Re: A poll, of sorts...

2012-01-10 Thread Christopher Bodnar
Why are you looking to change the password policy? What is the business 
driver for this? 

Also what would be the effective loss to the business if one of the more 
high level employees' passwords was cracked (i.e. an engineer that has 
access to software designs)? 




Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From:   Kurt Buff kurt.b...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date:   01/09/2012 11:32 PM
Subject:A poll, of sorts...



All,

In the interest of curiosity, I have a theoretical question for your
consideration and debate...

What measures would you need to see in place in a small business
(fewer than 500 users) to feel comfortable with setting a password
policy that sets standard complexity (that is, at least three of the
standard four character types - UC, LC, numeric and special),
minimum 10 characters in length, with no expiration, no history and no
minimum age?

Assume a Win2k8R2 single domain forest.

Kurt

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



-
This message, and any attachments to it, may contain information
that is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination,
distribution, copying, or communication of this message is strictly
prohibited.  If you have received this message in error, please
notify the sender immediately by return e-mail and delete the
message and any attachments.  Thank you.

RE: Domain Admin accounts

2012-01-10 Thread David Lum
Yeah...I listed the DA accounts in question and the SE's didn't reply, and my 
bet is 1/2 the accounts in question they don't even know what they do. No 
security problem there. Yeah, the dude has keys to the castle, but I don't know 
who he is.

Dave

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Monday, January 09, 2012 4:11 PM
To: NT System Admin Issues
Subject: Re: Domain Admin accounts

On Mon, Jan 9, 2012 at 09:41, David Lum david@nwea.org wrote:
 We have several service accounts that are Domain Admin – is there any 
 way to test for what permissions these accounts actually need short of 
 “removing DA and see what happens?”. I’m guessing no…

The big question will be exactly what jobs they are performing. You'll need a 
complete understanding of what they're used for - or rather, what you mean by 
service account

Some service accounts are used for running services, and have a very limited 
scope that is more or less traceable. Others are, for instance, used in 
scheduled tasks, in which case you'll need to understand what the task does


Kurt


IIS 6.0 Security

2012-01-10 Thread Richard McClary
Hopefully, the subject line is not a complete oxymoron...

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note - the server 
is accessed via web through a MIP's IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet...
-
richard


The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and 
is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof.

Re: Domain Admin accounts

2012-01-10 Thread Webster
In a SOX audit I would require verification from HR that every member of
Domain Admins, Enterprise Admins and Schema Admins is a valid employee.
You would probably not be surprised how many are not employed and have
been gone for quite some time.  Same process for off-site backup access
(Iron Mountain, etc).

Service accounts that are members of one or more of those groups have to
have CIO (or equivalent level) sign-off.

Thanks


Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com http://www.carlwebster.com/






On 1/10/12 8:57 AM, David Lum david@nwea.org wrote:

Yeah...I listed the DA accounts in question and the SE's didn't reply,
and my bet is 1/2 the accounts in question they don't even know what they
do. No security problem there. Yeah, the dude has keys to the castle, but
I don't know who he is.

Dave

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, January 09, 2012 4:11 PM
To: NT System Admin Issues
Subject: Re: Domain Admin accounts

On Mon, Jan 9, 2012 at 09:41, David Lum david@nwea.org wrote:
 We have several service accounts that are Domain Admin – is there any
 way to test for what permissions these accounts actually need short of
 “removing DA and see what happens?”. I’m guessing no…

The big question will be exactly what jobs they are performing. You'll
need a complete understanding of what they're used for - or rather, what
you mean by service account

Some service accounts are used for running services, and have a very
limited scope that is more or less traceable. Others are, for instance,
used in scheduled tasks, in which case you'll need to understand what the
task does


Kurt




OT - How to determine vCPU over-commit in VMware ESX 4.1

2012-01-10 Thread Mike Leone
I am working on a PowerCLI (Powershell with VMware extension) script 
that I want to use to determine memory and vCPU over-commit - i.e., that 
I have allocated too much vCPU or memory to a VM. I can figure out the 
memory easily enough - I take the maximum of the last 30 days worth of 2 
hour intervals of mem.usage.stat counter, and compare that to the 
amount of memory allocated to the VM (MemoryMB). If MemoryMB / Max 
MemUsed is more than 2.0, then I've allocated more than twice what the 
memory needs of this VM are (based on the last 30 days usage), and I 
should be able to drop down the allocated memory, still have enough of a 
buffer for unusual needs for the VM, and save some cluster resources as 
a reserve.


But how can I get a similar result for vCPU? For example, if I have a VM 
with 4 vCPUs, is there any way to determine that I can get along just 
fine with 2 vCPUs, based on max CPU usage for the last 30 days? What 
counters do I look at, and how do they relate to the number of vCPUs 
allocated? On the VMware forums, I've been advised like this:


Once you have collected your max CPU usage stat I would do the following.

CPUsageMax * ( CurrentCPUCount / NewCPUCount)
If output is < 85 reduce by 1 vCPU.  Loop this to see if you need to 
remove more than one vCPU.  Same equation for adding vCPUs


For instance.  You have 3 vCPUs at 50% utilisation.

50 * (3/2) = 75

In this case you can drop down to one vCPU.


Thoughts on this methodology? I know that there are commercial programs 
to analyze your VMware cluster, and tell you these things, and even 
adjust them, but we don't have the budget for Capacity IQ. So I'm trying 
for a "some improvement is better than no improvement." Is there a 
better way to estimate this? I have a few VMs with 4 vCPUs, and while 
I'm sure I can knock a CPU off those VMs, I need some numbers to back me 
up, and to show that removing one vCPU won't negatively impact that VM 
too much ...



Thanks, and sorry for the OT.
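
The two right-sizing rules from this post (the MemoryMB / max-used ratio of 2.0 and the quoted CPU formula with its 85 threshold), applied to a small inventory. This is an added example, not code from the poster or from VMware; the VM names and figures are constructed, memory usage is assumed to be in MB, and the rule used for adding vCPUs (grow until the projection drops below the threshold) is an assumption, since the quoted advice only says "same equation".

```python
from dataclasses import dataclass

CPU_THRESHOLD_PCT = 85.0   # threshold from the quoted forum advice
MEM_RATIO_LIMIT = 2.0      # "more than twice" rule from the post


@dataclass
class VmStats:
    name: str                # constructed VM name
    vcpus: int               # vCPUs currently allocated
    cpu_max_pct: float       # max CPU usage over the window, % of current allocation
    memory_mb: int           # allocated memory (MemoryMB)
    mem_max_used_mb: float   # max memory used over the window (assumed to be in MB)


def projected_cpu_pct(cpu_max_pct, current_vcpus, new_vcpus):
    """CPUsageMax * (CurrentCPUCount / NewCPUCount), as quoted in the post."""
    return cpu_max_pct * (current_vcpus / new_vcpus)


def recommend_vcpus(cpu_max_pct, current_vcpus, threshold=CPU_THRESHOLD_PCT):
    """Loop the quoted formula one vCPU at a time and return the suggested count."""
    if current_vcpus < 1 or cpu_max_pct < 0:
        raise ValueError("need at least one vCPU and a non-negative usage figure")
    new = current_vcpus
    # Shrink: remove one vCPU while the projected peak stays under the threshold.
    while new > 1 and projected_cpu_pct(cpu_max_pct, current_vcpus, new - 1) < threshold:
        new -= 1
    # Grow (assumed rule): add vCPUs while the projected peak is at or above it.
    while projected_cpu_pct(cpu_max_pct, current_vcpus, new) >= threshold:
        new += 1
    return new


def rightsizing_report(vms):
    """One row per VM with the vCPU suggestion and the memory over-allocation flag."""
    rows = []
    for vm in vms:
        target = recommend_vcpus(vm.cpu_max_pct, vm.vcpus)
        # A VM that never used memory in the window gets an infinite ratio.
        ratio = vm.memory_mb / vm.mem_max_used_mb if vm.mem_max_used_mb > 0 else float("inf")
        rows.append({
            "name": vm.name,
            "vcpus_now": vm.vcpus,
            "vcpus_suggested": target,
            "cpu_pct_at_suggested": round(
                projected_cpu_pct(vm.cpu_max_pct, vm.vcpus, target), 1),
            "mem_ratio": round(ratio, 2),
            "mem_overallocated": ratio > MEM_RATIO_LIMIT,
        })
    return rows


# Constructed 30-day maxima for three hypothetical VMs.
SAMPLE_VMS = [
    VmStats("app01", 4, 30.0, 8192, 3000.0),
    VmStats("web01", 3, 50.0, 4096, 3000.0),
    VmStats("db01", 2, 95.0, 16384, 15000.0),
]

if __name__ == "__main__":
    for row in rightsizing_report(SAMPLE_VMS):
        print(row)
```

The formula treats load as spreading evenly across vCPUs, so a VM whose peak comes from a single busy thread can look safer to shrink than it is. With the formula as quoted, the 3-vCPU, 50% case stops at 2 vCPUs, because the next step projects to 150.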





RE: Domain Admin accounts

2012-01-10 Thread David Lum
The gone employees I have handled. The accounts in question are like Websense, 
myonelogin and other application-like accounts.

-Original Message-
From: Webster [mailto:webs...@carlwebster.com] 
Sent: Tuesday, January 10, 2012 7:10 AM
To: NT System Admin Issues
Subject: Re: Domain Admin accounts

In a SOX audit I would require verification from HR that every member of Domain 
Admins, Enterprise Admins and Schema Admins is a valid employee.
You would probably not be surprised how many are not employed and have been 
gone for quite some time.  Same process for off-site backup access (Iron 
Mountain, etc).

Service accounts that are members of one or more of those groups have to have 
CIO (or equivalent level) sign-off.

Thanks


Carl Webster
Consultant and Citrix Technology Professional http://www.CarlWebster.com 
http://www.carlwebster.com/






On 1/10/12 8:57 AM, David Lum david@nwea.org wrote:

Yeah...I listed the DA accounts in question and the SE's didn't reply, 
and my bet is 1/2 the accounts in question they don't even know what 
they do. No security problem there. Yeah, the dude has keys to the 
castle, but I don't know who he is.

Dave

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, January 09, 2012 4:11 PM
To: NT System Admin Issues
Subject: Re: Domain Admin accounts

On Mon, Jan 9, 2012 at 09:41, David Lum david@nwea.org wrote:
 We have several service accounts that are Domain Admin – is there any 
 way to test for what permissions these accounts actually need short 
 of “removing DA and see what happens?”. I’m guessing no…

The big question will be exactly what jobs they are performing. You'll 
need a complete understanding of what they're used for - or rather, 
what you mean by service account

Some service accounts are used for running services, and have a very 
limited scope that is more or less traceable. Others are, for instance, 
used in scheduled tasks, in which case you'll need to understand what 
the task does


Kurt




Re: Expanding Subnet again

2012-01-10 Thread Stefan Jafs
So for me  *.255 are usable except 3.255, correct?

Stefan

On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG jhea...@dfg.ca.gov
 wrote:
  .255 is broadcast
 
   Not always.
 
  Very true, if we go and break up a class C, that is absolutely true.
  But,
  seeing as he's going the other way, and making the subnet bigger, not
 smaller...

  .255 is still not always the broadcast address.  For example, in a
 /23, there will be two addresses where the dotted-decimal ends in
 .255.  One will be the broadcast address, and the other will just be
 a regular host.

 -- Ben





-- 
Stefan Jafs
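
The point made in the quoted reply, that an address ending in .255 is only sometimes the broadcast address, worked through with Python's `ipaddress` module. This is an added example, not part of the thread; the 10.1.0.0 and 192.0.2.0 networks are constructed, and the /22 is an assumed stand-in for a subnet whose last address ends in 3.255.

```python
import ipaddress


def broadcast_of(net):
    """Broadcast address of an IPv4 network, or None for /31 and /32."""
    # RFC 3021 point-to-point /31s and /32 host routes have no broadcast address.
    return None if net.prefixlen >= 31 else net.broadcast_address


def naive_is_broadcast(addr):
    """The rule of thumb from the thread: last octet 255 means broadcast."""
    return int(addr) & 0xFF == 255


def addresses_ending_255(cidr):
    """Every address in the subnet whose last octet is 255, with its real role."""
    net = ipaddress.ip_network(cidr)
    bcast = broadcast_of(net)
    result = []
    for addr in net:  # walks every address; fine for LAN-sized subnets
        if naive_is_broadcast(addr):
            result.append((str(addr), "broadcast" if addr == bcast else "host"))
    return result


def naive_rule_errors(cidr):
    """Addresses that a 'ends in .255' filter or ACL rule would get wrong."""
    net = ipaddress.ip_network(cidr)
    bcast = broadcast_of(net)
    errors = []
    for addr in net:
        is_bcast = addr == bcast
        if naive_is_broadcast(addr) != is_bcast:
            kind = "broadcast missed" if is_bcast else "host treated as broadcast"
            errors.append((str(addr), kind))
    return errors


if __name__ == "__main__":
    # Constructed networks: a /23 and /22 (subnet made bigger) and a /25
    # (a former class C broken up), covering both directions discussed.
    for cidr in ("10.1.0.0/23", "10.1.0.0/22", "192.0.2.0/25"):
        print(cidr, addresses_ending_255(cidr), naive_rule_errors(cidr))
```

Running `naive_rule_errors` against the subnets behind a firewall rule set or DHCP scope shows where a rule written around ".255" drops a usable host or lets a real broadcast address through.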


RE: A poll, of sorts...

2012-01-10 Thread David Lum
No expiration, no history, no minimum age? Sounds like a kiosk...

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Tuesday, January 10, 2012 5:25 AM
To: NT System Admin Issues
Subject: Re: A poll, of sorts...

Why are you looking to change the password policy? What is the business driver 
for this?

Also what would be the effective loss to the business if one of the more high 
level employees' passwords was cracked (i.e. an engineer that has access to 
software designs)?




Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: Kurt Buff kurt.b...@gmail.com
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/09/2012 11:32 PM
Subject: A poll, of sorts...




All,

In the interest of curiosity, I have a theoretical question for your
consideration and debate...

What measures would you need to see in place in a small business
(fewer than 500 users) to feel comfortable with setting a password
policy that sets standard complexity (that is, at least three of the
standard four character types - UC, LC, numeric and special),
minimum 10 characters in length, with no expiration, no history and no
minimum age?

Assume a Win2k8R2 single domain forest.

Kurt


Re: Domain Admin accounts

2012-01-10 Thread Kurt Buff
Which means you're going to have to audit those applications to
understand what they're doing.

If, for instance, the websense account is only used for AD auth for
the web filter, then it doesn't need to be a DA - for our Barracuda I
created an account (_barracuda), with no special privileges, because
all it does is query AD for the web filter, then placed the account in
our service account OU.

Kurt

2012/1/10 David Lum david@nwea.org:
 The gone employees I have handled. The accounts in question are like 
 Websense, myonelogin and other application-like accounts.

 -Original Message-
 From: Webster [mailto:webs...@carlwebster.com]
 Sent: Tuesday, January 10, 2012 7:10 AM
 To: NT System Admin Issues
 Subject: Re: Domain Admin accounts

 In a SOX audit I would require verification from HR that every member of 
 Domain Admins, Enterprise Admins and Schema Admins is a valid employee.
 You would probably not be surprised how many are not employed and have been 
 gone for quite some time.  Same process for off-site backup access (Iron 
 Mountain, etc).

 Service accounts that are members of one or more of those groups have to have 
 CIO (or equivalent level) sign-off.

 Thanks


 Carl Webster
 Consultant and Citrix Technology Professional http://www.CarlWebster.com 
 http://www.carlwebster.com/






 On 1/10/12 8:57 AM, David Lum david@nwea.org wrote:

Yeah...I listed the DA accounts in question and the SE's didn't reply,
and my bet is 1/2 the accounts in question they don't even know what
they do. No security problem there. Yeah, the dude has keys to the
castle, but I don't know who he is.

Dave

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Monday, January 09, 2012 4:11 PM
To: NT System Admin Issues
Subject: Re: Domain Admin accounts

On Mon, Jan 9, 2012 at 09:41, David Lum david@nwea.org wrote:
 We have several service accounts that are Domain Admin – is there any
 way to test for what permissions these accounts actually need short
 of “removing DA and see what happens?”. I’m guessing no…

The big question will be exactly what jobs they are performing. You'll
need a complete understanding of what they're used for - or rather,
what you mean by service account

Some service accounts are used for running services, and have a very
limited scope that is more or less traceable. Others are, for instance,
used in scheduled tasks, in which case you'll need to understand what
the task does


Kurt




bought the book

2012-01-10 Thread David Lum
Book bought. I expect big things Brian! ☺

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean…buy the book? Get out…

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian’s homegrown glue is reference 
is fairly spot on ☺

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, January 04, 2012 2:00 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Wait – Concur is telling us we need ADFS 2.0 to use SAML. How do you do it 
without ADFS?

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, January 04, 2012 1:01 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Ditto.

We went from our old internal hosted to external Concur last year using SAML 
for authN. No ADFS.

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, January 04, 2012 7:01 AM
To: NT System Admin Issues
Subject: Re: Concur for expense management

The 2003 to 2003 R2 is very simple. More like adding additional features, than 
a true OS upgrade. You should be fine. No issues.

We use Concur here, but do not have federation services configured.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: David Lum david@nwea.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/04/2012 09:17 AM
Subject: Concur for expense management




Does anyone here use Concur for expense management? I need to configure 
Federation with them and they sent me a SAML document and it looks like I need 
to install ADFS…which requires 2003 R2 and we don’t have any 2003 R2 servers, 
ours are straight 2003. It’s not a big deal to stand up a 2003 R2 DC in a 2003 
domain is it? Is an in-place upgrade possible? I seem to think on the 2003 
versions, 2003 and 2003 R2 are very similar.
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Re: Expanding Subnet again

2012-01-10 Thread Micheal Espinola Jr
Are you guessing, or did you try writing it out as explained to you?

--
Espi




On Tue, Jan 10, 2012 at 7:37 AM, Stefan Jafs stefan.j...@gmail.com wrote:

 So for me  *.255 are usable except 3.255, correct?

 Stefan

 On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG jhea...@dfg.ca.gov
 wrote:
  .255 is broadcast
 
   Not always.
 
  Very true, if we go and break up a class C, that is absolutely true.
  But,
  seeing as he's going the other way, and making the subnet bigger, not
 smaller...

  .255 is still not always the broadcast address.  For example, in a
 /23, there will be two addresses where the dotted-decimal ends in
 .255.  One will be the broadcast address, and the other will just be
 a regular host.

 -- Ben





 --
 Stefan Jafs


RE: Related to my Domain Admin thread

2012-01-10 Thread Michael B. Smith
Theoretically, built-in groups are historical in nature (i.e., carryovers from 
NT4.0 and previous) and should not be used going forward.

All of their capabilities are reproducible via delegation and GPOs and User 
Rights Assignments.

But I don't think they are going anywhere. Brian Desmond may have more insight 
than I do on this topic.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: Related to my Domain Admin thread

Best practice to not add users to a builtin group?

Account Operators: By default, this built-in group has no members. It can 
create and manage users and groups in the domain, but it cannot manage service 
administrator accounts. As a best practice, do not add members to this group, 
and do not use it for any delegated administration.

http://technet.microsoft.com/en-us/library/cc700835.aspx
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Searching for SCCM MVPs or Gurus to answer this question

2012-01-10 Thread ed ziots

 
Trying to find out why SCCM is using WEBDAV to communicate with endpoints; the 
configuration of SCCM in its install state is causing PCI scans to fail 
because the propfind method is enabled on IIS 7.5 and the configuration is to 
allow anonymous access and to anywhere in the path of allowed files. 
 
Disabling the propfind method breaks WEB-DAV, which breaks a part of SCCM. For 
those that have SCCM running in a PCI environment, have you run across this 
before with a Qualys scan, and what might be done about it to close up the 
issue? 
 
Sincerely,
EZ


Edward E. Ziots 
Senior Informational Security Engineer
CISSP,Security +,Network+ 

  

RE: Domain Admin accounts

2012-01-10 Thread ed ziots

I would concur for PCI also: all accounts should be unique and auditable 
(especially in the EA, DA, SA and administrator groups), and service accounts 
should be properly documented, with executive sign-off and proper risk 
management to the account for least privilege. 
 
Sincerely
EZ

Edward E. Ziots 
Senior Informational Security Engineer
CISSP,Security +,Network+ 

 

 Date: Tue, 10 Jan 2012 07:45:47 -0800
 Subject: Re: Domain Admin accounts
 From: kurt.b...@gmail.com
 To: ntsysadmin@lyris.sunbelt-software.com
 
 Which means you're going to have to audit those applications to
 understand what they're doing.
 
 If, for instance, the websense account is only used for AD auth for
 the web filter, then it doesn't need to be a DA - for our Barracuda I
 created an account (_barracuda), with no special privileges, because
 all it does is query AD for the web filter, then placed the account in
 our service account OU.
 
 Kurt
 
 2012/1/10 David Lum david@nwea.org:
  The gone employees I have handled. The accounts in question are like 
  Websense, myonelogin and other application-like accounts.
 
  -Original Message-
  From: Webster [mailto:webs...@carlwebster.com]
  Sent: Tuesday, January 10, 2012 7:10 AM
  To: NT System Admin Issues
  Subject: Re: Domain Admin accounts
 
  In a SOX audit I would require verification from HR that every member of 
  Domain Admins, Enterprise Admins and Schema Admins is a valid employee.
  You would probably not be surprised how many are not employed and have been 
  gone for quite some time.  Same process for off-site backup access (Iron 
  Mountain, etc).
 
  Service accounts that are members of one or more of those groups have to 
  have CIO (or equivalent level) sign-off.
 
  Thanks
 
 
  Carl Webster
  Consultant and Citrix Technology Professional http://www.CarlWebster.com 
  http://www.carlwebster.com/
 
 
 
 
 
 
  On 1/10/12 8:57 AM, David Lum david@nwea.org wrote:
 
 Yeah...I listed the DA accounts in question and the SE's didn't reply,
 and my bet is 1/2 the accounts in question they don't even know what
 they do. No security problem there. Yeah the dude has keys to the
 castle, but I don't know who he is.
 
 Dave
 
 -Original Message-
 From: Kurt Buff [mailto:kurt.b...@gmail.com]
 Sent: Monday, January 09, 2012 4:11 PM
 To: NT System Admin Issues
 Subject: Re: Domain Admin accounts
 
 On Mon, Jan 9, 2012 at 09:41, David Lum david@nwea.org wrote:
  We have several service accounts that are Domain Admin - is there any
  way to test for what permissions these accounts actually need short
  of "removing DA and see what happens?". I'm guessing no...
 
 The big question will be exactly what jobs they are performing. You'll
 need a complete understanding of what they're used for - or rather,
 what you mean by service account
 
 Some service accounts are used for running services, and have a very
 limited scope that is more or less traceable. Others are, for instance,
 used in scheduled tasks, in which case you'll need to understand what
 the task does
 
 
 Kurt
 

RE: IIS 6.0 Security

2012-01-10 Thread Michael B. Smith
Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 - I don't know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron...

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note - the server 
is accessed via web through a MIP's IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet...
-
richard


RE: Related to my Domain Admin thread

2012-01-10 Thread Brian Desmond
Yes best practice is not to use them. They have all sorts of little bits of 
extra access floating around in weird places, and they cause adminSDHolder to 
apply to accounts that probably shouldn't be covered. Do the legwork and 
delegate exactly what you need to groups - even better do it in logical 
groupings of access (e.g. reset password, account unlock, update personal info, 
etc.), and then you can just add people to groups when they need the access.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 10:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Theoretically, built-in groups are historical in nature (i.e., carryovers from 
NT4.0 and previous) and should not be used going forward.

All of their capabilities are reproducible via delegation and GPOs and User 
Rights Assignments.

But I don't think they are going anywhere. Brian Desmond may have more insight 
than I do on this topic.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: Related to my Domain Admin thread

Best practice to not add users to a builtin group?

Account Operators: By default, this built-in group has no members. It can 
create and manage users and groups in the domain, but it cannot manage service 
administrator accounts. As a best practice, do not add members to this group, 
and do not use it for any delegated administration.

http://technet.microsoft.com/en-us/library/cc700835.aspx
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Re: A poll, of sorts...

2012-01-10 Thread Ben Scott
On Tue, Jan 10, 2012 at 12:12 AM, Kurt Buff kurt.b...@gmail.com wrote:
  What are the threats you are defending against?  What will this
 counter-measure cost you (e.g., forgotten passwords/resets, writing
 down of passwords, user hostility, political capital, etc.)?

 For the threats - well, the company is connected to the Internet, and
 has a decent firewall. Further than that, make up your own threat
 scenario.

  That's not a realistic request.  It's a big difference if they're
manufacturing bolts or they're a defense contractor, for example.  You
have to define parameters or you just get the "Take the computer,
unplug it, seal it in a safe, and bury the safe in concrete" response.

  In particular, are you using passwords to authenticate anything from
the public Internet?

 Assume that forgotten passwords were at most 2/month, that previously
 passwords were 8 characters, and changed on a 90-day cycle.

  I'm not a big fan of the short (90 day) password lifetimes, unless a
specific credible threat can be cited (e.g., web cafe usage (in which
case you have other problems)).  You're better off with a strong
password that people can remember.  Anything that short-lived
virtually forces people into writing passwords down or using
formula/system/pattern passwords, both of which are usually bigger problems.

  Periodic changes are certainly a good idea, but I usually prefer a year or so.

-- Ben




RE: IIS 6.0 Security

2012-01-10 Thread ed ziots

Here are a few links for the cipher issues: 
You can only use SSL v3 or TLS v1.0
http://manyrootsofallevilrants.blogspot.com/2011/11/disabling-low-ciphers-in-iis-60.html

Here is the Blog from IIS.net that will set you straight on what to take care 
of in the registry. 
 
http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
 
You can test your ciphers using openssl. 
To make sure you don't have SSLv2 enabled, do the following. 
 
Install the latest version of OpenSSL (I believe 1.0x now).
Navigate to the bin directory in the OpenSSL install directory.
Type openssl to get the openssl command line. 
 
Then type the following: OpenSSL> s_client -connect host:port -ssl2
(If it comes back with the following, it's not accepting SSLv2.)
CONNECTED(0758)
4348:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:.\ssl\s2_
pkt.c:675:
4348:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c
:428:
 
Show this to the auditors. 
EZ
 

Edward E. Ziots 
Senior Informational Security Engineer
CISSP,Security +,Network+ 

 



From: richard.mccl...@aspca.org
To: ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 15:05:48 +
Subject: IIS 6.0 Security






Hopefully, the subject line is not a complete oxymoron…
 
Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.
 
We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)
 
The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:
 
Disable TLS Renegotiation
 
Fix Microsoft IIS Content Location Internal IP Address Leak (Note – the server 
is accessed via web through a MIP’s IP address)
 
Upgrade to the latest version of OpenSSL
 
Disable SSL support for weak ciphers
 
Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).
 
Thank you; back to Google and Technet…
-
richard


The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and is 
intended only for use by the addressee(s) named herein and may contain legally 
privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof. 
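
The SSLv2 check described in the reply above, as an added example that is not part of the original thread: a Python classifier for `openssl s_client` transcripts that separates "the server rejected the handshake" from "the client could not attempt it", since only the former is evidence for an auditor. The rejected transcript reuses the error lines quoted above; the other transcripts, the function names and the verdict strings are constructed for illustration.

```python
import re
import subprocess

# Rejected transcript: the output quoted in the message above.
REJECTED = r"""CONNECTED(0758)
4348:error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher:.\ssl\s2_pkt.c:675:
4348:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:.\ssl\s2_pkt.c:428:
"""

# Constructed transcript: a server that still completes an SSLv2 handshake.
ACCEPTED = """CONNECTED(00000003)
---
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
"""

# Constructed transcript: a client build that has no -ssl2 flag.
NO_FLAG = "s_client: Unknown option: -ssl2\n"

# Constructed transcript: the TCP connection was never established.
NO_TCP = "connect: Connection refused\nconnect:errno=111\n"

_CIPHER = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.MULTILINE)
_FAILURE = re.compile(r":error:|handshake failure", re.IGNORECASE)


def classify(transcript):
    """Return (verdict, reason) for one s_client transcript."""
    # A client that cannot speak the protocol proves nothing about the server.
    if re.search(r"unknown option", transcript, re.IGNORECASE):
        return ("inconclusive", "client build does not support this protocol flag")
    if "CONNECTED(" not in transcript:
        return ("inconclusive", "no TCP connection, so no handshake was attempted")
    # A negotiated cipher in the session block means the handshake completed.
    match = _CIPHER.search(transcript)
    if match and match.group(1) not in ("0000", "(NONE)"):
        return ("accepted", "handshake completed with cipher " + match.group(1))
    if _FAILURE.search(transcript):
        return ("rejected", "server refused the handshake")
    return ("inconclusive", "connected, but no handshake result in the transcript")


def probe(host, port, flag="-ssl2", timeout=15):
    """Run the command from the message above against your own server and classify it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", flag]
    try:
        done = subprocess.run(cmd, stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, text=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return ("inconclusive", f"could not run the probe: {exc}")
    return classify(done.stdout)


if __name__ == "__main__":
    samples = {"rejected": REJECTED, "accepted": ACCEPTED,
               "no flag": NO_FLAG, "no tcp": NO_TCP}
    for name, text in samples.items():
        print(name, "->", classify(text))
```

Only a "rejected" verdict from a client that actually offers SSLv2 is worth showing to the auditors; an "inconclusive" result needs a different client build or a reachable port.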


RE: Fun with Hyper-V - and failover hardware Q's

2012-01-10 Thread Mike Hoffman
I was thinking more along the lines of taking the file load off the server 
(onto a NAS device) so that it is just running exchange and SharePoint, then 
you could test the backup server at load. You can even then leave the data 
there while you do the swing migration sometime in the future.

Mike

From: David Lum [mailto:david@nwea.org]
Sent: 09 January 2012 15:37
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

I've had their SBS 2K3 on a VM for a long time now (it's on non-R2 Server 2008 
Hyper-V, if that's any indication) and I have confirmed I can stand up the SBS 
VM on VMHOST2 from backups (never have tested external logins or other 
functionality yet though - that's next week). The SATA speed on VMHOST2 is such 
that it doesn't boot much slower than on VMHOST1; it's performance with more 
than 5 folks hooked to it that I am not sure of.

An upgrade to SBS2011 is actually some of the driving force as they already 
have purchased it - I am going to upgrade the VMHOST1 OS to 2008 R2 and the 
vendor that their AR software runs on (Springbrook, and they're scheduled to 
upgrade their software this month as well) recommends with RAID1 or RAID 10 and 
specifically discourages RAID5. Their VMHOST1 server is on RAID5, so I am going 
to add a disk and change to a pair of RAID1 volumes, which requires completely 
flattening the existing Hyper-V config, which also means I need to be REALLY 
comfortable with the DR on their SBS server :). VMHOST2 is a little older 
(PowerEdge SC1435, circa 2007), but still has enough oomph (12GB RAM, a dual 
core AMD Opteron's) to be serviceable.

Once I get the host OS upgraded to R2 I will buy one of the swing kits from 
SBSMIGRATION. I have done a swing migration just once before, and it was 
actually from a standard domain/Exchange onto the SBS 2K3 platform (different 
client).

Q: Can you put a hold on the email flow into the system?
A: Yes, their e-mail hits a Barracuda device first

Q: Can you break the server data into other places i.e. a drive on a NAS box 
which keeps a copy of the user data for while they are switching over?
A: I have a NAS box (but it's not NTFS) as well as VMHOST2. Not fully following 
you here though...

Dave


From: Mike Hoffman [mailto:m...@drumbrae.net]
Sent: Monday, January 09, 2012 6:26 AM
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

Remember that SBS2K3 is not supported by MS in a virtual environment - but does 
work. Have you considered doing a proper DR practice to see what happens?

You might be in a better position than you think. If you have Shadow Copy on 
the drives and can access the Exchange store then you will have a much smaller 
window of data loss - as long as you can get the raw VM data across.

Can you put a hold on the email flow into the system? Can you break the server 
data into other places i.e. a drive on a NAS box which keeps a copy of the user 
data for while they are switching over?

I would look to planning an upgrade to SBS 2011, if not for now then for soon. 
Take a look at the swing migration options as you are really talking about a 
hardware swing in a DR scenario - you can keep the plates spinning while you 
move what you need to without a major impact.

Sounds like VMHost2 is much older and therefore slower, but an upgrade might be 
cost effective.

I would test the DR option and see if they are happy with performance. You 
could stop email, turn off all machines, run backup, turn off old box, start 
backup box and then start desktops to see how it runs - if enough data is 
cached then it might be fine after a slow logon for users.

Mike

From: David Lum [mailto:david@nwea.org]
Sent: 09 January 2012 05:47
To: NT System Admin Issues
Subject: Fun with Hyper-V - and failover hardware Q's

I have a client with SBS 2K3 (VM-SBS1) that's VM'd on a 2K8 (non-R2) server 
(VMHOST1). I now nightly have it shooting backups of VM-SBS1 VHD's to a 2008 R2 
Hyper-V server (VMHOST2) at 6PM. I have the R2 server configured to use these 
disks as a VM on it (VM-SBS1-SPARE) and this VM will always be off. Both 
VMHOST servers have local storage only, no SAN. But by doing backups this way 
my thinking is worst case scenario if VMHOST1 or VM-SBS1 get KIA I simply spool 
up VM-SBS1-SPARE and away I go. The worst case scenario is the live servers die 
at 5:58PM and my client loses 1 day of data.

While this puts me miles ahead of where I had been (previously the best I had 
was local eSATA backup which takes 3 hours to copy back local), there is the 
not insignificant issue that VMHOST2 has RAID1 SATA drives whereas VMHOST1 has 
RAID5 SAS 15K RPM drives. Performance will suck, and in fact I'm not sure WHAT 
kind of performance this would have with Exchange and SQL and 55 users hooked 
to it. I am assuming it would be better than nothing, but...
How much should I be concerned with 

RE: Searching for SCCM MVP's or Guru's to answer this question

2012-01-10 Thread Rod Trent
You saw this, I'm guessing?

 

http://technet.microsoft.com/en-us/library/cc431377.aspx 

 

BTW: If you're using ConfigMgr, you might want to check out myITforum.com

 

From: ed ziots [mailto:ezi...@hotmail.com] 
Sent: Tuesday, January 10, 2012 11:47 AM
To: NT System Admin Issues
Subject: Searching for SCCM MVP's or Guru's to answer this question

 

 
Trying to find out why SCCM is using WebDAV to communicate with endpoints.
The configuration of SCCM in its install state is causing PCI scans to fail
because the PROPFIND method is enabled on IIS 7.5 and the configuration is
to allow anonymous access and to anywhere in the path of allowed files. 
 
Disabling the PROPFIND method breaks WebDAV, which breaks a part of SCCM.
For those that have SCCM running in a PCI environment, have you run across
this before with a Qualys scan, and what might be done about it to close up
the issue?
 
Sincerely,
EZ


Edward E. Ziots 
Senior Informational Security Engineer
CISSP,Security +,Network+ 




Re: bougt the book

2012-01-10 Thread Webster
Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and got the Kindle, 
epub, and PDF versions.  Copy those files to the appropriate devices and I have 
Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! :)

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean…buy the book? Get out…

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian’s homegrown glue is reference 
is fairly spot on :)

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, January 04, 2012 2:00 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Wait – Concur is telling us we need ADFS 2.0 to use SAML. How do you do it 
without ADFS?

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, January 04, 2012 1:01 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Ditto.

We went from our old internal hosted to external Concur last year using SAML 
for authN. No ADFS.

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, January 04, 2012 7:01 AM
To: NT System Admin Issues
Subject: Re: Concur for expense management

the 2003 to 2003 R2 is very simple. More like adding additional features, than 
a true OS upgrade. You should be fine. No issues.

We use Concur here, but do not have federation services configured.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: David Lum david@nwea.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/04/2012 09:17 AM
Subject: Concur for expense management




Does anyone here use Concur for expense management? I need to configure 
Federation with them and they sent me a SAML document and it looks like I need 
to install ADFS…which requires 2003 R2 and we don’t have any 2003 R2 servers, 
ours are straight 2003. It’s not a big deal to stand up a 2003 R2 DC in a 2003 
domain is it? Is an in-place upgrade possible? I seem to think on the 2003 
versions, 2003 and 2003 R2 are very similar.
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: IIS 6.0 Security

2012-01-10 Thread Richard McClary
Thanks!

I did find a patch or two on the Citrix site I'll need to run.  The claim is, 
it deals with the TLS Renegotiation vulnerability.

I guess I'll find out what all works after the scan.  This is a very promising 
start, however.

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 10:50 AM
To: NT System Admin Issues
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 - I don't know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron...

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note - the server 
is accessed via web through a MIP's IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet...
-
richard


Re: Expaning Subnet again

2012-01-10 Thread Stefan Jafs
No I did not, but I got the idea; I used the Advanced Subnet Calculator
that shows me all my IPs.

Now I'm fighting with my switches to change to /22; looks like on my Dell
switches I have to connect the cable and do it from the CLI command line,
can't edit the IP in the GUI!

Stefan

On Tue, Jan 10, 2012 at 11:36 AM, Micheal Espinola Jr 
michealespin...@gmail.com wrote:

 Are you guessing, or did you try writing it out as explained to you?

 --
 Espi





 On Tue, Jan 10, 2012 at 7:37 AM, Stefan Jafs stefan.j...@gmail.com wrote:

 So for me  *.255 are usable except 3.255, correct?

 Stefan

 On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG jhea...@dfg.ca.gov
 wrote:
  .255 is broadcast
 
   Not always.
 
  Very true, if we go and break up a class C, that is absolutely true.
  But,
  seeing as he's going the other way, and making the subnet bigger, not
 smaller...

  .255 is still not always the broadcast address.  For example, in a
 /23, there will be two addresses where the dotted-decimal ends in
 .255.  One will be the broadcast address, and the other will just be
 a regular host.

 -- Ben





 --
 Stefan Jafs





-- 
Stefan Jafs
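
Ben Scott's point about .255, worked through for the /22 discussed above, as an added example that is not part of the original thread. The 192.168.0.0/22 and 10.0.0.0/23 networks and the host 192.168.1.50 are assumed sample values (the thread does not give the real addresses); the second function shows what a device left on the old /24 mask gets wrong after the subnet is widened.

```python
import ipaddress


def edge_addresses(cidr):
    """Classify every address in `cidr` whose last octet is 0 or 255.

    Returns {address: role} where role is "network", "broadcast" or "host".
    """
    net = ipaddress.ip_network(cidr, strict=True)
    roles = {}
    for addr in net:  # iterates all addresses, including network and broadcast
        if (int(addr) & 0xFF) not in (0, 255):
            continue
        if addr == net.network_address:
            roles[str(addr)] = "network"
        elif addr == net.broadcast_address:
            roles[str(addr)] = "broadcast"
        else:
            roles[str(addr)] = "host"
    return roles


def stale_mask_view(host, old_prefix, new_prefix):
    """Compare what a device still configured with the old prefix believes
    against the widened subnet that everything else now uses."""
    old = ipaddress.ip_interface(f"{host}/{old_prefix}").network
    new = ipaddress.ip_interface(f"{host}/{new_prefix}").network
    return {
        "believed_broadcast": str(old.broadcast_address),
        "real_broadcast": str(new.broadcast_address),
        "broadcast_is_wrong": old.broadcast_address != new.broadcast_address,
        # On-link addresses the stale device treats as remote and sends to
        # its gateway instead of resolving directly.
        "addresses_seen_as_remote": new.num_addresses - old.num_addresses,
    }


if __name__ == "__main__":
    # Constructed sample networks, not taken from the thread.
    for cidr in ("10.0.0.0/23", "192.168.0.0/22"):
        print(cidr)
        for addr, role in edge_addresses(cidr).items():
            print(f"  {addr:<16} {role}")
    print(stale_mask_view("192.168.1.50", 24, 22))
```

Any switch, printer or ACL entry that still carries the old mask after the change shows up the same way, so it is worth checking every statically configured device rather than only the DHCP scope.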


Re: A poll, of sorts...

2012-01-10 Thread Andrew S. Baker
* minimum 10 characters in length, with no expiration, no history and
no minimum age?*

When I determine what would make me comfortable with the above, I'll let
you know.

In the meantime, I'll echo the "why" question you've already been asked...

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Mon, Jan 9, 2012 at 11:31 PM, Kurt Buff kurt.b...@gmail.com wrote:

 All,

 In the interest of curiosity, I have a theoretical question for your
 consideration and debate...

 What measures would you need to see in place in a small business
 (fewer than 500 users) to feel comfortable with setting a password
 policy that sets standard complexity (that is, at least three of the
 standard four character types - UC, LC, numeric and special),
 minimum 10 characters in length, with no expiration, no history and no
 minimum age?

 Assume a Win2k8R2 single domain forest.

 Kurt




Re: IIS 6.0 Security

2012-01-10 Thread Webster
I am checking.  Please hold for the next available Citrix support person.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Michael Smith mich...@smithcons.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:49:40 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 – I don’t know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron…

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note – the server 
is accessed via web through a MIP’s IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet…
-
richard


RE: Related to my Domain Admin thread

2012-01-10 Thread David Lum
Cool. I already have some AD groups created for some of these kinds of things. 
Some need to be able to create user and workstation accounts, does it make 
sense to have two different groups? One for creating machine and another for 
user? Don't think I'll have a situation where anyone would need one capability 
but not another, doesn't mean it won't happen.

The other thing I see is they want local admin access to servers in case 
there's some hardware/software issue. I have that handled via restricted groups 
for the Service Desk team, but what the SEs get me with is "what if it's a DC?" 
Same for being able to do a file restore.

Dave

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, January 10, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Yes best practice is not to use them. They have all sorts of little bits of 
extra access floating around in weird places, and they cause adminSDHolder to 
apply to accounts that probably shouldn't be covered. Do the legwork and 
delegate exactly what you need to groups - even better do it in logical 
groupings of access (e.g. reset password, account unlock, update personal info, 
etc.), and then you can just add people to groups when they need the access.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 10:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Theoretically, built-in groups are historical in nature (i.e., carryovers from 
NT4.0 and previous) and should not be used going forward.

All of their capabilities are reproducible via delegation and GPOs and User 
Rights Assignments.

But I don't think they are going anywhere. Brian Desmond may have more insight 
than I do on this topic.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: Related to my Domain Admin thread

Best practice to not add users to a builtin group?

Account Operators: By default, this built-in group has no members. It can 
create and manage users and groups in the domain, but it cannot manage service 
administrator accounts. As a best practice, do not add members to this group, 
and do not use it for any delegated administration.

http://technet.microsoft.com/en-us/library/cc700835.aspx
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Re: bougt the book

2012-01-10 Thread Damien Solodow
What's the title?
--
Sent using BlackBerry


From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 12:13 PM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: bougt the book

Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and got the Kindle, 
epub, and PDF versions.  Copy those files to the appropriate devices and I have 
Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! ☺

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean…buy the book? Get out…

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian’s homegrown glue is reference 
is fairly spot on ☺

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, January 04, 2012 2:00 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Wait – Concur is telling us we need ADFS 2.0 to use SAML. How do you do it 
without ADFS?

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, January 04, 2012 1:01 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Ditto.

We went from our old internal hosted to external Concur last year using SAML 
for authN. No ADFS.

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, January 04, 2012 7:01 AM
To: NT System Admin Issues
Subject: Re: Concur for expense management

the 2003 to 2003 R2 is very simple. More like adding additional features, than 
a true OS upgrade. You should be fine. No issues.

We use Concur here, but do not have federation services configured.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: David Lum david@nwea.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/04/2012 09:17 AM
Subject: Concur for expense management




Does anyone here use Concur for expense management? I need to configure 
Federation with them and they sent me a SAML document and it looks like I need 
to install ADFS…which requires 2003 R2 and we don’t have any 2003 R2 servers, 
ours are straight 2003. It’s not a big deal to stand up a 2003 R2 DC in a 2003 
domain is it? Is an in-place upgrade possible? I seem to think on the 2003 
versions, 2003 and 2003 R2 are very similar.
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: Fun with Hyper-V - and failover hardware Q's

2012-01-10 Thread David Lum
HEY...now there's a thought! User data and Shared folders on the NAS, right? 
It's a Buffalo NAS so it's a little cumbersome to do all the users' folders (no 
NTFS support), but each department (only three of them) has its own S: mapping 
and that wouldn't be too tough to set up.

I hadn't thought of that, thanks!

From: Mike Hoffman [mailto:m...@drumbrae.net]
Sent: Tuesday, January 10, 2012 9:05 AM
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

I was thinking more along the lines of taking the file load off the server 
(onto a NAS device) so that it is just running exchange and SharePoint, then 
you could test the backup server at load. You can even then leave the data 
there while you do the swing migration sometime in the future.

Mike

From: David Lum [mailto:david@nwea.org]
Sent: 09 January 2012 15:37
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

I've had their SBS 2K3 on a VM for a long time now (it's on non-R2 Server 2008 
Hyper-V, if that's any indication) and I have confirmed I can stand up the SBS 
VM on VMHOST2 from backups (never have tested external logins or other 
functionality yet though - that's next week). The SATA speed on VMHOST2 is such 
that it doesn't boot much slower than on VMHOST1; it's performance with more than 5 
folks hooked to it that I am not sure of.

An upgrade to SBS2011 is actually some of the driving force as they already 
have purchased it - I am going to upgrade the VMHOST1 OS to 2008 R2 and the 
vendor that their AR software runs on (Springbrook, and they're scheduled to 
upgrade their software this month as well) recommends with RAID1 or RAID 10 and 
specifically discourages RAID5. Their VMHOST1 server is on RAID5, so I am going 
to add a disk and change to a pair of RAID1 volumes, which requires completely 
flattening the existing Hyper-V config, which also means I need to be REALLY 
comfortable with the DR on their SBS server :). VMHOST2 is a little older 
(PowerEdge SC1435, circa 2007), but still has enough oomph (12GB RAM, a dual 
core AMD Opteron's) to be serviceable.

Once I get the host OS upgraded to R2 I will buy one of the swing kits from 
SBSMIGRATION. I have done a swing migration just once before, and it was 
actually from a standard domain/Exchange onto the SBS 2K3 platform (different 
client).

Q: Can you put a hold on the email flow into the system?
A: Yes, their e-mail hits a Barracuda device first

Q: Can you break the server data into other places i.e. a drive on a NAS box 
which keeps a copy of the user data for while they are switching over?
A: I have a NAS box (but it's not NTFS) as well as VMHOST2. Not fully following 
you here though...

Dave


From: Mike Hoffman [mailto:m...@drumbrae.net]
Sent: Monday, January 09, 2012 6:26 AM
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

Remember that SBS2K3 is not supported by MS in a virtual environment - but does 
work. Have you considered doing a proper DR practice to see what happens?

You might be in a better position than you think. If you have Shadow Copy on 
the drives and can access the Exchange store then you will have a much smaller 
window of data loss - as long as you can get the raw VM data across.

Can you put a hold on the email flow into the system? Can you break the server 
data into other places i.e. a drive on a NAS box which keeps a copy of the user 
data for while they are switching over?

I would look to planning an upgrade to SBS 2011, if not for now then for soon. 
Take a look at the swing migration options as you are really talking about a 
hardware swing in a DR scenario - you can keep the plates spinning while you 
move what you need to without a major impact.

Sounds like VMHost2 is much older and therefore slower, but an upgrade might be 
cost effective.

I would test the DR option and see if they are happy with performance. You 
could stop email, turn off all machines, run backup, turn off old box, start 
backup box and then start desktops to see how it runs - if enough data is 
cached then it might be fine after a slow logon for users.

Mike

From: David Lum [mailto:david@nwea.org]
Sent: 09 January 2012 05:47
To: NT System Admin Issues
Subject: Fun with Hyper-V - and failover hardware Q's

I have a client with SBS 2K3 (VM-SBS1) that's VM'd on a 2K8 (non-R2) server 
(VMHOST1). I now nightly have it shooting backups of VM-SBS1 VHDs to a 2008 R2 
Hyper-V server (VMHOST2) at 6PM. I have the R2 server configured to use these 
disks as a VM on it (VM-SBS1-SPARE) and this VM will always be off. Both 
VMHOST servers have local storage only, no SAN. But by doing backups this way 
my thinking is worst case scenario if VMHOST1 or VM-SBS1 get KIA I simply spool 
up VM-SBS1-SPARE and away I go. The worst case scenario is the live servers die 
at 5:58PM and my client 

Re: bougt the book

2012-01-10 Thread Harry Singh
Showing up late to the party here, but Carl, could you be so kind and
enlighten me as to what you mean by registering your book on O'Reilly?
Being new to the Kindle has me interested in bringing some of my PDFs and
other books to it.

A cursory search on O'Reilly really doesn't provide much info.




On Tue, Jan 10, 2012 at 12:13 PM, Webster webs...@carlwebster.com wrote:

   Brian's book is a very useful resource and reference tool.  (Broken
 record here)  I registered my book on oreilly.com, paid $4.99 and got the
 Kindle, epub, and PDF versions.  Copy those files to the appropriate
 devices and I have Brian's book with me all the time.


Carl Webster

 Consultant and Citrix Technology Professional

 http://www.CarlWebster.com

   From: David Lum david@nwea.org
 Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
 Date: Tue, 10 Jan 2012 16:08:07 +
 To: NT Issues ntsysadmin@lyris.sunbelt-software.com
 Subject: bougt the book

   Book bought. I expect big things Brian! ☺

 Dave

 From: David Lum [mailto:david@nwea.org]
 Sent: Thursday, January 05, 2012 1:07 PM
 To: NT System Admin Issues
 Subject: RE: Concur for expense management

 You mean…buy the book? Get out…

 From: Free, Bob [mailto:r...@pge.com]
 Sent: Thursday, January 05, 2012 11:47 AM
 To: NT System Admin Issues
 Subject: RE: Concur for expense management

 Without going in to all the gory details, Brian’s homegrown glue is
 reference is fairly spot on ☺

 From: David Lum [mailto:david@nwea.org]
 Sent: Wednesday, January 04, 2012 2:00 PM
 To: NT System Admin Issues
 Subject: RE: Concur for expense management

 Wait – Concur is telling us we need ADFS 2.0 to use SAML. How do you do it
 without ADFS?

 From: Free, Bob [mailto:r...@pge.com]
 Sent: Wednesday, January 04, 2012 1:01 PM
 To: NT System Admin Issues
 Subject: RE: Concur for expense management

 Ditto.

 We went from our old internal hosted to external Concur last year using
 SAML for authN. No ADFS.

 From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
 Sent: Wednesday, January 04, 2012 7:01 AM
 To: NT System Admin Issues
 Subject: Re: Concur for expense management

 the 2003 to 2003 R2 is very simple. More like adding additional features,
 than a true OS upgrade. You should be fine. No issues.

 We use Concur here, but do not have federation services configured.


 Chris Bodnar, MCSE, MCITP
 Technical Support III
 Distributed Systems Service Delivery - Intel Services
 Guardian Life Insurance Company of America
 Email: christopher_bod...@glic.com
 Phone: 610-807-6459
 Fax: 610-807-6003



 From: David Lum david@nwea.org
 To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
 Date: 01/04/2012 09:17 AM
 Subject: Concur for expense management




 Does anyone here use Concur for expense management? I need to configure
 Federation with them and they sent me a SAML document and it looks like I
 need to install ADFS…which requires 2003 R2 and we don’t have any 2003 R2
 servers, ours are straight 2003. It’s not a big deal to stand up a 2003 R2
 DC in a 2003 domain is it? Is an in-place upgrade possible? I seem to think
 on the 2003 versions, 2003 and 2003 R2 are very similar.
 David Lum
 Systems Engineer // NWEA™
 Office 503.548.5229 // Cell (voice/text) 503.267.9764
   


RE: bougt the book

2012-01-10 Thread Michael B. Smith
Active Directory.
(Fourth edition)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Damien Solodow [mailto:damien.solo...@harrison.edu]
Sent: Tuesday, January 10, 2012 12:48 PM
To: NT System Admin Issues
Subject: Re: bougt the book

What's the title?
--
Sent using BlackBerry


From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 12:13 PM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: bougt the book

Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and got the Kindle, 
epub, and PDF versions.  Copy those files to the appropriate devices and I have 
Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! ☺

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean…buy the book? Get out…

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian’s homegrown glue is reference 
is fairly spot on ☺

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, January 04, 2012 2:00 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Wait – Concur is telling us we need ADFS 2.0 to use SAML. How do you do it 
without ADFS?

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, January 04, 2012 1:01 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Ditto.

We went from our old internal hosted to external Concur last year using SAML 
for authN. No ADFS.

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, January 04, 2012 7:01 AM
To: NT System Admin Issues
Subject: Re: Concur for expense management

the 2003 to 2003 R2 is very simple. More like adding additional features, than 
a true OS upgrade. You should be fine. No issues.

We use Concur here, but do not have federation services configured.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: David Lum david@nwea.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/04/2012 09:17 AM
Subject: Concur for expense management




Does anyone here use Concur for expense management? I need to configure 
Federation with them and they sent me a SAML document and it looks like I need 
to install ADFS…which requires 2003 R2 and we don’t have any 2003 R2 servers, 
ours are straight 2003. It’s not a big deal to stand up a 2003 R2 DC in a 2003 
domain is it? Is an in-place upgrade possible? I seem to think on the 2003 
versions, 2003 and 2003 R2 are very similar.
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Re: IIS 6.0 Security

2012-01-10 Thread Webster
From what I can find, SSL v3 support is already there in just about every 
recent Citrix product.

http://support.citrix.com/proddocs/topic/xenapp65-sec/ps-sec-tls-ssl-protocols-xa6.html

http://support.citrix.com/proddocs/topic/xenapp65-sec/ps-sec-considerations-xa-deployment-xa6.html

When you publish a resource, on the Client Options screen, you can Enable SSL 
and TLS.  This will use SSL v3 OR TLS 1.0.  Both will use the same server 
certificate.

Citrix Secure Gateway also allows the use of TLS v1 or SSL v3 and TLS v1.

I am surprised that security audits for a Citrix XenApp environment never catch 
that SSLRelay is not in use to secure traffic between the various servers.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Carl Webster webs...@carlwebster.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 17:38:12 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: IIS 6.0 Security

I am checking.  Please hold for the next available Citrix support person.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Michael Smith mich...@smithcons.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:49:40 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 – I don’t know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron…

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note – the server 
is accessed via web through a MIP’s IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet…
-
richard


Re: bougt the book

2012-01-10 Thread Webster
http://briandesmond.com/blog/active-directory-4th-edition/



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Damien Solodow damien.solo...@harrison.edu
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 17:47:35 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: bougt the book

What's the title?
--
Sent using BlackBerry


From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 12:13 PM
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: bougt the book

Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and got the Kindle, 
epub, and PDF versions.  Copy those files to the appropriate devices and I have 
Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! :)

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean…buy the book? Get out…

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian’s homegrown glue is reference 
is fairly spot on :)

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, January 04, 2012 2:00 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Wait – Concur is telling us we need ADFS 2.0 to use SAML. How do you do it 
without ADFS?

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, January 04, 2012 1:01 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Ditto.

We went from our old internal hosted to external Concur last year using SAML 
for authN. No ADFS.

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, January 04, 2012 7:01 AM
To: NT System Admin Issues
Subject: Re: Concur for expense management

the 2003 to 2003 R2 is very simple. More like adding additional features, than 
a true OS upgrade. You should be fine. No issues.

We use Concur here, but do not have federation services configured.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: David Lum david@nwea.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/04/2012 09:17 AM
Subject: Concur for expense management




Does anyone here use Concur for expense management? I need to configure 
Federation with them and they sent me a SAML document and it looks like I need 
to install ADFS…which requires 2003 R2 and we don’t have any 2003 R2 servers, 
ours are straight 2003. It’s not a big deal to stand up a 2003 R2 DC in a 2003 
domain is it? Is an in-place upgrade possible? I seem to think on the 2003 
versions, 2003 and 2003 R2 are very similar.
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 //Cell (voice/text) 503.267.9764



RE: Related to my Domain Admin thread

2012-01-10 Thread Kennedy, Jim
Split it in two. Interns or a vendor setting up new computers won't need to 
make user accounts. Maybe someday you will want HR to make new employee user 
accounts.


From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 12:47 PM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Cool. I already have some AD groups created for some of these kinds of things. 
Some need to be able to create user and workstation accounts, does it make 
sense to have two different groups? One for creating machine and another for 
user? Don't think I'll have a situation where anyone would need one capability 
but not another, doesn't mean it won't happen.

The other thing I see is they want local admin access to servers in case 
there's some hardware/software issue, I have that handled via restricted groups 
for the Service Desk team but what SE's  get me with is what if it's a DC?. 
Same for being able to do a file restore.

Dave

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, January 10, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Yes best practice is not to use them. They have all sorts of little bits of 
extra access floating around in weird places, and they cause adminSDHolder to 
apply to accounts that probably shouldn't be covered. Do the legwork and 
delegate exactly what you need to groups - even better do it in logical 
groupings of access (e.g. reset password, account unlock, update personal info, 
etc.), and then you can just add people to groups when they need the access.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 10:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Theoretically, built-in groups are historical in nature (i.e., carryovers from 
NT4.0 and previous) and should not be used going forward.

All of their capabilities are reproducible via delegation and GPOs and User 
Rights Assignments.

But I don't think they are going anywhere. Brian Desmond may have more insight 
than I do on this topic.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: Related to my Domain Admin thread

Best practice to not add users to a builtin group?

Account Operators: By default, this built-in group has no members. It can 
create and manage users and groups in the domain, but it cannot manage service 
administrator accounts. As a best practice, do not add members to this group, 
and do not use it for any delegated administration.

http://technet.microsoft.com/en-us/library/cc700835.aspx
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: Fun with Hyper-V - and failover hardware Q's

2012-01-10 Thread Kennedy, Jim
You could attach the Buffalo NAS to the front end of a Windows Server. The 
server will handle ntfs for you.  ISCSI Initiator is what you are looking for 
on the server. Don't know the Buffalo NAS's to say they support it, so check 
into that part. Basically is just a network SCSI connection to the server...so 
the NAS ends up being another drive on the server.

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 12:48 PM
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

HEY...now there's a thought! User data and Shared folders on the NAS right? 
It's a Buffalo NAS so it's a little cumbersome to do all the users folders (no 
NTFS support), but each department (only three of them) has its own S: mapping 
and that wouldn't be too tough to set up.

I hadn't thought of that, thanks!

From: Mike Hoffman [mailto:m...@drumbrae.net]
Sent: Tuesday, January 10, 2012 9:05 AM
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

I was thinking more along the lines of taking the file load off the server 
(onto a NAS device) so that it is just running exchange and SharePoint, then 
you could test the backup server at load. You can even then leave the data 
there while you do the swing migration sometime in the future.

Mike

From: David Lum [mailto:david@nwea.org]
Sent: 09 January 2012 15:37
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

I've had their SBS 2K3 on a VM for a long time now (it's on non-R2 Server 2008 
Hyper-V, if that's any indication) and I have confirmed I can stand up the SBS 
VM on VMHOST2 from backups (never have tested external logins or other 
functionality yet though - that's next week). The SATA speed on VMHOST2 is such 
doesn't boot much slower than on VMHOST1, it's performance with more than 5 
folks hooked to it that I am not sure of.

An upgrade to SBS2011 is actually some of the driving force as they already 
have purchased it - I am going to upgrade the VMHOST1 OS to 2008 R2 and the 
vendor that their AR software runs on (Springbrook, and they're scheduled to 
upgrade their software this month as well) recommends with RAID1 or RAID 10 and 
specifically discourages RAID5. Their VMHOST1 server is on RAID5, so I am going 
to add a disk and change to a pair of RAID1 volumes, which requires completely 
flattening the existing Hyper-V config, which also means I need to be REALLY 
comfortable with the DR on their SBS server :). VMHOST2 is a little older 
(PowerEdge SC1435, circa 2007), but still has enough oomph (12GB RAM, a dual 
core AMD Opteron's) to be serviceable.

Once I get the host OS upgraded to R2 I will buy one of the swing kits from 
SBSMIGRATION. I have done a swing migration just once before, and it was 
actually from a standard domain/Exchange onto the SBS 2K3 platform (different 
client).

Q: Can you put a hold on the email flow into the system?
A: Yes, their e-mail hits a Barracuda device first

Q: Can you break the server data into other places i.e. a drive on a NAS box 
which keeps a copy of the user data for while they are switching over?
A: I have a NAS box (but it's not NTFS) as well as VMHOST2. Not fully following 
you here though...

Dave


From: Mike Hoffman [mailto:m...@drumbrae.net]
Sent: Monday, January 09, 2012 6:26 AM
To: NT System Admin Issues
Subject: RE: Fun with Hyper-V - and failover hardware Q's

Remember that SBS2K3 is not supported by MS in a virtual environment - but does 
work. Have you considered doing a proper DR practice to see what happens?

You might be in a better position than you think. If you have Shadow Copy on 
the drives and can access the Exchange store then you will have a much smaller 
window of data loss - as long as you can get the raw VM data across.

Can you put a hold on the email flow into the system? Can you break the server 
data into other places i.e. a drive on a NAS box which keeps a copy of the user 
data for while they are switching over?

I would look to planning an upgrade to SBS 2011, if not for now then for soon. 
Take a look at the swing migration options as you are really talking about a 
hardware swing in a DR scenario - you can keep the plates spinning while you 
move what you need to without a major impact.

Sounds like VMHost2 is much older and therefore slower, but an upgrade might be 
cost effective.

I would test the DR option and see if they are happy with performance. You 
could stop email, turn off all machines, run backup, turn off old box, start 
backup box and then start desktops to see how it runs - if enough data is 
cached then it might be fine after a slow logon for users.

Mike

From: David Lum [mailto:david@nwea.org]
Sent: 09 January 2012 05:47
To: NT System Admin Issues
Subject: Fun with Hyper-V - and failover hardware Q's

I have a 

Re: OT - Home Router ideas?

2012-01-10 Thread Andrew S. Baker
Those are his only needs?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!





Re: bougt the book

2012-01-10 Thread Webster
You have to create an account on the site, login to the account and you will 
see Register Print Books.  They are hooked up with Microsoft Press, so I 
registered all my MS Press books, paid $4.99 each and now have them all on my 
Kindle, iPad and the PDFs in a folder on every computer.  O'Reilly is VERY good 
about updating the e versions when they make corrections and updates.  They 
send you an e-mail and you can download the updated e files.  Well worth the 
$4.99 IMNSHO.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Harry Singh hbo...@gmail.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 12:51:33 -0500
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: bougt the book

Showing up late to the party here, but Carl could you be so kind and enlighten 
me as to what you mean by registering your book on o'reilly? Being new to 
the Kindle has me interested in bringing some of my PDF's and other books to it.

A cursory search on o'reilly really doesn't provide much info.




On Tue, Jan 10, 2012 at 12:13 PM, Webster webs...@carlwebster.com wrote:
Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and 
got the Kindle, epub, and PDF versions.  Copy those files to the appropriate 
devices and I have Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! :)

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean…buy the book? Get out…

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian’s homegrown glue is reference 
is fairly spot on :)



RE: IIS 6.0 Security

2012-01-10 Thread Richard McClary
Thanks!

Went to your web site, but 4.5 seems to be too old for anything there.

I think I have all but the microsoft iis content location internal ip address 
leak taken care of, and I have a bunch of tabs open concerning that.

I'll find out for sure what has been taken care of after this upcoming scan...

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 11:38 AM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am checking.  Please hold for the next available Citrix support person.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Michael Smith mich...@smithcons.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:49:40 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 - I don't know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron...

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note - the server 
is accessed via web through a MIP's IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet...
-
richard



The information contained in this e-mail, and any attachments hereto, is from 
The American Society for the Prevention of Cruelty to Animals® (ASPCA®) and 
is intended only for use by the addressee(s) named herein and may contain 
legally privileged and/or confidential information. If you are not the intended 
recipient of this e-mail, you are hereby notified that any dissemination, 
distribution, copying or use of the contents of this e-mail, and any 
attachments hereto, is strictly prohibited. If you have received this e-mail in 
error, please immediately notify me by reply email and permanently delete the 
original and any copy of this e-mail and any printout thereof.
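A way to check captured response headers for the "Content Location Internal IP Address Leak" finding before the rescan, as an added example that is not part of any list message. The sample responses, their addresses and the `apps.example.org` host name are constructed, and treating `Location` the same way as `Content-Location` is an assumption (the scan finding names only `Content-Location`).

```python
import ipaddress
from urllib.parse import urlsplit

# Headers whose value is a URL. "location" is included as an assumption;
# the scan finding quoted in the thread names only Content-Location.
URL_HEADERS = ("content-location", "location")


def parse_headers(raw_response):
    """Return (status_line, [(name, value), ...]) from a raw HTTP response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def internal_address_leaks(raw_response):
    """List (header, address) pairs where a URL header names a non-public IP literal."""
    _, headers = parse_headers(raw_response)
    leaks = []
    for name, value in headers:
        if name not in URL_HEADERS:
            continue
        host = urlsplit(value).hostname
        if host is None:
            continue  # relative URL, nothing to leak
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a DNS name, not an address literal
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            leaks.append((name, str(addr)))
    return leaks


# Constructed sample responses (not captured from any real server).
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Content-Location: http://10.1.2.3/Default.htm\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 0\r\n\r\n"
)
REDIRECT = (
    "HTTP/1.1 302 Object moved\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Location: http://192.168.10.5/Citrix/\r\n"
    "Content-Length: 0\r\n\r\n"
)
FIXED = LEAKY.replace("10.1.2.3", "apps.example.org")

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("redirect", REDIRECT), ("fixed", FIXED)):
        print(label, internal_address_leaks(raw))
```
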

RE: bougt the book

2012-01-10 Thread Mathew Shember
But is it autographed?

:p

Didn't know there was a kindle version.  Think my copy might be outdated.  Time 
for a new one. :)




From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 9:14 AM
To: NT System Admin Issues
Subject: Re: bougt the book

Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and got the Kindle, 
epub, and PDF versions.  Copy those files to the appropriate devices and I have 
Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! :)

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean...buy the book? Get out...

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian's homegrown glue is reference 
is fairly spot on :)

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, January 04, 2012 2:00 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Wait - Concur is telling us we need ADFS 2.0 to use SAML. How do you do it 
without ADFS?

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, January 04, 2012 1:01 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Ditto.

We went from our old internal hosted to external Concur last year using SAML 
for authN. No ADFS.

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, January 04, 2012 7:01 AM
To: NT System Admin Issues
Subject: Re: Concur for expense management

the 2003 to 2003 R2 is very simple. More like adding additional features, than 
a true OS upgrade. You should be fine. No issues.

We use Concur here, but do not have federation services configured.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: David Lum david@nwea.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/04/2012 09:17 AM
Subject: Concur for expense management




Does anyone here use Concur for expense management? I need to configure 
Federation with them and they sent me a SAML document and it looks like I need 
to install ADFS...which requires 2003 R2 and we don't have any 2003 R2 servers, 
ours are straight 2003. It's not a big deal to stand up a 2003 R2 DC in a 2003 
domain is it? Is an in-place upgrade possible? I seem to think on the 2003 
versions, 2003 and 2003 R2 are very similar.
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764



Re: Expaning Subnet again

2012-01-10 Thread Don Ely
 No I'm fighting with my switches to change to  /22, looks like my Dell
switches I have to connect the cable and do it from the CLI command line,
can't edit the IP in the GUI! 

That's for a very good reason that most networking experts would understand
without even attempting...

On Tue, Jan 10, 2012 at 9:24 AM, Stefan Jafs stefan.j...@gmail.com wrote:

 No I did not but i got the idea, i used the Advanced Subnet Calculator
 that shows me all my IP's.

 No I'm fighting with my switches to change to  /22, looks like my Dell
 switches I have to connect the cable and do it from the CLI command line,
 can't edit the IP in the GUI!

 Stefan

 On Tue, Jan 10, 2012 at 11:36 AM, Micheal Espinola Jr 
 michealespin...@gmail.com wrote:

 Are you guessing, or did you try writing it out as explained to you?

 --
 Espi





 On Tue, Jan 10, 2012 at 7:37 AM, Stefan Jafs stefan.j...@gmail.com wrote:

 So for me *.255 are usable except 3.255, correct?

 Stefan

 On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG jhea...@dfg.ca.gov
 wrote:
  .255 is broadcast
 
   Not always.
 
  Very true, if we go and break up a class C, that is absolutely true.
  But,
  seeing as he's going the other way, and making the subnet bigger, not
 smaller...

  .255 is still not always the broadcast address.  For example, in a
 /23, there will be two addresses where the dotted-decimal ends in
 .255.  One will be the broadcast address, and the other will just be
 a regular host.

 -- Ben





 --
 Stefan Jafs





 --
 Stefan Jafs



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

Re: OT - Home Router ideas?

2012-01-10 Thread Jonathan Link
What's wrong with pulling the plug?



On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

 Those are his only needs?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!



RE: Related to my Domain Admin thread

2012-01-10 Thread Brian Desmond
Yes split all those up.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Cool. I already have some AD groups created for some of these kinds of things. 
Some need to be able to create user and workstation accounts, does it make 
sense to have two different groups? One for creating machine and another for 
user? Don't think I'll have a situation where anyone would need one capability 
but not another, doesn't mean it won't happen.

The other thing I see is they want local admin access to servers in case 
there's some hardware/software issue, I have that handled via restricted groups 
for the Service Desk team but what SE's  get me with is what if it's a DC?. 
Same for being able to do a file restore.

Dave

From: Brian Desmond [mailto:br...@briandesmond.com]
Sent: Tuesday, January 10, 2012 8:55 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Yes best practice is not to use them. They have all sorts of little bits of 
extra access floating around in weird places, and they cause adminSDHolder to 
apply to accounts that probably shouldn't be covered. Do the legwork and 
delegate exactly what you need to groups - even better do it in logical 
groupings of access (e.g. reset password, account unlock, update personal info, 
etc.), and then you can just add people to groups when they need the access.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 10:47 AM
To: NT System Admin Issues
Subject: RE: Related to my Domain Admin thread

Theoretically, built-in groups are historical in nature (i.e., carryovers from 
NT4.0 and previous) and should not be used going forward.

All of their capabilities are reproducible via delegation and GPOs and User 
Rights Assignments.

But I don't think they are going anywhere. Brian Desmond may have more insight 
than I do on this topic.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: David Lum [mailto:david@nwea.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: Related to my Domain Admin thread

Best practice to not add users to a builtin group?

Account Operators: By default, this built-in group has no members. It can 
create and manage users and groups in the domain, but it cannot manage service 
administrator accounts. As a best practice, do not add members to this group, 
and do not use it for any delegated administration.

http://technet.microsoft.com/en-us/library/cc700835.aspx
David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764


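The split discussed in this thread (one group per task instead of Account Operators), sketched as an added example that is not from any poster. The OU, domain and group names are assumptions; the script only builds the dsacls command lines so they can be reviewed before anyone runs them.

```powershell
# Added example: one delegation group per task, each with only the rights
# that task needs. All names below are assumed, not taken from the thread.
$TargetOU = 'OU=Staff,DC=example,DC=com'   # assumed OU holding the accounts
$Domain   = 'EXAMPLE'                      # assumed NetBIOS domain name

# dsacls permission bits: CA = control access (extended right),
# RP/WP = read/write property, CC/DC = create/delete child object.
# Inherit 'S' = sub-objects only, 'T' = this object and sub-objects.
$Delegations = @(
    [pscustomobject]@{
        Group   = 'Deleg-ResetPassword'
        Inherit = 'S'
        Rights  = @('CA;Reset Password;user', 'RPWP;pwdLastSet;user')
    }
    [pscustomobject]@{
        Group   = 'Deleg-UnlockAccount'
        Inherit = 'S'
        Rights  = @('RPWP;lockoutTime;user')
    }
    [pscustomobject]@{
        Group   = 'Deleg-CreateUser'
        Inherit = 'T'
        Rights  = @('CCDC;user')
    }
    [pscustomobject]@{
        Group   = 'Deleg-CreateComputer'
        Inherit = 'T'
        Rights  = @('CCDC;computer')
    }
)

function Get-DelegationCommand {
    # Returns one dsacls command line per granted right; nothing is executed.
    param(
        [string]$OU,
        [string]$Domain,
        [object[]]$Delegations
    )
    foreach ($d in $Delegations) {
        foreach ($right in $d.Rights) {
            'dsacls "{0}" /I:{1} /G "{2}\{3}:{4}"' -f $OU, $d.Inherit, $Domain, $d.Group, $right
        }
    }
}

# Print the commands for review.
Get-DelegationCommand -OU $TargetOU -Domain $Domain -Delegations $Delegations
```

Keeping user creation and computer creation in separate groups costs nothing up front: a person who needs both is simply added to both groups.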

Re: OT - How to determine vCPU over-commit in VMware ESX 4.1 - MORE

2012-01-10 Thread Mike Leone

Here's what I decided to go with (for now): (snipped)

==

$ESXHost            = '- - - -'   # host name redacted in the original post
$ESX                = Get-VMHost $ESXHost
$ESXHostTotalCPUMHz = $ESX.CPUTotalMHz
$ESXHostNumCPU      = $ESX.NumCPU
# MHz available per physical core on this host
$ESXHostCPUMHz      = $ESX.CPUTotalMHz / $ESX.NumCPU

# $StartOfMonth and $EndOfMonth are set in a part of the script that was snipped
ForEach ($VM_Server in (Get-VM))
{
    $VMname             = $VM_Server
    $VMConfiguredMemMB  = $VMname.MemoryMB
    $VMConfiguredCPUMHz = $VMname.NumCPU * $ESXHostCPUMHz

    # Two-hour samples for the month
    $MonthlyMemUsageStats = Get-Stat -Entity $VMname -Stat mem.usage.average `
        -Start $StartOfMonth -Finish $EndOfMonth -IntervalMins 120
    $MonthlyCPUUsageStats = Get-Stat -Entity $VMname -Stat cpu.usageMHz.average `
        -Start $StartOfMonth -Finish $EndOfMonth -IntervalMins 120

    # Highest sampled memory use, as a percentage and in MB
    $MaxAvgMemUsedPct = [system.math]::round(($MonthlyMemUsageStats | Measure-Object -Property Value -Maximum).maximum,2)
    $MaxAvgMemUsedMB  = [system.math]::round(($MaxAvgMemUsedPct / 100.00) * $VMConfiguredMemMB,0)
    # Configured memory divided by peak memory used
    $MemOverCommitMB  = [system.math]::round(($VMConfiguredMemMB / $MaxAvgMemUsedMB),2)

    # Highest sampled CPU use in MHz, and configured MHz divided by that peak
    $MaxAvgCPUUsedMHz = [system.math]::round(($MonthlyCPUUsageStats | Measure-Object -Property Value -Maximum).maximum,2)
    $CPUOverCommitMHz = [system.math]::round(($VMConfiguredCPUMHz / $MaxAvgCPUUsedMHz),2)

    # (rest of the loop body, including the output lines, snipped in the original post)
}

==
This gives me output like this:
VM NAME: mem allocated: 4096MB. Highest AVG Mem [MB]: 1198MB; 
Overcommit= 3.42
VM NAME: CPU MHz allocated: 4528MHz. Highest AVG CPU [MHz]: 1059MHz; 
Overcommit= 4.28


And I'm thinking that any memory overcommit of 1.5+ will be reported 
(more than 50% memory unneeded is too much). Still debating a CPU 
overcommit percentage  maybe 3? Two might not be enough for a really 
heavy usage period ...
Also still debating how to relate this to reservations/limits for mem 
and CPU, or if we should even set them ...



On 1/10/2012 10:12 AM, Mike Leone wrote:
I am working on a PowerCLI (Powershell with VMware extension) script 
that I want to use to determine memory and vCPU over-commit - i.e., 
that I have allocated too much vCPU or memory to a VM. I can figure 
out the memory easily enough - I take the maximum of the last 30 days 
worth of 2 hour intervals of mem.usage.stat counter, and compare 
that to the amount of memory allocated to the VM (MemoryMB). If 
MemoryMB / Max MemUsed is more than 2.0, then I've allocated more than 
twice what the memory needs of this VM are (based on the last 30 days 
usage), and I should be able to drop down the allocated memory, still 
have enough of a buffer for unusual needs for the VM, and save some 
cluster resources as a reserve.


But how can I get a similar result for vCPU? For example, if I have a 
VM with 4 vCPUs, is there any way to determine that I can get along 
just fine with 2 vCPUs, based on max CPU usage for the last 30 days? 
What counters do I look at, and how do they relate to the number of 
vCPUs allocated? On the VMware forums, I've been advised like this:


Once you have collected your max CPU usage stat I would do the following.

CPUsageMax * ( CurrentCPUCount / NewCPUCount)
If output is < 85 reduce by 1 vCPU.  Loop this to see if you need to 
remove more than one vCPU.  Same equation for adding vCPUs


For instance.  You have 3 vCPUs at 50% utilisation.

50 * (3/2) = 75

In this case you can drop down to one vCPU.


Thoughts on this methodology? I know that there are commercial 
programs to analyze your VMware cluster, and tell you these things, 
and even adjust them, but we don't have the budget for Capacity IQ. So 
I'm trying for a some improvement is better than no improvement. Is 
there a better way to estimate this? I have a few VMs with 4 vCPUs, 
and while I'm sure I can knock a CPU off those VMs, I need some 
numbers to back me up, and to show that removing one vCPU won't 
negatively impact that VM too much ...



Thanks, and sorry for the OT.



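The 85% rule quoted from the VMware forums, applied to the MHz figures the script above collects, as an added example that is not part of the original post. It needs no PowerCLI connection: the VM names and numbers are constructed sample data, and the vCPU count for the 4528MHz/1059MHz VM is an assumption because the post does not state it.

```powershell
# Added example: project CPU utilisation after removing vCPUs and stop
# before the projection reaches the threshold (85% in the forum advice).
function Get-VCpuRecommendation {
    param(
        [string]$Name,
        [int]$NumCpu,                # vCPUs currently configured
        [double]$ConfiguredCpuMHz,   # NumCpu * host MHz per core
        [double]$MaxUsedCpuMHz,      # highest cpu.usagemhz.average sample
        [double]$ThresholdPct = 85
    )

    # A powered-off VM, or one with no samples, has no peak to divide by.
    # Report it unchanged instead of failing on a division by zero.
    if ($NumCpu -lt 1 -or $ConfiguredCpuMHz -le 0 -or $MaxUsedCpuMHz -le 0) {
        return [pscustomobject]@{
            Name = $Name; VCpu = $NumCpu; PeakPct = $null; OverCommit = $null
            SuggestedVCpu = $NumCpu; ProjectedPct = $null
            Note = 'no usage data, left unchanged'
        }
    }

    $peakPct    = 100.0 * $MaxUsedCpuMHz / $ConfiguredCpuMHz
    $overCommit = $ConfiguredCpuMHz / $MaxUsedCpuMHz

    # CPUsageMax * (CurrentCPUCount / NewCPUCount), tried for one vCPU
    # fewer on each pass.
    $suggested = $NumCpu
    while ($suggested -gt 1) {
        $projected = $peakPct * $NumCpu / ($suggested - 1)
        if ($projected -ge $ThresholdPct) { break }
        $suggested--
    }

    if ($suggested -lt $NumCpu) {
        $note = "remove $($NumCpu - $suggested) vCPU"
    } else {
        $note = 'keep as is'
    }

    [pscustomobject]@{
        Name          = $Name
        VCpu          = $NumCpu
        PeakPct       = [math]::Round($peakPct, 1)
        OverCommit    = [math]::Round($overCommit, 2)
        SuggestedVCpu = $suggested
        ProjectedPct  = [math]::Round($peakPct * $NumCpu / $suggested, 1)
        Note          = $note
    }
}

# Constructed sample data.
$samples = @(
    # MHz figures from the sample output in the post; 2 vCPUs is assumed
    @{ Name = 'vm-from-post';   NumCpu = 2; ConfiguredCpuMHz = 4528; MaxUsedCpuMHz = 1059 }
    # The forum's case: 3 vCPUs at 50% utilisation
    @{ Name = 'vm-forum-case';  NumCpu = 3; ConfiguredCpuMHz = 6000; MaxUsedCpuMHz = 3000 }
    # A busy VM that should keep all four vCPUs
    @{ Name = 'vm-busy';        NumCpu = 4; ConfiguredCpuMHz = 9056; MaxUsedCpuMHz = 6500 }
    # Powered off for the whole period
    @{ Name = 'vm-powered-off'; NumCpu = 2; ConfiguredCpuMHz = 4528; MaxUsedCpuMHz = 0 }
)

$report = foreach ($s in $samples) { Get-VCpuRecommendation @s }
$report | Format-Table -AutoSize
```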


Re: OT - Home Router ideas?

2012-01-10 Thread winsys
No, but rest are fairly generic.
Family of 4. use the web for browsing, email and xbox.
Wireless N, decent range (home is about 3000 sq/ft), WAN/internet port over
10Mb (internet connection is 25Mb)
thx.

On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

 Those are his only needs?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!



Re: bougt the book

2012-01-10 Thread Ben Scott
On Tue, Jan 10, 2012 at 2:20 PM, Mathew Shember
mathew.shem...@synopsys.com wrote:
 Think my copy might be outdated.   Time for a new one. :)

  I've got the 1st edition and the 4th edition of the cat and kitten
book, and I can say that the changes and improvements are dramatic.
They're almost completely different books.

-- Ben




RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Michael B. Smith
NO! Don't use EFS! Use BitLocker.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, January 10, 2012 1:49 PM
To: NT System Admin Issues
Subject: Encrypting a 2008 R2 Clustered File Server

All,

We're in the process of migrating all of our company servers from server 2003 
to server 2008 R2.  We've installed and configured two Server 2008 R2 
Enterprise cluster servers with a failover cluster role and are connected to a 
MD3000 storage.

Here's what we're looking to do... we're going to create network shares that 
are dependent on dept. and user access (ie Someone from our researching 
dept. doesn't need to see/have access to accounting dept. share) and encrypt 
the entire file server.  We also want the encrypt/decrypt to be transparent to 
the end user.

First question: Has anyone used EFS with AD RMS with network shares?  Has this 
worked and how easy was it to setup?

Second question: Is there a recommended encryption solution that someone has 
implemented?

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com




Re: IIS 6.0 Security

2012-01-10 Thread Webster
I am in the process of writing four books simultaneously (XA5/2003, XA5/2008, 
XA6.0 and XA6.5).  After this thread, I will make sure I add this SSL 
v3/TLS(FIPS) stuff.

Thanks



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Richard McClary richard.mccl...@aspca.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 19:14:26 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Thanks!

Went to your web site, but 4.5 seems to be too old for anything there.

I think I have all but the “microsoft iis content location internal ip address 
leak” taken care of, and I have a bunch of tabs open concerning that.

I’ll find out for sure what has been taken care of after this upcoming scan…

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 11:38 AM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am checking.  Please hold for the next available Citrix support person.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Michael Smith mich...@smithcons.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:49:40 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 – I don’t know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron…

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note – the server 
is accessed via web through a MIP’s IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet…
-
richard

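For the "Disable SSL v2 protocol support" and "Disable SSL support for weak ciphers" findings quoted in this thread, an added example (not from any poster) that reports which SCHANNEL registry settings still leave them open before the next scan. The cipher list is an assumed starting point to be matched against what the scanner flags, and the sample state is constructed so the check also runs away from the server.

```powershell
# Added example: audit SCHANNEL "Enabled" values for SSL 2.0 and weak ciphers.
$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys whose Enabled DWORD should be 0. The cipher entries are an
# assumed list; adjust it to the ciphers named in the scan report.
$SchannelChecks = @(
    @{ Finding = 'SSL v2 protocol'; SubKey = 'Protocols\SSL 2.0\Server' }
    @{ Finding = 'Weak cipher';     SubKey = 'Ciphers\NULL' }
    @{ Finding = 'Weak cipher';     SubKey = 'Ciphers\DES 56/56' }
    @{ Finding = 'Weak cipher';     SubKey = 'Ciphers\RC2 40/128' }
    @{ Finding = 'Weak cipher';     SubKey = 'Ciphers\RC2 56/128' }
    @{ Finding = 'Weak cipher';     SubKey = 'Ciphers\RC4 40/128' }
    @{ Finding = 'Weak cipher';     SubKey = 'Ciphers\RC4 56/128' }
)

function Get-SchannelEnabled {
    # Windows only. Returns the Enabled DWORD, or $null when the key or the
    # value is absent. The .NET registry API is used because key names such
    # as 'RC4 40/128' contain '/', which the PowerShell registry provider
    # treats as a path separator.
    param([string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubKey")
    if ($null -eq $key) { return $null }
    try     { return $key.GetValue('Enabled', $null) }
    finally { $key.Close() }
}

function Test-SchannelHardening {
    # $State maps SubKey -> Enabled value; a missing entry means "not set".
    param([hashtable]$State)
    foreach ($check in $SchannelChecks) {
        $value = $State[$check.SubKey]
        if ($null -eq $value) {
            # Not configured: the OS default applies, so treat the finding
            # as open until a rescan shows otherwise.
            $status = 'OPEN (not configured)'
        }
        elseif ($value -eq 0) {
            $status = 'closed'
        }
        else {
            # 0xffffffff is read back as -1
            $status = 'OPEN (explicitly enabled)'
        }
        [pscustomobject]@{
            Finding = $check.Finding
            SubKey  = $check.SubKey
            Enabled = $value
            Status  = $status
        }
    }
}

# Constructed sample state: SSL 2.0 and two ciphers already disabled,
# one cipher explicitly enabled, the rest never configured.
$sampleState = @{
    'Protocols\SSL 2.0\Server' = 0
    'Ciphers\RC4 40/128'       = 0
    'Ciphers\RC2 40/128'       = 0
    'Ciphers\DES 56/56'        = -1
}
Test-SchannelHardening -State $sampleState | Format-Table -AutoSize

# On the server itself, read the live values instead of the sample.
if ($env:OS -eq 'Windows_NT') {
    $live = @{}
    foreach ($check in $SchannelChecks) {
        $live[$check.SubKey] = Get-SchannelEnabled -SubKey $check.SubKey
    }
    Test-SchannelHardening -State $live | Format-Table -AutoSize
}
```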

Re: Expaning Subnet again

2012-01-10 Thread Andrew S. Baker
Typically, there are easy ways and hard ways to go about things, and the
latter outnumber the former for the most part.

Once you've asked for guidance and received it, it pays to take that road,
so as to minimize your time on the latter road.

Just saying.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Jan 10, 2012 at 12:24 PM, Stefan Jafs stefan.j...@gmail.com wrote:

 No I did not but i got the idea, i used the Advanced Subnet Calculator
 that shows me all my IP's.

 No I'm fighting with my switches to change to  /22, looks like my Dell
 switches I have to connect the cable and do it from the CLI command line,
 can't edit the IP in the GUI!

 Stefan

 On Tue, Jan 10, 2012 at 11:36 AM, Micheal Espinola Jr 
 michealespin...@gmail.com wrote:

 Are you guessing, or did you try writing it out as explained to you?

 --
 Espi





 On Tue, Jan 10, 2012 at 7:37 AM, Stefan Jafs stefan.j...@gmail.com wrote:

 So for me  *.255 are usable except 3.255, correct?

 Stefan

 On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG jhea...@dfg.ca.gov
 wrote:
  .255 is broadcast
 
   Not always.
 
  Very true, if we go and break up a class C, that is absolutely true.
  But,
  seeing as he's going the other way, and making the subnet bigger, not
 smaller...

  .255 is still not always the broadcast address.  For example, in a
 /23, there will be two addresses where the dotted-decimal ends in
 .255.  One will be the broadcast address, and the other will just be
 a regular host.

 -- Ben




Re: OT - Home Router ideas?

2012-01-10 Thread winsys
Router is in the mechanical room of the basement. He is usually 2 floors up
where his home office and bedroom are.
He thinks it would be more convenient to enable/disable from web page.
thx.

On Tue, Jan 10, 2012 at 2:38 PM, Jonathan Link jonathan.l...@gmail.com wrote:

 What's wrong with pulling the plug?



 On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

 Those are his only needs?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!



Re: OT - Home Router ideas?

2012-01-10 Thread Andrew S. Baker
I would rate those items higher.   I went with the Netgear WNR-3500L a few
months back, using the DD-WRT firmware, and have been very pleased.

Should address all the listed concerns.

BTW, if one is disabling some level of network access via a GUI, one should
ensure that the GUI itself is not dependent on that same connection.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Jan 10, 2012 at 2:58 PM, winsys winsysad...@gmail.com wrote:

 No, but rest are fairly generic.
 Family of 4. use the web for browsing, email and xbox.
 Wireless N, decent range (home is about 3000 sq/ft), WAN/internet port
 over 10Mb (internet connection is 25Mb)
 thx.


 On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

 Those are his only needs?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!






Re: A poll, of sorts...

2012-01-10 Thread Kurt Buff
On Tue, Jan 10, 2012 at 09:28, Andrew S. Baker asbz...@gmail.com wrote:

  minimum 10 characters in length, with no expiration, no history and 
  no minimum age?

 When I determine what would make me comfortable with the above, I'll let you 
 know.

 In the mean time, I'll echo the why question you've already been asked...

The timeless parental/management reason: Because we want it that way.

Kurt




Re: Expaning Subnet again

2012-01-10 Thread Micheal Espinola Jr
Without a proper understanding of the fundamentals, you could very easily
make part of, if not all of your network unusable.  A subnet calculator is
a handy little tool, but you really should have a good grasp of the
underlying concepts before taking on a challenge of [re]subnetting your
network.

A prerequisite to IP Addressing and Subnetting is understanding Binary and
Decimal numbers.

And I can tell you from experience, if you are re-configuring a switch or
router, you assuredly want to do it from the command line and have
full-control of what you are doing.  There are web interfaces out there
that will take additional liberties with settings based on what you choose
in the wizard interface.

--
Espi




On Tue, Jan 10, 2012 at 11:23 AM, Don Ely don@gmail.com wrote:

  No I'm fighting with my switches to change to  /22, looks like my Dell
 switches I have to connect the cable and do it from the CLI command line,
 can't edit the IP in the GUI! 

 That's for a very good reason that most networking experts would
 understand without even attempting...


 On Tue, Jan 10, 2012 at 9:24 AM, Stefan Jafs stefan.j...@gmail.com wrote:

 No I did not but i got the idea, i used the Advanced Subnet Calculator
 that shows me all my IP's.

 No I'm fighting with my switches to change to  /22, looks like my Dell
 switches I have to connect the cable and do it from the CLI command line,
 can't edit the IP in the GUI!

 Stefan

 On Tue, Jan 10, 2012 at 11:36 AM, Micheal Espinola Jr 
 michealespin...@gmail.com wrote:

 Are you guessing, or did you try writing it out as explained to you?

 --
 Espi





 On Tue, Jan 10, 2012 at 7:37 AM, Stefan Jafs stefan.j...@gmail.com wrote:

 So for me  *.255 are usable except 3.255, correct?

 Stefan

 On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott mailvor...@gmail.com wrote:

 On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG jhea...@dfg.ca.gov
 wrote:
  .255 is broadcast
 
   Not always.
 
  Very true, if we go and break up a class C, that is absolutely true.
  But,
  seeing as he's going the other way, and making the subnet bigger,
 not smaller...

  .255 is still not always the broadcast address.  For example, in a
 /23, there will be two addresses where the dotted-decimal ends in
 .255.  One will be the broadcast address, and the other will just be
 a regular host.

 -- Ben





 --
 Stefan Jafs





 --
 Stefan Jafs

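The ".255 is not always the broadcast address" point from this thread, worked through with the underlying integer arithmetic, as an added example that is not from any poster. 192.168.0.0 is an assumed network, since the thread does not give the real one; the script classifies every address ending in .0 or .255 inside a /22 and then shows one address changing role as the prefix changes.

```powershell
# Added example: classify an IPv4 address as network, broadcast or host
# for a given prefix length. 192.168.0.0 is an assumed sample network.

function ConvertTo-IPv4Number {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    # Octets are most significant first: a.b.c.d = a*2^24 + b*2^16 + c*2^8 + d
    return ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function ConvertTo-IPv4String {
    param([long]$Number)
    $octets = foreach ($weight in 16777216, 65536, 256, 1) {
        [long][math]::Floor([double]$Number / $weight) % 256
    }
    return $octets -join '.'
}

function Get-SubnetRole {
    param(
        [string]$Address,
        [ValidateRange(1, 30)][int]$PrefixLength
    )
    # Number of addresses in the subnet: 2^(host bits)
    $size      = [long][math]::Pow(2, 32 - $PrefixLength)
    $n         = ConvertTo-IPv4Number $Address
    $network   = $n - ($n % $size)      # all host bits cleared
    $broadcast = $network + $size - 1   # all host bits set

    if     ($n -eq $network)   { $role = 'network' }
    elseif ($n -eq $broadcast) { $role = 'broadcast' }
    else                       { $role = 'host' }

    [pscustomobject]@{
        Address   = $Address
        Prefix    = "/$PrefixLength"
        Network   = ConvertTo-IPv4String $network
        Broadcast = ConvertTo-IPv4String $broadcast
        Role      = $role
    }
}

# Every address ending in .0 or .255 inside the assumed /22
$inSlash22 = foreach ($third in 0..3) {
    foreach ($last in 0, 255) {
        Get-SubnetRole -Address "192.168.$third.$last" -PrefixLength 22
    }
}
$inSlash22 | Format-Table -AutoSize

# The same address under three prefix lengths: broadcast in a /24,
# an ordinary host once the subnet is widened to /23 or /22
$byPrefix = foreach ($prefix in 24, 23, 22) {
    Get-SubnetRole -Address '192.168.0.255' -PrefixLength $prefix
}
$byPrefix | Format-Table -AutoSize
```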

RE: IIS 6.0 Security

2012-01-10 Thread Michael B. Smith
Ain't just FIPS. Also NIST and PCI and... etc.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 3:11 PM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am in the process of writing four books simultaneously (XA5/2003, XA5/2008, 
XA6.0 and XA6.5).  After this thread, I will make sure I add this SSL 
v3/TLS(FIPS) stuff.

Thanks



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Richard McClary richard.mccl...@aspca.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 19:14:26 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Thanks!

Went to your web site, but 4.5 seems to be too old for anything there.

I think I have all but the microsoft iis content location internal ip address 
leak taken care of, and I have a bunch of tabs open concerning that.

I'll find out for sure what has been taken care of after this upcoming scan...

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 11:38 AM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am checking.  Please hold for the next available Citrix support person.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Michael Smith mich...@smithcons.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:49:40 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 - I don't know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron...

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note - the server 
is accessed via web through a MIP's IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet...
-
richard


RE: bougt the book

2012-01-10 Thread Michael B. Smith
I had completely forgotten about that. Thanks for the reminder.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 1:45 PM
To: NT System Admin Issues
Subject: Re: bougt the book

You have to create an account on the site, login to the account and you will 
see Register Print Books.  They are hooked up with Microsoft Press, so I 
registered all my MS Press books, paid $4.99 each and now have them all on my 
Kindle, iPad and the PDFs in a folder on every computer.  O'Reilly is VERY good 
about updating the e versions when they make corrections and updates.  They 
send you an e-mail and you can download the updated e files.  Well worth the 
$4.99 IMNSHO.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Harry Singh hbo...@gmail.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 12:51:33 -0500
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: bougt the book

Showing up late to the party here, but Carl, could you be so kind and enlighten 
me as to what you mean by registering your book on O'Reilly? Being new to 
the Kindle has me interested in bringing some of my PDFs and other books to it.

A cursory search on O'Reilly really doesn't provide much info.




On Tue, Jan 10, 2012 at 12:13 PM, Webster webs...@carlwebster.com wrote:
Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and 
got the Kindle, epub, and PDF versions.  Copy those files to the appropriate 
devices and I have Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! :)

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean...buy the book? Get out...

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian's homegrown glue is reference 
is fairly spot on :)



Re: OT - Home Router ideas?

2012-01-10 Thread Steven Peck
Router in the basement of a two-story house?  You are going to want
something with a decent antenna then.

On Tue, Jan 10, 2012 at 12:28 PM, winsys winsysad...@gmail.com wrote:

 Router is in the mechanical room of the basement. He is usually 2 floors
 up where his home office and bedroom are.
 He thinks it would be more convenient to enable/disable from web page.
 thx.

 On Tue, Jan 10, 2012 at 2:38 PM, Jonathan Link jonathan.l...@gmail.com wrote:

 What's wrong with pulling the plug?



 On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

 Those are his only needs?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!



Re: OT - Home Router ideas?

2012-01-10 Thread Kevin Lundy
I'm only throwing this out there since I am into home automation.  I'm sure
there are easier ways to do this, but ...

http://www.smarthome.com/71935/INSTEON-X10-Internet-Controller/p.aspx

So you would put this on the WAN side of the router.  Controlling it could
be a variety of other Insteon devices (stay away from X10).  In essence you
are pulling the plug, but can do it anywhere.

All my IP security cams are on their own network.  I am contemplating using
this or similar, tied in with my alarm system such that the cameras are
only accessible while we are away.  That way when we arm the alarm, the
cameras are viewable via internet.  Disarm, they aren't.

On Tue, Jan 10, 2012 at 3:28 PM, winsys winsysad...@gmail.com wrote:

 Router is in the mechanical room of the basement. He is usually 2 floors
 up where his home office and bedroom are.
 He thinks it would be more convenient to enable/disable from web page.
 thx.

 On Tue, Jan 10, 2012 at 2:38 PM, Jonathan Link jonathan.l...@gmail.com wrote:

 What's wrong with pulling the plug?



 On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

 Those are his only needs?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!



RE: A poll, of sorts...

2012-01-10 Thread David Lum
Loaded gun, meet forehead.

-Original Message-
From: Kurt Buff [mailto:kurt.b...@gmail.com] 
Sent: Tuesday, January 10, 2012 12:41 PM
To: NT System Admin Issues
Subject: Re: A poll, of sorts...

On Tue, Jan 10, 2012 at 09:28, Andrew S. Baker asbz...@gmail.com wrote:

  minimum 10 characters in length, with no expiration, no history and 
  no minimum age?

 When I determine what would make me comfortable with the above, I'll let you 
 know.

 In the meantime, I'll echo the why question you've already been asked...

The timeless parental/management reason: Because we want it that way.

Kurt


RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Cameron Cooper
Michael,

Thanks for the warning on not using it.  With my first research we couldn't use 
BitLocker on the cluster servers since they don't have TPM chips installed.  
Found the following article to use BitLocker without TPM:
http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 2:10 PM
To: NT System Admin Issues
Subject: RE: Encrypting a 2008 R2 Clustered File Server

NO! Don't use EFS! Use BitLocker.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, January 10, 2012 1:49 PM
To: NT System Admin Issues
Subject: Encrypting a 2008 R2 Clustered File Server

All,

We're in the process of migrating all of our company servers from server 2003 
to server 2008 R2.  We've installed and configured two Server 2008 R2 
Enterprise cluster servers with a failover cluster role and are connected to a 
MD3000 storage.

Here's what we're looking to do... we're going to create network shares that 
are dependent on dept. and user access (ie Someone from our researching 
dept. doesn't need to see/have access to accounting dept. share) and encrypt 
the entire file server.  We also want the encrypt/decrypt to be transparent to 
the end user.

First question: Has anyone used EFS with AD RMS with network shares?  Has this 
worked and how easy was it to setup?

Second question: Is there a recommended encryption solution that someone has 
implemented?

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com




Re: A poll, of sorts...

2012-01-10 Thread Andrew S. Baker
Nope... That reason doesn't get me any closer to the contemplating it
line.   I've routinely talked senior managers out of less dumb
considerations before.

(It should also be noted, however, that on occasion, I have utterly failed
to talk some really cognitive-challenged senior mgmt persons from pursuing
even dumber options.)

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Jan 10, 2012 at 3:40 PM, Kurt Buff kurt.b...@gmail.com wrote:

 On Tue, Jan 10, 2012 at 09:28, Andrew S. Baker asbz...@gmail.com wrote:
 
   minimum 10 characters in length, with no expiration, no history and
 no minimum age?
 
  When I determine what would make me comfortable with the above, I'll let
 you know.
 
  In the meantime, I'll echo the why question you've already been
 asked...

 The timeless parental/management reason: Because we want it that way.

 Kurt




Re: OT - Home Router ideas?

2012-01-10 Thread MMF
Not true. I have my 2Wire router on second floor on top of bookcase and I have 
no issues when down in my “man cave” in the basement!

MMF

From: Steven Peck 
Sent: Tuesday, January 10, 2012 3:04 PM
To: NT System Admin Issues 
Subject: Re: OT - Home Router ideas?

Router in the basement of a two-story house?  You are going to want something 
with a decent antenna then.


On Tue, Jan 10, 2012 at 12:28 PM, winsys winsysad...@gmail.com wrote:

  Router is in the mechanical room of the basement. He is usually 2 floors up 
where his home office and bedroom are. 
  He thinks it would be more convenient to enable/disable from web page.
  thx.


  On Tue, Jan 10, 2012 at 2:38 PM, Jonathan Link jonathan.l...@gmail.com 
wrote:

What's wrong with pulling the plug?


 
On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

  Those are his only needs?


ASB 
http://XeeMe.com/AndrewBaker 
Harnessing the Advantages of Technology for the SMB market…

   





  On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

Hi All, 

A friend of mine is looking for a new home router that he can 
disable/enable internet access very easily from a web page.
Any ideas?
thx!



RE: IIS 6.0 Security

2012-01-10 Thread Webster
The Citrix eDocs says if you are using SSL v3 you are not FIPS compliant.  You 
have to use TLS 1.0.

SSL/TLS and FIPS Compliance
When configured properly, deployments using TLS 1.0 can use FIPS 140-validated 
cryptographic modules in a manner that is compliant with FIPS 140-2; SSL 3.0 is 
not FIPS compliant. For more information, refer to the Guidelines for the 
Selection and Use of the Transport Layer Security (TLS) implementations at 
http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf.


Carl Webster
Consultant and Citrix Technology Professional
http://www.CarlWebster.com

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 2:52 PM
To: NT System Admin Issues
Subject: RE: IIS 6.0 Security

Ain't just FIPS. Also NIST and PCI and... etc.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 3:11 PM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am in the process of writing four books simultaneously (XA5/2003, XA5/2008, 
XA6.0 and XA6.5).  After this thread, I will make sure I add this SSL 
v3/TLS(FIPS) stuff.

Thanks



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Richard McClary richard.mccl...@aspca.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 19:14:26 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Thanks!

Went to your web site, but 4.5 seems to be too old for anything there.

I think I have all but the microsoft iis content location internal ip address 
leak taken care of, and I have a bunch of tabs open concerning that.

I'll find out for sure what has been taken care of after this upcoming scan...

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 11:38 AM
To: NT System Admin Issues
Subject: Re: IIS 6.0 Security

I am checking.  Please hold for the next available Citrix support person.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Michael Smith mich...@smithcons.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:49:40 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: RE: IIS 6.0 Security

Just gotta know the right search string.

http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx
http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx

Now: Citrix/XenApp support for SSL 3.0 - I don't know anything about that. Carl 
Webster needs to speak to that! :)

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Richard McClary [mailto:richard.mccl...@aspca.org]
Sent: Tuesday, January 10, 2012 10:06 AM
To: NT System Admin Issues
Subject: IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron...

Yes, I am continuing to search Google as well as the MS TechNet pages (that 
Google returns) concerning IIS 6.0.

We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, 
and yes, a new Citrix system is in the works, but this one needs to pass a scan 
test.)

The system does have a VeriSign SSL certificate.
--
Here are the issues found by the scan:

Disable TLS Renegotiation

Fix Microsoft IIS Content Location Internal IP Address Leak (Note - the server 
is accessed via web through a MIP's IP address)

Upgrade to the latest version of OpenSSL

Disable SSL support for weak ciphers

Disable SSL v2 protocol support
--
Anyway, we need assistance in dealing with those security issues without hosing 
the Citrix services (which our clients are paying for).

Thank you; back to Google and Technet...
-
richard
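
Added example, not part of the thread and not Microsoft's or Citrix's code: the two scan findings "Disable SSL v2 protocol support" and "Disable SSL support for weak ciphers" can be checked before the rescan against a registry export of the SCHANNEL key. The Python below parses such an export and lists what is still open. The SCHANNEL subkey names, the choice of every cipher entry under 128 bits as "weak", the treatment of an unset value as still enabled (the Windows Server 2003 default), and the sample export are assumptions of this example.

```python
import re

# SCHANNEL base key; IIS 6.0 on Windows Server 2003 takes its SSL/TLS settings from here.
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"

# Subkeys that need "Enabled"=dword:00000000 to clear the two findings.
# Assumption: "weak" means every SCHANNEL cipher entry with less than 128-bit keys.
MUST_BE_DISABLED = (
    r"Protocols\SSL 2.0\Server",
    r"Ciphers\NULL",
    r"Ciphers\DES 56/56",
    r"Ciphers\RC2 40/128",
    r"Ciphers\RC2 56/128",
    r"Ciphers\RC4 40/128",
    r"Ciphers\RC4 56/128",
)

# Constructed sample of a regedit (version 5) text export, not taken from a real server.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:ffffffff
"""

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key path (lower case): {value name (lower case): int}} for DWORD values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            # Registry key names are case-insensitive, so normalise them.
            current = keys.setdefault(key_match.group(1).lower(), {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            current[value_match.group(1).lower()] = int(value_match.group(2), 16)
    return keys


def audit_schannel(text):
    """Map each required setting to 'disabled', 'enabled' or 'not set'."""
    keys = parse_reg_export(text)
    report = {}
    for setting in MUST_BE_DISABLED:
        values = keys.get((BASE + "\\" + setting).lower())
        if values is None or "enabled" not in values:
            # Assumption: with no explicit value the OS default applies,
            # and on Windows Server 2003 that default leaves the item on.
            report[setting] = "not set"
        elif values["enabled"] == 0:
            report[setting] = "disabled"
        else:
            report[setting] = "enabled"
    return report


def open_findings(text):
    """Settings a scanner would still flag: anything not explicitly disabled."""
    return sorted(s for s, state in audit_schannel(text).items() if state != "disabled")


if __name__ == "__main__":
    for setting, state in audit_schannel(SAMPLE_EXPORT).items():
        print(f"{state:9}  {setting}")
    print("still open:", open_findings(SAMPLE_EXPORT))
```

SCHANNEL reads these values at startup, so an export taken after a change reflects the running configuration only once the server has been restarted.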


Re: OT - Home Router ideas?

2012-01-10 Thread Micheal Espinola Jr
This very much depends on the structure (materials) of your house, and the
power output of your antennas (internal or external), etc.

--
Espi




On Tue, Jan 10, 2012 at 2:04 PM, MMF mmfree...@ameritech.net wrote:

   Not true. I have my 2Wire router on second floor on top of bookcase and
 I have no issues when down in my “man cave” in the basement!

 MMF

  *From:* Steven Peck sep...@gmail.com
 *Sent:* Tuesday, January 10, 2012 3:04 PM
 *To:* NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
 *Subject:* Re: OT - Home Router ideas?

 Router in the basement of a two-story house?  You are going to want
 something with a decent antenna then.

 On Tue, Jan 10, 2012 at 12:28 PM, winsys winsysad...@gmail.com wrote:

 Router is in the mechanical room of the basement. He is usually 2 floors
 up where his home office and bedroom are.
 He thinks it would be more convenient to enable/disable from web page.
 thx.

  On Tue, Jan 10, 2012 at 2:38 PM, Jonathan Link jonathan.l...@gmail.com wrote:

  What's wrong with pulling the plug?



  On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker asbz...@gmail.com wrote:

 Those are his only needs?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 12:09 PM, winsys winsysad...@gmail.com wrote:

 Hi All,

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.
 Any ideas?
 thx!




RE: bougt the book

2012-01-10 Thread Brian Desmond
They're floating around. I give them away to customers all the time plus the 
occasional conference giveaways.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Mathew Shember [mailto:mathew.shem...@synopsys.com]
Sent: Tuesday, January 10, 2012 1:21 PM
To: NT System Admin Issues
Subject: RE: bougt the book

But is it autographed?

:p

Didn't know there was a kindle version.  Think my copy might be outdated.  Time 
for a new one. :)




From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 9:14 AM
To: NT System Admin Issues
Subject: Re: bougt the book

Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and got the Kindle, 
epub, and PDF versions.  Copy those files to the appropriate devices and I have 
Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! :)

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean...buy the book? Get out...

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian's homegrown glue reference 
is fairly spot on :)

From: David Lum [mailto:david@nwea.org]
Sent: Wednesday, January 04, 2012 2:00 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Wait - Concur is telling us we need ADFS 2.0 to use SAML. How do you do it 
without ADFS?

From: Free, Bob [mailto:r...@pge.com]
Sent: Wednesday, January 04, 2012 1:01 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Ditto.

We went from our old internal hosted to external Concur last year using SAML 
for authN. No ADFS.

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, January 04, 2012 7:01 AM
To: NT System Admin Issues
Subject: Re: Concur for expense management

the 2003 to 2003 R2 is very simple. More like adding additional features, than 
a true OS upgrade. You should be fine. No issues.

We use Concur here, but do not have federation services configured.


Chris Bodnar, MCSE, MCITP
Technical Support III
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003



From: David Lum david@nwea.org
To: NT System Admin Issues ntsysadmin@lyris.sunbelt-software.com
Date: 01/04/2012 09:17 AM
Subject: Concur for expense management




Does anyone here use Concur for expense management? I need to configure 
Federation with them and they sent me a SAML document and it looks like I need 
to install ADFS...which requires 2003 R2 and we don't have any 2003 R2 servers, 
ours are straight 2003. It's not a big deal to stand up a 2003 R2 DC in a 2003 
domain is it? Is an in-place upgrade possible? I seem to think on the 2003 
versions, 2003 and 2003 R2 are very similar.
David Lum
Systems Engineer // NWEA™
Office 503.548.5229 // Cell (voice/text) 503.267.9764



RE: bougt the book

2012-01-10 Thread Brian Desmond
Up to the author to do the updates but yes it's possible and I did recently fix 
all the errata. O'Reilly has a very cool on demand production process that 
makes this possible.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 3:03 PM
To: NT System Admin Issues
Subject: RE: bougt the book

I had completely forgotten about that. Thanks for the reminder.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Webster [mailto:webs...@carlwebster.com]
Sent: Tuesday, January 10, 2012 1:45 PM
To: NT System Admin Issues
Subject: Re: bougt the book

You have to create an account on the site, login to the account and you will 
see Register Print Books.  They are hooked up with Microsoft Press, so I 
registered all my MS Press books, paid $4.99 each and now have them all on my 
Kindle, iPad and the PDFs in a folder on every computer.  O'Reilly is VERY good 
about updating the e versions when they make corrections and updates.  They 
send you an e-mail and you can download the updated e files.  Well worth the 
$4.99 IMNSHO.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: Harry Singh hbo...@gmail.com
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 12:51:33 -0500
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: Re: bougt the book

Showing up late to the party here, but Carl could you be so kind and enlighten 
me as to what you mean by registering your book on o'reilly? Being new to 
the Kindle has me interested in bringing some of my PDFs and other books to it.

A cursory search on o'reilly really doesn't provide much info.




On Tue, Jan 10, 2012 at 12:13 PM, Webster webs...@carlwebster.com wrote:
Brian's book is a very useful resource and reference tool.  (Broken record 
here)  I registered my book on oreilly.com, paid $4.99 and got the Kindle, 
epub, and PDF versions.  Copy those files to the appropriate devices and I have 
Brian's book with me all the time.



Carl Webster

Consultant and Citrix Technology Professional

http://www.CarlWebster.com

From: David Lum david@nwea.org
Reply-To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Date: Tue, 10 Jan 2012 16:08:07 +
To: NT Issues ntsysadmin@lyris.sunbelt-software.com
Subject: bougt the book

Book bought. I expect big things Brian! :)

Dave

From: David Lum [mailto:david@nwea.org]
Sent: Thursday, January 05, 2012 1:07 PM
To: NT System Admin Issues
Subject: RE: Concur for expense management

You mean...buy the book? Get out...

From: Free, Bob [mailto:r...@pge.com]
Sent: Thursday, January 05, 2012 11:47 AM
To: NT System Admin Issues
Subject: RE: Concur for expense management

Without going in to all the gory details, Brian's homegrown glue reference 
is fairly spot on :)



RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Brian Desmond
AD RMS is independent of Bitlocker/TPM/EFS though and does some really slick 
stuff.

Thanks,
Brian Desmond
br...@briandesmond.com

w - 312.625.1438 | c   - 312.731.3132

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, January 10, 2012 3:30 PM
To: NT System Admin Issues
Subject: RE: Encrypting a 2008 R2 Clustered File Server

Michael,

Thanks for the warning on not using it.  With my first research we couldn't use 
BitLocker on the cluster servers since they don't have TPM chips installed.  
Found the following article to use BitLocker without TPM 
(http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/).

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 2:10 PM
To: NT System Admin Issues
Subject: RE: Encrypting a 2008 R2 Clustered File Server

NO! Don't use EFS! Use BitLocker.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, January 10, 2012 1:49 PM
To: NT System Admin Issues
Subject: Encrypting a 2008 R2 Clustered File Server

All,

We're in the process of migrating all of our company servers from server 2003 
to server 2008 R2.  We've installed and configured two Server 2008 R2 
Enterprise cluster servers with a failover cluster role and are connected to a 
MD3000 storage.

Here's what we're looking to do... we're going to create network shares that 
are dependent on dept. and user access (ie Someone from our researching 
dept. doesn't need to see/have access to accounting dept. share) and encrypt 
the entire file server.  We also want the encrypt/decrypt to be transparent to 
the end user.

First question: Has anyone used EFS with AD RMS with network shares?  Has this 
worked and how easy was it to setup?

Second question: Is there a recommended encryption solution that someone has 
implemented?

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com



CONFIDENTIALITY NOTICE: This email message is intended only for the person or 
entity to which it is addressed and may contain confidential material. Any 
unauthorized review, use, disclosure, downloading, copying or distribution is 
prohibited. If you are not the intended recipient, please contact the sender by 
reply email and permanently delete all copies of the original message. If you 
are the intended recipient but do not wish to receive communications through 
this medium, please advise the sender immediately.


Re: A poll, of sorts...

2012-01-10 Thread Jon Harris
Man did I misread that question!  I have never seen this done since I
started up my first domain.  This was done previously at the Research
Facility until there was a stink about some changes being made to profiles
in Windows 2000.

Stupid stupid Jon

On Mon, Jan 9, 2012 at 11:40 PM, Jon Harris jk.har...@gmail.com wrote:

 I have done it with under 30 users and some of those temps.  It would
 depend on the situation though.  The case I was using was a research
 facility where in addition to research there was funding decisions on
 inside and outside research going on.  I have seen operations with 100
 users only using simple passwords where I would have gone with complex.

 Jon

 On Mon, Jan 9, 2012 at 11:31 PM, Kurt Buff kurt.b...@gmail.com wrote:

 All,

 In the interest of curiosity, I have a theoretical question for your
 consideration and debate...

 What measures would you need to see in place in a small business
 (fewer than 500 users) to feel comfortable with setting a password
 policy that sets standard complexity (that is, at least three of the
 standard four character types - UC, LC, numeric and special),
 minimum 10 characters in length, with no expiration, no history and no
 minimum age?

 Assume a Win2k8R2 single domain forest.

 Kurt


Re: Expaning Subnet again

2012-01-10 Thread Silvio L. Nisgoski
And let's not forget about doing a config backup before changing things, just in 
case something changes on its own and the network stops working.


  - Original Message - 
  From: Micheal Espinola Jr 
  To: NT System Admin Issues 
  Sent: Tuesday, January 10, 2012 6:40 PM
  Subject: Re: Expaning Subnet again


  Without a proper understanding of the fundamentals, you could very easily 
make part of, if not all of your network unusable.  A subnet calculator is a 
handy little tool, but you really should have a good grasp of the underlying 
concepts before taking on a challenge of [re]subnetting your network.


  A prerequisite to IP Addressing and Subnetting is understanding Binary and 
Decimal numbers.


  And I can tell you from experience, if you are re-configuring a switch or 
router, you assuredly want to do it from the command line and have full control 
of what you are doing.  There are web interfaces out there that will take 
additional liberties with settings based on what you choose in the wizard 
interface.

  --
  Espi






  On Tue, Jan 10, 2012 at 11:23 AM, Don Ely don@gmail.com wrote:

 Now I'm fighting with my switches to change to /22, looks like my Dell 
switches I have to connect the cable and do it from the CLI command line, can't 
edit the IP in the GUI! 


That's for a very good reason that most networking experts would understand 
without even attempting...



On Tue, Jan 10, 2012 at 9:24 AM, Stefan Jafs stefan.j...@gmail.com wrote:

  No I did not but I got the idea, I used the Advanced Subnet Calculator 
that shows me all my IPs.

  Now I'm fighting with my switches to change to /22, looks like my Dell 
switches I have to connect the cable and do it from the CLI command line, can't 
edit the IP in the GUI!

  Stefan


  On Tue, Jan 10, 2012 at 11:36 AM, Micheal Espinola Jr 
michealespin...@gmail.com wrote:

Are you guessing, or did you try writing it out as explained to you?

--
Espi







On Tue, Jan 10, 2012 at 7:37 AM, Stefan Jafs stefan.j...@gmail.com 
wrote:

  So for me *.255 are usable except 3.255, correct?

  Stefan


  On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott mailvor...@gmail.com 
wrote:

On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG jhea...@dfg.ca.gov wrote:
 .255 is broadcast

  Not always.

 Very true, if we go and break up a class C, that is absolutely true.  But,
 seeing as he's going the other way, and making the subnet bigger, not smaller...

.255 is still not always the broadcast address.  For example, in a
/23, there will be two addresses where the dotted-decimal ends in
.255.  One will be the broadcast address, and the other will just be
a regular host.


-- Ben






  -- 
  Stefan Jafs









  -- 
  Stefan Jafs








Re: Expaning Subnet again

2012-01-10 Thread Kurt Buff
On Tue, Jan 10, 2012 at 12:40, Micheal Espinola Jr
michealespin...@gmail.com wrote:
 Without a proper understanding of the fundamentals, you could very easily
 make part of, if not all of your network unusable.  A subnet calculator is a
 handy little tool, but you really should have a good grasp of the underlying
 concepts before taking on a challenge of [re]subnetting your network.

 A prerequisite to IP Addressing and Subnetting is understanding Binary and
 Decimal numbers.

 And I can tell you from experience, if you are re-configuring a switch or
 router, you assuredly want to do it from the command line and have
 full control of what you are doing.  There are web interfaces out there that
 will take additional liberties with settings based on what you choose in the
 wizard interface.

+1024

Experience may not be the best teacher, but it's almost always the
most expensive and painful...

Kurt
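
The /23 point made earlier in this thread (two addresses end in .255, only one is the broadcast), worked through for a widened /22 with Python's standard ipaddress module, plus what a host left on the old /24 mask would believe afterwards. This is an added example, not something posted to the list; the 192.168.0.0/22 network, the host addresses and the function names are constructed for illustration.

```python
import ipaddress


def edge_address_roles(cidr):
    """Map every address in `cidr` that ends in .0 or .255 to its real role.

    Roles are "network", "broadcast" or "host". Only the first and last
    address of the whole block are reserved; every other .0/.255 address
    is an ordinary host address.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)  # strict: reject host bits
    if net.prefixlen < 16:
        raise ValueError("refusing to enumerate anything larger than a /16")
    roles = {}
    for addr in net:  # a /22 is only 1024 addresses
        if int(addr) & 0xFF not in (0, 255):
            continue
        if addr == net.network_address:
            roles[str(addr)] = "network"
        elif addr == net.broadcast_address:
            roles[str(addr)] = "broadcast"
        else:
            roles[str(addr)] = "host"
    return roles


def stale_mask_view(new_cidr, stale_prefix, host_ip):
    """Describe what a host still using the old, narrower mask believes
    after the network has been widened to `new_cidr`."""
    new_net = ipaddress.IPv4Network(new_cidr, strict=True)
    if stale_prefix < new_net.prefixlen:
        raise ValueError("stale prefix must be at least as long as the new one")
    iface = ipaddress.IPv4Interface(f"{host_ip}/{stale_prefix}")
    if iface.ip not in new_net:
        raise ValueError(f"{host_ip} is not inside {new_net}")
    seen = iface.network  # the subnet the host thinks it is on
    return {
        "believes_on_link": str(seen),
        "sends_broadcast_to": str(seen.broadcast_address),
        "actual_broadcast": str(new_net.broadcast_address),
        # True when the host's own address is .0/.255 of its stale subnet,
        # i.e. it was handed an address its old mask treats as reserved.
        "own_address_looks_reserved": iface.ip
        in (seen.network_address, seen.broadcast_address),
        # Neighbours in the widened network that this host will try to
        # reach through the gateway instead of directly.
        "neighbours_treated_as_remote": new_net.num_addresses
        - seen.num_addresses,
    }


if __name__ == "__main__":
    # Constructed sample data: a /24 widened to a /22.
    for address, role in edge_address_roles("192.168.0.0/22").items():
        print(f"{address:<16} {role}")
    for host in ("192.168.1.10", "192.168.2.255"):
        print(host, stale_mask_view("192.168.0.0/22", 24, host))
```

Run it before the change window with the real prefix and a list of statically addressed devices: any host whose view differs from the new network still needs its mask updated.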




Re: A poll, of sorts...

2012-01-10 Thread Andrew S. Baker
I almost misread it myself.  I kept wondering why this would even be a
question, and then I noticed what all the hoopla was about.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Jan 10, 2012 at 6:24 PM, Jon Harris jk.har...@gmail.com wrote:

 Man did I misread that question!  I have never seen this done since I
 started up my first domain.  This was done previously at the Research
 Facility until there was a stink about some changes being made to profiles
 in Windows 2000.

 Stupid stupid Jon

 On Mon, Jan 9, 2012 at 11:40 PM, Jon Harris jk.har...@gmail.com wrote:

 I have done it with under 30 users and some of those temps.  It would
 depend on the situation though.  The case I was using was a research
 facility where in addition to research there was funding decisions on
 inside and outside research going on.  I have seen operations with 100
 users only using simple passwords where I would have gone with complex.

 Jon

 On Mon, Jan 9, 2012 at 11:31 PM, Kurt Buff kurt.b...@gmail.com wrote:

 All,

 In the interest of curiosity, I have a theoretical question for your
 consideration and debate...

 What measures would you need to see in place in a small business
 (fewer than 500 users) to feel comfortable with setting a password
 policy that sets standard complexity (that is, at least three of the
 standard four character types - UC, LC, numeric and special),
 minimum 10 characters in length, with no expiration, no history and no
 minimum age?

 Assume a Win2k8R2 single domain forest.

 Kurt




Re: OT - Home Router ideas?

2012-01-10 Thread joeu...@chronic.org
Anything found here: http://www.dd-wrt.com/site/support/router-database

 


On January 10, 2012 at 12:09 PM winsys winsysad...@gmail.com wrote:

 A friend of mine is looking for a new home router that he can
 disable/enable internet access very easily from a web page.

Re: OT - Home Router ideas?

2012-01-10 Thread Steven Peck
I realize there is a lot of love for dd-wrt but they burned their bridge
with me a while ago.  I just don't find their stuff dependable enough to
actually use anymore.  Granted this may have changed in two years, but not
enough for me to trust them with something I may have to support.

On Tue, Jan 10, 2012 at 6:01 PM, joeu...@chronic.org wrote:

  Anything found here: http://www.dd-wrt.com/site/support/router-database



 On January 10, 2012 at 12:09 PM winsys winsysad...@gmail.com wrote:

  A friend of mine is looking for a new home router that he can
  disable/enable internet access very easily from a web page.


Re: OT - Home Router ideas?

2012-01-10 Thread Andrew S. Baker
What problems have you encountered?

I have 3 DD-WRT based devices running now (2 at work; 1 at home) and I
haven't had any issues.  Still on the Aug 2010 release.

Also, what do you use instead of DD-WRT?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Jan 10, 2012 at 9:17 PM, Steven Peck sep...@gmail.com wrote:

 I realize there is a lot of love for dd-wrt but they burned their bridge
 with me a while ago.  I just don't find their stuff dependable enough to
 actually use anymore.  Granted this may have changed in two years, but not
 enough for me to trust them with something I may have to support.


 On Tue, Jan 10, 2012 at 6:01 PM, joeu...@chronic.org wrote:

  Anything found here: http://www.dd-wrt.com/site/support/router-database



 On January 10, 2012 at 12:09 PM winsys winsysad...@gmail.com wrote:

  A friend of mine is looking for a new home router that he can
  disable/enable internet access very easily from a web page.





Re: OT - Home Router ideas?

2012-01-10 Thread Steven Peck
First their 'tunnels' did not work as advertised and I spent months trying
things on their forums only to find out they didn't work per
documentation.  Second, it was such a pain to get the DD-WRT to work on the
hardware and you had to be very very careful to get the supported routers
model number and even then risk your money/investment flashing them.  After
a while, the risk vs what they gave you wasn't enough to overcome the
annoyance factor of the occasional brick at a time when the hardware was my
spare cash.

I don't handle work routers (Cisco); at home I have a D-Link that works well
enough.  For a point to point with a neighbor I have two Groove-5Hn that I
like a lot (PoE sitting in the attic just fine, though if I didn't have the
antennas already then I would have gotten one of their integrated
solutions).  I will probably replace the D-Link with something of theirs
later this year.  Probably RB751U-2HnD or get a board and daughterboards
which would cost more.  Not sure yet.

http://routerboard.com/GrooveA5Hn
http://routerboard.com/RB751U-2HnD

Steven Peck
http://www.blkmtn.org



On Tue, Jan 10, 2012 at 7:13 PM, Andrew S. Baker asbz...@gmail.com wrote:

 What problems have you encountered?

 I have 3 DD-WRT based devices running now (2 at work; 1 at home) and I
 haven't had any issues.  Still on the Aug 2010 release.

 Also, what do you use instead of DD-WRT?

 ASB
 http://XeeMe.com/AndrewBaker
 Harnessing the Advantages of Technology for the SMB market…



 On Tue, Jan 10, 2012 at 9:17 PM, Steven Peck sep...@gmail.com wrote:

 I realize there is a lot of love for dd-wrt but they burned their bridge
 with me a while ago.  I just don't find their stuff dependable enough to
 actually use anymore.  Granted this may have changed in two years, but not
 enough for me to trust them with something I may have to support.


 On Tue, Jan 10, 2012 at 6:01 PM, joeu...@chronic.org wrote:

  Anything found here: http://www.dd-wrt.com/site/support/router-database



 On January 10, 2012 at 12:09 PM winsys winsysad...@gmail.com wrote:

  A friend of mine is looking for a new home router that he can
  disable/enable internet access very easily from a web page.



Re: OT - Home Router ideas?

2012-01-10 Thread Andrew S. Baker
The tunnels didn't appeal to me, because everything I need to connect with
is IPSec, but they only support OpenSSL.  Once I got over that, however, I
was good, because I searched for the best router that would support the
firmware before I bought it.

To me, it's no different from any other HCL type situation.  If you get the
wrong hardware, you're on a wing and a prayer.

DD-WRT is getting to the point where hardware vendors are providing their
equipment with it installed, so that's a good thing, IMO.

Thanks for the feedback, though.  I have my own list of "not likely to
use" products for similar reasons over time.

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…



On Tue, Jan 10, 2012 at 11:25 PM, Steven Peck sep...@gmail.com wrote:

 First their 'tunnels' did not work as advertised and I spent months trying
 things on their forums only to find out they didn't work per
 documentation.  Second, it was such a pain to get the DD-WRT to work on the
 hardware and you had to be very very careful to get the supported routers
 model number and even then risk your money/investment flashing them.  After
 a while, the risk vs what they gave you wasn't enough to overcome the
 annoyance factor of the occasional brick at a time when the hardware was my
 spare cash.

 I don't handle work routers (Cisco); at home I have a D-Link that works
 well enough.  For a point to point with a neighbor I have two Groove-5Hn
 that I like a lot (PoE sitting in the attic just fine, though if I didn't
 have the antennas already then I would have gotten one of their integrated
 solutions).  I will probably replace the D-Link with something of theirs
 later this year.  Probably RB751U-2HnD or get a board and daughterboards
 which would cost more.  Not sure yet.

 http://routerboard.com/GrooveA5Hn
 http://routerboard.com/RB751U-2HnD

 Steven Peck
 http://www.blkmtn.org



 On Tue, Jan 10, 2012 at 7:13 PM, Andrew S. Baker asbz...@gmail.com wrote:

 What problems have you encountered?

 I have 3 DD-WRT based devices running now (2 at work; 1 at home) and I
 haven't had any issues.  Still on the Aug 2010 release.

 Also, what do you use instead of DD-WRT?

 ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of
 Technology for the SMB market…



 On Tue, Jan 10, 2012 at 9:17 PM, Steven Peck sep...@gmail.com wrote:

 I realize there is a lot of love for dd-wrt but they burned their bridge
 with me a while ago.  I just don't find their stuff dependable enough to
 actually use anymore.  Granted this may have changed in two years, but not
 enough for me to trust them with something I may have to support.


 On Tue, Jan 10, 2012 at 6:01 PM, joeu...@chronic.org 
 joeu...@chronic.org wrote:

  Anything found here:
 http://www.dd-wrt.com/site/support/router-database



 On January 10, 2012 at 12:09 PM winsys winsysad...@gmail.com wrote:

  A friend of mine is looking for a new home router that he can
  disable/enable internet access very easily from a web page.



Re: OT - Home Router ideas?

2012-01-10 Thread Steven Peck
Ya, at the time my primary need was for a p2p tunnel.  The other stuff
appealed to me but the community was in a weird transition state as well
with the primary dev, etc.  The whole thing was just too irritating overall
in the end.  Also the basic capabilities of the low end commercial
offerings covered my home needs.  Now that I found the RouterBoard folks
that will cover any more specialized needs quite nicely now.

On Tue, Jan 10, 2012 at 8:53 PM, Andrew S. Baker asbz...@gmail.com wrote:

 The tunnels didn't appeal to me, because everything I need to connect with
 is IPSec, but they only support OpenSSL.  Once I got over that, however, I
 was good, because I searched for the best router that would support the
 firmware before I bought it.

 To me, it's no different from any other HCL type situation.  If you get
 the wrong hardware, you're on a wing and a prayer.

 DD-WRT is getting to the point where hardware vendors are providing their
 equipment with it installed, so that's a good thing, IMO.

 Thanks for the feedback, though.  I have my own list of not likely to
 use products for similar reasons over time.

 ASB http://XeeMe.com/AndrewBaker Harnessing the Advantages of
 Technology for the SMB market…




RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Ken Schaefer
I think you need to define what you are trying to protect against.

BitLocker will protect disks at rest - it's whole disk encryption. It doesn't 
encrypt individual files.

EFS is per file encryption - but it's also an attribute of the NTFS file 
system. EFS is thus not portable across any medium which doesn't support that 
NTFS file attribute (e.g. FAT file system, SMB network). Additionally, EFS 
works by using a certificate in the user's profile - so if you want to use 
per-user EFS encryption on a file server, you need to have (a) roaming profiles 
that store the EFS certs and (b) Kerberos delegation from the file server to 
the server hosting the roaming profiles, so that the server can authN as the 
user and load their profile and cert.
As the cert is stored in the user's profile, it can be used offline.
Giving multiple people access to a file is a bit of a pain - individual 
decryption keys need to be inserted into each file. Hence you pretty much need 
a PKI for anything larger than the most trivial of environments.

AD-RMS is based on license keys issued by an RMS server. So issuance is 
centrally controlled - no need to store things in user profiles per se. However 
you need to be able to contact the RMS server to obtain a license key (decrypt) 
or encrypt a document. So, it doesn't really work offline. Additionally, it's 
reliant on the application to implement the functionality to control access. 
So, no ability to RMS encrypt an Access file, Visio file, Photoshop file etc. 
Excel, Word, PowerPoint and Outlook are the only supported Office applications.

There are plenty of third party products as well. Most work on the same 
principles of either EFS or AD-RMS: either a central license store, or a 
distributed key store.

Cheers
Ken

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Wednesday, 11 January 2012 5:30 AM
To: NT System Admin Issues
Subject: RE: Encrypting a 2008 R2 Clustered File Server

Michael,

Thanks for the warning on not using it.  With my first research we couldn't use 
BitLocker on the cluster servers since they don't have TPM chips installed.  
Found the following article to use BitLocker without TPM: 
http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Tuesday, January 10, 2012 2:10 PM
To: NT System Admin Issues
Subject: RE: Encrypting a 2008 R2 Clustered File Server

NO! Don't use EFS! Use BitLocker.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Cameron Cooper [mailto:ccoo...@aurico.com]
Sent: Tuesday, January 10, 2012 1:49 PM
To: NT System Admin Issues
Subject: Encrypting a 2008 R2 Clustered File Server

All,

We're in the process of migrating all of our company servers from server 2003 
to server 2008 R2.  We've installed and configured two Server 2008 R2 
Enterprise cluster servers with a failover cluster role and are connected to a 
MD3000 storage.

Here's what we're looking to do... we're going to create network shares that 
are dependent on dept. and user access (i.e. someone from our researching 
dept. doesn't need to see/have access to accounting dept. share) and encrypt 
the entire file server.  We also want the encrypt/decrypt to be transparent to 
the end user.

First question: Has anyone used EFS with AD RMS with network shares?  Has this 
worked and how easy was it to set up?

Second question: Is there a recommended encryption solution that someone has 
implemented?

Regards,

Cameron

_
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
ccoo...@aurico.com | www.aurico.com



CONFIDENTIALITY NOTICE: This email message is intended only for the person or 
entity to which it is addressed and may contain confidential material. Any 
unauthorized review, use, disclosure, downloading, copying or distribution is 
prohibited. If you are not the intended recipient, please contact the sender by 
reply email and permanently delete all copies of the original message. If you 
are the intended recipient but do not wish to receive communications through 
this medium, please advise the sender immediately.
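
The EFS behaviour Ken Schaefer describes in the message above, where each encrypted file carries its own key entry for every user allowed to read it, is modelled below. This is an added example, not code from the thread or from Microsoft: the function names are hypothetical, the user keys are constructed, and the key wrap is a standard-library stand-in for the public-key wrap that real EFS uses.

```python
"""Constructed model of EFS-style per-file key entries (not Microsoft's code).
Stand-in crypto: real EFS wraps the file key with each user's public key; here
each user holds a 32-byte secret and the wrap is an HMAC-SHA256 keystream."""
import hashlib
import hmac
import os

def _stream(key, label, n):
    """Derive n keystream bytes from key and label (HMAC in counter mode)."""
    blocks = (hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(user_key, fek):
    """Build one key entry: the file key encrypted for a single user."""
    nonce = os.urandom(16)
    ct = _xor(fek, _stream(user_key, b"wrap" + nonce, len(fek)))
    tag = hmac.new(user_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag

def unwrap(user_key, entry):
    """Recover the file key, or refuse if the entry was not made for this key."""
    nonce, ct, tag = entry
    good = hmac.new(user_key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise PermissionError("key entry does not match this user's key")
    return _xor(ct, _stream(user_key, b"wrap" + nonce, len(ct)))

def encrypt_file(plaintext, owner, owner_key):
    """Encrypt under a fresh random file key; store one key entry for the owner."""
    fek, nonce = os.urandom(32), os.urandom(16)
    body = _xor(plaintext, _stream(fek, b"data" + nonce, len(plaintext)))
    return {"nonce": nonce, "body": body, "keys": {owner: wrap(owner_key, fek)}}

def read_file(f, user, user_key):
    """Decrypt only if this file carries a key entry for the user."""
    if user not in f["keys"]:
        raise PermissionError(user + " has no key entry in this file")
    fek = unwrap(user_key, f["keys"][user])
    return _xor(f["body"], _stream(fek, b"data" + f["nonce"], len(f["body"])))

def add_user(f, granter, granter_key, new_user, new_user_key):
    """Someone who can already decrypt re-wraps the file key for a new user.
    Real EFS needs only the new user's certificate here, hence the PKI."""
    fek = unwrap(granter_key, f["keys"][granter])
    f["keys"][new_user] = wrap(new_user_key, fek)
```

Granting a second user access to one file leaves every other file unreadable to that user until its own key list is updated, which is the per-file overhead the message points at.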


RE: Encrypting a 2008 R2 Clustered File Server

2012-01-10 Thread Ken Schaefer
To clarify one point: you can access RMS encrypted documents offline if you've 
already been issued a license key. But you can't open anything you haven't 
previously

CONFIDENTIALITY NOTICE: This email message is intended only for the person or 
entity to which it is addressed and may contain confidential material. Any 
unauthorized review, use, disclosure, downloading, copying or distribution is 
prohibited. If you are not the intended recipient, please contact the sender by 
reply email and permanently delete all copies of the original message. If you 
are the intended recipient but do not wish to receive communications through 
this medium, please advise