RE: Encrypting a 2008 R2 Clustered File Server

To clarify one point: you can access RMS encrypted documents offline if you've already been issued a license key. But you can't open anything you haven't previously From: Ken Schaefer [mailto:k...@adopenstatic.com] Sent: Wednesday, 11 January 2012 3:15 PM To: NT System Admin Issues Subject: RE:

RE: Encrypting a 2008 R2 Clustered File Server

I think you need to define what you are trying to protect against. Bitlocker will protect disks at rest - it's whole disk encryption. It doesn't encrypt individual files. EFS is per file encryption - but it's also an attribute of the NTFS file system. EFS is thus not portable across any medium

Re: OT - Home Router ideas?

Ya, at the time my primary need was for a p2p tunnel. The other stuff appealed to me but the community was in a weird transistion state as well with the primary dev, etc. The whole thing was just too irritating overall in the end. Also the basic capabilities of the low end commerical offerings c

Re: OT - Home Router ideas?

The tunnels didn't appeal to me, because everything I need to connect with is IPSec, but they only support OpenSSL. Once I got over that, however, I was good, because I searched for the best router that would support the firmware before I bought it. To me, it's no different from any other HCL typ

Re: OT - Home Router ideas?

First their 'tunnels' did not work as advertised and I spent months trying things on their forums only to find out they didn't work per documentation. Second, it was such a pain to get the DD-WRT to work on the hardware and you had to be very very careful to get the supported routers model number

Re: OT - Home Router ideas?

What problems have you encountered? I have 3 DD-WRT based devices running now (2 at work; 1 at home) and I haven't had any issues. Still on the Aug 2010 release. Also, what do you use instead of DD-WRT? * * *ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of Technology for the S

Re: OT - Home Router ideas?

I realize there is a lot of love for dd-wrt but they burned their bridge with me a while ago. I just don't find their stuff dependable enough to actually use anymore. Granted this may have changed in two years, but not enough for me to trust them with something I may have to support. On Tue, Jan

Re: OT - Home Router ideas?

Anything found here:http://www.dd-wrt.com/site/support/router-database   On January 10, 2012 at 12:09 PM winsys wrote: > A friend of mine is looking for a new home router that he can > disable/enable internet access very easily from a web page. ~ Finally, powerful endpoint security that ISN'T

Re: A poll, of sorts...

I almost misread it myself. I kept wondering why this would even be a question, and then I noticed what all the hoopla was about. * * *ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of Technology for the SMB market… * On Tue, Jan 10, 2012 at 6:24 PM, Jon Harris wrote: > Man

Re: Expaning Subnet again

On Tue, Jan 10, 2012 at 12:40, Micheal Espinola Jr wrote: > Without a proper understanding of the fundamentals, you could very easily > make part of, if not all of your network unusable.  A subnet calculator is a > handy little tool, but you really should have a good grasp of the underlying > conc

Re: Expaning Subnet again

And lets not forget of doing a config backup before changing things, just in case something changes "on its own" and the network stops working. - Original Message - From: Micheal Espinola Jr To: NT System Admin Issues Sent: Tuesday, January 10, 2012 6:40 PM Subject: Re: Expa

Re: A poll, of sorts...

Man did I miss read that question! I have never seen this done since I started up my first domain. This was done previously at the Research Facility until there was a stink about some changes being made to profiles in Windows 2000. Stupid stupid Jon On Mon, Jan 9, 2012 at 11:40 PM, Jon Harris

RE: Encrypting a 2008 R2 Clustered File Server

AD RMS is independent of Bitlocker/TPM/EFS though and does some really slick stuff. Thanks, Brian Desmond br...@briandesmond.com w - 312.625.1438 | c - 312.731.3132 From: Cameron Cooper [mailto:ccoo...@aurico.com] Sent: Tuesday, January 10, 2012 3:30 PM To: NT System Admin Issues Subject: RE:

RE: bougt the book

Up to the author to do the updates but yes it's possible and I did recently fix all the errata. O'Reilly has a very cool "on demand" production process that makes this possible. Thanks, Brian Desmond br...@briandesmond.com w - 312.625.1438 | c - 312.731.3132 From: Michael B. Smith [mailto:mi

RE: bougt the book

They're floating around. I give them away to customers all the time plus the occasional conference give aways. Thanks, Brian Desmond br...@briandesmond.com w - 312.625.1438 | c - 312.731.3132 From: Mathew Shember [mailto:mathew.shem...@synopsys.com] Sent: Tuesday, January 10, 2012 1:21 PM To:

Re: OT - Home Router ideas?

This very much depends on the structure (materials) of your house, and the power output of your antennas (internal or external), etc. -- Espi On Tue, Jan 10, 2012 at 2:04 PM, MMF wrote: > Not true. I have my 2Wire router on second floor on top of bookcase and > I have no issues when down i

RE: IIS 6.0 Security

The Citrix eDocs says if you are using SSL v3 you are not FIPS compliant. You have to use TLS 1.0. SSL/TLS and FIPS Compliance When configured properly, deployments using TLS 1.0 can use FIPS 140-validated cryptographic modules in a manner that is compliant with FIPS 140-2; SSL 3.0 is not FIPS

Re: OT - Home Router ideas?

Not true. I have my 2Wire router on second floor on top of bookcase and I have no issues when down in my “man cave” in the basement! MMF From: Steven Peck Sent: Tuesday, January 10, 2012 3:04 PM To: NT System Admin Issues Subject: Re: OT - Home Router ideas? Router in the basemetn of a two st

Re: A poll, of sorts...

Nope... That reason doesn't get me any closer to the "contemplating it" line. I've routinely talked senior managers out of less dumb considerations before. (It should also be noted, however, that on occasion, I have utterly failed to talk some really cognitive-challenged senior mgmt persons from

RE: Encrypting a 2008 R2 Clustered File Server

Michael, Thanks for the warning on not using it. With my first research we couldn't use BitLocker on the cluster servers since they don't have TPM chips installed. Found the following article to use BitLocker without TPM

RE: A poll, of sorts...

Loaded gun, meet forehead. -Original Message- From: Kurt Buff [mailto:kurt.b...@gmail.com] Sent: Tuesday, January 10, 2012 12:41 PM To: NT System Admin Issues Subject: Re: A poll, of sorts... On Tue, Jan 10, 2012 at 09:28, Andrew S. Baker wrote: > > >> miniumum10 characters in length, w

Re: OT - Home Router ideas?

I'm only throwing this out there since I am into home automation. I'm sure there are easier ways to do this, but ... http://www.smarthome.com/71935/INSTEON-X10-Internet-Controller/p.aspx So you would put this on the WAN side of the router. Controlling it could be a variety of other Insteon devi

Re: OT - Home Router ideas?

Router in the basemetn of a two story house? You are going to want something with a decent antenea then. On Tue, Jan 10, 2012 at 12:28 PM, winsys wrote: > Router is in the mechanical room of the basement. He is usually 2 floors > up where his home office and bedroom are. > He thinks it would be

RE: bougt the book

I had completely forgotten about that. Thanks for the reminder. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Webster [mailto:webs...@carlwebster.com] Sent: Tuesday, January 10, 2012 1:45 PM To: NT System Admin Issues Subject: Re: bougt the book You

RE: IIS 6.0 Security

Ain't just FIPS. Also NIST and PCI and... etc. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Webster [mailto:webs...@carlwebster.com] Sent: Tuesday, January 10, 2012 3:11 PM To: NT System Admin Issues Subject: Re: IIS 6.0 Security I am in the proces

Re: Expaning Subnet again

Without a proper understanding of the fundamentals, you could very easily make part of, if not all of your network unusable. A subnet calculator is a handy little tool, but you really should have a good grasp of the underlying concepts before taking on a challenge of [re]subnetting your network.

Re: A poll, of sorts...

On Tue, Jan 10, 2012 at 09:28, Andrew S. Baker wrote: > > >> miniumum10 characters in length, with no expiration, no history and > >> no mimimum age? > > When I determine what would make me comfortable with the above, I'll let you > know. > > In the mean time, I'll echo the "why" question you've

Re: OT - Home Router ideas?

I would rate those items higher. I went with the Netgear WNR-3500L a few months back, using the DD-WRT firmware, and have been very pleased. Should address all the listed concerns. BTW, if one is disabled some level of network access via a GUI, one should ensure that the GUI itself is not depen

Re: OT - Home Router ideas?

Router is in the mechanical room of the basement. He is usually 2 floors up where his home office and bedroom are. He thinks it would be more convenient to enable/disable from web page. thx. On Tue, Jan 10, 2012 at 2:38 PM, Jonathan Link wrote: > What's wrong with pulling the plug? > > > > On Tue

Re: Expaning Subnet again

Typically, there are easy ways and hard ways to go about things, and the latter outnumber the former for the most part. Once you've asked for guidance and received it, it pays to take that road, so as to minimize your time on the latter road. Just saying. * * *ASB* *http://XeeMe.com/AndrewBaker

Re: IIS 6.0 Security

I am in the process of writing four books simultaneously (XA5/2003, XA5/2008, XA6.0 and XA6.5). After this thread, I will make sure I add this SSL v3/TLS(FIPS) stuff. Thanks Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com

RE: Encrypting a 2008 R2 Clustered File Server

NO! Don't use EFS! Use BitLocker. Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Cameron Cooper [mailto:ccoo...@aurico.com] Sent: Tuesday, January 10, 2012 1:49 PM To: NT System Admin Issues Subject: Encrypting a 2008 R2 Clustered File Server All, W

Re: bougt the book

On Tue, Jan 10, 2012 at 2:20 PM, Mathew Shember wrote: > Think my copy might be outdated.  Time for a new one. :) I've got the 1st edition and the 4th edition of the "cat and kitten" book, and I can say that the changes and improvements are dramatic. They're almost completely different books.

Re: OT - Home Router ideas?

No, but rest are fairly generic. Family of 4. use the web for browsing, email and xbox. Wireless N, decent range (home is about 3000 sq/ft), WAN/internet port over 10Mb (internet connection is 25Mb) thx. On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker wrote: > Those are his only needs? > > * *

Re: OT - How to determine vCPU over-commit in VMware ESX 4.1 - MORE

Here's what I decided to go with (for now): (snipped) == $ESXHost = "- - - - " $ESX = Get-VMHost $ESXHost $ESXHostTotalCPUMHz = $ESX.CPUTotalMHz $ESXHostNumCPU = $ESX.NumCPU $ESXHostCPUMHz = $ESX.CPUTotalMHz / $ESX.NumCPU ForEach ($

RE: Related to my Domain Admin thread

Yes split all those up. Thanks, Brian Desmond br...@briandesmond.com w - 312.625.1438 | c - 312.731.3132 From: David Lum [mailto:david@nwea.org] Sent: Tuesday, January 10, 2012 11:47 AM To: NT System Admin Issues Subject: RE: Related to my Domain Admin thread Cool. I already have some AD

Re: OT - Home Router ideas?

What's wrong with pulling the plug? On Tue, Jan 10, 2012 at 1:41 PM, Andrew S. Baker wrote: > Those are his only needs? > > * * > > *ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of > Technology for the SMB market… > > * > > > > On Tue, Jan 10, 2012 at 12:09 PM, winsys wrote:

Re: Expaning Subnet again

" No I'm fighting with my switches to change to /22, looks like my Dell switches I have to connect the cable and do it from the CLI command line, can't edit the IP in the GUI! " That's for a very good reason that most networking experts would understand without even attempting... On Tue, Jan 10,

RE: bougt the book

But is it autographed? :p Didn't know there was a kindle version. Think my copy might be outdated. Time for a new one. :) From: Webster [mailto:webs...@carlwebster.com] Sent: Tuesday, January 10, 2012 9:14 AM To: NT System Admin Issues Subject: Re: bougt the book Brian's book is a very us

RE: IIS 6.0 Security

Thanks! Went to your web site, but 4.5 seems to be too old for anything there. I think I have all but the "microsoft iis content location internal ip address leak" taken care of, and I have a bunch of tabs open concerning that. I'll find out for sure what has been taken care of after this upcom

Re: bougt the book

You have to create an account on the site, login to the account and you will see Register Print Books. They are hooked up with Microsoft Press, so I registered all my MS Press books, paid $4.99 each and now have them all on my Kindle, iPad and the PDFs in a folder on every computer. O'Reilly i

Re: OT - Home Router ideas?

Those are his only needs? * * *ASB* *http://XeeMe.com/AndrewBaker* *Harnessing the Advantages of Technology for the SMB market… * On Tue, Jan 10, 2012 at 12:09 PM, winsys wrote: > Hi All, > > A friend of mine is looking for a new home router that he can > disable/enable internet access very

RE: Fun with Hyper-V - and failover hardware Q's

You could attach the Buffalo NAS to the front end of a Windows Server. The server will handle ntfs for you. ISCSI Initiator is what you are looking for on the server. Don't know the Buffalo NAS's to say they support it, so check into that part. Basically is just a network SCSI connection to the

RE: Related to my Domain Admin thread

Split it in two. Interns or a vendor setting up new computers won't need to make user accounts. Maybe someday you will want HR to make new employee user accounts. From: David Lum [mailto:david@nwea.org] Sent: Tuesday, January 10, 2012 12:47 PM To: NT System Admin Issues Subject: RE: Related

Re: bougt the book

http://briandesmond.com/blog/active-directory-4th-edition/ Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com From: Damien Solodow mailto:damien.solo...@harrison.edu>> Reply-To: NT Issues mailto:ntsysadmin@lyris.sunbelt-softwar

Re: IIS 6.0 Security

>From what I can find, SSL v3 support is already there in just about every >Citrix recent product. http://support.citrix.com/proddocs/topic/xenapp65-sec/ps-sec-tls-ssl-protocols-xa6.html http://support.citrix.com/proddocs/topic/xenapp65-sec/ps-sec-considerations-xa-deployment-xa6.html When you

RE: bougt the book

Active Directory. (Fourth edition) Regards, Michael B. Smith Consultant and Exchange MVP http://TheEssentialExchange.com From: Damien Solodow [mailto:damien.solo...@harrison.edu] Sent: Tuesday, January 10, 2012 12:48 PM To: NT System Admin Issues Subject: Re: bougt the book What's the title? --

Re: bougt the book

Showing up late to the party here, but Carl could you be so kind and enlighten me to as to what you mean by registering your book on o'reilly? Being new to the Kindle has me interested in bringing some of my PDF's and other books to it. A cursory search on o'reilly really doesn't provide much info

RE: Fun with Hyper-V - and failover hardware Q's

HEY...now there's a thought! User data and Shared folders on the NAS right? It's a Buffalo NAS to it's a little cumbersome to do all the users folders (no NTFS support), but each department (only three of them) has its own S: mapping and that wouldn't be too tough to set up. I hadn't thought of

Re: bougt the book

What's the title? -- Sent using BlackBerry From: Webster [mailto:webs...@carlwebster.com] Sent: Tuesday, January 10, 2012 12:13 PM To: NT System Admin Issues Subject: Re: bougt the book Brian's book is a very useful resource and reference tool. (Broken record here) I

RE: Related to my Domain Admin thread

Cool. I already have some AD groups created for some of these kinds of things. Some need to be able to create user and workstation accounts, does it make sense to have two different groups? One for creating machine and another for user? Don't think I'll have a situation where anyone would need o

Re: IIS 6.0 Security

I am checking. Please hold for the next available Citrix support person. Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com From: Michael Smith mailto:mich...@smithcons.com>> Reply-To: NT Issues mailto:ntsysadmin@lyris.sunbelt-

Re: A poll, of sorts...

*>> miniumum10 characters in length, with no expiration, no history and no mimimum age?* When I determine what would make me comfortable with the above, I'll let you know. In the mean time, I'll echo the "why" question you've already been asked... * * *ASB* *http://XeeMe.com/AndrewBaker* *Harn

Re: Expaning Subnet again

No I did not but i got the idea, i used the "Advanced Subnet Calculator" that shows me all my IP's. No I'm fighting with my switches to change to /22, looks like my Dell switches I have to connect the cable and do it from the CLI command line, can't edit the IP in the GUI! Stefan On Tue, Jan 10

RE: IIS 6.0 Security

Thanks! I did find a patch or two on the Citrix site I'll need to run. The claim is, it deals with the TLS Renegotiation vulnerability. I guess I'll find out what all works after the scan. This is a very promising start, however. From: Michael B. Smith [mailto:mich...@smithcons.com] Sent: Tu

Re: bougt the book

Brian's book is a very useful resource and reference tool. (Broken record here) I registered my book on oreilly.com, paid $4.99 and got the Kindle, epub, and PDF versions. Copy those files to the appropriate devices and I have Brian's book with me all the time. Carl Webster Consultant and

RE: Searching for SCCM MVP's or Guru's to answer this question

You saw this, I'm guessing? http://technet.microsoft.com/en-us/library/cc431377.aspx BTW: If you're using ConfigMgr, you might want to check out myITforum.com From: ed ziots [mailto:ezi...@hotmail.com] Sent: Tuesday, January 10, 2012 11:47 AM To: NT System Admin Issues Subject: Search

RE: Fun with Hyper-V - and failover hardware Q's

I was thinking more along the lines of taking the file load off the server (onto a NAS device) so that it is just running exchange and SharePoint, then you could test the backup server at load. You can even then leave the data there while you do the swing migration sometime in the future. Mike

RE: IIS 6.0 Security

Here is a few links for the ciphers issues: You can only use SSL v3 or TLS v1.0 http://manyrootsofallevilrants.blogspot.com/2011/11/disabling-low-ciphers-in-iis-60.html Here is the Blog from IIS.net that will set you straight on what to take care of in the registry. http://blogs.iis.net/saky

Re: A poll, of sorts...

On Tue, Jan 10, 2012 at 12:12 AM, Kurt Buff wrote: >>  What are the threats you are defending against?  What will this >> counter-measure cost you (e.g., forgotten passwords/resets, writing >> down of passwords, user hostility, political capital, etc.)? > > For the threats - well, the company is c

RE: Related to my Domain Admin thread

Yes best practice is not to use them. They have all sorts of little bits of extra access floating around in weird places, and they cause adminSDHolder to apply to accounts that probably shouldn't be covered. Do the legwork and delegate exactly what you need to groups - even better do it in logic

RE: IIS 6.0 Security

Just gotta know the right search string. http://blogs.iis.net/sakyad/archive/2008/12/11/enforcing-ssl-3-0-and-removing-weak-encryption-vulnerability-over-ssl-iis-6-0-and-isa.aspx http://geekswithblogs.net/dchristiansen/archive/2009/03/24/pcidss-disablessl2andweakciphersoniis6.aspx Now: Citrix/Xen

RE: Domain Admin accounts

I would concurr for PCI also, all accounts should be unique and auditable ( especially in the EA, DA, SA and administrator groups) service accounts should be properly documented with executive sign-off and proper risk management to the account for least privilege. Sincerely EZ Edward E. Zio

Searching for SCCM MVP's or Guru's to answer this question

Trying to find out why SCCM is using WEBDAV to communicate with endpoints, the configuration of SCCM in its install state, is causing PCI Scans to fail because the propfind method is enabled on IIS 7.5 and the configuration is to allow anonymous access and to anywhere in the path of allowed f

RE: Related to my Domain Admin thread

Theoretically, built-in groups are historical in nature (i.e., carryovers from NT4.0 and previous) and should not be used going forward. All of their capabilities are reproducible via delegation and GPOs and User Rights Assignments. But I don't think they are going anywhere. Brian Desmond may h

Re: Expaning Subnet again

Are you guessing, or did you try writing it out as explained to you? -- Espi On Tue, Jan 10, 2012 at 7:37 AM, Stefan Jafs wrote: > So for me *.255 are usable exept 3.255, correct? > > Stefan > > On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott wrote: > >> On Mon, Jan 9, 2012 at 7:32 PM, Heaton,

bougt the book

Book bought. I expect big things Brian! ☺ Dave From: David Lum [mailto:david@nwea.org] Sent: Thursday, January 05, 2012 1:07 PM To: NT System Admin Issues Subject: RE: Concur for expense management You mean…buy the book? Get out… From: Free, Bob [mailto:r...@pge.com]

Re: Domain Admin accounts

Which means you're going to have to audit those applications to understand what they're doing. If, for instance, the websense account is only used for AD auth for the web filter, then it doesn't need to be a DA - for our Barracuda I created an account (_barracuda), with no special privileges, beca

RE: A poll, of sorts...

No expiration, no history, no minimum age? Sounds like a kiosk... From: Christopher Bodnar [mailto:christopher_bod...@glic.com] Sent: Tuesday, January 10, 2012 5:25 AM To: NT System Admin Issues Subject: Re: A poll, of sorts... Why are you looking to change the password policy? what is the busine

Re: Expaning Subnet again

So for me *.255 are usable exept 3.255, correct? Stefan On Mon, Jan 9, 2012 at 11:00 PM, Ben Scott wrote: > On Mon, Jan 9, 2012 at 7:32 PM, Heaton, Joseph@DFG > wrote: > >>> .255 is broadcast > >> > >> Not always. > > > > Very true, if we go and break up a class C, that is absolutely true. >

RE: Domain Admin accounts

The gone employees I have handled. The accounts in question are like Websense, myonelogin and other application-like accounts. -Original Message- From: Webster [mailto:webs...@carlwebster.com] Sent: Tuesday, January 10, 2012 7:10 AM To: NT System Admin Issues Subject: Re: Domain Admin ac

OT - How to determine vCPU over-commit in VMware ESX 4.1

I am working on a PowerCLI (Powershell with VMware extension) script that I want to use to determine memory and vCPU over-commit - i.e., that I have allocated too much vCPU or memory to a VM. I can figure out the memory easily enough - I take the maximum of the last 30 days worth of 2 hour inte

Re: Domain Admin accounts

In a SOX audit I would require verification from HR that every member of Domain Admins, Enterprise Admins and Schema Admins is a valid employee. You would probably not be surprised how many are not employed and have been gone for quite some time. Same process for off-site backup access (Iron Mount

IIS 6.0 Security

Hopefully, the subject line is not a complete oxymoron... Yes, I am continuing to search Google as well as the MS TechNet pages (that Google returns) concerning IIS 6.0. We failed a PCI compliance audit on our Citrix server (Presentation Server 4.5, and yes, a new Citrix system is in the works,

RE: Domain Admin accounts

Yeah...I listed the DA accounts in question and the SE's didn't reply, and my bet is 1/2 the accounts in question the don't even know what they do. No security problem there "Yeah the dude has keys to the castle, but I don't know who he is". Dave -Original Message- From: Kurt Buff [mai

Re: A poll, of sorts...

Why are you looking to change the password policy? what is the business driver for this? Also what would be the effective loss to the business if one of the more high level employee's password's was cracked (i.e. an engineer that has access to software designs)? Chris Bodnar, MCSE, MCITP