jeff.sadowski

Everything posted by jeff.sadowski

  1. There are a few programs that need to have an admin logged in at all times. Two that I have are one for the office scanner and one for the phone syncs. I devised a method using TweakUI to automatically log these machines in, and I created scripts in startup that check to see if it is being logged in via console and, if so, lock the screen. Works well, but sometimes I have a tendency to forget, or have a second admin log in and log off. Not too many log into the console since the room is locked and it takes extra effort on mstsc (noted: running it from Run with the option /console), but nonetheless, is there a way to make it harder to log off? Like display a warning message? Does anyone else deal with these kinds of programs? I guess I could have the same script that locks the screen open a message saying please do not log off of this machine. Does anyone else have any better ideas? Thanks.
  2. Insight Manager, Backup Exec, PC monitoring programs, virus protection: all seem to need full domain admin in order to work. They need to be able to push to computers on the network. It really doesn't matter if an individual's computer blows up, so not making them a local admin on the box is pointless; all the important data is on the servers anyways, secured with individual rights. The network is locked from the outside and we just moved to a more secure wireless using WPA2. Security is good and I trust our users. Different apps we sell need admin because of them having to push things to other computers. They need to be tested on our network and the engineers in charge of knowing these apps need admin privileges. I shouldn't have said "my sales people use"; sales people push, engineers use.
  3. What is VundoFix.exe? What license is it under? How can we be guaranteed that it is safe to use and not hijacked itself? Using Linux for so long has made me wary of software licenses and confirming that the file I download has the credentials it is supposed to. (I actually like MS's plan to confirm the place that produced the software.)
  4. Yes, my business's policies are very liberal. I would like to raise the level of security. We have too many users that have network admin accounts because of programs needing too many permissions. There are too many programs that are poorly designed that my sales people use; I can only suggest against it. What can one person do against so many that have such a lack of security?
  5. There was discussion on how to do this using syslinux as well on the syslinux mailing list.
  6. Also, you didn't follow up on how to use Exchange admin to set the out of office?
  7. I don't know passwords; my coworker does. That is why I started this thread: because I do not. All important programs have their own passwords that differ from the user account password. There is plenty of accountability. Backups are accountable, and locked off-site, encrypted and locked up by a separate company. Maybe I didn't make myself clear about my questions: what happens when someone dies or is fired at your company? What procedures are in place to retrieve that person's work? What happens when the security disk gets destroyed; how do you get the info back? Do you not? If not then you're worse off than me. We have 2 people that know important passwords and it's not us system admins; we are in charge of keeping the files intact so that their encryption techniques work. They use proprietary encryption that I recommend against because I don't like being locked into vendors. But they work. They also have the passwords stored in a vault. And we have procedures in place in case of any accident. Not knowing what to do when something goes wrong would totally suck. But I guess that is what keeps me in business. We get called for many such incidents. I have capabilities of recovering most stuff, but some encrypted stuff is next to impossible to get back if you don't have any way of retrieving the password (and highly costly in time; sometimes supercomputers working many years trying to crack it (very costly). I've never done this, just read about it; I'd turn down a customer because I don't have the resources). There are always options; sometimes the options are too costly to use. Many companies go out of business because of poorly implemented security policies.
  8. What maps the home directories? At my work I have startup scripts in Group Policy take care of mapping home directories with variables such as %user%. Open a cmd prompt as some test user accounts and make sure the startup script variables you use are pointing to the right location. I use a script that does the following:

       REM clear any existing mappings first
       net use V: /delete > NUL:
       net use W: /delete > NUL:
       net use X: /delete > NUL:
       net use Y: /delete > NUL:
       net use Z: /delete > NUL:
       REM map the home directory and the shared drives
       net use V: \\<server1>\<directory1>\<folderpath>\%username% /persistent:yes > NUL:
       net use W: \\<server1>\<directory2> /persistent:yes > NUL:
       net use X: \\<server2>\<directory3> /persistent:yes > NUL:
       net use Y: \\<server3>\<directory4> /persistent:yes > NUL:
       net use Z: \\<sambaserver>\%username% /persistent:yes > NUL:
       REM remove and re-add the printer so the client picks up the latest driver
       cscript c:\windows\system32\prnmngr.vbs -d -p \\<printserver>\<printer>
       cscript c:\windows\system32\prnmngr.vbs -ac -p \\<printserver>\<printer>

     Notice with a Linux Samba server you can have a share as a user and only that user can see it. Samba is a pain to set up properly though; if anyone needs help with Samba I'd recommend http://fedoraforum.org. I gave you printer removal and creation as well to guarantee that they have the latest drivers. For some of this you might want to create if statements around it and check a file created by the script that can be date changed, so that the script doesn't have to run it all each time, only if you change the date-changed file.
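An added example, not the poster's script, of the conditional idea at the end of this post: a logon script that maps the drives on every logon but only re-runs the printer removal and install when a marker file on the server differs from the copy cached for the user. All server, share, printer and file names are placeholders.

```batch
@echo off
REM Added example logon script (not the poster's). Drive mappings run every logon;
REM the slow printer step runs only when the server-side marker file changes.
REM All server, share, printer and file names below are placeholders.
setlocal

REM Marker file an admin edits on the server whenever printer drivers change, and the
REM per-user copy that records which marker version this workstation last acted on.
set "MARKER_SRC=\\server1\netlogon\printers.ver"
set "MARKER_LOCAL=%APPDATA%\printers.ver"

REM Clear any stale mappings first so a changed path does not silently keep the old one.
for %%D in (V W X Y Z) do net use %%D: /delete >NUL 2>&1

net use V: \\server1\homes\%USERNAME% /persistent:yes >NUL
net use W: \\server1\shared /persistent:yes >NUL
net use X: \\server2\data /persistent:yes >NUL
net use Y: \\server3\apps /persistent:yes >NUL
net use Z: \\sambaserver\%USERNAME% /persistent:yes >NUL

REM No marker on the server: nothing to decide, leave the printers alone.
if not exist "%MARKER_SRC%" goto :eof

REM fc exits 0 when the two files are identical and non-zero when they differ
REM or when the local copy does not exist yet (first logon on this machine).
fc /b "%MARKER_SRC%" "%MARKER_LOCAL%" >NUL 2>&1
if not errorlevel 1 goto :eof

REM Marker changed (or never seen): reinstall the printer so the latest driver is used.
cscript //nologo %SystemRoot%\system32\prnmngr.vbs -d -p \\printserver\office >NUL
cscript //nologo %SystemRoot%\system32\prnmngr.vbs -ac -p \\printserver\office >NUL

REM Record the marker just acted on; later logons skip the printer step until it changes.
copy /y "%MARKER_SRC%" "%MARKER_LOCAL%" >NUL
endlocal
```

To trigger a reinstall on every workstation, change the contents of the server-side marker file (a date or version string); matching by content rather than timestamp avoids clock differences between clients and the server.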
  9. If the information is there, it's buried deep and I cannot find it. I'm guessing I want "Understanding SMTP Connectors", and I don't see anything on setting the outside-appearing name of the machine. And so that just leads me to believe you need it to be the same DNS name inside as out, leading right back to my issue. Mail should be easy to set up; it is not. I would expect it to be close to the HELO/EHLO, since it is here in the communications that it mentions its name to the other server. I don't see it here. I know it can be set (because currently my old inside mail server was set up by a previous admin and it was displaying differently from its machine name), but I'm wondering where. By default it uses the AD name assigned, thus setting it up on an AD that differs from the DNS outside name becomes complicated. Not to mention you need to create a group policy for all users added to have the outside email address with the domain and not the subdomain.
  10. Other info about keys: PuTTY and WinSCP can use Pageant to allow authentication via key. A key should always have a password, and fingerprints are not good. When you touch anything you leave one, eek. MS fingerprint readers can be fooled with, I think it was, a Jelly Belly with the carved-in fingerprint taken elsewhere on the computer. mmmm jelly bellys :-P
  11. I don't see the option in the Exchange System Manager; if someone knows where it is I'd be glad to know. I use OWA; if I were away I'd use it, but others don't want to even think about work when they are away. If I can find the first option that would solve 80% of the issues. Scripting could probably solve the rest. But some stupid apps need to be done as the user, and time is wasted when the user is away and the app needs things done to it. And about the encrypted email: what library do they use to encrypt the email? I don't trust all forms of encryption; some are too easily breakable and/or not recoverable. Encryption is only good if the intended audience can get access to the data. I don't know about you, but I deal with multiple platforms (and MS stuff breaks too many times and I need another method of recovery), and if the security method is unknown or undocumented then there is no reason to trust it. As long as you can plug the right keys in you should be able to decrypt the data. Makes me curious if you ever thought about a block-level copy of your security key. Do they keep a copy when they issue you one? Who is trusted with issuing them? This is the same as trusting admins with passwords. I see no difference conceptually. If it is just a smartcard it is a simple hard drive. Anyways, does it also automatically encrypt files? That would be nice; you could set up scripts to do so. Microsoft seems to be getting better at program design, but that doesn't make all the other companies that write apps any better. And open methods such as SSL and PGP have gone through much scrutiny and are tested with math and reasoning in their design. I'd never trust a method that relies on obscurity.
  12. Do not rely on authentication to protect your data. Authentication is moot. Seems the government needs a major introduction to security. Unless you encrypt files, any admin can obtain ownership of that file and do what they please with it. This is not a question of ethics. Duh, it is wrong, but can it be done? Yes. Using ethics and laws to protect is trusting in something that is bound to fail. Too many things go unnoticed. Sorry, my data is more important to me. I think someone needs to update HIPAA. I'm pretty sure I remember them requiring you to send encrypted email in HIPAA, and I remember parts of it. I've dealt with it with a few clients. If they use the smart card to establish an encryption of files it becomes better. But you need an admin+supervisor way to retrieve important data if the user dies and the card is lost or destroyed. Again, relying on that the card is never destroyed is placing trust that Murphy will not cross the line drawn in the sand.
  13. Another aspect that bothers me is email address creation. By default Exchange creates email addresses with the username@<internal domain name>.
  14. OK, found it. Thanks, you are right: MS says I should have used a different name according to the link below, but then they mention nothing about the Exchange server and it advertising itself as the internal name. Why is this so often left out in MS documentation? http://technet2.microsoft.com/WindowsServe...3.mspx?mfr=true
  15. That would not fix the Exchange problem. Unless you dig deeper into the Exchange setup, the Exchange machine will introduce itself to the other mail servers as its machine name: <exchange machine name>.<internal Microsoft Domain Name>. There are other places this would need fixing also, and it creates a nightmarish scenario of other changes that need to be done if you want an easy-to-maintain network. Turning off dynamic updates has resulted in a working and error-free Windows network that works as I would expect. I am told mixed things and am looking for documentation from Microsoft on this issue; if you know of any good reads please point me in the right direction.
  16. Ghost is good, but I have a few free solutions that I know of. There are Linux bootable CDs that you can use with any number of tools to copy data bit for bit, and even some tools that know to skip the empty sections. I'll look them up tomorrow during lunch and edit my reply with the links to such disks. I have posted on the Slax site http://slax.org what programs to put on to make a disk that can do a good copy of a Windows partition. Downside to this solution is you have to take the system offline. Good is that you don't need to install any software on the system and you have the bootable CD to recover by copying the system image back.
  17. Wouldn't a better solution be to have roaming profiles? I haven't set this up in a long time, but I think it should be easy enough to find this. It is one of few advantages of having a Windows "Domain". When I have some time I'm thinking of setting some users up with roaming profiles.
  18. Oh, also to mention better security policies. Files of importance should be encrypted using passwords that are kept in safes. And important email should use something like PGP. Remember, otherwise your message is sent clear text across the internet. Anyone that really wants to read your message is going to be able to somehow, some way. Hackers will stop at nothing if they really want something. Maybe you should revisit your security policies and update them. Illegal doesn't stop a criminal, only someone that wishes not to break the law. Locks are to keep an honest man honest. A more devious way would be to use John the Ripper and/or other cracking software, but that blows away my premise: I don't want to know or ever know the user's password.
  19. It would be nice to live in a perfect world, but remember we do not. Anyways, I think I thought of a simpler solution: copy the old files, change the password, and copy the files back. Just make sure you do it when no one else is changing their password. Relying on others is a good way to gain trust, but sometimes you need a backup plan.
  20. As the administrator I get asked if I can set the away message for someone that is on vacation. We have 2 admins and the other guy memorizes most of the passwords. My memory sucks and he doesn't know all of them. I am in the midst of re-devising (I seem to recall someone else mentioning it) a method to do these things (setting away message, logging on as them, ...) without knowing their password. Well, as any admin knows, you could just set the password and login as them and that's that, but then they will need to reset their password and/or you will need to tell them the new password. I have a different way. I suspect that the password is stored in a hash (or remember someone telling me it is) in a registry somewhere; I'm guessing, since the sysvol is the part of Active Directory, that one of the files in there contains this password hash, and I'm betting it can be modified with a tool like the one I use in Linux to set a computer's password called chntpw (it exists for Windows as well; you don't need Linux to use this). Anyways, with this tool I should be able to save the current password hash. Then I can use the regular Windows tools to change the password, and do what I need to as that user. Then when I am done I should be able to use the chntpw tool again to reset the old hash back. I haven't tried this yet and I would try it on a test domain that I can set up on a VMware network, but I was wondering if there wasn't something out there like this already? I think it sounds like an interesting experiment. It will take me a few months, maybe years, before I have the time to experiment with it. But if someone else needs an idea, I present mine ;-) It would be nice to have an "su" in Windows.
  21. Hmmm, so the picture gets my current IP, I see, hmm, and my current browser, hmm, interesting. I'll have to look at my HTML notes. I think I can manage something like that, if not one-up you. I don't have any time at the moment.
  22. Hi, my name is Jeff Sadowski. For my job I am required to know how to make Linux and Windows talk together, and I'm also required to know just about everything on both ends. I love Cygwin tools for Windows and I am pretty good at reading MS errors and figuring out how to fix them. I am the system admin at my company and I started with a dirty Windows network. The log files were cluttered with errors. I fixed the majority of errors the first few days. Now, with a lot of work, I finally have my error logs free of errors except the ones I would expect, like the mail server trying to send to a non-existent address. I learned the art of googling for Windows problems, which I am ashamed to say Microsoft does not make as easy as Linux. Forums are the only way information can be relayed with the best results. I kept wondering why MS didn't have their own forum, but now I found one for them :-) Hopefully we can pull together for ultimate answers.
  23. One suggestion that someone gave me was not to name the Windows domain the same as the DNS domain. That seems to leave other issues. On this domain I have an Exchange server, and Exchange servers like to have the same DNS name inside as outside in order to work correctly. Otherwise the Exchange server would present itself as a name that does not exist on the outside, and if a mail server goes to look up the DNS it would fail, greylisting it. I could go through Exchange and try and fix all these issues, but I already have the domain, and changing a domain is next to impossible without rebuilding the Exchange server, and Exchange 2007 does not make it easy.
  24. Example: let's say I have a domain named "domainname.com", and I have domain controllers "dc1.domainname.com" and "dc2.domainname.com", and a web server outside that has the name "domainname.com". All the domain servers normally place themselves in the DNS with A records for "domainname.com" as well as their names. For now I changed my DNS servers to not receive dynamic updates, and removed the root DNS entries for the domain controllers and added the root entry pointing to the outside web server. Now the DNS logs report errors. A fix for this would be to turn off the dynamic updates on the servers themselves. I can do this; I know how to. My question is, why do domain controllers add themselves to the root of a domain? Could I just turn off the part that adds the domain controller to the root of the DNS and turn back on dynamic updating?
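As an added example (not from the poster or the thread) of the last question in this post: the commands below, run on each Windows Server 2003 domain controller as an administrator, keep dynamic DNS updates on but exclude only the domain-root A record from what Netlogon registers. The Netlogon DnsAvoidRegisterRecords value (also exposed as the Group Policy setting "DC Locator DNS records not registered by the DCs") and the dnscmd/nltest tools are standard Windows ones; the zone name, server name and IP address are placeholders.

```batch
@echo off
REM Added example, not the poster's own procedure: stop this DC from registering the
REM "same as parent" A record (domainname.com -> DC address) while leaving every other
REM dynamic registration on. Run on every DC. Zone, server and address are placeholders.
setlocal
set "ZONE=domainname.com"
set "DNSSERVER=dc1.domainname.com"
set "DC_IP=192.0.2.10"

REM 1. DnsAvoidRegisterRecords lists the DC locator records Netlogon must NOT register.
REM    LdapIpAddress is the mnemonic for the A record at the zone root. (GcIpAddress
REM    would do the same for the gc._msdcs.<forest root> A record; not needed here.)
reg add HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters ^
    /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d LdapIpAddress /f

REM 2. Delete the root record this DC already registered ("@" means the zone root),
REM    so it is gone even before the next registration cycle.
dnscmd %DNSSERVER% /RecordDelete %ZONE% @ A %DC_IP% /f

REM 3. Restart Netlogon so it reads the new exclusion list, then force it to
REM    re-register the remaining records (nltest is in Support Tools on Server 2003).
net stop netlogon
net start netlogon
nltest /dsregdns

REM 4. Verify: only the outside web server's address should come back for the root now,
REM    while the _ldap/_kerberos SRV records and the DC host records stay registered.
nslookup -type=A %ZONE% %DNSSERVER%
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE% %DNSSERVER%
endlocal
```

Before rolling this out to every DC, confirm from a workstation that Group Policy still applies and that \\domainname.com\sysvol still opens, since that path is reached through the domain name.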