RE: Local server name appears on the Internet DNS

2010-08-06 Thread Mike French
Somebody got something FUBAR'd if that's the case. I see your MX as
MX1.imcu.com from the ultradns nameservers who claim to be authoritative
for your zone:

 

The SOA record is:
Primary nameserver: pdns1.ultradns.net
Hostmaster E-mail address: bill.krause.fiserv.com
Serial #: 2010072104 
Refresh: 10800 
Retry: 3600 
Expire: 2592000   4 weeks
Default TTL: 86400

 

5   mx1.imcu.com   206.18.123.221

 

If you are using "Mail.imcu.com" for your MX, make sure your DNS host
updates the record from MX1.imcu.com.

 

One other thing to keep in mind: when your Ironport is sending mail (I
assume inbound and outbound goes through the Ironport) the HELO in the
destination mail server will see your FQDN of the Ironport, which in your
case will be "nachodevice.imcu.local". This could pose some problems; I
would suggest that you change the host name of your Ironport to whatever
your MX and SMTP banner is; however, you need to make that call since
this could have some adverse impact on your network internally. Ironport
Web Interface -> Network -> Select Interface Name to modify -> Enter
your Hostname in the Hostname field.

 

Test - Test - Test

 

You can open up a couple of ssh sessions to your Ironport and use the
tail command to watch "SMTP Conversations" and "mail_logs", which can
help.

 

https://www.testexchangeconnectivity.com/Default.aspx

http://www.intodns.com/

http://www.whatsmydns.net/

http://www.sort-dns.com/

 

 

 



From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Friday, August 06, 2010 10:21 AM
To: NT System Admin Issues
Subject: RE: Local server name appears on the Internet DNS

 

I am working his list now.

Just curious as to how that name got to the Internet.

My faxed request to my ISP was for mail.imcu.com to have the PTR of
206.18.123.221.

So to have the imcu.local address having it I am a little bit concerned
as to how it was updated...

 

 



From: Richard Stovall [mailto:rich...@gmail.com] 
Posted At: Friday, August 06, 2010 10:57 AM
Posted To: itli...@imcu.com
Conversation: Local server name appears on the Internet DNS
Subject: Re: Local server name appears on the Internet DNS
  

I sure hope not.  :-)

 

I'd call ATT and ask them what's up, and also take the rest of the steps
suggested by Mike French earlier.

On Fri, Aug 6, 2010 at 10:36 AM, itli...@imcu.com 
wrote:

Could my Active Directory be pushing that address out to them?

 



From: Richard Stovall [mailto:rich...@gmail.com] 
Posted At: Friday, August 06, 2010 10:32 AM


Posted To: itli...@imcu.com
Conversation: Local server name appears on the Internet DNS
Subject: Re: Local server name appears on the Internet DNS
  

In the reverse zone at ATT?  It sure doesn't seem like it because the
answer coming back for that IP is 03030611n4m055.imcu.local.  A forward
lookup of mail.imcu.com returns 206.18.123.221.

 

You'll need to ask ATT to change the record in their reverse zone.

On Fri, Aug 6, 2010 at 10:23 AM, itli...@imcu.com 
wrote:

There is a ptr for mail.imcu.com to 206.18.123.221 though.

 



From: Richard Stovall [mailto:rich...@gmail.com] 
Posted At: Friday, August 06, 2010 9:35 AM
Posted To: itli...@imcu.com
Conversation: Local server name appears on the Internet DNS
Subject: Re: Local server name appears on the Internet DNS
  

The PTR record for 206.18.123.221 resolves to 03030611n4m055.imcu.local.
Ask your ISP to change it to mail.imcu.com or whatever is appropriate.

On Fri, Aug 6, 2010 at 9:24 AM, itli...@imcu.com 
wrote:

I am really confused.

I am using MXToolBox and the SMTP tool.
I get the below results:


220-nachodevice.imcu.local ESMTPIronport Success
 Not an open relay.
 0 seconds - Good on Connection time
 0.546 seconds - Good on Transaction time
 OK - 206.18.123.221 resolves to 03030611n4m055.imcu.local
 OK - Reverse DNS matches SMTP Banner
Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 nachodevice.imcu.local [16 ms]
MAIL FROM: 
250 sender  ok [31 ms]
RCPT TO: 
550 #5.1.0 Address rejected. [31 ms]
QUIT
221 nachodevice.imcu.local [47 ms]


The nachdevice.imcu.local is my ironport, I get that
The 03030611n4m055.imcu.local is my Exchange server, on the internal
side of the firewall.  I have an mx record for the ironport's external
port.
I do not know why the 0303... name is being published to the world??
Any ideas??







~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

RE: Local server name appears on the Internet DNS

2010-08-06 Thread Mike French
Your MX records that were reported by your nameservers are:

5   mx1.imcu.com   206.18.123.221

 

Your reverse (PTR) record:
221.123.18.206.in-addr.arpa ->  03030611n4m055.imcu.local

 

Banner Received: 220-nachodevice.imcu.local ESMTP

 

Get your ISP to change your PTR to: 221.123.18.206.in-addr.arpa ->
mx1.imcu.com

 

On your ironport, log into the web interface -> Mail Policies -> Mail
Flow Policies -> Default Policy Parameters -> Override SMTP Banner
Hostname: mx1.imcu.com

 

 

 

 



From: itli...@imcu.com [mailto:itli...@imcu.com] 
Sent: Friday, August 06, 2010 9:24 AM
To: NT System Admin Issues
Subject: RE: Local server name appears on the Internet DNS

 

There is a ptr for mail.imcu.com to 206.18.123.221 though.

 



From: Richard Stovall [mailto:rich...@gmail.com] 
Posted At: Friday, August 06, 2010 9:35 AM
Posted To: itli...@imcu.com
Conversation: Local server name appears on the Internet DNS
Subject: Re: Local server name appears on the Internet DNS
  

The PTR record for 206.18.123.221 resolves to 03030611n4m055.imcu.local.
Ask your ISP to change it to mail.imcu.com or whatever is appropriate.

On Fri, Aug 6, 2010 at 9:24 AM, itli...@imcu.com 
wrote:

I am really confused.

I am using MXToolBox and the SMTP tool.
I get the below results:


220-nachodevice.imcu.local ESMTPIronport Success
 Not an open relay.
 0 seconds - Good on Connection time
 0.546 seconds - Good on Transaction time
 OK - 206.18.123.221 resolves to 03030611n4m055.imcu.local
 OK - Reverse DNS matches SMTP Banner
Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 nachodevice.imcu.local [16 ms]
MAIL FROM: 
250 sender  ok [31 ms]
RCPT TO: 
550 #5.1.0 Address rejected. [31 ms]
QUIT
221 nachodevice.imcu.local [47 ms]


The nachdevice.imcu.local is my ironport, I get that
The 03030611n4m055.imcu.local is my Exchange server, on the internal
side of the firewall.  I have an mx record for the ironport's external
port.
I do not know why the 0303... name is being published to the world??
Any ideas??





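The three names lined up in the post above (MX host, PTR target, SMTP banner) can be compared mechanically. The Python below is an added example, not part of the original posts; the function names, finding codes and the list of internal suffixes are assumptions, and the sample resolver data is constructed from the values quoted in the thread.

```python
import re
import socket

# Assumed list of private-use suffixes that should not show up in public
# PTR answers or SMTP greetings.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp", ".home")
BANNER_RE = re.compile(r"^220[ -](\S+)")


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def banner_hostname(banner):
    """Return the host announced in a 220 greeting line, or None."""
    match = BANNER_RE.match(banner.strip())
    return norm(match.group(1)) if match else None


def is_internal(name):
    """True for single-label names and names under a private-use suffix."""
    name = norm(name)
    return "." not in name or name.endswith(INTERNAL_SUFFIXES)


def system_ptr(ip):
    """Live PTR lookup via the system resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(name):
    """Live A lookup via the system resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def audit_mail_identity(mx_host, ip, banner,
                        ptr_lookup=system_ptr, a_lookup=system_a):
    """Compare MX host, PTR target and SMTP banner; return (code, text) findings."""
    findings = []
    mx_host = norm(mx_host)

    ptr = ptr_lookup(ip)
    if ptr is None:
        findings.append(("NO_PTR", f"{ip} has no PTR record"))
    else:
        ptr = norm(ptr)
        if is_internal(ptr):
            findings.append(("PTR_INTERNAL", f"PTR {ptr} is an internal name"))
        if ptr != mx_host:
            findings.append(("PTR_MX_MISMATCH", f"PTR {ptr} != MX {mx_host}"))
        # Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
        if ip not in a_lookup(ptr):
            findings.append(("FCRDNS_FAIL", f"{ptr} does not resolve to {ip}"))

    greeted = banner_hostname(banner)
    if greeted is None:
        findings.append(("BANNER_UNPARSED", "no hostname in 220 greeting"))
    else:
        if is_internal(greeted):
            findings.append(("BANNER_INTERNAL", f"banner {greeted} is internal"))
        if greeted != mx_host:
            findings.append(("BANNER_MX_MISMATCH", f"banner {greeted} != MX {mx_host}"))
    return findings


# Constructed resolver data built from the values quoted in the thread.
BEFORE_PTR = {"206.18.123.221": "03030611n4m055.imcu.local"}
AFTER_PTR = {"206.18.123.221": "mx1.imcu.com"}
FORWARD = {"mx1.imcu.com": ["206.18.123.221"]}


def forward_lookup(name):
    """Offline stand-in for an A lookup over the constructed zone data."""
    return FORWARD.get(name, [])


def run_sample():
    """Audit the state reported in the thread and the state after both fixes."""
    before = audit_mail_identity("mx1.imcu.com", "206.18.123.221",
                                 "220-nachodevice.imcu.local ESMTP",
                                 BEFORE_PTR.get, forward_lookup)
    after = audit_mail_identity("mx1.imcu.com", "206.18.123.221",
                                "220 mx1.imcu.com ESMTP",
                                AFTER_PTR.get, forward_lookup)
    return [c for c, _ in before], [c for c, _ in after]


if __name__ == "__main__":
    before_codes, after_codes = run_sample()
    print("before:", before_codes)
    print("after: ", after_codes)
```

Calling `audit_mail_identity` with only the first three arguments uses the system resolver instead of the constructed data.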

RE: Group Recommendations for load balancers?

2010-06-16 Thread Mike French
Don't use an F5 Link controller - Maybe they have the issues fleshed out
now, but it's expensive, complex and ours never has worked the way their
SA's said it would. On another note: We looked at www.peplink.com
as a replacement and www.elfiq.com; both seem easy, not real expensive
and will get the job done. I believe both will do inbound and outbound
LB, and have a built-in DNS server to handle the delegated A records to
serve up for inbound. It's been awhile since we looked at these so YMMV.

 

 

 



From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Monday, June 14, 2010 1:52 PM
To: NT System Admin Issues
Subject: RE: Group Reccomendations for load balancers?

 

Forefront TMG will do this - might be a cheap option.

 

Thanks,

Brian Desmond

br...@briandesmond.com

 

c   - 312.731.3132

 

From: N Parr [mailto:npar...@mortonind.com] 
Sent: Monday, June 14, 2010 12:51 PM
To: NT System Admin Issues
Subject: Group Reccomendations for load balancers?

 

Right now we have an ASA with two internet connections.  ASA can only
use secondary connection as failover, can't load balance.  Need to put
something in front of the ASA to handle 2-3 connections.  We do
hardware, software and SSL VPN's with the ASA.  Don't have a budget at
the moment.  Would prefer to keep it in the 2-3k range tops.  Zytel and
Barracuda are the only two I've done a bit of research on.

Thanks

 

 

 

 


OT: Made me chuckle

2010-03-19 Thread Mike French
46. March 17, Wired - (Texas) Hacker disables more than 100 cars
remotely. More than 100 drivers in Austin, Texas found their cars
disabled or the horns honking out of control, after an intruder ran amok
in a web-based vehicle-immobilization system normally used to get the
attention of consumers delinquent in their auto payments. Police with
Austin's High Tech Crime Unit on March 17 arrested a 20-year-old who was
a former Texas Auto Center employee who was laid off last month, and
allegedly sought revenge by bricking the cars sold from the dealership's
four Austin-area lots. The dealership used a system called Webtech Plus
as an alternative to repossessing vehicles that haven't been paid for.
Operated by Cleveland-based Pay Technologies, the system lets car
dealers install a small black box under vehicle dashboards that responds
to commands issued through a central website, and relayed over a
wireless pager network. The dealer can disable a car's ignition system,
or trigger the horn to begin honking, as a reminder that a payment is
due. The system will not stop a running vehicle. Texas Auto Center began
fielding complaints from baffled customers the last week in February,
many of whom wound up missing work, calling tow trucks or disconnecting
their batteries to stop the honking. The troubles stopped five days
later, when Texas Auto Center reset the Webtech Plus passwords for all
its employee accounts, says the manager of Texas Auto Center. Then
police obtained access logs from Pay Technologies, and traced the
saboteur's IP address to the suspect's AT&T internet service, according
to a police affidavit filed in the case. Source:
http://www.wired.com/threatlevel/2010/03/hacker-brickscars/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))

 

 

Mike French
Network Engineer
~EQUITY BANK <http://www.theequitybank.com/> 
Office: 214.231.4565
<mailto:mike.fre...@theequitybank.com> mike.fre...@theequitybank.com

"Evidently excellence in security by some 
security-centric vendors is defined as being the head of the class in a 
room filled with children without a propensity to learn." - Anonymous

 



RE: Watchguard appliances

2010-03-12 Thread Mike French
Seems every Watchguard owner is a "Beta" tester. Their support is
frustrating to say the least, and I have never had "them" actually
figure out a problem, I've done it myself. My next look will be a Palo
Alto - I'm done with UTM - Packet filtering - Bastardized Proxied
firewalls. Application awareness is a much better idea and "True" SSL
decryption all the better.. 

 



From: Jeff Brown [mailto:2jbr...@gmail.com] 
Sent: Friday, March 12, 2010 12:09 PM
To: NT System Admin Issues
Subject: Re: Watchguard appliances

 

6+ years since we went through our "mess" with Watchguard, I'm still not
completely over it, so I'll be happy to share.  We had 5 units, 2 mid to
large size firewalls and 3 SOHO devices.  We never had any issues with
the larger boxes, but every time we applied any kind of upgrade(CALS or
VPN licenses) to one of the SOHO units it would crap out the whole
network.  Took lots of time to trace down because problems did not
happen immediately...  we chased our tails for hours several times and
every time we rolled the firewalls back the issues went away.  No
logical connection between the firewall changes and the problems it
caused.  VERY frustrating.  Switched to fortinet and have no regrets.

On Fri, Mar 12, 2010 at 11:48 AM, Phillip Partipilo 
wrote:

Curious to hear of experiences with their appliances and support, as
well as comparisons with competing products.  I am ready to throw this
thing off the roof, along with Pavel Checkov from the support
department.


Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107




RE: OT: Please rob me

2010-02-22 Thread Mike French
Somehow this is a good idea: 
http://www.americanbanker.com/btn_issues/23_2/direct-access-cu-pushes-twitter-banking-1006614-1.html

Maybe we should just stick our heads in the sand and pretend we are somehow 
smarter than the criminals

Here's another one "Blippy" 
http://www.walletpop.com/blog/2009/12/17/would-you-tweet-your-credit-card-purchases/


-Original Message-
From: Miguel González Castaños [mailto:miguel_3_gonza...@yahoo.es] 
Sent: Saturday, February 20, 2010 8:41 AM
To: NT System Admin Issues
Subject: Re: OT: Please rob me

David L Herrick wrote:
> Wonder how many of the robbers would also be posting location and activities 
> whilst doing the job and later posting video on facebook?
Well, here in Spain we already have our case:

http://translate.google.es/translate?js=y&prev=_t&hl=es&ie=UTF-8&layout=1&eotf=1&u=http://www.laprovincia.es/nacional/2010/02/18/mossos-detienen-miembros-eta-girona/285975.html&sl=es&tl=en

Although we can't forget these guys are terrorists, it's kind of funny to 
see this kind of stupid behavior in people that should be cautious and 
try to go unnoticed.

Miguel




RE: OT: Data Center Built 22 Stories Underground in 300M Yr Old Cave

2009-12-16 Thread Mike French
Or take the elevator

-Original Message-
From: mse...@ont.com [mailto:mse...@ont.com] 
Sent: Wednesday, December 16, 2009 8:16 AM
To: NT System Admin Issues
Subject: RE: OT: Data Center Built 22 Stories Underground in 300M Yr Old
Cave

What a great idea. Security is easier too. Let's see thieves dig through
hundreds of feet of limestone!

Original Message:
-
From: Sam Cayze sam.ca...@rollouts.com
Date: Tue, 15 Dec 2009 18:45:18 -0600
To: ntsysadmin@lyris.sunbelt-software.com
Subject: OT: Data Center Built 22 Stories Underground in 300M Yr Old
Cave


This is pretty neat.

 

http://www.treehugger.com/files/2009/12/ultra-efficient-data-center-housed-22-stories-underground-in-limestone-cave.php

 

http://preview.tinyurl.com/ycp3oop

 

 

 

Sam Cayze
Information Technology Administrator
ROLLOUTS
ONSITE * ON DEMAND

LinkedIn: http://www.linkedin.com/in/samcayze
FaceBook: http://www.facebook.com/samcayze
Do you have tech skills?  Sign up at our site and become a Rollouts
e-Technician: https://www.e-technicians.net/

 

 





RE: Fiber Cable Tester

2009-09-25 Thread Mike French
Maybe so, but all of my MMF transceivers are Class I laser

-Original Message-
From: Phil Brutsche [mailto:p...@optimumdata.com] 
Sent: Thursday, September 24, 2009 7:03 PM
To: NT System Admin Issues
Subject: Re: Fiber Cable Tester

Multimode optics tend to be LED, not laser.

Still wouldn't point the output side of a fiber pair at my eyeball.

Ben Scott wrote:
>   It depends.  The lasers used for single-mode LX fiber can blind you.
>  Multimode, I'm not sure.  I wouldn't take the risk.

-- 

Phil Brutsche
p...@optimumdata.com




ESET 4435 and Spector

2009-09-17 Thread Mike French
For those of you running Spector 360 / CNE and ESET Nod32:

 

Update 4435 (20090917)

2009-09-17 21:36

BAT/KillWin.NAS (2), BAT/Qhost.NCS, VBS/TrojanDownloader.Agent.NAX,
Win32/Adware.Antivirus2009 (2), Win32/BHO.NTJ (3), Win32/Boberog.AF,
Win32/EBlaster, Win32/HackAV.CR (3), Win32/NoAdware (2),
Win32/Olmarik.HI (4), Win32/Olmarik.IJ (4), Win32/Olmarik.LW (7),
Win32/PSW.OnLineGames.OMW, Win32/PSW.Pebox.AA, Win32/PSW.Pebox.BA,
Win32/PSW.YahooPass.AF, Win32/Qhost, Win32/SpectorPro (3),
Win32/Spy.Banbra.NVE, Win32/Spy.Bancos.NNL (2), Win32/Spy.Banker.SCI
(2), Win32/Spy.Banker.SCJ, Win32/Spy.Zbot.JF (2), Win32/Spy.Zbot.UN (2),
Win32/StartPage.NMW (2), Win32/TrojanDownloader.Bredolab.AA,
Win32/TrojanDownloader.Delf.OXF (2),
Win32/TrojanDownloader.FakeAlert.AHR,
Win32/TrojanDownloader.FakeAlert.AHS,
Win32/TrojanDownloader.FakeAlert.AIJ (2),
Win32/TrojanDownloader.FakeAlert.AIK,
Win32/TrojanDownloader.FakeAlert.AJA,
Win32/TrojanDownloader.FakeAlert.AJD (2),
Win32/TrojanDownloader.FakeAlert.AJE (2),
Win32/TrojanDownloader.Small.NFE, Win32/TrojanDropper.Agent.OII,
Win32/Urlbot.NAC (2), Win32/Urlbot.NAD (2)

The 4435 Definitions might false on your client monitoring deployments
and your CNE server. I just got hammered with it. I submitted to ESET
so we shall see.

 

False hit on Win32/Urlbot.NAD - Virus total confirmed and Sunbelt
sandbox confirmed..

 

Mike French
Network Engineer
~EQUITY BANK <http://www.theequitybank.com/> 
Office: 214.231.4565
<mailto:mike.fre...@theequitybank.com> mike.fre...@theequitybank.com

"Evidently excellence in security by some 
security-centric vendors is defined as being the head of the class in a 
room filled with children without a propensity to learn." - Anonymous

 



RE: [OT] Managing Geeks

2009-09-14 Thread Mike French
I concur, I've been in a few BOD meetings and it was all I could do to just 
keep my mouth shut. I quit going due to the "poo" pile getting bigger than I 
like to shovel and in those situations I have little to offer them for 
input.

 



From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Monday, September 14, 2009 9:01 AM
To: NT System Admin Issues
Subject: Re: [OT] Managing Geeks

 

From my personal perspective I see that most of the people on government 
boards (volunteer) are either mainly BS'ers or just out of their depth and 
trying hard to keep up with the BS'ers pulling the wool over their eyes 
whenever they can.  I have had to attend BOD meetings at my previous gig and 
watched it happen all the time.  Boards usually have a lot of politics that 
necessitate a lot of BS to get things done to the majority's desires.

 

Jon

2009/9/14 David Lum 

I don't see this as OT at all, this is hugely relevant! My two favorite quotes:

* "Good IT pros are not anti-bureaucracy, as many observers think. They 
are anti-stupidity"

* "Periodically, bring a few key IT brains to the boardroom to observe 
the problems of the organization at large, even about things outside of the IT 
world, if only to make use of their exquisitely refined BS detectors"

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


> 
> From: Mike French
> To: NT System Admin Issues
> Sent: Fri Sep 11 19:08:54 2009
> Subject: [OT] Managing Geeks
>
> I find an uncomfortable amount in common with this article...
>
>
>
> http://www.computerworld.com/s/article/9137708/Opinion_The_unspoken_truth_about_managing_geeks
>
>
>
>
>
> Mike French
> Network Engineer
> ~EQUITY BANK
> Office: 214.231.4565
> mike.fre...@theequitybank.com
>
> "Evidently excellence in security by some
> security-centric vendors is defined as being the head of the class in a
> room filled with children without a propensity to learn." - Anonymous
>
>
>
>
>
>
>
> 




-- 
Sherry Abercrombie

"Any sufficiently advanced technology is indistinguishable from magic." 
Arthur C. Clarke

[OT] Managing Geeks

2009-09-11 Thread Mike French
I find an uncomfortable amount in common with this article...

 

http://www.computerworld.com/s/article/9137708/Opinion_The_unspoken_truth_about_managing_geeks

 

 

Mike French
Network Engineer
~EQUITY BANK <http://www.theequitybank.com/> 
Office: 214.231.4565
<mailto:mike.fre...@theequitybank.com> mike.fre...@theequitybank.com

"Evidently excellence in security by some 
security-centric vendors is defined as being the head of the class in a 
room filled with children without a propensity to learn." - Anonymous

 



RE: Virus?

2009-08-05 Thread Mike French
Virus total's numbers aren't very comforting if that IS actually a
virus... 

Did you submit to McAfee? I'm curious as to what they have to say. If you
have support I would get in touch with them, this might be a 0-day?

-Original Message-
From: RAY ZORZ [mailto:rz...@azcorrections.gov] 
Sent: Wednesday, August 05, 2009 5:43 PM
To: NT System Admin Issues
Subject: RE: Virus?

http://www.virustotal.com/analisis/d7935fdf6102f1fd869f6337c45e7d690e40ae9c31ac5d7c7f3ee3d141a14a4a-1249508892

McAfee still isn't cleaning it, but if this site is legit, and
Malwarebytes is also catching the "right thing", then a lot of vendors
aren't catching it either. 

Oy. 

>>> "Mike French"  8/4/2009 2:54 PM >>>
Upload it to sunbelts sandbox: 

http://www.sunbeltsecurity.com/Submit.aspx?type=cwsandbox&cs=A41CD150B37359889A553671CBFD2360

It might give you better insight. Also upload to Virus Total:
http://www.virustotal.com/ 

See who else is seeing it as a virus...


-Original Message-
From: RAY ZORZ [mailto:rz...@azcorrections.gov] 
Sent: Tuesday, August 04, 2009 4:40 PM
To: NT System Admin Issues
Subject: Virus?

Our McAfee is picking up a buffer overflow error on IE.   The actual
.exe changes, but the path is the same each time:

C:\Documents and Settings\username\Application Data\upnpsvc.exe
(Trojan.Agent)

McAfee doesn't seem to clean it, just report it.   

Does this look familiar to anyone?

Ray





RE: Virus?

2009-08-04 Thread Mike French
Upload it to sunbelts sandbox: 

http://www.sunbeltsecurity.com/Submit.aspx?type=cwsandbox&cs=A41CD150B37359889A553671CBFD2360

It might give you better insight. Also upload to Virus Total:
http://www.virustotal.com/

See who else is seeing it as a virus...


-Original Message-
From: RAY ZORZ [mailto:rz...@azcorrections.gov] 
Sent: Tuesday, August 04, 2009 4:40 PM
To: NT System Admin Issues
Subject: Virus?

Our McAfee is picking up a buffer overflow error on IE.   The actual
.exe changes, but the path is the same each time:

C:\Documents and Settings\username\Application Data\upnpsvc.exe
(Trojan.Agent)

McAfee doesn't seem to clean it, just report it.   

Does this look familiar to anyone?

Ray





RE: Server Downtime

2009-08-03 Thread Mike French
LOL! Brings new meaning to "You get what you pay for..."

-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Saturday, August 01, 2009 11:27 AM
To: NT System Admin Issues
Subject: OT: Server Downtime

No Uptime Hosting - Guaranteed Server Downtime!
http://www.nouptime.com/




RE: Exchange TLS (ssl) cert ???

2009-07-29 Thread Mike French
Godaddy?

 



From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Wednesday, July 29, 2009 1:19 PM
To: NT System Admin Issues
Subject: Exchange TLS (ssl) cert ???

 

I've got a law office client ( cheap ) that needs to have TLS setup for
secure email with a european colleague ... anybody have a recommended
source for inexpensive SSL certs that would work for this ?

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 

 


RE: Test

2009-07-28 Thread Mike French
*   Outgoing Connections

*   HTTP Data

*   Method: GET
*   Url: 206.125.45.119/smc/webex/o3h289.php?getowner=1&uniqueid=ab4f4437-7414-87d4-55b1-173bcfb20c38
*   HTTP Version: HTTP/1.1

*   Header Data

*   Accept: */*
*   User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
*   Host: www.msjupdate.com
*   Connection: Keep-Alive

*   Method: GET
*   Url: 206.125.45.119/smc/webex/o3h289.php?adduser=1&owner_id=40&macaddress=00-80-C8-82-4F-FE&logonid=HOME-OFF-D5F0AC\\Jim
*   HTTP Version: HTTP/1.1

*   Header Data

*   Accept: */*
*   User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
*   Host: www.msjupdate.com
*   Connection: Keep-Alive

1 | 206.125.45.119 | USA - California | AIRLINERES-CALPOP-COM |
AirlineReservations.Com, Inc. | 206.125.40.0 - 206.125.47.255 | Yes |
AirlineReservations.Com, Inc. | 600 W. 7th Street, Suite 360, Los Angeles |
supp...@calpop.com | ab...@calpop.com | +1-213-627-1937 |
unknown.calpop.com

That's interesting... wonder why it would open a winsock connection
there?

 

 



From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Tuesday, July 28, 2009 10:38 AM
To: NT System Admin Issues
Subject: Re: Test

 

And look what it wants to install:

http://shipmentoffail.com//wp-content/plugins/install_flash_player_ax.exe

--
ME2



On Tue, Jul 28, 2009 at 11:24 AM, Mike French
 wrote:

Interesting code in that sites source:

 

http://dvd-chat.com/files/26.swf";
quality="high" bgcolor="#ff" width="1" height="1" name="movie"
align="" type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer";>

 

Nice of it to ask me to update adobe flash since I have the most current
version from Adobe. 

 

Pwnage?

 

 



From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, July 28, 2009 10:08 AM


To: NT System Admin Issues

Subject: RE: Test

 

www.shipmentoffail.com

 

 

 

-sc

 

From: Stefan Jafs [mailto:sj...@amico.com] 
Sent: Tuesday, July 28, 2009 11:06 AM
To: NT System Admin Issues
Subject: Test

 

I'm not receiving any postings to my e-mail, testing

 

___

Stefan Jafs

RE: Test

2009-07-28 Thread Mike French
Virus total gets a few hits... I need to get my sandbox going
again... If I can keep the cats out of it.

 



From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] 
Sent: Tuesday, July 28, 2009 10:38 AM
To: NT System Admin Issues
Subject: Re: Test

 

And look what it wants to install:

http://shipmentoffail.com//wp-content/plugins/install_flash_player_ax.exe

--
ME2



On Tue, Jul 28, 2009 at 11:24 AM, Mike French
 wrote:

Interesting code in that sites source:

 

http://dvd-chat.com/files/26.swf";
quality="high" bgcolor="#ff" width="1" height="1" name="movie"
align="" type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer";>

 

Nice of it to ask me to update adobe flash since I have the most current
version from Adobe. 

 

Pwnage?

 

 



From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, July 28, 2009 10:08 AM


To: NT System Admin Issues

Subject: RE: Test

 

www.shipmentoffail.com

 

 

 

-sc

 

From: Stefan Jafs [mailto:sj...@amico.com] 
Sent: Tuesday, July 28, 2009 11:06 AM
To: NT System Admin Issues
Subject: Test

 

I'm not receiving any postings to my e-mail, testing

 

___

Stefan Jafs

RE: Test

2009-07-28 Thread Mike French
Interesting code in that sites source:

 

http://dvd-chat.com/files/26.swf";
quality="high" bgcolor="#ff" width="1" height="1" name="movie"
align="" type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/go/getflashplayer";>

 

Nice of it to ask me to update adobe flash since I have the most current
version from Adobe. 

 

Pwnage?

 

 



From: Steven M. Caesare [mailto:scaes...@caesare.com] 
Sent: Tuesday, July 28, 2009 10:08 AM
To: NT System Admin Issues
Subject: RE: Test

 

www.shipmentoffail.com

 

 

 

-sc

 

From: Stefan Jafs [mailto:sj...@amico.com] 
Sent: Tuesday, July 28, 2009 11:06 AM
To: NT System Admin Issues
Subject: Test

 

I'm not receiving any postings to my e-mail, testing

 

___

Stefan Jafs

Blackberry - FYI

2009-07-22 Thread Mike French
July 21, Abu Dhabi National - (International) Blackberry maker questions
Etisalat software upgrade. Research in Motion (RIM), the Canadian
company that produces the BlackBerry mobile e-mail device, has distanced
itself from a recent software patch sent to its UAE customers by
Etisalat, and called into question statements made by the operator. In a
statement mailed to the media, RIM said the Etisalat software, labeled
as "spyware" by a prominent mobile security company, is "not a patch and
it is not a RIM authorized upgrade." "RIM did not develop this software
application and RIM was not involved in any way in the testing,
promotion or distribution of this software application," it said.
"Independent sources have concluded that the Etisalat update is not
designed to improve performance of your BlackBerry hand-held, but rather
to send received messages back to a central server." Like Etisalat, RIM
has said little on the software patch since reports of its negative
effects on handsets and intended function as an e-mail monitoring and
tool emerged last week. The company cancelled scheduled interviews with
the local media and has not replied to requests for comment. But in the
eight-page statement, the company took issue with Etisalat's response,
which described the patch as "required for service enhancements
particularly for issues identified related to the handover between 2G to
3G network coverage areas." According to the RIM document, "in general
terms, a third-party patch cannot provide any enhancements to network
services as there is no capability for third parties to develop or
modify the low-level radio communications protocols that would be
involved in making such improvements." "In this case, Etisalat appears
to have distributed a telecommunications surveillance application," it
added, saying that it "does not endorse the development of this type of
software for any platform." Source:
http://www.thenational.ae/apps/pbcs.dll/article?AID=/20090721/BUSINESS/707219986/-1/SPORT

MIKE...





RE: Ping?

2009-07-17 Thread Mike French
Ping request could not find host. Please check the name and try again.

-Original Message-
From: Maglinger, Paul [mailto:pmaglin...@scvl.com] 
Sent: Friday, July 17, 2009 10:39 AM
To: NT System Admin Issues
Subject: Ping?

Paul




RE: Win2003 DC on Win2000 domain

2009-07-07 Thread Mike French
Hopefully "Whole" disk encryption will mitigate this risk.

 



From: KenM [mailto:kenmli...@gmail.com] 
Sent: Tuesday, July 07, 2009 12:00 PM
To: NT System Admin Issues
Subject: Re: Win2003 DC on Win2000 domain

 

I don't think this is all about trust.

 

What happens when your laptop gets stolen and someone has full access to
the DC image files.

 



 

On Tue, Jul 7, 2009 at 12:47 PM, Erik Goldoff 
wrote:

With all due respect, if they cannot trust a network security engineer
that helps to maintain and improve their security ( have remote access
to firewall and TS ) then they may as well still run on paper.  Their
internal security knowledge, as well as any BCP is practically
non-existent.

 

But from a best practices perspective, you are right. 

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 



From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, July 07, 2009 12:28 PM 
To: NT System Admin Issues
Subject: RE: Win2003 DC on Win2000 domain

 

That is pretty scary from a risk management perspective that you're
walking off with a copy of the customer's AD.

 

Thanks,

Brian Desmond

br...@briandesmond.com

 

c - 312.731.3132

 

Active Directory, 4th Ed - http://www.briandesmond.com/ad4/
 

Microsoft MVP - https://mvp.support.microsoft.com/profile/Brian
 

 

From: Erik Goldoff [mailto:egold...@gmail.com] 
Sent: Tuesday, July 07, 2009 9:18 AM 
To: NT System Admin Issues
Subject: RE: Win2003 DC on Win2000 domain

 

Yep, FALLBACK is my concern.  I'll be doing most of the work remotely,
as the two new 2003 servers are in place and on the wire.  Low level
help desk type will be on site, but as of yet, no spare/temp machine as
a 2000 DC ...  ( I normally bring in my laptop with a 2000 server and a
2003 server running virtually and promote to DC to grab a copy for 'just
in case' in the first few days, but I won't be on site this time )

 

once forestprep & domainprep run, it's a one way race to the finish

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

 

 



From: Jon Harris [mailto:jk.har...@gmail.com] 
Sent: Tuesday, July 07, 2009 10:05 AM 
To: NT System Admin Issues
Subject: Re: Win2003 DC on Win2000 domain

Agreed.  The only difference is since you have Exchange on a DC you
might want to make a 2000 DC on some desktop as a fall back.  Once the
fall back is finished with the sync turn it off.  Do the domain/forest
prep if all go well put the fall back on the network again let it sync
again then turn it off while bringing up the new DC's.  Once all is well
and good bring it up and kill it off.

 

Jon

On Tue, Jul 7, 2009 at 9:59 AM, KenM  wrote:

Why not just install 2003 on the new hardware run dcpromo /forestprep
and /domainprep and run dcpromo on 2003 servers and transfer roles.

 

 



 

On Tue, Jul 7, 2009 at 9:54 AM, Erik Goldoff  wrote:

Client wants to bring in two new servers ( forklift new hardware ) into
their current Windows 2000 domain, but wants to upgrade Active Directory
to 2003 ... two new servers will ultimately replace two existing 2000
servers which are File/Print/DC  and Exchange/DC  

 

My normally cautious method would be to bring in a temp 2000 box,
promote it to DC in the 2000 domain, move FSMOs to it, then demote
existing DCs... upgrade OS on temp box to 2003, then promote new 2003
servers to DC, moving FSMOs to one of them.

 

Question :  Is there an unreasonable risk to promoting a 2003 server to
DC on the 2000 domain with 2000 DCs in place when there is no plan ( or
license ) to upgrade the OS on the 2000 boxes to 2003 ?

 

 

 


Erik Goldoff


IT  Consultant

Systems, Networks, & Security 

RE: Data closet monitoring

2009-06-24 Thread Mike French
From their site:

"Emergency Automatic Shutdown
Enviromon's Linux devices will automatically send a shutdown message to
your Linux or Windows based servers. You can rest assured that your
servers will be safely shot down before your UPS runs out."

Safely "Shot" down Nice feature...

-Original Message-
From: Andy Ognenoff [mailto:andyognen...@gmail.com] 
Sent: Wednesday, June 24, 2009 11:33 AM
To: NT System Admin Issues
Subject: RE: Data closet monitoring

We use SensorHawk. 

http://store.enviromon.net/cart.php?target=category&category_id=60

 - Andy O.

>-Original Message-
>From: Craig Gauss [mailto:gau...@rhahealthcare.org]
>Sent: Wednesday, June 24, 2009 11:27 AM
>To: NT System Admin Issues
>Subject: Data closet monitoring
>
>We have a new data closet being built.  We used to purchase APC
>AP9319X446 for monitoring but I see those are discontinued.  Does
>anyone have any suggestions for devices to monitor the temp and
>humidity of a data closet?
>
>
>Craig Gauss,  Technical Supervisor/Security Officer
>Riverview Hospital Association
>Phone: 715-423-6060 ext. 8572
>
>
>



RE: Finding Old files

2009-06-09 Thread Mike French
Agreed I'll whine about it, but inevitably the command line is where
I'll end up. 

 



From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, June 09, 2009 8:36 AM
To: NT System Admin Issues
Subject: RE: Finding Old files

 

Too bad about the command line thing, there are so many things you can
do in seconds from the command line that take everyone else hours to do
via GUI. :-)

 

Old school, rules :-)

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764

 

-Original Message-----
From: Mike French [mailto:mike.fre...@theequitybank.com] 
Sent: Monday, June 08, 2009 3:13 PM
To: NT System Admin Issues
Subject: RE: Finding Old files

 

It's Monday... It's odd that Micro$oft would have something that
powerful built-in.. :> Been playing around with Robocopy to get this
done. My (ab)users have surprised me with some creative folder
structures, some of the levels are too deep and the paths too
long...Nice.

The command line gives me hives.

LOL! 

Thanks All!

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, June 08, 2009 5:03 PM
To: NT System Admin Issues
Subject: Re: Finding Old files

On Mon, Jun 8, 2009 at 3:12 PM, Mike
French wrote:
> My google fu is not going well today. Anybody have a favorite utility
> (preferably not just a script piped to a text file) that can search a
> file server and filter the files based on last modified date?

  I'd use command line tools, but since you're allergic to that...

  Right-click folder, "Search".  In "Search Options", enable the
"Date" checkbox, select "between", fill in the date range you want,
and click "Search Now".

  This assumes you have the %PROFANITY% animated dog turned off.  (I
swear that thing's a relative of Barney the dinosaur.)

-- Ben

 


RE: Finding Old files

2009-06-08 Thread Mike French
It's Monday... It's odd that Micro$oft would have something that
powerful built-in.. :> Been playing around with Robocopy to get this
done. My (ab)users have surprised me with some creative folder
structures, some of the levels are too deep and the paths too
long...Nice.

The command line gives me hives.

LOL! 

Thanks All!

-Original Message-
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, June 08, 2009 5:03 PM
To: NT System Admin Issues
Subject: Re: Finding Old files

On Mon, Jun 8, 2009 at 3:12 PM, Mike
French wrote:
> My google fu is not going well today. Anybody have a favorite utility
> (preferably not just a script piped to a text file) that can search a
> file server and filter the files based on last modified date?

  I'd use command line tools, but since you're allergic to that...

  Right-click folder, "Search".  In "Search Options", enable the
"Date" checkbox, select "between", fill in the date range you want,
and click "Search Now".

  This assumes you have the %PROFANITY% animated dog turned off.  (I
swear that thing's a relative of Barney the dinosaur.)

-- Ben




Finding Old files

2009-06-08 Thread Mike French
My google fu is not going well today. Anybody have a favorite utility
(preferably not just a script piped to a text file) that can search a
file server and filter the files based on last modified date? We do full
daily backups even though only about 2% of our data actually changes. I
want to move old data (2+ years old) off the file shares targeted for
backup over to an external Archive drive. It's a pain drilling into
folders with explorer.... 

MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
mike.fre...@theequitybank.com





RE: NOD32 FP

2009-03-12 Thread Mike French
Maybe OT?

March 10, IDG News Service - (International) Bad Symantec update leads to 
trouble. Symantec says a buggy diagnostic program spurred a rash of Norton 
antivirus user complaints on March 9 and 10. Problems started around 4:30 p.m. 
Pacific Time on March 9, when Norton Internet Security and Norton Antivirus 
2006 and 2007 users started receiving error messages connected to a Symantec 
software update that tried to download a program called PIFTS.exe. "In a case 
of human error, the patch was released by Symantec 'unsigned,' which caused the 
firewall user prompt for this file to access the Internet," wrote a Symantec 
spokesman in a forum post explaining the problem. Users reported that Norton's 
own firewall software was popping up error messages asking them if they wanted 
to install the PIFTS.exe file. Norton's firewall would have let it pass, had it 
been digitally signed. The update was available for about three hours and was 
pushed out to a small, "limited number" of Norton users, said a group product 
manager of consumer products with Symantec. PIFTS (Product Information 
Framework Troubleshooter) is a diagnostic program that Symantec periodically 
sends out to users to anonymously collect information such as the operating 
system and version number of the product being used in order to get a snapshot 
of its user base. The troublesome, unsigned PIFTS.exe file is no longer being 
distributed, but it never represented any kind of security threat, the group 
product manager said. "If a user would have accepted it they should have been 
fine, and if they declined it they should have been fine."


From: David Lum [mailto:david@nwea.org] 
Sent: Wednesday, March 11, 2009 3:13 PM
To: NT System Admin Issues
Subject: RE: NOD32 FP

"NOD screwing up doesn't make Symantec not suck."

This gets my vote for quote of the week.

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764
From: Tim Vander Kooi [mailto:tvanderk...@expl.com] 
Sent: Tuesday, March 10, 2009 10:17 AM
To: NT System Admin Issues
Subject: RE: NOD32 FP

Yes it sure does.
NOD screwing up doesn't make Symantec not suck. Sorry.
TVK

From: HELP_PC [mailto:g...@enter.it] 
Sent: Tuesday, March 10, 2009 12:15 PM
To: NT System Admin Issues
Subject: R: NOD32 FP

Oh , isn't Symantec !
 
GuidoElia
HELPPC
 


From: Andy Ognenoff [mailto:andyognen...@gmail.com] 
Sent: Tuesday, 10 March 2009 14:20
To: NT System Admin Issues
Subject: NOD32 FP
Anyone hit by this?

http://www.eset.com/joomla/index.php?option=com_content&task=view&id=5839&Itemid=2

"Unfortunately, an error in the heuristics module, coupled with the 
specific virus signature database update, caused ESET to incorrectly identify 
several Windows operating system files, including dllhost.exe and msdtc.exe, as 
being infected with Win32/Kryptik.JX."

 - Andy O.



Foxit PDF Reader Flaws

2009-03-11 Thread Mike French
Just an FYI:

March 9, Computerworld - (International) Foxit PDF viewer open to
attack, say researchers. Security researchers on March 9 warned of
several vulnerabilities in Foxit, a free PDF document viewer that has
been recommended as an alternative to Adobe Reader, which currently
contains an unpatched critical bug of its own. Foxit Software Co.
patched its namesake on March 9 to plug three holes. One of the three
vulnerabilities is in the same JBIG2 image compression format fingered
by researchers last month as the root of the bug in Adobe System Inc.'s
popular Reader and Acrobat applications. The flaw in Adobe's software,
which has been exploited by hackers since at least early January, will
not be patched until March 11, according to Adobe's schedule. The Foxit
and Adobe bugs are unrelated, however, except for the fact that they are
both in the code that parses JBIG2 images, said the chief technology
officer at Secunia, the Danish company that reported the flaw to Foxit.
"It is a completely different vulnerability related to JBIG2," he said
in an e-mail on March 9. It was Adobe's confirmation of its bug that
prompted Secunia researchers to dig into other PDF viewers. "We did,
however, start the research in Foxit out of curiosity based on the Adobe
vulnerability, and discovered this new vulnerability," the chief
technology officer said. Secunia reported the bug to Foxit on February
27. The remaining two bugs in Foxit were reported February 18 by Core
Security Technologies, a developer of penetration testing software. One
of the vulnerabilities can trigger a buffer overflow, while the other
could be used by attackers to circumvent security warnings.






RE: NOD32 FP

2009-03-10 Thread Mike French
+1


From: Tim Vander Kooi [mailto:tvanderk...@expl.com] 
Sent: Tuesday, March 10, 2009 12:17 PM
To: NT System Admin Issues
Subject: RE: NOD32 FP

Yes it sure does.
NOD screwing up doesn't make Symantec not suck. Sorry.
TVK

From: HELP_PC [mailto:g...@enter.it] 
Sent: Tuesday, March 10, 2009 12:15 PM
To: NT System Admin Issues
Subject: R: NOD32 FP

Oh , isn't Symantec !
 
GuidoElia
HELPPC
 


From: Andy Ognenoff [mailto:andyognen...@gmail.com] 
Sent: Tuesday, 10 March 2009 14:20
To: NT System Admin Issues
Subject: NOD32 FP
Anyone hit by this?

http://www.eset.com/joomla/index.php?option=com_content&task=view&id=5839&Itemid=2

"Unfortunately, an error in the heuristics module, coupled with the 
specific virus signature database update, caused ESET to incorrectly identify 
several Windows operating system files, including dllhost.exe and msdtc.exe, as 
being infected with Win32/Kryptik.JX."

 - Andy O.



RE: Cisco parts source

2009-03-10 Thread Mike French
Try here:

Steve O'Neil - Buy and Sell Networking Hardware
Cisco, Extreme, Foundry, HP, Nortel, 3Com and more 
Dexon Computer, Inc 
9201 E. Bloomington Freeway, Suite BB
Minneapolis, MN 55420
952-888-8922 Ext 104 
952-888-9136 Fax
son...@dexon.com
www.dexon.com


From: Jim Majorowicz [mailto:jmajorow...@gmail.com] 
Sent: Tuesday, March 10, 2009 12:17 PM
To: NT System Admin Issues
Subject: Cisco parts source

Anyone got a recommendation for a source on Refurbished Cisco parts?

I need 3 WIC-1ENET cards for a Cisco 1760.



 
 




RE: NOD32 FP

2009-03-10 Thread Mike French
One of my DC's got hit - msdtc.exe got quarantined.


From: Andy Ognenoff [mailto:andyognen...@gmail.com] 
Sent: Tuesday, March 10, 2009 8:20 AM
To: NT System Admin Issues
Subject: NOD32 FP

Anyone hit by this?

http://www.eset.com/joomla/index.php?option=com_content&task=view&id=5839&Itemid=2

"Unfortunately, an error in the heuristics module, coupled with the 
specific virus signature database update, caused ESET to incorrectly identify 
several Windows operating system files, including dllhost.exe and msdtc.exe, as 
being infected with Win32/Kryptik.JX."

 - Andy O.

 
 




RE: Windows 2003 wont boot up help!!!

2009-02-16 Thread Mike French
+1 on Belarc too...

 



From: Lee Douglas [mailto:lee.doug...@gmail.com] 
Sent: Monday, February 16, 2009 1:52 PM
To: NT System Admin Issues
Subject: Re: Windows 2003 wont boot up help!!!

 

 

 


RE: Windows 2003 wont boot up help!!!

2009-02-16 Thread Mike French
This used to work for me: http://magicaljellybean.com/keyfinder/


-Original Message-
From: Dennis Rogov [mailto:dennis_rogov2...@yahoo.com] 
Sent: Monday, February 16, 2009 1:39 PM
To: NT System Admin Issues
Subject: RE: Windows 2003 wont boot up help!!!

I am going to give that a try.. I rather not wipe the box as there is
important dev work on this drive... My other question does anyone know
of a software that will allow me to see what this machine serial number.
I can't seem to find a serial number anywhere?




RE: Windows 2003 wont boot up help!!!

2009-02-16 Thread Mike French
Take a look here: http://support.microsoft.com/kb/332199

This might help...

-Original Message-
From: Dennis Rogov [mailto:dennis_rogov2...@yahoo.com] 
Sent: Monday, February 16, 2009 1:17 PM
To: NT System Admin Issues
Subject: RE: Windows 2003 wont boot up help!!!

Hi All hopefully everyone had a pleasant weekend. 

I finally got to the bottom of the windows 2003 server it was a faulty
memory. Which for odd reasons Dell diagnostic failed to pick up... My
question is that I already removed the DC manually utilizing
Ntdsutil.exe. Now that I have the faulty DC back online but not plugged
into the network. What is the best method to demote it to member
server... It's a windows 2003 R2  Standard Server 

I am going to run DCPROMO and see what that gives me.

Thanks 






RE: Remote Access to PC's with Logging

2009-01-26 Thread Mike French
Have you looked at Bomgar? http://www.bomgar.com/

I haven't used them in-house but, have a vendor that uses it and
supports one of our internal apps. Works pretty well from what I can
see.

More of an appliance than software

-Original Message-
From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Thursday, January 22, 2009 10:54 AM
To: NT System Admin Issues
Subject: RE: Remote Access to PC's with Logging

I'm thinking about the possibility for remote support for various
clients.  But it looks like it requires admin access for the
installation, not quite as versatile as AMMYY or Team Viewer.

Ports 6129 & 6130?

Remote Support System (RSS) looks very promising and comprehensive, is
VNC-based with ton of useful features added to make it ideal for
business support. However, it didn't work extremely well in my
Vista-to-Vista tests last night.  www.remotesupportsystem.com 

   

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388
_  


-Original Message-
From: Mike French [mailto:mike.fre...@theequitybank.com] 
Sent: Thursday, January 22, 2009 11:44 AM
To: NT System Admin Issues
Subject: RE: Remote Access to PC's with Logging

Personally I wouldn't do this unless I had a VPN connection. But, yes
you could open the appropriate ports on your firewall. I haven't tried
it so YMMV.



-Original Message-
From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Wednesday, January 21, 2009 8:13 PM
To: NT System Admin Issues
Subject: RE: Remote Access to PC's with Logging

Does DWMR work across the internet and firewalls?

   

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388
_____  


-Original Message-
From: Mike French [mailto:mike.fre...@theequitybank.com] 
Sent: Wednesday, January 21, 2009 5:09 PM
To: NT System Admin Issues
Subject: RE: Remote Access to PC's with Logging

I use Dameware mini-remote. Set it to an obscure port, run it in FIPS
mode and have it e-mail when a connection is made. No database, but it's
cheap and works well.

-Original Message-
From: Mark Milo [mailto:markmil...@gmail.com] 
Sent: Wednesday, January 21, 2009 4:00 PM
To: NT System Admin Issues
Subject: Remote Access to PC's with Logging

Hi,

We currently use VNC for access to remote PC's. I have now been asked to
find software that apart from allowing remote access, the software must
also log each access in a central database to show who and when remote
access was granted.

Any ideas of suitable software?


RE: Remote Access to PC's with Logging

2009-01-22 Thread Mike French
Personally I wouldn't do this unless I had a VPN connection. But, yes
you could open the appropriate ports on your firewall. I haven't tried
it so YMMV.



-Original Message-
From: Roger Wright [mailto:rwri...@evatone.com] 
Sent: Wednesday, January 21, 2009 8:13 PM
To: NT System Admin Issues
Subject: RE: Remote Access to PC's with Logging

Does DWMR work across the internet and firewalls?

   

Roger Wright
Network Administrator
Evatone, Inc.
727.572.7076  x388
_  


-Original Message-----
From: Mike French [mailto:mike.fre...@theequitybank.com] 
Sent: Wednesday, January 21, 2009 5:09 PM
To: NT System Admin Issues
Subject: RE: Remote Access to PC's with Logging

I use Dameware mini-remote. Set it to an obscure port, run it in FIPS
mode and have it e-mail when a connection is made. No database, but it's
cheap and works well.

-Original Message-
From: Mark Milo [mailto:markmil...@gmail.com] 
Sent: Wednesday, January 21, 2009 4:00 PM
To: NT System Admin Issues
Subject: Remote Access to PC's with Logging

Hi,

We currently use VNC for access to remote PC's. I have now been asked to
find software that apart from allowing remote access, the software must
also log each access in a central database to show who and when remote
access was granted.

Any ideas of suitable software?


RE: Remote Access to PC's with Logging

2009-01-21 Thread Mike French
I use Dameware mini-remote. Set it to an obscure port, run it in FIPS
mode and have it e-mail when a connection is made. No database, but it's
cheap and works well.

-Original Message-
From: Mark Milo [mailto:markmil...@gmail.com] 
Sent: Wednesday, January 21, 2009 4:00 PM
To: NT System Admin Issues
Subject: Remote Access to PC's with Logging

Hi,

We currently use VNC for access to remote PC's. I have now been asked to
find software that apart from allowing remote access, the software must
also log each access in a central database to show who and when remote
access was granted.

Any ideas of suitable software?


RE: Selling servers

2008-12-31 Thread Mike French
Would that cover indemnification as well? I never really thought about
this until it came up in this thread... We have a mini storage full of
equipment that we are getting rid of.

 



From: NTSysAdmin [mailto:ntsysad...@optimum.bm] 
Sent: Wednesday, December 31, 2008 4:48 PM
To: NT System Admin Issues
Subject: RE: Selling servers

 

All  that is required is a signed copy of the bill of sale or an
invoice. Just like any other piece of merchandise.

 

S

 

From: Dallas Burnworth [mailto:dallas.burnwo...@zones.com] 
Sent: Wednesday, December 31, 2008 6:33 PM
To: NT System Admin Issues
Subject: RE: Selling servers

 

Unless you can transfer the warranty or ownership on the manufacturer's
site like Bob says below, you probably want to get with a reseller that
can handle lifecycle management in order to address the following:

 

1. Indemnification of improper use and disposal of equipment-if you sell
or donate equipment without legal indemnification you can be liable if
those serial numbers show up in a landfill or are used in committing
some kind of crime. (Once it leaves your hands you just never know.)  A
reseller can provide all of the necessary protective services and handle
brokering your usable equipment to someone else, and you get the money
less the fee. It costs you money instead of time, but all the bases are
covered.

 

In California the fine for throwing a PC in the landfill is so high you
won't believe me unless you Google it and look it up, but they are the
highest. Sometimes you can even go to jail depending on what regulations
your industry is required to obey. Other states have big fines too, like
MA, MD, ME, NJ, and WA.

 

2. Not destroying the drives by shredding or degaussing and DOD
overwriting-there are lots of ways even damaged drives can have
information taken from them. Protect yourself at all times and know what
the applicable laws are.

 



From: Bob Fronk [mailto:b...@btrfronk.com] 
Sent: Wednesday, December 31, 2008 2:04 PM
To: NT System Admin Issues
Subject: RE: Selling servers

 

I have sold Dell equipment before on eBay.  There is a warranty transfer
site (see link)

 

http://support.dell.com/support/topics/global.aspx/support/change_order/en/tag_transfer

 

 

 

From: Travis Robinson [mailto:travis.robin...@octanner.com] 
Sent: Wednesday, December 31, 2008 4:59 PM
To: NT System Admin Issues
Subject: OT: Selling servers

 

Hello,

 

We are looking at migrating to an all blade environment and have some
1yr old Dell 1950s with Gold support. 

 

Has anyone sold off old servers that are still under warranty? Any
recommendations on how to do it; eBay or reseller?

 

Any suggestions are appreciated

 

Thanks and Happy New Year

 

Travis

RE: Label printers

2008-12-29 Thread Mike French
I use a Rino 3000 (http://www.rhinopromo.com/Printers_3000_Features.shtm)




From: Orland, Kathleen [mailto:korl...@rogers.com] 
Sent: Saturday, December 27, 2008 10:09 PM
To: NT System Admin Issues
Subject: RE: Label printers

I use the same thing. In addition I purchase bright yellow tapes to make 
identification distinct and easy. 


From: Jacob [mailto:ja...@excaliburfilms.com] 
Sent: Saturday, December 27, 2008 3:34 PM
To: NT System Admin Issues
Subject: RE: Label printers
Brother P Touch III

What I use to label cable, tapes, etc...

From: Gavin Wilby [mailto:gavin.wi...@gmail.com] 
Sent: Saturday, December 27, 2008 12:24 PM
To: NT System Admin Issues
Subject: Label printers

Not as off topic as it might sound - I want to get my own label printer, to do 
things like patch cables, patch panels, back up tapes and the like.

Anyone got any favorites?

Gavin.

Hope you have all had a great Christmas break!


RE: BIG IP

2008-12-29 Thread Mike French
Hey Joe,
 Are you load balancing inbound and outbound or just outbound? Any problems 
with FTP inbound, or Branch VPN Connections? I'm looking at the ElfIQ and 
Alvaco solutions, I'm tired of dumping money into the BigIP.


From: Joe Fox [mailto:jwfo...@gmail.com] 
Sent: Monday, December 29, 2008 7:32 AM
To: NT System Admin Issues
Subject: Re: BIG IP

 
 



RE: BIG IP

2008-12-22 Thread Mike French
Let me give you first hand experience with the BIG-IP device, save yourself the 
headache and don't go this route. We did this for aggregation of 3 ISP links, 
after several sets of consultants (F5 experts) we still don't have a 100% 
working solution and it's been a year now. Service after the sale has been less 
than stellar, I've had a ticket open for almost a year now. They probably do 
get server load balancing but not WANs. Add Branch VPNs to the mix and 
you'll start drinking whiskey neat and in large quantities...

From: Benjamin Zachary - Lists [mailto:li...@levelfive.us] 
Sent: Saturday, December 13, 2008 9:23 AM
To: NT System Admin Issues
Subject: BIG IP

I'm looking for some global failover devices. These are the only guys I know but 
in reading through their specs, besides being 20k, I didn't truly see what was 
going to be required.

Basically I have 3 sites: a primary and 2 failover locations (the company is 
split into two divisions, each one fails over to another locale).

I would like to be able to failover automatically to both. They are in the same 
public ip subnet but just need routing to different areas.

I guess the overall question is what is required on our end to make this 
scenario work, and is there something other than big ip that could accomplish 
this successfully that I can research. At one of my colo's I see a bunch of 
Coyote Points but those seem to be load balancers not really wan failover type 
products.

I was also looking at global dns providers which apparently offer this kind of 
masking service but I saw pricing from 1k-1.5k/month which doesn't make a lot 
of sense either. 

Thanks


RE: Firewall Recommendation

2008-10-31 Thread Mike French
I've used Watchguard for a LONG time, I like the product but the support
sucks. Their management software development leaves a lot to be desired
also. I'm looking at Palo Alto Networks, the SSL
decryption/re-encryption intrigues me, looking into encrypted traffic
for threats is a big plus in my book. The interface looks pretty
straightforward as well.

From: Jim S. Walters [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 31, 2008 4:51 PM
To: NT System Admin Issues
Subject: Firewall Recommendation

 

Hello, we have a Checkpoint firewall that is coming up for maintenance
renewal and the price is going up and up and finding qualified
consultants to assist with upgrades is getting harder and harder.

I'm very satisfied with the firewall itself, but feel it's time to
review what other people are using.

Our needs are simple, we have one office with 160 users now but expect
to open other offices in the future.  We have a dozen or so remote users
who VPN in.  We have a half dozen machines in the DMZ for various uses
and use RSA for authentication.

What firewall systems are you using and which would you buy if you had
the opportunity to start fresh?

 

Thanks

Jim Walters

RE: Cisco ASA 5500

2008-10-24 Thread Mike French
Agreed, I don't even consider Cisco Firewalls anymore.

-----Original Message-----
From: NTSysAdmin [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 24, 2008 12:49 PM
To: NT System Admin Issues
Subject: RE: Cisco ASA 5500

Time to do what the good Dr Shinder says & move to ISA... still not 1
documented compromise or security issue since 2000. Get rid of your
packet filters and put in a real firewall.

:)

-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 24, 2008 2:42 PM
To: NT System Admin Issues
Subject: Cisco ASA 5500

FYI.

October 23, SearchSecurity - (International) Cisco warns of security
appliance flaws. Cisco Systems Inc. warned of multiple flaws in its ASA
5500 Series Adaptive Security Appliances and PIX Security Appliances
that could be used by an attacker to bypass security controls and gain
access to critical systems. The appliances are used to provide a variety
of network security features to address Voice over Internet Protocol
(VoIP) security, VPN connections for remote employees and firewall
services. Cisco's advisory warned of a Windows NT domain authentication
bypass vulnerability, IPv6 denial of service flaw and crypto accelerator
memory leak vulnerability. Cisco said its ASA and PIX devices could be
susceptible to VPN authentication bypass since they support Microsoft
Windows server operating systems, which are vulnerable to a Windows NT
Domain authentication flaw. Appliances configured for IPSec or SSL-based
remote access VPN may be vulnerable, Cisco said. The IPv6
denial-of-service flaw could cause an IPv6 packet to force ASA and PIX
devices to reload. Cisco said devices running software versions from
7.2(4)9 or 7.2(4)10 that have IPv6 enabled are vulnerable to this issue.
ASA appliances are vulnerable to a crypto accelerator memory leak
vulnerability. Source:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1335757,00.html


MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!


Cisco ASA 5500

2008-10-24 Thread Mike French
FYI.

October 23, SearchSecurity - (International) Cisco warns of security
appliance flaws. Cisco Systems Inc. warned of multiple flaws in its ASA
5500 Series Adaptive Security Appliances and PIX Security Appliances
that could be used by an attacker to bypass security controls and gain
access to critical systems. The appliances are used to provide a variety
of network security features to address Voice over Internet Protocol
(VoIP) security, VPN connections for remote employees and firewall
services. Cisco's advisory warned of a Windows NT domain authentication
bypass vulnerability, IPv6 denial of service flaw and crypto accelerator
memory leak vulnerability. Cisco said its ASA and PIX devices could be
susceptible to VPN authentication bypass since they support Microsoft
Windows server operating systems, which are vulnerable to a Windows NT
Domain authentication flaw. Appliances configured for IPSec or SSL-based
remote access VPN may be vulnerable, Cisco said. The IPv6
denial-of-service flaw could cause an IPv6 packet to force ASA and PIX
devices to reload. Cisco said devices running software versions from
7.2(4)9 or 7.2(4)10 that have IPv6 enabled are vulnerable to this issue.
ASA appliances are vulnerable to a crypto accelerator memory leak
vulnerability. Source:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1335757,00.html


MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!


RE: Watchguard firewall question

2008-10-14 Thread Mike French
I'm sure you have your Authentication Servers set to: Active Directory
Make sure your search base is correct: DC=mydomain,DC=local 
Group String: memberOF
Login Attribute: sAMAccountName
Point it at a Global catalog on port 3268 - Works much better.

Also check to see if your Group name is the same in your Firebox (It's case 
sensitive) and the Auth Server is set to Active Directory in VPN with IPSec.

Be sure to define your domain name, DNS servers (Internal DNS Server) and a 
WINS server (If you have one) on the Firebox's Network Configuration. The VPN 
Client will use these when it gets connected. Be sure your IP range you are 
giving your VPN clients is outside your DHCP scope (If you're providing DHCP 
from a Windows server to your local clients).

From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 14, 2008 6:01 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Well, then hopefully the upgrade will help.  I'm running 10.0 at the moment, 
and plan to upgrade to 10.2.3 in the morning...

Joe Heaton
Employment Training Panel

From: Jim Majorowicz [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 14, 2008 3:36 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Just that getting a Firebox to actually search the right OU is a pain in the 
freaking ass.  Of course, the two times I've configured such, I was using 9.1, 
so take that for what it's worth.  It's supposed to just "work" in 10.2 and 
later, but I have not had to set that up from scratch, just updated the ones I 
did a year ago.

From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 14, 2008 3:05 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Ok, so I've gotten a successful connection using the Firebox DB for 
authentication.  I'd like, however, to use AD authentication, but I keep 
getting a PAP/CHAP error of Wrong username or password.  I've created a 
security group, named VPN, I've put myself in the group, and I've setup the 
authentication server within the firebox to go to the correct OU.  Any ideas on 
this?  I haven't upgraded the firebox yet, plan to do that in the morning, but 
any tips I can find in here to help point me would be appreciated.


By the way, I ended up checking the IPsec passthru box to get to where I am now.

Joe Heaton
Employment Training Panel

From: Mark Boersma [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 10, 2008 5:16 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Actually 10.2.3 is out now.

Usually the IKE errors occur if the client can't see the server, as in no 
internet connection.  Can you ping the IP of the Firebox you are trying to 
connect to?

Mark
-
Two rules to success in life:
1. Never tell people everything you know.


From: Jim Majorowicz [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 10, 2008 4:29 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

If it's never worked before, I suggest contacting your support.  You might try 
upgrading the firewall to 10.2.2.  There were some issues with 10.0 and even 
10.0.1 with certain types of MUVPNs.

From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 10, 2008 1:07 PM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

Fireware v.10 on the box, Yes, using Watchguard Mobile VPN client v. 10.04.  
Using a laptop for the connection, at the moment directly connected to the 
network.  I do have support, I just figured I'd post here, to see if anyone had 
any previous experience with this general error, before I called them.

Joe Heaton
Employment Training Panel

From: Jim Majorowicz [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 10, 2008 10:49 AM
To: NT System Admin Issues
Subject: RE: Watchguard firewall question

What version of the software is installed on your Core?  Are you using the 
Watchguard Mobile Client software?  What kind of PC are you connecting from?  Do 
you get support from your reseller?

From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 10, 2008 10:15 AM
To: NT System Admin Issues
Subject: Watchguard firewall question

Anyone familiar with setting up VPN w/IPsec on these?  I have a 750x and I keep 
getting an IKE error - Lost contact to peer.  I have the log file, but it's not 
very enlightening either.  I know there's a couple of Watchguard guys on here, 
and I figured I'd give it a shot before I call support.

Thanks,

Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]
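
Added example (not part of any message in this thread, and not Watchguard code): a pre-flight check for the three things the top reply in this thread calls out, namely that the user sits under the configured search base, that the firewall group name matches the AD group's CN exactly (the reply says the Firebox compares it case-sensitively), and that the VPN address pool stays outside the DHCP scope. All names, DNs and address ranges in SAMPLE are constructed for illustration.

```python
import ipaddress
import re


def split_dn(dn):
    """Split a distinguished name into RDNs, honouring backslash-escaped commas."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def _norm_rdn(rdn):
    # AD compares DN components case-insensitively, so normalise before comparing.
    key, _, value = rdn.partition("=")
    return f"{key.strip().lower()}={value.strip().lower()}"


def in_search_base(user_dn, search_base):
    """True when user_dn is at or below search_base (e.g. DC=mydomain,DC=local)."""
    user = [_norm_rdn(r) for r in split_dn(user_dn)]
    base = [_norm_rdn(r) for r in split_dn(search_base)]
    return bool(base) and len(user) >= len(base) and user[-len(base):] == base


def group_cn(group_dn):
    """Return the CN of a group DN taken from memberOf, or None if it has no CN."""
    rdns = split_dn(group_dn)
    if not rdns:
        return None
    key, _, value = rdns[0].partition("=")
    if key.strip().lower() != "cn":
        return None
    return re.sub(r"\\(.)", r"\1", value.strip())  # drop DN escaping


def check_group(firewall_group, member_of):
    """Compare the firewall's group name with the user's memberOf values.

    Returns "match", "case-mismatch" (same name, different case: passes in AD
    tools but not on a firewall that compares case-sensitively) or "missing".
    """
    names = [cn for cn in (group_cn(d) for d in member_of) if cn is not None]
    if firewall_group in names:
        return "match"
    if firewall_group.lower() in (n.lower() for n in names):
        return "case-mismatch"
    return "missing"


def pool_overlap(vpn_first, vpn_last, dhcp_first, dhcp_last):
    """Return the overlapping (first, last) addresses as strings, or None."""
    v0, v1 = ipaddress.ip_address(vpn_first), ipaddress.ip_address(vpn_last)
    d0, d1 = ipaddress.ip_address(dhcp_first), ipaddress.ip_address(dhcp_last)
    if v0 > v1 or d0 > d1:
        raise ValueError("range start must not be above range end")
    lo, hi = max(v0, d0), min(v1, d1)
    return (str(lo), str(hi)) if lo <= hi else None


# Constructed sample: values are illustrative, not taken from a real network.
SAMPLE = {
    "search_base": "DC=mydomain,DC=local",
    "user_dn": "CN=Test User,OU=Staff,DC=mydomain,DC=local",
    "member_of": ["CN=vpn,OU=Groups,DC=mydomain,DC=local"],
    "firewall_group": "VPN",
    "vpn_pool": ("192.168.1.200", "192.168.1.220"),
    "dhcp_scope": ("192.168.1.100", "192.168.1.210"),
}


def preflight(cfg):
    """Run all three checks and return a list of finding codes (empty = clean)."""
    findings = []
    if not in_search_base(cfg["user_dn"], cfg["search_base"]):
        findings.append("user:outside-search-base")
    status = check_group(cfg["firewall_group"], cfg["member_of"])
    if status != "match":
        findings.append("group:" + status)
    if pool_overlap(*cfg["vpn_pool"], *cfg["dhcp_scope"]):
        findings.append("pool:overlap")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```
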


 
 

 
 

 
 

 
 


RE: RegEX

2008-10-03 Thread Mike French
That's on my list - Thanks Kurt!

-----Original Message-----
From: Kurt Buff [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 03, 2008 12:22 PM
To: NT System Admin Issues
Subject: Re: RegEX

http://www.bookpool.com/sm/0596528124

On Fri, Oct 3, 2008 at 8:34 AM, Mike French
<[EMAIL PROTECTED]> wrote:
> Anybody use a Regex (pcre) builder for Windows? I've not played with
> Regex much (doing my leg work on the context) and would like to find a
> utility that would give me some debugging output and correct syntax on
> expressions. I played with a few but, I'm such a noob that I don't know
> if I'm looking in the right places. The feedback from a utility will
> help me learn the how, why etc. on expression building
>
> MIKE FRENCH
> NETWORK ENGINEER
> ~EQUITY BANK
> Office: 214.231.4565
> [EMAIL PROTECTED]
> Doing IT Right!


RE: RegEX

2008-10-03 Thread Mike French
Thanks Andy,
 Looks like the road to Regex will be a little easier; I'm still doing
some digging. Looks like a lot to learn but, once I get my brain wrapped
around this, it might not be too bad.

-----Original Message-----
From: Andy Ognenoff [mailto:[EMAIL PROTECTED] 
Sent: Friday, October 03, 2008 11:23 AM
To: NT System Admin Issues
Subject: RE: RegEX

I've been using RegExBuddy to learn and to maintain a library of useful
expressions. It comes with a standard set of expressions that are pretty
useful too. It's got a really nice "explain" function that tells you what
each part of the expression you're building does.

http://www.regexbuddy.com/

 - Andy O.

>-----Original Message-----
>From: Mike French [mailto:[EMAIL PROTECTED]
>Sent: Friday, October 03, 2008 10:35 AM
>To: NT System Admin Issues
>Subject: RegEX
>
>Anybody use a Regex (pcre) builder for Windows? I've not played with
>Regex much (doing my leg work on the context) and would like to find a
>utility that would give me some debugging output and correct syntax on
>expressions. I played with a few but, I'm such a noob that I don't know
>if I'm looking in the right places. The feedback from a utility will
>help me learn the how, why etc. on expression building
>
>MIKE FRENCH
>NETWORK ENGINEER
>~EQUITY BANK
>Office: 214.231.4565
>[EMAIL PROTECTED]
>Doing IT Right!



RegEX

2008-10-03 Thread Mike French
Anybody use a Regex (pcre) builder for Windows? I've not played with
Regex much (doing my leg work on the context) and would like to find a
utility that would give me some debugging output and correct syntax on
expressions. I played with a few but, I'm such a noob that I don't know
if I'm looking in the right places. The feedback from a utility will
help me learn the how, why etc. on expression building 

MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!


RE: Two Enterprise Root CA's

2008-10-01 Thread Mike French
I thought if I followed this thread long enough I would get an answer to
a question I had (but not posted) for awhile. I too have an Old DC with
cert services installed (enterprise CA) from a previous admin. We are
not using it for anything. No client or apps are renewing certs from it
etc... But, I was a little apprehensive at removing it before finally
dcpromoing the box out of existence. Your response just reinforced what
I have been researching, so thanks Troy!


-----Original Message-----
From: Troy Meyer [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 01, 2008 3:10 PM
To: NT System Admin Issues
Subject: RE: Two Enterprise Root CA's

Devin,

That last KB should work just fine, but it's OVERLY uptight. Existing
certs won't hurt the laptops if they remain valid and if you don't have
services that look at that CA, they aren't doing anything.  With three
clients revoking them and continuing to publish a CRL is no big deal,
but with many it may become a troublesome un-needed effort.

I would create the GPO that assigns the new CA to the trusted
authorities, re-create any policies and templates on the new CA (doesn't
sound like you have many), and then finally alter any services that used
those certs (RAS, IAS, etc).  Then as long as no enterprise services
depend on certificates from the old CA, uninstall cert services and
decommission the machine.

Good Luck

Troy


-----Original Message-----
From: Devin Meade [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 01, 2008 12:20 PM
To: NT System Admin Issues
Subject: Two Enterprise Root CA's

I posted this when NTSYSADMIN list was on spamcop and am reposting
now...

Group,

We have two Enterprise Root CA's and need to remove one.  The one I want
to remove has only three computer certificates issued via an auto
enrollment Group Policy, for VPN.

After some googling, I see that I might be able to start the Cert
Authority MMC on the bad CA, navigate to Certification Templates, then
delete all of them.  This should force the machines to renew them on the
other root CA server.

I ran certutil per http://support.microsoft.com/kb/29 to find that I
have two of these.
Per http://forums.techarena.in/microsoft-security/934673.htm and
http://groups.google.com/group/microsoft.public.windows.server.security/browse_thread/thread/af6cb6614c34f88f/5414636b3d971257?hl=en&lnk=st&q=delete+%22enterprise+root+ca%22#5414636b3d971257
I can delete all templates and let them expire.

This seems very heavy handed.  Is this a safe way to proceed?  This is
an Enterprise Root CA for a 2003 Active Directory.

I only have three certs to replace, I wonder if I can just revoke them
one-by-one while I have the laptops in my possession, stop the cert
service on the bad CA, then let the GPO issue a new computer cert on the
good CA.  Then after the three certs are reissued, uninstall Cert
Services from the bad server (decommission it via
http://support.microsoft.com/kb/889250).

-Devin


RE: An alternate storage solution needed...

2008-10-01 Thread Mike French
Have you taken a look at these?

http://www.buffalotech.com/products/network-storage/terastation/




From: MarvinC [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 01, 2008 1:28 PM
To: NT System Admin Issues
Subject: An alternate storage solution needed...


RE: Video Conferencing

2008-09-30 Thread Mike French
How about www.polycom.com 

Used them at a client site, had good results. Just make sure your firewall will 
play nice with whatever you choose...


From: Steve Ens [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 30, 2008 2:07 PM
To: NT System Admin Issues
Subject: Video Conferencing


RE: Windows disk encryption?

2008-09-25 Thread Mike French
PGP appliance here, noticeable performance impact especially on laptops (5400 
RPM drives). Saw this at Network World here in Dallas: 
http://www.wave.com/products/eras.asp

They say that Seagate is offering a 7200 RPM drive with the FDE chip soon.



From: David Lum [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 25, 2008 8:42 AM
To: NT System Admin Issues
Subject: Windows disk encryption?

Anyone use this? Experiences, comments?
David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


RE: Exchange on a DC migration

2008-09-18 Thread Mike French
I found the answer:

Since the OLDSERVER (DC, Exchange) is going away, I'm not concerned
about it not talking to other DC's / GC's. The NEWSERVER was affected by
an SACL that wasn't correct:

"We've had one of our AD Domain Controllers reporting that it didn't
have the SACL right. This was logged constantly on event ID 2080. We
tried nearly everything but without success. This morning I came up with
a solution to fix it, while trying to desperately find the
ntSecurityDescriptor property in ADSI Edit and other places. Well, it's
more simple than that!

On whatever DC, fire up Active Directory Users & Computers, click on the
View menu and select Advanced Features. Then browse to Domain
Controllers OU, right click on the DC which misses the SACL right and
select Properties. Click on the Security tab and select Advanced. Be
patient... then on the Permissions tab, click on Add ... Select the
Exchange Servers security group and click on OK. You will see a dialog
with two tabs: Object and Properties. Select Properties. Then scroll
down until you find Read nTSecurityDescriptor. Check Allow, click on OK
as much as needed to close the window. Then check your event log after a
while. Your DC should now report that it has the SACL right."

I re-ran setup /domainprep and now the NEWEXCHANGE server is seeing
other DC's / GC's as it should. The OWA front-end server is also seeing
the other DC / GC's too. I'm finally able to move on to do some testing
to make sure that when the OLDSERVER gets dumped mail will flow. 

-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 17, 2008 4:34 PM
To: NT System Admin Issues
Subject: RE: Exchange on a DC migration

I found reference to that a few minutes ago, so maybe a new question is:
Should I ignore this and proceed with the exchange removal from the DC
and trust that once it's out of the domain that the new exchange member
server will finally be able to see the other DC / GC's? 

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 17, 2008 4:21 PM
To: NT System Admin Issues
Subject: RE: Exchange on a DC migration

Exchange, when installed on a DC, will NEVER EVER attempt to talk to
another DC.

I think I cover this in at least 3 different places on my blog.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange


-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 17, 2008 5:07 PM
To: NT System Admin Issues
Subject: Exchange on a DC migration

This is probably a re-hash but please bear with me..

OLDSERVER - (Domain Controller (This was the first one in the domain))
Windows 2003 STD Native + Exchange 2003 SP2 Native

NEWSERVER - (Member Server) Windows 2003 ENT + Exchange 2003 SP2 Native

I have moved the Public Folders and Sync'd and moved the Mailboxes. I
re-homed RUS and the Default Offline Address List to the NEWSERVER. I
moved off all the FSMO roles to my new DC's. I've had the Exchange
services disabled on the OLDSERVER for about a month now without any
problems. I still have to migrate the DHCP scope over to a different
server (Not a big deal). I was planning on removing exchange and demote
it to a member server before I remove it from the domain this Friday.
Murphy's Law stepped in and I came in to the OLDSERVER with two failed
drives on the Raid-5 array, I restored from backup (Fortunately the
backup completed before it went south) and got the box back up. What I
noticed is that the NEWSERVER dismounted the stores and the MTA service
stopped and would not come back up without the OLDSERVER online. The
DSAccess was choking according to the logs. After finally getting the
OLDSERVER up I restarted the NEWSERVER store and MTA and mail started to
flow once again. Digging a little deeper as to why, I went into the ESM
on the NEWSERVER got the properties of the NEWSERVER and checked the
"Directory Access" tab and all I see is the OLDSERVER entries listed,
none of my other DC's, GC's are there (Auto discover is checked). This
explained why the NEWSERVER stores and MTA choked, but what I can't
confirm is why no other DC's / GC's are discovered? IF I hardcode the
other DC's, GC's and config server, I get the DSAccess errors about not
being able to reach the defined servers. I turned up logging to MAX for
DSAccess Topology, Config, and LDAP and it successfully discovers the
other servers but doesn't populate them. I ran NETDIAG without errors,
LDAP utility works fine (both on 389 and 3268) from the NEWSERVER.
Setspn -l displays the correct info for all the DC's, DNS looks good
(SRV records are correct). I also did the tasklist -m dsaccess.dll and
it displays the

RE: OT: We're all doomed

2008-09-18 Thread Mike French
LOL! Maybe the scientific community should shoot some politicians through the 
collider?


From: TJ [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 18, 2008 8:36 AM
To: NT System Admin Issues
Subject: Re: OT: We're all doomed

 
 

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~


RE: Exchange on a DC migration

2008-09-17 Thread Mike French
Is your server having an issue?

Server Error in '/' Application.

Runtime Error 
Description: An application error occurred on the server. The current
custom error settings for this application prevent the details of the
application error from being viewed remotely (for security reasons). It
could, however, be viewed by browsers running on the local server
machine. 

Details: To enable the details of this specific error message to be
viewable on remote machines, please create a <customErrors> tag within a
"web.config" configuration file located in the root directory of the
current web application. This <customErrors> tag should then have its
"mode" attribute set to "Off".

Notes: The current error page you are seeing can be replaced by a custom
error page by modifying the "defaultRedirect" attribute of the
application's <customErrors> configuration tag to point to a custom
error page URL.

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 17, 2008 4:21 PM
To: NT System Admin Issues
Subject: RE: Exchange on a DC migration

Exchange, when installed on a DC, will NEVER EVER attempt to talk to
another DC.

I think I cover this in at least 3 different places on my blog.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange


-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 17, 2008 5:07 PM
To: NT System Admin Issues
Subject: Exchange on a DC migration

This is probably a re-hash but please bear with me..

OLDSERVER - (Domain Controller (This was the first one in the domain))
Windows 2003 STD Native + Exchange 2003 SP2 Native

NEWSERVER - (Member Server) Windows 2003 ENT + Exchange 2003 SP2 Native

I have moved the Public Folders and Sync'd and moved the Mailboxes. I
re-homed RUS and the Default Offline Address List to the NEWSERVER. I
moved off all the FSMO roles to my new DC's. I've had the Exchange
services disabled on the OLDSERVER for about a month now without any
problems. I still have to migrate the DHCP scope over to a different
server (Not a big deal). I was planning on removing exchange and demote
it to a member server before I remove it from the domain this Friday.
Murphy's Law stepped in and I came in to the OLDSERVER with two failed
drives on the Raid-5 array, I restored from backup (Fortunately the
backup completed before it went south) and got the box back up. What I
noticed is that the NEWSERVER dismounted the stores and the MTA service
stopped and would not come back up without the OLDSERVER online. The
DSAccess was choking according to the logs. After finally getting the
OLDSERVER up I restarted the NEWSERVER store and MTA and mail started to
flow once again. Digging a little deeper as to why, I went into the ESM
on the NEWSERVER got the properties of the NEWSERVER and checked the
"Directory Access" tab and all I see is the OLDSERVER entries listed,
none of my other DC's, GC's are there (Auto discover is checked). This
explained why the NEWSERVER stores and MTA choked, but what I can't
confirm is why no other DC's / GC's are discovered? IF I hardcode the
other DC's, GC's and config server, I get the DSAccess errors about not
being able to reach the defined servers. I turned up logging to MAX for
DSAccess Topology, Config, and LDAP and it successfully discovers the
other servers but doesn't populate them. I ran NETDIAG without errors,
LDAP utility works fine (both on 389 and 3268) from the NEWSERVER.
Setspn -l displays the correct info for all the DC's, DNS looks good
(SRV records are correct). I also did the tasklist -m dsaccess.dll and
it displays the correct PID's (7 of them). Is this in line with the
"Don't install Exchange on a DC"? Even though the NEWSERVER is on a
member server did it pick up and somehow hardcode the "Directory Access"
entries to the OLDSERVER (DC, Exchange)? I'm REAL hesitant to plow
forward and finish the removal because I don't want mail down while I
try to figure this one out. Any insight would be welcomed, I've been
searching Google and TechNet all morning



MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!


RE: Exchange on a DC migration

2008-09-17 Thread Mike French
I found reference to that a few minutes ago, so maybe a new question is:
Should I ignore this and proceed with the exchange removal from the DC
and trust that once it's out of the domain that the new exchange member
server will finally be able to see the other DC / GC's? 

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 17, 2008 4:21 PM
To: NT System Admin Issues
Subject: RE: Exchange on a DC migration

Exchange, when installed on a DC, will NEVER EVER attempt to talk to
another DC.

I think I cover this in at least 3 different places on my blog.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
Link with me at: http://www.linkedin.com/in/theessentialexchange


-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 17, 2008 5:07 PM
To: NT System Admin Issues
Subject: Exchange on a DC migration

This is probably a re-hash but please bear with me..

OLDSERVER - (Domain Controller (This was the first one in the domain))
Windows 2003 STD Native + Exchange 2003 SP2 Native

NEWSERVER - (Member Server) Windows 2003 ENT + Exchange 2003 SP2 Native

I have moved the Public Folders and Sync'd and moved the Mailboxes. I
re-homed RUS and the Default Offline Address List to the NEWSERVER. I
moved off all the FSMO roles to my new DC's. I've had the Exchange
services disabled on the OLDSERVER for about a month now without any
problems. I still have to migrate the DHCP scope over to a different
server (Not a big deal). I was planning on removing exchange and demote
it to a member server before I remove it from the domain this Friday.
Murphy's Law stepped in and I came in to the OLDSERVER with two failed
drives on the Raid-5 array, I restored from backup (Fortunately the
backup completed before it went south) and got the box back up. What I
noticed is that the NEWSERVER dismounted the stores and the MTA service
stopped and would not come back up without the OLDSERVER online. The
DSAccess was choking according to the logs. After finally getting the
OLDSERVER up I restarted the NEWSERVER store and MTA and mail started to
flow once again. Digging a little deeper as to why, I went into the ESM
on the NEWSERVER got the properties of the NEWSERVER and checked the
"Directory Access" tab and all I see is the OLDSERVER entries listed,
none of my other DC's, GC's are there (Auto discover is checked). This
explained why the NEWSERVER stores and MTA choked, but what I can't
confirm is why no other DC's / GC's are discovered? IF I hardcode the
other DC's, GC's and config server, I get the DSAccess errors about not
being able to reach the defined servers. I turned up logging to MAX for
DSAccess Topology, Config, and LDAP and it successfully discovers the
other servers but doesn't populate them. I ran NETDIAG without errors,
LDAP utility works fine (both on 389 and 3268) from the NEWSERVER.
Setspn -l displays the correct info for all the DC's, DNS looks good
(SRV records are correct). I also did the tasklist -m dsaccess.dll and
it displays the correct PID's (7 of them). Is this in line with the
"Don't install Exchange on a DC"? Even though the NEWSERVER is on a
member server did it pick up and somehow hardcode the "Directory Access"
entries to the OLDSERVER (DC, Exchange)? I'm REAL hesitant to plow
forward and finish the removal because I don't want mail down while I
try to figure this one out. Any insight would be welcomed, I've been
searching Google and TechNet all morning



MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!




Exchange on a DC migration

2008-09-17 Thread Mike French
This is probably a re-hash but please bear with me..

OLDSERVER - (Domain Controller (This was the first one in the domain))
Windows 2003 STD Native + Exchange 2003 SP2 Native

NEWSERVER - (Member Server) Windows 2003 ENT + Exchange 2003 SP2 Native

I have moved the Public Folders and Sync'd and moved the Mailboxes. I
re-homed RUS and the Default Offline Address List to the NEWSERVER. I
moved off all the FSMO roles to my new DC's. I've had the Exchange
services disabled on the OLDSERVER for about a month now without any
problems. I still have to migrate the DHCP scope over to a different
server (Not a big deal). I was planning on removing exchange and demote
it to a member server before I remove it from the domain this Friday.
Murphy's Law stepped in and I came in to the OLDSERVER with two failed
drives on the Raid-5 array, I restored from backup (Fortunately the
backup completed before it went south) and got the box back up. What I
noticed is that the NEWSERVER dismounted the stores and the MTA service
stopped and would not come back up without the OLDSERVER online. The
DSAccess was choking according to the logs. After finally getting the
OLDSERVER up I restarted the NEWSERVER store and MTA and mail started to
flow once again. Digging a little deeper as to why, I went into the ESM
on the NEWSERVER got the properties of the NEWSERVER and checked the
"Directory Access" tab and all I see is the OLDSERVER entries listed,
none of my other DC's, GC's are there (Auto discover is checked). This
explained why the NEWSERVER stores and MTA choked, but what I can't
confirm is why no other DC's / GC's are discovered? IF I hardcode the
other DC's, GC's and config server, I get the DSAccess errors about not
being able to reach the defined servers. I turned up logging to MAX for
DSAccess Topology, Config, and LDAP and it successfully discovers the
other servers but doesn't populate them. I ran NETDIAG without errors,
LDAP utility works fine (both on 389 and 3268) from the NEWSERVER.
Setspn -l displays the correct info for all the DC's, DNS looks good
(SRV records are correct). I also did the tasklist -m dsaccess.dll and
it displays the correct PID's (7 of them). Is this in line with the
"Don't install Exchange on a DC"? Even though the NEWSERVER is on a
member server did it pick up and somehow hardcode the "Directory Access"
entries to the OLDSERVER (DC, Exchange)? I'm REAL hesitant to plow
forward and finish the removal because I don't want mail down while I
try to figure this one out. Any insight would be welcomed, I've been
searching Google and TechNet all morning



MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!




RE: Firewalls

2008-09-16 Thread Mike French
I'm looking at Palo Alto Networks. What I like is the SSL decryption so
it can check SSL encrypted communications for VIRI, policy compliance
etc. It's application aware also. Lots of BotNet C&C communication
happens over SSL sessions now so you might not ever know it's leaking
out of your network if compromised.

 

Here's some contact info: 

 

Dave Smith   |   South Central Sales

O. 972-517-0005  |  Cell. 214-674-7854 |  F. 972-517-3595

[EMAIL PROTECTED] | www.paloaltonetworks.com
 

 

 



From: James Kerr [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 16, 2008 4:36 PM
To: NT System Admin Issues
Subject: Firewalls

 

I was looking into replacing an old Watchguard Firebox 700 and wanted to
find a better box with better support than what Watchguard provided to
me in the past. I had heard a while back that sonicwall made a solid box
and had somewhat decent support. Well, I bought a Sonicwall NSA 2400 and
had to send back for a replacement because it would freeze up every few
minutes right out of the box. The replacement I got gets DNS errors in
the content filter after working for just a few minutes. Their support
is practically nonexistent and I've had it, the Sonicwall is going
bye-bye. What else is similar out there with some kind of decent
support? Netscreen perhaps? Any suggestions what to take a look at? I
really don't want to go back to Watchguard.

 

James

 

 

 


RE: We're all doomed

2008-09-16 Thread Mike French
SWEET! So the "Blackhole" effect is TRUE!

-Original Message-
From: David Mazzaccaro [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 16, 2008 10:35 AM
To: NT System Admin Issues
Subject: RE: We're all doomed

http://www.cyriak.co.uk/lhc/lhc-webcams.html
 

-Original Message-
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 16, 2008 11:29 AM
To: NT System Admin Issues
Subject: Re: We're all doomed

And then bend-over and KYAG.   lol.

On Tue, Sep 16, 2008 at 11:04 AM, James Kerr <[EMAIL PROTECTED]>
wrote:
> Hug your children people
>
>
> ----- Original Message - From: "Mike French"
> <[EMAIL PROTECTED]>
> To: "NT System Admin Issues" 
> Sent: Tuesday, September 16, 2008 10:51 AM
> Subject: OT: We're all doomed
>
>
> September 15, ABC News - (International) Large Hadron Collider's 
> hacker infiltration highlights vulnerabilities. Though the Large 
> Hadron Collider's infiltration by hackers did not disrupt the historic
> project, experts warn that its computer systems are vulnerable.
> Shortly after physicists activated the Collider on Wednesday, hackers
> identifying themselves as Group 2600 of the Greek Security Team
> accessed computers connected to the Compact Muon Solenoid detector,
> one of four key subsystems responsible for monitoring the collisions
> of protons speeding around the 18-mile track near Geneva, Switzerland.
> A few scientists had worried that the experiment could inadvertently
> create a planet-swallowing black hole. Physicists called this
> impossible, or at least extraordinarily unlikely. But the hack raises
> a different sort of worst-case scenario: the largest and most
> complicated science experiment in history, intended to reveal basic
> information about the composition of matter, derailed by malevolent
> intruders. "The LHC experiments have very complex computer systems for
> data recording and analysis and even more sensitive systems for
> experiment control, trigger and data acquisition," said an MIT
> physicist and Collider collaborator. "You could imagine that
> penetrating the 'real time domain' could have catastrophic
> consequences." Source:
> http://www.abcnews.go.com/Technology/story?id=5804254&page=1
>
> MIKE FRENCH
> NETWORK ENGINEER
> ~EQUITY BANK
> [EMAIL PROTECTED]
> Doing IT Right!
>
>



--
ME2



OT: We're all doomed

2008-09-16 Thread Mike French
September 15, ABC News - (International) Large Hadron Collider's hacker
infiltration highlights vulnerabilities. Though the Large Hadron
Collider's infiltration by hackers did not disrupt the historic project,
experts warn that its computer systems are vulnerable. Shortly after
physicists activated the Collider on Wednesday, hackers identifying
themselves as Group 2600 of the Greek Security Team accessed computers
connected to the Compact Muon Solenoid detector, one of four key
subsystems responsible for monitoring the collisions of protons speeding
around the 18-mile track near Geneva, Switzerland. A few scientists had
worried that the experiment could inadvertently create a
planet-swallowing black hole. Physicists called this impossible, or at
least extraordinarily unlikely. But the hack raises a different sort of
worst-case scenario: the largest and most complicated science experiment
in history, intended to reveal basic information about the composition
of matter, derailed by malevolent intruders. "The LHC experiments have
very complex computer systems for data recording and analysis and even
more sensitive systems for experiment control, trigger and data
acquisition," said an MIT physicist and Collider collaborator. "You
could imagine that penetrating the 'real time domain' could have
catastrophic consequences." Source:
http://www.abcnews.go.com/Technology/story?id=5804254&page=1

MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
[EMAIL PROTECTED]
Doing IT Right!




RE: Comparing files and folder

2008-09-02 Thread Mike French
I've used Beyond Compare in the past with good results: 
http://www.scootersoftware.com/




From: Matt Plahtinsky [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 02, 2008 12:22 PM
To: NT System Admin Issues
Subject: Comparing files and folder

 
 



NASA has a Virus?

2008-08-29 Thread Mike French
(National) Computer virus hits ISS, should NASA worry? It was confirmed
yesterday by National Aeronautics and Space Administration (NASA) that
they discovered a computer virus that has the ability to steal passwords
on a laptop that is aboard the International Space Station (ISS). The
virus was first discovered by Symantec back on August 27, 2008, with the
virus being called W32.Gammima.AG. It impacts systems running Windows
2000, 95, 98, Me, NT, XP, and Windows Server 2003. At this point though,
it does not seem that there is much of a threat to NASA directly from
the virus. The report states that the virus is very easy to contain and
remove, and can cause minimal damage. Source:
http://www.dbtechno.com/space/2008/08/28/computer-virus-hits-iss-shouldn
asa- worry/

I wonder if you could add a space station to a Bot Net?

MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!




RE: How much network traffic per app?

2008-08-28 Thread Mike French
Netflow? Are your switches capable?


From: Benjamin Zachary - Lists [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 27, 2008 10:37 PM
To: NT System Admin Issues
Subject: How much network traffic per app?

I have been asked to determine what the network traffic is for a particular 
client/server app. Other than running some bandwidth tests, and then running 
them while running the application is about the best thing I came up with. Is 
there any particular software that could do something like that? A sniffer and 
such wouldn't tell me bandwidth used. We are deciding whether a terminal server 
(75k/user) is better than vpn for the particular app. 

Personally I like TS for the other advantages but I need to have something 
close to accurate. 

Thx



 
 



RE: Aug 27th - power down IT day?

2008-08-27 Thread Mike French
I'm powering down HP's webserver farm... Think they'll notice?

 



From: David Mazzaccaro [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 27, 2008 7:45 AM
To: NT System Admin Issues
Subject: RE: Aug 27th - power down IT day?

 

LOL

Exactly.

 

 



From: James Rankin [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, August 27, 2008 8:43 AM
To: NT System Admin Issues
Subject: Re: Aug 27th - power down IT day?

I am powering down my entire Citrix farm as I type

2008/8/27 David Mazzaccaro <[EMAIL PROTECTED]>

Yikes... anyone here doing this? 
http://h10038.www1.hp.com/poweritdown.asp?agencyid=1&jumpid=ex_r33_xbu_go_poweritdown_fed
  

 

 

 

 

 

 

 

 

 


RE: Mutliple Floor building

2008-07-29 Thread Mike French
Check with your building engineers and make sure the 2nd floor can
handle the weight. They may have specific areas on the above ground
floors where high weight can be handled better. Just a thought.

 

 



From: David W. McSpadden [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 29, 2008 8:57 AM
To: NT System Admin Issues
Subject: Mutliple Floor building

 

If you have a Multiple Floor building where is the preferred placement
of the IS/Data Center?

Case in point:

3 level building

Ground Level

and 2 floors above.

We are being told we will be in the Ground Level but we kind of wanted
the 2nd Floor.

Any ideas?

 

 

 

Data Security is everyone's responsibility.

 

 

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~

RE: People that keep scanning my firewall

2008-07-28 Thread Mike French
Agreed - Nepenthes with Honeytrap works nice... send all the bad ports
to the honeypot and tell Honeytrap to Mirror the connection (LOL, use
with caution)
I also use http://www.nirsoft.net/utils/ipnetinfo.html IPNETInfo for the
lookup of rogue IP's; it works nice...


-Original Message-
From: Ziots, Edward [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 1:41 PM
To: NT System Admin Issues
Subject: RE: People that keep scanning my firewall

Set up a honeypot and watch the scans go way up. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-Original Message-
From: Phil Brutsche [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 2:36 PM
To: NT System Admin Issues
Subject: Re: People that keep scanning my firewall

In that case, good luck getting them to do anything about it.

If they are being a particular nuisance you could block that subnet at
the router upstream from your firewall.

David W. McSpadden wrote:
> most are out of country.

-- 

Phil Brutsche
[EMAIL PROTECTED]



RE: Any know how to install IO::Socket::SSL with active state perl

2008-07-25 Thread Mike French
Maybe: perl -MCPAN -e shell
 install IO::Socket::SSL

Should grab all the dependencies too...


-Original Message-
From: Micheal Espinola Jr [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 25, 2008 11:34 AM
To: NT System Admin Issues
Subject: Re: Any know how to install IO::Socket::SSL with active state
perl

It's in the University of Winnipeg repository.  Type this to add it
(single line may wrap):

   ppm repo add "University of Winnipeg" http://theoryx5.uwinnipeg.ca/ppms/

after which,

   ppm install IO::Socket::SSL

should work just fine.



On Fri, Jul 25, 2008 at 11:59 AM, Ski Kacoroski <[EMAIL PROTECTED]>
wrote:
> I was not able to find it in any PPM repositories.  Do you know of one?
>
> ski
>
> Micheal Espinola Jr wrote:
>>
>> Do you know how to use the PPM?  Have you found a repository that you
>> can install this module from?
>>
>> On Wed, Jul 23, 2008 at 11:01 AM, Ski Kacoroski <[EMAIL PROTECTED]>
>> wrote:
>>>
>>> Hi,
>>>
>>> I get a Net::SSLeay could not find a random number generator error. The
>>> docs for this say I need a RNG such as /dev/random (unix speak) or an
>>> alternate, but the only alternate I can find is no longer available
>>> (EGADS).
>>>
>>> cheers,
>>>
>>> ski
>>>
>>> --
>>> "When we try to pick out anything by itself, we find it
>>>  connected to the entire universe"John Muir
>>>
>>> Chris "Ski" Kacoroski, [EMAIL PROTECTED], 206-501-9803
>>> or ski98033 on most IM services
>>>
>>>
>>
>>
>>
>
> --
> "When we try to pick out anything by itself, we find it
>  connected to the entire universe"John Muir
>
> Chris "Ski" Kacoroski, [EMAIL PROTECTED], 206-501-9803
> or ski98033 on most IM services
>
>



-- 
ME2



RE: WiFi setup

2008-07-03 Thread Mike French
http://www.wardrive.net/wi-foo-samplechapter.pdf

Start on Page 173.

-Original Message-
From: Mike Gill [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 01, 2008 2:42 PM
To: NT System Admin Issues
Subject: RE: WiFi setup

Maybe you could shoot a link this way. I've been looking for the last half
hour on Google and can't find anything regarding Session Hacking and WPA
other than this was one of the things WPA/2 is supposed to defend against
using random session id's.

-- 
Mike Gill

> -Original Message-
> From: Mike French [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, July 01, 2008 6:15 AM
> To: NT System Admin Issues
> Subject: RE: WiFi setup
> 
> I didn't say it couldn't be cracked, but 802.1x with certificates is
> not
> currently exploitable in the same way WPA/WPA2 shared keys are.
> "session
> hijacking" - Do a little research


~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~



RE: WiFi setup

2008-07-01 Thread Mike French
I didn't say it couldn't be cracked, but 802.1x with certificates is not
currently exploitable in the same way WPA/WPA2 shared keys are. "session
hijacking" - Do a little research

-Original Message-
From: Ken Schaefer [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 01, 2008 1:05 AM
To: NT System Admin Issues
Subject: RE: WiFi setup

Um, how do you think certificates work? They use public/private key
technology to exchange a symmetric key pair. Given enough time and
processing power you can break any TLS based encryption mechanism as
well :-)

Cheers
Ken

> -Original Message-----
> From: Mike French [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 1 July 2008 7:09 AM
> To: NT System Admin Issues
> Subject: RE: WiFi setup
>
> If you are forced to WPA/WPA2 use a Max length pass phrase with
> randomized Upper lower, Numbers, Special Characters (you know the
> drill). It might take the sting out of the crackers. Anything with
> pre-shared keys is crackable given enough time and processor power. I
> don't think 802.1x with Radius is susceptible, provided you are using
> certificates.
>
>
> -Original Message-
> From: Marc Maiffret [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 30, 2008 3:04 PM
> To: NT System Admin Issues
> Subject: RE: WiFi setup
>
> You shouldn't have any problems then. It is more of a track record on
> WEP/WPA and related that is to worry about, but you can always handle
> that when the time comes. Currently the only WPA2 that can be cracked is
> that which uses pre-shared keys.
>
> Marc Maiffret
> Founder/CEO
> Invenio Security
> Security Services & Training
> http://www.inveniosecurity.com
>
>
> > -Original Message-
> > From: Chyka, Robert [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 30, 2008 12:35 PM
> > To: NT System Admin Issues
> > Subject: RE: WiFi setup
> >
> > We have cisco 440r controllers and an acs appliance.  We use WPA2 with
> > 802.1X for authentication against our active directory..
> >
> > -Original Message-
> > From: "Carl Houseman" <[EMAIL PROTECTED]>
> > To: "NT System Admin Issues" 
> > Sent: 6/30/08 3:17 PM
> > Subject: RE: WiFi setup
> >
> > I wouldn't worry about separate IPSEC if your Wi-Fi hardware supports
> > WPA2 and uses a 802.1x (Radius server) for client authentication.
> >
> > In fact, if you go for 802.11n, you're required to use WPA2 to get the
> > "n" throughput boost.
> >
> > Carl




RE: WiFi setup

2008-06-30 Thread Mike French
BlackMagic


From: Don Ely [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 30, 2008 4:23 PM
To: NT System Admin Issues
Subject: Re: WiFi setup





RE: WiFi setup

2008-06-30 Thread Mike French
If you are forced to WPA/WPA2 use a Max length pass phrase with
randomized Upper lower, Numbers, Special Characters (you know the
drill). It might take the sting out of the crackers. Anything with
pre-shared keys is crackable given enough time and processor power. I
don't think 802.1x with Radius is susceptible, provided you are using
certificates.


-Original Message-
From: Marc Maiffret [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 30, 2008 3:04 PM
To: NT System Admin Issues
Subject: RE: WiFi setup

You shouldn't have any problems then. It is more of a track record on
WEP/WPA and related that is to worry about, but you can always handle
that when the time comes. Currently the only WPA2 that can be cracked is
that which uses pre-shared keys.

Marc Maiffret
Founder/CEO
Invenio Security
Security Services & Training
http://www.inveniosecurity.com


> -Original Message-
> From: Chyka, Robert [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 30, 2008 12:35 PM
> To: NT System Admin Issues
> Subject: RE: WiFi setup
> 
> We have cisco 440r controllers and an acs appliance.  We use WPA2 with
> 802.1X for authentication against our active directory..
> 
> -Original Message-
> From: "Carl Houseman" <[EMAIL PROTECTED]>
> To: "NT System Admin Issues" 
> Sent: 6/30/08 3:17 PM
> Subject: RE: WiFi setup
> 
> I wouldn't worry about separate IPSEC if your Wi-Fi hardware supports
> WPA2 and uses a 802.1x (Radius server) for client authentication.
> 
> In fact, if you go for 802.11n, you're required to use WPA2 to get the
> "n" throughput boost.
> 
> Carl
> 
> -Original Message-
> From: Chyka, Robert [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 30, 2008 1:56 PM
> To: NT System Admin Issues
> Subject: RE: WiFi setup
> 
> Do you have any good reference sites or docs on how to design and
> engineer this?
> 
> Thanks!
> 
> -Original Message-
> From: "Marc Maiffret" <[EMAIL PROTECTED]>
> To: "NT System Admin Issues" 
> Sent: 6/30/08 1:54 PM
> Subject: RE: WiFi setup
> 
> Do not forget to use IPSEC or related to secure access between WiFi systems
> and your main network. Almost all of the built-in WiFi protection mechanisms
> such as MAC filtering, WEP, disabling broadcast, etc are all prone to attacks.
> 
> Marc Maiffret
> Founder/CEO
> Invenio Security
> Security Services & Training
> http://www.inveniosecurity.com
> 
> 
> > -Original Message-
> > From: David W. McSpadden [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 30, 2008 6:51 AM
> > To: NT System Admin Issues
> > Subject: WiFi setup
> >
> > I get to build a whole new datacenter for the Credit Union.
> > Yeah.
> > I am pretty good on everything with the exception that the new
> > datacenter will have to have WiFi built in
> > I am looking at 802.11g for now but I thought n was coming out.
> > Does anyone have any comments on how to WiFi a 4000sqft building with 3
> > floors?
> >
> >
> >
> >
> >
> >
> >
> > Data Security is everyone's responsibility.
> >
> >
> 
> 
> 

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~
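
The passphrase advice in the WiFi setup thread above (use a maximum-length random passphrase, because anything with pre-shared keys is crackable given enough time and processor power) can be made concrete. The following is an added example, not code from any poster on the list: it derives the WPA/WPA2 pre-shared key the way the standard does (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations) and estimates the search space of a few passphrase policies. The function names, the sample policies and the guessing rate are assumptions chosen for illustration.

```python
"""WPA/WPA2-PSK key derivation and passphrase strength (added example)."""
import hashlib
import math
import secrets
import string

# Printable, non-space ASCII: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PMK_BITS = 256        # size of the derived pairwise master key
MAX_PASSPHRASE = 63   # WPA passphrases are 8..63 printable ASCII characters


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= MAX_PASSPHRASE:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def generate_passphrase(length: int = MAX_PASSPHRASE) -> str:
    """Random passphrase drawn from the OS CSPRNG; defaults to the maximum length."""
    if not 8 <= length <= MAX_PASSPHRASE:
        raise ValueError("length must be 8 to 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space in bits for a uniformly random passphrase.

    Capped at the PMK size: beyond 256 bits, guessing the key itself is no
    harder than guessing the passphrase. Human-chosen phrases have far less
    entropy than this uniform estimate.
    """
    return min(length * math.log2(alphabet_size), float(PMK_BITS))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at an assumed offline guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e6):
    """Return (label, bits, years) for constructed sample policies.

    The default rate of one million guesses per second is an assumption, not
    a measurement; each guess costs 4096 HMAC-SHA1 iterations twice over.
    """
    policies = [
        ("8 lowercase letters", 8, 26),
        ("12 letters and digits", 12, 62),
        ("63 random printable characters", MAX_PASSPHRASE, len(ALPHABET)),
    ]
    rows = []
    for label, length, size in policies:
        bits = entropy_bits(length, size)
        rows.append((label, bits, years_to_exhaust(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    psk = generate_passphrase()
    print("passphrase:", psk)
    # "ExampleCorp-WLAN" is a constructed SSID used only for this demonstration.
    print("PMK:", derive_pmk(psk, "ExampleCorp-WLAN").hex())
    for label, bits, years in compare_policies():
        print(f"{label:32s} {bits:6.1f} bits  {years:.3g} years")
```

Because the SSID is the only salt, the same passphrase on a differently named network yields a different key, and a short passphrase remains weak whatever the network is called.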


RE: NOD32 v2 definition issue?

2008-06-25 Thread Mike French
Same here, 3217 pegged a bunch of word docs. 3218 - Scanned again and are OK. 
It HAD to happen today, we have FDIC auditors in.


From: Tim Evans [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2008 3:01 PM
To: NT System Admin Issues
Subject: RE: NOD32 v2 definition issue?

3218 fixed our issues here


...Tim

From: Durf [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 25, 2008 12:48 PM
To: NT System Admin Issues
Subject: Re: NOD32 v2 definition issue?

Latest defs still popping false positives.  Anyone got anything on this? 

-- Durf
On Wed, Jun 25, 2008 at 12:57 PM, Jon Harris <[EMAIL PROTECTED]> wrote:
Rescanned my local system and the file that popped up for me the first time did 
not pop up this time.  Definitions were updated to the 3218.  Now to go back 
and check the server.
 
Jon
On Wed, Jun 25, 2008 at 12:32 PM, Jon Harris <[EMAIL PROTECTED]> wrote:
The server seeing all the errors is on 3217 though.
 
Jon
On Wed, Jun 25, 2008 at 12:32 PM, Jon Harris <[EMAIL PROTECTED]> wrote:
I am on 3218 definitions at the moment I am hoping that it passed through to 
that one as well.
 
Jon
On Wed, Jun 25, 2008 at 12:23 PM, Andy Ognenoff <[EMAIL PROTECTED]> wrote:
There is a problem with the 3217 definitions.  I saw a post about it on the
Wilder Security Forums.  Causing me a headache too...

 - Andy O.

From: Jon Harris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 25, 2008 11:09 AM
To: NT System Admin Issues
Subject: NOD32 v2 definition issue?








-- 
--
Give a man a fish, and he'll eat for a day. 
Give a fish a man, and he'll eat for weeks! 





IP Data Center Camera

2008-05-21 Thread Mike French
Anybody have a recommendation for a Data Center IP Camera? I hear Axis
makes good ones? We currently have an over-priced D-Link pan/tilt
camera...Need to dump it...


MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK
Office: 214.231.4565
[EMAIL PROTECTED]
Doing IT Right!




RE: Remote Control Application

2008-05-21 Thread Mike French
I use Dameware mini-remote www.dameware.com 
Works pretty good for us and is cheap...

-Original Message-
From: Matthew W. Ross [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 21, 2008 10:08 AM
To: NT System Admin Issues
Subject: RE: Remote Control Application

When I try to use Remote Control, it forces the remote machine's user to
be locked/logged out while I take control... Is there a way to use
Microsoft's built in RDP without forcing the online user off?

Also, does anybody have any good RDP/VNC "monitoring" programs?
Something that will keep a list of machines, and make it easy for me to
connect? I have seen VNCScan and tried VNC Neighborhood, which is okay,
but I haven't seen one for Microsoft's Remote Control.

--Matt

- Original Message -
From: Christopher Boggs
[mailto:[EMAIL PROTECTED]
To: NT System Admin Issues
[mailto:[EMAIL PROTECTED]
Sent: Wed, 21 May 2008
07:00:20 -0700
Subject: RE: Remote Control Application


> With remote assistance, yes, but not with remote desktop.
> 
>  
> 
> With Remote Assistance, you can set up unsolicited offers so that you
> can offer to take control but they always have to OK it, as far as I
> know.
> 
>  
> 
> 
> 
> From: David Mazzaccaro [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 21, 2008 8:48 AM
> To: NT System Admin Issues
> Subject: RE: Remote Control Application
> 
>  
> 
> Is it true that with Microsoft's remote assistance, the user on the
> remote computer always has to initiate the connection?
> 
> As with UltraVNC, I can remote connect to any computer with or without
> the end user being there.
> 
>  
> 
>  
> 
> 
> 
> From: Edwards, David [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 21, 2008 9:32 AM
> To: NT System Admin Issues
> Subject: RE: Remote Control Application
> 
>  
> 
> Assuming you have VPN or some sort of remote connectivity to their
> network, RDP works great. I use it daily from home and remote
locations
> to access my work computer. Also it is free and supported by MS. Make
> sure the remote computer does not have any power saving, sleep mode,
> etc. enabled. 
> 
>  
> 
> Regards, 
> 
> Dave
> 
> 
> 
> From: tom lohrmann [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, May 21, 2008 6:24 AM
> To: NT System Admin Issues
> Subject: Remote Control Application
> 
>  
> 
> I help manage a network across town.  There resides a pc on their
> network that has a specialized application for printing.  I need to be
> able to gain access of the display, keyboard and mouse from my office or
> my home to access that application periodically during the week without
> any user intervention on their side.
> 
>  
> 
> We currently use "gotomeeting.com" but that requires them to start a
> meeting and since the pc is in a distant location in their building they
> don't like it.
> 
>  
> 
> Anyone have a good solution?  Anyone have a GREAT Solution? 
> 
> Thanks
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 
>  
> 


RE: OT Intrusion Protection systems

2008-05-13 Thread Mike French
We looked at Top Layer's offering: http://www.toplayer.com/

We are also looking at this: http://www.paloaltonetworks.com/ (PA-4020)

What I like about the PA offering is the ability to "Man-in-the-middle"
an SSL connection. I've had concerns with encrypted (malicious) traffic
over known ports, currently hard to spot.


From: Eldridge, Dave [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 13, 2008 12:03 PM
To: NT System Admin Issues
Subject: OT Intrusion Protection systems

I have a site that is looking to replace their Forescout "Active Scout"
IPS system. I have no idea what's out there. I know Cisco has a couple
of things including a card for their ASA box. Anyone with
recommendations for these or are IPS systems even relevant anymore?
TIA


RE: NTFS Permissions

2008-05-08 Thread Mike French
1) was the user added to the group _during the current login session_,
or before the current login session.

- Yes they did not log off to refresh the session.

2) are there any explicit DENY entries in place?

- None (I kept it as simple as possible)

3) what does Effective Permissions return for the user account?

- I should have done this; I'll check this out.


1.  have a user in that managers group, log off and log back on to
ensure they get the new security token.


- A correlation with #1 far above... This makes sense but sucks... I
assume M$ has a refresh interval... I'll google... 

I bet the Token Refresh is the culprit here.  

2. If #1 doesn't solve it, recreate the group as a domain local security
group.

- I tried it both ways, no love...


-----Original Message-----
From: Andy Shook [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 08, 2008 2:49 PM
To: NT System Admin Issues
Subject: RE: NTFS Permissions

Two thoughts...

1.  have a user in that managers group, log off and log back on to
ensure they get the new security token.
2. If #1 doesn't solve it, recreate the group as a domain local security
group.

Shook
-----Original Message-----
From: Mike French [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 08, 2008 3:08 PM
To: NT System Admin Issues
Subject: NTFS Permissions



I have an issue with my file server and NTFS permissions. I checked the
"Shared Permissions" and they are Domain Admins Full control and Domain
Users Change.
The structure is simple: \\FileServer\Shared\Managers

In AD I created a Global group called "Managers" and added the
appropriate users to the group. Now back over to the file server I add
the "Managers" group to the Managers folder NTFS permissions, gave them
"Full Control" and the permissions inherited down through the child
folders. Now when I go to a user's machine who is a member of the
"Managers" group and try to access the Managers folder "Access is
denied"? They can get through the "Shared" directory so I don't think
it's "Share Permissions". If I configure the NTFS permissions explicitly
for each user it works? Maybe replication? Folder owner problems? I've
been googling and haven't run into anything that fits the bill.


NTFS Permissions

2008-05-08 Thread Mike French


I have an issue with my file server and NTFS permissions. I checked the
"Shared Permissions" and they are Domain Admins Full control and Domain
Users Change.
The structure is simple: \\FileServer\Shared\Managers

In AD I created a Global group called "Managers" and added the
appropriate users to the group. Now back over to the file server I add
the "Managers" group to the Managers folder NTFS permissions, gave them
"Full Control" and the permissions inherited down through the child
folders. Now when I go to a user's machine who is a member of the
"Managers" group and try to access the Managers folder "Access is
denied"? They can get through the "Shared" directory so I don't think
it's "Share Permissions". If I configure the NTFS permissions explicitly
for each user it works? Maybe replication? Folder owner problems? I've
been googling and haven't run into anything that fits the bill.



RE: mapped drives - having no FREE space

2008-04-09 Thread Mike French
Disk Quota on the file server?


From: Jeff Gottlieb [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 09, 2008 12:29 PM
To: NT System Admin Issues
Subject: mapped drives - having no FREE space

We are having a nightmare!  All 3 mapped drives for one user indicate 36.0 
KB.  This is not a global issue.  It happened overnight.  Other users are 
OK...with plenty of drive space coming from the same mapped drives off the same 
server.  Ironically, the roaming profile failed to connect to the server during 
startup too.  Roaming profiles for this user were then turned off.  The user's 
desktop (local) profile was completely rebuilt from the ground up, but the same 
problem exists.

The same problem follows only this user even when logged on to other 
computers...perhaps something in AD.  We are bashing our heads against the wall 
and would certainly appreciate a recommendation.  Cheers. -Jeff









RE: Huge spike in spam

2008-04-07 Thread Mike French
Saw a big spike from these IPs:

208.73.238.232
208.73.238.233
208.73.238.234

Started around 2PM CST claiming to be "toolauthor.com".. They got the "tool" 
part right, I'll have a nice dirty e-mail sent out to their ISP...


From: Barsodi.John [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 07, 2008 5:45 PM
To: NT System Admin Issues
Subject: RE: Huge spike in spam

Nope, I saw a drop off around 2PM PST.

Our largest hit was the 6-8AM hours today.  

From: Louis, Joe [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 07, 2008 3:39 PM
To: NT System Admin Issues
Subject: Huge spike in spam

Anyone see this in the last hour? My hourly count has gone up 6 times what it 
normally is for this time and the hour is only 36 minutes in.
 
 







RE: site-to-site VPN question

2008-03-27 Thread Mike French
You might also want to look into the "Hub Network" feature of the VPN tunnel, 
much more secure since all traffic from your branch office will route through 
the tunnel and out your central office WAN. 


From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 25, 2008 11:40 AM
To: NT System Admin Issues
Subject: site-to-site VPN question

When you implement a site-to-site VPN between firewalls, does this affect 
routes?
 
Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]
 





TriGEO Log Correlation Appliance

2008-03-13 Thread Mike French
Anybody using the TriGEO SIM Appliance (http://www.trigeo.com/)? I've
been through a couple of WebEx's and it looks promising, we audit quite a
bit here and with syslog in the mix, we need a solution to normalize,
correlate and possibly remediate. Their offering even takes care of USB
storage without extra cost. They're rule based but looks easy to set up and
alert. I haven't found many out there doing this, SNARE comes to mind
but, I want a little more out of the data collection. Anybody have any
ideas?

MIKE FRENCH
NETWORK ENGINEER
~EQUITY BANK


RE: Big log file

2008-02-06 Thread Mike French
These might be useful: http://baremetalsoft.com/index.php

I use baretail (here come the jokes) and baregrep




From: Joe Heaton [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 05, 2008 2:02 PM
To: NT System Admin Issues
Subject: Big log file


Anyone have any useful ideas on how to open a 250MB log file?  I tried opening 
it in Wordpad, but it gets stuck around 75%.  It's a file level log of a backup 
job, which normally backs up around 420,000 files.  There's a discrepancy on 
the summary report, of about 20 files, between what it says it looks at, 
filters out, and actually backs up.  The company has no idea what those 20 
files could be, and they're probably no big deal, but I want to know what the 
backup isn't backing up...
 
Joe Heaton
AISA
Employment Training Panel
1100 J Street, 4th Floor
Sacramento, CA  95814
(916) 327-5276
[EMAIL PROTECTED]
 









RE: Business Continuity / Disaster Recovery Consultants

2008-01-03 Thread Mike French
Try these too:
http://acp-international.com/

http://sfba.acp-international.com/




From: Erik Goldoff [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 02, 2008 7:26 PM
To: NT System Admin Issues
Subject: RE: Business Continuity / Disaster Recovery Consultants


I don't know CA, but check the following websites, may have links that can help 
you out :
 
www.scpa.us   
http://www.scpa.us/bcplinks.html
 
www.drii.org   
http://www.drii.org/DRII/Careers/LocateProfessionals.aspx
 
 
 
 


From: Phil Guevara [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 02, 2008 6:06 PM
To: NT System Admin Issues
Subject: Business Continuity / Disaster Recovery Consultants

Anyone have any BC/DR consultants to recommend in California?
 
Thanks,
 
Phil









SAN Gig Switch Recommendation

2007-12-28 Thread Mike French
We will be implementing a SAN in 2008; we are mainly a Cisco Shop. We
will be deploying to a SAN Network Isolated from our core network
switches. I believe a 24 Port Gig switch will fit the bill, but I'm
unsure if Cisco is the vendor we should look at? Any advice from you
guys that are running SANs...

