Office 2007 Security Update released today

[Angus Scott-Fleming]

This is not showing up in a manual Microsoft Update scan for me even though I 
have the Compatibility Pack installed, but it was released today:

  Download details: Security Update for the 2007 Microsoft Office System 
  (KB982331)
A security vulnerability exists in the 2007 Microsoft Office System and
the Microsoft Office Compatibility Pack that could allow arbitrary code to
run when a maliciously modified file is opened. This update resolves that
vulnerability.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=7f89a734-cda4-4abb-9a10-f6dfe560e8d0
or here if the above wraps unusably: 
http://preview.tinyurl.com/22jkcxt

When I run the patch manually, it says it's already installed, and a check 
shows it was installed on 6/8 as part of Patch Tuesday.  Strange that the 
release date of this patch is 6/15.

Angus


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Technet

[Rod Trent]

http://blogs.technet.com/b/technetplussubscriptions/archive/2010/06/14/techn
et-subscriptions-standard-launches-today.aspx?wa=wsignin1.0 

 

From: Jeff Bunting [mailto:bunting.j...@gmail.com] 
Sent: Tuesday, June 15, 2010 8:44 PM
To: NT System Admin Issues
Subject: Technet

 

So I see that MS has a new "Standard" level Technet subscription:

 

http://technet.microsoft.com/en-us/subscriptions/bb892756.aspx

 

Anyone know what exactly it contains?  I haven't been able to find specifics
anywhere on their site, only "TechNet Standard does not include some
enterprise editions of Microsoft software".   

 

Jeff

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Password policy enforcement after a change

[Crawford, Scott]

You can find AdFind, along with many other goodies here:

http://joeware.net/freetools/tools/adfind/index.htm


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 7:15 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 8:11 PM, Free, Bob  wrote:
> You don't need a tool, just do an LDAP query for pwdLastSet. I would use
> adfind as it will decode the timestamps, dump to a csv and massage in
> excel.

  I don't seem to have an "ADFIND" command.  Is that new in 2003/2008
or something?

> ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
> pwdLastSet  -tdc -csv

  Thanks!  The query will be good to have around for future reference,
even if I don't end up using it for *this* project.   :)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Technet

[Jeff Bunting]

So I see that MS has a new "Standard" level Technet subscription:

http://technet.microsoft.com/en-us/subscriptions/bb892756.aspx

Anyone know what exactly it contains?  I haven't been able to find specifics
anywhere on their site, only "TechNet Standard does not include some
enterprise editions of Microsoft software".

Jeff

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Password policy enforcement after a change

[Ben Scott]

On Tue, Jun 15, 2010 at 8:11 PM, Free, Bob  wrote:
> You don't need a tool, just do an LDAP query for pwdLastSet. I would use
> adfind as it will decode the timestamps, dump to a csv and massage in
> excel.

  I don't seem to have an "ADFIND" command.  Is that new in 2003/2008
or something?

> ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
> pwdLastSet  -tdc -csv

  Thanks!  The query will be good to have around for future reference,
even if I don't end up using it for *this* project.   :)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Password policy enforcement after a change

[Free, Bob]

You don't need a tool, just do an LDAP query for pwdLastSet. I would use
adfind as it will decode the timestamps, dump to a csv and massage in
excel.

Something along the lines of -

ADFIND -default -f "(&(objectCategory=person)(objectClass=user))"
pwdLastSet  -tdc -csv

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 4:30 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
> ... from "No password expiration" to "X days" ...
> ... 8-year-expired password before ...

  Thank you, everyone, for your informative and helpful responses!

  I think what I'll do is configure the password complexity
requirements first, and then (as suggested) send broadcast email
instructing people to change their password.  They'll have to pick a
strong password then.  Things keep working in the meantime.

  Then I'll use the ALOINFO tool (http://tinyurl.com/5n66v) to
generate a report on password ages.  With that, I can harass anyone
who hasn't changed their password in a timely fashion.

  I found the ALOINFO tool while looking for the ACCTINFO.DLL.  The
later also looks to be very useful, but more for single-user
investigations.  Reporting would require GUI clicking on each user;
not practical in even a 70 user organization.

  Thanks again!

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Ben Scott]

On Tue, Jun 15, 2010 at 7:33 PM, Steven Peck  wrote:
> So as I have said.  Pretty much every issue has not been patch
> related.  But having called MS we had help identifying the actual
> cause of the issue.

  That doesn't make Windows better at package management; it just
means if you pay for Microsoft's help, they'll help you.  I would hope
so!  :)

> I guess your support experience has not been as good as mine.  With
> only one or two exceptions in years, every issue has been the result
> of configuration or third party software, not an MS fix.

  We may have been talking about different things.  I wasn't talking
about MSFT helping with patch management issues only, but rather, in
general.  If I call about a "known issue", they just point to the
requisite MSKB article and say the "behavior is by design" and won't
be fixed.  If you mean *just* patch management issues, okay.  That's
my fault for getting off-topic.  Sorry.

  To get back on topic: "you can pay Microsoft for help investigating
possible patch issues" != "Windows has good package management
technology".

> You consistently post this viewpoint. It has become expected.

  I believe you consistently post your viewpoint, too.  :)  I don't
consider that a bad thing.  If you didn't believe what you were
saying, you wouldn't be worth listening to.  :)

>>  (Plus, if you really want the company-to-blame thing, that's
>> available for Linux, too.  Novell or Red Hat or Canonical will happily
>> take your money and let you blame them all you want.)
>
> You keep saying blame.  If you pay Redhat you get the same time of
> service you get from MS.  A person will help you diagnose and
> troubleshoot the issue.  But you have to be using their stuff and they
> will help you see if it was their fix / update or something specific
> to your system / install.  This is the exact same advantage of having
> quality paid vendor support.

  Um.  Isn't that what I was saying?  That if you pay X for support,
they'll help you with their stuff, regardless of whether X = Microsoft
or X = Canonical?  :)

>>  When I compare Linux and Windows, I often say that it's not that one
>> *can't* do this or that on Windows, but that it costs more.  Same
>> thing here.  More stuff in this area is built-in, and what's there is
>> more sophisticated in functionality and is easier to maintain.  All
>> that adds up to lower costs.
>>
> No it doesn't.  It only costs 'less' if you fail to value your time
> and the time it has taken to acquire your expertise.

  And all the time I've spent acquiring knowledge on Microsoft
products?  Courses I've taken, manuals I've read, books I've bought
and studied, support calls, paid consultants, lab environments?  That
did not have a cost?

  I have yet to find anything in the IT world that didn't require
learning, planning, and integration effort.  This is the same
everywhere, Linux or Microsoft, payware or freeware or Open Source.

  Yah, any monkey can sit down with an install CD and click GUI
buttons and get something that boots.  That's true of Linux these
days, too (for better or worse).  That doesn't translate into a stable
IT infrastructure on any platform.

> The 'you can fix it yourself' part is a myth.

  Interesting.  You say "you can fix it yourself" is a myth, while I
say the commercial support angle is a myth.  Perhaps we are both
figments of our own imaginations?  ;-)

  Understand that you don't need to be a software developer to fix
simple issues.  Anecdote: Roughly eight years ago, I was tasked with
getting an ISDN link working with Linux.  It turns out the provider
was using a ridiculously long SPID, and the Linux ISDN stack was
truncating it, causing things to fail.  I understood almost nothing in
the source code, but I understood enough to know what "#define
MAX_SPID_LENGTH = 8" meant in the header, and to bump that number up.
Compare that to, say, MAX_PATH on Windows.  For whatever reason, it
appears that will be 255 forever, and we're just stuck with it.

> Cost comes from somewhere, paying a dev, learning it
> yourself, the kindness of random strangers

  Absolutely.  I just maintain that those costs are higher for Windows.

>>  To the best of my knowledge, with MSI, I can't do half of what I can
>> do with RPM (see my other posts in this thread for examples).
>
> Our desktop guys have been packaging the adobe updates, the java
> updates, the whatever weird in house custom app updates we have for
> years now.  I shall ask them what they use.  For straight MS updates,
> MS SCCM, select what you want and fire away.

  For distributing Microsoft updates, we have WSUS now.  It sucks up a
ton of RAM for even 100 PCs, it needs a SQL database server and a web
application, it's full of cryptic stuff that isn't documented
anywhere.  On Linux, all you need is a file share.  Again, costs.

  We also do things like custom MSI deployments for Java updates.  But
wasn't your argument that most people can't do that stuff, and those
that ca

Re: Time to verify your IIS setup

[Ben Scott]

On Tue, Jun 15, 2010 at 7:22 PM, Steven Peck  wrote:
> Yes but then we get these threads bitching about MS IIS instead of
> Crappy web page asp product X

  Yah.  People like to blame obvious targets, even when it doesn't
help (or even hurts).  A number of people in my local Linux User Group
(several of whom really should know better) are convinced the lack of
malware for Linux and Mac OS X is because of some inherent superiority
over MS Windows, and not because of a smaller target population and a
lower percentage of lusers.

  When I point to the new malware emerging for Mac OS X, they tell me
it's just one or two things so far.  I guess that makes it okay if you
get compromised?

  Sigh.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Steven Peck]

...

On Tue, Jun 15, 2010 at 4:16 PM, Ben Scott  wrote:
> On Tue, Jun 15, 2010 at 6:56 PM, Steven Peck  wrote:
>> Debian had the Drupal CMS in their distributions for
>> years and despite many attempts we could not get that thing out of
>> their despite it being old/unsecure/not-desired all because some guy
>> refused to remove it from the repo.
>>
>> At least with MS OS and Applications we have a central point.
>
>  I've heard that before.  Never, *ever* have I encountered or seen or
> heard of the "central point of blame" actually helping a situation.
> Not for mere mortals like me and my colleagues, anyway.
>
>   Say Microsoft screws up.  *What then*?  I call PSS and pay $250 and
> if I'm lucky, the call center monkey I got has a half a brain and
> acknowledges the issue.

So as I have said.  Pretty much every issue has not been patch
related.  But having called MS we had help identifying the actual
cause of the issue.

>  From then on, I'm helpless.  I don't know what group in Microsoft
> has responsibility for fixing it; I don't know when or *if* it will be
> fixed.  It's all a faceless corporation.  At least you knew which guy
> in Debian to blame.  Maybe someday Microsoft publishes a hotfix, or
> maybe they just say "This behavior is by design" and tell me, politely
> and professionally, to pound sand.  Or maybe they even say, yah,
> that's a problem, but we won't be fixing this any time soon, sorry.
> Maybe in the next release of Windows.  Or the one after that for sure.

I guess your support experience has not been as good as mine.  With
only one or two exceptions in years, every issue has been the result
of configuration or third party software, not an MS fix.

>  Please tell me how "having a big company to blame" makes this better
> for me or my employer.  I've heard that line so many times, and yet it
> never happens.

You consistently post this viewpoint. It has become expected.

>  (Plus, if you really want the company-to-blame thing, that's
> available for Linux, too.  Novell or Red Hat or Canonical will happily
> take your money and let you blame them all you want.)

You keep saying blame.  If you pay Redhat you get the same time of
service you get from MS.  A person will help you diagnose and
troubleshoot the issue.  But you have to be using their stuff and they
will help you see if it was their fix / update or something specific
to your system / install.  This is the exact same advantage of having
quality paid vendor support.

>> We have had very few actual patch related issues.
>> We have had many claims that the issue were patch
>> related but when drilled down on turned out
>> to generally be not a patch issue.
>
>  When I compare Linux and Windows, I often say that it's not that one
> *can't* do this or that on Windows, but that it costs more.  Same
> thing here.  More stuff in this area is built-in, and what's there is
> more sophisticated in functionality and is easier to maintain.  All
> that adds up to lower costs.
>
No it doesn't.  It only costs 'less' if you fail to value your time
and the time it has taken to acquire your expertise.  The 'you can fix
it yourself' part is a myth.  Very few people can actually do this and
those that can are generally not cheap.  I say this having been the
Drupal Documentation Team lead and ran and built their forums for
several years.   Cost comes from somewhere, paying a dev, learning it
yourself, the kindness of random strangers

>> Vendors need to get on the band wagon and begin to leverage the tools
>> Microsoft has supplied them ...
>
>  To the best of my knowledge, with MSI, I can't do half of what I can
> do with RPM (see my other posts in this thread for examples).  If I
> can, please point me at an FM that I can R; I will shower you with
> thanks and buy you the frosty beverage of your choice.  This applies
> to Windows components and Microsoft applications as much as it does to
> third-party stuff, so this isn't a "third party vendors all suck"
> issue, as far as I can see.

> -- Ben

Our desktop guys have been packaging the adobe updates, the java
updates, the whatever weird in house custom app updates we have for
years now.  I shall ask them what they use.  For straight MS updates,
MS SCCM, select what you want and fire away.

Steven

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Password policy enforcement after a change

[Ben Scott]

On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
> ... from "No password expiration" to "X days" ...
> ... 8-year-expired password before ...

  Thank you, everyone, for your informative and helpful responses!

  I think what I'll do is configure the password complexity
requirements first, and then (as suggested) send broadcast email
instructing people to change their password.  They'll have to pick a
strong password then.  Things keep working in the meantime.

  Then I'll use the ALOINFO tool (http://tinyurl.com/5n66v) to
generate a report on password ages.  With that, I can harass anyone
who hasn't changed their password in a timely fashion.

  I found the ALOINFO tool while looking for the ACCTINFO.DLL.  The
later also looks to be very useful, but more for single-user
investigations.  Reporting would require GUI clicking on each user;
not practical in even a 70 user organization.

  Thanks again!

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Time to verify your IIS setup

[Steven Peck]

Yes but then we get these threads bitching about MS IIS instead of
Crappy web page asp product X

On Tue, Jun 15, 2010 at 4:17 PM, Ziots, Edward  wrote:
> Problem is that its not IIS in itself that is the problem is the
> web-application running on IIS that doesn’t sanitize its input that is the
> problem, that and probably using an Database user account with too much
> privileges to access the backend, plus no auditing on the database backend
> to track what is being viewed, and on and on…
>
>
>
> Too bad it takes mass hacks like these to get some peoples attention to the
> matter, often too late, after they have been 0wned…..
>
>
>
> Z
>
>
>
> Edward Ziots
>
> CISSP,MCSA,MCP+I,Security +,Network +,CCA
>
> Network Engineer
>
> Lifespan Organization
>
> 401-639-3505
>
> ezi...@lifespan.org
>
>
>
> From: Andrew S. Baker [mailto:asbz...@gmail.com]
> Sent: Tuesday, June 15, 2010 5:46 PM
> To: NT System Admin Issues
> Subject: Re: Time to verify your IIS setup
>
>
>
> More important to me is, "How many discrete managers of IIS
> systems/environments does this represent?"
>
>
>
> I mean, on one level, if a single ISP hosting 500 discrete sites for clients
> is a victim, that's not exactly the same thing as those 500 clients failing
> to manage this risk.
>
>
>
> On the other hand (and from a more practical standpoint), they're still
> victims just the same...
>
> -ASB: http://XeeSM.com/AndrewBaker
>
> On Tue, Jun 15, 2010 at 5:38 PM, Sam Cayze  wrote:
>
> Dang.
> I was just curious...
>
> How many IIS sites are there in the world?  Roughly 780K.  So if the
> Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that
> are affected.
> Yikes.
>
> Source:
> http://news.netcraft.com/archives/category/web-server-survey/
>
> (most places on my search pointed to NetCraft having the most accurate
> results).
>
> Sam
>
>
>
>
> On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff  wrote:
>> about 111,000 sites infected
>>
>> http://isc.sans.edu/diary.html?storyid=8935
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>
>
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Time to verify your IIS setup

[Ziots, Edward]

Problem is that its not IIS in itself that is the problem is the
web-application running on IIS that doesn't sanitize its input that is
the problem, that and probably using an Database user account with too
much privileges to access the backend, plus no auditing on the database
backend to track what is being viewed, and on and on...

 

Too bad it takes mass hacks like these to get some peoples attention to
the matter, often too late, after they have been 0wned.

 

Z

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

ezi...@lifespan.org

 

From: Andrew S. Baker [mailto:asbz...@gmail.com] 
Sent: Tuesday, June 15, 2010 5:46 PM
To: NT System Admin Issues
Subject: Re: Time to verify your IIS setup

 

More important to me is, "How many discrete managers of IIS
systems/environments does this represent?"

 

I mean, on one level, if a single ISP hosting 500 discrete sites for
clients is a victim, that's not exactly the same thing as those 500
clients failing to manage this risk.

 

On the other hand (and from a more practical standpoint), they're still
victims just the same...


-ASB: http://XeeSM.com/AndrewBaker



On Tue, Jun 15, 2010 at 5:38 PM, Sam Cayze 
wrote:

Dang.
I was just curious...

How many IIS sites are there in the world?  Roughly 780K.  So if the
Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that
are affected.
Yikes.

Source:
http://news.netcraft.com/archives/category/web-server-survey/

(most places on my search pointed to NetCraft having the most accurate
results).

Sam






On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff  wrote:
> about 111,000 sites infected
>
> http://isc.sans.edu/diary.html?storyid=8935


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Ben Scott]

On Tue, Jun 15, 2010 at 6:56 PM, Steven Peck  wrote:
> Debian had the Drupal CMS in their distributions for
> years and despite many attempts we could not get that thing out of
> their despite it being old/unsecure/not-desired all because some guy
> refused to remove it from the repo.
>
> At least with MS OS and Applications we have a central point.

  I've heard that before.  Never, *ever* have I encountered or seen or
heard of the "central point of blame" actually helping a situation.
Not for mere mortals like me and my colleagues, anyway.

   Say Microsoft screws up.  *What then*?  I call PSS and pay $250 and
if I'm lucky, the call center monkey I got has a half a brain and
acknowledges the issue.

  From then on, I'm helpless.  I don't know what group in Microsoft
has responsibility for fixing it; I don't know when or *if* it will be
fixed.  It's all a faceless corporation.  At least you knew which guy
in Debian to blame.  Maybe someday Microsoft publishes a hotfix, or
maybe they just say "This behavior is by design" and tell me, politely
and professionally, to pound sand.  Or maybe they even say, yah,
that's a problem, but we won't be fixing this any time soon, sorry.
Maybe in the next release of Windows.  Or the one after that for sure.

  Please tell me how "having a big company to blame" makes this better
for me or my employer.  I've heard that line so many times, and yet it
never happens.

  (Plus, if you really want the company-to-blame thing, that's
available for Linux, too.  Novell or Red Hat or Canonical will happily
take your money and let you blame them all you want.)

> We have had very few actual patch related issues.
> We have had many claims that the issue were patch
> related but when drilled down on turned out
> to generally be not a patch issue.

  When I compare Linux and Windows, I often say that it's not that one
*can't* do this or that on Windows, but that it costs more.  Same
thing here.  More stuff in this area is built-in, and what's there is
more sophisticated in functionality and is easier to maintain.  All
that adds up to lower costs.

> Vendors need to get on the band wagon and begin to leverage the tools
> Microsoft has supplied them ...

  To the best of my knowledge, with MSI, I can't do half of what I can
do with RPM (see my other posts in this thread for examples).  If I
can, please point me at an FM that I can R; I will shower you with
thanks and buy you the frosty beverage of your choice.  This applies
to Windows components and Microsoft applications as much as it does to
third-party stuff, so this isn't a "third party vendors all suck"
issue, as far as I can see.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Time to verify your IIS setup

[Ziots, Edward]

Definitely a nice write up, but when you comb your IIS logs and set seeing 
DECLARE and CAST statements in the url sequences, you had better be on your 
guard because those are some tell-tale signs of SQLi.. I don’t know of many 
webapplications that are accepting that as INPUT.. so if you have things in 
place like URLSCAN, or WAF's you might want to make sure you drop that type of 
traffic and report on it as possible SQLI accordingly. 

Z

Edward Ziots
CISSP,MCSA,MCP+I,Security +,Network +,CCA
Network Engineer
Lifespan Organization
401-639-3505
ezi...@lifespan.org


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, June 15, 2010 6:19 PM
To: NT System Admin Issues
Subject: Re: Time to verify your IIS setup

Here's an update on the issue:

http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html

On Tue, Jun 15, 2010 at 14:45, Andrew S. Baker  wrote:
> More important to me is, "How many discrete managers of IIS
> systems/environments does this represent?"
> I mean, on one level, if a single ISP hosting 500 discrete sites for clients
> is a victim, that's not exactly the same thing as those 500 clients failing
> to manage this risk.
> On the other hand (and from a more practical standpoint), they're still
> victims just the same...
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Tue, Jun 15, 2010 at 5:38 PM, Sam Cayze  wrote:
>>
>> Dang.
>> I was just curious...
>>
>> How many IIS sites are there in the world?  Roughly 780K.  So if the
>> Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that
>> are affected.
>> Yikes.
>>
>> Source:
>> http://news.netcraft.com/archives/category/web-server-survey/
>>
>> (most places on my search pointed to NetCraft having the most accurate
>> results).
>>
>> Sam
>>
>>
>>
>>
>>
>> On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff  wrote:
>> > about 111,000 sites infected
>> >
>> > http://isc.sans.edu/diary.html?storyid=8935
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~   ~
>>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Time to verify your IIS setup

[Ziots, Edward]

SQLI and Blind SQLi are fun... You just need to go to some OWASP
meetings, it will start to make a lot of sense, that and scare the
living crap out of you, on how poorly web applications are written and
how much they are relied on to access very sensitive information in the
organization. Plus a poor written web app actually increases your attack
surface within the organization due to the multitude of people that can
hack at the web interface that couldn't do that as easily through
traditional thick client solutions. ( Not saying the Thick client is
better)

 

Now think of how secure or basically insecure your Sharepoint sites are
and possible SQLi/XSS vulnerabilities lying in those beasts, and it
seems to be the new craze in collaboration, but what about the
information stored in the website itself? Who can access should it even
be in Sharepoint? Can you encrypt it at rest? Lots of interesting
scenarios and fun questions abound.. 

 

Now that will make ya head hurt sometimes...

 

EZ

 

Edward Ziots

CISSP,MCSA,MCP+I,Security +,Network +,CCA

Network Engineer

Lifespan Organization

401-639-3505

ezi...@lifespan.org

 

From: David [mailto:blazer...@gmail.com] 
Sent: Tuesday, June 15, 2010 6:50 PM
To: NT System Admin Issues
Subject: Re: Time to verify your IIS setup

 

That just makes my head hurt.




On Tue, Jun 15, 2010 at 3:18 PM, Kurt Buff  wrote:

Here's an update on the issue:

http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.
html


On Tue, Jun 15, 2010 at 14:45, Andrew S. Baker 
wrote:
> More important to me is, "How many discrete managers of IIS
> systems/environments does this represent?"
> I mean, on one level, if a single ISP hosting 500 discrete sites for
clients
> is a victim, that's not exactly the same thing as those 500 clients
failing
> to manage this risk.
> On the other hand (and from a more practical standpoint), they're
still
> victims just the same...
> -ASB: http://XeeSM.com/AndrewBaker
>
>



-- 
David

_

Firearms are second only to the Constitution in importance; 
they are the peoples' liberty's teeth.

~ George Washington

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Steven Peck]

Yes but with the Linux tree updates identifying the actual issue and
who has the authority to change / update / do it right can be
challenging.  Debian had the Drupal CMS in their distributions for
years and despite many attempts we could not get that thing out of
their despite it being old/unsecure/not-desired all because some guy
refused to remove it from the repo.

At least with MS OS and Applications we have a central point.  We have
had very few actual patch related issues.  We have had many claims
that the issue were patch related but when drilled down on turned out
to generally be not a patch issue.

Vendors need to get on the band wagon and begin to leverage the tools
Microsoft has supplied them but I don't really agree that the Linux
world has done this better.  It really all gets down to which *nix
distro you are using and which repositories you pick as to if they
work or not.

Steven Peck
http://www.blkmtn.org


On Tue, Jun 15, 2010 at 3:38 PM, Ben Scott  wrote:
> On Tue, Jun 15, 2010 at 5:48 PM, Steven Peck  wrote:
>> You are essentially relying on 'some' 
>> to be doing something 'right' or at least agreed on and that their
>> choices will not nuke your existing configuration.
>
>  Well, unless you write all software you use yourself, you're always
> relying on someone else to do it right.  :)
>
>  It's certainly true that package maintainers can make mistakes.  (As
> you may have noticed, proprietary software companies aren't perfect
> either.  )  However, one nice thing about strong package
> management is that it's very easy to automate things like integrity
> checking to detect mistakes -- often even preventing them from causing
> damage.
>
>  For example, on our Linux boxes, every program file is "owned" by a
> particular package.  If another package tries to install another copy
> of some library, RPM will detect that during pre-install and abort,
> saying the new package has a file which conflicts with an
> already-installed package.
>
>  The tools used to build RPM packages include things which
> automatically detect the libraries needed by an executable and note
> them as dependencies.
>
>  And assuming the packages contain correct information (the same way
> we assume Microsoft builds their MSIs correctly), there's all sorts of
> good things you get.
>
>  Say I want to uninstall foo, but something else depends on it.  RPM
> will refuse the uninstall, telling my exactly what "foo" depends on.
>
>  Or say I'm looking at a strange file, and I'm wondering what it's
> for.  For example:
>
>        /usr/lib/libpanel_g.a
>
>  I have no idea what that library is for.  But I can do this:
>
>        $ rpm --query --file /usr/lib/libpanel_g.a
>        ncurses-devel-5.5-24.20060715
>
> So now I know it's from the "ncurses" development package.  If I
> didn't know what ncurses was, I can do:
>
>        $ rpm --query --info ncurses
>
> and read a description.
>
>  Take a look at C:\WINDOWS\SYSTEM32\ on a Windows box near you.  Can
> you tell me what every file is for?  Can you easily find out?
>
>  Or let's say you want to make sure Exchange has all the right
> versions of all the right libraries installed.  At *best*, you're
> running a purpose-built tool which checks that.  It's quite possible
> you're going to end up searching the hard disk for particular .DLL
> files and manually checking version numbers.
>
>  With RPM, I can do "rpm --verify --all".  That will check every file
> in every package, and tell me if it has been changed improperly (and
> if so, what changed); it will also report any broken dependencies.
>
>  Certainly, MSI has made things better, and Microsoft keeps improving
> it, so I have hope that we'll be able to do things like this on
> Windows some day.  But it's still years off, at best, I think, before
> the Windows ecosystem will really catch up on this front.  First
> Microsoft has to build the tools, and then the rest of the industry
> has to adopt them.
>
>  I'm not saying this is a sufficient condition to abandon Windows for
> Linux.  I'm just saying this is something Linux does better today, and
> that it's a model I hope the Microsoft world learns from and adopts.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Ben Scott]

On Tue, Jun 15, 2010 at 6:40 PM, Andrew S. Baker  wrote:
>>>shaky foundation?
>
> The DOS, Win16 underpinnings...

  And even Win32 (NT/9x) didn't have anything approaching a common
installer system until 2000 or so, and side-by-side DLL installs
didn't show up until... what, Win XP?  XP SP2?

  .NET was supposed to solve all these problems, but I haven't really
seen that materialize.  Even Microsoft publishes stuff that demands a
particular release of the .NET Framework.  :-(

> Installed base is great when everything has been well laid out. Not so
> great, when you're bound to earlier suboptimal decisions...

  As a wise man once said: Indeed.  ;-)

  The Windows platform's greatest advantage (the huge base of software
available for it) is also one of it's biggest problems.  There's so
much stuff out there, and Windows has changed so much over time, that
Microsoft can't change *anything* without breaking *something*.

  While I think some of this can be blamed on Microsoft, since they
really should have seen some of it coming and were in a position to do
something about it, some of it's just bad luck.  And regardless of
fault, it's what we have now, and fixing it isn't going to be easy,
even for Microsoft.  :-(

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Time to verify your IIS setup

[David]

That just makes my head hurt.



On Tue, Jun 15, 2010 at 3:18 PM, Kurt Buff  wrote:

> Here's an update on the issue:
>
>
> http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html
>
> On Tue, Jun 15, 2010 at 14:45, Andrew S. Baker  wrote:
> > More important to me is, "How many discrete managers of IIS
> > systems/environments does this represent?"
> > I mean, on one level, if a single ISP hosting 500 discrete sites for
> clients
> > is a victim, that's not exactly the same thing as those 500 clients
> failing
> > to manage this risk.
> > On the other hand (and from a more practical standpoint), they're still
> > victims just the same...
> > -ASB: http://XeeSM.com/AndrewBaker
> >
> >
>

-- 
David

_

Firearms are second only to the Constitution in importance;
they are the peoples' liberty's teeth.

~ George Washington

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Time to verify your IIS setup

[Ben Scott]

On Tue, Jun 15, 2010 at 6:18 PM, Kurt Buff  wrote:
> http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html

  So, as usual, the biggest problem is the large amount of server-side
web application software written by people who don't know how to write
secure code.  :-(

  (For those that think I'm just a blind FOSS/Linux supporter: This is
an area where FOSS/Linux does not appear to do any better.  It sucks
everywhere.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Andrew S. Baker]

*>>shaky foundation?*

The DOS, Win16 underpinnings...

Installed base is great when everything has been well laid out. Not so
great, when you're bound to earlier suboptimal decisions...


-ASB: http://XeeSM.com/AndrewBaker


On Tue, Jun 15, 2010 at 5:47 PM, Joseph Heaton  wrote:

> shaky foundation?
>
> >>> "Andrew S. Baker"  6/15/2010 2:42 PM >>>
> I don't know that I would say that Linux *always* had package management
> going well -- certainly not all distros.
>
> There was a time when Debian was highly regarded *because* of its excellent
> package management system.
>
> Redhat was next, and then RPM became a major standard because of their
> popularity and subsequent clout.
>
> SuSE was probably the next one in line.
>
> I'm not disagreeing with you as far as where things stand today, but at
> best, we can say that Linux started off on a "better" footing, and had less
> legacy and installed base to overcome.  Such is both the power and drawback
> of a large installed base over a shaky foundation.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Tue, Jun 15, 2010 at 1:47 PM, Ben Scott  wrote:
>
> > On Tue, Jun 15, 2010 at 12:15 PM, Phil Brutsche 
> > wrote:
> > >> And why is a solution like this missing from MS operating systems??
> > >
> > > It isn't.
> >
> >  Comparing MSI/WSUS to RPM/YUM (or dpkg/APT or...) is really missing
> > a lot.  MSI is a beast to develop for, it's a compatibility nightmare
> > across releases, MSI packages frequently require an interactive
> > presence, MSIs vary radically in design, they're a bear to customize,
> > the post-install management functions are non-existent, WSUS is a
> > completely different framework vs MSI, I could go on and on and on.
> >
> > > Third parties who refuse to publish catalogs SCUP can use (like Adobe)
> > > are as much as fault as anyone else.
> >
> >   So, basically, practically the entire software industry.
> >
> >  Microsoft has been working on Windows software installation for a
> > decade plus, and it's still very hairy, especially if you want to also
> > support not-the-latest-release-of-Windows.  I can't really blame
> > third-party developers for (1) resorting to doing their own thing and
> > (2) not wanting to jump aboard Microsoft's bandwagon when Microsoft
> > themselves weren't done building it yet (and still may not be).
> >
> >  Now, a lot of this is due to the "legacy" Microsoft built with
> > classic Windows, which was completely ad hoc.  The entire Windows
> > software industry ecosystem is built up around that.  It's way too
> > late to get it right the first time, so now Microsoft has to come up
> > with a way to migrate the world's largest installed base to something
> > more manageable.  That's not going to be quick.  Microsoft is still
> > responsible, since they built it like that way-back-when, but even
> > Microsoft can't change the past.  They work in the world they built,
> > and it's not realistic to expect them to fix it overnight.
> >
> >  But for those same reasons, expecting the rest of the software
> > industry to adopt what Microsoft's latest idea quickly is also
> > unrealistic.
> >
> >  In contrast, all the current Linux distributions were designed
> > "right" the right time, with strong package management from day one.
> > So everything has been and continues to be much smoother on the
> > package/update management front.
> >
> > -- Ben
> >
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Password policy enforcement after a change

[James Hill]

Schedule the change for out of hours or during a quiet period), inform the 
users, force all machines to log off.


-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Wednesday, 16 June 2010 5:12 AM
To: NT System Admin Issues
Subject: Password policy enforcement after a change

Hello, list,

  After years of lobbying on my part, I have finally gotten top management at 
%WORK% to approve a company password policy, complete with enforcement via 
Active Directory/Group Policy.  (And there was much rejoicing!)

  I know we have people who have never changed their password since they were 
hired in 2001.  When we suddenly go from "No password expiration" to "X days", 
at their next logon, they'll be prompted to change their password.  However, 
until they logoff/logon, the system won't prompt them.  My question is: Will 
they have trouble accessing resources until they change their password?  I've 
never tried to use a Windows domain with an 8-year-expired password before.

  Win 2000 AD server, Win XP Pro SP3 clients.

  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
Budget priorities, bad economy, yadda yadda.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Ben Scott]

On Tue, Jun 15, 2010 at 5:48 PM, Steven Peck  wrote:
> You are essentially relying on 'some' 
> to be doing something 'right' or at least agreed on and that their
> choices will not nuke your existing configuration.

  Well, unless you write all software you use yourself, you're always
relying on someone else to do it right.  :)

  It's certainly true that package maintainers can make mistakes.  (As
you may have noticed, proprietary software companies aren't perfect
either.  )  However, one nice thing about strong package
management is that it's very easy to automate things like integrity
checking to detect mistakes -- often even preventing them from causing
damage.

  For example, on our Linux boxes, every program file is "owned" by a
particular package.  If another package tries to install another copy
of some library, RPM will detect that during pre-install and abort,
saying the new package has a file which conflicts with an
already-installed package.

  The tools used to build RPM packages include things which
automatically detect the libraries needed by an executable and note
them as dependencies.

  And assuming the packages contain correct information (the same way
we assume Microsoft builds their MSIs correctly), there's all sorts of
good things you get.

  Say I want to uninstall foo, but something else depends on it.  RPM
will refuse the uninstall, telling my exactly what "foo" depends on.

  Or say I'm looking at a strange file, and I'm wondering what it's
for.  For example:

/usr/lib/libpanel_g.a

  I have no idea what that library is for.  But I can do this:

$ rpm --query --file /usr/lib/libpanel_g.a
ncurses-devel-5.5-24.20060715

So now I know it's from the "ncurses" development package.  If I
didn't know what ncurses was, I can do:

$ rpm --query --info ncurses

and read a description.

  Take a look at C:\WINDOWS\SYSTEM32\ on a Windows box near you.  Can
you tell me what every file is for?  Can you easily find out?

  Or let's say you want to make sure Exchange has all the right
versions of all the right libraries installed.  At *best*, you're
running a purpose-built tool which checks that.  It's quite possible
you're going to end up searching the hard disk for particular .DLL
files and manually checking version numbers.

  With RPM, I can do "rpm --verify --all".  That will check every file
in every package, and tell me if it has been changed improperly (and
if so, what changed); it will also report any broken dependencies.

  Certainly, MSI has made things better, and Microsoft keeps improving
it, so I have hope that we'll be able to do things like this on
Windows some day.  But it's still years off, at best, I think, before
the Windows ecosystem will really catch up on this front.  First
Microsoft has to build the tools, and then the rest of the industry
has to adopt them.

  I'm not saying this is a sufficient condition to abandon Windows for
Linux.  I'm just saying this is something Linux does better today, and
that it's a model I hope the Microsoft world learns from and adopts.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Kurt Buff]

Unlike say, some random software company that says their service pack,
hotfix or other update won't trash your machine.

MSFT/Adobe/others come to mind...

On Tue, Jun 15, 2010 at 14:48, Steven Peck  wrote:
> Nor do they do the applications on a given distribution 'right' all
> the time.  You are essentially relying on 'some' 
> to be doing something 'right' or at least agreed on and that their
> choices will not nuke your existing configuration.
>
> Steven Peck
>
> On Tue, Jun 15, 2010 at 2:42 PM, Andrew S. Baker  wrote:
>> I don't know that I would say that Linux *always* had package management
>> going well -- certainly not all distros.
>> There was a time when Debian was highly regarded *because* of its excellent
>> package management system.
>> Redhat was next, and then RPM became a major standard because of their
>> popularity and subsequent clout.
>> SuSE was probably the next one in line.
>> I'm not disagreeing with you as far as where things stand today, but at
>> best, we can say that Linux started off on a "better" footing, and had less
>> legacy and installed base to overcome.  Such is both the power and drawback
>> of a large installed base over a shaky foundation.
>> -ASB: http://XeeSM.com/AndrewBaker
>>
>>
>> On Tue, Jun 15, 2010 at 1:47 PM, Ben Scott  wrote:
>>>
>>> On Tue, Jun 15, 2010 at 12:15 PM, Phil Brutsche 
>>> wrote:
>>> >> And why is a solution like this missing from MS operating systems??
>>> >
>>> > It isn't.
>>>
>>>  Comparing MSI/WSUS to RPM/YUM (or dpkg/APT or...) is really missing
>>> a lot.  MSI is a beast to develop for, it's a compatibility nightmare
>>> across releases, MSI packages frequently require an interactive
>>> presence, MSIs vary radically in design, they're a bear to customize,
>>> the post-install management functions are non-existent, WSUS is a
>>> completely different framework vs MSI, I could go on and on and on.
>>>
>>> > Third parties who refuse to publish catalogs SCUP can use (like Adobe)
>>> > are as much as fault as anyone else.
>>>
>>>  So, basically, practically the entire software industry.
>>>
>>>  Microsoft has been working on Windows software installation for a
>>> decade plus, and it's still very hairy, especially if you want to also
>>> support not-the-latest-release-of-Windows.  I can't really blame
>>> third-party developers for (1) resorting to doing their own thing and
>>> (2) not wanting to jump aboard Microsoft's bandwagon when Microsoft
>>> themselves weren't done building it yet (and still may not be).
>>>
>>>  Now, a lot of this is due to the "legacy" Microsoft built with
>>> classic Windows, which was completely ad hoc.  The entire Windows
>>> software industry ecosystem is built up around that.  It's way too
>>> late to get it right the first time, so now Microsoft has to come up
>>> with a way to migrate the world's largest installed base to something
>>> more manageable.  That's not going to be quick.  Microsoft is still
>>> responsible, since they built it like that way-back-when, but even
>>> Microsoft can't change the past.  They work in the world they built,
>>> and it's not realistic to expect them to fix it overnight.
>>>
>>>  But for those same reasons, expecting the rest of the software
>>> industry to adopt what Microsoft's latest idea quickly is also
>>> unrealistic.
>>>
>>>  In contrast, all the current Linux distributions were designed
>>> "right" the right time, with strong package management from day one.
>>> So everything has been and continues to be much smoother on the
>>> package/update management front.
>>>
>>> -- Ben
>>>
>>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>>> ~   ~
>>
>>
>>
>>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Ben Scott]

On Tue, Jun 15, 2010 at 5:42 PM, Andrew S. Baker  wrote:
>>  In contrast, all the current Linux distributions were designed
>> "right" the [first] time, with strong package management from day one.
>
> I don't know that I would say that Linux *always* had package management
> going well -- certainly not all distros.

  Well, there was a bit of weasel-wording on my part there, with "all
current distros".  :)

  If you go back > 10 years or so, yes, there were significant distros
without strong package management.  But well before 2000, anything
without good package management either got upgraded to add it, or
became obsolete or extremely marginalized.  (One could argue about
Slackware, but they consciously made the decision to be package
management luddites.  It takes all kinds.)

  Even Red Hat 2.0, circa 1995, had RPM, which knew enough to check
dependencies and handle upgrades if you had all the local packages.

  As you note, Debian had the early advantage with a comprehensive
solution for solving dependencies and automatically downloading
packages.  Red Hat didn't do that until 6.something (c. 1999).  But
other tools were available to do it; I used to use one called (IIRC)
"autorpm".  They used all the same dependency info already included in
RPM packages.  There was no separate update infrastructure to create,
just an index of package info that could be rebuilt from the original
package files at any time.

  Certainly, things have become better over time, but the foundation
for solid package management was there 15 years ago.  That gave Linux
a real leg up.  I certainly don't envy Microsoft the task of trying to
retrofit a solution on to Windows, and then convince everybody to use
it.  But that's not my problem; keeping our software as up-to-date as
I can *is*.  :-)

  (On that note, back to our Win 2000 migration.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Time to verify your IIS setup

[Kurt Buff]

Here's an update on the issue:

http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html

On Tue, Jun 15, 2010 at 14:45, Andrew S. Baker  wrote:
> More important to me is, "How many discrete managers of IIS
> systems/environments does this represent?"
> I mean, on one level, if a single ISP hosting 500 discrete sites for clients
> is a victim, that's not exactly the same thing as those 500 clients failing
> to manage this risk.
> On the other hand (and from a more practical standpoint), they're still
> victims just the same...
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Tue, Jun 15, 2010 at 5:38 PM, Sam Cayze  wrote:
>>
>> Dang.
>> I was just curious...
>>
>> How many IIS sites are there in the world?  Roughly 780K.  So if the
>> Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that
>> are affected.
>> Yikes.
>>
>> Source:
>> http://news.netcraft.com/archives/category/web-server-survey/
>>
>> (most places on my search pointed to NetCraft having the most accurate
>> results).
>>
>> Sam
>>
>>
>>
>>
>>
>> On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff  wrote:
>> > about 111,000 sites infected
>> >
>> > http://isc.sans.edu/diary.html?storyid=8935
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~   ~
>>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Password policy enforcement after a change

[Devin Meade]

Okay ... we had no problems maybe because we had assigned pw's which the
users could not change.  We only had one VPN user - that never used it :-\
Now we have about 20 VPN users.  We also executed the Group Policy and went
thru AD and checked "force pw change" at around 10PM and announced it many
times.  We had under 100 users at the time so that didn't take too long.
IIRC there were about 5 or 10 users who needed hand holding to change the
pw.

On Tue, Jun 15, 2010 at 4:12 PM, Andrew S. Baker  wrote:

> Ben,
>
> They will have all sorts of problems accessing resources if you changed
> that right now.  :)
>
> The remote people would be especially pleased with you.   Depending on what
> services they were trying to access, they *might* be told to change their
> passwords, but many of the resources would just do weird things to them.
>
> Like Jonathan mentioned, I'd send out a nice memo indicating that passwords
> will need to change before XXX date, and then set the new policy to go into
> effect the day after that.
>
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
>
>> Hello, list,
>>
>>  After years of lobbying on my part, I have finally gotten top
>> management at %WORK% to approve a company password policy, complete
>> with enforcement via Active Directory/Group Policy.  (And there was
>> much rejoicing!)
>>
>>  I know we have people who have never changed their password since
>> they were hired in 2001.  When we suddenly go from "No password
>> expiration" to "X days", at their next logon, they'll be prompted to
>> change their password.  However, until they logoff/logon, the system
>> won't prompt them.  My question is: Will they have trouble accessing
>> resources until they change their password?  I've never tried to use a
>> Windows domain with an 8-year-expired password before.
>>
>>  Win 2000 AD server, Win XP Pro SP3 clients.
>>
>>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
>> Budget priorities, bad economy, yadda yadda.)
>>
>> -- Ben
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~   ~
>>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Steven Peck]

Nor do they do the applications on a given distribution 'right' all
the time.  You are essentially relying on 'some' 
to be doing something 'right' or at least agreed on and that their
choices will not nuke your existing configuration.

Steven Peck

On Tue, Jun 15, 2010 at 2:42 PM, Andrew S. Baker  wrote:
> I don't know that I would say that Linux *always* had package management
> going well -- certainly not all distros.
> There was a time when Debian was highly regarded *because* of its excellent
> package management system.
> Redhat was next, and then RPM became a major standard because of their
> popularity and subsequent clout.
> SuSE was probably the next one in line.
> I'm not disagreeing with you as far as where things stand today, but at
> best, we can say that Linux started off on a "better" footing, and had less
> legacy and installed base to overcome.  Such is both the power and drawback
> of a large installed base over a shaky foundation.
> -ASB: http://XeeSM.com/AndrewBaker
>
>
> On Tue, Jun 15, 2010 at 1:47 PM, Ben Scott  wrote:
>>
>> On Tue, Jun 15, 2010 at 12:15 PM, Phil Brutsche 
>> wrote:
>> >> And why is a solution like this missing from MS operating systems??
>> >
>> > It isn't.
>>
>>  Comparing MSI/WSUS to RPM/YUM (or dpkg/APT or...) is really missing
>> a lot.  MSI is a beast to develop for, it's a compatibility nightmare
>> across releases, MSI packages frequently require an interactive
>> presence, MSIs vary radically in design, they're a bear to customize,
>> the post-install management functions are non-existent, WSUS is a
>> completely different framework vs MSI, I could go on and on and on.
>>
>> > Third parties who refuse to publish catalogs SCUP can use (like Adobe)
>> > are as much as fault as anyone else.
>>
>>  So, basically, practically the entire software industry.
>>
>>  Microsoft has been working on Windows software installation for a
>> decade plus, and it's still very hairy, especially if you want to also
>> support not-the-latest-release-of-Windows.  I can't really blame
>> third-party developers for (1) resorting to doing their own thing and
>> (2) not wanting to jump aboard Microsoft's bandwagon when Microsoft
>> themselves weren't done building it yet (and still may not be).
>>
>>  Now, a lot of this is due to the "legacy" Microsoft built with
>> classic Windows, which was completely ad hoc.  The entire Windows
>> software industry ecosystem is built up around that.  It's way too
>> late to get it right the first time, so now Microsoft has to come up
>> with a way to migrate the world's largest installed base to something
>> more manageable.  That's not going to be quick.  Microsoft is still
>> responsible, since they built it like that way-back-when, but even
>> Microsoft can't change the past.  They work in the world they built,
>> and it's not realistic to expect them to fix it overnight.
>>
>>  But for those same reasons, expecting the rest of the software
>> industry to adopt what Microsoft's latest idea quickly is also
>> unrealistic.
>>
>>  In contrast, all the current Linux distributions were designed
>> "right" the right time, with strong package management from day one.
>> So everything has been and continues to be much smoother on the
>> package/update management front.
>>
>> -- Ben
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~   ~
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Joseph Heaton]

shaky foundation?

>>> "Andrew S. Baker"  6/15/2010 2:42 PM >>>
I don't know that I would say that Linux *always* had package management
going well -- certainly not all distros.

There was a time when Debian was highly regarded *because* of its excellent
package management system.

Redhat was next, and then RPM became a major standard because of their
popularity and subsequent clout.

SuSE was probably the next one in line.

I'm not disagreeing with you as far as where things stand today, but at
best, we can say that Linux started off on a "better" footing, and had less
legacy and installed base to overcome.  Such is both the power and drawback
of a large installed base over a shaky foundation.

-ASB: http://XeeSM.com/AndrewBaker 


On Tue, Jun 15, 2010 at 1:47 PM, Ben Scott  wrote:

> On Tue, Jun 15, 2010 at 12:15 PM, Phil Brutsche 
> wrote:
> >> And why is a solution like this missing from MS operating systems??
> >
> > It isn't.
>
>  Comparing MSI/WSUS to RPM/YUM (or dpkg/APT or...) is really missing
> a lot.  MSI is a beast to develop for, it's a compatibility nightmare
> across releases, MSI packages frequently require an interactive
> presence, MSIs vary radically in design, they're a bear to customize,
> the post-install management functions are non-existent, WSUS is a
> completely different framework vs MSI, I could go on and on and on.
>
> > Third parties who refuse to publish catalogs SCUP can use (like Adobe)
> > are as much as fault as anyone else.
>
>   So, basically, practically the entire software industry.
>
>  Microsoft has been working on Windows software installation for a
> decade plus, and it's still very hairy, especially if you want to also
> support not-the-latest-release-of-Windows.  I can't really blame
> third-party developers for (1) resorting to doing their own thing and
> (2) not wanting to jump aboard Microsoft's bandwagon when Microsoft
> themselves weren't done building it yet (and still may not be).
>
>  Now, a lot of this is due to the "legacy" Microsoft built with
> classic Windows, which was completely ad hoc.  The entire Windows
> software industry ecosystem is built up around that.  It's way too
> late to get it right the first time, so now Microsoft has to come up
> with a way to migrate the world's largest installed base to something
> more manageable.  That's not going to be quick.  Microsoft is still
> responsible, since they built it like that way-back-when, but even
> Microsoft can't change the past.  They work in the world they built,
> and it's not realistic to expect them to fix it overnight.
>
>  But for those same reasons, expecting the rest of the software
> industry to adopt what Microsoft's latest idea quickly is also
> unrealistic.
>
>  In contrast, all the current Linux distributions were designed
> "right" the right time, with strong package management from day one.
> So everything has been and continues to be much smoother on the
> package/update management front.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Time to verify your IIS setup

[Andrew S. Baker]

More important to me is, "How many discrete managers of IIS
systems/environments does this represent?"

I mean, on one level, if a single ISP hosting 500 discrete sites for clients
is a victim, that's not exactly the same thing as those 500 clients failing
to manage this risk.

On the other hand (and from a more practical standpoint), they're still
victims just the same...

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Jun 15, 2010 at 5:38 PM, Sam Cayze  wrote:

> Dang.
> I was just curious...
>
> How many IIS sites are there in the world?  Roughly 780K.  So if the
> Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that
> are affected.
> Yikes.
>
> Source:
> http://news.netcraft.com/archives/category/web-server-survey/
>
> (most places on my search pointed to NetCraft having the most accurate
> results).
>
> Sam
>
>
>
>
>
> On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff  wrote:
> > about 111,000 sites infected
> >
> > http://isc.sans.edu/diary.html?storyid=8935
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Andrew S. Baker]

I don't know that I would say that Linux *always* had package management
going well -- certainly not all distros.

There was a time when Debian was highly regarded *because* of its excellent
package management system.

Redhat was next, and then RPM became a major standard because of their
popularity and subsequent clout.

SuSE was probably the next one in line.

I'm not disagreeing with you as far as where things stand today, but at
best, we can say that Linux started off on a "better" footing, and had less
legacy and installed base to overcome.  Such is both the power and drawback
of a large installed base over a shaky foundation.

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Jun 15, 2010 at 1:47 PM, Ben Scott  wrote:

> On Tue, Jun 15, 2010 at 12:15 PM, Phil Brutsche 
> wrote:
> >> And why is a solution like this missing from MS operating systems??
> >
> > It isn't.
>
>  Comparing MSI/WSUS to RPM/YUM (or dpkg/APT or...) is really missing
> a lot.  MSI is a beast to develop for, it's a compatibility nightmare
> across releases, MSI packages frequently require an interactive
> presence, MSIs vary radically in design, they're a bear to customize,
> the post-install management functions are non-existent, WSUS is a
> completely different framework vs MSI, I could go on and on and on.
>
> > Third parties who refuse to publish catalogs SCUP can use (like Adobe)
> > are as much as fault as anyone else.
>
>   So, basically, practically the entire software industry.
>
>  Microsoft has been working on Windows software installation for a
> decade plus, and it's still very hairy, especially if you want to also
> support not-the-latest-release-of-Windows.  I can't really blame
> third-party developers for (1) resorting to doing their own thing and
> (2) not wanting to jump aboard Microsoft's bandwagon when Microsoft
> themselves weren't done building it yet (and still may not be).
>
>  Now, a lot of this is due to the "legacy" Microsoft built with
> classic Windows, which was completely ad hoc.  The entire Windows
> software industry ecosystem is built up around that.  It's way too
> late to get it right the first time, so now Microsoft has to come up
> with a way to migrate the world's largest installed base to something
> more manageable.  That's not going to be quick.  Microsoft is still
> responsible, since they built it like that way-back-when, but even
> Microsoft can't change the past.  They work in the world they built,
> and it's not realistic to expect them to fix it overnight.
>
>  But for those same reasons, expecting the rest of the software
> industry to adopt what Microsoft's latest idea quickly is also
> unrealistic.
>
>  In contrast, all the current Linux distributions were designed
> "right" the right time, with strong package management from day one.
> So everything has been and continues to be much smoother on the
> package/update management front.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Time to verify your IIS setup

[Sam Cayze]

Dang.
I was just curious...

How many IIS sites are there in the world?  Roughly 780K.  So if the
Sucuri.net's 111K number is accurate, that's about 1 in 7 IIS sites that
are affected.
Yikes.

Source:
http://news.netcraft.com/archives/category/web-server-survey/

(most places on my search pointed to NetCraft having the most accurate
results).

Sam





On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff  wrote:
> about 111,000 sites infected
>
> http://isc.sans.edu/diary.html?storyid=8935


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Password policy enforcement after a change

[Andrew S. Baker]

Ben,

They will have all sorts of problems accessing resources if you changed that
right now.  :)

The remote people would be especially pleased with you.   Depending on what
services they were trying to access, they *might* be told to change their
passwords, but many of the resources would just do weird things to them.

Like Jonathan mentioned, I'd send out a nice memo indicating that passwords
will need to change before XXX date, and then set the new policy to go into
effect the day after that.

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:

> Hello, list,
>
>  After years of lobbying on my part, I have finally gotten top
> management at %WORK% to approve a company password policy, complete
> with enforcement via Active Directory/Group Policy.  (And there was
> much rejoicing!)
>
>  I know we have people who have never changed their password since
> they were hired in 2001.  When we suddenly go from "No password
> expiration" to "X days", at their next logon, they'll be prompted to
> change their password.  However, until they logoff/logon, the system
> won't prompt them.  My question is: Will they have trouble accessing
> resources until they change their password?  I've never tried to use a
> Windows domain with an 8-year-expired password before.
>
>  Win 2000 AD server, Win XP Pro SP3 clients.
>
>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
> Budget priorities, bad economy, yadda yadda.)
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Ben Scott]

On Tue, Jun 15, 2010 at 2:14 PM, Angus Scott-Fleming
 wrote:
> Heidi's Eraser has a right-click option to erase an entire
> drive ... Not sure about NET USEd drives, though ...

  I'm near-positive you won't be able to overwrite an *entire disk*
via "NET USE" .  Mapped drives are really just accessing a network
file protocol; the client has no knowledge of the underlying storage.

  You should be able to overwrite individual files on a network drive, though.

  At least, in theory.  One complication in all this is that modern
storage systems may not overwrite-in-place, or may write data to more
than one location.  For example, if the filesystem has journaling
and/or copy-on-write features.  So when you write zeros to the file
you want to erase, what you end up doing is writing zeros to a bunch
of new blocks, while leaving the original blocks untouched on disk.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Password policy enforcement after a change

[John Aldrich]

Yeah. I still go through the problem of user's passwords expiring and them
not able to access network resources. I typically have them pull up a
command prompt and attempt to access a mapped drive from the command prompt
to ensure they have just had a password expiration. Or I just tell them that
I think their password has expired and they should change it. 99.999% of the
time that's the problem and a new password fixes it. I still have to tell
them *why* they can't access the network resource though. L

 

John-AldrichTile-Tools

 

From: Devin Meade [mailto:devin.me...@gmail.com] 
Sent: Tuesday, June 15, 2010 3:23 PM
To: NT System Admin Issues
Subject: Re: Password policy enforcement after a change

 

Hmm we did that ~ 2 yrs ago.  We used to assign passwords but *finally* sold
it to upper mgt to do it via Active Dir and the built in complexity policy
(2003 native mode).  It went pretty well, nobody lost access, they had to
change their passwords at next logon.  We announced it well before hand
(many times).  Still had much wailing and gnashing of teeth but it's been
worth it!  We even went through the expiry of passwords and peeps were able
to change them (mostly no hand holding).  We added the accountinfo.dll or
whatever it is called to see when passwords were set on the DC's for each
acct.

On Tue, Jun 15, 2010 at 2:11 PM, Ben Scott  wrote:

Hello, list,

 After years of lobbying on my part, I have finally gotten top
management at %WORK% to approve a company password policy, complete
with enforcement via Active Directory/Group Policy.  (And there was
much rejoicing!)

 I know we have people who have never changed their password since
they were hired in 2001.  When we suddenly go from "No password
expiration" to "X days", at their next logon, they'll be prompted to
change their password.  However, until they logoff/logon, the system
won't prompt them.  My question is: Will they have trouble accessing
resources until they change their password?  I've never tried to use a
Windows domain with an 8-year-expired password before.

 Win 2000 AD server, Win XP Pro SP3 clients.

 (Yes I know Win2K has five weeks until EOL.  I'm working on it.
Budget priorities, bad economy, yadda yadda.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>

Re: DISK WIPING TOOL

[Kurt Buff]

http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx

On Tue, Jun 15, 2010 at 08:40, Haralson, Joe (GE Comm Fin, non-GE)
 wrote:
> Not looking to leave DBAN. Looking at options. I also have a need for a
> tool that can be used remotely. I would like to clean Data drive and not
> have to boot from cd.
>
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Tuesday, June 15, 2010 10:12 AM
> To: NT System Admin Issues
> Subject: Re: DISK WIPING TOOL
>
> Why the interest in leaving DBAN?  It is what I've used for years
>
 "Haralson, Joe (GE Comm Fin, non-GE)" 
 6/15/2010 8:06 AM >>>
> Does anyone have a good Disk cleaning free tool? I currently use DBAN
> but was exploring other options.
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Password policy enforcement after a change

[Jonathan Link]

By the designated date.  Top posted for your confusion.

On Tue, Jun 15, 2010 at 3:17 PM, Jonathan Link wrote:

>  Yes, it will interfere with accessing resources.
> I had to schedule a day in our office so everyone knew well in advance.
> Those that couldn't or chose not to be at work that day had an
> administratively assigned password (in the event that they needed access),
> or change their password in advance of the date.
> I believe I only had one person who didn't change their password on the
> designated date.
>
>
>
>  On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:
>
>> Hello, list,
>>
>>  After years of lobbying on my part, I have finally gotten top
>> management at %WORK% to approve a company password policy, complete
>> with enforcement via Active Directory/Group Policy.  (And there was
>> much rejoicing!)
>>
>>  I know we have people who have never changed their password since
>> they were hired in 2001.  When we suddenly go from "No password
>> expiration" to "X days", at their next logon, they'll be prompted to
>> change their password.  However, until they logoff/logon, the system
>> won't prompt them.  My question is: Will they have trouble accessing
>> resources until they change their password?  I've never tried to use a
>> Windows domain with an 8-year-expired password before.
>>
>>  Win 2000 AD server, Win XP Pro SP3 clients.
>>
>>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
>> Budget priorities, bad economy, yadda yadda.)
>>
>> -- Ben
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> ~   ~
>>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Password policy enforcement after a change

[Devin Meade]

Hmm we did that ~ 2 yrs ago.  We used to assign passwords but *finally* sold
it to upper mgt to do it via Active Dir and the built in complexity policy
(2003 native mode).  It went pretty well, nobody lost access, they had to
change their passwords at next logon.  We announced it well before hand
(many times).  Still had much wailing and gnashing of teeth but it's been
worth it!  We even went through the expiry of passwords and peeps were able
to change them (mostly no hand holding).  We added the accountinfo.dll or
whatever it is called to see when passwords were set on the DC's for each
acct.

On Tue, Jun 15, 2010 at 2:11 PM, Ben Scott  wrote:

> Hello, list,
>
>  After years of lobbying on my part, I have finally gotten top
> management at %WORK% to approve a company password policy, complete
> with enforcement via Active Directory/Group Policy.  (And there was
> much rejoicing!)
>
>  I know we have people who have never changed their password since
> they were hired in 2001.  When we suddenly go from "No password
> expiration" to "X days", at their next logon, they'll be prompted to
> change their password.  However, until they logoff/logon, the system
> won't prompt them.  My question is: Will they have trouble accessing
> resources until they change their password?  I've never tried to use a
> Windows domain with an 8-year-expired password before.
>
>  Win 2000 AD server, Win XP Pro SP3 clients.
>
>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
> Budget priorities, bad economy, yadda yadda.)
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Password policy enforcement after a change

[Jonathan Link]

Yes, it will interfere with accessing resources.
I had to schedule a day in our office so everyone knew well in advance.
Those that couldn't or chose not to be at work that day had an
administratively assigned password (in the event that they needed access),
or change their password in advance of the date.
I believe I only had one person who didn't change their password on the
designated date.



On Tue, Jun 15, 2010 at 3:11 PM, Ben Scott  wrote:

> Hello, list,
>
>  After years of lobbying on my part, I have finally gotten top
> management at %WORK% to approve a company password policy, complete
> with enforcement via Active Directory/Group Policy.  (And there was
> much rejoicing!)
>
>  I know we have people who have never changed their password since
> they were hired in 2001.  When we suddenly go from "No password
> expiration" to "X days", at their next logon, they'll be prompted to
> change their password.  However, until they logoff/logon, the system
> won't prompt them.  My question is: Will they have trouble accessing
> resources until they change their password?  I've never tried to use a
> Windows domain with an 8-year-expired password before.
>
>  Win 2000 AD server, Win XP Pro SP3 clients.
>
>  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
> Budget priorities, bad economy, yadda yadda.)
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Angus Scott-Fleming]

On 15 Jun 2010 at 11:40, Haralson, Joe (GE Comm Fin, n  wrote:

> Not looking to leave DBAN. Looking at options. I also have a need for a
> tool that can be used remotely. I would like to clean Data drive and not
> have to boot from cd. 

Heidi's Eraser has a right-click option to erase an entire drive (e.g. a data 
partition).  If you have remote-access (VNC, RDP) to another machine, you could 
certainly run Eraser remotely that way.  Not sure about NET USEd drives, 
though, you'll have to experiment.

Eraser is an advanced security tool for Windows which allows you to 
completely remove sensitive data from your hard drive by overwriting it 
several times with carefully selected patterns. Eraser is currently 
supported under Windows XP (with Service Pack 3), Windows Server 2003 
(with Service Pack 2), Windows Vista, Windows Server 2008, Windows 7 and 
Windows Server 2008 R2.

Eraser is Free software and its source code is released under GNU General 
Public License.

  http://eraser.heidi.ie/


--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Password policy enforcement after a change

[Ben Scott]

Hello, list,

  After years of lobbying on my part, I have finally gotten top
management at %WORK% to approve a company password policy, complete
with enforcement via Active Directory/Group Policy.  (And there was
much rejoicing!)

  I know we have people who have never changed their password since
they were hired in 2001.  When we suddenly go from "No password
expiration" to "X days", at their next logon, they'll be prompted to
change their password.  However, until they logoff/logon, the system
won't prompt them.  My question is: Will they have trouble accessing
resources until they change their password?  I've never tried to use a
Windows domain with an 8-year-expired password before.

  Win 2000 AD server, Win XP Pro SP3 clients.

  (Yes I know Win2K has five weeks until EOL.  I'm working on it.
Budget priorities, bad economy, yadda yadda.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Printer issues

[Phil Brutsche]

IMO all modern printers are cheap Chinese made crap with obscenely high
toner costs.

That is why I started buying used refurbed HPs (LaserJet 4000s and
4100s). Refurbishment typically involves new rollers and fuser assembly.

Or buying used HPs on the cheap and having them serviced by a local
repair shop.

On 6/15/2010 1:31 PM, Ben Scott wrote:
>   I used to do that, until one day we got some new LJ P2015's, and
> when we installed the drivers, they ate the drivers for our LJ 1320's.
>  We called HP and HP told us the only solution was to replace the LJ
> 1320's with LJ P2015's (!!!).  They wouldn't budge on the issue.

-- 

Phil Brutsche
p...@optimumdata.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Printer issues

[Ben Scott]

On Tue, Jun 15, 2010 at 2:14 PM, Angus Scott-Fleming
 wrote:
> I try to use only HP printers which support Network Installs.  These come for
> the most part without the bloatware.

  I used to do that, until one day we got some new LJ P2015's, and
when we installed the drivers, they ate the drivers for our LJ 1320's.
 We called HP and HP told us the only solution was to replace the LJ
1320's with LJ P2015's (!!!).  They wouldn't budge on the issue.

  We eventually hacked the HP LJ4 driver Microsoft ships with Win XP
into working as a generic PCL driver for all our HP printers.

  I eventually got escalated to some department with a name like
Americas Customer Resolutions or something like that.  When I
explained all my complaints (on this and other HP issues) to the
"Northern region manager", she told me that she couldn't do anything
about it.  When I said that was going to lead me to looking at other
vendors, she said she didn't blame me.

  We're buying Lexmark now.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: VSphere Clients at v4

[Stefan Jafs]

Thanks Yes I do have some VM's on the DMZ, I make sure I'll have the proper
IP's and yes there are multiple re-boots needed.

Thanks



On Tue, Jun 15, 2010 at 2:27 PM, Steven Peck  wrote:

> Just make sure you inventory the IP addresses on any system where you
> have multiple nic's.  While not common, we had several systems with
> issues wehre we had to redo the NIC settings after this.  It ends up
> being about 3 reboots all told.
>
> Steven Peck
> http://www.blkmtn.org
>
> On Tue, Jun 15, 2010 at 11:12 AM, Damien Solodow
>   wrote:
> > What you’re seeing is the VM hardware version. You need to be running
> VMware
> > Tools from ESX 4.x before you upgrade them to v7.
> >
> > Here’s how:
> >
> > Shutdown the VM.
> >
> > Right click and choose “Upgrade Hardware”
> >
> > Turn on VM
> >
> > Let Windows detect assorted new hardware
> >
> > Reboot.
> >
> > Rejoice.
> >
> >
> >
> > You can actually have Update Manager take care of this for you as well…
> >
> >
> >
> > From: Stefan Jafs [mailto:stefan.j...@gmail.com]
> > Sent: Tuesday, June 15, 2010 2:11 PM
> > To: NT System Admin Issues
> > Subject: VSphere Clients at v4
> >
> >
> >
> > I upgraded to VSphere quit a while ago but just today applied all
> Critical
> > and Non-critical patches. I notices that "old" VM's still show v4 after
> > updating the VMware tools, I even tried to remove re--boot and re-install
> > still v 4. However all "new" VM's show v 7! Should they not all just be v
> 7
> > after update?
> >
> >
> >
> > Should I worry about it or just ignore it?
> >
> > --
> > Stefan Jafs
> >
> >
> >
> >
> >
> >
> >
> >
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>


-- 
Stefan Jafs

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Java strangeness

[John Aldrich]

Sweet. I know there's a plugin for FF that will let you load IE in a tab,
much like the feature in Chrome.




-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Tuesday, June 15, 2010 2:15 PM
To: NT System Admin Issues
Subject: Re: Java strangeness

On 14 Jun 2010 at 13:39, John Aldrich  wrote:

> According to CIT´s Technical Support person, IE is the only supported
> browser. L I may still have the user try FireFox or Chrome, or even IE
> within FireFox. J 

ChromePlus has a built-in IETab feature.  http://chromeplus.org/
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: VSphere Clients at v4

[Stefan Jafs]

Thanks that was as easy as the easy button.

Stefan

On Tue, Jun 15, 2010 at 2:12 PM, Damien Solodow  wrote:

>  What you’re seeing is the VM hardware version. You need to be running
> VMware Tools from ESX 4.x before you upgrade them to v7.
>
> Here’s how:
>
> Shutdown the VM.
>
> Right click and choose “Upgrade Hardware”
>
> Turn on VM
>
> Let Windows detect assorted new hardware
>
> Reboot.
>
> Rejoice.
>
>
>
> You can actually have Update Manager take care of this for you as well…
>
>
>
> *From:* Stefan Jafs [mailto:stefan.j...@gmail.com]
> *Sent:* Tuesday, June 15, 2010 2:11 PM
> *To:* NT System Admin Issues
> *Subject:* VSphere Clients at v4
>
>
>
> I upgraded to VSphere quit a while ago but just today applied all Critical
> and Non-critical patches. I notices that "old" VM's still show v4 after
> updating the VMware tools, I even tried to remove re--boot and re-install
> still v 4. However all "new" VM's show v 7! Should they not all just be v 7
> after update?
>
>
>
> Should I worry about it or just ignore it?
>
> --
> Stefan Jafs
>
>
>
>
>
>
>
>
>
>


-- 
Stefan Jafs

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: VSphere Clients at v4

[Steven Peck]

Just make sure you inventory the IP addresses on any system where you
have multiple nic's.  While not common, we had several systems with
issues wehre we had to redo the NIC settings after this.  It ends up
being about 3 reboots all told.

Steven Peck
http://www.blkmtn.org

On Tue, Jun 15, 2010 at 11:12 AM, Damien Solodow
 wrote:
> What you’re seeing is the VM hardware version. You need to be running VMware
> Tools from ESX 4.x before you upgrade them to v7.
>
> Here’s how:
>
> Shutdown the VM.
>
> Right click and choose “Upgrade Hardware”
>
> Turn on VM
>
> Let Windows detect assorted new hardware
>
> Reboot.
>
> Rejoice.
>
>
>
> You can actually have Update Manager take care of this for you as well…
>
>
>
> From: Stefan Jafs [mailto:stefan.j...@gmail.com]
> Sent: Tuesday, June 15, 2010 2:11 PM
> To: NT System Admin Issues
> Subject: VSphere Clients at v4
>
>
>
> I upgraded to VSphere quit a while ago but just today applied all Critical
> and Non-critical patches. I notices that "old" VM's still show v4 after
> updating the VMware tools, I even tried to remove re--boot and re-install
> still v 4. However all "new" VM's show v 7! Should they not all just be v 7
> after update?
>
>
>
> Should I worry about it or just ignore it?
>
> --
> Stefan Jafs
>
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Cisco ASA Question/IIS Question

[Ben Scott]

On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert  wrote:
> My question is:  How do I do another one to one NAT translation with a
> different public IP address so I can register both sites with our public DNS
> provider?

  Sounds like you already got the right answer (just use one IP
address on the public side), but a bit of explanation about the why
behind it:

  One-to-one static NAT means the NAT device translates an IP address
on one side to a different address on the other side.  Nothing else --
it doesn't keep state.  So you can't put two one-to-one NATs using the
same IP address on the private side, because the NAT device would have
no way of knowing which public IP address a given packet is associated
with.

  If you had to do two public IP addresses with one private IP
address, you would have to do some kind of stateful translation on the
NAT device.  Different implementations call this different things,
such as "dynamic NAT" or "port forwarding" or "NAPT" ("network
address/port translation") or "PAT", etc..  I don't know what Cisco
calls it.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Printer issues

[Angus Scott-Fleming]

On 11 Jun 2010 at 7:45, Matthew W. Ross  wrote:

> As for HP's fall from grace: We still by HP. I would be ecstatic if HP would
> offer a version of their drivers with just the .inf files and _required_
> DLLs. Keep the full functionality bloatware separate, please!

I try to use only HP printers which support Network Installs.  These come for 
the most part without the bloatware.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Vipre sample submission question

[Angus Scott-Fleming]

On 11 Jun 2010 at 11:14, John Leto  wrote:

> Hey all, I was wondering for all of you Vipre users out there when you
> submit a possible malware sample to Sunbelt do you ever receive a response
> back on the submission? I receive a notification e-mail that they received the
> sample but never anything confirming or recognition if the samples submitted
> are malware or not. Again just curious as to what other Vipre users
> experiences are with their sample submissions. Thanks. John Leto 

I get both notification messages and (usually a day or two later) real answers 
back all the time.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Run multliple versions of IE

[Angus Scott-Fleming]

On 14 Jun 2010 at 11:12, Bill Songstad  wrote:

> My webmaster has asked for the ability to run multiple versions of IE (6, 7,
> and 8) on a Windows XP workstation. I found a couple of candidates for
> testing on the interwebs, but is anybody using a solution for this that they
> like and/or recommend? 

I do this using VirtualBox on an XP Pro machine -- I have VBox VMs running 
everything from Windows 2000 Pro/IE5 to Win7/IE8.  Really helps in checking on 
CSS differences.  

VBox is free even for commercial use if your webmaster can install it (VBox) 
him/herself.  Once it's installed on his machine, you could certainly install 
the various flavours of Internet Explorer in separate VMs for him/her.

I have an MSAP subscription so I have Windows OS licenses available for doing 
this.  If your budget doesn't allow this, you might have to use WINE.  IE6 is 
rated GOLD under WINE, so you don't need a Windows license to run it. IE7 and 
IE8/32/XP are rated SILVER, mostly functional.

WineHQ - Internet Explorer
http://appdb.winehq.org/objectManager.php?sClass=application&iId=25



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Java strangeness

[Angus Scott-Fleming]

On 14 Jun 2010 at 13:39, John Aldrich  wrote:

> According to CIT´s Technical Support person, IE is the only supported
> browser. L I may still have the user try FireFox or Chrome, or even IE
> within FireFox. J 

ChromePlus has a built-in IETab feature.  http://chromeplus.org/
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: VSphere Clients at v4

[Damien Solodow]

What you're seeing is the VM hardware version. You need to be running
VMware Tools from ESX 4.x before you upgrade them to v7. 

Here's how:

Shutdown the VM.

Right click and choose "Upgrade Hardware"

Turn on VM

Let Windows detect assorted new hardware

Reboot.

Rejoice.

 

You can actually have Update Manager take care of this for you as
well...

 

From: Stefan Jafs [mailto:stefan.j...@gmail.com] 
Sent: Tuesday, June 15, 2010 2:11 PM
To: NT System Admin Issues
Subject: VSphere Clients at v4

 

I upgraded to VSphere quit a while ago but just today applied all
Critical and Non-critical patches. I notices that "old" VM's still show
v4 after updating the VMware tools, I even tried to remove re--boot and
re-install still v 4. However all "new" VM's show v 7! Should they not
all just be v 7 after update?

 

Should I worry about it or just ignore it? 

-- 
Stefan Jafs

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

VSphere Clients at v4

[Stefan Jafs]

I upgraded to VSphere quit a while ago but just today applied all Critical
and Non-critical patches. I notices that "old" VM's still show v4 after
updating the VMware tools, I even tried to remove re--boot and re-install
still v 4. However all "new" VM's show v 7! Should they not all just be v 7
after update?

Should I worry about it or just ignore it?

-- 
Stefan Jafs

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Ben Scott]

On Tue, Jun 15, 2010 at 1:28 PM, David Lum  wrote:
> +1 for Johnny Dangerously

 "Do you know your last name is an adverb?"

> +1 for Shavlik

  Yah, I haven't used Shavlik NetChk much, but what I did try was
impressive.  I tried the free NetChk Limited package, and it found an
issue that WSUS/WU does not.  I'm still investigating that (in my
copious free time).

  To Microsoft's credit, someone on the patch-management list from
MSFT emailed offering to help on that issue.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Ben Scott]

On Tue, Jun 15, 2010 at 12:15 PM, Phil Brutsche  wrote:
>> And why is a solution like this missing from MS operating systems??
>
> It isn't.

  Comparing MSI/WSUS to RPM/YUM (or dpkg/APT or...) is really missing
a lot.  MSI is a beast to develop for, it's a compatibility nightmare
across releases, MSI packages frequently require an interactive
presence, MSIs vary radically in design, they're a bear to customize,
the post-install management functions are non-existent, WSUS is a
completely different framework vs MSI, I could go on and on and on.

> Third parties who refuse to publish catalogs SCUP can use (like Adobe)
> are as much as fault as anyone else.

  So, basically, practically the entire software industry.

  Microsoft has been working on Windows software installation for a
decade plus, and it's still very hairy, especially if you want to also
support not-the-latest-release-of-Windows.  I can't really blame
third-party developers for (1) resorting to doing their own thing and
(2) not wanting to jump aboard Microsoft's bandwagon when Microsoft
themselves weren't done building it yet (and still may not be).

  Now, a lot of this is due to the "legacy" Microsoft built with
classic Windows, which was completely ad hoc.  The entire Windows
software industry ecosystem is built up around that.  It's way too
late to get it right the first time, so now Microsoft has to come up
with a way to migrate the world's largest installed base to something
more manageable.  That's not going to be quick.  Microsoft is still
responsible, since they built it like that way-back-when, but even
Microsoft can't change the past.  They work in the world they built,
and it's not realistic to expect them to fix it overnight.

  But for those same reasons, expecting the rest of the software
industry to adopt what Microsoft's latest idea quickly is also
unrealistic.

  In contrast, all the current Linux distributions were designed
"right" the right time, with strong package management from day one.
So everything has been and continues to be much smoother on the
package/update management front.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: DISK WIPING TOOL

[Don Guyer]

And if all else fails, use a BFH.

 

J

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com  

 

From: Richard Stovall [mailto:rich...@gmail.com] 
Sent: Tuesday, June 15, 2010 1:23 PM
To: NT System Admin Issues
Subject: Re: DISK WIPING TOOL

 

DoG regs, I would think.

 

(Sorry)

On Tue, Jun 15, 2010 at 1:16 PM, Ben Scott  wrote:

On Tue, Jun 15, 2010 at 12:08 PM,   wrote:
> Perhaps if those who re-wrote the regulations saying that overwrite is
no
> longer sufficient were to receive a couple hundred thousand old hard
drives
> (especially all at once), they might re-consider that regulation.

 ... Is the ASPCA subject to DoD regulations or something?


-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Patch Management - again

[David Lum]

+1 for Johnny Dangerously

+1 for Shavlik
David Lum // SYSTEMS ENGINEER
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764



From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Monday, June 14, 2010 7:42 AM
To: NT System Admin Issues
Subject: Re: Patch Management - again

To paraphrase Danny Vermin: "I automated a kernel upgrade once...ONCE!"



On Mon, Jun 14, 2010 at 10:10 AM, Jeff Cain 
mailto:je...@sunbelt-software.com>> wrote:
Jason,

   For what it's worth, I would not ever automate a kernel upgrade.

Thanks,
Jeff Cain
Technical Support Analyst
Sunbelt Software
Email: supp...@sunbeltsoftware.com
Voice: 1-877-757-4094
Fax:   1-727-562-5199
Web: >
Physical Address:
33 N Garden Ave
Suite 1200
Clearwater, FL  33755
United States

If you do not want further email from us, please forward
this message to 
listmana...@sunbelt-software.com with
the word 'unsubscribe' in the subject of your email.

Helpful Sunbelt Software Links:

Knowledge Base
Open a New Support Ticket
Sunbelt Software Product Support Communities


-Original Message-
From: Jason Gauthier [mailto:jgauth...@lastar.com]
Sent: Monday, June 14, 2010 9:49 AM
To: NT System Admin Issues
Subject: RE: Patch Management - again

Except that doesn't upgrade the kernel or any other OS libraries.  It's not 
full patch management.


-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Saturday, June 12, 2010 8:58 PM
To: NT System Admin Issues
Subject: Re: Patch Management - again

'portupgrade -a'

FreeBSD is ridiculously easy to maintain.

And, for monitoring programs installed from ports, there's portaudit, which 
sends a daily email.

Kurt

On Fri, Jun 11, 2010 at 12:59, Alex Eckelberry 
mailto:al...@sunbelt-software.com>> wrote:
>>  WSUS.
>
> What do you do about non-Windows patching?
>
> Alex
>
>
> -Original Message-
> From: Ben Scott [mailto:mailvor...@gmail.com]
> Sent: Thursday, June 10, 2010 11:30 AM
> To: NT System Admin Issues
> Subject: Re: Patch Management - again
>
> On Thu, Jun 10, 2010 at 11:17 AM, Joseph Heaton 
> mailto:jhea...@dfg.ca.gov>> wrote:
>> What are you guys using for automating patch management for your servers?
>
>  WSUS.
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ 
  ~
..
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~






~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Richard Stovall]

DoG regs, I would think.

(Sorry)

On Tue, Jun 15, 2010 at 1:16 PM, Ben Scott  wrote:

> On Tue, Jun 15, 2010 at 12:08 PM,   wrote:
> > Perhaps if those who re-wrote the regulations saying that overwrite is no
> > longer sufficient were to receive a couple hundred thousand old hard
> drives
> > (especially all at once), they might re-consider that regulation.
>
>  ... Is the ASPCA subject to DoD regulations or something?
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Virtualisation structural question

[Ben Scott]

On Tue, Jun 15, 2010 at 9:18 AM, John Cook  wrote:
> And if you’re a non profit Datacenter is a no brainer. A single
> cpu of DC edition for us is under (don’t hate me…) $400!

  [blank stare]

  [splutter]

  [goes cross-eyed]

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: DISK WIPING TOOL

[Crawford, Scott]

Tu es un drôle de gars.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 12:13 PM
To: NT System Admin Issues
Subject: Re: DISK WIPING TOOL

On Tue, Jun 15, 2010 at 12:10 PM, John Aldrich
 wrote:
> I think you meant /dev/zero, not "/zev/zero" :-)

  Uhhh... my Linux box has a French accent.  ;-)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Ben Scott]

On Tue, Jun 15, 2010 at 12:08 PM,   wrote:
> Perhaps if those who re-wrote the regulations saying that overwrite is no
> longer sufficient were to receive a couple hundred thousand old hard drives
> (especially all at once), they might re-consider that regulation.

  ... Is the ASPCA subject to DoD regulations or something?

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: DISK WIPING TOOL - Thanks

[Haralson, Joe (GE Comm Fin, non-GE)]

Thanks to everyone for there response. 
 
Joe Haralson

Network Infrastructure Team

GE - Rail Services

160 N. Clark

Chicago, Il 60601

Office: (312) 853-5014

( DC: : *8 750-5014

( Cell: : (312)590-0048

* e-Mail: joe.haral...@ge.com 

THIS E-MAIL IS INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY TO
WHICH IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED,
CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. IF THE
READER OF THIS MESSAGE IS NOT THE INTENDED RECIPIENT, OR THE EMPLOYEE OR
AGENT RESPONSIBLE FOR DELIVERING THE MESSAGE TO THE INTENDED RECIPIENT,
YOU ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, DISTRIBUTION OR COPYING
OF THIS COMMUNICATION IS STRICTLY PROHIBITED. ANY INADVERTENT RECEIPT BY
YOU OF SUCH CONFIDENTIAL INFORMATION IS NOT INTENDED TO CONSTITUTE A
WAIVER OF ANY PRIVILEGE. IF YOU HAVE RECEIVED THIS COMMUNICATION IN
ERROR, PLEASE NOTIFY US IMMEDIATELY BY TELEPHONE, AND DELETE THE
ORIGINAL MESSAGE FROM YOUR COMPUTER. THANK YOU.

 
 



From: Jonathan Link [mailto:jonathan.l...@gmail.com] 
Sent: Tuesday, June 15, 2010 11:01 AM
To: NT System Admin Issues
Subject: Re: DISK WIPING TOOL


If the speed of the CD boot is getting to you, transfer it to a USB
flash memory device, and boot from that.  I do that for UBCD4Win, whic
has DBAN on it.


On Tue, Jun 15, 2010 at 11:56 AM, S Powell  wrote:


There are a whole slew of security reasons why you'll not find
one
that you can run remotely, or not boot from the CD.

we use the native Disk Utility in OS X, just pull the HD and
plug it
in using a USB to IDE/SATA connector.

but hey, If you do find one that you can run remotely please let
us know.


Google.com  Learn it. Live it. Love it.



On Tue, Jun 15, 2010 at 08:40, Haralson, Joe (GE Comm Fin,
non-GE)

 wrote:
> Not looking to leave DBAN. Looking at options. I also have a
need for a
> tool that can be used remotely. I would like to clean Data
drive and not
> have to boot from cd.
>
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Tuesday, June 15, 2010 10:12 AM
> To: NT System Admin Issues
> Subject: Re: DISK WIPING TOOL
>
> Why the interest in leaving DBAN?  It is what I've used for
years
>
 "Haralson, Joe (GE Comm Fin, non-GE)" 
 6/15/2010 8:06 AM >>>
> Does anyone have a good Disk cleaning free tool? I currently
use DBAN
> but was exploring other options.
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource
hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource
hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource
hog! ~
> ~ 
~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog!
~
~   ~




 

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Ben Scott]

On Tue, Jun 15, 2010 at 12:10 PM, John Aldrich
 wrote:
> I think you meant /dev/zero, not "/zev/zero" :-)

  Uhhh... my Linux box has a French accent.  ;-)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Cisco ASA Question/IIS Question

[Erik Goldoff]

+1 on SSL needs

On Tue, Jun 15, 2010 at 1:10 PM, Richard Stovall  wrote:

> The only caveat I can think of is if you ever need to do SSL on more than
> one of the sites.  You'll need different IPs in this case since the host
> header is encrypted.  You can solve the translation problem by adding a
> second internal IP to the server.
>
>
> On Tue, Jun 15, 2010 at 11:42 AM, Kennedy, Jim <
> kennedy...@elyriaschools.org> wrote:
>
>>  Yep, it will work exactly like your internal host header set up.
>>
>>
>>
>>
>>
>>
>>
>> *From:* Chyka, Robert [mailto:bch...@medaille.edu]
>> *Sent:* Tuesday, June 15, 2010 11:41 AM
>>
>> *To:* NT System Admin Issues
>> *Subject:* RE: Cisco ASA Question/IIS Question
>>
>>
>>
>> Hi Jim,
>>
>>
>>
>> So I would just need 1 nat translation on the asa with port 80 open and 2
>> entries with our public dns server with 2 different hostnames pointing to
>> the same public ip and then the headers will function fine?
>>
>>
>>
>>
>>
>>
>>
>> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
>> *Sent:* Tuesday, June 15, 2010 11:38 AM
>> *To:* NT System Admin Issues
>> *Subject:* RE: Cisco ASA Question/IIS Question
>>
>>
>>
>> That would work. However I would just use the same IP for both publically
>> and let the host header take care of it.
>>
>>
>>
>>
>>
>>
>>
>> *From:* Candee Vaglica [mailto:can...@gmail.com]
>> *Sent:* Tuesday, June 15, 2010 11:35 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: Cisco ASA Question/IIS Question
>>
>>
>>
>> I *think* you would need a second public IP address. then you would do a
>> one to one with the second public server and the internal website.
>>
>> On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
>> wrote:
>>
>> Ok here my scenario:
>>
>>
>>
>> I have 2 websites on a Windows Server 2008 box with IIS7.  We are using
>> one IP address for both sites using host headers.  On our internal AD DNS we
>> have an entry in for both hostnames pointing to the same IP address (A
>> records).  For our first site we have a one-to-one NAT translation on our
>> ASA with port 80 open on the ACL.
>>
>>
>>
>> My question is:  How do I do another one to one NAT translation with a
>> different public IP address so I can register both sites with our public DNS
>> provider?  We want to be able to have 2 different public ips translated out
>> from the 2 websites.
>>
>>
>>
>> Thanks for the help and input.
>>
>>
>>
>> BOb
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Cisco ASA Question/IIS Question

[Richard Stovall]

The only caveat I can think of is if you ever need to do SSL on more than
one of the sites.  You'll need different IPs in this case since the host
header is encrypted.  You can solve the translation problem by adding a
second internal IP to the server.

On Tue, Jun 15, 2010 at 11:42 AM, Kennedy, Jim  wrote:

> Yep, it will work exactly like your internal host header set up.
>
>
>
>
>
>
>
> *From:* Chyka, Robert [mailto:bch...@medaille.edu]
> *Sent:* Tuesday, June 15, 2010 11:41 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Cisco ASA Question/IIS Question
>
>
>
> Hi Jim,
>
>
>
> So I would just need 1 nat translation on the asa with port 80 open and 2
> entries with our public dns server with 2 different hostnames pointing to
> the same public ip and then the headers will function fine?
>
>
>
>
>
>
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Sent:* Tuesday, June 15, 2010 11:38 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Cisco ASA Question/IIS Question
>
>
>
> That would work. However I would just use the same IP for both publically
> and let the host header take care of it.
>
>
>
>
>
>
>
> *From:* Candee Vaglica [mailto:can...@gmail.com]
> *Sent:* Tuesday, June 15, 2010 11:35 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Cisco ASA Question/IIS Question
>
>
>
> I *think* you would need a second public IP address. then you would do a
> one to one with the second public server and the internal website.
>
> On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
> wrote:
>
> Ok here my scenario:
>
>
>
> I have 2 websites on a Windows Server 2008 box with IIS7.  We are using one
> IP address for both sites using host headers.  On our internal AD DNS we
> have an entry in for both hostnames pointing to the same IP address (A
> records).  For our first site we have a one-to-one NAT translation on our
> ASA with port 80 open on the ACL.
>
>
>
> My question is:  How do I do another one to one NAT translation with a
> different public IP address so I can register both sites with our public DNS
> provider?  We want to be able to have 2 different public ips translated out
> from the 2 websites.
>
>
>
> Thanks for the help and input.
>
>
>
> BOb
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Jonathan Link]

If the speed of the CD boot is getting to you, transfer it to a USB flash
memory device, and boot from that.  I do that for UBCD4Win, whic has DBAN on
it.

On Tue, Jun 15, 2010 at 11:56 AM, S Powell  wrote:

> There are a whole slew of security reasons why you'll not find one
> that you can run remotely, or not boot from the CD.
>
> we use the native Disk Utility in OS X, just pull the HD and plug it
> in using a USB to IDE/SATA connector.
>
> but hey, If you do find one that you can run remotely please let us know.
>
>
> Google.com  Learn it. Live it. Love it.
>
>
>
> On Tue, Jun 15, 2010 at 08:40, Haralson, Joe (GE Comm Fin, non-GE)
>   wrote:
> > Not looking to leave DBAN. Looking at options. I also have a need for a
> > tool that can be used remotely. I would like to clean Data drive and not
> > have to boot from cd.
> >
> >
> > Joe Haralson
> >
> > Network Infrastructure Team
> >
> >
> > -Original Message-
> > From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> > Sent: Tuesday, June 15, 2010 10:12 AM
> > To: NT System Admin Issues
> > Subject: Re: DISK WIPING TOOL
> >
> > Why the interest in leaving DBAN?  It is what I've used for years
> >
>  "Haralson, Joe (GE Comm Fin, non-GE)" 
>  6/15/2010 8:06 AM >>>
> > Does anyone have a good Disk cleaning free tool? I currently use DBAN
> > but was exploring other options.
> >
> > Joe Haralson
> >
> > Network Infrastructure Team
> >
> >
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> >   ~
> >
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
> >   ~
> >
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~   ~
> >
> >
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Patch Management - again

[Phil Brutsche]

It isn't.

The WSUS engine is more than capable of distributing and automatically
installing third-party updates - it's what's used in products like
System Center Essentials for the task - and MS created System Center
Updates Publisher (aka SCUP) so that admins can add the updates.

Third parties who refuse to publish catalogs SCUP can use (like Adobe)
are as much as fault as anyone else.

SCUP links:
http://technet.microsoft.com/en-us/library/bb531022.aspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=0446cce9-94a4-4fb0-b335-e7516044063d&displaylang=en

On 6/15/2010 11:06 AM, Alan Davies wrote:
> And why is a solution like this missing from MS operating systems??

-- 

Phil Brutsche
p...@optimumdata.com

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Patch Management - again

[Rod Trent]

Speaking of Secunia...webinar on now...

http://secunia.com/vulnerability_scanning/corporate/webinars/ 

-Original Message-
From: Alan Davies [mailto:adav...@cls-services.com] 
Sent: Tuesday, June 15, 2010 12:07 PM
To: NT System Admin Issues
Subject: RE: Patch Management - again

And why is a solution like this missing from MS operating systems??
Well, because vendors with their own commercial interests (ie. spend as
little as possible and agree on nothing with competitors) don't play well.
If there were an open platform for "plugging" into a patch-updating type
API, and all vendors were forced/coerced into using it, the world would be a
better place.  Well .. a bit anyway ;)

Secunia PSI does a great job at telling you what you need, we just need
something that translates that with vendor supported methods of actually
scheduling and installing the damn updates! :(

With Open Source .. people *usually* want to do the right thing.
Different world.



a

P.S.  Shavlik, Altiris, and a hundred other 3rd party solutions do non-MS
patch release on the Windows platform in the enterprise.  You just have to
invest in hosting it, learning how to use it, deploying it, testing with it
and integrating it into your change control procedures ...

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu]
Sent: 11 June 2010 23:51
To: NT System Admin Issues
Subject: RE: Patch Management - again

Thanks very much for this. It's exactly the kind of info I was looking for.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com]
Sent: Friday, June 11, 2010 5:26 PM
To: NT System Admin Issues
Subject: Re: Patch Management - again

On Fri, Jun 11, 2010 at 5:37 PM, Crawford, Scott 
wrote:
>>  Our only non-Windows computers are running Linux, and Linux makes 
>> patch management ridiculously easy.
>
> I'm sure there's countless places I could find this information, but 
> could you elaborate on that statement a bit?



WARNING:
The information in this email and any attachments is confidential and may be
legally privileged.

If you are not the named addressee, you must not use, copy or disclose this
email (including any attachments) or the information in it save to the named
addressee nor take any action in reliance on it. If you receive this email
or any attachments in error, please notify the sender immediately and then
delete the same and any copies.

"CLS Services Ltd × Registered in England No 4132704 × Registered Office:
Exchange Tower × One Harbour Exchange Square × London E14 9GE"



~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
  ~




~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: DISK WIPING TOOL

[John Aldrich]

I think you meant /dev/zero, not "/zev/zero" :-)



-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Tuesday, June 15, 2010 12:06 PM
To: NT System Admin Issues
Subject: Re: DISK WIPING TOOL

On Tue, Jun 15, 2010 at 11:56 AM, S Powell  wrote:
> There are a whole slew of security reasons why you'll not find one
> that you can run remotely, or not boot from the CD.

  You can certainly do raw disk overwrites remotely on Unix/Linux
(including the Unixy part of Mac OS X).

  This will do a write zeros to every block (single-pass) on the first disk:

dd if=/zev/zero of=/dev/sda

  This will do a multi-pass overwrite with sophisticated patterns
and/or random bytes (assuming you have the GNU toolset installed):

shred /dev/sda

  It helps that "remote" vs "local" is a lot more transparent on *nix
vs Windows, but there's still no technical reason I know of why
Windows shouldn't be able to do a similar thing remotely, for
non-system disks.  You'd prolly need a special utility to write the
disk directly, but it should be doable.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[RichardMcClary]

Perhaps if those who re-wrote the regulations saying that overwrite is no 
longer sufficient were to receive a couple hundred thousand old hard 
drives (especially all at once), they might re-consider that regulation.

--
Richard D. McClary
Systems Administrator, Information Technology Group 
ASPCA®
 

Ben Scott  wrote on 06/15/2010 10:59:57 AM:

[snip]
>   It doesn't do any "fancy" overwrite patterns, but I'm not sure those
> really matter anymore.  Government agencies say overwrite is no longer
> sufficient, so if you're *that* worried overwrite won't help, and if
> you're not that worried writing zeros is prolly good enough.
> 
>   However, the writing zeros part is broken in at least Win 2003 and
> Win XP 64-bit.See MSKB 952630 for details and the hotfix.  No
> mention of other releases, so I guess they are not broken (?).
> 
> http://support.microsoft.com/kb/952630
> 
>   (How do you screw up writing zeros until EOF?  Sometimes I think
> Microsoft couldn't fall out of bed without needing to install a
> Service Pack and a patch first.)
> 
> -- Ben
> 
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
> 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Patch Management - again

[Alan Davies]

And why is a solution like this missing from MS operating systems??
Well, because vendors with their own commercial interests (ie. spend as
little as possible and agree on nothing with competitors) don't play
well.  If there were an open platform for "plugging" into a
patch-updating type API, and all vendors were forced/coerced into using
it, the world would be a better place.  Well .. a bit anyway ;)

Secunia PSI does a great job at telling you what you need, we just need
something that translates that with vendor supported methods of actually
scheduling and installing the damn updates! :(

With Open Source .. people *usually* want to do the right thing.
Different world.



a

P.S.  Shavlik, Altiris, and a hundred other 3rd party solutions do
non-MS patch release on the Windows platform in the enterprise.  You
just have to invest in hosting it, learning how to use it, deploying it,
testing with it and integrating it into your change control procedures
...

-Original Message-
From: Crawford, Scott [mailto:crawfo...@evangel.edu] 
Sent: 11 June 2010 23:51
To: NT System Admin Issues
Subject: RE: Patch Management - again

Thanks very much for this. It's exactly the kind of info I was looking
for.

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Friday, June 11, 2010 5:26 PM
To: NT System Admin Issues
Subject: Re: Patch Management - again

On Fri, Jun 11, 2010 at 5:37 PM, Crawford, Scott 
wrote:
>>  Our only non-Windows computers are running Linux, and Linux makes
>> patch management ridiculously easy.
>
> I'm sure there's countless places I could find this information, but
> could you elaborate on that statement a bit?


WARNING:
The information in this email and any attachments is confidential and may be 
legally privileged.

If you are not the named addressee, you must not use, copy or disclose this 
email (including any attachments) or the information in it save to the named 
addressee nor take any action in reliance on it. If you receive this email or 
any attachments in error, please notify the sender immediately and then delete 
the same and any copies.

"CLS Services Ltd × Registered in England No 4132704 × Registered Office: 
Exchange Tower × One Harbour Exchange Square × London E14 9GE"



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Ben Scott]

On Tue, Jun 15, 2010 at 11:56 AM, S Powell  wrote:
> There are a whole slew of security reasons why you'll not find one
> that you can run remotely, or not boot from the CD.

  You can certainly do raw disk overwrites remotely on Unix/Linux
(including the Unixy part of Mac OS X).

  This will do a write zeros to every block (single-pass) on the first disk:

dd if=/zev/zero of=/dev/sda

  This will do a multi-pass overwrite with sophisticated patterns
and/or random bytes (assuming you have the GNU toolset installed):

shred /dev/sda

  It helps that "remote" vs "local" is a lot more transparent on *nix
vs Windows, but there's still no technical reason I know of why
Windows shouldn't be able to do a similar thing remotely, for
non-system disks.  You'd prolly need a special utility to write the
disk directly, but it should be doable.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Ben Scott]

On Tue, Jun 15, 2010 at 11:06 AM, Haralson, Joe (GE Comm Fin, non-GE)
 wrote:
> Does anyone have a good Disk cleaning free tool? I currently use DBAN but
> was exploring other options.

  DISKPART has a "CLEAN ALL" command which writes zeros to every block
on the disk.  The chief advantages of this are (1) it's free, (2) it's
simple, and (3) it doesn't need a separate boot.

  It doesn't do any "fancy" overwrite patterns, but I'm not sure those
really matter anymore.  Government agencies say overwrite is no longer
sufficient, so if you're *that* worried overwrite won't help, and if
you're not that worried writing zeros is prolly good enough.

  However, the writing zeros part is broken in at least Win 2003 and
Win XP 64-bit.See MSKB 952630 for details and the hotfix.  No
mention of other releases, so I guess they are not broken (?).

http://support.microsoft.com/kb/952630

  (How do you screw up writing zeros until EOF?  Sometimes I think
Microsoft couldn't fall out of bed without needing to install a
Service Pack and a patch first.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[S Powell]

There are a whole slew of security reasons why you'll not find one
that you can run remotely, or not boot from the CD.

we use the native Disk Utility in OS X, just pull the HD and plug it
in using a USB to IDE/SATA connector.

but hey, If you do find one that you can run remotely please let us know.


Google.com  Learn it. Live it. Love it.



On Tue, Jun 15, 2010 at 08:40, Haralson, Joe (GE Comm Fin, non-GE)
 wrote:
> Not looking to leave DBAN. Looking at options. I also have a need for a
> tool that can be used remotely. I would like to clean Data drive and not
> have to boot from cd.
>
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Tuesday, June 15, 2010 10:12 AM
> To: NT System Admin Issues
> Subject: Re: DISK WIPING TOOL
>
> Why the interest in leaving DBAN?  It is what I've used for years
>
 "Haralson, Joe (GE Comm Fin, non-GE)" 
 6/15/2010 8:06 AM >>>
> Does anyone have a good Disk cleaning free tool? I currently use DBAN
> but was exploring other options.
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Erik Goldoff]

I suppose you could use something like eraser at the file system level, but
it would take much longer for an entire drive ( I use that for folders/files
though )

On Tue, Jun 15, 2010 at 11:40 AM, Haralson, Joe (GE Comm Fin, non-GE) <
joe.haral...@ge.com> wrote:

> Not looking to leave DBAN. Looking at options. I also have a need for a
> tool that can be used remotely. I would like to clean Data drive and not
> have to boot from cd.
>
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
> -Original Message-
> From: Joseph Heaton [mailto:jhea...@dfg.ca.gov]
> Sent: Tuesday, June 15, 2010 10:12 AM
> To: NT System Admin Issues
> Subject: Re: DISK WIPING TOOL
>
> Why the interest in leaving DBAN?  It is what I've used for years
>
> >>> "Haralson, Joe (GE Comm Fin, non-GE)" 
> >>> 6/15/2010 8:06 AM >>>
> Does anyone have a good Disk cleaning free tool? I currently use DBAN
> but was exploring other options.
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
>
>  ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>   ~
>
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Cisco ASA Question/IIS Question

[Erik Goldoff]

+1

use same IPs for public like you do internal, let host header mechanism sort
it out at the IIS server level.

On Tue, Jun 15, 2010 at 11:42 AM, Kennedy, Jim  wrote:

>  Yep, it will work exactly like your internal host header set up.
>
>
>
>
>
>
>
> *From:* Chyka, Robert [mailto:bch...@medaille.edu]
> *Sent:* Tuesday, June 15, 2010 11:41 AM
>
> *To:* NT System Admin Issues
> *Subject:* RE: Cisco ASA Question/IIS Question
>
>
>
> Hi Jim,
>
>
>
> So I would just need 1 nat translation on the asa with port 80 open and 2
> entries with our public dns server with 2 different hostnames pointing to
> the same public ip and then the headers will function fine?
>
>
>
>
>
>
>
> *From:* Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
> *Sent:* Tuesday, June 15, 2010 11:38 AM
> *To:* NT System Admin Issues
> *Subject:* RE: Cisco ASA Question/IIS Question
>
>
>
> That would work. However I would just use the same IP for both publically
> and let the host header take care of it.
>
>
>
>
>
>
>
> *From:* Candee Vaglica [mailto:can...@gmail.com]
> *Sent:* Tuesday, June 15, 2010 11:35 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Cisco ASA Question/IIS Question
>
>
>
> I *think* you would need a second public IP address. then you would do a
> one to one with the second public server and the internal website.
>
> On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
> wrote:
>
> Ok here my scenario:
>
>
>
> I have 2 websites on a Windows Server 2008 box with IIS7.  We are using one
> IP address for both sites using host headers.  On our internal AD DNS we
> have an entry in for both hostnames pointing to the same IP address (A
> records).  For our first site we have a one-to-one NAT translation on our
> ASA with port 80 open on the ACL.
>
>
>
> My question is:  How do I do another one to one NAT translation with a
> different public IP address so I can register both sites with our public DNS
> provider?  We want to be able to have 2 different public ips translated out
> from the 2 websites.
>
>
>
> Thanks for the help and input.
>
>
>
> BOb
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Cisco ASA Question/IIS Question

[Chyka, Robert]

Nice.  I will give that a shot.

 

Thanks..

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Tuesday, June 15, 2010 11:42 AM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question/IIS Question

 

Yep, it will work exactly like your internal host header set up.

 

 

 

From: Chyka, Robert [mailto:bch...@medaille.edu] 
Sent: Tuesday, June 15, 2010 11:41 AM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question/IIS Question

 

Hi Jim,

 

So I would just need 1 nat translation on the asa with port 80 open and
2 entries with our public dns server with 2 different hostnames pointing
to the same public ip and then the headers will function fine?

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Tuesday, June 15, 2010 11:38 AM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question/IIS Question

 

That would work. However I would just use the same IP for both
publically and let the host header take care of it.

 

 

 

From: Candee Vaglica [mailto:can...@gmail.com] 
Sent: Tuesday, June 15, 2010 11:35 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question/IIS Question

 

I *think* you would need a second public IP address. then you would do a
one to one with the second public server and the internal website.

On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
wrote:

Ok here my scenario:

 

I have 2 websites on a Windows Server 2008 box with IIS7.  We are using
one IP address for both sites using host headers.  On our internal AD
DNS we have an entry in for both hostnames pointing to the same IP
address (A records).  For our first site we have a one-to-one NAT
translation on our ASA with port 80 open on the ACL.

 

My question is:  How do I do another one to one NAT translation with a
different public IP address so I can register both sites with our public
DNS provider?  We want to be able to have 2 different public ips
translated out from the 2 websites.

 

Thanks for the help and input.

 

BOb  

 

 

 

 

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Cisco ASA Question/IIS Question

[Kennedy, Jim]

Yep, it will work exactly like your internal host header set up.



From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Tuesday, June 15, 2010 11:41 AM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question/IIS Question

Hi Jim,

So I would just need 1 nat translation on the asa with port 80 open and 2 
entries with our public dns server with 2 different hostnames pointing to the 
same public ip and then the headers will function fine?



From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org]
Sent: Tuesday, June 15, 2010 11:38 AM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question/IIS Question

That would work. However I would just use the same IP for both publically and 
let the host header take care of it.



From: Candee Vaglica [mailto:can...@gmail.com]
Sent: Tuesday, June 15, 2010 11:35 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question/IIS Question

I *think* you would need a second public IP address. then you would do a one to 
one with the second public server and the internal website.
On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
mailto:bch...@medaille.edu>> wrote:
Ok here my scenario:

I have 2 websites on a Windows Server 2008 box with IIS7.  We are using one IP 
address for both sites using host headers.  On our internal AD DNS we have an 
entry in for both hostnames pointing to the same IP address (A records).  For 
our first site we have a one-to-one NAT translation on our ASA with port 80 
open on the ACL.

My question is:  How do I do another one to one NAT translation with a 
different public IP address so I can register both sites with our public DNS 
provider?  We want to be able to have 2 different public ips translated out 
from the 2 websites.

Thanks for the help and input.

BOb


















~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: DISK WIPING TOOL

[Haralson, Joe (GE Comm Fin, non-GE)]

Not looking to leave DBAN. Looking at options. I also have a need for a
tool that can be used remotely. I would like to clean Data drive and not
have to boot from cd. 


Joe Haralson

Network Infrastructure Team


-Original Message-
From: Joseph Heaton [mailto:jhea...@dfg.ca.gov] 
Sent: Tuesday, June 15, 2010 10:12 AM
To: NT System Admin Issues
Subject: Re: DISK WIPING TOOL

Why the interest in leaving DBAN?  It is what I've used for years

>>> "Haralson, Joe (GE Comm Fin, non-GE)"  
>>> 6/15/2010 8:06 AM >>>
Does anyone have a good Disk cleaning free tool? I currently use DBAN
but was exploring other options. 
 
Joe Haralson

Network Infrastructure Team

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
  ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Cisco ASA Question/IIS Question

[Chyka, Robert]

Hi Jim,

 

So I would just need 1 nat translation on the asa with port 80 open and
2 entries with our public dns server with 2 different hostnames pointing
to the same public ip and then the headers will function fine?

 

 

 

From: Kennedy, Jim [mailto:kennedy...@elyriaschools.org] 
Sent: Tuesday, June 15, 2010 11:38 AM
To: NT System Admin Issues
Subject: RE: Cisco ASA Question/IIS Question

 

That would work. However I would just use the same IP for both
publically and let the host header take care of it.

 

 

 

From: Candee Vaglica [mailto:can...@gmail.com] 
Sent: Tuesday, June 15, 2010 11:35 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question/IIS Question

 

I *think* you would need a second public IP address. then you would do a
one to one with the second public server and the internal website.

On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
wrote:

Ok here my scenario:

 

I have 2 websites on a Windows Server 2008 box with IIS7.  We are using
one IP address for both sites using host headers.  On our internal AD
DNS we have an entry in for both hostnames pointing to the same IP
address (A records).  For our first site we have a one-to-one NAT
translation on our ASA with port 80 open on the ACL.

 

My question is:  How do I do another one to one NAT translation with a
different public IP address so I can register both sites with our public
DNS provider?  We want to be able to have 2 different public ips
translated out from the 2 websites.

 

Thanks for the help and input.

 

BOb  

 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Cisco ASA Question/IIS Question

[Kennedy, Jim]

That would work. However I would just use the same IP for both publically and 
let the host header take care of it.



From: Candee Vaglica [mailto:can...@gmail.com]
Sent: Tuesday, June 15, 2010 11:35 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question/IIS Question

I *think* you would need a second public IP address. then you would do a one to 
one with the second public server and the internal website.
On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
mailto:bch...@medaille.edu>> wrote:
Ok here my scenario:

I have 2 websites on a Windows Server 2008 box with IIS7.  We are using one IP 
address for both sites using host headers.  On our internal AD DNS we have an 
entry in for both hostnames pointing to the same IP address (A records).  For 
our first site we have a one-to-one NAT translation on our ASA with port 80 
open on the ACL.

My question is:  How do I do another one to one NAT translation with a 
different public IP address so I can register both sites with our public DNS 
provider?  We want to be able to have 2 different public ips translated out 
from the 2 websites.

Thanks for the help and input.

BOb










~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Cisco ASA Question/IIS Question

[Chyka, Robert]

I have a 2nd public ip address but when I do the nat translation on the
ASA it tells me the internal ip is already assigned to a translation..
(which it is due to 2 sites on 1 ip using the host headers)

 

From: Candee Vaglica [mailto:can...@gmail.com] 
Sent: Tuesday, June 15, 2010 11:35 AM
To: NT System Admin Issues
Subject: Re: Cisco ASA Question/IIS Question

 

I *think* you would need a second public IP address. then you would do a
one to one with the second public server and the internal website.

On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert 
wrote:

Ok here my scenario:

 

I have 2 websites on a Windows Server 2008 box with IIS7.  We are using
one IP address for both sites using host headers.  On our internal AD
DNS we have an entry in for both hostnames pointing to the same IP
address (A records).  For our first site we have a one-to-one NAT
translation on our ASA with port 80 open on the ACL.

 

My question is:  How do I do another one to one NAT translation with a
different public IP address so I can register both sites with our public
DNS provider?  We want to be able to have 2 different public ips
translated out from the 2 websites.

 

Thanks for the help and input.

 

BOb  

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Cisco ASA Question/IIS Question

[Candee Vaglica]

I *think* you would need a second public IP address. then you would do a one
to one with the second public server and the internal website.

On Tue, Jun 15, 2010 at 11:09 AM, Chyka, Robert  wrote:

>  Ok here my scenario:
>
>
>
> I have 2 websites on a Windows Server 2008 box with IIS7.  We are using one
> IP address for both sites using host headers.  On our internal AD DNS we
> have an entry in for both hostnames pointing to the same IP address (A
> records).  For our first site we have a one-to-one NAT translation on our
> ASA with port 80 open on the ACL.
>
>
>
> My question is:  How do I do another one to one NAT translation with a
> different public IP address so I can register both sites with our public DNS
> provider?  We want to be able to have 2 different public ips translated out
> from the 2 websites.
>
>
>
> Thanks for the help and input.
>
>
>
> BOb
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: DISK WIPING TOOL

[Haralson, Joe (GE Comm Fin, non-GE)]

Seeking input. I just want to make sure I'm not missing out on better
tool.
 
Joe Haralson

Network Infrastructure Team

GE - Rail Services

160 N. Clark

Chicago, Il 60601

Office: (312) 853-5014

( DC: : *8 750-5014

( Cell: : (312)590-0048

* e-Mail: joe.haral...@ge.com 

THIS E-MAIL IS INTENDED ONLY FOR THE USE OF THE INDIVIDUAL OR ENTITY TO
WHICH IT IS ADDRESSED AND MAY CONTAIN INFORMATION THAT IS PRIVILEGED,
CONFIDENTIAL AND EXEMPT FROM DISCLOSURE UNDER APPLICABLE LAW. IF THE
READER OF THIS MESSAGE IS NOT THE INTENDED RECIPIENT, OR THE EMPLOYEE OR
AGENT RESPONSIBLE FOR DELIVERING THE MESSAGE TO THE INTENDED RECIPIENT,
YOU ARE HEREBY NOTIFIED THAT ANY DISSEMINATION, DISTRIBUTION OR COPYING
OF THIS COMMUNICATION IS STRICTLY PROHIBITED. ANY INADVERTENT RECEIPT BY
YOU OF SUCH CONFIDENTIAL INFORMATION IS NOT INTENDED TO CONSTITUTE A
WAIVER OF ANY PRIVILEGE. IF YOU HAVE RECEIVED THIS COMMUNICATION IN
ERROR, PLEASE NOTIFY US IMMEDIATELY BY TELEPHONE, AND DELETE THE
ORIGINAL MESSAGE FROM YOUR COMPUTER. THANK YOU.

 
 



From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Tuesday, June 15, 2010 10:11 AM
To: NT System Admin Issues
Subject: Re: DISK WIPING TOOL


I've been using dban too ... anything particular that dissatisfies you
about DBAN or you just seeking input ?


On Tue, Jun 15, 2010 at 11:06 AM, Haralson, Joe (GE Comm Fin, non-GE)
 wrote:


Does anyone have a good Disk cleaning free tool? I currently use
DBAN but was exploring other options. 
 

Joe Haralson

Network Infrastructure Team

 

 


 






 

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Joseph Heaton]

Why the interest in leaving DBAN?  It is what I've used for years

>>> "Haralson, Joe (GE Comm Fin, non-GE)"  6/15/2010 8:06 
>>> AM >>>
Does anyone have a good Disk cleaning free tool? I currently use DBAN
but was exploring other options. 
 
Joe Haralson

Network Infrastructure Team

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[Erik Goldoff]

I've been using dban too ... anything particular that dissatisfies you about
DBAN or you just seeking input ?

On Tue, Jun 15, 2010 at 11:06 AM, Haralson, Joe (GE Comm Fin, non-GE) <
joe.haral...@ge.com> wrote:

>  Does anyone have a good Disk cleaning free tool? I currently use DBAN but
> was exploring other options.
>
>
> Joe Haralson
>
> Network Infrastructure Team
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Cisco ASA Question/IIS Question

[Chyka, Robert]

Ok here my scenario:

 

I have 2 websites on a Windows Server 2008 box with IIS7.  We are using
one IP address for both sites using host headers.  On our internal AD
DNS we have an entry in for both hostnames pointing to the same IP
address (A records).  For our first site we have a one-to-one NAT
translation on our ASA with port 80 open on the ACL.

 

My question is:  How do I do another one to one NAT translation with a
different public IP address so I can register both sites with our public
DNS provider?  We want to be able to have 2 different public ips
translated out from the 2 websites.

 

Thanks for the help and input.

 

BOb  


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: DISK WIPING TOOL

[tony patton]

There is a free version of KillDisk as far as I can remember, but I'd 
probably stick with DBAN.

Regards

Tony Patton
Desktop Operations Cavan
Ext 8078
Direct Dial 049 435 2878
email: tony.pat...@quinn-insurance.com



From:   "Haralson, Joe (GE Comm Fin, non-GE)" 
To: "NT System Admin Issues" 
Date:   15/06/2010 16:07
Subject:DISK WIPING TOOL



Does anyone have a good Disk cleaning free tool? I currently use DBAN but 
was exploring other options. 
 
Joe Haralson
Network Infrastructure Team
 
 
 
This e-mail is intended only for the addressee named above. The contents should 
not be copied nor disclosed to any other person. Any views or opinions 
expressed are solely those of the sender and do not necessarily represent those 
of QUINN-Insurance Limited (Under Administration), unless otherwise
specifically stated . As internet communications are not secure,
QUINN-Insurance Limited (Under Administration) is not responsible for the 
contents of this message nor
responsible for any change made to this message after it was sent by the 
original sender. Although virus scanning is used on all inbound and outbound 
e-mail, we advise you to carry out your own virus check before opening any 
attachment. We cannot accept liability for any damage sustained as a result of 
any software viruses.



QUINN-Insurance Limited (Under Administration) is regulated by the Financial 
Regulator and
regulated by the Financial Services Authority for the conduct of UK
business.



QUINN-Insurance Limited (Under Administration) is registered in Ireland, 
registration number
240768 and is a private company limited by shares. 
Its head office is at Dublin Road, Cavan, Co. Cavan.




This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information.  If you have received it in 
error, please notify the sender immediately and delete the original.  Any other 
use of the email by you is prohibited.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

DISK WIPING TOOL

[Haralson, Joe (GE Comm Fin, non-GE)]

Does anyone have a good Disk cleaning free tool? I currently use DBAN
but was exploring other options. 
 
Joe Haralson

Network Infrastructure Team

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Run multliple versions of IE

[Jay Dale]

Bumping this ... works for our developers fine, and it's free.

Jay Dale
I.T. Manager, 3GiG
Mobile: 713.299.2541
Email: jay.d...@3-gig.com

Confidentiality Notice: This e-mail, including any attached files, may contain 
confidential and/or privileged information for the sole use of the intended 
recipient. If you are not the intended recipient, you are hereby notified that 
any review, dissemination or copying of this e-mail and attachments, if any, or 
the information contained herein, is strictly prohibited. If you are not the 
intended recipient (or authorized to receive information for the intended 
recipient), please contact the sender by reply e-mail and delete all copies of 
this message.


From: Jay Dale [mailto:jay.d...@3-gig.com]
Sent: Monday, June 14, 2010 2:24 PM
To: NT System Admin Issues
Subject: RE: Run multliple versions of IE

Try this:

http://finalbuilds.edskes.net/iecollection.htm


Jay Dale
I.T. Manager, 3GiG
Mobile: 713.299.2541
Email: jay.d...@3-gig.com

Confidentiality Notice: This e-mail, including any attached files, may contain 
confidential and/or privileged information for the sole use of the intended 
recipient. If you are not the intended recipient, you are hereby notified that 
any review, dissemination or copying of this e-mail and attachments, if any, or 
the information contained herein, is strictly prohibited. If you are not the 
intended recipient (or authorized to receive information for the intended 
recipient), please contact the sender by reply e-mail and delete all copies of 
this message.


From: Bill Songstad [mailto:bsongs...@gmail.com]
Sent: Monday, June 14, 2010 2:06 PM
To: NT System Admin Issues
Subject: Re: Run multliple versions of IE

Unfortunately, the budget for this project is somewhere between $0.00 and 
$0.01.  So additional VMs is out.  I am going to test the package that Roger 
recommended this afternoon.  I'll post how that goes.

-Bill
On Mon, Jun 14, 2010 at 11:52 AM, Brian Desmond 
mailto:br...@briandesmond.com>> wrote:
I use VMs. Microsoft offers pre-baked VMs with all the IE versions on their 
site for download.

Thanks,
Brian Desmond
br...@briandesmond.com

c   - 312.731.3132

From: Bill Songstad [mailto:bsongs...@gmail.com]
Sent: Monday, June 14, 2010 1:13 PM
To: NT System Admin Issues
Subject: Run multliple versions of IE

My webmaster has asked for the ability to run multiple versions of IE (6, 7, 
and 8) on a Windows XP workstation.  I found a couple of candidates for testing 
on the interwebs, but is anybody using a solution for this that they like 
and/or recommend?

Thanks,
Bill


















~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Time to verify your IIS setup

[Roger Wright]

Perhaps this will help:
http://www.qualys.com/products/qg_suite/malware_detection/


Die dulci fruere!

Roger Wright
___




On Wed, Jun 9, 2010 at 3:43 PM, Kurt Buff  wrote:
> about 111,000 sites infected
>
> http://isc.sans.edu/diary.html?storyid=8935
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~   ~
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

Re: Website repuation tool

[Roger Wright]

http://www.qualys.com/products/qg_suite/malware_detection/ provides a
free site scanning service as well.


Die dulci fruere!

Roger Wright
___




On Tue, Jun 1, 2010 at 8:00 AM, Ziots, Edward  wrote:
> I came across this little nugget in another discussion group, figure I would
> share it with the list, since we always are looking at scanning potentially
> malware/spyware infested files from virustotal.com or jotti, well you can
> scan websites to see if they are also infected at the following URL.
>
>
>
> www.urlvoid.com.
>
>
>
> It links into novirusthanks.com also.
>
>
>
> Z
>
>
>
>
>
>
>
> Edward Ziots
>
> CISSP,MCSA,MCP+I,Security +,Network +,CCA
>
> Network Engineer
>
> Lifespan Organization
>
> 401-639-3505
>
> ezi...@lifespan.org
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

RE: Technet question

[Don Guyer]

Within our current licensing agreement, we get a boat load of these
web-based courses.

 

I'd say that the content is much better than what you would get at their
free expos, but not quite what you would get attending a cert class.

 

Still worth the time IMHO though.

 

Don Guyer

Systems Engineer - Information Services

Prudential, Fox & Roach/Trident Group

431 W. Lancaster Avenue

Devon, PA 19333

Direct: (610) 993-3299

Fax: (610) 650-5306

don.gu...@prufoxroach.com  

 

From: Jeff Bunting [mailto:bunting.j...@gmail.com] 
Sent: Tuesday, June 15, 2010 9:02 AM
To: NT System Admin Issues
Subject: Re: Technet question

 

The ones I took about a year ago were self-paced web based courses.  

Jeff

On Tue, Jun 15, 2010 at 3:28 AM, Oliver Marshall <
oliver.marsh...@g2support.com> wrote:

A little bit OT I'm sure, but perhaps someone can tell me of their
experiences. 

 

The Technet Pro subscription comes with "12 E-learning courses" but the
technet page doesn't tell me any more about the courses themselves.
Anyone know what kind of courses they are ? Are they just the weird MS
Partner style interactive courses which you have to sit to get the MS
Action packs?

 

Olly

 

 

 

 

Network Support 
Online Backups
Server Management

Tel: 0845 307 3443 

Email: oliver.marsh...@g2support.com

Web: http://www.g2support.com  

Twitter: g2support  

Newsletter: http://www.g2support.com/newsletter
 

Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>

Re: Virtualisation structural question

[Andrew S. Baker]

Yes, but it depends on the size of the box.

If you're building or purchasing a box that can only support 5 or 6 VMs,
then DataCenter is overkill.

If you're building a box that can support 15-20+ VMs, then you'll save
tremendously by going with DataCenter because that will be the only OS
license you need.  (CALs sold separately. Some assembly required.)

-ASB: http://XeeSM.com/AndrewBaker


On Tue, Jun 15, 2010 at 9:07 AM, Jon Harris  wrote:

> Yes but Enterprise is a bit less expensive than Data Center.
>
> Jon
>
> On Tue, Jun 15, 2010 at 9:03 AM, N Parr  wrote:
>
>>  If you buy CPU licenses of Data Center Server you can run as many as you
>> want.
>>
>>  --
>> *From:* Jon Harris [mailto:jk.har...@gmail.com]
>> *Sent:* Monday, June 14, 2010 5:08 PM
>>
>> *To:* NT System Admin Issues
>> *Subject:* Re: Virtualisation structural question
>>
>>   If you purchase the Enterprise version of 2k8 R2 I think it comes with
>> 4 virtual licenses.  That would allow for:
>> VM Host on physical machine
>>
>> DC1 on Virtual machine 1
>>
>> DC2 on Virtual machine 2
>>
>> Exchange server on Virtual machine 3
>>
>> File server on Virtual machine 4
>>
>> The only think I have never done is machine 3.  I don't do nor have I ever
>> touched Exchange but I did have a TechNet person tell me that it was a
>> supported configuration but depending on what you have running on the front
>> end of Exchange you would need a really beefy Host to support it but that
>> would be more for someone Exchange orientated than me to say.
>>
>> Jon
>>
>> On Mon, Jun 14, 2010 at 12:01 PM, Oliver Marshall <
>> oliver.marsh...@g2support.com> wrote:
>>
>>>  I'd love to but we dont have enough licenses.
>>>
>>>
>>>
>>>
>>>
>>> --
>>>
>>> G2 Support
>>>
>>> Network Support : Online Backups : Server Management
>>>
>>>
>>>
>>> Web: www.g2support.com
>>>
>>> Twitter: g2support 
>>>
>>> Newsletter: www.g2support.com/newsletter
>>>
>>>
>>>
>>> *From:* Malcolm Reitz [mailto:malcolm.re...@live.com]
>>> *Sent:* 14 June 2010 16:29
>>>
>>> *To:* NT System Admin Issues
>>> *Subject:* RE: Virtualisation structural question
>>>
>>>
>>>
>>> I would prefer to run the host as VM host only. I would also create 3 VMs
>>> – DC, file, Exchange. I don’t like to mix file services in to a domain
>>> controller as it creates security administration issues.
>>>
>>>
>>>
>>> -Malcolm
>>>
>>>
>>>
>>> *From:* Oliver Marshall [mailto:oliver.marsh...@g2support.com]
>>> *Sent:* Monday, June 14, 2010 06:15
>>> *To:* NT System Admin Issues
>>> *Subject:* Virtualisation structural question
>>>
>>>
>>>
>>> Hi chaps.
>>>
>>>
>>>
>>> Can I kick some thoughts around here and look for some comments?
>>>
>>>
>>>
>>> We have a few old servers that we need to upgrade to new versions.
>>> Basically we will be upgrading several Windows 2003 servers running file
>>> services, AD and Exchange 2003. We will be replacing these with 2008 64bit
>>> R2 servers running Exchange 2010.
>>>
>>>
>>>
>>> As running Exchange 2010 on a DC isn't recommended (though it appears
>>> that it isn't not-supported as such) we are looking at having two servers;
>>> one for AD and file roles and one for Exchange roles. Clearly this lends
>>> itself to virtualisation quite nicely with both 'servers' running on a
>>> parent host.
>>>
>>>
>>>
>>> The question is really this: Should the AD/File roles run in a VM or on
>>> the parent host itself, with Exchange being a child VM on the parent host ?
>>>
>>>
>>>
>>> So this;
>>>
>>>
>>>
>>> Physical Host: VM-HOST1
>>>
>>> Roles: Hyper-V Host
>>>
>>> Domain: Workgroup
>>>
>>>
>>>
>>> VM Name: AD-1
>>>
>>> Role: DC/GC/FILE
>>>
>>> Host: VM-HOST1
>>>
>>> Domain: MYDOMAIN
>>>
>>>
>>>
>>> VM Name: EX-1
>>>
>>> Roles: Exchange 2010
>>>
>>> Host: VM-HOST1
>>>
>>> Domain: MYDOMAIN
>>>
>>>
>>>
>>> Or this;
>>>
>>>
>>>
>>> Physical Host: VM-HOST1
>>>
>>> Roles: Hyper-V Host, DC/GC/FILE
>>>
>>> Domain: MYDOMAIN
>>>
>>>
>>>
>>> VM Name: EX-1
>>>
>>> Roles: Exchange 2010
>>>
>>> Host: VM-HOST1
>>>
>>> Domain: MYDOMAIN
>>>
>>>
>>>
>>> My feeling is that the former is neater, that is with both the AD server
>>> and the Exchange server being VMs on a parent host, than the latter.
>>>
>>>
>>>
>>> Any suggestions? How are you chaps structuring things ?
>>>
>>>
>>> Olly
>>>
>>>
>>>
>>>
>>>
>>>  Network Support
>>> Online Backups
>>> Server Management
>>>
>>> Tel: 0845 307 3443
>>>
>>> Email: oliver.marsh...@g2support.com
>>>
>>> Web: http://www.g2support.com
>>>
>>> Twitter: g2support 
>>>
>>> Newsletter: http://www.g2support.com/newsletter
>>>
>>> Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF
>>>
>>>
>>>
>>> G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
>>>
>>> BN3 7LE. Our registered company number is OC316341.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN

Re: Virtualisation structural question

[Jon Harris]

Yes but Enterprise is a bit less expensive than Data Center.

Jon

On Tue, Jun 15, 2010 at 9:03 AM, N Parr  wrote:

>  If you buy CPU licenses of Data Center Server you can run as many as you
> want.
>
>  --
> *From:* Jon Harris [mailto:jk.har...@gmail.com]
> *Sent:* Monday, June 14, 2010 5:08 PM
>
> *To:* NT System Admin Issues
> *Subject:* Re: Virtualisation structural question
>
>   If you purchase the Enterprise version of 2k8 R2 I think it comes with 4
> virtual licenses.  That would allow for:
> VM Host on physical machine
>
> DC1 on Virtual machine 1
>
> DC2 on Virtual machine 2
>
> Exchange server on Virtual machine 3
>
> File server on Virtual machine 4
>
> The only think I have never done is machine 3.  I don't do nor have I ever
> touched Exchange but I did have a TechNet person tell me that it was a
> supported configuration but depending on what you have running on the front
> end of Exchange you would need a really beefy Host to support it but that
> would be more for someone Exchange orientated than me to say.
>
> Jon
>
> On Mon, Jun 14, 2010 at 12:01 PM, Oliver Marshall <
> oliver.marsh...@g2support.com> wrote:
>
>>  I'd love to but we dont have enough licenses.
>>
>>
>>
>>
>>
>> --
>>
>> G2 Support
>>
>> Network Support : Online Backups : Server Management
>>
>>
>>
>> Web: www.g2support.com
>>
>> Twitter: g2support 
>>
>> Newsletter: www.g2support.com/newsletter
>>
>>
>>
>> *From:* Malcolm Reitz [mailto:malcolm.re...@live.com]
>> *Sent:* 14 June 2010 16:29
>>
>> *To:* NT System Admin Issues
>> *Subject:* RE: Virtualisation structural question
>>
>>
>>
>> I would prefer to run the host as VM host only. I would also create 3 VMs
>> – DC, file, Exchange. I don’t like to mix file services in to a domain
>> controller as it creates security administration issues.
>>
>>
>>
>> -Malcolm
>>
>>
>>
>> *From:* Oliver Marshall [mailto:oliver.marsh...@g2support.com]
>> *Sent:* Monday, June 14, 2010 06:15
>> *To:* NT System Admin Issues
>> *Subject:* Virtualisation structural question
>>
>>
>>
>> Hi chaps.
>>
>>
>>
>> Can I kick some thoughts around here and look for some comments?
>>
>>
>>
>> We have a few old servers that we need to upgrade to new versions.
>> Basically we will be upgrading several Windows 2003 servers running file
>> services, AD and Exchange 2003. We will be replacing these with 2008 64bit
>> R2 servers running Exchange 2010.
>>
>>
>>
>> As running Exchange 2010 on a DC isn't recommended (though it appears that
>> it isn't not-supported as such) we are looking at having two servers; one
>> for AD and file roles and one for Exchange roles. Clearly this lends itself
>> to virtualisation quite nicely with both 'servers' running on a parent host.
>>
>>
>>
>> The question is really this: Should the AD/File roles run in a VM or on
>> the parent host itself, with Exchange being a child VM on the parent host ?
>>
>>
>>
>> So this;
>>
>>
>>
>> Physical Host: VM-HOST1
>>
>> Roles: Hyper-V Host
>>
>> Domain: Workgroup
>>
>>
>>
>> VM Name: AD-1
>>
>> Role: DC/GC/FILE
>>
>> Host: VM-HOST1
>>
>> Domain: MYDOMAIN
>>
>>
>>
>> VM Name: EX-1
>>
>> Roles: Exchange 2010
>>
>> Host: VM-HOST1
>>
>> Domain: MYDOMAIN
>>
>>
>>
>> Or this;
>>
>>
>>
>> Physical Host: VM-HOST1
>>
>> Roles: Hyper-V Host, DC/GC/FILE
>>
>> Domain: MYDOMAIN
>>
>>
>>
>> VM Name: EX-1
>>
>> Roles: Exchange 2010
>>
>> Host: VM-HOST1
>>
>> Domain: MYDOMAIN
>>
>>
>>
>> My feeling is that the former is neater, that is with both the AD server
>> and the Exchange server being VMs on a parent host, than the latter.
>>
>>
>>
>> Any suggestions? How are you chaps structuring things ?
>>
>>
>> Olly
>>
>>
>>
>>
>>
>>  Network Support
>> Online Backups
>> Server Management
>>
>> Tel: 0845 307 3443
>>
>> Email: oliver.marsh...@g2support.com
>>
>> Web: http://www.g2support.com
>>
>> Twitter: g2support 
>>
>> Newsletter: http://www.g2support.com/newsletter
>>
>> Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF
>>
>>
>>
>> G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
>>
>> BN3 7LE. Our registered company number is OC316341.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>

RE: Virtualisation structural question

[N Parr]

If you buy CPU licenses of Data Center Server you can run as many as you
want.



From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Monday, June 14, 2010 5:08 PM
To: NT System Admin Issues
Subject: Re: Virtualisation structural question


If you purchase the Enterprise version of 2k8 R2 I think it comes with 4
virtual licenses.  That would allow for:
 
VM Host on physical machine
 
DC1 on Virtual machine 1
 
DC2 on Virtual machine 2
 
Exchange server on Virtual machine 3
 
File server on Virtual machine 4
 
The only think I have never done is machine 3.  I don't do nor have I
ever touched Exchange but I did have a TechNet person tell me that it
was a supported configuration but depending on what you have running on
the front end of Exchange you would need a really beefy Host to support
it but that would be more for someone Exchange orientated than me to
say.
 
Jon


On Mon, Jun 14, 2010 at 12:01 PM, Oliver Marshall <
oliver.marsh...@g2support.com> wrote:


I'd love to but we dont have enough licenses.

 

 

--

G2 Support

Network Support : Online Backups : Server Management

 

Web: www.g2support.com  

Twitter: g2support  

Newsletter: www.g2support.com/newsletter

 

From: Malcolm Reitz [mailto:malcolm.re...@live.com] 
Sent: 14 June 2010 16:29 

To: NT System Admin Issues

Subject: RE: Virtualisation structural question 





 

I would prefer to run the host as VM host only. I would also
create 3 VMs - DC, file, Exchange. I don't like to mix file services in
to a domain controller as it creates security administration issues.

 

-Malcolm

 

From: Oliver Marshall [mailto:oliver.marsh...@g2support.com] 
Sent: Monday, June 14, 2010 06:15
To: NT System Admin Issues
Subject: Virtualisation structural question

 

Hi chaps.

 

Can I kick some thoughts around here and look for some comments?


 

We have a few old servers that we need to upgrade to new
versions. Basically we will be upgrading several Windows 2003 servers
running file services, AD and Exchange 2003. We will be replacing these
with 2008 64bit R2 servers running Exchange 2010. 

 

As running Exchange 2010 on a DC isn't recommended (though it
appears that it isn't not-supported as such) we are looking at having
two servers; one for AD and file roles and one for Exchange roles.
Clearly this lends itself to virtualisation quite nicely with both
'servers' running on a parent host.

 

The question is really this: Should the AD/File roles run in a
VM or on the parent host itself, with Exchange being a child VM on the
parent host ?

 

So this;

 

Physical Host: VM-HOST1

Roles: Hyper-V Host

Domain: Workgroup

 

VM Name: AD-1

Role: DC/GC/FILE

Host: VM-HOST1

Domain: MYDOMAIN

 

VM Name: EX-1

Roles: Exchange 2010

Host: VM-HOST1

Domain: MYDOMAIN

 

Or this;

 

Physical Host: VM-HOST1

Roles: Hyper-V Host, DC/GC/FILE

Domain: MYDOMAIN

 

VM Name: EX-1

Roles: Exchange 2010

Host: VM-HOST1

Domain: MYDOMAIN

 

My feeling is that the former is neater, that is with both the
AD server and the Exchange server being VMs on a parent host, than the
latter. 

 

Any suggestions? How are you chaps structuring things ?


Olly

 

 

 

 

Network Support 
Online Backups
Server Management

Tel: 0845 307 3443

Email: oliver.marsh...@g2support.com

Web: http://www.g2support.com  

Twitter: g2support  

Newsletter: http://www.g2support.com/newsletter
 

Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue,
HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

 

 

 


 






 

 


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>

Re: Technet question

[Jeff Bunting]

The ones I took about a year ago were self-paced web based courses.

Jeff

On Tue, Jun 15, 2010 at 3:28 AM, Oliver Marshall <
oliver.marsh...@g2support.com> wrote:

>  A little bit OT I'm sure, but perhaps someone can tell me of their
> experiences.
>
>
>
> The Technet Pro subscription comes with "12 E-learning courses" but the
> technet page doesn't tell me any more about the courses themselves. Anyone
> know what kind of courses they are ? Are they just the weird MS Partner
> style interactive courses which you have to sit to get the MS Action packs?
>
>
>
> Olly
>
>
>
>
>
>Network Support
> Online Backups
> Server Management
>
> Tel: 0845 307 3443
>
> Email: oliver.marsh...@g2support.com
>
> Web: http://www.g2support.com
>
> Twitter: g2support 
>
> Newsletter: http://www.g2support.com/newsletter
>
> Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF
>
>
>
> G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
>
> BN3 7LE. Our registered company number is OC316341.
>
>
>
>
>
>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>

RE: Technet question

[Rod Trent]

With a TechNet Pro subscription, you receive six months of access to
Microsoft E-Learning with hands-on learning to help you build the skills you
need to do your job. The following courses are available to TechNet Pro
subscribers through June 30, 2010:

. Course 3377: Implementing Windows Desktop Search in an Enterprise
Environment - In this online learning course, you learn how to enable
searching local and network files and folders using Windows Desktop Search.
Topics covered within the course include an overview of Search technologies,
installing and configuring WDS, as well as WDS integration with Outlook,
enterprise solutions, and Windows Vista. This online learning course is
composed of a rich multimedia experience coupled with comprehensive
technical labs.

. Course 10166: Windows 7 Essentials I - This one-hour course
provides you with an overview of the new features in Windows 7. It describes
how you can get started working with Windows 7. It also describes how
Windows 7 helps you become more organized and productive, with improvements
in the user interface, enhanced search capabilities, and new features such
as Libraries and Jump Lists.

. Course 10167: Windows 7 Essentials II - This one-hour course
provides you with an overview of advanced features in Windows 7. It
describes the enhancements that help you manage your devices and printers,
maintain and troubleshoot problems with your computer, and protect your
computer and data. It also describes how Windows 7 helps you easily manage
local and remote network connections.

 

 

 

From: Oliver Marshall [mailto:oliver.marsh...@g2support.com] 
Sent: Tuesday, June 15, 2010 3:29 AM
To: NT System Admin Issues
Subject: Technet question

 

A little bit OT I'm sure, but perhaps someone can tell me of their
experiences. 

 

The Technet Pro subscription comes with "12 E-learning courses" but the
technet page doesn't tell me any more about the courses themselves. Anyone
know what kind of courses they are ? Are they just the weird MS Partner
style interactive courses which you have to sit to get the MS Action packs?

 

Olly

 



 




Network Support 
Online Backups
Server Management

Tel: 0845 307 3443

Email: oliver.marsh...@g2support.com

Web:   http://www.g2support.com

Twitter:   g2support

Newsletter:  
http://www.g2support.com/newsletter

Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF

 

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE

BN3 7LE. Our registered company number is OC316341. 

 

 

 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>

Technet question

[Oliver Marshall]

A little bit OT I'm sure, but perhaps someone can tell me of their experiences.

The Technet Pro subscription comes with "12 E-learning courses" but the technet 
page doesn't tell me any more about the courses themselves. Anyone know what 
kind of courses they are ? Are they just the weird MS Partner style interactive 
courses which you have to sit to get the MS Action packs?

Olly

[cid:personal24823.jpg]

[cid:g2supportsmall_250x58border18be.png]

Network Support
Online Backups
Server Management

Tel: 0845 307 3443
Email: oliver.marsh...@g2support.com
Web: http://www.g2support.com
Twitter: g2support
Newsletter: http://www.g2support.com/newsletter
Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF

G2 Support LLP is registered at Mill House, 103 Holmes Avenue, HOVE
BN3 7LE. Our registered company number is OC316341.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~<><>