Terminal's IT Support, Products & Services Blog


SOPA, Megaupload, and the Cloud - Just How Secure is Your Data?


If you've been watching the news this week, or browsing the web, you're sure to have heard about SOPA and PIPA, two internet regulation laws making their way through Congress.  Their ostensible purpose is to protect copyright holders from piracy, but many experts and corporations have raised strong concerns about SOPA and PIPA and how such laws could impact the internet as we use it today.  Objections to these proposed laws culminated on Wednesday the 18th, with several voluntary black-outs of popular internet sites such as Wikipedia, Wired, Boing Boing, and Reddit.

While the strong protests and unification in the internet community appear to have stopped SOPA and PIPA in their tracks, it wasn't even 24 hours later that the US Government flexed its muscles and showed just how far it can go under current law to do what it claims is protecting copyright.  In an impressively coordinated effort, the US Justice Department, working with local jurisdictions throughout the world, shut down and confiscated $50 million in computer equipment used by the cloud operator Megaupload.  Megaupload, founded in 2005, was one of the earliest shared file hosting sites, allowing users to upload and store data and share that data with other users.  Much like Rapidshare, Dropbox, Amazon Cloud Drive and other file sharing services, Megaupload provided a way for people to easily transfer and back up their data on the internet.

The US Government's claim is that Megaupload was being used to illegally transmit copyrighted material.  Of course, this argument can be made for any cloud storage service, as what is stored is entirely up to the user and cannot be individually verified by the provider.  Legal misgivings aside, the important question for us to ask as users is: what happens to my data if my cloud provider disappears?  In the case of Megaupload, which Terminal did subscribe to and use for transferring company data, it appears that our data is irretrievably lost, with no warning and no recourse.

While the US Government may feel that it is acting in the best interest of its constituents, the looming issue now becomes whether we, as consumers, should be trusting our critical data to any cloud service provider.  Knowing that the government can and will act without warning to disable and destroy any cloud operator means that no matter how redundant or reliable you think your provider may be, your data could still vanish overnight, stuck in a government warehouse and effectively lost in the red tape of months of litigation.

This week marks a dark point in the rapid growth of cloud services.  It will be interesting to see how some of the largest cloud providers react to these events and even more interesting to see how users respond to the realization that their data is not so safe in the cloud after all.

Brian St. Marie - Sr. Systems Engineer


Give Us a Call 617-731-6319 and Ask a Professional IT Support Technician Any Questions You May Have!

Sincerely, Terminal We Serve All of Greater Boston and Cambridge, MA
We hope you have found this information helpful & if so...Please Follow Us on Twitter! or Like Us on Facebook!

Even the US Military Gets Malware


An article yesterday in the Washington Post, "Cyber-intruder sparks massive federal response," details how US military computer networks were infected by malware, dubbed Agent.btz, at some point in 2008.  An interesting read, it shows how differently the government responded to the incident, compared to the typical response in the civilian world.  However, the commonalities are also there, particularly in how the infection began.

As with many outbreaks these days, the infection came from portable media; in this case a USB thumb drive.  A favorite for people who travel and professionally network with others, USB thumb drives provide a simple way to transmit large files easily and quickly.  However, they very often also act as a vector for all types of computer infections.  Once infected, a thumb drive will attempt to infect any computer it comes into contact with, often spreading quickly throughout computer networks.

Infections caused this way are hard to block, as they bypass most of the centralized filters or safeguards which protect the network from the internet.  In the case of the US military, their most critical networks are actually physically separated from the internet ("air-gapped", as they call it).  This is the ultimate firewall and content filtering system, as it completely forbids any communication or transfer of data between the internal network and the public internet.  But even the best security defenses do not protect against human action, as we can clearly see from the military's situation.  At some point, a US military member used a USB thumb drive in a public internet kiosk in Afghanistan and then re-used that same thumb drive on a computer system connected to the most highly classified US military network.  Despite the military policy which forbade this exact scenario, the person clearly decided to act outside the rules.  And so the infection began.

The lesson learned here is that no matter how extensive your network protection and safeguards, ultimately the biggest liability any network will have is its users.  Users have a vested interest in getting their job done and will use whatever tools are at their disposal to do it, even if this means going against a policy which they do not necessarily understand.  While it may be possible to completely lock down a network to the extent that a user can never put it at risk, the entire purpose of the network is to help the user do their job with the most efficiency possible.  This illustrates the age-old challenge in security: risk versus convenience.  No matter how secure you try to make a network, you can never make it completely secure and completely usable.  Striking the balance between risk and convenience is a challenge for every organization and relies heavily on the proper education of its users.  In the case of the military, it would seem their education on security policy is a bit lacking when it comes to the IT world, though that has already begun to change in the aftermath of this incident.  Nonetheless, every organization needs to be aware of the liability of improper security training and take regular action to minimize this threat.

If you need help training your employees to understand the benefit and necessity of computer security policy, or need help developing such a policy in the first place, Contact Us today and we'll be happy to help.

Brian St. Marie - Sr. Systems Engineer



IISReset after importing new SSL certificates for Exchange 2010


I ran into an interesting issue today with Exchange 2010.  I needed to add a few user mailboxes to an Exchange server, but when I tried to open the Exchange Management Console, I was greeted with a rather startling error:

"The WS-Management service cannot process the request. The user load quota of 1000 requests per 2 seconds has been exceeded. Send future requests at a slower rate or raise the quota for this user. The next request from this user will not be approved for at least <large number> milliseconds."

I next tried to fire up the Exchange Management Shell and received the same error.  Worrisome, but I hadn't heard any reports from users about email issues, so I knew it couldn't be anything too severe.

My initial thought, that somehow the server was under attack and being subjected to a large number of requests from a foreign host, proved to be untrue.  A bit of research turned up many different options for possible fixes, including registry modifications, IIS reconfigurations, and PowerShell commands to disable and remove SSL (see http://social.technet.microsoft.com/Forums/en/exchange2010/thread/4d396628-3867-4c95-9541-e0eb021e0135).  One blog even hinted at ADSIEdit.  However, the SSL issue tipped me off, as I had just recently renewed the SSL certificate on this server.  This turned up a very helpful blog entry (http://jasonshave.blogspot.com/2011/01/resolved-ws-management-service-cannot.html) which suggested a simple IIS reset.

I opened a run prompt and ran 'iisreset /noforce', after which everything was back to normal.  Just goes to show that even though an error can seem dire, the solution is often quite simple.  It's always worth looking for the simple solution before getting too complicated and making a situation much worse than it already is.

Brian St. Marie - Sr. Systems Engineer



Configure Exchange with One Certificate for Both Internal and External Connections


Starting with Exchange 2007 and Outlook 2007, client connections to the server are encrypted using SSL technology.  This requires that a valid certificate be installed on the Exchange server, or the Outlook client will warn the user each time they open Outlook.  By default, Exchange installs a self-signed certificate during installation which will be automatically valid for any Outlook clients connecting from computers within the same domain as the server.  However, if you plan to set up remote users with Outlook using RPC over HTTPS (also known as Outlook Anywhere), the users' internet-facing Client Access Server will require an externally valid SSL certificate.  In situations where a company only has one Exchange server handling all roles, this quickly becomes a problem.  Once the externally valid certificate is installed on the Exchange server, all internal clients on Outlook 2007 or later will receive a certificate error each time Outlook is opened.  This is because the Exchange server is presenting itself to the clients with its valid internal network name (e.g. exchange.company.local), while the certificate shows its valid external name (e.g. mail.company.com).  This conflict is the source of the Outlook warning.

The simplest way to circumvent this issue is to purchase a multi-domain certificate, which will be valid for both the external and internal name of the server.  There are two major downsides to this, however.  One is cost: multi-domain certificates are significantly more expensive than standard, single-name certificates.  The second downside is that the certificate will contain the internal name of the server, and the certificate will be available publicly for anyone to see.  This can be a security liability, exposing internal network information to anyone who cares to look.

The better solution is to modify the Exchange server to use *only* the external server name when making connections to clients.  This allows a single name certificate to be used to secure all connections made by the server and ensures the server will only ever refer to itself by this chosen external name.  The steps to accomplish this are somewhat complex, but thankfully, some great people have written Powershell scripts which execute the necessary commands for both Exchange 2007 and Exchange 2010.  Using these scripts automatically changes the name used both internally and externally by all virtual directories as well as the SCP on the server.

Below are copies of the scripts for Exchange 2007 and Exchange 2010.

Brian St. Marie - Sr. Systems Engineer

========================================================

Exchange 2007 - Credit to Exchange Ninjas (http://www.exchangeninjas.com/set-allvdirs)

========================================================

# Script to allow you to set all virtual directories to a common name like mail.company.com

Start-Transcript

# Variables

[string]$UMExtend = '/UnifiedMessaging/Service.asmx'
[string]$OABExtend = '/OAB'
[string]$SCPExtend = '/Autodiscover/Autodiscover.xml'
[string]$EWSExtend = '/EWS/Exchange.asmx'
[string]$ConfirmPrompt = 'Set this Value? (Y/N)'
[string]$NoChangeForeground = 'white'
[string]$NoChangeBackground = 'red'

Write-Host 'This will allow you to set the virtual directories associated with Autodiscover provided services to the name you provide.'
Write-Host ''
[string]$base = Read-Host 'Base name of virtual directory (e.g. mail.company.com)'
Write-Host ''

# =======================================================
# Validate if a third party trusted certificate is being used
# because BITS won't use untrusted certificates (OAB is served over plain HTTP in that case)
[string]$set = Read-Host 'Is the certificate being used an internally generated certificate? (Y/N)'
Write-Host ''

if ($set -eq 'Y') {
    [string]$OABprefix = 'http://'
} else {
    [string]$OABprefix = 'https://'
}

# =======================================================
# Build the Autodiscover URL and set the SCP Value

Write-Host 'Setting Autodiscover Service Connection Point' -ForegroundColor Yellow
Write-Host ''

$SCPURL = 'https://' + $base + $SCPExtend

[array]$SCPCurrent = Get-ClientAccessServer

foreach ($value in $SCPCurrent) {
    Write-Host 'Looking at Server: ' $value.Name
    Write-Host 'Current SCP value: ' $value.AutoDiscoverServiceInternalUri.AbsoluteUri
    Write-Host 'New SCP Value:     ' $SCPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ClientAccessServer -Id $value.Identity -AutoDiscoverServiceInternalUri $SCPURL
    } else {
        Write-Host 'Autodiscover Service Connection Point internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the EWS URL and set the internal and external Values

Write-Host 'Setting Exchange Web Services Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$EWSURL = 'https://' + $base + $EWSExtend

[array]$EWSCurrent = Get-WebServicesVirtualDirectory

foreach ($value in $EWSCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Id $value.Identity -InternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Id $value.Identity -ExternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# ======================================================
# Build the OAB URL and set the internal and external Values

Write-Host 'Setting OAB Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$OABURL = $OABprefix + $base + $OABExtend

[array]$OABCurrent = Get-OABVirtualDirectory

foreach ($value in $OABCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Id $value.Identity -InternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Id $value.Identity -ExternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the UM URL and set the internal and external Values

Write-Host 'Setting UM Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$UMURL = 'https://' + $base + $UMExtend

[array]$UMCurrent = Get-UMVirtualDirectory

foreach ($value in $UMCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Id $value.Identity -InternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Id $value.Identity -ExternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

Stop-Transcript


========================================================

Exchange 2010 - Credit to Barry Martin (http://virtualbarrymartin.me/2009/12/29/how-to-setup-exchange-2010-to-use-a-single-certificate-for-internal-and-external-use/)

========================================================

# Script to allow you to set all virtual directories to a common name like mail.company.com

Start-Transcript

# Variables
[string]$UMExtend = '/UnifiedMessaging/Service.asmx'
[string]$OWAExtend = '/OWA'
[string]$OABExtend = '/OAB'
[string]$SCPExtend = '/Autodiscover/Autodiscover.xml'
[string]$EWSExtend = '/EWS/Exchange.asmx'
[string]$ECPExtend = '/ECP'
[string]$ConfirmPrompt = 'Set this Value? (Y/N)'
[string]$NoChangeForeground = 'white'
[string]$NoChangeBackground = 'red'

Write-Host 'This will allow you to set the virtual directories associated with setting up a single SSL certificate to work with Exchange 2010.'
Write-Host ''
[string]$base = Read-Host 'Base name of virtual directory (e.g. mail.company.com)'
Write-Host ''

# =======================================================
# Validate if a third party trusted certificate is being used
# because BITS won't use untrusted certificates (OAB is served over plain HTTP in that case)
[string]$set = Read-Host 'Is the certificate being used an internally generated certificate? (Y/N)'
Write-Host ''

if ($set -eq 'Y') {
    [string]$OABprefix = 'http://'
} else {
    [string]$OABprefix = 'https://'
}

# =======================================================
# Build the Autodiscover URL and set the SCP Value
Write-Host 'Setting Autodiscover Service Connection Point' -ForegroundColor Yellow
Write-Host ''

$SCPURL = 'https://' + $base + $SCPExtend

[array]$SCPCurrent = Get-ClientAccessServer

foreach ($value in $SCPCurrent) {
    Write-Host 'Looking at Server: ' $value.Name
    Write-Host 'Current SCP value: ' $value.AutoDiscoverServiceInternalUri.AbsoluteUri
    Write-Host 'New SCP Value:     ' $SCPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ClientAccessServer -Id $value.Identity -AutoDiscoverServiceInternalUri $SCPURL
    } else {
        Write-Host 'Autodiscover Service Connection Point internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the EWS URL and set the internal and external Values
Write-Host 'Setting Exchange Web Services Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$EWSURL = 'https://' + $base + $EWSExtend

[array]$EWSCurrent = Get-WebServicesVirtualDirectory

foreach ($value in $EWSCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Id $value.Identity -InternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $EWSURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-WebServicesVirtualDirectory -Id $value.Identity -ExternalUrl $EWSURL
    } else {
        Write-Host 'Exchange Web Services Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# ======================================================
# Build the OAB URL and set the internal and external Values
Write-Host 'Setting OAB Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$OABURL = $OABprefix + $base + $OABExtend

[array]$OABCurrent = Get-OABVirtualDirectory

foreach ($value in $OABCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Id $value.Identity -InternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $OABURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OABVirtualDirectory -Id $value.Identity -ExternalUrl $OABURL
    } else {
        Write-Host 'OAB Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the UM URL and set the internal and external Values
Write-Host 'Setting UM Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$UMURL = 'https://' + $base + $UMExtend

[array]$UMCurrent = Get-UMVirtualDirectory

foreach ($value in $UMCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Id $value.Identity -InternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $UMURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-UMVirtualDirectory -Id $value.Identity -ExternalUrl $UMURL
    } else {
        Write-Host 'UM Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the ECP URL and set the internal and external Values
Write-Host 'Setting ECP Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$ECPURL = 'https://' + $base + $ECPExtend

[array]$ECPCurrent = Get-ECPVirtualDirectory

foreach ($value in $ECPCurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $ECPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ECPVirtualDirectory -Id $value.Identity -InternalUrl $ECPURL
    } else {
        Write-Host 'ECP Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $ECPURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-ECPVirtualDirectory -Id $value.Identity -ExternalUrl $ECPURL
    } else {
        Write-Host 'ECP Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

# =======================================================
# Build the OWA URL and set the internal and external Values
Write-Host 'Setting OWA Virtual Directories' -ForegroundColor Yellow
Write-Host ''

$OWAURL = 'https://' + $base + $OWAExtend

[array]$OWACurrent = Get-OWAVirtualDirectory

foreach ($value in $OWACurrent) {
    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current Internal Value: ' $value.InternalUrl
    Write-Host 'New Internal Value:     ' $OWAURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OWAVirtualDirectory -Id $value.Identity -InternalUrl $OWAURL
    } else {
        Write-Host 'OWA Virtual Directory internal value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }

    Write-Host 'Looking at Server: ' $value.Server
    Write-Host 'Current External Value: ' $value.ExternalUrl
    Write-Host 'New External Value:     ' $OWAURL
    [string]$set = Read-Host $ConfirmPrompt
    Write-Host ''

    if ($set -eq 'Y') {
        Set-OWAVirtualDirectory -Id $value.Identity -ExternalUrl $OWAURL
    } else {
        Write-Host 'OWA Virtual Directory external value NOT changed' -ForegroundColor $NoChangeForeground -BackgroundColor $NoChangeBackground
    }
}

Stop-Transcript
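Once either script has run, the thing to confirm is that every name Exchange now hands to clients is actually on the certificate bound to IIS; a single URL left on the old internal name will keep the Outlook warning alive. The check below is an added example written for this post, not part of either credited script; it assumes the Exchange 2010 Management Shell (PowerShell 2.0 syntax) on the Client Access Server and covers the Autodiscover SCP, the EWS/OAB/OWA/ECP/ActiveSync virtual directories and the Outlook Anywhere host name.

```powershell
# Added check (not from the credited scripts): list every name Exchange
# advertises to clients and flag any the IIS-bound certificate does not cover.
# Assumes the Exchange 2010 Management Shell on the Client Access Server.

# The certificate clients actually see is the one enabled for the IIS service.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for the IIS service on this server.' }
$covered = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# True when $Name is on the certificate, either exactly or via a single-label
# wildcard such as *.company.com (which covers mail.company.com but neither
# company.com nor a.b.company.com).
function Test-NameCovered {
    param([string]$Name)
    $Name = $Name.ToLower()
    foreach ($domain in $covered) {
        if ($domain -eq $Name) { return $true }
        if ($domain.StartsWith('*.') -and ($Name -like $domain) -and
            ($Name.Split('.').Count -eq $domain.Split('.').Count)) { return $true }
    }
    return $false
}

# Collect every URL a client can be handed: the Autodiscover SCP, each virtual
# directory's internal and external URL, and the Outlook Anywhere host name.
$entries = @()
foreach ($cas in Get-ClientAccessServer) {
    $entries += @{ Source = "$($cas.Name) AutoDiscoverServiceInternalUri"; Uri = $cas.AutoDiscoverServiceInternalUri }
}
$vdirs = @(Get-WebServicesVirtualDirectory; Get-OABVirtualDirectory; Get-OwaVirtualDirectory;
           Get-EcpVirtualDirectory; Get-ActiveSyncVirtualDirectory)
foreach ($vdir in $vdirs) {
    $entries += @{ Source = "$($vdir.Identity) InternalUrl"; Uri = $vdir.InternalUrl }
    $entries += @{ Source = "$($vdir.Identity) ExternalUrl"; Uri = $vdir.ExternalUrl }
}
foreach ($oa in Get-OutlookAnywhere) {
    if ($oa.ExternalHostname) {
        $entries += @{ Source = "$($oa.Identity) ExternalHostname"; Uri = [Uri]('https://' + $oa.ExternalHostname) }
    }
}

# Evaluate each entry. An empty URL is legitimate (an external URL that was never
# set); a plain-HTTP URL is what the scripts set for OAB with an internal CA, so
# it is reported but not treated as a certificate mismatch.
$report = foreach ($entry in $entries) {
    $uri = $entry.Uri
    if (-not $uri) { $status = 'not set'; $hostName = '' }
    elseif ($uri.Scheme -ne 'https') { $status = 'not TLS (certificate not checked)'; $hostName = $uri.Host }
    elseif (Test-NameCovered $uri.Host) { $status = 'covered'; $hostName = $uri.Host }
    else { $status = 'NOT ON CERTIFICATE'; $hostName = $uri.Host }
    New-Object PSObject -Property @{ Source = $entry.Source; HostName = $hostName; Status = $status }
}

$report | Sort-Object Status | Format-Table Status, HostName, Source -AutoSize

# Summary line so the check can be re-run after each certificate renewal.
$mismatches = @($report | Where-Object { $_.Status -eq 'NOT ON CERTIFICATE' })
if ($mismatches.Count -gt 0) {
    Write-Warning ("{0} URL(s) name a host the IIS certificate does not cover; Outlook will keep warning until they are changed." -f $mismatches.Count)
}
```

Re-run the check after every certificate renewal as well, since a renewed certificate with a different subject or SAN list produces the same Outlook warning as a wrong virtual directory name.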



Group Policy Preferences Simplify Domain Management


Group Policy has been a standard element of domain management since Windows 2000 Server over a decade ago.  However, Group Policy hasn't always kept up with the changes in desktop operating systems, limiting the amount of control network administrators can maintain over client machines.

That all changed with the introduction of Group Policy Preferences, introduced with Windows 2008 Server.  By using GPP technology, Windows 2008 Server allows much more extensive control of client systems than ever before.  Essentially anything that can be configured through the Control Panel of the client system can now be controlled through a Group Policy Object.  But GPP is not limited to just Control Panel options.  Administrators can now install printers (both local and network), map network drives without using ancient DOS-based batch scripts, modify registry entries, install applications, and control folders and files, all from a simple Group Policy interface.  And best of all, each of these features can be easily targeted to specific users, computers, or groups through a simple-to-use GUI.  Yes, you can now easily control which users are assigned which network drives or printers right from a Group Policy without having to use cumbersome and buggy logon scripts!

Unfortunately, because GPP was introduced with Windows 2008 Server, it does not support clients older than Windows Vista out of the box.  However, there is a small patch available from Microsoft (http://www.microsoft.com/download/en/details.aspx?id=3628) which enables support for GPP on Windows XP SP2 and SP3 machines.  This patch can be easily deployed across a network using any typical patch deployment software platform.  My personal favorite tool for doing this is PDQDeploy (http://www.adminarsenal.com/pdq-deploy/main/), which is an excellent, free utility.

Group Policy Preferences completely revolutionize network administration and management for Windows-based networks.  However, it is still extremely common to see older-style GPOs and custom logon scripts being used at companies of all sizes even today.  This results in unnecessary instability and difficulty in management for many networks.  If you're concerned that your network may not be utilizing the powerful new features of Windows 2008 Server such as GPP, Contact Us today and one of our engineers will be more than happy to review your network infrastructure with you.

Brian St. Marie - Sr. Systems Engineer



Active Directory Password Policies


Oftentimes, users have a hard time adapting to new password policies on their network.  Perhaps they are running an older version of Windows server or don't have a domain at all and use blank passwords or very simple passwords.  Once they move to a Windows 2003 or 2008 network, they find their old passwords are no longer acceptable.  Most times, users adapt and begin using more complex passwords, but sometimes users want to stick with their old password policy or modify the security level provided by the default Windows policy.  Unfortunately, this is not as easy as it may seem.

In a standard Windows 2008 or 2003 domain, the password policy is pre-defined in the Default Domain Policy Group Policy Object.  This policy is reasonably good for most configurations, though circumstances may vary from organization to organization.  Unfortunately, while you can create new GPOs and configure password policy settings in them, they will have no effect.  The only way to change the password policies of the domain is by editing the Default Domain Policy.  In fact, even if you set the Default Domain Policy password options all to "Not Defined", the standard Active Directory defaults will remain; you must define all the values for any changes to take effect.

This has long been a limitation of Active Directory and newer versions of Windows have not adequately provided alternatives.  In particular, some organizations wish to have multiple password policies, defining different restrictions and requirements for different sets of users.  This has never been possible until Windows 2008.

While common sense would lead you to believe you could simply create new GPOs with custom password policies and link them to the appropriate Organizational Units, this does not work, for the reason given above.  Instead, Microsoft created an entirely new mechanism for multiple password policies, known as Fine-Grained Password Policies.  The basic process involves creating a new Active Directory object, a Password Settings Object (PSO), inside the Password Settings Container (PSC) under the domain's System container, and then applying that PSO to users or global security groups.  A PSO cannot be applied to an OU; if you want "everyone in this OU", you create a global group containing those users and apply the PSO to the group.  Each PSO carries a precedence number, and when more than one PSO applies to a user the one with the lowest number wins (a PSO applied directly to the user beats any applied through group membership).  Fine-Grained Password Policies also require the domain functional level to be Windows Server 2008.  The steps are somewhat involved: on Windows Server 2008 the objects are created by hand with ADSIEdit, while Windows Server 2008 R2 adds Active Directory PowerShell cmdlets that do the same job.  Microsoft provides a step-by-step explanation of the ADSIEdit process here: http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx
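As an added example (not part of the original post, and not Microsoft's own walkthrough), here is the same procedure done with the Active Directory module that ships with Windows Server 2008 R2, which avoids hand-editing attributes in ADSIEdit.  The policy names, the "Finance Staff" group, the user "jsmith" and the specific values are assumptions chosen for illustration; the cmdlet names and parameters are the module's own.

```powershell
# Added example: create two Fine-Grained Password Policies with the ActiveDirectory
# module (Windows Server 2008 R2 or later, domain functional level 2008 or later)
# and check which policy a user actually receives.
# Assumed names: PSO-PrivilegedAccounts, PSO-FinanceStaff, group 'Finance Staff', user 'jsmith'.
Import-Module ActiveDirectory

# A stricter policy for privileged accounts. Lower Precedence wins when several
# PSOs apply to the same user, so give the strictest policy the lowest number.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# A policy for a business unit that needs a longer rotation period than the
# Default Domain Policy allows. It still targets users and global security
# groups only; there is no way to point a PSO at an OU.
New-ADFineGrainedPasswordPolicy -Name 'PSO-FinanceStaff' -Precedence 50 `
    -MinPasswordLength 10 -PasswordHistoryCount 12 -ComplexityEnabled $true `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 180) `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false `
    -ProtectedFromAccidentalDeletion $true

# Apply each PSO to a global security group ('Domain Admins' is built in,
# 'Finance Staff' is an assumed group you would create yourself).
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-FinanceStaff' -Subjects 'Finance Staff'

# Verify what a given user ends up with. A user in both groups gets
# PSO-PrivilegedAccounts because of its lower precedence number. If no PSO
# applies, nothing is returned and the Default Domain Policy is in force.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith'

# List every PSO and who it is applied to, for the change record.
Get-ADFineGrainedPasswordPolicy -Filter * |
    ForEach-Object {
        $_ | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
        Get-ADFineGrainedPasswordPolicySubject -Identity $_ | Select-Object Name, objectClass
    }
```

Run the verification step for a member of each group and for a user in neither before announcing the change; the resultant-policy cmdlet is the only reliable way to see which settings a particular account is actually subject to once several PSOs exist.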

Brian St. Marie - Sr. Systems Engineer

Encrypted Email - What Is It and Do You Need It?

Encrypted email is a pretty common term these days, but also a loaded term.  People make a lot of assumptions about what it means, but as with many things in IT, things get quite a bit more complex beneath the surface.

Encryption itself is fairly self-explanatory; encryption is the act of scrambling data so only people who are supposed to read it can do so.  Even if someone else gets ahold of that data, it will look like gibberish to them, unless they have the proper key to decrypt it.

So how does this apply to email?  Well, there are several places in email technology where encryption is a very good thing.  Some of them are more straightforward and easier to implement than others, however.  We'll go over each here.

1) Email storage.  The first and most obvious place to encrypt email is in your mailbox.  That is to say, if someone gets onto your computer, can they simply copy your entire mailbox file onto a USB drive and read it later at their leisure?  If the stored mailbox is encrypted, a copied file is unreadable without the key, which is normally unlocked by signing in with your username and password.  Outlook has offered an encryption option for its .pst files for many years, but that option is weak and should not be relied on; the practical protection for a mailbox on a laptop or desktop is full-disk encryption such as BitLocker.  If you use cloud email from a company like Google (Gmail), Rackspace, or Intermedia, the provider may encrypt mailboxes on its storage servers; check the provider's documentation, because this is not universal.  The same applies to a central company server like Microsoft Exchange, where the mailbox database lives on the server in your data center and is protected by whatever disk encryption that server uses.  Keep in mind that storage encryption only protects against someone who steals the disk or copies the file; anyone who can sign in as you, or who administers the server, still sees the mail.

2) Sending email.  Email can also be encrypted in transit, and for good reason; the Massachusetts personal information protection regulation (201 CMR 17.00) is one of many compliance standards that require it.  Every time you send an email, it makes its way across the internet to its intended recipient, passing through any number of routers, switches, and other mail servers along the way.  Unless each hop negotiates TLS (and most server-to-server mail is opportunistic at best: it is encrypted only if both sides happen to support it, and the sending server rarely verifies who it is talking to), your email can be read by anyone who happens to be looking at that point in the chain.  Even when a hop is encrypted, the message sits in the clear on each intermediate mail server.  Yes, you read that right; your email is just like an open letter in the mail that anyone can read as it passes them by.

To ensure that only the person you send the email to can read it, you need to encrypt the message itself, end to end, so that no mail server along the way sees the content.  There are many technologies for this (S/MIME and PGP are the standards, but they require each party to manage certificates or keys), and none of them are as seamless or user-friendly as one might hope.  For instance, one type of product doesn't send the email at all, but sends a notice redirecting the recipient to a web page where they can view your secure message after entering a password.  Others require the person on the other end to know a password to open the encrypted message in their inbox.  Each approach works, but none is as obvious or easy to use as plain email.  Because of that added friction, few companies or individuals use any kind of message encryption, even when they are required to do so by law.
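A quick way to see the hop-by-hop picture described above for real mail is to read the Received: headers of a message you have received (View Source or "Internet headers" in most mail clients) and note which hops recorded a TLS session.  The following is an added example, not code from the original post: a small PowerShell function that does that reading.  The sample headers, host names and addresses are constructed for illustration, and the TLS detection is a heuristic based on how common mail servers write their Received: lines, not a guarantee.

```powershell
# Added example, not part of the original post: report which server-to-server
# hops of a delivered message advertised TLS, based on its Received: headers.
# Sample headers below are constructed; hosts and addresses are not real.

function Get-MailHopTlsReport {
    param([Parameter(Mandatory=$true)][string]$RawHeaders)

    # Unfold continuation lines (RFC 5322: a line starting with whitespace
    # continues the previous header), then keep only the Received: fields.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ' '
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' })

    # Heuristic markers of a TLS session: Postfix/Exim/Gmail write "with ESMTPS"
    # (ESMTPSA = TLS plus an authenticated client), sendmail and Gmail add
    # "version=TLS..."/"cipher=...", Exchange writes "Microsoft SMTP Server (TLS)".
    # A hop that records nothing about TLS is treated as plaintext.
    $tlsPattern = 'with\s+ESMTPSA?\b|\bversion=(TLS|SSL)|\bcipher=|SMTP Server \(TLS'

    $hops = @(foreach ($line in $received) {
        $from = if ($line -match '\bfrom\s+(\S+)') { $Matches[1] } else { '?' }
        $by   = if ($line -match '\bby\s+(\S+)')   { $Matches[1] } else { '?' }
        New-Object PSObject -Property @{
            From = $from
            By   = $by
            Tls  = [bool]($line -match $tlsPattern)
        }
    })

    # Each mail server prepends its own Received: line, so the top one is the
    # last hop. Reverse to show the path in the order the message travelled.
    [array]::Reverse($hops)
    $hops | Select-Object From, By, Tls
}

# Constructed sample: the sender's PC submitted over TLS to its ISP, the ISP
# relayed to a partner's MX in the clear, and the partner delivered to us over TLS.
$sampleHeaders = @'
Received: from mx.partner.example (mx.partner.example [198.51.100.7])
        by mail.terminal.example (Postfix) with ESMTPS id 4F2A1
        for <bob@terminal.example>; Fri, 20 Jan 2012 10:00:03 -0500
Received: from smtp.isp.example (smtp.isp.example [203.0.113.25])
        by mx.partner.example (Postfix) with ESMTP id 77B09
        for <bob@terminal.example>; Fri, 20 Jan 2012 10:00:02 -0500
Received: from alice-pc (dhcp-12.isp.example [203.0.113.12])
        by smtp.isp.example (Postfix) with ESMTPSA id 1C33F
        for <bob@terminal.example>; Fri, 20 Jan 2012 10:00:01 -0500
From: alice@isp.example
To: bob@terminal.example
Subject: Q4 account numbers
'@

$report = Get-MailHopTlsReport -RawHeaders $sampleHeaders
$report | Format-Table -AutoSize

$clearHops = @($report | Where-Object { -not $_.Tls })
if ($clearHops.Count -gt 0) {
    "Plaintext hop(s): " + (($clearHops | ForEach-Object { "$($_.From) -> $($_.By)" }) -join ', ')
}
```

With the sample headers the middle hop (smtp.isp.example to mx.partner.example) is flagged as plaintext.  Two caveats apply to any real message: a hop that shows TLS still leaves the message readable by the administrator of that server, and headers written by servers you do not control can say anything their operators want, so this tells you where the problem is, not that there is none.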

3) Accessing email.  If your email is hosted in the cloud or on a server, you also need to be concerned with how you access it.  If you read your mail through a web page, as with Gmail, each message you compose or read travels between you and that remote server, and if that connection isn't encrypted, anyone sitting between the two endpoints can read your messages.  This is much like the example above about sending email, but it concerns the traffic between you and your server rather than the messages between you and your recipients.  Fortunately, this is a much easier area to encrypt than sending email; most email systems already encrypt access without the end user doing anything differently.  Gmail, for example, uses HTTPS addresses, which protect your session with SSL/TLS, and Outlook likewise encrypts its connection to an Exchange server.  The place this tends to break down is on phones and in POP/IMAP clients, which often accept a plain-text connection if the account was set up without the SSL/TLS option; check that each client is configured to require it.

As you can see, "encrypted email" can mean many different things.  When looking at email solutions for yourself or your company, pay particular attention to what any solution means by encrypted email; you will often find that while it may cover points 1 and 3, it provides no solution for point 2, which is the most critical of the three.  This is of particular concern if your business works with personal information for your customers, such as credit card data, bank account info, social security numbers, or even phone numbers and addresses.  In these cases, you may be *legally required* to encrypt all your email containing any personal information, or face stiff fines and lawsuits.

Don't leave yourself wondering just how secure your email system is; Contact Us today and let a Terminal engineer go through your email system with you and help ensure you are doing everything you can to stay secure and compliant with today’s standards.

Brian St. Marie - Sr. Systems Engineer

Server Redundancy Can Only Go So Far

As a rule, we only recommend servers with redundancy built in.  Typically this means multiple hard drives in a RAID array, but it can also include CPUs, fans, power supplies, network cards, and other components.  The benefit to customers is substantial: if a component fails, rather than having a server which is completely down, you have a single bad component while the rest of the server continues to function as normal.  This can turn a drastic company-wide outage into a mere inconvenience.

For the most part, this works very well.  However, there is a human element to redundancy that cannot be ignored.  When a redundant component fails, some kind of alert is generated, typically an amber or red LED on the server, an audible alarm, an email notification, or some other indication that there is a serious hardware problem.  An alert that nobody sees is no alert at all.

While Terminal offers this type of real-time 24/7 monitoring as part of our MSPlus (link) package, some customers choose to do their own hardware monitoring.  Unfortunately, this sometimes means a critical hardware failure occurs and nobody notices.  The server continues to run, albeit with a failed component, and the customer is often completely unaware that anything is wrong.  It isn't until the second redundant component fails and the server goes down entirely that they realize there is a serious problem.  Of course, this completely defeats the purpose of redundant components in the first place, which is why constant monitoring of all server equipment is critical.  In most cases, having more than one component fail at the same time simply means the server is down.  In the worst case, if one hard drive fails and isn't noticed, and later a second hard drive fails, the server will likely suffer massive data loss; not a situation any company ever wants to be in.  Even when the replacement is prompt, the array runs without protection until the rebuild finishes, which on large drives can take many hours, so the clock starts at the first failure, not the second.
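For customers who do their own monitoring, the minimum is a scheduled check that looks for the failure and tells someone.  The following is an added example (not Terminal's MSPlus tooling or code from the original post) of such a check in PowerShell: it inspects the status of each disk Windows can see and the storage-related errors in the System log, and emails a summary if anything turns up.  The mail server and addresses are assumptions.  One important caveat: a hardware RAID controller presents the array to Windows as a single healthy virtual disk, so a failed member drive will not change Win32_DiskDrive status; on such servers the vendor's management agent (Dell OpenManage, HP Insight, and so on) must be installed so the failure surfaces in the event log or its own alerts, and you should add its event source to the list below.

```powershell
# Added example, not part of the original post: a scheduled check for the
# "first disk failed and nobody noticed" case. Run it from Task Scheduler
# (e.g. hourly) as an account that can read WMI and the System log on the target.
# Mail server, sender and recipient addresses are assumptions.

function Get-DiskHealthProblems {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # 1. Status of every disk the operating system can see. Anything other than
    #    "OK" (for example "Pred Fail", the SMART predictive-failure value) is
    #    worth a human looking at. Note: a hardware RAID virtual disk stays "OK"
    #    while a member drive is dead; see the caveat in the text above.
    foreach ($disk in Get-WmiObject -Class Win32_DiskDrive -ComputerName $ComputerName) {
        if ($disk.Status -ne 'OK') {
            "Disk '$($disk.Model)' ($($disk.DeviceID)) reports status '$($disk.Status)'"
        }
    }

    # 2. Storage-related errors written to the System log in the last 24 hours.
    #    The source list covers the in-box disk stack; add the event source of
    #    your RAID controller's driver or management agent for your hardware.
    $since = (Get-Date).AddHours(-24)
    $entries = @(Get-EventLog -LogName System -EntryType Error -After $since `
                    -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    foreach ($entry in $entries) {
        if ($entry.Source -match '^(disk|ntfs|storport|volmgr)$') {
            $firstLine = ($entry.Message -split "`r?`n")[0]
            "Event $($entry.EventID) from $($entry.Source) at $($entry.TimeGenerated): $firstLine"
        }
    }
}

$problems = @(Get-DiskHealthProblems)
if ($problems.Count -gt 0) {
    # Assumed mail settings; adjust for your environment.
    Send-MailMessage -SmtpServer 'smtp.example.internal' `
        -From 'monitor@example.internal' -To 'alerts@example.internal' `
        -Subject "Storage warning on $env:COMPUTERNAME" -Body ($problems -join "`r`n")
}
else {
    "No storage problems detected on $env:COMPUTERNAME"
}
```

Send the alert to a mailbox that is actually watched, and send it to a second channel if the mail server is on the same hardware: a server that has lost its disks is not a reliable place from which to report that it has lost its disks.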

If you're concerned about how well your servers are being monitored for both hardware failures and software errors, Contact Us today and ask about our MSPlus 24/7 monitoring program.

Brian St. Marie - Sr. Systems Engineer

DNS? Registrar? Web Host?! All I want is a company web page!

Although the Domain Name System is nearly as old as the internet itself, it is still a confusing technology for many businesses.  Understanding all the different hosts and services needed to create a presence on the web can be confusing and overwhelming.

Most people understand that they need to register a name for their business on the web (referred to as a domain name) and host a website, but beyond that, they're unclear on what they might need.  In fact, there are several layers and different hosts who coordinate to make sure everything goes just right.  Just like when buying a cell phone, there are many parts to the equation to ensure everything works as you expect.

The Registrar

The registrar is the place you start; they are the service that officially creates and maintains your chosen domain name (e.g. terminal.com).  Using our cell phone analogy, this is much like choosing your carrier and cell phone plan.  Originally Network Solutions was the only registrar for .com names; since ICANN opened registration to competing registrars in 1999 there have been hundreds, such as GoDaddy, Tucows, Network Solutions itself, and many others.  (Verisign is sometimes listed with them, but today it operates the .com registry that all registrars submit to rather than selling names to businesses directly.)  They all work essentially the same way, though costs can vary quite a bit.  Whichever you choose, the registrar account controls everything beneath it, including which name servers answer for your domain, so guard that login carefully and keep its contact email address current.

The Domain Host

Once you've registered your domain name, you need to host its DNS somewhere.  Going back to our analogy, you need more than just a cell phone plan; you need a phone number as well, so people know how to reach you.  The domain host (more precisely, the DNS host) runs the authoritative name servers for your domain, the ones listed in its NS records at the registrar, and publishes the records that direct anyone trying to reach your services: A records for the web site, MX records for email, and so on, including remote access or corporate VPN endpoints.

The Service Hosts (email, web, etc.)

If the registrar is the cell phone plan in our analogy, and the domain host is the phone number, the service host would be the cell phone itself.  The service hosts are the endpoint that your users are trying to reach.  This can be a web page, or email, or many other business services.  Some companies choose to host these services inside their own offices, while others choose to have other companies host them.  Traditionally, many small and medium businesses have relied on web hosting companies to host their web pages and sometimes their email, as well.  As companies grow in size, they will frequently host their own email and may even host their own web pages.  These days, as cloud computing becomes more popular, companies often host many services with third party service hosts.

While it's entirely possible to choose different companies for each of these categories, many companies offer some or all of these services together.  I often encourage clients to try to stick to as few companies as possible, as it helps keep a handle on recurring costs and creates a central contact point for service-related issues.

It's important to choose wisely, for this very reason; don't be stuck in the situation of not knowing just who to call when something breaks!  If you need help consolidating or making sense of your domain hosting, Contact Us today and a Terminal engineer can help you understand your domain configuration and simplify your management.

Brian St. Marie - Sr. Systems Engineer

Configuring Symantec's Endpoint Protection Manager for Domain Logon

A personal pet peeve of mine is the required authentication to access the Management Console of Symantec's Endpoint Protection suite.  Because the console is not opened very often, yet requires frequent password changes, it is very easy to forget the login information, which delays troubleshooting when it matters most.

I recently discovered that the Management Console can be configured to allow domain logins, which greatly simplifies management of Symantec Endpoint Protection.

Inside the console, browse to the Admin tab.  At the bottom left of the new pane, click the Servers sub-tab.  Select your management server, click Edit Server Properties, and then Directory Servers in the resulting window.  Here you can add external authentication servers for the Symantec software to use.  Click Add and enter the information for your domain controller of choice, along with the name of the account the software should use when connecting to the domain.  Use a dedicated, least-privileged domain account for this connection (it only needs to read the directory), not an administrator's account, since its credentials are stored by the management server, and enable the secure-connection option if your domain controllers accept LDAP over SSL so that the lookups are not sent in the clear.

Once that's complete, you can set any Symantec Endpoint Protection administrator to log into the console through this domain server and account.  Simply browse to the Administrators sub-tab, edit or create an administrator account, and choose Directory Authentication under Authentication.  The Symantec user name does not even need to match the domain user name, because you map the administrator to a specific directory account; the password is then checked against that directory account rather than stored in Symantec.  The advantage is that you never have independent or unmanaged passwords in the Symantec management system: the domain's password policy applies, and disabling a departing administrator's domain account also removes their console access.  Note that rights within the console are still assigned in Symantec itself; the directory only validates the password.  This improves security and manageability, allowing administrators to focus on keeping your network protected.

Brian St. Marie - Sr. Systems Engineer