From: Craig Gauss [mailto:gau...@rhahealthcare.org]
Sent: Wednesday, December 31, 2008 11:41
To: NT System Admin Issues
Subject: Net framework 2.0 SP1

Does anyone know if this SP is available anywhere as an MSI?
RE: Net framework 2.0 SP1
Saw that one but it is only for Windows mobile

Craig Gauss, Technical Supervisor/Security Officer
Riverview Hospital Association
Phone: 715-423-6060 ext. 8572
RE: Net framework 2.0 SP1
Alrighty, how about this one?

http://www.microsoft.com/Downloads/details.aspx?familyid=79BC3B77-E02C-4AD3-AACF-A7633F706BA5&displaylang=en

***
John C. Kelsey
DuBois Regional Medical Center
Phone: 814.375.3073
Email: jckel...@drmc.org
***
RE: Net framework 2.0 SP1
nevermind..you said MSI and that's the .exe

***
John C. Kelsey
DuBois Regional Medical Center
Phone: 814.375.3073
Email: jckel...@drmc.org
***
RE: Net framework 2.0 SP1
http://www.microsoft.com/downloads/details.aspx?familyid=0c1b0a88-59e2-4eba-a70e-4cd851c5fcc4&displaylang=en

Don Guyer
Systems Engineer
Information Services
Prudential Fox Roach/ Trident
431 W. Lancaster Avenue
Devon, PA 19333
Ph: (610) 993-3299
Fax: (610) 650-5306
www.prufoxroach.com
don.gu...@prufoxroach.com
Re: Top 10 PowerShell scripts that VMware administrators should use
On that subject, I just did an intro presentation on PowerShell for my co-workers
http://www.blkmtn.org/introduction-to-powershell-slides

On Tue, Dec 30, 2008 at 10:13 PM, Sam Cayze sam.ca...@rollouts.com wrote:

Since we are praising powershell, I just came across this. Handy list!
http://www.virtual-strategy.com/Eric-Siebert-s-Top-10/Top-10-PowerShell-scripts-that-VMware-administrators-should-use.html

Sam
RE: Net framework 2.0 SP1
Oh yeah, my apologies. You could always take the EXE and package it up into an MSI. I'm guessing you want to push this through a GPO?

Don Guyer
Systems Engineer
Information Services
Prudential Fox Roach/ Trident
431 W. Lancaster Avenue
Devon, PA 19333
Ph: (610) 993-3299
Fax: (610) 650-5306
www.prufoxroach.com
don.gu...@prufoxroach.com

From: Craig Gauss [mailto:gau...@rhahealthcare.org]
Sent: Wednesday, December 31, 2008 12:01 PM
To: NT System Admin Issues
Subject: RE: Net framework 2.0 SP1

That is only for Windows mobile

Craig Gauss, Technical Supervisor/Security Officer
Riverview Hospital Association
Phone: 715-423-6060 ext. 8572
Re: Net framework 2.0 SP1
The EXE is a self extracting executable you can open with WinZip. The .msi is inside. I think you need to perform an administrative install (aka msiexec /a) before you can deploy it via GPO. The same goes for .NET Framework versions 3.0 and 3.5.

--
Phil Brutsche
p...@optimumdata.com
RE: Net framework 2.0 SP1
Thanks to everyone for looking. I think I found a satisfactory solution. We use ScriptLogic's desktop authority and I am using the Application Launcher elements to launch the install silently and asynchronously on login with the norestart switch. Has worked on the test machines I have tried it on.

Craig Gauss, Technical Supervisor/Security Officer
Riverview Hospital Association
Phone: 715-423-6060 ext. 8572
Strange Word template issue
Template was originally created in Word 2k3. The template can be opened in Word 2k3. I can't open it in Word 2k7. If it's changed to a document instead of a template, I can open it in Word 2k7. There's nothing odd about the template, it's just a memo template, with a company logo embedded, which is the only recent change to it.

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA 95814
(916) 327-5276
jhea...@etp.ca.gov
RE: Strange Word template issue
Take it one step further.

Change to template to doc.
Open in 2007
Save As Template
RE: Net framework 2.0 SP1
Thank you both. This is good info as we also use DA here.

Happy New Year!

Don Guyer
Systems Engineer
Information Services
Prudential Fox Roach/ Trident
431 W. Lancaster Avenue
Devon, PA 19333
Ph: (610) 993-3299
Fax: (610) 650-5306
www.prufoxroach.com
don.gu...@prufoxroach.com
LCD monitor vs LCD HDTV?
I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. JR mail2web.com Enhanced email for the mobile individual based on Microsoft® Exchange - http://link.mail2web.com/Personal/EnhancedEmail
Re: LCD monitor vs LCD HDTV?
I would double check the resolution the LCD is capable of. Beyond that, no reason not to. Not all LCD TVs support the resolution a same-size LCD flatpanel monitor will. jesse-r...@wi.rr.com wrote: I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. -- Phil Brutsche p...@optimumdata.com
RE: LCD monitor vs LCD HDTV?
Well I just got an email a little while ago about LCD 22 under $150, I don't think you can get a LCD HDTV for that, as a matter of fact I think they are almost twice that price. -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, December 31, 2008 12:58 PM To: NT System Admin Issues Subject: LCD monitor vs LCD HDTV? I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. JR
RE: LCD monitor vs LCD HDTV?
I could be wrong, but a 1080p HDTV is basically like a 1920x1080 monitor or a 720p is 1280x720 that you can't change the resolution on. I infer it from this: http://www.cnet.com/hdtv-resolution/ True A-V geeks will likely chime in here. The p vs i discussions remind me of the early SVGA days where some monitors were interlaced and other non-interlaced (non-interlaced being the better choice), nowadays we hear progressive instead of non-interlaced. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, December 31, 2008 10:58 AM To: NT System Admin Issues Subject: LCD monitor vs LCD HDTV? I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. JR
RE: LCD monitor vs LCD HDTV?
Funny you say this. I just bought a 22 LCD HDTV for my Daughter's room and was thinking that if/when she gets a computer in her room, the TV will double as a monitor. I have not hooked a computer up to it yet so I cannot comment on the quality yet. Don Guyer Systems Engineer Information Services Prudential Fox Roach/ Trident 431 W. Lancaster Avenue Devon, PA 19333 Ph: (610) 993-3299 Fax: (610) 650-5306 www.prufoxroach.com don.gu...@prufoxroach.com -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, December 31, 2008 1:58 PM To: NT System Admin Issues Subject: LCD monitor vs LCD HDTV? I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. JR
RE: LCD monitor vs LCD HDTV?
HDTV will support HDCP as well, which you'll want to get all the features of HD TV. A lot of the LCD monitors have HDMI in now, but won't give you the full benefits HDCP does. -Original Message- From: Phil Brutsche [mailto:p...@optimumdata.com] Sent: Wednesday, December 31, 2008 1:02 PM To: NT System Admin Issues Subject: Re: LCD monitor vs LCD HDTV? I would double check the resolution the LCD is capable of. Beyond that, no reason not to. Not all LCD TVs support the resolution a same-size LCD flatpanel monitor will. jesse-r...@wi.rr.com wrote: I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. -- Phil Brutsche p...@optimumdata.com
RE: Net framework 2.0 SP1
How are you liking it? I think we have been using it for about 1 1/2 years and I'm not sure I could work without it :) Craig Gauss, Technical Supervisor/Security Officer Riverview Hospital Association Phone: 715-423-6060 ext. 8572 -Original Message- From: Don Guyer [mailto:don.gu...@prufoxroach.com] Sent: Wednesday, December 31, 2008 12:20 PM To: NT System Admin Issues Subject: RE: Net framework 2.0 SP1 Thank you both. This is good info as we also use DA here. Happy New Year! Don Guyer Systems Engineer Information Services Prudential Fox Roach/ Trident 431 W. Lancaster Avenue Devon, PA 19333 Ph: (610) 993-3299 Fax: (610) 650-5306 www.prufoxroach.com don.gu...@prufoxroach.com -Original Message- From: Craig Gauss [mailto:gau...@rhahealthcare.org] Sent: Wednesday, December 31, 2008 12:27 PM To: NT System Admin Issues Subject: RE: Net framework 2.0 SP1 Thanks to everyone for looking. I think I found a satisfactory solution. We use ScriptLogic's desktop authority and I am using the Application Launcher elements to launch the install silently and asynchronously on login with the norestart switch. Has worked on the test machines I have tried it on. Craig Gauss, Technical Supervisor/Security Officer Riverview Hospital Association Phone: 715-423-6060 ext. 8572 -Original Message- From: Phil Brutsche [mailto:p...@optimumdata.com] Sent: Wednesday, December 31, 2008 11:12 AM To: NT System Admin Issues Subject: Re: Net framework 2.0 SP1 The EXE is a self extracting executable you can open with WinZip. The .msi is inside. I think you need to perform an administrative install (aka msiexec /a) before you can deploy it via GPO. The same goes for .NET Framework versions 3.0 and 3.5. Don Guyer wrote: Oh yeah, my apologies. You could always take the EXE and package it up into an MSI. I'm guessing you want to push this through a GPO? -- Phil Brutsche p...@optimumdata.com
RE: LCD monitor vs LCD HDTV?
Yeah everyone is right here... Resolution on the monitors is MUCH better. Night and day difference. Dell just had their 22 wide on sale for $140. -Original Message- From: David James [mailto:bigdadd...@gmail.com] Sent: Wednesday, December 31, 2008 1:14 PM To: NT System Admin Issues Subject: RE: LCD monitor vs LCD HDTV? HDTV will support HDCP as well, which you'll want to get all the features of HD TV. A lot of the LCD monitors have HDMI in now, but won't give you the full benefits HDCP does. -Original Message- From: Phil Brutsche [mailto:p...@optimumdata.com] Sent: Wednesday, December 31, 2008 1:02 PM To: NT System Admin Issues Subject: Re: LCD monitor vs LCD HDTV? I would double check the resolution the LCD is capable of. Beyond that, no reason not to. Not all LCD TVs support the resolution a same-size LCD flatpanel monitor will. jesse-r...@wi.rr.com wrote: I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. -- Phil Brutsche p...@optimumdata.com
RE: Strange Word template issue
That worked fine. So now we're having the person doing the changes to save the .doc that worked, as a template, then send that to us, to see if we can open it. The editor is using 2k3. Joe Heaton Employment Training Panel From: Martin Blackstone [mailto:mblackst...@gmail.com] Sent: Wednesday, December 31, 2008 10:21 AM To: NT System Admin Issues Subject: RE: Strange Word template issue Take it one step further. Change the template to doc. Open in 2007. Save As Template. From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Wednesday, December 31, 2008 10:17 AM To: NT System Admin Issues Subject: Strange Word template issue Template was originally created in Word 2k3. The template can be opened in Word 2k3. I can't open it in Word 2k7. If it's changed to a document instead of a template, I can open it in Word 2k7. There's nothing odd about the template, it's just a memo template, with a company logo embedded, which is the only recent change to it. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov
RE: Net framework 2.0 SP1
I just started using it earlier this year, when I started this job, so I haven't gotten my hands real dirty with it yet. Right now I'm only using it to pass settings for IE, desktop, etc. Don Guyer Systems Engineer Information Services Prudential Fox Roach/ Trident 431 W. Lancaster Avenue Devon, PA 19333 Ph: (610) 993-3299 Fax: (610) 650-5306 www.prufoxroach.com don.gu...@prufoxroach.com -Original Message- From: Craig Gauss [mailto:gau...@rhahealthcare.org] Sent: Wednesday, December 31, 2008 2:24 PM To: NT System Admin Issues Subject: RE: Net framework 2.0 SP1 How are you liking it? I think we have been using it for about 1 1/2 years and I'm not sure I could work without it :) Craig Gauss, Technical Supervisor/Security Officer Riverview Hospital Association Phone: 715-423-6060 ext. 8572 -Original Message- From: Don Guyer [mailto:don.gu...@prufoxroach.com] Sent: Wednesday, December 31, 2008 12:20 PM To: NT System Admin Issues Subject: RE: Net framework 2.0 SP1 Thank you both. This is good info as we also use DA here. Happy New Year! Don Guyer Systems Engineer Information Services Prudential Fox Roach/ Trident 431 W. Lancaster Avenue Devon, PA 19333 Ph: (610) 993-3299 Fax: (610) 650-5306 www.prufoxroach.com don.gu...@prufoxroach.com -Original Message- From: Craig Gauss [mailto:gau...@rhahealthcare.org] Sent: Wednesday, December 31, 2008 12:27 PM To: NT System Admin Issues Subject: RE: Net framework 2.0 SP1 Thanks to everyone for looking. I think I found a satisfactory solution. We use ScriptLogic's desktop authority and I am using the Application Launcher elements to launch the install silently and asynchronously on login with the norestart switch. Has worked on the test machines I have tried it on. Craig Gauss, Technical Supervisor/Security Officer Riverview Hospital Association Phone: 715-423-6060 ext. 8572 -Original Message- From: Phil Brutsche [mailto:p...@optimumdata.com] Sent: Wednesday, December 31, 2008 11:12 AM To: NT System Admin Issues Subject: Re: Net framework 2.0 SP1 The EXE is a self extracting executable you can open with WinZip. The .msi is inside. I think you need to perform an administrative install (aka msiexec /a) before you can deploy it via GPO. The same goes for .NET Framework versions 3.0 and 3.5. Don Guyer wrote: Oh yeah, my apologies. You could always take the EXE and package it up into an MSI. I'm guessing you want to push this through a GPO? -- Phil Brutsche p...@optimumdata.com
RE: LCD monitor vs LCD HDTV?
I can run my ps3 1080p over the HDMI input, but when I hook up the PC over HDMI it only goes to 1366 x 768. Computer resolution and HD resolutions are different somehow, I've never quite understood why a 1080p tv won't do 1920 x 1080. Maybe someone else has done that and can tell me how, I'd love to put my 32 HDTV on my desk, I just can't take the lower resolution. -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Wednesday, December 31, 2008 1:06 PM To: NT System Admin Issues Subject: RE: LCD monitor vs LCD HDTV? I could be wrong, but a 1080p HDTV is basically like a 1920x1080 monitor or a 720p is 1280x720 that you can't change the resolution on. I infer it from this: http://www.cnet.com/hdtv-resolution/ True A-V geeks will likely chime in here. The p vs i discussions remind me of the early SVGA days where some monitors were interlaced and other non-interlaced (non-interlaced being the better choice), nowadays we hear progressive instead of non-interlaced. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, December 31, 2008 10:58 AM To: NT System Admin Issues Subject: LCD monitor vs LCD HDTV? I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. JR
RE: LCD monitor vs LCD HDTV?
The Insignia LCD-HDTV I'm looking at (22 720p) says it does 1650x1050. Any reason this wouldn't be as good as a regular old LCD panel that does 1650x1050? Original Message: - From: David James bigdadd...@gmail.com Date: Wed, 31 Dec 2008 13:55:28 -0600 To: ntsysadmin@lyris.sunbelt-software.com Subject: RE: LCD monitor vs LCD HDTV? I can run my ps3 1080p over the HDMI input, but when I hook up the PC over HDMI it only goes to 1366 x 768. Computer resolution and HD resolutions are different somehow, I've never quite understood why a 1080p tv won't do 1920 x 1080. Maybe someone else has done that and can tell me how, I'd love to put my 32 HDTV on my desk, I just can't take the lower resolution. -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Wednesday, December 31, 2008 1:06 PM To: NT System Admin Issues Subject: RE: LCD monitor vs LCD HDTV? I could be wrong, but a 1080p HDTV is basically like a 1920x1080 monitor or a 720p is 1280x720 that you can't change the resolution on. I infer it from this: http://www.cnet.com/hdtv-resolution/ True A-V geeks will likely chime in here. The p vs i discussions remind me of the early SVGA days where some monitors were interlaced and other non-interlaced (non-interlaced being the better choice), nowadays we hear progressive instead of non-interlaced. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, December 31, 2008 10:58 AM To: NT System Admin Issues Subject: LCD monitor vs LCD HDTV? I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. JR mail2web.com - Microsoft® Exchange solutions from a leading provider - http://link.mail2web.com/Business/Exchange
gpupdate/GPO
All, I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and then reboot or logoff. Obviously, this is not really desired. Does anyone know why this would be happening, and how I can solve it? A GPO should be applied appropriately, without me mandating a forced update and reboot. Thanks, Jason
Re: LCD monitor vs LCD HDTV?
My Samsung 46 LCD does 1920X1080P just fine with my laptop hooked up to the back of it using a DVI connection. Perhaps your tv isn't what the marketing geniuses now call True HD. True HD televisions support 1920X1080P resolution over either DVI or HDMI. If you're using a VGA cable good luck - I've had nothing but bad experiences trying to go above 1024X768 using a VGA connection. For a living room, 1920X1080P works great for a PC screen resolution - but if you're talking about putting it on your desk, I agree that one is better off with a LCD monitor. On Wed, Dec 31, 2008 at 2:55 PM, David James bigdadd...@gmail.com wrote: I can run my ps3 1080p over the HDMI input, but when I hook up the PC over HDMI it only goes to 1366 x 768. Computer resolution and HD resolutions are different somehow, I've never quite understood why a 1080p tv won't do 1920 x 1080. Maybe someone else has done that and can tell me how, I'd love to put my 32 HDTV on my desk, I just can't take the lower resolution. -Original Message- From: David Lum [mailto:david@nwea.org] Sent: Wednesday, December 31, 2008 1:06 PM To: NT System Admin Issues Subject: RE: LCD monitor vs LCD HDTV? I could be wrong, but a 1080p HDTV is basically like a 1920x1080 monitor or a 720p is 1280x720 that you can't change the resolution on. I infer it from this: http://www.cnet.com/hdtv-resolution/ True A-V geeks will likely chime in here. The p vs i discussions remind me of the early SVGA days where some monitors were interlaced and other non-interlaced (non-interlaced being the better choice), nowadays we hear progressive instead of non-interlaced. David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: jesse-r...@wi.rr.com [mailto:jesse-r...@wi.rr.com] Sent: Wednesday, December 31, 2008 10:58 AM To: NT System Admin Issues Subject: LCD monitor vs LCD HDTV? I was looking to replace my aging 14 tube monitor with an LCD monitor. However, it seems like, for the price of a 22 LCD flatpanel monitor, I can get a 22 LCD HDTV which includes a tv tuner. So is there any reason to buy a LCD flatpanel monitor? The prices are about the same for a LCD monitor vs LCD HDTV. Thoughts? Feel free to msg off-list if this is considered OT. JR
RE: gpupdate/GPO
On occasion it takes 2 reboot cycles for GPO's to be applied. You can help mitigate that by making the computer wait for network on startup under the computer section, System/Group Policy ADM's. Some computers do not get the NIC started before GP settings would be applied hence requiring a 2nd reboot to get the gp settings to take effect. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:07 PM To: NT System Admin Issues Subject: gpupdate/GPO All, I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and then reboot or logoff. Obviously, this is not really desired. Does anyone know why this would be happening, and how I can solve it? A GPO should be applied appropriately, without me mandating a forced update and reboot. Thanks, Jason
RE: gpupdate/GPO
Wouldn't that group policy not get applied under that theory though? Or any new GP at all? Furthermore, the GPO should be reset every 15 minutes, however some settings are not actually applied until the force+reboot. From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:16 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO On occasion it takes 2 reboot cycles for GPO's to be applied. You can help mitigate that by making the computer wait for network on startup under the computer section, System/Group Policy ADM's. Some computers do not get the NIC started before GP settings would be applied hence requiring a 2nd reboot to get the gp settings to take effect. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:07 PM To: NT System Admin Issues Subject: gpupdate/GPO All, I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and then reboot or logoff. Obviously, this is not really desired. Does anyone know why this would be happening, and how I can solve it? A GPO should be applied appropriately, without me mandating a forced update and reboot. Thanks, Jason
RE: gpupdate/GPO
Not all GPO's are applied in a background refresh. Many do require a reboot to take effect, Offline files being one for example. The GPO would not apply in the initial reboot because the computer does not get the update since the NIC has not come active yet. Then it pulls down the update and it requires a 2nd reboot to actually make the changes happen. We pretty much now only require a reboot to make all our GPO's take effect when enabling the Wait on Network option. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:19 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO Wouldn't that group policy not get applied under that theory though? Or any new GP at all? Furthermore, the GPO should be reset every 15 minutes, however some settings are not actually applied until the force+reboot. From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:16 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO On occasion it takes 2 reboot cycles for GPO's to be applied. You can help mitigate that by making the computer wait for network on startup under the computer section, System/Group Policy ADM's. Some computers do not get the NIC started before GP settings would be applied hence requiring a 2nd reboot to get the gp settings to take effect. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:07 PM To: NT System Admin Issues Subject: gpupdate/GPO All, I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and then reboot or logoff. Obviously, this is not really desired. Does anyone know why this would be happening, and how I can solve it? A GPO should be applied appropriately, without me mandating a forced update and reboot. Thanks, Jason
RE: gpupdate/GPO
When you say the NIC has not come active are you talking about the PC/drivers, etc.. or are you talking about the time it might take the switch to bring the link up? I know some switches take longer than XP to boot due to STP. If it's the latter, it can be mitigated with switch config changes. If it's the prior, then you're right. I will need to employ some other trickiness.. which I should have ready to go anyway. Thanks! From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:26 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO Not all GPO's are applied in a background refresh. Many do require a reboot to take effect, Offline files being one for example. The GPO would not apply in the initial reboot because the computer does not get the update since the NIC has not come active yet. Then it pulls down the update and it requires a 2nd reboot to actually make the changes happen. We pretty much now only require a reboot to make all our GPO's take effect when enabling the Wait on Network option. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:19 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO Wouldn't that group policy not get applied under that theory though? Or any new GP at all? Furthermore, the GPO should be reset every 15 minutes, however some settings are not actually applied until the force+reboot. From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:16 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO On occasion it takes 2 reboot cycles for GPO's to be applied. You can help mitigate that by making the computer wait for network on startup under the computer section, System/Group Policy ADM's. Some computers do not get the NIC started before GP settings would be applied hence requiring a 2nd reboot to get the gp settings to take effect. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:07 PM To: NT System Admin Issues Subject: gpupdate/GPO All, I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and then reboot or logoff. Obviously, this is not really desired. Does anyone know why this would be happening, and how I can solve it? A GPO should be applied appropriately, without me mandating a forced update and reboot. Thanks, Jason
Re: Hackers create rogue CA certificate using MD5 collisions
On Wed, Dec 31, 2008 at 11:13 AM, David Lum david@nwea.org wrote: Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method. I thought the idea was that an attacker would forge a certificate, with info matching an existing certificate, but using a private key of their own, and then set their fleet of PlayStation 3's to work to come up with an MD5 collision, so they could use the signature from a real certificate to sign their forgery. Or something like that. So not only does this affect already-issued certificates, it depends on them. Or am I misunderstanding? Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. But as long as browsers still accept the older certificates, they'd still be vulnerable, right? -- Ben
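The audit implied by the question above (which certificates in a chain still depend on an MD5 signature), as an added example that is not part of the original thread: a standard-library Python parser that reads the signatureAlgorithm OID out of DER-encoded certificates and separates self-issued roots from certificates that an issuer vouched for with MD5. The sample chain, its names and the `ok`/`review`/`reject` labels are constructed for illustration.

```python
"""Audit DER-encoded X.509 certificates for MD2/MD5-based signatures (stdlib only)."""

SIG_ALGS = {  # signature algorithm OIDs from PKCS #1
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md2WithRSAEncryption", "md5WithRSAEncryption"}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: one length byte
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, pos, pos + length


def children(buf):
    """Return the raw child elements of the constructed DER element in buf."""
    _, pos, end = read_tlv(buf, 0)
    out = []
    while pos < end:
        _, _, value_end = read_tlv(buf, pos)
        out.append(buf[pos:value_end])
        pos = value_end
    return out


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first_arc = min(subids[0] // 40, 2)
    return ".".join(map(str, [first_arc, subids[0] - 40 * first_arc] + subids[1:]))


def inspect_cert(cert):
    """Return the outer signature algorithm and whether issuer == subject."""
    if cert[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    top = children(cert)                   # tbsCertificate, signatureAlgorithm, signature
    if len(top) != 3:
        raise ValueError("not an X.509 Certificate structure")
    tag, start, end = read_tlv(children(top[1])[0], 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = decode_oid(children(top[1])[0][start:end])
    fields = children(top[0])
    if fields and fields[0][0] == 0xA0:    # optional [0] version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    issuer, subject = fields[2], fields[4]  # after serialNumber and signature
    return {"algorithm": SIG_ALGS.get(oid, oid), "self_issued": issuer == subject}


def audit(chain):
    """Classify each (label, der_bytes) pair as ok, review or reject."""
    findings = []
    for label, cert in chain:
        info = inspect_cert(cert)
        if info["algorithm"] not in WEAK:
            verdict = "ok"
        elif info["self_issued"]:
            verdict = "review"   # a root is trusted by store membership, not by its own signature
        else:
            verdict = "reject"   # an issuer's MD5 signature is what vouches for this certificate
        findings.append((label, info["algorithm"], verdict))
    return findings


# --- Constructed sample input: DER skeletons with X.509 layout, not real certificates ---
def der(tag, body):
    n = len(body)
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + \
        n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + hdr + body


def sample_cert(sig_oid_hex, issuer, subject):
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"080101000000Z") + der(0x17, b"100101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg +
              name(issuer) + validity + name(subject) + der(0x30, b""))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))


MD5_RSA, SHA1_RSA = "2a864886f70d010104", "2a864886f70d010105"
SAMPLE_CHAIN = [
    ("root", sample_cert(MD5_RSA, "Example Root", "Example Root")),
    ("intermediate", sample_cert(SHA1_RSA, "Example Root", "Example Issuing CA")),
    ("leaf", sample_cert(MD5_RSA, "Example Issuing CA", "www.example.test")),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_CHAIN):
        print("%-12s %-24s %s" % row)
```

To run it against real certificates, pass DER bytes (for example the base64-decoded body of a PEM file) to `inspect_cert`.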
RE: gpupdate/GPO
I would think IE settings wouldn't need a reboot... Many programs can try to adjust IE settings. AV programs, Spybot, Desktop Search, etc... could anything be overwriting the settings you are trying to adjust? From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 2:29 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO When you say the NIC has not come active are you talking about the PC/drivers, etc.. or are you talking about the time it might take the switch to bring the link up? I know some switches take longer than XP to boot due to STP. If it's the latter, it can be mitigated with switch config changes. If it's the prior, then you're right. I will need to employ some other trickiness.. which I should have ready to go anyway. Thanks! From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:26 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO Not all GPO's are applied in a background refresh. Many do require a reboot to take effect, Offline files being one for example. The GPO would not apply in the initial reboot because the computer does not get the update since the NIC has not come active yet. Then it pulls down the update and it requires a 2nd reboot to actually make the changes happen. We pretty much now only require a reboot to make all our GPO's take effect when enabling the Wait on Network option. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:19 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO Wouldn't that group policy not get applied under that theory though? Or any new GP at all? Furthermore, the GPO should be reset every 15 minutes, however some settings are not actually applied until the force+reboot. 
From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:16 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO On occasion it takes 2 reboot cycles for GPO's to be applied. You can help mitigate that by making the computer wait for network on startup under the computer section, System/Group Policy ADM's. Some computers do not get the NIC started before GP settings would be applied hence requiring a 2nd reboot to get the gp settings to take effect. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:07 PM To: NT System Admin Issues Subject: gpupdate/GPO All, I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and the reboot or logoff. Obviously, this is not really desired. Does anyone know why this would be happening, and how I can solve it? A GPO should be applied appropriately, without me mandating a forced update and reboot. Thanks, Jason
RE: gpupdate/GPO
I can't say no.. but I don't know what would. I can open the registry editor, run a gpupdate /force and the changes are not there. So, I base it off that fact alone. This is just proxy/autoconfig settings too.. nothing fancy at all. From: Sam Cayze [mailto:sam.ca...@rollouts.com] Sent: Wednesday, December 31, 2008 4:13 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO I would think IE settings wouldn't need a reboot... Many programs can try to adjust IE settings. AV programs, Spybot, Desktop Search, etc... could anything be overwriting the settings you are trying to adjust? From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 2:29 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO When you say the NIC has not come active are you talking about the PC/drivers, etc.. or are you talking about the time it might take the switch to bring the link up? I know some switches take longer than XP to boot due to STP. If it's the latter, it can be mitigated with switch config changes. If it's the prior, then you're right. I will need to employ some other trickiness.. which I should have ready to go anyway. Thanks! From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:26 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO Not all GPO's are applied in a background refresh. Many do require a reboot to take effect, Offline files being one for example. The GPO would not apply in the initial reboot because the computer does not get the update since the NIC has not come active yet. Then it pulls down the update and it requires a 2nd reboot to actually make the changes happen. We pretty much now only require a reboot to make all our GPO's take effect when enabling the Wait on Network option. 
From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:19 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO Wouldn't that group policy not get applied under that theory though? Or any new GP at all? Furthermore, the GPO should be reset every 15 minutes, however some settings are not actually applied until the force+reboot. From: gswe...@actsconsulting.net [mailto:gswe...@actsconsulting.net] Sent: Wednesday, December 31, 2008 3:16 PM To: NT System Admin Issues Subject: RE: gpupdate/GPO On occasion it takes 2 reboot cycles for GPO's to be applied. You can help mitigate that by making the computer wait for network on startup under the computer section, System/Group Policy ADM's. Some computers do not get the NIC started before GP settings would be applied hence requiring a 2nd reboot to get the gp settings to take effect. From: Jason Gauthier [mailto:jgauth...@lastar.com] Sent: Wednesday, December 31, 2008 3:07 PM To: NT System Admin Issues Subject: gpupdate/GPO All, I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and the reboot or logoff. Obviously, this is not really desired. Does anyone know why this would be happening, and how I can solve it? A GPO should be applied appropriately, without me mandating a forced update and reboot. Thanks, Jason
Re: gpupdate/GPO
On Wed, Dec 31, 2008 at 3:07 PM, Jason Gauthier jgauth...@lastar.com wrote: I have one, or many, GPOs that are not apparently being applied on workstations. Through some testing, I have specifically found that IE settings are not really taking effect. That is, until, I manually run a gpupdate /force, and the reboot or logoff. GPO application can be tricky. Some[1] computer settings can only get applied during startup processing. If a GPO update comes in while the computer is running, it won't take effect until the next boot, when startup processing runs again. If you make a GPO modification, it will get posted to one DC by {DSA,GPMC,GPEDIT,.MSC}. You may then have to wait various amounts of time for that change to get replicated to all your other DCs. If a workstation happens to pick one of those other DCs during its boot, before replication is finished, the startup processing won't even see the change until the next reboot. Normal startup processing frequently needs multiple passes for a GPO to work, i.e., two (re)boots. The first time, it sees the update GPO, and gets the settings, but can't apply them until the next (re)boot for some reason. (Microsoft sure does love 'dem reboots.) You can help reduce the need for multiple reboots by setting the various GPO startup options for synchronous and foreground policy/script processing. This serializes everything during the boot process, instead of the fire-and-forget scenario Windows defaults to. Makes debugging easier, too. I suggest this as a best practice. There is some GPO stuff which only gets processed the first time a GPO is applied on a computer. You have to do a GPUPDATE /FORCE for it to be re-processed. For example, we get some service control permissions in one of our GPOs. If the service in question doesn't exist when the GPO is first applied, too bad. If the service later gets installed, it won't get the custom control permissions until we GPUPDATE /FORCE it.
== Footnotes == [1] Or maybe it's actually all computer settings. I forget. I've been assuming all for years, since all you need is the one you care about, and the details were not well-documented when AD came out. Maybe things have become clearer since then. -- Ben
Re: LCD monitor vs LCD HDTV?
On Wed, Dec 31, 2008 at 2:55 PM, David James bigdadd...@gmail.com wrote: I've never quite understood why a 1080p tv won't do 1920 x 1080. From what I've read: In theory, a TV is just a display monitor with a built-in tuner. But in practice, there can be hidden differences in what the tuning and signal processing electronics can handle. In ATSC, there's no definition for 1080p (1920x1080 progressive). 1080i (interlaced) is the highest they go. So a TV claiming 1080p is claiming something that isn't defined in the TV standards. In some cases, apparently this is a pure marketing gimmick: They're referring to the fact the actual display panel always draws all lines, so it's progressive, even though the signal input electronics don't have the capability of processing a 1080p signal. I imagine some TVs actually can accept a 1920x1080 progressive signal from a computer. The specs should say exactly what modes it supports. If they don't, don't count on them. There's also all the other specs that might matter, like brightness, contrast ratio, pixel refresh speed, pixel pitch, and so on. I know it used to be that monitors intended for TV were much inferior to monitors intended for use with a computer in this regard. So check those specs carefully. Caveat emptor. (ATSC = Advanced Television Standards Committee, which defined most of the digital TV and high-def TV stuff for the US.) (Progressive/interlace: Progressive means drawing every pixel line for every vertical refresh. Interlaced draws all the even lines in one refresh, all the odd lines the next. In the days of the original NTSC tube TVs, this meant less bandwidth (you only had to send half the lines per unit of time), and less expensive electronics, since the beam sweeping the tube didn't have to move as fast. With digital flat panels, there's no beam sweep, so it's always doing *something* for all pixels. 
But if the signal feeding it is interlace, there's no data for half the lines, so it either uses the last field, or fills in black, or interpolates, or otherwise makes up data.) -- Ben
RE: LCD monitor vs LCD HDTV?
Good info Ben. OP: You could get the LCD monitor, and add a $30 dollar TV tuner to your PC, making it into a TV?!!? -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Wednesday, December 31, 2008 3:37 PM To: NT System Admin Issues Subject: Re: LCD monitor vs LCD HDTV? On Wed, Dec 31, 2008 at 2:55 PM, David James bigdadd...@gmail.com wrote: I've never quite understood why a 1080p tv won't do 1920 x 1080. From what I've read: In theory, a TV is just a display monitor with a built-in tuner. But in practice, there can be hidden differences in what the tuning and signal processing electronics can handle. In ATSC, there's no definition for 1080p (1920x1080 progressive). 1080i (interlaced) is the highest they go. So a TV claiming 1080p is claiming something that isn't defined in the TV standards. In some cases, apparently this is a pure marketing gimmick: They're referring to the fact the actual display panel always draws all lines, so it's progressive, even though the signal input electronics don't have the capability of processing a 1080p signal. I imagine some TVs actually can accept a 1920x1080 progressive signal from a computer. The specs should say exactly what modes it supports. If they don't, don't count on them. There's also all the other specs that might matter, like brightness, contrast ratio, pixel refresh speed, pixel pitch, and so on. I know it used to be that monitors intended for TV were much inferior to monitors intended for use with a computer in this regard. So check those specs carefully. Caveat emptor. (ATSC = Advanced Television Standards Committee, which defined most of the digital TV and high-def TV stuff for the US.) (Progressive/interlace: Progressive means drawing every pixel line for every vertical refresh. Interlaced draws all the even lines in one refresh, all the odd lines the next. 
In the days of the original NTSC tube TVs, this meant less bandwidth (you only had to send half the lines per unit of time), and less expensive electronics, since the beam sweeping the tube didn't have to move as fast. With digital flat panels, there's no beam sweep, so it's always doing *something* for all pixels. But if the signal feeding it is interlace, there's no data for half the lines, so it either uses the last field, or fills in black, or interpolates, or otherwise makes up data.) -- Ben
OT: Selling servers
Hello, We are looking at migrating to an all blade environment and have some 1yr old Dell 1950s with Gold support. Has anyone sold off old servers that are still under warranty? Any recommendations on how to do it; eBay or reseller? Any suggestions are appreciated Thanks and Happy New Year Travis
RE: Selling servers
I have sold Dell equipment before on eBay. There is a warranty transfer site (see link) http://support.dell.com/support/topics/global.aspx/support/change_order/en/tag_transfer From: Travis Robinson [mailto:travis.robin...@octanner.com] Sent: Wednesday, December 31, 2008 4:59 PM To: NT System Admin Issues Subject: OT: Selling servers Hello, We are looking at migrating to an all blade environment and have some 1yr old Dell 1950s with Gold support. Has anyone sold off old servers that are still under warranty? Any recommendations on how to do it; eBay or reseller? Any suggestions are appreciated Thanks and Happy New Year Travis
RE: Hackers create rogue CA certificate using MD5 collisions
If the PS3 guys can crack an MD5 encrypted root certificate, they can create their own CA that looks like a trusted authority and in turn the CA can issue certificates that appear to be from that fake trusted authority. If a public CA has a root cert that is encrypted with SHA1 they aren't susceptible (yet) to having their certs faked. Faked certs could be used to make false websites look secure or genuine, could be used to deploy software that appears to be from a trusted vendor, or could be used to gain access to services/systems authenticated through public certs. Hopefully this will be a kick in the rear to CAs using MD5. If you run a site or service that uses certs from CAs like Equifax, Thawte, or GTE (all have at least one valid CA with a root cert encrypted with MD5), check your cert and the encryption of the signature at the top of the certificate path. If your root cert was encrypted with MD5, I would get your CA on the phone and have a conversation about possible risks. -troy -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Wednesday, December 31, 2008 1:06 PM To: NT System Admin Issues Subject: Re: Hackers create rogue CA certificate using MD5 collisions On Wed, Dec 31, 2008 at 11:13 AM, David Lum david@nwea.org wrote: Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method. I thought the idea was that an attacker would forge a certificate, with info matching an existing certificate, but using a private key of their own, and then set their fleet of PlayStation 3's to work to come up with an MD5 collision, so they could use the signature from a real certificate to sign their forgery. Or something like that. So not only does this affect already-issued certificates, it depends on them. Or am I misunderstanding? 
Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. But as long as browsers still accept the older certificates, they'd still be vulnerable, right? -- Ben
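The check suggested in the message above, reading the signature algorithm off each certificate in a path, written out as an added example that is not part of the original thread or of any CA's tooling. It uses only the Python standard library to pull the signature-algorithm OID out of DER or PEM certificates and flag MD2/MD5; the function names are hypothetical, and the sample chain is constructed from certificate-shaped DER skeletons, not real certificates.

```python
import base64

# Signature-algorithm OIDs from PKCS #1; True marks a collision-broken hash.
# (SHA-1 has since been retired for certificate signing as well.)
SIG_ALGS = {
    "1.2.840.113549.1.1.2": ("md2WithRSAEncryption", True),
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n octets hold it
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element overruns the buffer")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:              # high bit clear ends one arc
            arcs.append(value)
            value = 0
    root = min(arcs[0] // 40, 2)          # first value packs the top two arcs
    return ".".join(map(str, [root, arcs[0] - 40 * root] + arcs[1:]))

def algorithm_oid(buf, pos):
    """Read the AlgorithmIdentifier at pos; return (dotted_oid, next_pos)."""
    tag, start, end = read_tlv(buf, pos)
    oid_tag, oid_start, oid_end = read_tlv(buf, start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    return decode_oid(buf[oid_start:oid_end]), end

def signature_oids(cert_der):
    """Return (outer, inner) signature-algorithm OIDs of one certificate."""
    tag, start, _ = read_tlv(cert_der, 0)              # Certificate
    tbs_tag, pos, tbs_end = read_tlv(cert_der, start)  # tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    outer, _ = algorithm_oid(cert_der, tbs_end)        # signatureAlgorithm
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                    # optional [0] version
        tag, _, end = read_tlv(cert_der, end)
    if tag != 0x02:
        raise ValueError("serialNumber not found")
    inner, _ = algorithm_oid(cert_der, end)            # tbsCertificate.signature
    return outer, inner

def pem_to_der(pem_text):
    """Strip the PEM armour from one certificate and return its DER bytes."""
    lines = pem_text.splitlines()
    return base64.b64decode("".join(s.strip() for s in lines if "-----" not in s))

def audit_chain(chain):
    """chain: list of (label, der_bytes); one finding dict per certificate."""
    findings = []
    for label, der in chain:
        outer, inner = signature_oids(der)
        name, weak = SIG_ALGS.get(outer, (outer, False))
        findings.append({"cert": label, "algorithm": name, "weak_hash": weak,
                         "fields_match": outer == inner})
    return findings

# Constructed sample input: DER skeletons shaped like certificates. Only the
# fields the parser reads are meaningful; keys and signatures are zero bytes.
def tlv(tag, content):
    n = len(content)
    octets = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = octets if n < 0x80 else bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + head + content

def skeleton_cert(outer_hex, inner_hex=None):
    """Build a skeleton whose two signature fields carry the given OIDs."""
    def alg(oid_hex):
        return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01")
              + alg(inner_hex or outer_hex) + tlv(0x04, bytes(200)))
    return tlv(0x30, tbs + alg(outer_hex) + tlv(0x03, bytes(17)))

MD5_RSA, SHA1_RSA = "2a864886f70d010104", "2a864886f70d010105"
SAMPLE_CHAIN = [(name, skeleton_cert(oid)) for name, oid in
                (("leaf", MD5_RSA), ("intermediate", SHA1_RSA), ("root", SHA1_RSA))]
```

For real input, pass `pem_to_der(...)` of each certificate in the path to `audit_chain`. The `fields_match` flag reports whether the algorithm inside the signed portion agrees with the outer one, which a well-formed certificate always does.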
RE: Selling servers
Unless you can transfer the warranty or ownership on the manufacturer's site like Bob says below, you probably want to get with a reseller that can handle lifecycle management in order to address the following: 1. Indemnification of improper use and disposal of equipment - if you sell or donate equipment without legal indemnification you can be liable if those serial numbers show up in a landfill or are used in committing some kind of crime. (Once it leaves your hands you just never know.) A reseller can provide all of the necessary protective services and handle brokering your usable equipment to someone else, and you get the money less the fee. It costs you money instead of time, but all the bases are covered. In California the fine for throwing a PC in the landfill is so high you won't believe me unless you Google it and look it up, but they are the highest. Sometimes you can even go to jail depending on what regulations your industry is required to obey. Other states have big fines too, like MA, MD, ME, NJ, and WA. 2. Not destroying the drives by shredding or degaussing and DOD overwriting - there are lots of ways even damaged drives can have information taken from them. Protect yourself at all times and know what the applicable laws are. From: Bob Fronk [mailto:b...@btrfronk.com] Sent: Wednesday, December 31, 2008 2:04 PM To: NT System Admin Issues Subject: RE: Selling servers I have sold Dell equipment before on eBay. There is a warranty transfer site (see link) http://support.dell.com/support/topics/global.aspx/support/change_order/en/tag_transfer From: Travis Robinson [mailto:travis.robin...@octanner.com] Sent: Wednesday, December 31, 2008 4:59 PM To: NT System Admin Issues Subject: OT: Selling servers Hello, We are looking at migrating to an all blade environment and have some 1yr old Dell 1950s with Gold support. Has anyone sold off old servers that are still under warranty? Any recommendations on how to do it; eBay or reseller?
Any suggestions are appreciated Thanks and Happy New Year Travis
RE: Selling servers
All that is required is a signed copy of the bill of sale or an invoice. Just like any other piece of merchandise. S From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] Sent: Wednesday, December 31, 2008 6:33 PM To: NT System Admin Issues Subject: RE: Selling servers Unless you can transfer the warranty or ownership on the manufacturer's site like Bob says below, you probably want to get with a reseller that can handle lifecycle management in order to address the following: 1. Indemnification of improper use and disposal of equipment - if you sell or donate equipment without legal indemnification you can be liable if those serial numbers show up in a landfill or are used in committing some kind of crime. (Once it leaves your hands you just never know.) A reseller can provide all of the necessary protective services and handle brokering your usable equipment to someone else, and you get the money less the fee. It costs you money instead of time, but all the bases are covered. In California the fine for throwing a PC in the landfill is so high you won't believe me unless you Google it and look it up, but they are the highest. Sometimes you can even go to jail depending on what regulations your industry is required to obey. Other states have big fines too, like MA, MD, ME, NJ, and WA. 2. Not destroying the drives by shredding or degaussing and DOD overwriting - there are lots of ways even damaged drives can have information taken from them. Protect yourself at all times and know what the applicable laws are. From: Bob Fronk [mailto:b...@btrfronk.com] Sent: Wednesday, December 31, 2008 2:04 PM To: NT System Admin Issues Subject: RE: Selling servers I have sold Dell equipment before on eBay.
There is a warranty transfer site (see link) http://support.dell.com/support/topics/global.aspx/support/change_order/en/tag_transfer From: Travis Robinson [mailto:travis.robin...@octanner.com] Sent: Wednesday, December 31, 2008 4:59 PM To: NT System Admin Issues Subject: OT: Selling servers Hello, We are looking at migrating to an all blade environment and have some 1yr old Dell 1950s with Gold support. Has anyone sold off old servers that are still under warranty? Any recommendations on how to do it; eBay or reseller? Any suggestions are appreciated Thanks and Happy New Year Travis
Re: Hackers create rogue CA certificate using MD5 collisions
Add GeoTrust aka Equifax Secure Global eBusiness CA-1 On Wed, Dec 31, 2008 at 2:19 PM, David Lum david@nwea.org wrote: The report itself (http://www.win.tue.nl/hashclash/rogue-ca/#sec5) listed six CA's that issued MD5 certs in 2008:
- RapidSSL: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
- FreeSSL (free trial certificates offered by RapidSSL): C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Network Applications
- TC TrustCenter AG: C=DE, ST=Hamburg, L=Hamburg, O=TC TrustCenter for Security in Data Networks GmbH, OU=TC TrustCenter Class 3 CA/emailaddress=certific...@trustcenter.de
- RSA Data Security: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
- Thawte: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailaddress=premium-ser...@thawte.com
- verisign.co.jp: O=VeriSign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
David Lum // SYSTEMS ENGINEER NORTHWEST EVALUATION ASSOCIATION (Desk) 971.222.1025 // (Cell) 503.267.9764 -Original Message- From: Troy Meyer [mailto:troy.me...@monacocoach.com] Sent: Wednesday, December 31, 2008 2:09 PM To: NT System Admin Issues Subject: RE: Hackers create rogue CA certificate using MD5 collisions If the PS3 guys can crack an MD5 encrypted root certificate, they can create their own CA that looks like a trusted authority and in turn the CA can issue certificates that appear to be from that fake trusted authority. If a public CA has a root cert that is encrypted with SHA1 they aren't susceptible (yet) to having their certs faked. Faked certs could be used to make false websites look secure or genuine, could be used to deploy software that appears to be from a trusted vendor, or could be used to gain access to services/systems authenticated through public certs.
Hopefully this will be a kick in the rear to CAs using MD5. If you run a site or service that uses certs from CAs like Equifax, Thawte, or GTE (all have at least one valid CA with a root cert encrypted with MD5), check your cert and the encryption of the signature at the top of the certificate path. If your root cert was encrypted with MD5, I would get your CA on the phone and have a conversation about possible risks. -troy -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Wednesday, December 31, 2008 1:06 PM To: NT System Admin Issues Subject: Re: Hackers create rogue CA certificate using MD5 collisions On Wed, Dec 31, 2008 at 11:13 AM, David Lum david@nwea.org wrote: Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method. I thought the idea was that an attacker would forge a certificate, with info matching an existing certificate, but using a private key of their own, and then set their fleet of PlayStation 3's to work to come up with an MD5 collision, so they could use the signature from a real certificate to sign their forgery. Or something like that. So not only does this affect already-issued certificates, it depends on them. Or am I misunderstanding? Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. But as long as browsers still accept the older certificates, they'd still be vulnerable, right? -- Ben
RE: Selling servers
Would that cover indemnification as well? I never really thought about this until it came up in this thread... We have a mini storage full of equipment that we are getting rid of. From: NTSysAdmin [mailto:ntsysad...@optimum.bm] Sent: Wednesday, December 31, 2008 4:48 PM To: NT System Admin Issues Subject: RE: Selling servers All that is required is a signed copy of the bill of sale or an invoice. Just like any other piece of merchandise. S From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] Sent: Wednesday, December 31, 2008 6:33 PM To: NT System Admin Issues Subject: RE: Selling servers Unless you can transfer the warranty or ownership on the manufacturer's site like Bob says below, you probably want to get with a reseller that can handle lifecycle management in order to address the following: 1. Indemnification of improper use and disposal of equipment - if you sell or donate equipment without legal indemnification you can be liable if those serial numbers show up in a landfill or are used in committing some kind of crime. (Once it leaves your hands you just never know.) A reseller can provide all of the necessary protective services and handle brokering your usable equipment to someone else, and you get the money less the fee. It costs you money instead of time, but all the bases are covered. In California the fine for throwing a PC in the landfill is so high you won't believe me unless you Google it and look it up, but they are the highest. Sometimes you can even go to jail depending on what regulations your industry is required to obey. Other states have big fines too, like MA, MD, ME, NJ, and WA. 2. Not destroying the drives by shredding or degaussing and DOD overwriting - there are lots of ways even damaged drives can have information taken from them. Protect yourself at all times and know what the applicable laws are.
From: Bob Fronk [mailto:b...@btrfronk.com] Sent: Wednesday, December 31, 2008 2:04 PM To: NT System Admin Issues Subject: RE: Selling servers I have sold Dell equipment before on eBay. There is a warranty transfer site (see link) http://support.dell.com/support/topics/global.aspx/support/change_order/en/tag_transfer From: Travis Robinson [mailto:travis.robin...@octanner.com] Sent: Wednesday, December 31, 2008 4:59 PM To: NT System Admin Issues Subject: OT: Selling servers Hello, We are looking at migrating to an all blade environment and have some 1yr old Dell 1950s with Gold support. Has anyone sold off old servers that are still under warranty? Any recommendations on how to do it; eBay or reseller? Any suggestions are appreciated Thanks and Happy New Year Travis
Re: Hackers create rogue CA certificate using MD5 collisions
Not all GeoTrust certificates are MD5 signed, only those signed using the below mentioned root CA. The only GeoTrust product using that CA is the QuickSSL cert. For the higher-end certificate offerings GeoTrust uses root CAs called Equifax Security CA and GeoTrust Primary Certificate Authority, both of which use SHA-1 hashes. Kurt Buff wrote: Add GeoTrust aka Equifax Secure Global eBusiness CA-1 -- Phil Brutsche p...@optimumdata.com
Re: Selling servers
On Wed, Dec 31, 2008 at 7:38 PM, Mike French mike.fre...@theequitybank.com wrote: Would that cover indemnification as well? This reminds me of Bender on Futurama, when asked for a guarantee that his merchandise was genuine: I can guarantee you anything you want! I'm sure there are companies which will be happy to broker this stuff for a fee. But why do you trust them when you don't trust the scrap dealer? Either one might do something that gets you in trouble. If you're worried, check with your company counsel. Some jurisdictions may have laws that say the original purchaser is liable even if they've sold it, regardless of who you deal with. Some jurisdictions may just require a paper trail. Check with a lawyer who is working for *you*. -- Ben
Re: LCD monitor vs LCD HDTV?
There are a couple of web pages out there that attempt to document which units can do the full 1920x1080 over the VGA port. Some can and some cannot. Interestingly, my Vizio claims that if you want full 1080 over the HDMI port with a PC source, you must have a native HDMI output on your PC; A DVI-to-HDMI convertor won't work. As for the VGA port, 1080 looks awful (it's interlaced and overscanned). 1366x768 is the top clean resolution. Be sure to do your homework. I wish I had. RM On Wed, 31 Dec 2008 15:09:42 -0500, Bryan Garmon bryan.gar...@gmail.com said: My Samsung 46 LCD does 1920X1080P just fine with my laptop hooked up to the back of it using a DVI connection. Perhaps your tv isn't what the marketing geniuses now call True HD. True HD televisions support 1920X1080P resolution over either DVI or HDMI. If you're using a VGA cable good luck - I've had nothing but bad experiences trying to go above 1024X768 using a VGA connection. For a living room, 1920X1080P works great for a PC screen resolution - but if you're talking about putting it on your desk, I agree that one is better off with a LCD monitor.
USB backup drive for Server 2003?
I'm supporting a small business that wants to use an external USB drive for backup (and upgrade to something else later). All the regular external drives from WD, Seagate, etc have a backup package that does not support server OS's. I know that I can use the built-in Windows backup but it'd be nice to have something a little more flexible. It appears that the Maxtor Small Business Edition did support Server 2003 but that product is out of production. Any ideas? The basic server version of Retrospect is too expensive for them. RM
Re: Hackers create rogue CA certificate using MD5 collisions
That's interesting, because I ordered direct from GeoTrust. It seems the relationships between CAs are quite complex.

On Wed, Dec 31, 2008 at 4:48 PM, Phil Brutsche p...@optimumdata.com wrote:

Not all GeoTrust certificates are MD5 signed, only those signed using the below mentioned root CA. The only GeoTrust product using that CA is the QuickSSL cert. For the higher-end certificate offerings GeoTrust uses root CAs called Equifax Security CA and GeoTrust Primary Certificate Authority, both of which use SHA-1 hashes.

Kurt Buff wrote:

Add GeoTrust aka Equifax Secure Global eBusiness CA-1

-- Phil Brutsche p...@optimumdata.com
RE: Hackers create rogue CA certificate using MD5 collisions
The attack relies on creating two cert requests - one for a legitimate server authN cert, and one for an intermediate CA. You get the CA to sign the AuthN cert (e.g. for a website), but since the two cert requests that we have specially crafted end up with the same MD5 verification hash, we can then use the intermediate CA cert to start signing our own, illegitimate, certs. Finding MD5 collisions for existing certs would probably not be feasible yet. This attack relies, at the moment (from my understanding) on generating the two cert requests concurrently - the second one (for the CA) using padding data to generate the collision. It's easier (apparently) to generate the collision if you are creating both at the same time.

But as long as browsers still accept the older certificates, they'd still be vulnerable, right?

It doesn't matter what the rogue cert is signed with (could be SHA1). The issue is CAs using MD5 to sign certificates (thus allowing an attacker to come up with their own intermediate CA). The rogue intermediate CA could sign certs using SHA1. But yes - if all root CAs that were trusted were using SHA1 only and/or refusing to sign intermediate CAs with the same key that they use for end point verification, we wouldn't have this current problem.

Cheers
Ken

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Thursday, 1 January 2009 8:06 AM
To: NT System Admin Issues
Subject: Re: Hackers create rogue CA certificate using MD5 collisions

On Wed, Dec 31, 2008 at 11:13 AM, David Lum david@nwea.org wrote:

Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method.

I thought the idea was that an attacker would forge a certificate, with info matching an existing certificate, but using a private key of their own, and then set their fleet of PlayStation 3's to work to come up with an MD5 collision, so they could use the signature from a real certificate to sign their forgery. Or something like that. So not only does this affect already-issued certificates, it depends on them. Or am I misunderstanding?

Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm.

But as long as browsers still accept the older certificates, they'd still be vulnerable, right?
RE: Hackers create rogue CA certificate using MD5 collisions
This isn't the issue at all at the moment. Root CA certs can be signed in crayon, as long as you trust the integrity of the cert, you are OK. No one is cracking root CA certs. They are generating certificate requests (two of them - one for an end point purpose e.g. web server authentication, and one for an intermediate CA) that will result in the same signing hash from the CA if the CA is using MD5.

Cheers
Ken

-----Original Message-----
From: Troy Meyer [mailto:troy.me...@monacocoach.com]
Sent: Thursday, 1 January 2009 9:09 AM
To: NT System Admin Issues
Subject: RE: Hackers create rogue CA certificate using MD5 collisions

If the PS3 guys can crack an MD5 encrypted root certificate, they can create their own CA that looks like a trusted authority and in turn the CA can issue certificates that appear to be from that fake trusted authority. If a public CA has a root cert that is encrypted with SHA1 they aren't susceptible (yet) to having their certs faked. Faked certs could be used to make false websites look secure or genuine, could be used to deploy software that appears to be from a trusted vendor, or could be used to gain access to services/systems authenticated through public certs. Hopefully this will be a kick in the rear to CAs using MD5. If you run a site or service that uses certs from CAs like Equifax, Thawte, or GTE (all have at least one valid CA with a root cert encrypted with MD5), check your cert and the encryption of the signature at the top of the certificate path. If your root cert was encrypted with MD5, I would get your CA on the phone and have a conversation about possible risks.

-troy

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Wednesday, December 31, 2008 1:06 PM
To: NT System Admin Issues
Subject: Re: Hackers create rogue CA certificate using MD5 collisions

On Wed, Dec 31, 2008 at 11:13 AM, David Lum david@nwea.org wrote:

Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method.

I thought the idea was that an attacker would forge a certificate, with info matching an existing certificate, but using a private key of their own, and then set their fleet of PlayStation 3's to work to come up with an MD5 collision, so they could use the signature from a real certificate to sign their forgery. Or something like that. So not only does this affect already-issued certificates, it depends on them. Or am I misunderstanding?

Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm.

But as long as browsers still accept the older certificates, they'd still be vulnerable, right?
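An added example, not part of any list message: a PowerShell audit of the local Windows certificate stores for certificates signed with MD5 (shown by Windows as md5RSA). It separates self-issued roots, whose own signature is not what the attack discussed above depends on, from certificates that an issuing CA signed with MD5. The function name `Get-Md5SignedCertificate`, the store paths and the wording of the notes are choices made for this example.

```powershell
# Added example, not from the thread.
# Lists certificates in the local Windows stores whose signature uses MD5.
$Md5RsaOid = '1.2.840.113549.1.1.4'   # md5WithRSAEncryption ("md5RSA" in the Windows UI)

function Get-Md5SignedCertificate {
    param(
        # Store paths are this example's choice; add others as needed.
        [string[]]$StorePath = @(
            'Cert:\LocalMachine\Root',   # trusted root CAs
            'Cert:\LocalMachine\CA',     # intermediate CAs
            'Cert:\LocalMachine\My'      # this machine's own certificates
        )
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            if ($cert.SignatureAlgorithm.Value -ne $Md5RsaOid) { continue }

            # Self-issued: the encoded issuer and subject names are identical.
            $issuer  = [BitConverter]::ToString($cert.IssuerName.RawData)
            $subject = [BitConverter]::ToString($cert.SubjectName.RawData)
            $selfIssued = ($issuer -eq $subject)

            if ($selfIssued) {
                # A root is trusted because it sits in the store, not because
                # of the hash used in its own signature.
                $note = 'Self-issued: its own signature hash is not the exposure'
            } elseif ($cert.NotAfter -lt (Get-Date)) {
                $note = 'Signed by its issuer with MD5, already expired'
            } else {
                $note = 'Signed by its issuer with MD5: ask the CA to reissue'
            }

            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                SelfIssued = $selfIssued
                Note       = $note
            }
        }
    }
}

# Certificates signed by an issuer come first, self-issued roots last.
Get-Md5SignedCertificate | Sort-Object SelfIssued, NotAfter | Format-List
```

A root showing md5RSA here says nothing about whether that CA still signs new certificates with MD5; the rows with SelfIssued = False are the ones that show an issuer actually used MD5.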
RE: USB backup drive for Server 2003?
Honestly, I use NT Backup with external Maxtor USB drives, I've done several recoveries from the backups with no issue and the overall cost - (we're a non-profit so believe me this is the cheapest way) it just can't be beat. Newegg has great prices on NAS devices (Buffalo TeraStation for example) that can be networked for a little more flexibility if you're talking more than one server.

HTH
Happy New year all!

John W. Cook
Systems Administrator
Partnership For Strong Families
315 SE 2nd Ave Gainesville, Fl 32601
Office (352) 393-2741 x320
Cell (352) 215-6944
Fax (352) 393-2746
MCSE, MCTS, MCP+I, CompTIA A+, N+

From: RM [mailto:r...@richardmay.net]
Sent: Wednesday, December 31, 2008 9:17 PM
To: NT System Admin Issues
Subject: USB backup drive for Server 2003?

I'm supporting a small business that wants to use an external USB drive for backup (and upgrade to something else later). All the regular external drives from WD, Seagate, etc have a backup package that does not support server OS's. I know that I can use the built-in Windows backup but it'd be nice to have something a little more flexible. It appears that the Maxtor Small Business Edition did support Server 2003 but that product is out of production. Any ideas? The basic server version of Retrospect is too expensive for them.

RM
RE: Virtualization Questions - More Q's
Seth, I think we are in violent agreement here. I'm just saying that virtualising your infrastructure means that there is one more team of people who have privileged access to your infrastructure, and they need to be built into the whole change control/management process. For a physical DC, you need to worry about your AD team, and whoever your hardware team is (i.e. the people who have physical access to the racks that your DCs are in, and who probably also have access via DRAC/ILO/etc). If you virtualise your DC, you need to worry about the virtualisation team as well, as they, like the people who have physical access, now have privileged access to the infrastructure that hosts the DC and if the integrity of everything underneath the OS can't be guaranteed (physical environment, virtualisation software), then neither can the OS.

Cheers
Ken

-----Original Message-----
From: S Conn. [mailto:sysadminli...@gmail.com]
Sent: Wednesday, 31 December 2008 7:28 AM
To: NT System Admin Issues
Subject: Re: Virtualization Questions - More Q's

On Tue, Dec 30, 2008 at 10:55 AM, Ken Schaefer k...@adopenstatic.com wrote:

-----Original Message-----
From: S Conn. [mailto:sysadminli...@gmail.com]
Subject: Re: Virtualization Questions - More Q's

I don't see a lot of difference here between virtual environment vs physical.

Physical access can mean control - but you can control physical access. Not to mention detecting network changes and preventing/detecting BIOS changes (via passwords and ILO/DRAC etc). In a virtual environment, your virtualisation people control the BIOS, the boot sequence, the virtual networks that are exposed, and even the hard disks of the VMs themselves. And they can do that remotely. In a physical world, your virtualisation people wouldn't have access to the cabinets that store your physical domain controllers or other physical servers. Just the servers that host the VM hosts. Additionally, there are occasionally vulnerabilities in virtualisation software (a couple for VMWare and more for other products). These can be used to gain access to VMs by holding privileges on the host.

Cheers
Ken

VMware allows you to password protect the BIOS, just like a physical machine. As for network changes, a VMWare administrator can change only the virtual switches and virtual NICs, they can't affect the physical switches connecting the rest of the network. Basically you have to treat the virtual environment the same as a physical environment and treat the access program (such as VirtualCenter) just like physical access. Yes you can access it remotely, but IP KVMs, Remote PDUs, DRAC/ILO cards, etc provide the same remote access for physical servers. Except, with virtual, you can delegate certain tasks a lot better than just giving a bunch of folks the key to the door of your server room or maintaining a ton of remote access products.

You do have a good point with the software vulnerabilities. However, I'd have to argue that you have those with just about any other solution. I'm sure a clever hacker can figure out a remote PDU or DRAC card. Following best practices, such as putting your service consoles on non-production management networks, setting up isolation, patching, etc can help with these problems.

Seth
RE: Hackers create rogue CA certificate using MD5 collisions
So, if I understand things correctly, the definitive way to protect against this potential attack would be to remove all root certs that use the Md5RSA signature algorithm? What are the downsides?

...Tim

-----Original Message-----
From: Ken Schaefer [mailto:k...@adopenstatic.com]
Sent: Wednesday, December 31, 2008 7:28 PM
To: NT System Admin Issues
Subject: RE: Hackers create rogue CA certificate using MD5 collisions

The attack relies on creating two cert requests - one for a legitimate server authN cert, and one for an intermediate CA. You get the CA to sign the AuthN cert (e.g. for a website), but since the two cert requests that we have specially crafted end up with the same MD5 verification hash, we can then use the intermediate CA cert to start signing our own, illegitimate, certs. Finding MD5 collisions for existing certs would probably not be feasible yet. This attack relies, at the moment (from my understanding) on generating the two cert requests concurrently - the second one (for the CA) using padding data to generate the collision. It's easier (apparently) to generate the collision if you are creating both at the same time.

But as long as browsers still accept the older certificates, they'd still be vulnerable, right?

It doesn't matter what the rogue cert is signed with (could be SHA1). The issue is CAs using MD5 to sign certificates (thus allowing an attacker to come up with their own intermediate CA). The rogue intermediate CA could sign certs using SHA1. But yes - if all root CAs that were trusted were using SHA1 only and/or refusing to sign intermediate CAs with the same key that they use for end point verification, we wouldn't have this current problem.

Cheers
Ken

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Thursday, 1 January 2009 8:06 AM
To: NT System Admin Issues
Subject: Re: Hackers create rogue CA certificate using MD5 collisions

On Wed, Dec 31, 2008 at 11:13 AM, David Lum david@nwea.org wrote:

Microsoft is not aware of specific attacks against MD5, so previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. This issue only affects certificates being signed using MD5 after the publication of the attack method.

I thought the idea was that an attacker would forge a certificate, with info matching an existing certificate, but using a private key of their own, and then set their fleet of PlayStation 3's to work to come up with an MD5 collision, so they could use the signature from a real certificate to sign their forgery. Or something like that. So not only does this affect already-issued certificates, it depends on them. Or am I misunderstanding?

Most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm.

But as long as browsers still accept the older certificates, they'd still be vulnerable, right?