Wednesday, July 08, 2009

Windows 2008 Sysprep?

Sysprep is a great tool for Windows administrators. It enables a server to be "reset" and copied so they can redeploy the server to a new system, saving time on the installation time. Normally it's a quick method to deploy a system on a physical server to save time but really shines on virtual servers where it's common to deploy new images.

So how does it work?

On 2008 go to the following

From here selection the following options.

1) System Cleanup Action - Select "Enter system out-of-box-experience"
2) Shutdown Options - "Power off"

I usually choose power off because I want to take a image or clone the server after it's been reset using the Sysprep tool. Overall the method to Sysprep is much simpler than before. In the older version of Sysprep in Windows 2003 and XP, you had to copy the Sysprep folder to the C:\ drive and then run the tool to built the options, then run Sysprep.

It's a good sign to see Microsoft make the effort to give a few more tools for the admins.
Follow up testing results with OpenDNS

After posting about OpenDNS I figure I try this out at home to test. So far after using it for a few days, I have not seen any slowness or change of Internet speeds. Using a custom filter, I blocked the usual sites any business would block, pornography, plus other sites like proxy bypass sites (these allow users to bypass OpenDNS's filtering).

Using Google I made a search for "proxy bypass" and just clicking the first result received a OpenDNS message window that the site in question has been blocked. A nice feature is each site blocked brings up a "contact your admin for questions" window. If a user is indeed using the site for business use, they can send a e-mail message and this will be directly sent to the registered e-mail address. From here you are given a choice as the admin, either continue blocking the site (no action needed) or "white list" the site, by unblocking it.

Overall it works but there are some slight issues. First is the filtering is connected to your IP address. For some ISP's they do not issue a static IP address but a dynamic IP address. Blocking these addresses is more difficult but not impossible, normally your router should not acquire a new IP address frequently so the filtering will still work. OpenDNS also features a nice tool that allows a computer in the network to update OpenDNS with a change in the dynamic address. This is important because if OpenDNS is not updated with the new IP address, the filtering will no longer work.

Overall I am giving a high recommendation for OpenDNS at home or work, anywhere you want to filter Internet access. It's great for parents who can't watch their kids all of the time on the Internet but still want some on-line safety. Important to say the best method of protection for kids is basic supervision and not leaving them alone with the computer.

Thursday, July 02, 2009

A bit technical, Microsoft Active Directory and password polices.

For years I worked in a large corporate environment where we have a large range of users. From the very basic who's task was only to enter data or scan documents, to a wide range of computer engineers. In the mix of these users was also a mix of people who has various rights to sensitive data, from payroll information to details of sales forecasting.

So you know that there's so much important information, how do you start securing the data? The first block is your password.

As simple as it sounds, many users don't take this very seriously. You can often find users keeping their passwords on a note on their desk, or even using a simple word for their password. While you can force all of the users with a strong password policy enforced by Group Policy, the problem is this will sometimes have a backwards effect.

Instead of the users making more complex passwords and remembering them, they might be more inclined to make a password to meet the requirements and then write this down on a note. An example of this is a password policy that requires 10 letters, special characters, users could use something simple such as JohnSmith123#, then change this as required to JohnSmith124#, etc.

So now you know the users have a problem with complex passwords, how do you get around this hurdle? There's ways where you can have upper management force password policies but the time and money spent on helping users with complex passwords might not be best for users who have no access or little risk to important data. Now you are considering two password policies on the domain.

With Windows 2003 Active Directory you are only available to apply a password policy to the Default Domain Policy that will take affect on all users in the domain. This is tough because you only want to limit the high risk users such as Administrator.

Introduced in Windows 2008 Active Directory you can now have "sub groups" called Password Settings Object (PSO) which can apply a password policy to a domain group instead of to the entire domain. This is great feature which many admins have battled with in their domain, trying to secure a group of powerful users.

It's a great feature and think this is a valid reason alone to upgrade to Windows 2008.

Wednesday, July 01, 2009

A cheap alternative to Websense

There's sometimes issues where you need to filter or block the Internet access at home, school or in special environments such as a church. There are solutions but many of them cost a subscription fee or their prices are beyond normal affordable prices. What can you do when the client is looking for something that is free or of little cost?

This where you can use a service from OpenDNS, which blocks or allows custom websites depending upon your requirements. The cost of this service is free and open to home user including small businesses, not sure if this is ok for large businesses you will need to check before implementing.

So how does this work? It's simple!

Basically you setup you computer or router and change the DNS address from your ISP to OpenDNS's DNS servers, and From there you create an account on OpenDNS to choose what you would like to filter or not. You can choose various options such as adult content, gambling, or chat sites, even steaming video like YouTube. It's that simple.

In the case you need to open or allow a certain site, or a site that is not included you can manually add sites as needed. It's great for a church Internet computer that you do not want people accessing porn sites, it's also great for a kids computer where you want to block social networking sites for their safety.

I'll report back how well this works out after I try this at home.
Ham radio field day 2009

A fun day in the park with the local radio club. While I didn't make any calls I did help out with the logging of calls to the station. Overall it was pretty fun, listening for that distant station and trying to understand what their call sign was. It's amazing to contact people about 400 miles away on the somewhat simple setup. At night, the distances are further, then you can contact about 1,000 miles away.

I want to get my General class license even more!



Posted by Picasa