<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-4862743471966254483</id><updated>2012-01-28T23:25:30.523-08:00</updated><title type='text'>Computer Knowledge</title><subtitle type='html'>Computer Knowledge and Microsoft Products Help Desk</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>79</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-3674383314555517803</id><published>2009-04-25T01:40:00.001-07:00</published><updated>2009-04-25T01:41:21.850-07:00</updated><title type='text'>Cross-forest Mailbox Moves using the Exchange Management Console</title><content type='html'>Another great feature in the Exchange 2010 Management Console is that you now can do cross-forest mailbox moves using the new “New Move Request” wizard. 
To launch this wizard right-click a User Mailbox in the EMC, then select New Move Request in the context menu as shown in the figure below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfLMibQMYSI/AAAAAAAAAU0/zWiVErJvl8c/s1600-h/image12.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 227px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfLMibQMYSI/AAAAAAAAAU0/zWiVErJvl8c/s320/image12.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328546200936014114" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This brings up the wizard shown next. Here you can specify to which Exchange organization you want to move a mailbox.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SfLMiMAXyRI/AAAAAAAAAUs/4trIjjQckV0/s1600-h/image13.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 278px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SfLMiMAXyRI/AAAAAAAAAUs/4trIjjQckV0/s320/image13.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328546196843120914" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Note&lt;br /&gt;Before you can perform a cross-forest move, you must add the Exchange org in the target forest to the EMC. In addition, you must have the AD account of the source user mailbox migrated/replicated to the target forest using ILM or a similar tool. 
Yes, this doesn’t work like the Move-Mailbox cmdlet did in Exchange 2007, where the AD object would be created if it didn’t already exist.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-3674383314555517803?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/3674383314555517803/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=3674383314555517803&amp;isPopup=true' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3674383314555517803'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3674383314555517803'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/04/cross-forest-mailbox-moves-using.html' title='Cross-forest Mailbox Moves using the Exchange Management Console'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_YHquImSLBBI/SfLMibQMYSI/AAAAAAAAAU0/zWiVErJvl8c/s72-c/image12.png' height='72' width='72'/><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-8023884702797215720</id><published>2009-04-25T01:36:00.001-07:00</published><updated>2009-04-25T01:38:09.537-07:00</updated><title type='text'>Online Mailbox Moves with the Exchange Management Shell</title><content type='html'>A cool improvement revolving around mailbox moves in Exchange 2010 is that 
they are done in so-called online mode by default. That is, the Outlook client won’t be disconnected while a user’s mailbox is being moved. The only end-user impact is that with Outlook 2003/2007, the user is asked to restart Outlook after the mailbox move has been completed.&lt;br /&gt;&lt;br /&gt;There’s still support for the Move-Mailbox cmdlet, but in Exchange 2010 you’re supposed to use the New-MoveRequest and Complete-MoveRequest cmdlets when performing mailbox moves.&lt;br /&gt;&lt;br /&gt;To move one mailbox, enter: New-MoveRequest &lt;alias&gt; -Local -TargetDatabase &lt;DB name&gt;&lt;br /&gt;&lt;br /&gt;Note&lt;br /&gt;It’s not required to specify a target database; if you don’t, one will be picked randomly.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SfLLm8kxGPI/AAAAAAAAAUk/iRl0LGqnRac/s1600-h/image14.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 261px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SfLLm8kxGPI/AAAAAAAAAUk/iRl0LGqnRac/s320/image14.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328545179088525554" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;While mailboxes are moved, you can type Get-MoveRequest &lt;alias&gt; | fl to see the status for the mailbox move.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfLLmhfnzeI/AAAAAAAAAUc/MjijSSdYLJQ/s1600-h/image15.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 262px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfLLmhfnzeI/AAAAAAAAAUc/MjijSSdYLJQ/s320/image15.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328545171819187682" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When the mailbox data has been moved to another mailbox database, you can finish the move using Complete-MoveRequest &lt;alias&gt;. 
Note this is the command that will trigger the warning in the end-user’s Outlook client in regards to the requested restart.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SfLLmmVhqlI/AAAAAAAAAUU/Hq__0bYFHPk/s1600-h/image16.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 59px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SfLLmmVhqlI/AAAAAAAAAUU/Hq__0bYFHPk/s320/image16.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328545173119019602" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-8023884702797215720?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/8023884702797215720/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=8023884702797215720&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8023884702797215720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8023884702797215720'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/04/online-mailbox-moves-with-exchange.html' title='Online Mailbox Moves with the Exchange Management Shell'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_YHquImSLBBI/SfLLm8kxGPI/AAAAAAAAAUk/iRl0LGqnRac/s72-c/image14.png' 
height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2898216436020727182</id><published>2009-04-25T01:31:00.001-07:00</published><updated>2009-04-25T01:33:17.236-07:00</updated><title type='text'>Exchange 2010 Database Availability Groups</title><content type='html'>Because I deal a lot with HA/site resilience in my job as a Technology Architect, one of my favorite features in Exchange 2010 is naturally the new Database Availability Group (DAG) HA/site resilience feature, which replaces CCR/SCR/LCR. Also note that SCC has been deprecated/cut with Exchange 2010.&lt;br /&gt;&lt;br /&gt;DAG builds on the functionality we know from CCR and SCR; that is, it still uses asynchronous log shipping and replay etc.&lt;br /&gt;&lt;br /&gt;An interesting thing about DAGs is that you’re no longer required to form a cluster before you install the MBX server role. The limited cluster features that are used by DAGs (primarily cluster heartbeat and quorum) are configured automatically when adding the first MBX server to the DAG and are thereby more or less invisible to the administrator.&lt;br /&gt;&lt;br /&gt;With DAG you can have up to 16 copies of a Mailbox database. In addition, you can also have other Exchange 2010 server roles such as HT and CAS installed on the MBX server which is a member of a DAG. 
Also, you can have DAG members located on different subnets and in separate AD sites.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SfLKjftlEaI/AAAAAAAAAUM/qUHCnyvyqyM/s1600-h/image17.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 234px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SfLKjftlEaI/AAAAAAAAAUM/qUHCnyvyqyM/s320/image17.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328544020289622434" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfLKjKTNAkI/AAAAAAAAAUE/vuwa5pVulw0/s1600-h/image18.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 234px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfLKjKTNAkI/AAAAAAAAAUE/vuwa5pVulw0/s320/image18.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328544014541849154" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SfLKjCcERwI/AAAAAAAAAT8/xjrsmErWtbg/s1600-h/image19.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 234px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SfLKjCcERwI/AAAAAAAAAT8/xjrsmErWtbg/s320/image19.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328544012431542018" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SfLKi5LPiRI/AAAAAAAAAT0/P5PGzrJgQO0/s1600-h/image20.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 234px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SfLKi5LPiRI/AAAAAAAAAT0/P5PGzrJgQO0/s320/image20.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328544009945057554" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfLKi3tilFI/AAAAAAAAATs/8zHO1_Glc8o/s1600-h/image21.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; 
cursor:hand;width: 320px; height: 162px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfLKi3tilFI/AAAAAAAAATs/8zHO1_Glc8o/s320/image21.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328544009552041042" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;There’s a lot to say about DAG, but I’ll stop here and instead let you know I currently am writing a multi-part article series on this very subject. Look forward to seeing it published here on MSExchange.org in the near future.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-2898216436020727182?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2898216436020727182/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2898216436020727182&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2898216436020727182'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2898216436020727182'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/04/exchange-2010-database-availability.html' title='Exchange 2010 Database Availability Groups'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_YHquImSLBBI/SfLKjftlEaI/AAAAAAAAAUM/qUHCnyvyqyM/s72-c/image17.png' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1822476858547627793</id><published>2009-04-25T01:20:00.000-07:00</published><updated>2009-04-25T01:27:34.868-07:00</updated><title type='text'>Connecting to a remote Exchange 2010 Organization using Remote PowerShell</title><content type='html'>In this blog post I wanted to show you how you can connect to an Exchange 2010 server in a remote organization using Remote PowerShell (Windows PowerShell 2.0) running on a Windows client/server. In this specific example, I’ve installed Windows PowerShell V2 CTP3 and WSMan on a Windows 2008 server.&lt;br /&gt;&lt;br /&gt;The first step is to launch Windows PowerShell. Then we will create a variable storing the credentials for the administrator in the remote Exchange 2010 organization. We do so using the below command:&lt;br /&gt;&lt;br /&gt;$UserCredential = Get-Credential&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfLICG4VgMI/AAAAAAAAASs/bYpIfchM0nQ/s1600-h/image22.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 62px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfLICG4VgMI/AAAAAAAAASs/bYpIfchM0nQ/s320/image22.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328541247664914626" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now enter the credentials of the administrator account from the remote Exchange 2010 organization.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SfLIImYxtxI/AAAAAAAAAS0/Wf98JqT7QDE/s1600-h/image23.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 193px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SfLIImYxtxI/AAAAAAAAAS0/Wf98JqT7QDE/s320/image23.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328541359201695506" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We will now connect to the remote Exchange 2010 organization 
by specifying the name of an Exchange 2010 server in that specific organization. In this particular example we use the following command:&lt;br /&gt;&lt;br /&gt;$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://E2K10EX01/PowerShell/ -Credential $UserCredential&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SfLIRFbeFlI/AAAAAAAAAS8/_AXO27imM1U/s1600-h/image24.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 44px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SfLIRFbeFlI/AAAAAAAAAS8/_AXO27imM1U/s320/image24.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328541504973444690" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Note&lt;br /&gt;In order to connect to the remote Exchange 2010 organization, your local machine must either trust the certificate on the specific Exchange 2010 server you connect to, or you must add the -SessionOption $SkipCertificate parameter to the above command, where $SkipCertificate is a variable holding a session option object that skips the certificate checks. Skipping the checks leaves the server’s identity unverified, so trusting the certificate is the better choice outside a lab.&lt;br /&gt;&lt;br /&gt;We now need to import the server-side PowerShell session which is done with the following command:&lt;br /&gt;&lt;br /&gt;Import-PSSession $Session&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SfLIZJxaPzI/AAAAAAAAATE/SE92iN3db68/s1600-h/image25.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 132px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SfLIZJxaPzI/AAAAAAAAATE/SE92iN3db68/s320/image25.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328541643578162994" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The cmdlets etc. will now be imported to the client-side session. You will probably get a few warnings because some of the cmdlets are already available in the client-side session, 
as can be seen below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SfLIeXiLHjI/AAAAAAAAATM/8JY6Gx9K24U/s1600-h/image26.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 183px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SfLIeXiLHjI/AAAAAAAAATM/8JY6Gx9K24U/s320/image26.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328541733171699250" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now let’s try to issue a command against the remote Exchange organization. In the below figure, I retrieve details for an Exchange 2010 server in the remote Exchange organization.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SfLIlskezgI/AAAAAAAAATU/LeESoqWaNMs/s1600-h/image27.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 282px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SfLIlskezgI/AAAAAAAAATU/LeESoqWaNMs/s320/image27.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328541859077606914" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Let’s try to create an Exchange object and then manipulate it afterwards. 
Below I create a new distribution group and then add a user mailbox to it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SfLIsodIjMI/AAAAAAAAATc/WHAqZnhdyto/s1600-h/image28.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 81px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SfLIsodIjMI/AAAAAAAAATc/WHAqZnhdyto/s320/image28.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328541978232130754" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;We’ll now switch to an Exchange 2010 Management Console in the remote org and verify the distribution group was created properly and that the user mailbox was added to it.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfLI2AtJ51I/AAAAAAAAATk/QBnTFk4YTuc/s1600-h/image29.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfLI2AtJ51I/AAAAAAAAATk/QBnTFk4YTuc/s320/image29.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328542139360601938" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;When finished administering the remote Exchange 2010 organization, you can disconnect the client-side session using:&lt;br /&gt;&lt;br /&gt;Remove-PSSession $Session&lt;br /&gt;&lt;br /&gt;Yes, Windows PowerShell in Exchange 2007 was pretty cool, but it simply rocks in Exchange 2010.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-1822476858547627793?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1822476858547627793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1822476858547627793&amp;isPopup=true' title='0 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1822476858547627793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1822476858547627793'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/04/connecting-to-remote-exchange-2010.html' title='Connecting to a remote Exchange 2010 Organization using Remote PowerShell'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_YHquImSLBBI/SfLICG4VgMI/AAAAAAAAASs/bYpIfchM0nQ/s72-c/image22.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-6201998395344794893</id><published>2009-04-25T00:14:00.000-07:00</published><updated>2009-04-25T00:18:55.583-07:00</updated><title type='text'>Installing E2K7 and E2K10 Management tools on the same machine</title><content type='html'>When the time comes where you need to transition from Exchange 2007 to Exchange 2010, depending on the size of your organization, it can take weeks, months or in some cases even years to complete the transition. During the co-existence period, you would need to manage both Exchange 2007 and Exchange 2010 users, groups, servers and so on. Since some Exchange 2007 objects must be managed using the Exchange 2007 Management Console or Shell and most Exchange 2010 objects must be managed using the Exchange 2010 Management console or Shell, it would be nice if you could just install both management tool versions on the same machine, right? Guess what? 
Yes this is in fact possible.&lt;br /&gt;&lt;br /&gt;Just install the prerequisites for the Exchange 2010 Management tools. Then install the Exchange 2010 Management tools followed by the Exchange 2007 Management tools.&lt;br /&gt;&lt;br /&gt;You can now open the management tools for both versions from the start menu as shown below.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfK4qNA5VGI/AAAAAAAAASM/RLqWP-M8uN4/s1600-h/image30.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 242px; height: 320px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfK4qNA5VGI/AAAAAAAAASM/RLqWP-M8uN4/s320/image30.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328524344320152674" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You can even have the management tools for each version run side by side.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SfK44KgwgII/AAAAAAAAASU/r9W-fo2VjV0/s1600-h/image31.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SfK44KgwgII/AAAAAAAAASU/r9W-fo2VjV0/s320/image31.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328524584166654082" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And since  both Exchange 2007 and 2010 management tools are based on MMC 3.0, you could as well add the respective snap-in for each version to the same MMC console.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SfK5Ejnjr_I/AAAAAAAAASc/UMPpWcuQa2g/s1600-h/image32.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 146px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SfK5Ejnjr_I/AAAAAAAAASc/UMPpWcuQa2g/s320/image32.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328524797064490994" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You can of course also run each version of the Exchange 
Management Shell side by side.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SfK5O5XHiFI/AAAAAAAAASk/k3TiEr_uGNw/s1600-h/image33.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 241px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SfK5O5XHiFI/AAAAAAAAASk/k3TiEr_uGNw/s320/image33.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5328524974699808850" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Pretty cool huh?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-6201998395344794893?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/6201998395344794893/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=6201998395344794893&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6201998395344794893'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6201998395344794893'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/04/installing-e2k7-and-e2k10-management.html' title='Installing E2K7 and E2K10 Management tools on the same machine'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_YHquImSLBBI/SfK4qNA5VGI/AAAAAAAAASM/RLqWP-M8uN4/s72-c/image30.png' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2507588882305881977</id><published>2009-03-01T04:45:00.000-08:00</published><updated>2009-03-01T05:07:23.050-08:00</updated><title type='text'>Customizing Managed Folders in Exchange Server 2007</title><content type='html'>Exchange Server 2007 allows an administrator to manage the default managed folders and also the managed custom folders which are used by the Message Records Management (MRM) feature. My fellow MVP Neil Hobson created an article series about Messaging Records Management and you can check this out at: Exchange 2007 Messaging Records Management (part 1).&lt;br /&gt;&lt;br /&gt;In this article we are going to validate how an Exchange admin is able to improve the end-user experience with some features available in the Managed Folders. By using such features, we can educate the users to use these new resources properly.&lt;br /&gt;&lt;br /&gt;Configuring a personalized display page for Managed Folders&lt;br /&gt;&lt;br /&gt;First of all, let us pick a server with IIS installed. We will then create a virtual directory on this server to host a page that will instruct the users on how to use Managed Folders. This page will be accessed when a user clicks on the “Managed folder” item in their Outlook 2007 client. You can use your current CAS server to host this webpage or any other IIS in your environment. &lt;br /&gt;&lt;br /&gt;Now that we are logged onto the chosen server we can follow these steps:&lt;br /&gt;&lt;br /&gt;1. Open IIS Manager.&lt;br /&gt;2. Expand Web Site.&lt;br /&gt;3. Right click on Default Web Site and click on New and then on Virtual Directory.&lt;br /&gt;4. In the first page of Virtual Directory wizard, click Next.&lt;br /&gt;5. Virtual Directory Alias. Type in ManagedFolderHP and click on Next. 
(Figure 01)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SaqDfjWiJXI/AAAAAAAAARM/mmCEjBe0Fv8/s1600-h/image0021233665190704.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 250px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SaqDfjWiJXI/AAAAAAAAARM/mmCEjBe0Fv8/s320/image0021233665190704.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308199688898487666" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 01&lt;br /&gt;&lt;br /&gt;6. Web Site Content Directory. Choose the local path where all pages related to the Managed Folder HP virtual directory will be kept and click on Next.&lt;br /&gt;7. Virtual Directory Access Permissions. You can leave the default settings and click Next.&lt;br /&gt;8. Final wizard page, click on Finish.&lt;br /&gt;&lt;br /&gt;Note: &lt;br /&gt;If you are using an IIS/CAS Server in NLB, make sure that you copy and update the content of the Managed Folder page on both servers and also that the Exchange configuration that we are going to see next is using the NLB name.&lt;br /&gt;&lt;br /&gt;Now, create a set of pages demonstrating how to use Managed Folders and instruct the users to use this resource step by step. By the way, you can use multiple pages and create a link between them (use pictures and so forth). Before testing the page, let us validate these points: &lt;br /&gt;&lt;br /&gt;- Validate if you can access using http or https. 
If your website is configured to require SSL, you will be able to access it only using SSL unless you check that option.&lt;br /&gt;- Make sure that in the properties of the Virtual Directory, on the Documents tab, the main page that you created is listed.&lt;br /&gt;- Try to access the page that you have just created from any client computer. If you are able to access it, we are ready to go to the Exchange Server 2007 organization configuration.&lt;br /&gt;&lt;br /&gt;As the next step, open the Exchange Management Shell and set the page that we have just tested by configuring the ManagedFolderHomePage attribute, as shown in Figure 02. The following cmdlet can be used:&lt;br /&gt;&lt;br /&gt;Set-OrganizationConfig -ManagedFolderHomePage:http://&lt;servername&gt;/ManagedFolderHP&lt;br /&gt;&lt;br /&gt;You can also run the Get-OrganizationConfig cmdlet afterwards to validate the current organization parameter.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SaqD_9J26UI/AAAAAAAAARU/ZxFZOwukdsM/s1600-h/image0041233665190719.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 191px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SaqD_9J26UI/AAAAAAAAARU/ZxFZOwukdsM/s320/image0041233665190719.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308200245580458306" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 02&lt;br /&gt;&lt;br /&gt;The Exchange Server configuration and website configuration are done; now we have to test the solution on the client side. 
To test it, click on the Managed Folders item under Mailbox, and the page that we have configured appears on the right side, as shown in Figure 03.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SaqE3SN6CWI/AAAAAAAAARc/yNYjpunzi3c/s1600-h/image0061233665190719.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 262px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SaqE3SN6CWI/AAAAAAAAARc/yNYjpunzi3c/s320/image0061233665190719.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308201196127390050" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 03&lt;br /&gt;&lt;br /&gt;If you have clients using Outlook Anywhere, you should consider using a public URL instead of a local one, and also publishing it on your firewall for external access. Besides that, the configured URL must be accessible from both locations: internal and external. In some cases you may have to play with DNS resolution.&lt;br /&gt;&lt;br /&gt;Managing Folder description&lt;br /&gt;&lt;br /&gt;Using Exchange Server 2007 we can configure comments for Managed Default Folders (like Inbox, Calendar, Outbox and so forth) and also Managed Custom Folders (folders created by the Administrator, which are located under Managed Folders in the Outlook client). A comment can be seen in OWA, Outlook 2007 and Outlook 2003 SP2 or later (in Outlook 2003 or higher, the comment does not appear as it does in the newer versions; the user must click on the View menu and then Policy to see the comments).&lt;br /&gt;&lt;br /&gt;To manage comments on a folder you can use either the Exchange Management Console or the Exchange Management Shell. We can follow these steps to manage comments:&lt;br /&gt;&lt;br /&gt;1. Open Exchange Management Console.&lt;br /&gt;2. Expand Organization Configuration.&lt;br /&gt;3. Click on Mailbox.&lt;br /&gt;4. Click on Managed Default Folders or Managed Custom Folders tab. 
In this article we are going to add a comment to the Inbox folder, so let’s click on the Managed Default Folders tab.&lt;br /&gt;5. Double click on Inbox.&lt;br /&gt;6. Inbox Properties. We can enter the comment that will be displayed for all users, and a check box controls whether the user is allowed to minimize this comment (Figure 04).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SaqFhr5gVbI/AAAAAAAAARk/kDh6jK0Qrx8/s1600-h/image0081233665190735.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SaqFhr5gVbI/AAAAAAAAARk/kDh6jK0Qrx8/s320/image0081233665190735.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308201924575647154" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 04&lt;br /&gt;&lt;br /&gt;We can do the same in the Exchange Management Shell using the following syntax:&lt;br /&gt;&lt;br /&gt;Set-ManagedFolder &lt;Folder Name&gt; -Comment:"&lt;Comment&gt;" -MustDisplayCommentEnabled:&lt;$true/$false&gt;&lt;br /&gt;&lt;br /&gt;We can take advantage of the Exchange Management Shell and use the pipeline to retrieve extra information that we cannot get from the Exchange Management Console, such as:&lt;br /&gt;&lt;br /&gt;Getting all the information about a Managed Folder object&lt;br /&gt;Get-ManagedFolder &lt;Folder Name&gt; | FL&lt;br /&gt;Getting all Managed Folders that have a Comment associated&lt;br /&gt;Get-ManagedFolder | where { $_.Comment -ne '' }&lt;br /&gt;Getting all Managed Folders that have Comment &lt;br /&gt;Get-ManagedFolder | where { $_.MustDisplayCommentEnabled -eq 1 }&lt;br /&gt;&lt;br /&gt;Now we can go back to the Outlook client and click on the Inbox item, and the comment created before will show up on the right, as shown in Figure 05.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SaqF7vlyFKI/AAAAAAAAARs/XNp695-mBQ4/s1600-h/image0101233665464094.jpg"&gt;&lt;img style="display:block; 
margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 274px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SaqF7vlyFKI/AAAAAAAAARs/XNp695-mBQ4/s320/image0101233665464094.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308202372243264674" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 05&lt;br /&gt;&lt;br /&gt;The comment configuration is also displayed in an Outlook Web Access session, as shown in Figure 06.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SaqGNnZWR9I/AAAAAAAAAR0/CCBTd7tHVqo/s1600-h/image0121233665464110.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 221px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SaqGNnZWR9I/AAAAAAAAAR0/CCBTd7tHVqo/s320/image0121233665464110.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308202679281272786" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 06&lt;br /&gt;&lt;br /&gt;If you have completed the whole process described above and the folder comment is not showing, you can use the following steps to troubleshoot:&lt;br /&gt;&lt;br /&gt;1. Validate the Managed Default Folders and/or Managed Custom Folders&lt;br /&gt;&lt;br /&gt;Validate which folders you have configured to use comments. In this article we are going to troubleshoot the Inbox folder.&lt;br /&gt;&lt;br /&gt;Validate the Policy&lt;br /&gt;&lt;br /&gt;2. Open Exchange Management Console.&lt;br /&gt;3. Expand Organization Configuration.&lt;br /&gt;4. Click on Mailbox.&lt;br /&gt;5. Click on Managed Folder Mailbox Policies tab.&lt;br /&gt;6. 
Double click on the desired policy and make sure that the folder that we have changed is listed, as shown in Figure 07.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SaqGi444ZvI/AAAAAAAAAR8/lznuGtD1JEY/s1600-h/image0141233665464110.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 290px; height: 320px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SaqGi444ZvI/AAAAAAAAAR8/lznuGtD1JEY/s320/image0141233665464110.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308203044754188018" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 07&lt;br /&gt;&lt;br /&gt;Validate the user configuration&lt;br /&gt;&lt;br /&gt;7. Open Exchange Management Console.&lt;br /&gt;8. Expand Recipient Configuration.&lt;br /&gt;9. Double click on the desired mailbox.&lt;br /&gt;10. Click on Mailbox Settings tab.&lt;br /&gt;11. Select Message Records Management.&lt;br /&gt;12. Click on Properties button.&lt;br /&gt;13. Make sure that Managed folder mailbox policy is checked and that you are using the same policy that we have just seen in the previous step (Figure 08).&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SaqG1AwLV0I/AAAAAAAAASE/78g5FpdxxdY/s1600-h/image0161233665464126.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 204px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SaqG1AwLV0I/AAAAAAAAASE/78g5FpdxxdY/s320/image0161233665464126.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5308203356102809410" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 08&lt;br /&gt;&lt;br /&gt;Force the updates&lt;br /&gt;&lt;br /&gt;14. You can force the update at the server level or the user level; these two cmdlets will do the trick:&lt;br /&gt;Start-ManagedFolderAssistant -Mailbox &lt;Mailbox&gt; &lt;br /&gt;Start-ManagedFolderAssistant -Identity &lt;ServerName&gt;&lt;br /&gt;15. 
Finally, you can go back to the client and the Folder’s comment will be there.&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;&lt;br /&gt;In this article we have seen how to manage Exchange Server 2007 to display information to an end-user using the Folder’s comments. We have also seen how to use a personalized page and utilize it with the Managed Folder features.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2507588882305881977/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2507588882305881977&amp;isPopup=true' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2507588882305881977'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2507588882305881977'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/03/exchange-server-2007-allows.html' title='Customizing Managed Folders in Exchange Server 2007'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_YHquImSLBBI/SaqDfjWiJXI/AAAAAAAAARM/mmCEjBe0Fv8/s72-c/image0021233665190704.jpg' height='72' 
width='72'/><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-7454104736819355583</id><published>2009-02-02T06:02:00.001-08:00</published><updated>2009-02-02T06:07:02.824-08:00</updated><title type='text'>Troubleshooting Logon Problems</title><content type='html'>Logging into a computer is such a routine part of the day that it is easy to not even think about the login process.  Even so, things can and occasionally do go wrong when users log into Windows.  In this article, I will talk about some of the things that can cause logon failures, and show you how to get around those problems.&lt;br /&gt;&lt;br /&gt;Before I Begin&lt;br /&gt;&lt;br /&gt;Before I get started, I just want to quickly mention that in order to provide as much useful information as possible, I am going to avoid talking about the most obvious causes of logon failures.  This article assumes that before you begin the troubleshooting process, you have checked to make sure that the user is entering the correct password, the user's password has not expired, and that there are no basic communications problems between the workstation and the domain controller.&lt;br /&gt;&lt;br /&gt;The System Clock&lt;br /&gt;&lt;br /&gt;It may seem odd, but a workstation's clock can actually be the cause of a logon failure.  If the clock is more than five minutes different from the time on your domain controllers, then the logon will fail.&lt;br /&gt;&lt;br /&gt;In case you are wondering, the reason for this has to do with the Kerberos authentication protocol. At the beginning of the authentication process, the user enters their username and password. The workstation then sends a Kerberos Authentication Server Request to the Key Distribution Server. 
This Kerberos Authentication Server Request contains several different pieces of information, including:&lt;br /&gt;&lt;br /&gt;- The user’s identification &lt;br /&gt;- The name of the service that the user is requesting (in this case it’s the Ticket Getting Service) &lt;br /&gt;- An authenticator that is encrypted with the user’s master key. The user’s master key is derived by encrypting the user’s password using a one-way function.&lt;br /&gt;&lt;br /&gt;When the Key Distribution Server receives the request, it looks up the user’s Active Directory account. It then calculates the user’s master key and uses it to decrypt the authenticator (also known as pre-authentication data). &lt;br /&gt;&lt;br /&gt;When the user’s workstation created the authenticator, it placed a time stamp within the encrypted file. Once the Key Distribution Server decrypts this file, it compares the time stamp to the current time on its own clock. If the time stamp and the current time are within five minutes of each other, then the Kerberos Authentication Server Request is assumed to be valid, and the authentication process continues. If the time stamp and the current time are more than five minutes apart, then Kerberos assumes that the request is a replay of a previously captured packet, and therefore denies the logon request. When this happens, the following message is displayed:&lt;br /&gt;&lt;br /&gt;The system cannot log you on due to the following error: There is a time difference between the client and server.  Please try again or consult your system administrator.&lt;br /&gt;&lt;br /&gt;The solution to the problem is simple; just set the workstation’s clock to match the domain controller’s clock.&lt;br /&gt;&lt;br /&gt;Global Catalog Server Failures&lt;br /&gt;Another major cause of logon problems is a global catalog server failure. A global catalog server is a domain controller that has been configured to act as a global catalog server. 
Global catalog servers contain a searchable representation of every object in every domain of the entire forest.&lt;br /&gt;&lt;br /&gt;When the forest is initially created, the first domain controller that you bring online is automatically configured to act as a global catalog server. The problem is that this server can become a single point of failure, because Windows does not automatically designate any other domain controllers to act as global catalog servers. If the global catalog server fails, then only domain administrators will be able to log into the Active Directory.&lt;br /&gt;&lt;br /&gt;Given the global catalog server’s importance, you should work to prevent global catalog server failures. Fortunately, you can designate any or all of your domain controllers to act as global catalog servers. Keep in mind though that you should only configure all of your domain controllers to act as global catalog servers if your forest consists of a single domain. Having multiple global catalog servers is a good idea even for forests with multiple domains, but figuring out which domain controllers should act as global catalog servers is something of an art form. You can find Microsoft’s recommendations here. &lt;br /&gt;&lt;br /&gt;If your global catalog server has already failed, and nobody can log in, then the best thing that you can do is work to return the global catalog server to a functional state. There is a way of allowing users to log in even though the global catalog server is down, but there are security risks associated with doing so. &lt;br /&gt;&lt;br /&gt;If the Active Directory is running in native mode, then the global catalog server is responsible for checking users’ universal group memberships. If you choose to allow users to log on during the failure, then universal group memberships will not be checked. 
If you have assigned explicit denials to members of certain universal groups, then those denials will not be in effect until the global catalog server is brought back online.&lt;br /&gt;&lt;br /&gt;If you decide that you must allow users to log on, then you will have to edit the registry on each of your domain controllers. Keep in mind that editing the registry is dangerous, and that making a mistake can destroy Windows. I therefore recommend making a full system backup before continuing.&lt;br /&gt;&lt;br /&gt;With that said, open the Registry Editor and navigate through the registry tree to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. Now, create a new DWORD value named IgnoreGCFailures, and set the value to 1. You will have to restart the domain controller after making this change.&lt;br /&gt;&lt;br /&gt;DNS Server Failure&lt;br /&gt;If you suddenly find that none of your users can log into the network, and your domain controllers and global catalog servers seem to be functional, then a DNS server failure might have occurred. The Active Directory is completely dependent on the DNS services. &lt;br /&gt;&lt;br /&gt;The DNS server contains host records for each computer on your network. The computers on your network use these host records to resolve computer names to IP addresses.  If a DNS server failure occurs, then host name resolution will also fail, eventually impacting the logon process.&lt;br /&gt;&lt;br /&gt;There are two things that you need to know about DNS failures in regard to troubleshooting logon problems. First, the logon failures may not happen immediately. The Windows operating system maintains a DNS cache, which includes the results of previous DNS queries. This cache prevents workstations from flooding DNS servers with name resolution requests for the same objects over and over.&lt;br /&gt;&lt;br /&gt;In many cases, workstations will have cached the IP addresses of domain controllers and global catalog servers. 
Even so, items in the DNS cache do eventually expire and will need to be refreshed. You will most likely start noticing logon problems when cached host records begin to expire.&lt;br /&gt;&lt;br /&gt;The other thing that you need to know about DNS server failures is that there are often plenty of other symptoms besides logon failures. Unless machines on your network are configured to use a secondary DNS server in the event that the primary DNS server fails, the entire Active Directory environment will eventually come to a grinding halt. Although there are exceptions, generally speaking, the absence of a DNS server on an Active Directory network basically amounts to a total communications breakdown.&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;Although I have discussed some of the major causes of logon failures on Active Directory networks, an important part of the troubleshooting process is to look at how widespread the problem is. For example, if only a single host on a large network is having logon problems, then you can probably rule out DNS or global catalog failures. If a DNS or a global catalog failure were to blame, then the problem would most likely be much more widespread. 
If the problem is isolated to a single machine, then the problem is most likely related to the machine’s configuration, connectivity, or to the user’s account.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/7454104736819355583/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=7454104736819355583&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7454104736819355583'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7454104736819355583'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/02/troubleshooting-logon-problems_02.html' title='Troubleshooting Logon Problems'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-4670421951651441618</id><published>2009-01-22T21:47:00.000-08:00</published><updated>2009-01-22T21:48:34.626-08:00</updated><title type='text'>Routing Protocols</title><content type='html'>The routed vs. the routing&lt;br /&gt;There has always been a great attraction for me to the networking protocols. I don’t know why I have always been fascinated by them, but they do interest me greatly. A good deal of my time has been spent studying and playing with the protocols contained in the TCP/IP protocol suite. What all those protocols have in common is that they are routed protocols. This begs the question of what routes them? A very good question indeed, and one that a great many books have been written about. &lt;br /&gt;&lt;br /&gt;What I shall cover in this article is a breakdown of what routing protocols are. How they work, and what kinds of routing protocols there are. Things I won’t be covering are the Cisco IOS syntax used when configuring these routing protocols. Quite a few excellent books out there already do an admirable job of doing just that. Instead, as mentioned, I will concentrate on giving you a high level overview of what routing protocols are, the various types, and what it is that they do.&lt;br /&gt;&lt;br /&gt;Onwards and upwards&lt;br /&gt;Well we already know that the packets generated by our computers are comprised of routed protocols. These protocols in turn need to be routed if they are to reach their intended recipients. How does a packet ultimately get to its destination? Well this is accomplished via it being routed by a series of routers, and this is also done primarily via the IP address listed in the IP header. 
With this simplistic explanation in hand we will now take a look at the two categories of routing protocols.&lt;br /&gt;&lt;br /&gt;The routing protocols themselves are broken down into two groups. Those are the IGP and EGP, or Interior Gateway Protocols and Exterior Gateway Protocols. Much as their respective names imply, one group is used internally and the other externally. For example, the IGP series of routing protocols is used on internal networks, and the EGP series of routing protocols is used on the actual Internet itself. What does that all really mean though? Well it means that when you do the initial configuration of your, in all likelihood, Cisco router, you will need to choose what type of routing protocol to install and configure.&lt;br /&gt;&lt;br /&gt;Now is as good a time as any to list the various types of routing protocols for each group. Interior Gateway Protocols comprise the following: &lt;br /&gt;&lt;br /&gt;IGRP: Interior Gateway Routing Protocol &lt;br /&gt;EIGRP: Enhanced Interior Gateway Routing Protocol &lt;br /&gt;OSPF: Open Shortest Path First &lt;br /&gt;RIP: Routing Information Protocol &lt;br /&gt;IS-IS: Intermediate System – Intermediate System &lt;br /&gt;&lt;br /&gt;For Exterior Gateway Protocols there are: &lt;br /&gt;&lt;br /&gt;EGP: Exterior Gateway Protocol &lt;br /&gt;BGP: Border Gateway Protocol&lt;br /&gt;&lt;br /&gt;Interior Gateway Protocols&lt;br /&gt;We can see from the above noted examples of IGP protocols that there are several of them. Are they all used in today’s internal networks? Well I suppose they very well could be, but likely the most common ones used today are OSPF and RIP. With that in hand let’s go over RIP. RIP is what is called a dynamic routing protocol. What that means is that it will automatically figure out routing tables on its own. In other words the system administrator does not have to manually input all the various routes. That would be a serious pain in the butt! 
&lt;br /&gt;&lt;br /&gt;So RIP will automatically compute the routes, as well as secondary routes to be used in case a primary path should fail. If you are thinking that this sounds like “load balancing” you would indeed be correct. Another key piece of information to remember about RIP is that it is a “distance vector” protocol. Seeing as this article is only a high level overview I will say only that “distance vector” involves the method of discovering routes. For more information on this very important topic please click here. Some key points to remember about RIP are that it uses port 520 and uses UDP as its transport protocol. &lt;br /&gt;&lt;br /&gt;OSPF is the other commonly used IGP. A key differentiator between RIP and OSPF is that OSPF is a “link state protocol”. This simply means that it uses a different way to build its routing tables. OSPF enabled routers will advertise metrics which contain the information that the other OSPF enabled routers will use to build their routing tables. It is as simple and as complicated as that. Further reading can be found here. Also, as above, some key points to remember are that OSPF supports multicasting and subnets. Lastly, OSPF uses IP, and not TCP or UDP.&lt;br /&gt;&lt;br /&gt;Exterior Gateway Protocols&lt;br /&gt;Well, we covered the two main IGPs at a very high level, but what about the EGP protocols? Well, let’s indeed take a look at the two better known ones. BGP or Border Gateway Protocol is the routing protocol in use today by the routers which populate the Internet. By that I mean routers that are used by your ISP for example, or what are also called Internet facing routers. These routers form the backbone of the Internet and BGP v4 is what is currently running on them. Much like RIP above, BGP is essentially itself a distance vector protocol or algorithm. One notable fact about BGP is that it uses TCP for its transport protocol and will communicate via port 179. 
In other words, routing tables are exchanged using TCP for transport and done via port 179. With that said about BGP, what is there to know about EGP? Well, realistically not a whole lot as it is not really used anymore. It has been replaced, if you will, by BGP. Should you wish to read more about it please click here. &lt;br /&gt;&lt;br /&gt;Wrapping up&lt;br /&gt;Well, as you can see I was not kidding about the high-level overview of routing protocols. There have literally been thick books written on BGP alone. It really is impossible to cover all about these routing protocols in one article, let alone a book. What this article hopes to convey rather is the diversity within the routing protocols themselves, and the difference between them and the routed protocols. What can you do to learn more about these routing protocols? I have always been a big believer in putting concepts into practice. It is, in my opinion, the only way to really learn and furthermore cement lessons learnt. &lt;br /&gt;&lt;br /&gt;To that end you should, if financially possible, pick up some used Cisco networking gear. They are not all that expensive to buy and will pay dividends in your quest to know more about how traffic is actually routed. Further to buying some networking gear I would advise you to use programs such as Nemesis which will allow you to craft RIP, OSPF, and IGMP packets, amongst others. Being able to craft some routing protocol packets will also let you see how they react to certain stimuli. Packet crafting is how I initially taught myself about TCP/IP, and I would certainly encourage you to do so with these routing protocols. Doing so will force you to learn more about the protocol itself and how it works. Lastly, as mentioned, getting some networking gear really is the key as much of the protocol configurations must be done via this hardware. You will only get so far by actually reading. 
If you really are on a limited budget then you may wish to buy one of many available simulators. &lt;br /&gt;&lt;br /&gt;Well this brings to an end my high-level overview of routing protocols. I hope that this is enough to whet your appetite and push you to further study this critically important area of computer networks. As always I welcome your feedback, and on that note till next time!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-4670421951651441618?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/4670421951651441618/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=4670421951651441618&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4670421951651441618'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4670421951651441618'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/01/routing-protocols.html' title='Routing Protocols'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-4573057235556037060</id><published>2009-01-22T21:35:00.000-08:00</published><updated>2009-01-22T21:40:41.038-08:00</updated><title type='text'>Exchange Server 2007 SPAM filtering features without using Exchange Server 2007 Edge Server</title><content type='html'>Introduction&lt;br /&gt;Many 
Exchange Server administrators know how to use features from Exchange Server 2003 which will not be available by default, if they do not use Exchange Server 2007 Edge Server Role as a message hygiene server in the DMZ. This feature is only available within that role by default but can be enabled on each Exchange Server 2007 running Hub Transport Role. In this article we will have a look at how to enable and configure this feature. &lt;br /&gt;&lt;br /&gt;Activating AntiSpamAgent Feature&lt;br /&gt;Adding this functionality to your Hub Transport servers is a pretty simple process. First, launch the Exchange Management Shell. In the Scripts folder that was created, you will find a PowerShell script to install the Anti-spam agents. After you run this command, you will need to restart your transport service and restart the Exchange Management Console. The script we need to run is called install-AntiSpamAgents.ps1.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SXlXngX-0dI/AAAAAAAAAQ8/5PSOqKxMf5o/s1600-h/image0021231157342184.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 158px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SXlXngX-0dI/AAAAAAAAAQ8/5PSOqKxMf5o/s320/image0021231157342184.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5294359173167763922" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 1: Activating AntiSpamAgent Feature&lt;br /&gt;&lt;br /&gt;After restarting the Exchange Transport Service, we have a new tab in Exchange Management Console available which will look like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SXlXn8eLesI/AAAAAAAAARE/XfJaxH3cWqI/s1600-h/image0041231157342247.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 130px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SXlXn8eLesI/AAAAAAAAARE/XfJaxH3cWqI/s320/image0041231157342247.jpg" 
border="0" alt=""id="BLOGGER_PHOTO_ID_5294359180709952194" /&gt;&lt;/a&gt;&lt;br /&gt;Figure 2: The Anti-Spam Tab of Exchange Management Console&lt;br /&gt;&lt;br /&gt;Note:&lt;br /&gt;&lt;br /&gt;We will now take a closer look into each feature of Anti-Spam:&lt;br /&gt;&lt;br /&gt;Content Filtering&lt;br /&gt;IP Allow List&lt;br /&gt;IP Allow List Providers&lt;br /&gt;IP Block List&lt;br /&gt;IP Block List Providers&lt;br /&gt;Recipient Filtering&lt;br /&gt;Sender Filtering&lt;br /&gt;Sender ID&lt;br /&gt;Sender Reputation&lt;br /&gt;&lt;br /&gt;Content Filtering&lt;br /&gt;The Content Filter agent works with a spam confidence level (SCL) rating. This rating is a number from 0-9 for each message; a high SCL will mean that it is most likely spam. You can configure the agent according to the message ratings to:&lt;br /&gt;&lt;br /&gt;Delete the message&lt;br /&gt;Reject the message&lt;br /&gt;Quarantine the message&lt;br /&gt;&lt;br /&gt;You can also customize this filter using your own custom words and configure exceptions if you wish.&lt;br /&gt;&lt;br /&gt;IP Allow List&lt;br /&gt;With this feature you are able to configure which IP addresses are allowed to successfully connect to your Exchange Server. So, if you have a dedicated mail relay server in your DMZ, you can add its IP addresses so that your server will not accept connections from other servers anymore.&lt;br /&gt;&lt;br /&gt;IP Allow List Providers&lt;br /&gt;In general, you are unable to configure your own “IP Allow Lists” without making mistakes that will lead to problems receiving emails from your customers or any other business partners. Therefore, you should contact a public IP allow list provider which does the work for you. This would mean that you will have more quality in this service and a higher business value.&lt;br /&gt;&lt;br /&gt;IP Block Lists&lt;br /&gt;This feature gives you the possibility to configure IP addresses that are not allowed to connect to your server. 
Contrary to “IP Allow Lists”, this feature provides a black list and not a white one.&lt;br /&gt;&lt;br /&gt;IP Block List Providers&lt;br /&gt;“IP Block List Providers” have been known in the past as “Blacklist Providers” too. Their task is to publish lists of servers / IP addresses that are spamming.&lt;br /&gt;&lt;br /&gt;Recipient Filtering&lt;br /&gt;If you need to block emails to specific internal users or domains, this feature is the one you will need. You can configure this feature and then add the appropriate addresses or SMTP domains to your black list. Another interesting feature is that it allows you to set up the configuration so that you will only accept emails for recipients that are included in your global address list.&lt;br /&gt;&lt;br /&gt;Sender Filtering&lt;br /&gt;If you need to block specific domains or external email addresses, you will have to use this feature. You can configure a black list of sender addresses or domains that you will not accept.&lt;br /&gt;&lt;br /&gt;Sender ID&lt;br /&gt;The Sender ID agent relies on the RECEIVED Simple Mail Transfer Protocol (SMTP) header and a query to the sending system's domain name system (DNS) service to determine what action, if any, to take on an inbound message. This feature is relatively new and relies on a specific DNS setting. &lt;br /&gt;&lt;br /&gt;Sender ID is intended to combat the impersonation of sender and domain, also called spoofing. A spoofed mail is an e-mail message that has a sending address that was modified to appear as if it originates from a sender other than the actual sender of the message. Spoofed mails typically contain a FROM in the header of a message that claims to originate from a dedicated organization. &lt;br /&gt;&lt;br /&gt;The Sender ID evaluation process generates a Sender ID status for each message. The Sender ID status is used to evaluate the SCL rating for that message. 
This status can have one of the following settings:&lt;br /&gt;&lt;br /&gt;Pass - IP address is included in the permitted set.&lt;br /&gt;Neutral - Published Sender ID data is explicitly inconclusive.&lt;br /&gt;Soft fail - IP address may be in the not permitted set.&lt;br /&gt;Fail - IP address is in the not permitted set.&lt;br /&gt;None - No published data in DNS.&lt;br /&gt;TempError - A transient error occurred, such as an unavailable DNS server.&lt;br /&gt;PermError - An unrecoverable error occurred, such as a record format error.&lt;br /&gt;&lt;br /&gt;The Sender ID status is added to email metadata and is then converted to a MAPI property. The Junk E-mail filter in Microsoft Office Outlook uses the MAPI property during the generation of the spam confidence level (SCL) value.&lt;br /&gt;&lt;br /&gt;You can configure this feature to act as the following:&lt;br /&gt;&lt;br /&gt;Stamp the status&lt;br /&gt;Reject&lt;br /&gt;Delete&lt;br /&gt;&lt;br /&gt;Sender Reputation&lt;br /&gt;Sender Reputation is a new Exchange Server 2007 anti-spam functionality that is intended to block messages based on many characteristics.&lt;br /&gt;&lt;br /&gt;The calculation of the Sender Reputation Level is based on the following information:&lt;br /&gt;&lt;br /&gt;HELO/EHLO analysis&lt;br /&gt;Reverse DNS lookup&lt;br /&gt;Analysis of SCL &lt;br /&gt;Sender open proxy test&lt;br /&gt;&lt;br /&gt;Sender reputation weighs each of these statistics and calculates an SRL for each sender. The SRL is a number between 0 and 9. You can then configure what to do with the message in one of the following ways:&lt;br /&gt;&lt;br /&gt;Reject&lt;br /&gt;Delete and archive&lt;br /&gt;Accept and mark as blocked sender&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;As you have seen in this article, Exchange Server 2007 provides a lot of features to increase anti-spam functionality on each Exchange Server box. 
If you do not use a dedicated Exchange Edge Server, you can add this functionality to Exchange Server 2007 Hub Transport as described above. If you define a configuration for your specific server design, you will not have to add third party software to meet your basic business needs.&lt;br /&gt;&lt;br /&gt;If you decide to have more than the described functions above, you should think of implementing Microsoft ForeFront Security for Exchange Servers.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-4573057235556037060?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/4573057235556037060/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=4573057235556037060&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4573057235556037060'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4573057235556037060'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2009/01/exchange-server-2007-spam-filtering.html' title='Exchange Server 2007 SPAM filtering features without using Exchange Server 2007 Edge Server'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_YHquImSLBBI/SXlXngX-0dI/AAAAAAAAAQ8/5PSOqKxMf5o/s72-c/image0021231157342184.jpg' height='72' 
width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-7363170091736496482</id><published>2008-12-25T22:18:00.001-08:00</published><updated>2008-12-25T22:23:46.138-08:00</updated><title type='text'>Implementing Captcha Validation with OWA 2007 and Forms-Based Authentication</title><content type='html'>A while back, I wrote an article describing how to add a CAPTCHA image and text input field to the Outlook Web Access 2003 Forms-based Authentication logon form.  Now that Exchange 2007 is established in the marketplace, I have received a number of requests for an updated article describing how to do the same for Exchange 2007.  While the procedure is mostly similar to the OWA 2003 version, there are several important differences in the detail.&lt;br /&gt;&lt;br /&gt;CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. You will no doubt have seen this implemented in various web pages as an image of a visually distorted common word, which must be typed into an input field, thus proving that you are indeed a real person. This has become necessary to prevent the actions of bots, which roam the web looking for opportunities to inject spam into message boards, etc. Shown here in Figure 1 is an example of such an image. The idea is that a human user will recognize the word 'part', whereas a spambot will not.
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SVR3YZ_fHkI/AAAAAAAAAQM/4sWfaeQJfP4/s1600-h/image0011213777228692.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 290px; height: 80px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SVR3YZ_fHkI/AAAAAAAAAQM/4sWfaeQJfP4/s320/image0011213777228692.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5283979523990167106" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 1:  A CAPTCHA image displaying the word 'part'&lt;br /&gt;&lt;br /&gt;OWA Forms-based Authentication is very secure by itself, of course, since you still need to supply valid credentials to log in, but there is still a significant amount of interest in adding CAPTCHA validation to it. Here, I will show how it can be done by modifying Exchange's logon.aspx file. I have chosen to use a freely available CAPTCHA script written by Jonathan Feaster, which is available for download from Archreality . This script uses JavaScript, and unlike some other solutions has the advantage of not requiring a second .aspx page to process the form input; the validation is done by the user's browser before the credentials are sent to the OWA server. Any CAPTCHA scripts which require a second page will not work with FBA, since there is no opportunity to insert anything between the logon page and the OWA GUI.&lt;br /&gt;&lt;br /&gt;Procedure&lt;br /&gt;&lt;br /&gt;First, extract the files to a suitable place on the server. There are two .js files, and a folder named cimg, which contains the word images to be displayed on the logon page. 
Place the entire extracted jcap folder in the C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth folder as shown in figure 2:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SVR3YaOgTYI/AAAAAAAAAQU/yu2XBlSyNJo/s1600-h/image0021213777228692.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 282px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SVR3YaOgTYI/AAAAAAAAAQU/yu2XBlSyNJo/s320/image0021213777228692.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5283979524053159298" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 2: The extracted jcap files in the auth folder&lt;br /&gt;&lt;br /&gt;Next, use Explorer to locate the logon.aspx file that creates the FBA logon page. This is inside the same auth folder that you just placed the jcap folder into. Before doing anything else, make a backup copy of the logon.aspx file. Right-click it, then select Copy, then right-click the folder, and then select Paste. This creates a copy of your logon.aspx file named 'Copy of logon.aspx' . If your modifications are unsuccessful, you will need to revert to this original file to restore FBA functionality.  Now, open the logon.aspx using Notepad. I'm going to insert the image just above the 'Public Computer' radio button, so press F3 and search for the text rdoPblc . 
Assuming that you successfully found the text, insert the following just before the preceding &lt;tr&gt; tag:&lt;br /&gt;&lt;br /&gt;&lt;script type="text/javascript" language="javascript" src="jcap/md5.js"&gt;&lt;/script&gt;&lt;br /&gt;&lt;script type="text/javascript" language="javascript" src="jcap/jcap.js"&gt;&lt;/script&gt;&lt;br /&gt;&lt;script type="text/javascript" language="javascript"&gt;&lt;br /&gt;// Set the form target only when the CAPTCHA check passes&lt;br /&gt;function doJcap()&lt;br /&gt;{&lt;br /&gt;if (jcap() == true)&lt;br /&gt;{document.forms[0].action = "owaauth.dll"; return true;}&lt;br /&gt;else&lt;br /&gt;return false;&lt;br /&gt;}&lt;br /&gt;&lt;/script&gt;&lt;br /&gt;&lt;tr&gt;&lt;td colspan="2" align="center"&gt;&lt;br /&gt;&lt;br /&gt;Enter the code as it is shown below&lt;br /&gt;&lt;br /&gt;&lt;script language="JavaScript"&gt;sjcap();&lt;/script&gt;&lt;br /&gt;&lt;noscript&gt;This resource requires a JavaScript enabled browser&lt;/noscript&gt;&lt;br /&gt;&lt;/td&gt;&lt;/tr&gt;&lt;br /&gt;&lt;br /&gt;The result should look something like figure 3:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SVR3Yjqkh0I/AAAAAAAAAQc/Yh2ZLVc6F_s/s1600-h/image0031213779890020.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 185px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SVR3Yjqkh0I/AAAAAAAAAQc/Yh2ZLVc6F_s/s320/image0031213779890020.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5283979526586795842" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 3: The amended contents of logon.aspx in Notepad&lt;br /&gt;&lt;br /&gt;Next, press CTRL-HOME to go back to the top of the file, and then press CTRL-F, and search for the text &lt;form (without a closing angled bracket). 
Assuming that you successfully found the form tag, remove its action attribute and replace it with the following text:&lt;br /&gt;&lt;br /&gt;onsubmit="return doJcap();"&lt;br /&gt;&lt;br /&gt;This part of the page should now look like that shown in figure 4:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SVR3ZCAnIDI/AAAAAAAAAQk/8NMSCop4Vpc/s1600-h/image0041213777256551.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 176px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SVR3ZCAnIDI/AAAAAAAAAQk/8NMSCop4Vpc/s320/image0041213777256551.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5283979534732304434" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 4: The modified &lt;form&gt; tag&lt;br /&gt;&lt;br /&gt;Now save the file back to disk, and close Notepad. All that is required now is a small change to the jcap.js file that was saved in C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa\auth\jcap . Right-click the jcap.js file, and select Edit.  It should open in Notepad. On the line that begins with var imgdir, you need to change the path to point to the current location of the cimg folder. Change it so that the beginning of the line looks like this:&lt;br /&gt;&lt;br /&gt;var imgdir = "/owa/auth/jcap/cimg/";&lt;br /&gt;&lt;br /&gt;The complete line looks like this:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SVR3ZFsW6yI/AAAAAAAAAQs/U0wBaB59-Fo/s1600-h/image0051213777256567.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 195px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SVR3ZFsW6yI/AAAAAAAAAQs/U0wBaB59-Fo/s320/image0051213777256567.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5283979535721098018" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 5:  Defining the path to the image files&lt;br /&gt;&lt;br /&gt;Save the file, and we're finished. 
The next time you open the FBA logon page, it should look something like this (figure 6). Also shown is the alert message displayed if the typed text does not match the distorted text in the image when you click the Log On button.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SVR3qUaL1XI/AAAAAAAAAQ0/yFgl7rqmLWw/s1600-h/image0061213777256567.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 297px; height: 320px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SVR3qUaL1XI/AAAAAAAAAQ0/yFgl7rqmLWw/s320/image0061213777256567.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5283979831729182066" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 6: The modified FBA logon page&lt;br /&gt;&lt;br /&gt;Please remember that due to updates made by Exchange service packs and patches, future versions of the logon.aspx file may be different to the version shown. The basic principles described should, however, remain the same.
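&lt;br /&gt;&lt;br /&gt;Since service packs and patches can replace logon.aspx, it is worth checking after each update that the edits from the procedure above are still in place. The following is an added example, not part of the original article or of jcap: the function names are hypothetical, and the page fragments are constructed samples rather than the real logon.aspx.

```javascript
'use strict';

// LT holds the left angle bracket (U+003C), built from its character code.
const LT = String.fromCharCode(60);

// Image path the article tells you to set in jcap.js.
const EXPECTED_IMGDIR = '/owa/auth/jcap/cimg/';

// Return the first opening form tag in the page text, or null if there is none.
function findFormTag(aspx) {
  const m = new RegExp(LT + 'form\\b[^>]*>', 'i').exec(aspx);
  return m ? m[0] : null;
}

// Read one attribute value (double or single quoted) from a tag string.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')', 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Check logon.aspx text against the edits in the procedure.
// Returns a list of findings; an empty list means every edit was found.
function checkLogonPage(aspx) {
  const findings = [];
  for (const file of ['jcap/md5.js', 'jcap/jcap.js']) {
    const re = new RegExp(
      LT + 'script\\b[^>]*\\ssrc\\s*=\\s*["\']' + file.replace('.', '\\.') + '["\']', 'i');
    if (!re.test(aspx)) findings.push('missing script include: ' + file);
  }
  if (!/function\s+doJcap\s*\(\s*\)/.test(aspx)) {
    findings.push('doJcap() is not defined');
  } else if (!/\.action\s*=\s*["']owaauth\.dll["']/.test(aspx)) {
    findings.push('doJcap() does not set the form action to owaauth.dll');
  }
  if (!/\bsjcap\s*\(\s*\)/.test(aspx)) {
    findings.push('sjcap() call that draws the image is missing');
  }
  const form = findFormTag(aspx);
  if (form === null) {
    findings.push('no form tag found');
    return findings;
  }
  const onsubmit = attr(form, 'onsubmit');
  if (onsubmit === null || !/return\s+doJcap\s*\(\s*\)/.test(onsubmit)) {
    findings.push('form tag lacks onsubmit="return doJcap();"');
  }
  // The procedure removes action so that only doJcap() sets the target.
  if (attr(form, 'action') !== null) {
    findings.push('form tag still has an action attribute');
  }
  return findings;
}

// Check that jcap.js points at the cimg folder under /owa/auth/jcap/.
function checkJcapConfig(js) {
  const m = /^\s*var\s+imgdir\s*=\s*"([^"]*)"/m.exec(js);
  if (!m) return ['jcap.js: no "var imgdir" line found'];
  if (m[1] !== EXPECTED_IMGDIR) {
    return ['jcap.js: imgdir is "' + m[1] + '", expected "' + EXPECTED_IMGDIR + '"'];
  }
  return [];
}

// Constructed sample: a page fragment with every edit applied.
const EDITED_ASPX = [
  LT + 'form method="POST" name="logonForm" onsubmit="return doJcap();">',
  LT + 'script type="text/javascript" language="javascript" src="jcap/md5.js">' + LT + '/script>',
  LT + 'script type="text/javascript" language="javascript" src="jcap/jcap.js">' + LT + '/script>',
  LT + 'script type="text/javascript" language="javascript">',
  'function doJcap() { if (jcap() == true) { document.forms[0].action = "owaauth.dll"; return true; } else return false; }',
  LT + '/script>',
  LT + 'script language="JavaScript">sjcap();' + LT + '/script>',
  LT + 'input id="rdoPblc" type="radio">',
  LT + '/form>',
].join('\n');

// Constructed sample: an unmodified page, as left behind when an update replaces the file.
const STOCK_ASPX = [
  LT + 'form action="owaauth.dll" method="POST" name="logonForm">',
  LT + 'input id="rdoPblc" type="radio">',
  LT + '/form>',
].join('\n');

console.log('edited page findings:', checkLogonPage(EDITED_ASPX));
console.log('stock page findings:', checkLogonPage(STOCK_ASPX));
console.log('jcap.js findings:', checkJcapConfig('var imgdir = "cimg/";'));
```

To use it on a server, pass the contents of logon.aspx and jcap.js from the auth folder to the two check functions instead of the samples.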
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-7363170091736496482?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/7363170091736496482/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=7363170091736496482&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7363170091736496482'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7363170091736496482'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/12/implementing-captcha-validation-with.html' title='Implementing Captcha Validation with OWA 2007 and Forms-Based Authentication'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_YHquImSLBBI/SVR3YZ_fHkI/AAAAAAAAAQM/4sWfaeQJfP4/s72-c/image0011213777228692.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-3102745328956198704</id><published>2008-12-25T22:07:00.000-08:00</published><updated>2008-12-25T22:12:51.401-08:00</updated><title type='text'>Exchange 2007 Availability Services</title><content type='html'>I do not know about you, but when I think of the Client Access Server role in Exchange 2007, I immediately think of Outlook Web Access, Outlook Anywhere, ActiveSync and other non-MAPI forms 
of connectivity to the mailbox server. However, the Client Access Server role is also home to other important services such as the Autodiscover and Availability services. These are vital services in the Exchange 2007 infrastructure and in this article we will be taking an introductory and thus high-level look at the Availability service and what its main role is.&lt;br /&gt;&lt;br /&gt;What is The Availability Service?&lt;br /&gt;&lt;br /&gt;The availability service in Exchange 2007 is largely concerned with how users access the free/busy information of other users. Before we get into the detail of this service, it’s important to review how the free/busy information is stored and accessed in Exchange 2000 and Exchange 2003 so that we can draw comparisons on how the process works in these older versions of Exchange and more importantly what has been improved in Exchange 2007. In these older versions of Exchange, a site folder exists by the name of Schedule+ Free/Busy that is used to store the calendar free/busy information for each user. You can see this folder in Exchange System Manager by viewing the system folders instead of the public folders. Figure 1 shows an example of the Schedule+ Free/Busy system folders as seen in Exchange System Manager.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SVR05j9OL_I/AAAAAAAAAP0/9-oXsmJ__SE/s1600-h/image0011201783463161.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 179px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SVR05j9OL_I/AAAAAAAAAP0/9-oXsmJ__SE/s320/image0011201783463161.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5283976795065823218" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 1: The Schedule+ Free/Busy System Folder&lt;br /&gt;&lt;br /&gt;You’ll note that there are two of these system folders, one per administrative group. 
By default, Outlook periodically publishes the calendar free/busy information into the system folder which then allows other users’ Outlook clients to query the data when booking appointments. On smaller systems this is generally fine, although on larger systems the use of public folders as the free/busy storage medium can pose a few problems. For example, there is always the possibility that free/busy information is out of date due to public folder replication delays, or, in the worst case, the failure of the public folder replication process for whatever reason.  However, the main problem with this approach going forward is the future of public folders in Exchange. Over the last few years, you may have heard or read about Microsoft’s plans to retire public folders from a future version of Exchange and thus a new mechanism is required to handle free/busy requests. That’s where the availability service in Exchange 2007 comes in.&lt;br /&gt;&lt;br /&gt;A Better Free/Busy Method&lt;br /&gt;&lt;br /&gt;The availability service in Exchange 2007 is one of the new Web services. Briefly speaking, the Exchange 2007 Web services allow applications to access mailbox contents via HTTP, so clearly application development is aimed at these services in Exchange 2007. As we will discuss in detail, the free/busy information for a user hosted on Exchange 2007 is now stored directly in the mailbox, so accessing free/busy information can be achieved via the Web services and thus, specifically, the Availability service. As we shall see, this new method relies on Outlook 2007 and Exchange 2007, so things are not always achieved via this new method if Outlook 2003 and Exchange 2003 are still in the mix. Outlook 2007 locates the Availability service via the Autodiscover service. &lt;br /&gt;&lt;br /&gt;This article will not focus specifically on the Autodiscover service as this is a huge topic in itself. 
However, as a brief piece of background information, it is important to understand what the Autodiscover service is if you do not already understand it. Briefly, the Autodiscover service gives Outlook 2007 clients access to specific Exchange 2007 features such as the Availability service as we have already mentioned, plus other common services such as the Offline Address Book (OAB) as well as less common services such as Unified Messaging (UM).  Essentially, Outlook 2007 makes a request to a virtual directory called Autodiscover that is present on a Client Access Server. This Autodiscover service returns to the client many different pieces of information, some of which are URLs for services such as the Availability service.&lt;br /&gt;&lt;br /&gt;Version Issues&lt;br /&gt;&lt;br /&gt;Different access methods for free/busy information retrieval are used in environments that consist of Outlook 2003 and Outlook 2007 as well as Exchange 2003 and Exchange 2007. For example, when Outlook 2007 is used in conjunction with Exchange 2007, the main improvement is the fact that the free/busy information is now obtained directly from the Exchange 2007 target mailbox rather than from the Schedule+ Free/Busy system folder. This is why free/busy information is much more up-to-date than via the traditional public folder method.  Consider Figure 2 below, where an Outlook 2007 user with an Exchange 2007 mailbox requests free/busy information for another Exchange 2007 user. In this case, the connection from Outlook is made to the Availability service running on the Client Access Server which in turn determines which mailbox server hosts the target Exchange 2007 mailbox. 
A Remote Procedure Call (RPC) connection is then made to that mailbox server and the results returned to the Client Access Server before being passed back to the user.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SVR05ksSrZI/AAAAAAAAAP8/CyNiiHR1yqE/s1600-h/Image%252011201783463192.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 113px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SVR05ksSrZI/AAAAAAAAAP8/CyNiiHR1yqE/s320/Image%252011201783463192.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5283976795263249810" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 2: Outlook 2007 User Querying Exchange 2007 Free/Busy Information&lt;br /&gt;&lt;br /&gt;Figure 2 above assumes that the Client Access Server and mailbox server are in the same Active Directory site. What if the free/busy request is made for a user whose mailbox resides on an Exchange 2007 mailbox server in a different Active Directory site? In this case, the Client Access Server in the Active Directory site of the user who originates the request will proxy the request to a Client Access Server located in the Active Directory site of the target user. The results are returned to the original Client Access Server and then ultimately passed back to the originating user.&lt;br /&gt;&lt;br /&gt;There is another important scenario that must be considered. What if a free/busy request was also made to another mailbox at the same time, but that mailbox was still on an Exchange 2003 server? This situation will be very common during any transition from Exchange 2003 to Exchange 2007. In these cases, the free/busy information for the Exchange 2003 user is stored in the Schedule+ Free/Busy system folder as we’ve already seen in this article. 
Therefore, the Availability service has to obtain the relevant information from this folder and it does this by making HTTP requests to the /Public virtual directory on the target Exchange 2003 mailbox server. This process is depicted in Figure 3. Once the information has been retrieved from the Exchange 2007 and Exchange 2003 servers, the Availability service combines the results and returns them to the Outlook 2007 user.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SVR05ia744I/AAAAAAAAAQE/6GlNQzujlxg/s1600-h/Image%252021201783463192.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 183px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SVR05ia744I/AAAAAAAAAQE/6GlNQzujlxg/s320/Image%252021201783463192.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5283976794653582210" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 3: Outlook 2007 User Querying Exchange 2003 and Exchange 2007 Free/Busy Information&lt;br /&gt;&lt;br /&gt;So far we have covered what happens when a user is running Outlook 2007. How about when the user is running Outlook 2003 but connected to an Exchange 2007 mailbox? In this case, it doesn’t matter whether the target mailbox is on Exchange 2003 or Exchange 2007 as the Outlook 2003 client will attempt to retrieve free/busy information from the Schedule+ Free/Busy system folder. The reason for this is simply that Outlook 2003 always expects to publish the free/busy information in this location and therefore has no knowledge of the Availability service. As you can probably guess, this is also the situation for earlier versions of Outlook, such as Outlook 2002 or Outlook 2000.&lt;br /&gt;&lt;br /&gt;Up to this point I’ve only listed Outlook as the client type in use. I should also mention that the principles are the same if you are using Outlook Web Access. 
In other words, if the target mailbox is on Exchange 2007, the Availability service will make an RPC connection to that mailbox server. If the target mailbox is on Exchange 2003, the Availability service will make HTTP calls and retrieve the information from the Schedule+ Free/Busy system folder. &lt;br /&gt;&lt;br /&gt;Summary&lt;br /&gt;&lt;br /&gt;The Availability service in Exchange 2007 is important because it is responsible for obtaining up-to-date free/busy information for users, provided they are running both Outlook 2007 and Exchange 2007. In this article I’ve covered a high-level introduction to the Exchange 2007 Availability service and how it is used to retrieve this free/busy information.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/3102745328956198704/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=3102745328956198704&amp;isPopup=true' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3102745328956198704'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3102745328956198704'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/12/exchange-2007-availability-services.html' title='Exchange 2007 Availability Services'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_YHquImSLBBI/SVR05j9OL_I/AAAAAAAAAP0/9-oXsmJ__SE/s72-c/image0011201783463161.jpg' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-8132276599390297599</id><published>2008-12-20T06:59:00.000-08:00</published><updated>2008-12-20T07:46:50.174-08:00</updated><title type='text'>Installing Exchange 2007 on Windows Server 2008</title><content type='html'>In this article I will cover the installation of Exchange 2007 SP1 on Windows Server 2008. I will lay out which versions of Exchange are supported on which OS version and also which domain controller version they can use. I will detail the supported methods to move from Exchange 2007 on Windows Server 2003 to Exchange 2007 on Windows Server 2008, and finally I will cover the prerequisites needed, before showing the actual install.&lt;br /&gt;&lt;br /&gt;Note:&lt;br /&gt;At this time, neither Windows Server 2008 nor Exchange Server 2007 SP1 has been released to manufacturing. As I am therefore working with beta code, certain elements of what follows (in particular the screenshots) may change before the final version.&lt;br /&gt;&lt;br /&gt;Introduction &lt;br /&gt;It is nearly a year after the release of Exchange 2007 and many of us now have complete Exchange 2007 implementations. I guess that means we are looking for something new to do! If this is the case then you won’t be disappointed, as very soon we will be presented with the new challenge of moving our existing Exchange 2007 systems onto Windows Server 2008. 
&lt;br /&gt;&lt;br /&gt;Table 1 lists the various supported scenarios for Exchange and OS versions.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0IymFkwXI/AAAAAAAAANM/fDLcq-6TN_s/s1600-h/image0001195037207937.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 162px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0IymFkwXI/AAAAAAAAANM/fDLcq-6TN_s/s320/image0001195037207937.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281887603285868914" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Table 1: Exchange/OS versions supported for install&lt;br /&gt;&lt;br /&gt;The first thing to note is that Exchange 2007 RTM is not supported on Windows Server 2008. To install Exchange 2007 on Server 2008 you must run Exchange 2007 SP1. This service pack, as many of you may know, is a little different from previous service packs in that it is a complete installation of Exchange. Effectively SP1 is RTM with the SP1 code slipstreamed into it. Having established that Exchange 2007 SP1 is required to install on Server 2008, what other considerations are there?&lt;br /&gt;&lt;br /&gt;Probably the biggest consideration is Active Directory. 
Table 2 sets out the different Domain Controller versions supported by different versions of Exchange.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SU0JEZhQxTI/AAAAAAAAANU/Ak_1TCz3PnE/s1600-h/image0011195037207937.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 134px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SU0JEZhQxTI/AAAAAAAAANU/Ak_1TCz3PnE/s320/image0011195037207937.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281887909149984050" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Table 2: The Exchange/Domain Controller support matrix&lt;br /&gt;&lt;br /&gt;One new Active Directory feature of Windows Server 2008 which I haven’t mentioned is Read Only Domain Controllers (RODC) (and Global Catalog servers). These are servers which do not hold a writable copy of the AD and also do not hold account passwords. They are most likely to be used in branch office scenarios to prevent security breaches either intentional or accidental. So how do these RODCs affect Exchange? Simply put, Exchange doesn’t use them! When left to automatically associate with a domain controller (or global catalog server) Exchange will ignore the RODC or ROGC. The important thing for administrators to remember is not to manually set Exchange to work with a RODC as things simply will not work correctly.&lt;br /&gt;&lt;br /&gt;One other area that will be welcome to administrators is that with the release of Exchange 2007 SP1, the Exchange Management Console will finally be supported on Windows Vista, and for that matter on Server 2008 as well.&lt;br /&gt;&lt;br /&gt;Before moving on to how we upgrade, I think it is worth clarifying that Exchange 2007 SP1 will not install on Windows Server 2008 Server Core. Server Core, for those who haven’t heard, is a cut down version of Windows Server 2008 which only presents a command line interface. 
It has been stripped down to run various server roles including amongst others Domain Controller, DHCP, DNS, File and Print. However, because a lot of functionality has been stripped out to ensure a small footprint and less need for patching, important components such as the .Net Framework are not present to support Exchange.&lt;br /&gt;&lt;br /&gt;Note:&lt;br /&gt;As I mentioned we are currently working with beta code. It is because of this that the Unified Messaging role does not currently install on Server 2008. This will be rectified before release.&lt;br /&gt;&lt;br /&gt;The upgrade path&lt;br /&gt;So how do you actually get from Exchange 2007 running on Windows Server 2003 to Exchange 2007 SP1 running on Windows Server 2008?&lt;br /&gt;&lt;br /&gt;Unfortunately, although understandably given the massive architecture changes involved, you cannot simply upgrade Exchange 2007 to Exchange 2007 SP1 and then upgrade the OS to Windows Server 2008. This simply breaks Exchange completely!&lt;br /&gt;&lt;br /&gt;Even when you have a clustered mailbox server, you cannot perform a rolling upgrade by upgrading one node of the cluster, failing over, and then upgrading the other node. &lt;br /&gt;&lt;br /&gt;The only way is to perform a migration! In other words you must do a clean install of Windows Server 2008 on a new server and then migrate your data. Mailboxes can be moved using the Move-Mailbox cmdlet and public folder data must be replicated. &lt;br /&gt;&lt;br /&gt;This has caused a fair amount of discontent on various online forums but it is the only way!&lt;br /&gt;&lt;br /&gt;Installation&lt;br /&gt;Having looked at all the background, let’s get started with the installation. The first thing to cover is preparing your Windows Server 2008 machine for Exchange 2007. 
There are a bunch of prerequisites which must be met as listed below:&lt;br /&gt;&lt;br /&gt;.Net Framework v2.0 or 3.0 &lt;br /&gt;PowerShell RTM &lt;br /&gt;MMC 3.0 (installed by default) &lt;br /&gt;IIS 7 (Various components needed by different roles)&lt;br /&gt;For a much more detailed look at the requirements for each Exchange server role see Exchange 2007 System Requirements.&lt;br /&gt;&lt;br /&gt;For now we are going to install an Exchange 2007 SP1 server in a new domain and new organisation. We will install the CAS, HT and Mailbox roles. In order to install the prerequisites we will run the following commands one after the other at a command prompt:&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i RSAT-ADDS&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i PowerShell&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-Server&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-ISAPI-Ext&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-Metabase&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-Lgcy-Mgmt-Console&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-Basic-Auth&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-Digest-Auth&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-Windows-Auth&lt;br /&gt;&lt;br /&gt;ServerManagerCmd -i Web-Dyn-Compression&lt;br /&gt;&lt;br /&gt;After the first command (RSAT-ADDS) you will need to reboot as shown in Figure 1.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SU0JVD9z9WI/AAAAAAAAANc/d7lbQn16dJo/s1600-h/image0021195037207937.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 153px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SU0JVD9z9WI/AAAAAAAAANc/d7lbQn16dJo/s320/image0021195037207937.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281888195421926754" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 1: Installing Active Directory Management Tools and being prompted to reboot&lt;br /&gt;&lt;br /&gt;After the reboot, I used a simple batch file to run the 
other commands in sequence. Part of the output from the commands is shown in Figure 2.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0Jiz4XUGI/AAAAAAAAANk/YZ6foWqbztE/s1600-h/image0041195037207937.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 256px; height: 320px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0Jiz4XUGI/AAAAAAAAANk/YZ6foWqbztE/s320/image0041195037207937.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281888431622279266" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 2: Part of the output from the prerequisite installation&lt;br /&gt;&lt;br /&gt;For more detailed information about the Windows Server 2008 roles/features required for the other Exchange 2007 roles (Edge Transport Server and Unified Messaging Server) see How to Install Exchange 2007 SP1 Prerequisites on Windows Server 2008.&lt;br /&gt;&lt;br /&gt;Having successfully completed the installation of prerequisites, it is time to install Exchange. Start setup and click “Install Microsoft Exchange Server 2007 SP1” as shown in Figure 3.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SU0JtHEId6I/AAAAAAAAANs/-Vu-8t7b71I/s1600-h/image0061195037207937.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 239px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SU0JtHEId6I/AAAAAAAAANs/-Vu-8t7b71I/s320/image0061195037207937.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281888608570603426" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 3: Starting Setup of Exchange Server 2007 SP1&lt;br /&gt;&lt;br /&gt;Next run through the usual setup steps as shown in Figures 4 – 11. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SU0J3nVx0aI/AAAAAAAAAN0/IciH-m6KQI8/s1600-h/image0081195037258141.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SU0J3nVx0aI/AAAAAAAAAN0/IciH-m6KQI8/s320/image0081195037258141.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281888789033243042" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 4: The SP1 Setup introduction screen&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0KBr9UoSI/AAAAAAAAAN8/sETHBYWQ3Cc/s1600-h/image0101195037258141.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0KBr9UoSI/AAAAAAAAAN8/sETHBYWQ3Cc/s320/image0101195037258141.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281888962071535906" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 5: Accepting the license agreement&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SU0KK68ZugI/AAAAAAAAAOE/cNrYSBVt2QU/s1600-h/image0121195037258156.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 279px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SU0KK68ZugI/AAAAAAAAAOE/cNrYSBVt2QU/s320/image0121195037258156.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281889120713030146" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 6: Opting into the Microsoft Error Reporting scheme&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0KTtW0i7I/AAAAAAAAAOM/TnvZll8IrdM/s1600-h/image0141195037291281.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 281px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0KTtW0i7I/AAAAAAAAAOM/TnvZll8IrdM/s320/image0141195037291281.jpg" border="0" 
alt=""id="BLOGGER_PHOTO_ID_5281889271684565938" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 7: Selecting a typical install which installs CAS, HT, Mailbox roles and the management tools&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0KeFliJmI/AAAAAAAAAOU/EJvJLkrwzTw/s1600-h/image0161195037291281.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 279px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0KeFliJmI/AAAAAAAAAOU/EJvJLkrwzTw/s320/image0161195037291281.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281889449987417698" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 8: Setting the new Exchange Organisation name&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SU0KnNRzm7I/AAAAAAAAAOc/wo44svoKRlE/s1600-h/image0181195037291281.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 278px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SU0KnNRzm7I/AAAAAAAAAOc/wo44svoKRlE/s320/image0181195037291281.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281889606670982066" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 9: Opting not to create public folders for legacy clients&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SU0KwIiMzTI/AAAAAAAAAOk/PJ0C9HzRbxo/s1600-h/image0201195037314187.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 278px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SU0KwIiMzTI/AAAAAAAAAOk/PJ0C9HzRbxo/s320/image0201195037314187.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281889760016387378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 10: Exchange Readiness checks in progress&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SU0R4ww2BhI/AAAAAAAAAOs/fRt7GlBgX4k/s1600-h/image0221195037314203.jpg"&gt;&lt;img style="display:block; margin:0px auto 
10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 279px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SU0R4ww2BhI/AAAAAAAAAOs/fRt7GlBgX4k/s320/image0221195037314203.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281897604835575314" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 11: The not for production use warning before install about using a 32 bit version of Exchange 2007&lt;br /&gt;&lt;br /&gt;Having completed the steps in Figures 3-11 installation begins. However, it is at this point that an error occurs as shown in Figure 12. It would appear that for whatever reason, the registry key “HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent” does not exist!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0SDZrRk0I/AAAAAAAAAO0/ezC1Jfk5WMg/s1600-h/image0241195037314203.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 278px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0SDZrRk0I/AAAAAAAAAO0/ezC1Jfk5WMg/s320/image0241195037314203.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281897787616760642" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 12: The registry key doesn’t exist error message&lt;br /&gt;&lt;br /&gt;Note:&lt;br /&gt;It is highly unlikely that this problem will still exist once the products ship.&lt;br /&gt;&lt;br /&gt;To rectify this problem locate the relevant area in the registry and create the required key as shown in Figure 13.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0SNRIhLuI/AAAAAAAAAO8/hoelLgPD2Mk/s1600-h/image0261195037334734.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 122px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0SNRIhLuI/AAAAAAAAAO8/hoelLgPD2Mk/s320/image0261195037334734.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281897957122191074" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 13: The 
newly created registry key&lt;br /&gt;&lt;br /&gt;Having resolved the problem with the registry key you are left with no other option than to exit setup. On doing this you will be prompted to reboot, which you should do. &lt;br /&gt;&lt;br /&gt;When the server is back up, restart setup, which will start in Exchange Maintenance Mode as shown in Figure 14. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SU0SW6C8UAI/AAAAAAAAAPE/UDF5emG2CL8/s1600-h/image0281195037334734.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 279px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SU0SW6C8UAI/AAAAAAAAAPE/UDF5emG2CL8/s320/image0281195037334734.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281898122723479554" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 14: Exchange setup restarting in Maintenance Mode&lt;br /&gt;&lt;br /&gt;At this point, step through the remaining setup screens as shown in Figures 15-17. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0Sgx__rwI/AAAAAAAAAPM/MUpmzLDzMxU/s1600-h/image0301195037334750.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0Sgx__rwI/AAAAAAAAAPM/MUpmzLDzMxU/s320/image0301195037334750.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281898292362325762" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 15: Selecting the relevant roles for installation&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SU0StNexrhI/AAAAAAAAAPU/GEnJTwp2DZs/s1600-h/image0321195037352812.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SU0StNexrhI/AAAAAAAAAPU/GEnJTwp2DZs/s320/image0321195037352812.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281898505897618962" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 16: Again making the choice not to create public folders for legacy clients&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SU0S4jTN_RI/AAAAAAAAAPc/_S8IC0tc8jU/s1600-h/image0341195037352828.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 279px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SU0S4jTN_RI/AAAAAAAAAPc/_S8IC0tc8jU/s320/image0341195037352828.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281898700733283602" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 17: Setup completed!&lt;br /&gt;&lt;br /&gt;Once setup completes you will have a working Exchange 2007 SP1 install on Windows Server 2008 as shown in Figure 18. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SU0TDZzMIuI/AAAAAAAAAPk/KjteoZ6NWio/s1600-h/image0361195037352828.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 182px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SU0TDZzMIuI/AAAAAAAAAPk/KjteoZ6NWio/s320/image0361195037352828.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281898887161586402" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 18: Exchange 2007 SP1 installed on Windows Server 2008&lt;br /&gt;&lt;br /&gt;Before completing this article I thought it might be interesting to show the registry key that we created earlier. As can be seen in Figure 19, it is now populated with various values.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SU0TOD7S8uI/AAAAAAAAAPs/YAIYieBMIa8/s1600-h/image0381195037365281.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 148px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SU0TOD7S8uI/AAAAAAAAAPs/YAIYieBMIa8/s320/image0381195037365281.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281899070268568290" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 19: The values in the registry key created to solve the installation error&lt;br /&gt;&lt;br /&gt;Summary&lt;br /&gt;As you can see from the steps above, the install process to put Exchange 2007 on Windows Server 2008 is basically very simple. At this time there is the odd glitch but there is no doubt these will be ironed out before Release to Manufacturing. 
I feel the only things that have the potential to cause a delay in deployment are the usual worries about deploying a brand new OS and the fact that if you already have Exchange 2007 on Server 2003 you will have to perform a migration, which requires extra hardware.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/8132276599390297599/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=8132276599390297599&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8132276599390297599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8132276599390297599'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/12/installing-exchange-2007-on-windows.html' title='Installing Exchange 2007 on Windows Server 2008'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/_YHquImSLBBI/SU0IymFkwXI/AAAAAAAAANM/fDLcq-6TN_s/s72-c/image0001195037207937.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-362385319427625415</id><published>2008-12-20T06:38:00.000-08:00</published><updated>2008-12-20T06:45:51.784-08:00</updated><title type='text'>Managing Receive Connectors (Part 
2)</title><content type='html'>In the last article we created a Receive Connector to receive mail coming from the Internet, and we also tested it using the telnet utility. &lt;br /&gt;&lt;br /&gt;In order to test a receive connector we need to know the basic SMTP verbs used to send a message in a telnet session. The following commands cover all the basic SMTP verbs required to send a test message using the telnet utility.&lt;br /&gt;&lt;br /&gt;The receive connector that we have just created is listening on port 25 and on a specific IP address. Let’s use the telnet utility to connect to our server:&lt;br /&gt;&lt;br /&gt;telnet &lt;IP&gt; 25&lt;br /&gt;Expected result: 220 &lt;FQDN name&gt; Banner information &lt;br /&gt;Start the SMTP communication.&lt;br /&gt;&lt;br /&gt;EHLO example.org&lt;br /&gt;&lt;br /&gt;Expected result: a list of all SMTP verbs that are accepted by the receive connector. In the first line a hello answer with the IP Address used by the sender will be shown. &lt;br /&gt;Define the sender of the test message.&lt;br /&gt;&lt;br /&gt;Mail from:user@example.org&lt;br /&gt;&lt;br /&gt;Expected result: 250 2.1.0 Sender OK&lt;br /&gt;&lt;br /&gt;Define the recipient of this test message. The SMTP domain used by the recipient must exist in the current organization. &lt;br /&gt;&lt;br /&gt;Rcpt to:user@&lt;your-domain&gt;&lt;br /&gt;&lt;br /&gt;Expected result: 250 2.1.5 Recipient OK&lt;br /&gt;&lt;br /&gt;Start the test message.&lt;br /&gt;&lt;br /&gt;Data &lt;enter&gt;&lt;br /&gt;&lt;br /&gt;Expected result: 354 Start mail input; end with &lt;CRLF&gt;.&lt;CRLF&gt;&lt;br /&gt;&lt;br /&gt;Hit the &lt;enter&gt; key twice and type in the content that will appear in the body of the test message. To finish, type a period “.” on a blank line and hit &lt;Enter&gt;.&lt;br /&gt;&lt;br /&gt;This is a test message. &lt;enter&gt;&lt;br /&gt;&lt;br /&gt;. 
&lt;enter&gt;&lt;br /&gt;&lt;br /&gt;Expected result: 250 2.6.0 &lt;Message ID@ServerName.fqdn&gt; Queued mail for delivery&lt;br /&gt;&lt;br /&gt;Closing the session.&lt;br /&gt;&lt;br /&gt;Quit&lt;br /&gt;&lt;br /&gt;Expected result: 221 2.0.0 Service closing transmission channel&lt;br /&gt;&lt;br /&gt;We can log on to OWA to check if the message was received. The entire process can be seen in Figure 01.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SU0D8h_iJfI/AAAAAAAAAMk/14Gc7s-ND-g/s1600-h/img0021221552307675.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 216px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SU0D8h_iJfI/AAAAAAAAAMk/14Gc7s-ND-g/s320/img0021221552307675.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281882276427343346" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 01&lt;br /&gt;&lt;br /&gt;Knowing this process is important for troubleshooting mail flow and for validating a Receive Connector as well. &lt;br /&gt;&lt;br /&gt;Playing with Receive Connector security features...&lt;br /&gt;&lt;br /&gt;Now that we have just configured a Receive Connector using both the Exchange Management Console and Exchange Management Shell we can start playing with some security configurations for our Receive Connectors. All the security settings that we are going to see here are set on the Receive Connector and must be configured using the Exchange Management Shell. Let’s configure some features in our new Internet Receive Connector, as follows:&lt;br /&gt;&lt;br /&gt;Changing Banner information…&lt;br /&gt;&lt;br /&gt;Some companies do not like the idea of displaying the server name in SMTP connections. 
We can change the banner information used by a Receive Connector using the cmdlet below and the result will be shown in Figure 02.&lt;br /&gt;&lt;br /&gt;Set-ReceiveConnector &lt;connector-name&gt; -Banner "220 Mail Server"&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SU0D82Nx21I/AAAAAAAAAMs/bLzApLsYLRI/s1600-h/img0041221552307690.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 38px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SU0D82Nx21I/AAAAAAAAAMs/bLzApLsYLRI/s320/img0041221552307690.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281882281855802194" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 02&lt;br /&gt;&lt;br /&gt;If you still have Exchange Server 2003/2000 and you want to change this behavior you can use the following Microsoft KB Article: How to change the default connection response that you receive after you connect to the SMTP port in Exchange 2003.&lt;br /&gt;&lt;br /&gt;Specifying a number of errors during a session…&lt;br /&gt;We can control the number of protocol errors in a single session. 
The default value is 5; to set it to 2 we can use the following cmdlet:&lt;br /&gt;&lt;br /&gt;Set-ReceiveConnector &lt;Connector Name&gt; -MaxProtocolErrors 2&lt;br /&gt;&lt;br /&gt;Now if an SMTP Server/user connects and reaches the maximum number of errors defined in the receive connector the following message will be shown (Figure 03):&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SU0D81ty1XI/AAAAAAAAAM0/Sryd3-Xqq8k/s1600-h/img0061221552307690.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 153px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SU0D81ty1XI/AAAAAAAAAM0/Sryd3-Xqq8k/s320/img0061221552307690.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281882281721648498" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 03&lt;br /&gt;&lt;br /&gt;Throttling a Receive Connector…&lt;br /&gt;Receive connectors allow us to restrict inbound traffic to prevent high usage from a given source, preventing an unnecessary overload of the system. Here are the three options that we have:&lt;br /&gt;&lt;br /&gt;MaxInboundConnectionPerSource: Defines the maximum number of connections made to the receive connector at the same time by the same source. The default value of this setting is 100. &lt;br /&gt;MaxInboundConnection: Defines how many connections the receive connector will accept at the same time. The default value of this setting is 5000. &lt;br /&gt;MaxInboundConnectionPercentagePerSource: Based on the MaxInboundConnection value it indicates how many connections the same source can establish with the receive connector. The default value is 2%. 
&lt;br /&gt;To configure the Receive Connector using the new settings that we have just seen, we can run the following cmdlet:&lt;br /&gt;&lt;br /&gt;Set-ReceiveConnector &lt;Connector-Name&gt; -MaxInboundConnection &lt;Number&gt; -MaxInboundConnectionPerSource &lt;Number&gt; -MaxInboundConnectionPercentagePerSource &lt;Number&gt;&lt;br /&gt;&lt;br /&gt;We can also configure time-outs on a receive connector, both for the SMTP communication as a whole and for an inactive connection. To configure the ConnectionTimeout we can run the following cmdlet:&lt;br /&gt;&lt;br /&gt;Set-ReceiveConnector &lt;Connector-Name&gt; -ConnectionTimeout &lt;days.hours:minutes:seconds&gt;&lt;br /&gt;&lt;br /&gt;To disconnect due to inactive time, we can use the cmdlet below:&lt;br /&gt;&lt;br /&gt;Set-ReceiveConnector &lt;Connector-Name&gt; -ConnectionInactivityTimeout &lt;days.hours:minutes:seconds&gt;&lt;br /&gt;&lt;br /&gt;We can also restrict the number of recipients, the rate limit and the maximum message size at connector level. To configure these settings we can use the following parameters:&lt;br /&gt;&lt;br /&gt;MaxRecipientsPerMessage: The maximum number of recipients in a single message; the default value is 200. &lt;br /&gt;MaxMessageSize:  The maximum size of a message; the default value is 10MB. &lt;br /&gt;MessageRateLimit: This specifies the maximum number of messages that can be sent by the same client per minute. &lt;br /&gt;Let’s change our Internet Receive connector to accept a maximum of 100 recipients, a message size of more than 2MB and a rate limit of 200, as follows:&lt;br /&gt;&lt;br /&gt;Set-ReceiveConnector &lt;Connector Name&gt; -MaxRecipientsPerMessage:100 -MaxMessageSize:5MB -MessageRateLimit:200&lt;br /&gt;&lt;br /&gt;The last feature we will cover in this article is the TarpitInterval. In Exchange Server 2003 we have to configure it through the Registry Editor (http://support.microsoft.com/kb/842851). 
In Exchange Server 2007 we can do that using the Exchange Management Shell. The tarpit feature inserts a pre-defined delay in each SMTP response that contains a 5.x.x error code during the SMTP communication between servers. The tarpit feature is only applied to anonymous connections and it should be used with the Recipient Filter Agent and Recipient Lookup features enabled.&lt;br /&gt;&lt;br /&gt;In this article we are using a single Exchange Server 2007 box with all three main roles installed (Mailbox, CAS and Hub Transport) that is receiving messages from the Internet. We also configured the Anti-spam agents on that box (how to configure a single Exchange Server to receive Internet messages and use the anti-spam features is covered in this article: Configuring Mail Flow in a Single Exchange Server 2007). Let’s look at the Recipient Filtering agent and enable the Recipient Lookup feature:&lt;br /&gt;&lt;br /&gt;Open the Exchange Management Console. &lt;br /&gt;Expand Organization Configuration. &lt;br /&gt;Click on Hub Transport. &lt;br /&gt;Click the Anti-Spam Tab. &lt;br /&gt;Double click Recipient Filtering. &lt;br /&gt;Click the Blocked Recipients tab. &lt;br /&gt;Check the first option “Block messages sent to recipients not listed in the Global Address list” (Figure 04). &lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SU0D9JvE87I/AAAAAAAAAM8/JKyMEwUp85Y/s1600-h/img0081221552327300.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 277px; height: 320px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SU0D9JvE87I/AAAAAAAAAM8/JKyMEwUp85Y/s320/img0081221552327300.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281882287095739314" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 04&lt;br /&gt;&lt;br /&gt;Okay, from now on all messages addressed to unknown addresses in our organization will be refused by the Exchange Server, as shown in the first rcpt to: SMTP verb in Figure 05. 
However, we might encounter a problem: a spammer can try a harvest attack against our Exchange Server, using a dictionary attack to find out which e-mail addresses are valid in our organization. So, how can we stop it? There is no way to stop it, but for each wrong address tried in the SMTP communication a “5.1.1 User unknown” error is displayed, and for each of these errors we can configure tarpit to delay the server response. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SU0D9Cj7KXI/AAAAAAAAANE/A6UOPo7znDc/s1600-h/img0101221552327347.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 128px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SU0D9Cj7KXI/AAAAAAAAANE/A6UOPo7znDc/s320/img0101221552327347.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281882285169912178" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 05&lt;br /&gt;&lt;br /&gt;The default value is 5 seconds; to change this configuration we can run the following cmdlet:&lt;br /&gt;&lt;br /&gt;Set-ReceiveConnector "&lt;Connector-Name&gt;" -TarpitInterval:&lt;Number of seconds&gt;&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;In this article we have gone over how to configure some security settings and limits in a Receive Connector. We also saw that some of the configuration must be done using the Exchange Management Shell. 
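The settings covered in this article (banner, MaxProtocolErrors, TarpitInterval, MaxRecipientsPerMessage and MaxMessageSize) can be checked across connectors with a small audit function. This is an added example, not part of the original article: the function name Test-ReceiveConnectorBaseline, the baseline values and the two sample connectors are assumptions constructed for illustration.

```powershell
# Added example: audits Receive Connector settings against a baseline.
# The baseline numbers are assumptions for illustration, not vendor guidance.
$Baseline = @{
    MaxProtocolErrors       = 2      # value set earlier in the article
    MinTarpitSeconds        = 5      # the default the article cites
    MaxRecipientsPerMessage = 100
    MaxMessageSizeBytes     = 5MB
}

# Hypothetical helper (not an Exchange cmdlet). Expects an object exposing
# Name, Fqdn, Banner, MaxProtocolErrors, TarpitInterval (TimeSpan),
# MaxRecipientsPerMessage and MaxMessageSize (bytes).
function Test-ReceiveConnectorBaseline {
    param(
        [Parameter(Mandatory = $true)] $Connector,
        [Parameter(Mandatory = $true)] [hashtable] $Baseline
    )
    $findings = @()

    # An empty Banner means the default banner, which shows the server name.
    $banner = [string]$Connector.Banner
    $fqdn   = [string]$Connector.Fqdn
    if ([string]::IsNullOrEmpty($banner)) {
        $findings += 'Banner: default banner in use, server name is displayed'
    }
    elseif (-not $banner.StartsWith('220')) {
        $findings += 'Banner: a custom banner has to start with 220'
    }
    elseif ($fqdn -and $banner.ToLower().Contains($fqdn.ToLower())) {
        $findings += 'Banner: custom banner still contains the connector FQDN'
    }

    if ($Connector.MaxProtocolErrors -gt $Baseline.MaxProtocolErrors) {
        $findings += "MaxProtocolErrors: $($Connector.MaxProtocolErrors) exceeds $($Baseline.MaxProtocolErrors)"
    }

    # A short or zero tarpit delay makes 5.1.1 responses cheap to collect.
    $tarpit = ([TimeSpan]$Connector.TarpitInterval).TotalSeconds
    if ($tarpit -lt $Baseline.MinTarpitSeconds) {
        $findings += "TarpitInterval: $tarpit s is below $($Baseline.MinTarpitSeconds) s"
    }

    if ($Connector.MaxRecipientsPerMessage -gt $Baseline.MaxRecipientsPerMessage) {
        $findings += "MaxRecipientsPerMessage: $($Connector.MaxRecipientsPerMessage) exceeds $($Baseline.MaxRecipientsPerMessage)"
    }
    if ($Connector.MaxMessageSize -gt $Baseline.MaxMessageSizeBytes) {
        $findings += "MaxMessageSize: $($Connector.MaxMessageSize) bytes exceeds $($Baseline.MaxMessageSizeBytes)"
    }

    New-Object PSObject -Property @{
        Name      = $Connector.Name
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    } | Select-Object Name, Compliant, Findings
}

# Constructed sample data. The second entry uses the defaults the article
# quotes (5 errors, 5 s tarpit, 200 recipients, 10MB).
$connectors = @(
    (New-Object PSObject -Property @{
        Name = 'Internet (tuned)'; Fqdn = 'mail.example.org'
        Banner = '220 Mail Server'; MaxProtocolErrors = 2
        TarpitInterval = [TimeSpan]::FromSeconds(10)
        MaxRecipientsPerMessage = 100; MaxMessageSize = 5MB
    }),
    (New-Object PSObject -Property @{
        Name = 'Internet (defaults)'; Fqdn = 'mail.example.org'
        Banner = ''; MaxProtocolErrors = 5
        TarpitInterval = [TimeSpan]::FromSeconds(5)
        MaxRecipientsPerMessage = 200; MaxMessageSize = 10MB
    })
)

$connectors | ForEach-Object {
    Test-ReceiveConnectorBaseline -Connector $_ -Baseline $Baseline
} | Format-List
```

Against a live server the same function can be fed from Get-ReceiveConnector; the values that cmdlet returns may use Exchange-specific types (for example for MaxMessageSize) and need converting to the plain types used in the sample.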
In the next article we are going to play with logging information and start playing with authentication methods and how to configure permissions using AdsiEdit.msc and the Exchange Management Shell.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-362385319427625415?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/362385319427625415/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=362385319427625415&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/362385319427625415'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/362385319427625415'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/12/managing-receive-connectors-part-2.html' title='Managing Receive Connectors (Part 2)'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_YHquImSLBBI/SU0D8h_iJfI/AAAAAAAAAMk/14Gc7s-ND-g/s72-c/img0021221552307675.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2242606409977041037</id><published>2008-12-18T18:57:00.000-08:00</published><updated>2008-12-18T19:06:22.039-08:00</updated><title type='text'>Managing Exchange Server 2007 Receive Connectors (Part 1)</title><content type='html'>Introduction&lt;br /&gt;&lt;br 
/&gt;Exchange Server 2003 uses the SMTP Virtual Server that comes with the Operating System to control message flow. In Exchange Server 2007 the SMTP service bits are installed within the Exchange Server 2007 installation process. Because of this, we have two different components when we are talking about SMTP traffic in the Exchange 2007 architecture: the receive connectors and the send connectors. They are configured in two different places: the Send Connector is configured at Organization level and the receive connector at Server level. The receive connector is responsible for all incoming SMTP traffic, which can originate from an external source, a client, a partner, or another Exchange Server; on top of that, the receive connector uses authentication and some other features to manage all received connections.&lt;br /&gt;&lt;br /&gt;By default Exchange Server 2007 has two new receive Connectors called Client Receive Connector and Default &lt;Server Name&gt;, where &lt;Server Name&gt; is the NetBIOS name of the Exchange Server. The default Receive connectors can be found under Server Configuration / Hub item using the Exchange Management Console, as shown in Figure 01. They can also be found using the Get-ReceiveConnector cmdlet through the Exchange Management Shell.  
By default any new Exchange Server can receive messages from other Hub Transport servers due to the Default Receive connector, which is named Default &lt;Server Name&gt; and is configured to receive traffic from any host, to any local IP address on port 25, but this traffic must be authenticated first.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SUsOpimPsSI/AAAAAAAAAL8/GrgtqRUzunw/s1600-h/img0081220364683164.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 51px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SUsOpimPsSI/AAAAAAAAAL8/GrgtqRUzunw/s320/img0081220364683164.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281331094846681378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now we are going to create a new Receive Connector from scratch and during the process we will explain the available options that can be defined during the wizard.  The server used in this article has two IP addresses: 172.16.171.11 and 172.16.171.12.  &lt;br /&gt;&lt;br /&gt;Each connector has a unique set of the following attributes: IP Address, Port number and remote IP Address range. These parameters are always validated during the New Receive Connector wizard. If you have an existing connector with the same values a new connector cannot be created.&lt;br /&gt;&lt;br /&gt;In this article we are going to create an Internet Receive Connector using the second IP address of the server, as follows:&lt;br /&gt;&lt;br /&gt;-Open the Exchange Management Console.&lt;br /&gt;&lt;br /&gt;-Expand Server Configuration.&lt;br /&gt;&lt;br /&gt;-Click on Hub Transport.&lt;br /&gt;&lt;br /&gt;-Select the server name on the right hand side.&lt;br /&gt;&lt;br /&gt;-In the Toolbox Actions. Click on New Receive Connector.&lt;br /&gt;&lt;br /&gt;-Introduction. Let’s name this new connector using the Name field, and we can also select which kind of connector it is for (Figure 02). 
We have five options: Internet, Internal, Partner, Client and Custom and each one of them defines a set of authentication and permissions on the connector that we are creating. The choice of connector also changes the New Receive Connector wizard, so it is not the same wizard for all types of pre-configured connectors.  In this article we are going to start playing with an Internet Receive Connector, so let’s click on Internet and click on Next.&lt;br /&gt;&lt;br /&gt;Note:  &lt;br /&gt;If we choose a wrong type of connector we can always change the configuration afterwards. It is not necessary to recreate it due to choosing the incorrect option.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SUsOpujpSrI/AAAAAAAAAME/dRAgh20CAX8/s1600-h/img0061220364683149.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SUsOpujpSrI/AAAAAAAAAME/dRAgh20CAX8/s320/img0061220364683149.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281331098057001650" /&gt;&lt;/a&gt;&lt;br /&gt;Figure 02&lt;br /&gt;&lt;br /&gt;Okay, what if we had chosen Client, Partner or Internal instead of Internet? What would be the difference? The following table shows which changes will be applied for each type of receive connector chosen. We have three columns, the first one (During Wizard) shows which information will be required during the New Receive Connector Wizard; the second one (Authentication) shows what authentication method will be configured by default in the new Receive Connector and the last one (Permissions) shows which groups are marked in the Receive Connector permissions. 
Remember that all those values can be changed through the Exchange Management Console or Exchange Management Shell afterwards.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SUsOp5AflVI/AAAAAAAAAMM/0xKAgm54XkM/s1600-h/img0041220364683149.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 280px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SUsOp5AflVI/AAAAAAAAAMM/0xKAgm54XkM/s320/img0041220364683149.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281331100862354770" /&gt;&lt;/a&gt;&lt;br /&gt;We will go over Authentication and Permissions later on in this article series, for now let’s finish our Internet Receive Connector.&lt;br /&gt;&lt;br /&gt;Local Network Settings. Let’s use only the second IP address of the local server on port 25. We are also going to use the mail.andersonpatricio.org as FQDN, as shown in Figure 03. This name will be displayed when a connection is established with this Receive Connector. Click on Next.&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SUsOp9TO4YI/AAAAAAAAAMU/KeaxdhjTKt8/s1600-h/img0031220364683149.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 274px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SUsOp9TO4YI/AAAAAAAAAMU/KeaxdhjTKt8/s320/img0031220364683149.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281331102014693762" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 03&lt;br /&gt;&lt;br /&gt;New Connector. A summary of our choices made so far. Click on New to create the Receive Connector. &lt;br /&gt;Completion. Final screen of the new receive connector wizard with all the information provided during the wizard and the cmdlet used to create it. Click on Finish.&lt;br /&gt;&lt;br /&gt;Okay, these are the steps required to create a new receive connector; we can do the same using the Exchange Management Shell. 
To create it we have to use the New-ReceiveConnector cmdlet. In this example we are going to create the same connector described in the steps above:&lt;br /&gt;&lt;br /&gt;New-ReceiveConnector -Name "Connector Name" -Usage:Internet -Bindings:&lt;Specific IP Address or 0.0.0.0 for all IP addresses&gt;:&lt;port number&gt; -Fqdn:'&lt;FQDN that will be used by this connector&gt;' -Server &lt;Hub transport Server name&gt;&lt;br /&gt;&lt;br /&gt;Testing the new Receive connector…&lt;br /&gt;&lt;br /&gt;Okay, we have just created our new connector. We can start testing it using the following command: telnet 172.16.171.12 25 where 25 is the port that will be used (Figure 04). The connection will be made and the FQDN name that we defined in our new Receive Connector will be shown. If we try to connect using the IP address 172.16.171.11 we will receive a different prompt because it is a different connector. Our Internet connector is only listening on the 172.16.171.12 IP address.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SUsOqF8KZOI/AAAAAAAAAMc/BKGafNSjJco/s1600-h/img0021220364683149.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 140px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SUsOqF8KZOI/AAAAAAAAAMc/BKGafNSjJco/s320/img0021220364683149.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5281331104333849826" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 04&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;In this article we have seen how to create a receive connector and we also saw that a Receive Connector must be unique in at least one of these attributes: IP Address, port, Remote IP Address, in order to be created. 
In the following article we are going to use the telnet utility to test a Receive Connector and also take a look at some security and throttling configurations.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-2242606409977041037?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2242606409977041037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2242606409977041037&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2242606409977041037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2242606409977041037'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/12/managing-exchange-server-2007-receive.html' title='Managing Exchange Server 2007 Receive Connectors (Part 1)'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_YHquImSLBBI/SUsOpimPsSI/AAAAAAAAAL8/GrgtqRUzunw/s72-c/img0081220364683164.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-631010634934858852</id><published>2008-12-02T06:36:00.000-08:00</published><updated>2008-12-02T06:38:33.761-08:00</updated><title type='text'>Sanity check: 10 dirty little secrets you should know about working in IT</title><content type='html'>If you are preparing for 
a career in IT or are new to IT, many of the “dirty little secrets” listed below may surprise you because we don’t usually talk about them out loud. If you are an IT veteran, you’ve probably encountered most of these issues and have a few of your own to add — and please, by all means, take a moment to add them to the discussion. Most of these secrets are aimed at network administrators, IT managers, and desktop support professionals. This list is not aimed at developers and programmers — they have their own set of additional dirty little secrets — but some of these will apply to them as well.&lt;br /&gt;&lt;br /&gt;10.) The pay in IT is good compared to many other professions, but since they pay you well, they often think they own you&lt;br /&gt;&lt;br /&gt;Although the pay for IT professionals is not as great as it was before the dot-com flameout and the IT backlash in 2001-2002, IT workers still make very good money compared to many other professions (at least the ones that require only an associate’s or bachelor’s degree). And there is every reason to believe that IT pros will continue to be in demand in the coming decades, as technology continues to play a growing role in business and society. However, because IT professionals can be so expensive, some companies treat IT pros like they own them. If you have to answer a tech call at 9:00 PM because someone is working late, you hear, “That’s just part of the job.” If you need to work six hours on a Saturday to deploy a software update to avoid downtime during business hours, you get, “There’s no comp time for that since you’re on salary. That’s why we pay you the big bucks!”&lt;br /&gt;&lt;br /&gt;9.) It will be your fault when users make silly errors&lt;br /&gt;&lt;br /&gt;Some users will angrily snap at you when they are frustrated. 
They will yell, “What’s wrong with this thing?” or “This computer is NOT working!” or (my personal favorite), “What did you do to the computers?” In fact, the problem is that they accidentally deleted the Internet Explorer icon from the desktop, or unplugged the mouse from the back of the computer with their foot, or spilled their coffee on the keyboard.&lt;br /&gt;&lt;br /&gt;8.) You will go from goat to hero and back again multiple times within any given day&lt;br /&gt;&lt;br /&gt;When you miraculously fix something that had been keeping multiple employees from being able to work for the past 10 minutes — and they don’t realize how simple the fix really was — you will become the hero of the moment and everyone’s favorite employee. But they will conveniently forget about your hero anointment a few hours later when they have trouble printing because of a network slowdown — you will be enemy No. 1 at that moment. But if you show users a handy little Microsoft Outlook trick before the end of the day, you’ll soon return to hero status.&lt;br /&gt;&lt;br /&gt;7.) Certifications won’t always help you become a better technologist, but they can help you land a better job or a pay raise&lt;br /&gt;&lt;br /&gt;Headhunters and human resources departments love IT certifications. They make it easy to match up job candidates with job openings. They also make it easy for HR to screen candidates. You’ll hear a lot of veteran IT pros whine about techies who were hired based on certifications but who don’t have the experience to effectively do the job. They are often right. That has happened in plenty of places. But the fact is that certifications open up your career options. They show that you are organized and ambitious and have a desire to educate yourself and expand your skills. If you are an experienced IT pro and have certifications to match your experience, you will find yourself to be extremely marketable. 
Tech certifications are simply a way to prove your baseline knowledge and to market yourself as a professional. However, most of them are not a good indicator of how good you will be at the job.&lt;br /&gt;&lt;br /&gt;6.) Your nontechnical co-workers will use you as personal tech support for their home PCs&lt;br /&gt;&lt;br /&gt;Your co-workers (in addition to your friends, family, and neighbors) will view you as their personal tech support department for their home PCs and home networks. They will e-mail you, call you, and/or stop by your office to talk about how to deal with the virus that took over their home PC or the wireless router that stopped working after the last power outage and to ask you how to put their photos and videos on the Web so their grandparents in Iowa can view them. Some of them might even ask you if they can bring their home PC to the office for you to fix it. The polite ones will offer to pay you, but some of them will just hope or expect you can help them for free. Helping these folks can be very rewarding, but you have to be careful about where to draw the line and know when to decline. For help, take a look at TechRepublic’s free download “Ten ways to decline a request for free tech support.”&lt;br /&gt;&lt;br /&gt;5.) Vendors and consultants will take all the credit when things work well and will blame you when things go wrong&lt;br /&gt;&lt;br /&gt;Working with IT consultants is an important part of the job and can be one of the more challenging things to manage. Consultants bring niche expertise to help you deploy specialized systems, and when everything works right, it’s a great partnership. But you have to be careful. When things go wrong, some consultants will try to push the blame off on you by arguing that their solution works great everywhere else so it must be a problem with the local IT infrastructure. 
Conversely, when a project is wildly successful, there are consultants who will try to take all of the credit and ignore the substantial work you did to customize and implement the solution for your company.&lt;br /&gt;&lt;br /&gt;4.) You’ll spend far more time babysitting old technologies than implementing new ones&lt;br /&gt;&lt;br /&gt;One of the most attractive things about working in IT is the idea that we’ll get to play with the latest cutting edge technologies. However, that’s not usually the case in most IT jobs. The truth is that IT professionals typically spend far more time maintaining, babysitting, and nursing established technologies than implementing new ones. Even IT consultants, who work with more of the latest and greatest technologies, still tend to work primarily with established, proven solutions rather than the real cutting edge stuff.&lt;br /&gt;&lt;br /&gt;3.) Veteran IT professionals are often the biggest roadblock to implementing new technologies&lt;br /&gt;&lt;br /&gt;A lot of companies could implement more cutting edge stuff than they do. There are plenty of times when upgrading or replacing software or infrastructure can potentially save money and/or increase productivity and profitability. However, it’s often the case that one of the largest roadblocks to migrating to new technologies is not budget constraints or management objections; it’s the veteran techies in the IT department. Once they have something up and running, they are reluctant to change it. This can be a good thing because their jobs depend on keeping the infrastructure stable, but they also use that as an excuse to not spend the time to learn new things or stretch themselves in new directions. They get lazy, complacent, and self-satisfied.&lt;br /&gt;&lt;br /&gt;2.) 
Some IT professionals deploy technologies that do more to consolidate their own power than to help the business&lt;br /&gt;&lt;br /&gt;Another subtle but blameworthy thing that some IT professionals do is select and implement technologies based on how well those technologies make the business dependent on the IT pros to run them, rather than which ones are truly best for the business itself. For example, IT pros might select a solution that requires specialized skills to maintain instead of a more turnkey solution. Or an IT manager might have more of a Linux/UNIX background and so chooses a Linux-based solution over a Windows solution, even though the Windows solution is a better business decision (or, vice versa, a Windows admin might bypass a Linux-based appliance, for example). There are often excuses and justifications given for this type of behavior, but most of them are disingenuous.&lt;br /&gt;&lt;br /&gt;1.) IT pros frequently use jargon to confuse nontechnical business managers and hide the fact that they screwed up&lt;br /&gt;&lt;br /&gt;All IT pros — even the very best — screw things up once in a while. This is a profession where a lot is at stake and the systems that are being managed are complex and often difficult to integrate. However, not all IT pros are good at admitting when they make a mistake. Many of them take advantage of the fact that business managers (and even some high-level technical managers) don’t have a good understanding of technology, and so the techies will use jargon to confuse them (and cover up the truth) when explaining why a problem or an outage occurred. For example, to tell a business manager why a financial application went down for three hours, the techie might say, “We had a blue screen of death on the SQL Server that runs that app. 
Damn Microsoft!” What the techie would fail to mention was that the BSOD was caused by a driver update he applied to the server without first testing it on a staging machine.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-631010634934858852?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/631010634934858852/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=631010634934858852&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/631010634934858852'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/631010634934858852'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/12/sanity-check-10-dirty-little-secrets.html' title='Sanity check: 10 dirty little secrets you should know about working in IT'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1579781892910823852</id><published>2008-11-01T01:26:00.000-07:00</published><updated>2008-11-01T01:27:22.137-07:00</updated><title type='text'>Five new developments in storage infrastructure solutions</title><content type='html'>First there was Ethernet. Then, there was IP over Ethernet. Next came the mixed use of Ethernet, IP, and the SCSI command set (iSCSI) to simplify storage and to bring down the cost and complexity of storage. 
Today, iSCSI and Fibre Channel are fighting it out in all but the largest enterprises, and both have their pros and cons. Even though these are the two primary contenders in today’s block-level shared storage market, there are some other alternatives. The line is continuing to blur between these solutions as new initiatives are brought to market. Let’s take a look at some new developments in storage infrastructure solutions.&lt;br /&gt;&lt;br /&gt;Faster Fibre Channel&lt;br /&gt;Two Gbps and 4 Gbps Fibre Channel are very common in the marketplace, and manufacturers are just now beginning to demonstrate 8 Gbps Fibre Channel gear. There are also standards in the works for Fibre Channel running at 10 Gbps and 20 Gbps. This venerable technology continues to improve to meet the increasingly robust storage needs demanded by the enterprise. In some cases, Fibre Channel solutions on the market rival iSCSI solutions from a price perspective (e.g., Dell/EMC AX150) for simple solutions. However, faster Fibre Channel still has the same skill set hurdles to overcome. Just about every network administrator knows IP, but Fibre Channel skills are a different matter.&lt;br /&gt;&lt;br /&gt;iSCSI over 10G Ethernet&lt;br /&gt;iSCSI has become a technology that deserves short-list status… and at a gigabit per second, no less. Many iSCSI naysayers point to its slower interlink speed as a reason that it won’t stack up to Fibre Channel. However, iSCSI solutions are now on the cusp of moving to 10 Gbps Ethernet, meaning that iSCSI’s link speed could surpass even the fastest Fibre Channel solutions on the market. 
Of course, iSCSI still has IP’s overhead and latency, so we’ll see how well 10 Gbps Ethernet performs in real-world scenarios when compared to 8 Gbps Fibre Channel.&lt;br /&gt;&lt;br /&gt;Further, 10 Gbps Ethernet gear is still extremely expensive, so, for the foreseeable future, 10 Gbps-based iSCSI solutions probably won’t fit the budgets of many organizations considering iSCSI as a primary storage solution. All this said, interlink speed is not necessarily the primary driver for replacement storage infrastructure in the enterprise. Performance boosts are often achieved by adding more disk spindles to the infrastructure or by moving to faster disk drives (e.g., SATA to 15K RPM SAS or Fibre Channel).&lt;br /&gt;&lt;br /&gt;Fibre Channel-over-IP (FCIP)&lt;br /&gt;Fibre Channel-over-IP (FCIP) is a method by which geographically distributed Fibre Channel-based SANs can be interconnected with one another. In short, FCIP is designed to extend the reach of Fibre Channel networks over wide distances.&lt;br /&gt;&lt;br /&gt;Internet Fibre Channel Protocol (iFCP)&lt;br /&gt;Internet Fibre Channel Protocol (iFCP) is an effort to bring an IP-based infrastructure to the Fibre Channel world. Much of the cost of Fibre Channel is necessary infrastructure, such as dedicated host bus adapters (HBAs) and switches. These components can, on a per-port basis, add thousands of dollars to connect a server to the storage infrastructure. In contrast, transmitting Fibre Channel commands over an IP network would drive down infrastructure costs in a major way, requiring only gigabit Ethernet connections, which are already found on most servers. Further, even high-density Gigabit Ethernet switches cost only a couple thousand dollars. The main drawback to this proposal is the limitation to 1 Gbps Ethernet; although 10 Gbps gear is available, it would negate some of the cost benefit. On the plus side, iFCP (even on 10 Gbps Ethernet) would open Fibre Channel solutions to administrators that have IP-based skill sets. 
iFCP was ratified by the Internet Engineering Task Force in late 2002/early 2003.&lt;br /&gt;&lt;br /&gt;ATA-over-Ethernet (AoE)&lt;br /&gt;ATA-over-Ethernet (AoE) hasn’t enjoyed the popularity of iSCSI, but this isn’t due to any technical hurdles. The AoE specification is completely open and only eight pages in length. AoE doesn’t have the overhead of IP as does iSCSI since it runs right on top of Ethernet. Of course, this does limit AoE’s use to single locations, generally, since raw Ethernet can’t be routed. You can find more about AoE in one of my previous posts.&lt;br /&gt;&lt;br /&gt;Summary&lt;br /&gt;The future of storage is wide open. Between iSCSI, Fibre Channel, and even AoE, solutions abound for organizations of any size, and as the lines blur between some of these technologies, cost becomes less of an issue across the board.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-1579781892910823852?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1579781892910823852/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1579781892910823852&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1579781892910823852'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1579781892910823852'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/11/five-new-developments-in-storage.html' title='Five new developments in storage infrastructure solutions'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-6787818459293369639</id><published>2008-11-01T01:25:00.000-07:00</published><updated>2008-11-01T01:26:17.904-07:00</updated><title type='text'>Intel open sources Fibre Channel over Ethernet package</title><content type='html'>Intel has released a software package that is intended to encourage the development of Fibre Channel over Ethernet (FCoE) products for the Linux operating system.&lt;br /&gt;&lt;br /&gt;If you are scratching your head about what FCoE is, here’s an excerpt from Network World:&lt;br /&gt;&lt;br /&gt;FCoE is a proposed specification that allows Fibre Channel storage-area-network (SAN) traffic to run over Ethernet. Consolidating LAN and SAN traffic onto a single fabric is said to simplify network infrastructure in the data center.&lt;br /&gt;&lt;br /&gt;Linux developers can test and modify the FCoE software stack as part of the released package.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-6787818459293369639?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/6787818459293369639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=6787818459293369639&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6787818459293369639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6787818459293369639'/><link rel='alternate' type='text/html' 
href='http://msproducts.blogspot.com/2008/11/intel-open-sources-fibre-channel-over.html' title='Intel open sources Fibre Channel over Ethernet package'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1307269881072249555</id><published>2008-11-01T01:24:00.000-07:00</published><updated>2008-11-01T01:25:26.798-07:00</updated><title type='text'>First 8Gbps Fibre Channel products are out</title><content type='html'>It appears that the first 8Gbps Fibre Channel storage networking products are out, as reported by The Register. Still, the sentiment is that it will be unlikely that this new technology will do much to stem the drift to iSCSI over 10Gbps Ethernet, although it might perhaps slow it somewhat.&lt;br /&gt;&lt;br /&gt;The main advantage of 8Gbps is that it not only uses the same infrastructure as earlier generations of Fibre Channel, but it is also backwards compatible to them. 
Slap the new 8Gbps devices onto an existing SAN, and they should interoperate without any issues, automatically running at the highest speed supported by both ends of the channel.&lt;br /&gt;&lt;br /&gt;Interestingly, most SAN users have not (even) reached the limits of 2Gbps technology, never mind 4Gbps, according to Enterprise Strategy Group analyst Brian Garrett.&lt;br /&gt;&lt;br /&gt;However, he hastened to add:&lt;br /&gt;&lt;br /&gt;Administrators of infrastructure applications like disk-to-disk replication and vertical business applications like video post-production are already asking for higher performance storage networks.&lt;br /&gt;&lt;br /&gt;The backwards compatibility of 8Gbps Fibre Channel will be warmly embraced in data centers, video production houses, and other application environments where performance counts.&lt;br /&gt;&lt;br /&gt;The first 8Gbps products are promised by Emulex and QLogic, and according to the companies, they should be available for just a 10 to 20 percent price premium over existing 4Gbps products. 
While Brocade and Cisco have not yet made any announcements, I’m sure that they aren’t too far behind.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-1307269881072249555?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1307269881072249555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1307269881072249555&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1307269881072249555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1307269881072249555'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/11/first-8gbps-fibre-channel-products-are.html' title='First 8Gbps Fibre Channel products are out'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-5261792192984666713</id><published>2008-11-01T01:23:00.000-07:00</published><updated>2008-11-01T01:24:20.481-07:00</updated><title type='text'>Fibre Channel and Ethernet starting to converge</title><content type='html'>Ethernet, the longtime standard for LAN traffic, is seeing another upgrade on the horizon, with 10 Gbps Ethernet beginning to explode onto the market. 
The speed upgrade will help Ethernet and Fibre Channel, the longtime standard for SAN traffic, converge onto one high speed network, linking servers in large farms to the storage arrays that store their data. Intel has just released “barely out of Alpha” code for Fibre Channel over Ethernet (FCoE) for Linux, though only for a specific release and configuration.&lt;br /&gt;&lt;br /&gt;Cisco has seen sales of 10 Gbps Ethernet ports triple since they entered the market in the second quarter of 2007. The strong sales indicate that there is still plenty of demand for increased bandwidth in the data center. The ability to send Fibre Channel packets over Ethernet will help to reduce the number of data centers that have to maintain two architectures — one for storage and another for servers.&lt;br /&gt;&lt;br /&gt;Until recently, I didn’t think that I would have 10 Gbps Ethernet in my shop, because we are so small. However, if I can use Ethernet to access my NAS and iSCSI boxes rather than Fibre Channel, I can see us bypassing SAN technology altogether in favor of technology that fits in better with what we are doing already. 
Do you see 10 Gbps in your data center in the near future?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-5261792192984666713?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/5261792192984666713/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=5261792192984666713&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5261792192984666713'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5261792192984666713'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/11/fibre-channel-and-ethernet-starting-to.html' title='Fibre Channel and Ethernet starting to converge'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2261136955691948248</id><published>2008-11-01T01:20:00.000-07:00</published><updated>2008-11-01T01:21:13.618-07:00</updated><title type='text'>Shared block-level storage continues to become more accessible</title><content type='html'>I considered entitling this post “Is storage becoming commoditized?” but the technical definition of “commodity” doesn’t quite fit the bill. My question is this: Is the market for shared block-level storage continuing to become more accessible to a wider variety of customers? Personally, I think it is, and this is a good thing. 
With one exception, for most of my career, I’ve worked for fairly small organizations. A few years ago, the idea of a Fibre Channel-based SAN didn’t even get raised because of the cost and complexity of such a solution. It was RAID all the way in most servers. For some servers, even RAID wasn’t considered due to cost. Remember, RAID and SCSI drives used to be expensive!&lt;br /&gt;&lt;br /&gt;Now, though, the storage market has exploded. With the introduction of iSCSI and new breeds of Fibre Channel being offered, it seems like there is something for everyone and at every price range. Here are some examples:&lt;br /&gt;&lt;br /&gt;Dell AX150 array, Fibre Channel, 6TB raw, dual processors, refurbished, not scalable, 10 hosts max: $7,500. &lt;br /&gt;EqualLogic PS400E, iSCSI, 10.5TB raw, fully redundant, scalable, unlimited hosts: $60K - $65K. &lt;br /&gt;Overland ULTAMUS RAID 4800, Fibre Channel (4Gb), 18TB raw, redundant: $42K. &lt;br /&gt;Left Hand Networks NSM 160, iSCSI, 2TB raw, redundant with three units (6TB): guess - ~ $40K or so. &lt;br /&gt;Nexsan SATABoy, Fibre Channel/iSCSI, 7TB raw: $18K. &lt;br /&gt;Nexsan SATABeast, Fibre Channel/iSCSI, 42TB raw: $55K. &lt;br /&gt;Please don’t use these prices for your budget. I Googled for this information, so some may be out of date. The point of this exercise, however, is to demonstrate that choice and price is all over the map. If you need shared storage for 2 or 3 servers and are on a super-tight budget, buy the Dell AX150. If money isn’t an object and you want “best of breed” iSCSI, go for the EqualLogic PS400E. If your storage needs are a little more modest and budget is somewhat important, look to the SATABoy. For kicks, take a look at the SATABeast specs, too. At $55K for 42TB, it easily wins the price/TB comparison and supports both Fibre Channel (4Gb no less) and iSCSI.&lt;br /&gt;&lt;br /&gt;Every time I look, there is something new to consider in the storage space. 
Sure, not all of the new options have whizbang new features, but they are certainly providing additional choice at prices that are all over the map. As a result, although the storage market is becoming a little more complex to navigate, there is incredible opportunity for customers of almost any size to take part in the shared block-level storage game.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-2261136955691948248?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2261136955691948248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2261136955691948248&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2261136955691948248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2261136955691948248'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/11/shared-block-level-storage-continues-to.html' title='Shared block-level storage continues to become more accessible'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-8006573393604395707</id><published>2008-11-01T01:18:00.000-07:00</published><updated>2008-11-01T01:19:59.680-07:00</updated><title type='text'>iSCSI anyone?</title><content type='html'>iSCSI is a technology which seems to have been cropping up a lot 
recentlywhile visiting a conference on the topic of data protection and&lt;br /&gt;compliance, iSCSI was being pushed as the next big thing in storage.&lt;br /&gt;&lt;br /&gt;So what is iSCSI? iSCSI is a protocol defined by the&lt;br /&gt;Internet Engineering Task Force (IETF) which enables SCSI commands to be&lt;br /&gt;encapsulated in TCP/IP traffic, thus allowing access to remote storage over low&lt;br /&gt;cost IP networks.&lt;br /&gt;&lt;br /&gt;What advantages would using an iSCSI Storage Area Network&lt;br /&gt;(SAN) give to your organisation over using Direct Attached Storage (DAS) or a&lt;br /&gt;Fibre Channel SAN?&lt;br /&gt;&lt;br /&gt;iSCSI&lt;br /&gt;is cost effective, allowing use of low cost Ethernet rather than expensive&lt;br /&gt;Fibre architecture. &lt;br /&gt;Traditionally&lt;br /&gt;expensive SCSI controllers and SCSI disks no longer need to be used in&lt;br /&gt;each server, reducing overall cost. &lt;br /&gt;Many&lt;br /&gt;iSCSI arrays enable the use of cheaper SATA disks without losing hardware&lt;br /&gt;RAID functionality. &lt;br /&gt;The&lt;br /&gt;iSCSI storage protocol is endorsed by Microsoft, IBM and Cisco, therefore&lt;br /&gt;it is an industry standard. &lt;br /&gt;Administrative/Maintenance&lt;br /&gt;costs are reduced. &lt;br /&gt;Increased&lt;br /&gt;utilisation of storage resources. &lt;br /&gt;Expansion&lt;br /&gt;of storage space without downtime. &lt;br /&gt;Easy&lt;br /&gt;server upgrades without the need for data migration. &lt;br /&gt;Improved&lt;br /&gt;data backup/redundancy. &lt;br /&gt;Youll notice that I mentioned reduced administrative costs;&lt;br /&gt;I was very interested to find this document prepared&lt;br /&gt;by Adaptec on the cost advantages of iSCSI SAN over DAS or Fibre Channel&lt;br /&gt;SANmost notably the Total Cost of Ownership analysis, stating that one&lt;br /&gt;administrator can manage 980GB of DAS storage, whereas the same administrator&lt;br /&gt;could manage 4800GB of SAN storage. 
Quite an increase!&lt;br /&gt;&lt;br /&gt;Isn’t there going to be a bandwidth issue with all of this data flying around? Well, this is a question I had but found the answers in this very informative iSCSI Technology Brief from Westek UK. Direct attached U320 SCSI gives a theoretical data transfer rate of 320Mbytes/s; on a standard Gigabit network, iSCSI will provide around 120Mbytes/s; and Fibre Channel provides up to 200Mbytes/s, but at considerable cost. 120Mbytes/s is probably fast enough for all but the most demanding applications. All connectivity between the iSCSI storage and your servers would be on a dedicated Ethernet network, therefore not interfering with your standard network traffic (and vice versa). If this isn’t enough, 10Gbit copper Ethernet is now pushing its way on to the market and costs are falling; this would give a possible 1Gbyte/s of throughput!&lt;br /&gt;&lt;br /&gt;Most iSCSI devices I have seen give the ability to take snapshots; this snapshot will only save changes made to the file system since the previous snapshot, meaning you won’t need to put aside huge amounts of storage while maintaining the possibility of rolling back to a previous state after disaster (data corruption/deletion). Snapshots only take a few seconds to perform (compared to hours for a traditional image to be created) and can be scheduled for regular, automatic creation.&lt;br /&gt;&lt;br /&gt;I have recently been asked to look at consolidating our storage, and iSCSI looks like an innovative, well supported, and cost effective way of doing this. 
The Power iSCSI range from Westek UK looks very promising with the option of 10GBit connectivity, Hardware RAID6 (offsetting reliability concerns due to SATA disks), plus an option of real-time replication and fail-over between two units.&lt;br /&gt;&lt;br /&gt;Have you deployed iSCSI-based SAN within your organisation? Do you know of any other iSCSI appliance providers offering innovative features? Maybe you decided to go with Fibre Channel instead? What kind of data transfer rates do you require for your storage? Do you feel modern SATA disks provide good enough performance and reliability or are expensive SCSI disks still worth the premium?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-8006573393604395707?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/8006573393604395707/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=8006573393604395707&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8006573393604395707'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8006573393604395707'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/11/iscsi-anyone.html' title='iSCSI anyone?'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-3625369301857907501</id><published>2008-10-28T06:43:00.000-07:00</published><updated>2008-10-28T06:44:54.383-07:00</updated><title type='text'>Windows Home Server - Real-life scenario</title><content type='html'>I’ve been running Windows Home Server for just under a year now and thought I’d take a little time to explain my setup in detail and explain why I use this product when I could also simply build a Linux server to do many of the things handled by WHS.&lt;br /&gt;&lt;br /&gt;My setup&lt;br /&gt;Late last year, I bought an HP MediaSmart EX470 Windows Home Server for a project I was working on.  Prior to buying the MediaSmart system, I had built a custom system with an evaluation copy of Windows Home Server provided by Microsoft, and gave it up in favor of the HP server.  The HP MediaSmart systems ship with a paltry 512MB of RAM, but, with a little know-how, it’s not all that hard to upgrade to 2GB of RAM, which is almost a must.  Frankly, HP will probably have to address the RAM issue at some point and give customers the option of easily expanding the RAM without voiding the warranty.    The EX470 ships with a single 500GB hard drive.  In order to enjoy the full benefit of Windows Home Server, you really need multiple hard drives.  Since installing my server, I’ve added three more 500GB drives for a total of 2TB capacity.  While that sounds like a ton of space, due to the way that WHS uses disk space, it’s actually less than it sounds like.  This is not meant to be a negative point… just fact.&lt;br /&gt;&lt;br /&gt;The MediaSmart server includes a gigabit Ethernet port and I’ve connected it, as well as my two primary workstations, to a gigabit Ethernet switch.  I also use a wireless-N network at home to connect my wife’s Windows desktop computer and my MacBook to the network.  
I run VMware Fusion on my MacBook so I can run Windows programs.&lt;br /&gt;&lt;br /&gt;How I use WHS &lt;br /&gt;I save almost everything to my Windows Home Server.  I write a lot, so all of my work is stored there, as is my iTunes library, backups of my DVDs and a lot more.  All of the computers in my house are automatically backed up to my server, too.  I have personally used WHS’ client restoration capability to restore a client computer and it’s an absolutely fantastic and surprisingly easy to use procedure.&lt;br /&gt;&lt;br /&gt;Although WHS Power Pack 1 now includes the ability to back up the Windows Home Server to an external hard drive, a feature that was missing from the OEM release, I’ve opted to use Windows Home Server Gold Plan ($199/year, but right now, $99/year special) to automatically back up my Windows Home Server to KeepVault’s servers.  I’ve been using KeepVault for almost a year now and am very pleased. The only disadvantage to this method is that KeepVault won’t back up files that are larger than 5GB in size, but KeepVault provides unlimited storage space.  The only files I have that are larger than 5GB in size are generally ISO files and virtual machine images and, if I so desired, I could take steps to protect even these files.  However, for performance reasons, I don’t run my virtual machines from my server anyway, although I would give it a shot if WHS included a good way to handle iSCSI.&lt;br /&gt;&lt;br /&gt;With the Power Pack 1 release, WHS is finally ready for prime time.  Prior to this release, WHS suffered from a serious data corruption bug which, unfortunately, I fell victim to.  The resulting damage was more of an annoyance as I had to work around it, but as I said, PP1 fixes this issue and adds some additional capability.&lt;br /&gt;&lt;br /&gt;Windows Home Server includes very good remote access capability, too.  When I’m on the road for business, I don’t have to try to remember exactly which files I need to take with me.  
If I forget something, I can just browse to my server and get the file.  Configuring this capability is a breeze, too, as long as you have a router that supports UPnP, which I do.  Otherwise, it would take manual router configuration, making WHS less than desirable for the average home user.&lt;br /&gt;&lt;br /&gt;Could I have replicated this functionality with Linux, other open source products and some scripts?  Sure.  Would it have worked?  Well, probably not as seamlessly.  Even something like WHS is a tool for me and I’ve gotten to a point where I just need stuff to work so that I can focus on getting a job done.  My WHS system protects my files at two levels - locally in the event of a client failure, and remotely in the event of a server failure - and gives me an easy way to get to my information if necessary.&lt;br /&gt;&lt;br /&gt;Although the market need is still somewhat questionable, WHS is aimed at users that lack the technical expertise to build computers from scratch or that want to focus on the end result of the product - a working, stable server.  For those that enjoy the thrill of building something from scratch, WHS is probably not for you.  
For me, however, it’s a perfect complement to my clients and perfectly fits my work style.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-3625369301857907501?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/3625369301857907501/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=3625369301857907501&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3625369301857907501'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3625369301857907501'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/windows-home-server-real-life-scenario.html' title='Windows Home Server - Real-life scenario'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-7938541111296474832</id><published>2008-10-28T06:41:00.000-07:00</published><updated>2008-10-28T06:42:44.088-07:00</updated><title type='text'>Help! My SQL Server Log File is too big!!!</title><content type='html'>Over the years, I have assisted so many different clients whose transactional log file has become “too large” that I thought it would be helpful to write about it.  The issue can be a system crippling problem, but can be easily avoided.  
Today I’ll look at what causes your transaction logs to grow too large, and what you can do to curb the problem.&lt;br /&gt;&lt;br /&gt;Note:  For the purposes of today’s article, I will assume that you’re using SQL Server 2005 or later.&lt;br /&gt;&lt;br /&gt;Every SQL Server database has at least two files: a data file and a transaction log file.  The data file stores user and system data while the transaction log file stores all transactions and database modifications made by those transactions.  As time passes, more and more database transactions occur and the transaction log needs to be maintained.  If your database is in the Simple recovery mode, then inactive transactions are truncated from the transaction log after the Checkpoint process occurs.  The Checkpoint process writes all modified data pages from memory to disk.  When the Checkpoint is performed, the inactive portion of the transaction log is marked as reusable.&lt;br /&gt;&lt;br /&gt;Transaction Log Backups&lt;br /&gt;If your database recovery model is set to Full or Bulk-Logged, then it is absolutely VITAL that you make transaction log backups to go along with your full backups.  SQL Server 2005 databases are set to the Full recovery model by default, so you may need to start creating log backups even if you haven’t run into problems yet.  The following query can be used to determine the recovery model of the databases on your SQL Server instance.&lt;br /&gt;&lt;br /&gt;SELECT name, recovery_model_desc&lt;br /&gt;FROM sys.databases&lt;br /&gt;&lt;br /&gt;Before going into the importance of Transactional Log Backups, I must stress the importance of creating Full database backups.  If you are not currently creating Full database backups and your database contains data that you cannot afford to lose, you absolutely need to start.  Full backups are the starting point for any type of recovery process, and are critical to have in case you run into trouble.  
In fact, you cannot create transactional log backups without first having created a full backup at some point.&lt;br /&gt;&lt;br /&gt;The Full or Bulk-logged Recovery Mode&lt;br /&gt;With the Full or Bulk-Logged recovery mode, inactive transactions remain in the transaction log file until after a Checkpoint is processed and a transaction log backup is made.  Note that a full backup does not remove inactive transactions from the transaction log.  The transaction log backup performs a truncation of the inactive portion of the transaction log, allowing it to be reused for future transactions.  This truncation does not shrink the file; it only allows the space in the file to be reused (more on file shrinking a bit later).  It is these transaction log backups that keep your transaction log file from growing too large.  An easy way to make consistent transaction log backups is to include them as part of your database maintenance plan.&lt;br /&gt;&lt;br /&gt;If your database recovery model is set to FULL, and you’re not creating transaction log backups and never have, you may want to consider switching your recovery mode to Simple.  The Simple recovery mode should take care of most of your transaction log growth problems because the log truncation occurs after the Checkpoint process.  You’ll not be able to recover your database to a point in time using Simple, but if you weren’t creating transactional log backups to begin with, restoring to a point in time wouldn’t have been possible anyway.  To switch your recovery model to Simple mode, issue the following statement in your database.&lt;br /&gt;&lt;br /&gt;ALTER DATABASE YourDatabaseName&lt;br /&gt;SET RECOVERY SIMPLE&lt;br /&gt;&lt;br /&gt;Not performing transaction log backups is probably the main cause for your transaction log growing too large.  However, there are other situations that prevent inactive transactions from being removed even if you’re creating regular log backups.  
The following query can be used to get an idea of what might be preventing your transaction log from being truncated.&lt;br /&gt;&lt;br /&gt;SELECT name, log_reuse_wait_desc&lt;br /&gt;FROM sys.databases&lt;br /&gt;&lt;br /&gt;Long-Running Active Transactions&lt;br /&gt;A long-running transaction can prevent transaction log truncation.  These types of transactions can range from transactions being blocked from completing to open transactions waiting for user input.  In any case, the transaction ensures that the log remains active from the start of the transaction.  The longer the transaction remains open, the larger the transaction log can grow.  To see the longest running transaction on your SQL Server instance, run the following statement.&lt;br /&gt;&lt;br /&gt;DBCC OPENTRAN&lt;br /&gt;&lt;br /&gt;If there are open transactions, DBCC OPENTRAN will provide a session_id (SPID) of the connection that has the transaction open.  You can pass this session_id to sp_who2 to determine which user has the connection open.&lt;br /&gt;&lt;br /&gt;EXECUTE sp_who2 spid&lt;br /&gt;&lt;br /&gt;Alternatively, you can run the following query to determine the user.&lt;br /&gt;&lt;br /&gt;SELECT * FROM sys.dm_exec_sessions&lt;br /&gt;WHERE session_id = spid  --from DBCC OPENTRAN&lt;br /&gt;&lt;br /&gt;You can determine the SQL statement being executed inside the transaction in a couple of different ways.  
First, you can use the DBCC INPUTBUFFER() statement to return the first part of the SQL statement:&lt;br /&gt;&lt;br /&gt;DBCC INPUTBUFFER(spid)  --from DBCC OPENTRAN&lt;br /&gt;&lt;br /&gt;Alternatively, you can use a dynamic management view included in SQL Server 2005 to return the SQL statement:&lt;br /&gt;&lt;br /&gt;SELECT&lt;br /&gt;    r.session_id,&lt;br /&gt;    r.blocking_session_id,&lt;br /&gt;    s.program_name,&lt;br /&gt;    s.host_name,&lt;br /&gt;    t.text&lt;br /&gt;FROM&lt;br /&gt;    sys.dm_exec_requests r&lt;br /&gt;    INNER JOIN sys.dm_exec_sessions s ON r.session_id = s.session_id&lt;br /&gt;    CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) t&lt;br /&gt;WHERE&lt;br /&gt;    s.is_user_process = 1 AND&lt;br /&gt;    r.session_id = SPID  --FROM DBCC OPENTRAN&lt;br /&gt;&lt;br /&gt;Backups&lt;br /&gt;Log truncation cannot occur during a backup or restore operation.  In SQL Server 2005 and later, you can create a transaction log backup while a full or differential backup is occurring, but the log backup will not truncate the log because the entire transaction log needs to remain available to the backup operation.  If a database backup is keeping your log from being truncated you might consider cancelling the backup to relieve the immediate problem.&lt;br /&gt;&lt;br /&gt;Transactional Replication&lt;br /&gt;With transactional replication, the inactive portion of the transaction log is not truncated until transactions have been replicated to the distributor.  This may be due to the fact that the distributor is overloaded and having problems accepting these transactions or maybe because the Log Reader agent should be run more often.  
If DBCC OPENTRAN indicates that your oldest active transaction is a replicated one and it has been open for a significant amount of time, this may be your problem.&lt;br /&gt;&lt;br /&gt;Database Mirroring&lt;br /&gt;Database mirroring is somewhat similar to transactional replication in that it requires that the transactions remain in the log until the record has been written to disk on the mirror server. If the mirror server instance falls behind the principal server instance, the amount of active log space will grow. In this case, you may need to stop database mirroring, take a log backup that truncates the log, apply that log backup to the mirror database and restart mirroring.&lt;br /&gt;&lt;br /&gt;Disk Space&lt;br /&gt;It is possible that you’re just running out of disk space and it is causing your transaction log to error.  You might be able to free disk space on the disk drive that contains the transaction log file for the database by deleting or moving other files. The freed disk space will allow for the log file to enlarge.  If you cannot free enough disk space on the drive that currently contains the log file then you may need to move the file to a drive with enough space to handle the log.  If your log file is not set to grow automatically, you’ll want to consider changing that or adding additional space to the file.  Another option is to create a new log file for the database on a different disk that has enough space by using the ALTER DATABASE YourDatabaseName ADD LOG FILE syntax.&lt;br /&gt;&lt;br /&gt;Shrinking the File&lt;br /&gt;Once you have identified your problem and have been able to truncate your log file, you may need to shrink the file back to a manageable size.  You should avoid shrinking your files on a consistent basis as it can lead to fragmentation issues.  However, if you’ve performed a log truncation and need your log file to be smaller, you’re going to need to shrink your log file.  
You can do it through Management Studio by right-clicking the database, selecting All Tasks, Shrink, then choosing Database or Files.  If I am using the Management Studio interface, I generally select Files and shrink only the log file.&lt;br /&gt;&lt;br /&gt;This can also be done using TSQL.  The following query will find the name of my log file.  I’ll need this to pass to the DBCC SHRINKFILE command.&lt;br /&gt;&lt;br /&gt;SELECT name&lt;br /&gt;FROM sys.database_files&lt;br /&gt;WHERE type_desc = 'LOG'&lt;br /&gt;&lt;br /&gt;Once I have my log file name, I can use the DBCC command to shrink the file.  In the following command I try to shrink my log file down to 1GB.&lt;br /&gt;&lt;br /&gt;DBCC SHRINKFILE ('SalesHistory_Log', 1000)&lt;br /&gt;&lt;br /&gt;Also, make sure that your databases are NOT set to auto-shrink.  Databases that are shrunk at continuous intervals can encounter real performance problems.&lt;br /&gt;&lt;br /&gt;TRUNCATE_ONLY and NOLOG&lt;br /&gt;If you’re a DBA and have run into one of the problems listed in this article before, you might be asking yourself why I haven’t mentioned just using TRUNCATE_ONLY to truncate the log directly without creating the log backup.  The reason is that in almost all circumstances you should avoid doing it.  Doing so breaks the transaction log chain, which makes recovering to a point in time impossible: not only have you lost the transactions that have occurred since the last transaction log backup, but you will also not be able to recover any future transactions that occur until a differential or full database backup has been created.  This method is so discouraged that Microsoft is not including it in SQL Server 2008 and future versions of the product.  
I’ll include the syntax here to be thorough, but you should try to avoid using it at all costs.&lt;br /&gt;&lt;br /&gt;BACKUP LOG SalesHistory&lt;br /&gt;WITH TRUNCATE_ONLY&lt;br /&gt;&lt;br /&gt;It is just as easy to perform the following BACKUP LOG statement to actually create the log backup to disk.&lt;br /&gt;&lt;br /&gt;BACKUP LOG SalesHistory&lt;br /&gt;TO DISK = 'C:/SalesHistoryLog.bak'&lt;br /&gt;&lt;br /&gt;Moving forward&lt;br /&gt;Today I took a look at several different things that can cause your transaction log file to become too large and some ideas as to how to overcome your problems.  These solutions range from correcting your code so that transactions do not remain open so long, to creating more frequent log backups.  In addition to these solutions, you should also consider adding notifications to your system to let you know when your database files are reaching a certain threshold.  The more proactive you are in terms of alerts for these types of events, the better chance you’ll have to correct the issue before it turns into a real problem.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-7938541111296474832?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/7938541111296474832/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=7938541111296474832&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7938541111296474832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7938541111296474832'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/help-my-sql-server-log-file-is-too-big.html' title='Help! 
My SQL Server Log File is too big!!!'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1756596967984411687</id><published>2008-10-28T06:39:00.000-07:00</published><updated>2008-10-28T06:41:08.522-07:00</updated><title type='text'>The top four mistakes organizations make when building datacenters</title><content type='html'>I had the opportunity to speak with Etienne Guerou, who is the Vice President, a company - a world leader in power solutions. Over a cup of coffee, Mr. Guerou, who has 20 years of experience in designing and building datacenters, briefed me on some of the top mistakes that IT professionals and decision-makers make when building their own datacenters.&lt;br /&gt;&lt;br /&gt;Here are the main mistakes he outlined:&lt;br /&gt;&lt;br /&gt;1. Harboring the wrong appreciation of a datacenter&lt;br /&gt;&lt;br /&gt;One typical mistake is that IT professionals and decision makers don’t differentiate between datacenters. Instead, they treat a datacenter as an all-inclusive black box where “many” servers are to be housed. That mindset is typically exposed when confronted with the simple question: “What do you intend to use your datacenter for?”&lt;br /&gt;&lt;br /&gt;Ask yourself about the scale and anticipated usage of the datacenter, expansion plans of at least two to three years down the road, whether blade servers or standard rack mount servers will be utilized, etc. When you answer these questions, you can then extrapolate power consumption, as well as current and future capacities in terms of cabling, cooling and power.&lt;br /&gt;&lt;br /&gt;2. 
Attempting to run a datacenter from improper facilities&lt;br /&gt;&lt;br /&gt;It would be a mistake to simply acquire an ad-hoc facility and have it rebadged as a datacenter without a proper appraisal of its suitability, cautions Guerou. He cites an example in which a client, after having signed the lease for a fairly large space, sought out Mr. Guerou’s advice on how to proceed. To the client’s horror, the answer was that the venue was simply not suitable for a datacenter due to granite flooring and thick beams across the ceiling - resulting in an effective height that is simply inadequate for cabling and cooling purposes.&lt;br /&gt;&lt;br /&gt;While it might not be possible for most organizations to put up custom-built datacenters on a whim, what this client should have done was get an experienced consultant in and involved right from the get-go.&lt;br /&gt;&lt;br /&gt;Ideally, in Mr. Guerou’s own words: “A datacenter should be a technical building dedicated to a very particular business of processing data.”&lt;br /&gt;&lt;br /&gt;3. Buying by brands&lt;br /&gt;&lt;br /&gt;Another common mistake is that many IT professionals attempt to buy into selected brands. While this strategy might work well when it comes to standardizing on servers or networking gear, an efficient and well-run datacenter has nothing to do with specific hardware brands or models. Rather, you should approach the datacenter from the perspective of a complete solution, where the entire design has to be considered as an integrated whole.&lt;br /&gt;&lt;br /&gt;As an unfortunate side-effect of strong marketing by enterprise vendors, many users have, consciously or subconsciously, bought into the idea of designing a datacenter by snapping together disparate pieces of hardware. 
While not wrong, it’s imperative that the end-result be evaluated as a whole - and not in a piecemeal fashion.&lt;br /&gt;&lt;br /&gt;Various hardware, such as types of servers, positioning of racks, networking equipment and redundant power supplies should dovetail properly with infrastructure such as cooling, ventilation, wiring, fire-suppression systems, and security measures.&lt;br /&gt;&lt;br /&gt;4. Rushing onto the “Green IT” bandwagon&lt;br /&gt;&lt;br /&gt;The increasing popularity of “Green IT” has vendors unveiling new servers and equipment touted for their superior power efficiency. While the idea is definitely laudable, you should sieve out the marketing hype from actual operational consumption.&lt;br /&gt;&lt;br /&gt;For example, two UPS from “vendor X,” while individually more power efficient at 90% loading, might actually offer a much poorer showing if deployed in a redundant configuration, where they will end up running at 45% loading. In the absence of proper scrutiny, green IT initiatives could degenerate into a numbers game.&lt;br /&gt;&lt;br /&gt;At the end of the day, you should take the overall power efficiency - or power factor - of the entire datacenter as a benchmark rather than weigh it by individual vendor claims. After all, a yardstick of a well-run datacenter has always been about power efficiency.&lt;br /&gt;&lt;br /&gt;In parting, Mr. Guerou has the following advice for organizations thinking of building their own datacenter. 
“Hire an experienced consultant.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-1756596967984411687?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1756596967984411687/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1756596967984411687&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1756596967984411687'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1756596967984411687'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/top-four-mistakes-organizations-make.html' title='The top four mistakes organizations make when building datacenters'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-6282673282822065346</id><published>2008-10-28T06:33:00.001-07:00</published><updated>2008-10-28T06:33:47.535-07:00</updated><title type='text'>iSCSI is the future of storage</title><content type='html'>This week, HP announced their $360 million acquisition of LeftHand networks. Last year, Dell surprised the tech industry with a $1.4 billion purchase of the formerly independent EqualLogic.  
With these iSCSI snap-ups by true tech titans, iSCSI has officially arrived, is here to stay, and, I believe, will become the technology of choice for most organizations in the future.&lt;br /&gt;&lt;br /&gt;This is not to say that iSCSI has been sitting in the background up to this point.  On the contrary, the technology has taken the industry by storm.  Both of these companies based their entire business hopes on the possibility that organizations would see the intrinsic value to be found in iSCSI’s simplistic installation and management.  To say that both companies have been successful would be an understatement.&lt;br /&gt;&lt;br /&gt;I’m a big fan of both EqualLogic and LeftHand Networks offerings, having purchased an EqualLogic unit in a former life.  At that time, I narrowed my selection down to two options - LeftHand and EqualLogic.  Both solutions had their pros and cons, but both were more than viable.&lt;br /&gt;&lt;br /&gt;It’s not all about EqualLogic and LeftHand, though.  The big guns in storage have finally jumped feet first into the iSCSI fray with extremely compelling products of their own.  Previously, these players, including EMC and NetApp, simply bolted iSCSI onto existing products.  Lately, even the biggest Fibre Channel vendors are releasing native iSCSI arrays aimed at the mid-tier of the market.  EMC’s AX4, for example, is available in both native iSCSI and native Fibre Channel versions and is priced in such a way that any organization considering EqualLogic or LeftHand should make sure to give the EMC AX4 a look.  
To be fair, the iSCSI-only AX4:&lt;br /&gt;&lt;br /&gt;Does not support SAN copy for SAN to SAN replication &lt;br /&gt;Is not as easy to install or manage as one of the aforementioned devices, but isn’t bad either &lt;br /&gt;The bandwidth to the array does not increase as additional space is added &lt;br /&gt;It does not include thin provisioning, although this was rumored to be rectified in a future software release &lt;br /&gt;The AX4 supports up to 64 attached hosts &lt;br /&gt;But, the price per TB is simply incredible and a solution based on a different vendor would not have been attainable.  This year, I purchased just shy of 14 TB of raw space on a pair of AX4 arrays-4.8 TB SAS and 9 TB SATA-for under $40K. For the foreseeable future, I don’t need SAN copy and space can be managed in ways other than through thin provisioning.  Over time, we’ll run about two dozen virtual machines on the AX4 along with our administrative databases and Exchange 2007 databases.  By the time I need additional features, the AX4 will be due for replacement anyway.&lt;br /&gt;&lt;br /&gt;iSCSI started out at the low end of the market, helping smaller organizations begin to move toward shared storage and away from direct attached solutions.  As time goes on, iSCSI is moving up the food chain and, in many cases, is supplanting small and mid-sized Fibre Channel arrays, particularly in organizations that have never had a SAN before.  As iSCSI continues to take advantage of high-speed SAS disks and begins to use 10Gb Ethernet for a transport mechanism, I see iSCSI continuing to move higher into the market.  
Of course, faster, more reliable disks and faster networking capabilities will begin to close the savings gap between iSCSI and Fibre Channel, but iSCSI’s reliance on Ethernet for an underlying transport mechanism brings major simplicity to the storage equation and I doubt that iSCSI’s costs will ever surpass Fibre Channel anyway, mainly due to the expensive networking hardware needed for significant Fibre Channel implementations.&lt;br /&gt;&lt;br /&gt;Even though iSCSI will continue to make inroads further into many organizations, I don’t think that iSCSI will ever completely push Fibre Channel out of the way.  Many organizations rely on the raw performance afforded by Fibre Channel and the folks behind Fibre Channel’s specifications aren’t sitting still.  Every year brings advances to Fibre Channel, including faster disks and improved connection speeds.&lt;br /&gt;&lt;br /&gt;In short, I see the iSCSI market continuing to grow very rapidly and, over time, supplanting what would have been Fibre Channel installations.  
Further, as organizations continue to expand their storage infrastructures, iSCSI will be a very strong contender, particularly as the solution is updated to take advantage of improvements to the networking speed and disk performance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-6282673282822065346?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/6282673282822065346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=6282673282822065346&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6282673282822065346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6282673282822065346'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/iscsi-is-future-of-storage.html' title='iSCSI is the future of storage'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-229254308275861886</id><published>2008-10-28T06:31:00.000-07:00</published><updated>2008-10-28T06:32:20.957-07:00</updated><title type='text'>Introduction to Policy-Based Management in SQL Server 2008</title><content type='html'>Policy-Based Management in SQL Server 2008 allows the database administrator to define policies that tie to database instances and objects.  
These policies allow the Database Administrator (DBA) to specify rules for how objects and their properties are created or modified.  An example of this would be to create a database-level policy that prevents the AutoShrink property from being enabled for a database.  Another example would be a policy that ensures the name of all table triggers created on a database table begins with tr_.&lt;br /&gt;&lt;br /&gt;As with any new SQL Server technology (or Microsoft technology in general), there is a new object naming nomenclature associated with Policy-Based Management.  Below is a listing of some of the new base objects.&lt;br /&gt;&lt;br /&gt;Policy&lt;br /&gt;A Policy is a set of conditions specified on the facets of a target.  In other words, a Policy is basically a set of rules specified for properties of database or server objects.&lt;br /&gt;&lt;br /&gt;Target&lt;br /&gt;A Target is an object that is managed by Policy-Based Management.  Targets include objects such as the database instance, a database, table, stored procedure, trigger, or index.&lt;br /&gt;&lt;br /&gt;Facet&lt;br /&gt;A Facet is a property of an object (target) that can be involved in Policy-Based Management.  An example of a Facet is the name of a Trigger or the AutoShrink property of a database.&lt;br /&gt;&lt;br /&gt;Condition&lt;br /&gt;A Condition is the criteria that can be specified for a Target’s Facets.  For example, you can set a condition for a Facet that specifies that all stored procedure names in the Schema ‘Banking’ begin with the name ‘bnk_’.&lt;br /&gt;&lt;br /&gt;You can also assign a policy to a category.  This allows you to manage a set of policies assigned to the same category.  A policy belongs to only one category.&lt;br /&gt;&lt;br /&gt;Policy Evaluation Modes&lt;br /&gt;A Policy can be evaluated in a number of different ways:&lt;br /&gt;&lt;br /&gt;On demand - The policy is evaluated only when directly run by the administrator. 
&lt;br /&gt;On change: prevent - DDL triggers are used to prevent policy violations. &lt;br /&gt;On change: log only - Event notifications are used to check a policy when a change is made. &lt;br /&gt;On schedule - A SQL Agent job is used to periodically check policies for violations. &lt;br /&gt;&lt;br /&gt;Advantages of Policy-Based Management&lt;br /&gt;Policy-Based Management gives you much more control over your database procedures as a DBA.  You as a DBA have the ability to enforce your paper policies at the database level.  Paper policies are great for defining database standards and guidelines.  However, it takes time and effort to enforce these.  To strictly enforce them, you have to go over your database with a fine-toothed comb.  With Policy-Based Management, you can define your policies and rest assured that they will be enforced. &lt;br /&gt;&lt;br /&gt;Next Time&lt;br /&gt;Today I took a look at the basic ideas behind Policy-Based Management in SQL Server 2008.  In my next article I’ll take a look at how you can make these ideas a reality by showing you how you can create your own policies to use to administer your SQL Server.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-229254308275861886?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/229254308275861886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=229254308275861886&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/229254308275861886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/229254308275861886'/><link rel='alternate' type='text/html' 
href='http://msproducts.blogspot.com/2008/10/introduction-to-policy-based-management.html' title='Introduction to Policy-Based Management in SQL Server 2008'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1801818165094850779</id><published>2008-10-28T06:23:00.000-07:00</published><updated>2008-10-28T06:31:01.031-07:00</updated><title type='text'>Defining SQL Server 2008 Policies</title><content type='html'>Policy-Based Management is a new SQL Server 2008 feature that gives the Database Administrator the ability to define and enforce policies through the database engine. In today’s article I’ll look at how you can use SQL Server Management Studio to define your own policies.&lt;br /&gt;&lt;br /&gt;Define your Policies&lt;br /&gt;The most challenging part of creating an effective database policy system is deciding what exactly you want to create policies for. SQL Server 2008 provides a large range of Facets (objects) for which conditions and policies can be defined, so it will absolutely be worth the effort to take some time to map out what Policies you want to enforce.&lt;br /&gt;&lt;br /&gt;To define a new Policy, open SQL Server Management Studio and navigate to the Management node in Object Explorer. 
Before I can define a Policy, I’ll first need to define a new Condition and can easily do so by right-clicking on the Conditions folder under the Policy Management folder.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SQcS2CtPLpI/AAAAAAAAAHc/U90j4OmYbo0/s1600-h/242674-322-296.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 322px; height: 296px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SQcS2CtPLpI/AAAAAAAAAHc/U90j4OmYbo0/s400/242674-322-296.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5262195409254559378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A Condition is a set of criteria defined on a Facet. A Facet is really nothing more than a SQL Server object that you can involve in a Policy. In the Create New Condition screen, I define a new Condition named NewStoredProcedureNames. I can define the criteria for my new Condition in the Expressions section. Each Facet (Stored Procedure in this case) has a set of Fields for which condition expressions can be defined. For this particular Condition, I want to set criteria so that any new Stored Procedure name begins with usp_, and this is fairly straightforward to do through the editor.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SQcS2bgJK7I/AAAAAAAAAHk/V8KJs_BUEtk/s1600-h/242675-500-355.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 284px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SQcS2bgJK7I/AAAAAAAAAHk/V8KJs_BUEtk/s400/242675-500-355.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5262195415910525874" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Now that I have my Condition defined, I can create a new Policy.&lt;br /&gt;&lt;br /&gt;Right click the Policy folder and select New Policy. In the Open Policy window, choose the NewProcedureNames check condition we just created. Choose the On change: prevent Evaluation Mode. 
This mode will evaluate the Policy when a new stored procedure is created, and if the procedure does not start with usp_, an error will be thrown and the new procedure will be disallowed. Be sure to click the Enabled box to enable the Policy.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/SQcS2licePI/AAAAAAAAAHs/ygiXHlkxwgo/s1600-h/242676-500-421.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 337px;" src="http://4.bp.blogspot.com/_YHquImSLBBI/SQcS2licePI/AAAAAAAAAHs/ygiXHlkxwgo/s400/242676-500-421.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5262195418604534002" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To test my new Policy, I write a script to create a new stored procedure named GetCurrentDate that returns the current date. When I attempt to execute the script, I receive an error message letting me know that I have violated a Policy. For a friendlier message, you can define informative descriptions with your Policies so that the user is given more instruction as to what condition was violated.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SQcS3A8PbNI/AAAAAAAAAH0/Qg6bk_QPsD4/s1600-h/242677-500-289.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 231px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SQcS3A8PbNI/AAAAAAAAAH0/Qg6bk_QPsD4/s400/242677-500-289.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5262195425960488146" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here is the text of the procedure I attempted to create above.&lt;br /&gt;&lt;br /&gt;CREATE PROCEDURE GetCurrentDate&lt;br /&gt;AS&lt;br /&gt;SELECT CAST(GETDATE() AS DATE)&lt;br /&gt;&lt;br /&gt;Conclusion&lt;br /&gt;Today I defined a simple Policy to prevent the creation of any new stored procedure that does not begin with usp_. 
The great thing about Policy-Based Management is how complex you can make your Policies in order to adhere to your defined database policies. The more you play around with defining policies, the more creative and effective you’ll become at defining your own policies, so take advantage as soon as you can!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-1801818165094850779?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1801818165094850779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1801818165094850779&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1801818165094850779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1801818165094850779'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/defining-sql-server-2008-policies.html' title='Defining SQL Server 2008 Policies'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_YHquImSLBBI/SQcS2CtPLpI/AAAAAAAAAHc/U90j4OmYbo0/s72-c/242674-322-296.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-3181816600519366222</id><published>2008-10-28T06:20:00.001-07:00</published><updated>2008-10-28T06:22:43.552-07:00</updated><title type='text'>See what process is 
using a TCP port in Windows Server 2008</title><content type='html'>You may find yourself frequently going to network tools to determine traffic patterns from one server to another; Windows Server 2008 (and earlier versions of Windows Server) can give you that information locally for its own connections. You can combine the netstat and tasklist commands to determine what process is using a port on the Windows Server.&lt;br /&gt;&lt;br /&gt;The following command will show what network traffic is in use at the port level:&lt;br /&gt;&lt;br /&gt;Netstat -a -n -o&lt;br /&gt;&lt;br /&gt;The -o parameter displays the process identifier (PID) of the process using each port. This command will produce an output similar to what is in Figure A.&lt;br /&gt;&lt;br /&gt;Figure A&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/SQcRse_cIBI/AAAAAAAAAHM/vXrPGLZQyvA/s1600-h/238739-500-459.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 367px;" src="http://3.bp.blogspot.com/_YHquImSLBBI/SQcRse_cIBI/AAAAAAAAAHM/vXrPGLZQyvA/s400/238739-500-459.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5262194145536778258" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;With the PIDs listed in the netstat output, you can follow up with the Windows Task Manager (taskmgr.exe) or run a script with a specific PID that is using a port from the previous step. You can then use the tasklist command with the specific PID that corresponds to a port in question. From the previous example, ports 5800 and 5900 are used by PID 1812, so using the tasklist command will show you the process using the ports. 
Figure B shows this query.&lt;br /&gt;&lt;br /&gt;Figure B&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/SQcR8iCmefI/AAAAAAAAAHU/HS2pi4VWolc/s1600-h/238740-500-111.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 89px;" src="http://2.bp.blogspot.com/_YHquImSLBBI/SQcR8iCmefI/AAAAAAAAAHU/HS2pi4VWolc/s400/238740-500-111.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5262194421233252850" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This identifies VNC as the process using the ports. While a quick Google search on the ports could possibly produce the same result, this procedure can be extremely helpful when you’re trying to identify a viral process that may be running on the Windows Server.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-3181816600519366222?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/3181816600519366222/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=3181816600519366222&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3181816600519366222'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3181816600519366222'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/see-what-process-is-using-tcp-port-in.html' title='See what process is using a TCP port in Windows Server 2008'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_YHquImSLBBI/SQcRse_cIBI/AAAAAAAAAHM/vXrPGLZQyvA/s72-c/238739-500-459.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1126431876777744189</id><published>2008-10-28T06:13:00.000-07:00</published><updated>2008-10-28T06:15:49.777-07:00</updated><title type='text'>Consider running the browser service on Windows Server 2008 DCs</title><content type='html'>Many Windows administrators, myself included, are trying to stop using NetBIOS and switch to DNS exclusively for name resolution. But under certain situations, a Windows Server 2008 domain controller may not display networks correctly when browsing the network.&lt;br /&gt;&lt;br /&gt;For Windows Server 2008 installations, the computer browser is disabled by default, and dcpromo does not change the configuration of the service when Active Directory is installed. The network browsing is convenient for drive mappings and quick access to systems, and this browsing depends on the short name features of NetBIOS.&lt;br /&gt;&lt;br /&gt;One way to correct these computer display issues is to configure the computer browser service to be an automatic starting service. There are a number of ways to do this, including the sc command. 
Figure A shows the sc command used to configure the service to be automatic and then immediately start the computer browser service.&lt;br /&gt;&lt;br /&gt;Figure A&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/SQcQDGK3e1I/AAAAAAAAAHE/EgtAtNmXP2k/s1600-h/238741-500-142.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 114px;" src="http://1.bp.blogspot.com/_YHquImSLBBI/SQcQDGK3e1I/AAAAAAAAAHE/EgtAtNmXP2k/s400/238741-500-142.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5262192334987557714" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;If you have this configuration for domain controllers running, the flexible single master operation (FSMO) role can prevent the browse-ready computers from being removed from display. However, this service has been set with a default state of Disable and should only be changed if your browse-ready list of computers is shrinking or is only a local subnet.&lt;br /&gt;&lt;br /&gt;NetBIOS resolution is handy except for very large Active Directory networks. 
Larger networks are better off using the Windows Server 2008 GlobalNames zone.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-1126431876777744189?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1126431876777744189/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1126431876777744189&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1126431876777744189'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1126431876777744189'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/consider-running-browser-service-on.html' title='Consider running the browser service on Windows Server 2008 DCs'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/_YHquImSLBBI/SQcQDGK3e1I/AAAAAAAAAHE/EgtAtNmXP2k/s72-c/238741-500-142.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-144799400948610619</id><published>2008-10-07T05:49:00.000-07:00</published><updated>2008-10-07T05:51:30.595-07:00</updated><title type='text'>10 things you should know about launching an IT consultancy</title><content type='html'>Oh yeah. You’re going to work for yourself, be your own boss. Come and go when you want. 
No more kowtowing to The Man, right?&lt;br /&gt;&lt;br /&gt;Running your own computer consulting business is rewarding, but it’s also full of numerous and competing challenges. Before you make the jump into entrepreneurship, take a moment to benefit from a few hundred hours of research I’ve invested and the real-world lessons I’ve learned in launching my own computer consulting franchise.&lt;br /&gt;&lt;br /&gt;There are plenty of launch-your-own-business books out there. I know. I read several of them. Most are great resources. Many provide critical lessons in best managing liquid assets, understanding opportunity costs, and leveraging existing business relationships. But when it comes down to the dirty details, here are 10 things you really, really need to know (in street language) before quitting your day job.&lt;br /&gt;&lt;br /&gt;#1: You need to incorporate&lt;br /&gt;You don’t want to lose your house if a client’s data is lost. If you try hanging out a shingle as an independent lone ranger, your personal assets could be at risk. (Note that I’m not dispensing legal or accounting advice. Consult your attorney for legal matters and a qualified accountant regarding tax issues.)&lt;br /&gt;&lt;br /&gt;Ultimately, life is easier when your business operates as a business and not as a side project you maintain when you feel like it. Clients appreciate the assurance of working with a dedicated business. I can’t tell you how many clients I’ve obtained whose last IT guy “did it on the side” and has now taken a corporate job and doesn’t have time to help the client whose business has come to a standstill because of computer problems. Clients want to know you’re serious about providing service and that they’re not entering a new relationship in which they’re just going to get burned again in a few months’ time.&lt;br /&gt;&lt;br /&gt;#2: You need to register for a federal tax ID number&lt;br /&gt;Next, you need to register for a federal tax ID number. 
Hardly anyone (vendors, banks, and even some clients) will talk to you if you don’t.&lt;br /&gt;&lt;br /&gt;Wait a second. Didn’t you just complete a mountain of paperwork to form your business (either as a corporation or LLC)? Yes, you did. But attorneys and online services charge incredible rates to obtain a federal tax ID for you.&lt;br /&gt;&lt;br /&gt;Here’s a secret: It’s easy. Just go to the IRS Web site, complete and submit form SS-4 online, and voila. You’ll be the proud new owner of a federal tax ID.&lt;br /&gt;&lt;br /&gt;#3: You need to register for a state sales tax exemption&lt;br /&gt;You need a state sales tax exemption, too (most likely). If you’re in a state that collects sales tax, you’re responsible for ensuring sales tax gets paid on any item you sell a client. In such states, whether you buy a PC for a customer or purchase antivirus licenses, taxes need to be paid.&lt;br /&gt;&lt;br /&gt;Check your state’s Web site. Look for information on the state’s department of revenue. You’ll probably have to complete a form, possibly even have it notarized, and return it to the state’s revenue cabinet. Within a few weeks, you’ll receive an account number. You’ll use that account number when you purchase products from vendors. You can opt NOT to pay sales tax when you purchase the item, instead choosing to pay the sales tax when you sell the item to the client.&lt;br /&gt;&lt;br /&gt;Why do it this way? Because many (most) consultants charge clients far more for a purchase than the consultant paid. Some call it markup; accountants prefer to view it as profit. But you certainly don’t want to have to try to determine what taxes still need to be paid if some tax was paid earlier. Thus, charge tax at the point of sale to the customer, not when you purchase the item.&lt;br /&gt;&lt;br /&gt;#4: You need to register with local authorities&lt;br /&gt;Local government wants its money, too. 
Depending on where your business is located and services customers, you’ll likely need to register for a business license. As with the state sales tax exemption, contact your local government’s revenue cabinet or revenue commission for more information on registering your business. Expect to pay a fee for the privilege.&lt;br /&gt;&lt;br /&gt;#5: QuickBooks is your friend&lt;br /&gt;Once your paperwork’s complete, it’s time for more paperwork. In fact, you’d better learn to love paperwork, as a business owner. There’s lots of it, whether it’s preparing quarterly tax filings, generating monthly invoicing, writing collection letters, or simply returning monthly sales reports to state and local revenue cabinets.&lt;br /&gt;&lt;br /&gt;QuickBooks can simplify the process. From helping keep your service rates consistent (you’ll likely want one level for benchwork, another for residential or home office service, and yet a third for commercial accounts) to professionally invoicing customers, QuickBooks can manage much of your finances.&lt;br /&gt;&lt;br /&gt;I recommend purchasing the latest Pro version, along with the corresponding Missing Manual book for the version you’ve bought. Plan on spending a couple of weekends, BEFORE you’ve launched your business, doing nothing but studying the financial software. Better yet, obtain assistance from an accountant or certified QuickBooks professional to set up your initial Chart of Accounts. A little extra time taken on the front end to ensure the software’s configured properly for your business will save you tons of time on the backend. I promise.&lt;br /&gt;&lt;br /&gt;#6: Backend systems will make or break you&lt;br /&gt;Speaking of backend, backend systems are a pain in the you-know-what. And by backend, I mean all your back office chores, from marketing services to billing to vendor management and fulfillment. 
Add call management to the list, too.&lt;br /&gt;&lt;br /&gt;Just as when you’re stuck in traffic driving between service calls, you don’t make any money when you’re up to your elbows in paper or processing tasks. It’s frustrating. Clients want you to order a new server box, two desktops, and a new laptop. They don’t want to pay a markup, either. But they’re happy to pay you for your time to install the new equipment.&lt;br /&gt;&lt;br /&gt;Sound good? It’s not.&lt;br /&gt;&lt;br /&gt;Consider the facts. You have to form a relationship with the vendor. It will need your bank account information, maybe proof of insurance (expect to carry one million dollars of general liability), your state sales tax exemption ID, your federal employer ID, a list of references, and a host of other information that takes a day to collect. Granted, you have to do that only once (with each vendor, and you’ll need about 10), but then you still have to wade through their catalogs, select the models you need, and configure them with the appropriate tape arrays, software packages, etc. That takes an hour alone. And again, you’re typically not getting paid for this research. Even if you mark hardware sales up 15 percent, don’t plan on any Hawaiian vacation as a result.&lt;br /&gt;&lt;br /&gt;Add in similar trials and tribulations with your marketing efforts, billing systems, vendor maintenance, channel resellers, management issues, etc., and you can see why many consultants keep a full-time office manager on staff. It’s no great revelation of my business strategy to say that’s why I went with a franchise group. I have a world of backend support ready and waiting when I need it. I can’t imagine negotiating favorable or competitive pricing with computer manufacturers, antivirus vendors, or Microsoft if I operated on my own.&lt;br /&gt;&lt;br /&gt;Before you open your doors, make sure that you know how you’ll tackle these wide-ranging back office chores. 
You’ll be challenged with completing them on an almost daily basis.&lt;br /&gt;&lt;br /&gt;#7: Vendor relationships will determine your success&lt;br /&gt;This is one of those business facets I didn’t fully appreciate until I was operating on my own. Everyone wants you to sell their stuff, right? How hard can it be for the two of you to hook up?&lt;br /&gt;&lt;br /&gt;Well, it’s hard, as it turns out, to obtain products configured exactly as your client needs quickly and at a competitive price if you don’t have strong vendor relationships. That means you’ll need to spend time at trade shows and on the telephone developing business relationships with everyone from software manufacturers and hardware distributors to local computer store owners who keep life-saving SATA disks and patch 5 cables in stock when you can’t wait five days for them to show up via UPS.&lt;br /&gt;&lt;br /&gt;Different vendors have their own processes, so be prepared to learn myriad ways of signing up and jumping through hoops. Some have online registrations; others prefer faxes and notarized affidavits. Either way, they all take time to launch, so plan on beginning vendor discussions, and establishing your channel relationships, months in advance of opening your consultancy.&lt;br /&gt;&lt;br /&gt;#8: You must know what you do (and explain it in 10 seconds or less)&lt;br /&gt;All the start-your-own-business books emphasize writing your 50-page business plan. Yes, I did that. And do you know how many times I’ve referred to it since I opened my business? Right; not once.&lt;br /&gt;&lt;br /&gt;The written business plan is essential. Don’t get me wrong. It’s important because it gets you thinking about all those topics (target markets, capitalization, sales and marketing, cash flow requirements, etc.) 
you must master to be successful.&lt;br /&gt;&lt;br /&gt;But here’s what you really need to include in your business plan: a succinct and articulate explanation of what your business does, how the services you provide help other businesses succeed, and how you’re different. Oh, and you need to be able to explain all that in 10 seconds or less.&lt;br /&gt;&lt;br /&gt;Really. I’m not kidding.&lt;br /&gt;&lt;br /&gt;Business Network International (plan on joining the chapter in your area) is on to something when it allots members just 30 seconds or so to explain what they do and the nature of their competitive advantage. Many times I’ve been approached in elevators, at stoplights (with the windows down), and just entering my car in a parking lot by prospective customers. Sometimes they have a quick question, other times they need IT help right now. Here’s the best part; they don’t always know it.&lt;br /&gt;&lt;br /&gt;The ability to quickly communicate the value of the services you provide is paramount to success. Ensure that you can rattle off a sincere description of what you do and how you do it in 10 seconds and without having to think about it. It must be a natural reaction you develop to specific stimuli. You’ll cash more checks if you do.&lt;br /&gt;&lt;br /&gt;#9: It’s all about the branding&lt;br /&gt;Why have I been approached by customers at stoplights, in parking lots, and in elevators? I believe in branding. And unlike many pop business books that broach the subject of branding but don’t leave you with any specifics, here’s what I mean by that.&lt;br /&gt;&lt;br /&gt;People know what I do. Give me 10 seconds and I can fill in any knowledge gaps quickly. My “brand” does much of the ice breaking for me. I travel virtually nowhere without it. My company’s logo and telephone number are on shirts. Long sleeve, short sleeve, polos, and dress shirts; they all feature my logo. 
Both my cars are emblazoned with logos, telephone numbers, and simple marketing messages (which I keep consistent with my Yellow Pages and other advertising).&lt;br /&gt;&lt;br /&gt;I have baseball hats for casual trips to Home Depot. My attaché features my company logo. My wife wears shirts displaying the company logo when grocery shopping. After I visit clients, even their PC bears a shiny silver sticker with my logo and telephone number.&lt;br /&gt;&lt;br /&gt;Does it work? You better believe it. Hang out a shingle and a few people will call. Plaster a consistent but tasteful logo and simple message on your cars, clothing, ads, Web site, etc., and the calls begin stacking up.&lt;br /&gt;&lt;br /&gt;Do you have to live, eat, and breathe the brand? No. But it helps. And let’s face it. After polishing off a burrito and a beer, I don’t mind someone asking if they can give me their laptop to repair when I approach my car in a parking lot. Just in case they have questions, I keep brochures, business cards and notepads (again, all featuring my logo and telephone number) in my glove box. You’d be surprised how quickly I go through them. I am.&lt;br /&gt;&lt;br /&gt;#10: A niche is essential&lt;br /&gt;The business plan books touch on this, but they rarely focus on technology consultants directly. You need to know your market niche. I’m talking about your target market here.&lt;br /&gt;&lt;br /&gt;Will you service only small businesses? If so, you better familiarize yourself with the software they use. Or are you targeting physicians? In that case, you better know all things HIPAA, Intergy, and Medisoft (among others).&lt;br /&gt;&lt;br /&gt;Know up front that you’re not going to be able to master everything. I choose to manage most Windows server, desktop, and network issues. When I encounter issues with specific medical software, dental systems, or client relationship software platforms, I call in an expert trained on those platforms. 
We work alongside to iron out the issue together.&lt;br /&gt;&lt;br /&gt;Over time, that strategy provides me with greater penetration into more markets than if I concentrated solely on mastering medical systems, for example. Plus, clients respect you when you tell them you’re outside your area of expertise. It builds trust, believe it or not.&lt;br /&gt;&lt;br /&gt;Whatever you choose to focus on, ensure that you know your niche. Do all you can to research your target market thoroughly and understand the challenges such clients battle daily. Otherwise, you’ll go crazy trying to develop expertise with Medisoft databases at the same time Intel’s rolling out new dual-core chips and Microsoft’s releasing a drastically new version of Office.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-144799400948610619?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/144799400948610619/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=144799400948610619&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/144799400948610619'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/144799400948610619'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-things-you-should-know-about.html' title='10 things you should know about launching an IT consultancy'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-7795746137087087012</id><published>2008-10-07T05:48:00.000-07:00</published><updated>2008-10-07T05:49:09.170-07:00</updated><title type='text'>10 fundamental differences between Linux and Windows</title><content type='html'>I have been around the Linux community for more than 10 years now. From the very beginning, I have known that there are basic differences between Linux and Windows that will always set them apart. This is not, in the least, to say one is better than the other. It’s just to say that they are fundamentally different. Many people, looking from the view of one operating system or the other, don’t quite get the differences between these two powerhouses. So I decided it might serve the public well to list 10 of the primary differences between Linux and Windows.&lt;br /&gt;&lt;br /&gt;#1: Full access vs. no access&lt;br /&gt;Having access to the source code is probably the single most significant difference between Linux and Windows. The fact that Linux belongs to the GNU Public License ensures that users (of all sorts) can access (and alter) the code to the very kernel that serves as the foundation of the Linux operating system. You want to peer at the Windows code? Good luck. Unless you are a member of a very select (and elite, to many) group, you will never lay eyes on code making up the Windows operating system.&lt;br /&gt;&lt;br /&gt;You can look at this from both sides of the fence. Some say giving the public access to the code opens the operating system (and the software that runs on top of it) to malicious developers who will take advantage of any weakness they find. Others say that having full access to the code helps bring about faster improvements and bug fixes to keep those malicious developers from being able to bring the system down. 
I have, on occasion, dipped into the code of one Linux application or another, and when all was said and done, was happy with the results. Could I have done that with a closed-source Windows application? No.&lt;br /&gt;&lt;br /&gt;#2: Licensing freedom vs. licensing restrictions&lt;br /&gt;Along with access comes the difference between the licenses. I’m sure that every IT professional could go on and on about licensing of PC software. But let’s just look at the key aspect of the licenses (without getting into legalese). With a Linux GPL-licensed operating system, you are free to modify that software and use and even republish or sell it (so long as you make the code available). Also, with the GPL, you can download a single copy of a Linux distribution (or application) and install it on as many machines as you like. With the Microsoft license, you can do none of the above. You are bound to the number of licenses you purchase, so if you purchase 10 licenses, you can legally install that operating system (or application) on only 10 machines.&lt;br /&gt;&lt;br /&gt;#3: Online peer support vs. paid help-desk support&lt;br /&gt;This is one issue where most companies turn their backs on Linux. But it’s really not necessary. With Linux, you have the support of a huge community via forums, online search, and plenty of dedicated Web sites. And of course, if you feel the need, you can purchase support contracts from some of the bigger Linux companies (Red Hat and Novell for instance).&lt;br /&gt;&lt;br /&gt;However, when you use the peer support inherent in Linux, you do fall prey to time. You could have an issue with something, send out e-mail to a mailing list or post on a forum, and within 10 minutes be flooded with suggestions. Or these suggestions could take hours or days to come in. It seems all up to chance sometimes. Still, generally speaking, most problems with Linux have been encountered and documented. 
So chances are good you’ll find your solution fairly quickly.&lt;br /&gt;&lt;br /&gt;On the other side of the coin is support for Windows. Yes, you can go the same route with Microsoft and depend upon your peers for solutions. There are just as many help sites/lists/forums for Windows as there are for Linux. And you can purchase support from Microsoft itself. Most corporate higher-ups easily fall victim to the safety net that having a support contract brings. But most higher-ups haven’t had to depend upon said support contract. Of the various people I know who have used either a Linux paid support contract or a Microsoft paid support contract, I can’t say one was more pleased than the other. This of course begs the question “Why do so many say that Microsoft support is superior to Linux paid support?”&lt;br /&gt;&lt;br /&gt;#4: Full vs. partial hardware support&lt;br /&gt;One issue that is slowly becoming nonexistent is hardware support. Years ago, if you wanted to install Linux on a machine you had to make sure you hand-picked each piece of hardware or your installation would not work 100 percent. I can remember, back in 1997-ish, trying to figure out why I couldn’t get Caldera Linux or Red Hat Linux to see my modem. After much looking around, I found I was the proud owner of a Winmodem. So I had to go out and purchase a US Robotics external modem because that was the one modem I knew would work. This is not so much the case now. You can grab a PC (or laptop) and most likely get one or more Linux distributions to install and work nearly 100 percent. But there are still some exceptions. For instance, hibernate/suspend remains a problem with many laptops, although it has come a long way.&lt;br /&gt;&lt;br /&gt;With Windows, you know that most every piece of hardware will work with the operating system. 
Of course, there are times (and I have experienced this over and over) when you will wind up spending much of the day searching for the correct drivers for that piece of hardware you no longer have the install disk for. But you can go out and buy that 10-cent Ethernet card and know it’ll work on your machine (so long as you have, or can find, the drivers). You also can rest assured that when you purchase that insanely powerful graphics card, you will probably be able to take full advantage of its power.&lt;br /&gt;&lt;br /&gt;#5: Command line vs. no command line&lt;br /&gt;No matter how far the Linux operating system has come and how amazing the desktop environment becomes, the command line will always be an invaluable tool for administration purposes. Nothing will ever replace my favorite text-based editor, ssh, and any given command-line tool. I can’t imagine administering a Linux machine without the command line. But for the end user — not so much. You could use a Linux machine for years and never touch the command line. Same with Windows. You can still use the command line with Windows, but not nearly to the extent as with Linux. And Microsoft tends to obfuscate the command prompt from users. Without going to Run and entering cmd (or command, or whichever it is these days), the user won’t even know the command-line tool exists. And if a user does get the Windows command line up and running, how useful is it really?&lt;br /&gt;&lt;br /&gt;#6: Centralized vs. noncentralized application installation&lt;br /&gt;The heading for this point might have thrown you for a loop. But let’s think about this for a second. With Linux you have (with nearly every distribution) a centralized location where you can search for, add, or remove software. I’m talking about package management systems, such as Synaptic. 
With Synaptic, you can open up one tool, search for an application (or group of applications), and install that application without having to do any Web searching (or purchasing).&lt;br /&gt;&lt;br /&gt;Windows has nothing like this. With Windows, you must know where to find the software you want to install, download the software (or put the CD into your machine), and run setup.exe or install.exe with a simple double-click. For many years, it was thought that installing applications on Windows was far easier than on Linux. And for many years, that thought was right on target. Not so much now. Installation under Linux is simple, painless, and centralized.&lt;br /&gt;&lt;br /&gt;#7: Flexibility vs. rigidity&lt;br /&gt;I always compare Linux (especially the desktop) and Windows to a room where the floor and ceiling are either movable or not. With Linux, you have a room where the floor and ceiling can be raised or lowered, at will, as high or low as you want to make them. With Windows, that floor and ceiling are immovable. You can’t go further than Microsoft has deemed it necessary to go.&lt;br /&gt;&lt;br /&gt;Take, for instance, the desktop. Unless you are willing to pay for and install a third-party application that can alter the desktop appearance, with Windows you are stuck with what Microsoft has declared is the ideal desktop for you. With Linux, you can pretty much make your desktop look and feel exactly how you want/need. You can have as much or as little on your desktop as you want. From simple flat Fluxbox to a full-blown 3D Compiz experience, the Linux desktop is as flexible an environment as there is on a computer.&lt;br /&gt;&lt;br /&gt;#8: Fanboys vs. corporate types&lt;br /&gt;I wanted to add this because even though Linux has reached well beyond its school-project roots, Linux users tend to be soapbox-dwelling fanatics who are quick to spout off about why you should be choosing Linux over Windows. 
I am guilty of this on a daily basis (I try hard to recruit new fanboys/girls), and it’s a badge I wear proudly. Of course, this is seen as less than professional by some. After all, why would something worthy of a corporate environment have or need cheerleaders? Shouldn’t the software sell itself? Because of the open source nature of Linux, it has to make do without the help of the marketing budgets and deep pockets of Microsoft. With that comes the need for fans to help spread the word. And word of mouth is the best friend of Linux.&lt;br /&gt;&lt;br /&gt;Some see the fanaticism as the same college-level hoorah that keeps Linux in the basements for LUG meetings and science projects. But I beg to differ. Another company, thanks to the phenomenon of a simple music player and phone, has fallen into the same fanboy fanaticism, and yet that company’s image has not been besmirched because of that fanaticism. Windows does not have these same fans. Instead, Windows has a league of paper-certified administrators who believe the hype when they hear the misrepresented market share numbers reassuring them they will be employable until the end of time.&lt;br /&gt;&lt;br /&gt;#9: Automated vs. nonautomated removable media&lt;br /&gt;I remember the days of old when you had to mount your floppy to use it and unmount it to remove it. Well, those times are drawing to a close — but not completely. One issue that plagues new Linux users is how removable media is used. The idea of having to manually “mount” a CD drive to access the contents of a CD is completely foreign to new users. There is a reason this is the way it is. Because Linux has always been a multiuser platform, it was thought that forcing a user to mount a media to use it would keep the user’s files from being overwritten by another user. Think about it: On a multiuser system, if everyone had instant access to a disk that had been inserted, what would stop them from deleting or overwriting a file you had just added to the media? 
Things have now evolved to the point where Linux subsystems are set up so that you can use a removable device in the same way you use them in Windows. But it’s not the norm. And besides, who doesn’t want to manually edit the /etc/fstab file?&lt;br /&gt;&lt;br /&gt;#10: Multilayered run levels vs. a single-layered run level&lt;br /&gt;I couldn’t figure out how best to title this point, so I went with a description. What I’m talking about is Linux’ inherent ability to stop at different run levels. With this, you can work from either the command line (run level 3) or the GUI (run level 5). This can really save your socks when X Windows is fubared and you need to figure out the problem. You can do this by booting into run level 3, logging in as root, and finding/fixing the problem.&lt;br /&gt;&lt;br /&gt;With Windows, you’re lucky to get to a command line via safe mode — and then you may or may not have the tools you need to fix the problem. In Linux, even in run level 3, you can still get and install a tool to help you out (hello apt-get install APPLICATION via the command line). Having different run levels is helpful in another way. Say the machine in question is a Web or mail server. You want to give it all the memory you have, so you don’t want the machine to boot into run level 5. However, there are times when you do want the GUI for administrative purposes (even though you can fully administer a Linux server from the command line). Because you can run the startx command from the command line at run level 3, you can still start up X Windows and have your GUI as well. With Windows, you are stuck at the Graphical run level unless you hit a serious problem.&lt;br /&gt;&lt;br /&gt;Your call…&lt;br /&gt;Those are 10 fundamental differences between Linux and Windows. You can decide for yourself whether you think those differences give the advantage to one operating system or the other. Me? 
Well I think my reputation (and opinion) precedes me, so I probably don’t need to say I feel strongly that the advantage leans toward Linux.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-7795746137087087012?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/7795746137087087012/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=7795746137087087012&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7795746137087087012'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7795746137087087012'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-fundamental-differences-between.html' title='10 fundamental differences between Linux and Windows'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2873675551653229113</id><published>2008-10-07T05:45:00.000-07:00</published><updated>2008-10-07T05:46:54.431-07:00</updated><title type='text'>10 tips for implementing green IT</title><content type='html'>“Going green” is the hot new trend in the business world, and that naturally filters down to the IT department. 
Implemented correctly, eco-friendly tactics can make your operations more efficient and save you money.&lt;br /&gt;&lt;br /&gt;The goals of green IT include minimizing the use of hazardous materials, maximizing energy efficiency, and encouraging recycling and/or use of biodegradable products — without negatively affecting productivity. In this article, we’ll look at 10 ways to implement green IT practices in your organization.&lt;br /&gt;&lt;br /&gt;#1: Buy energy efficient hardware&lt;br /&gt;New offerings from major hardware vendors include notebooks, workstations, and servers that meet the EPA’s Energy Star guidelines for lower power consumption. Look for systems that have good EPEAT ratings (www.epeat.net). The ratings use standards set by the IEEE to measure “environmental performance.” All EPEAT-registered products must meet Energy Star 4.0 criteria.&lt;br /&gt;&lt;br /&gt;Multicore processors increase processing output without substantially increasing energy usage. Also look for high efficiency (80%) power supplies, variable speed temperature controlled fans, small form factor hard drives, and low voltage processors.&lt;br /&gt;&lt;br /&gt;#2: Use power management technology and best practices&lt;br /&gt;Modern operating systems running on Advanced Configuration and Power Interface (ACPI)-enabled systems incorporate power-saving features that allow you to configure monitors and hard disks to power down after a specified period of inactivity. Systems can be set to hibernate when not in use, thus powering down the CPU and RAM as well.&lt;br /&gt;&lt;br /&gt;Hardware vendors have their own power management software, which they load on their systems or offer as options. For example, HP’s Power Manager provides real-time reporting that shows how the settings you have configured affect the energy used by the computer.&lt;br /&gt;&lt;br /&gt;There are also many third-party power management products that can provide further flexibility and control over computers’ energy consumption. 
Some programs make it possible to manually reduce the power voltage to the CPU. Others can handle it automatically on systems with Intel SpeedStep or AMD Cool’n’Quiet technologies.&lt;br /&gt;&lt;br /&gt;Other technologies, such as Intel’s vPro, allow you to turn computers on and off remotely, thus saving energy because you don’t have to leave systems on if you want, for example, to schedule a patch deployment at 2:00 A.M.&lt;br /&gt;&lt;br /&gt;#3: Use virtualization technology to consolidate servers&lt;br /&gt;You can reduce the number of physical servers, and thus the energy consumption, by using virtualization technology to run multiple virtual machines on a single physical server. Because many servers are severely underutilized (in many cases, in use only 10 to 15 percent of the time they’re running), the savings can be dramatic. VMware claims that its virtualized infrastructure can decrease energy costs by as much as 80 percent.&lt;br /&gt;&lt;br /&gt;The same type of benefits can be realized with Microsoft’s Hyper-V virtualization technology, which is an integrated operating system feature of Windows Server 2008.&lt;br /&gt;&lt;br /&gt;#4: Consolidate storage with SAN/NAS solutions&lt;br /&gt;Just as server consolidation saves energy, so does consolidation of storage using storage area networks and network attached storage solutions. The Storage Networking Industry Association (SNIA) proposes such practices as powering down selected drives, using slower drives where possible, and not overbuilding power/cooling equipment based on peak power requirements shown in label ratings.&lt;br /&gt;&lt;br /&gt;#5: Optimize data center design&lt;br /&gt;Data centers are huge consumers of energy, and cooling all the equipment is a big issue. 
Data center design that incorporates hot aisle and cold aisle layout, coupled cooling (placing cooling systems closer to heat sources), and liquid cooling can tremendously reduce the energy needed to run the data center.&lt;br /&gt;&lt;br /&gt;Another way to “green” the data center is to use low-powered blade servers and more energy-efficient uninterruptible power supplies, which can use 70 percent less power than a legacy UPS.&lt;br /&gt;&lt;br /&gt;Optimum data center design for saving energy should also take into account the big picture, by considering the use of alternative energy technologies (photovoltaics, evaporative cooling, etc.) and catalytic converters on backup generators, and from the ground up, by minimizing the footprints of the buildings themselves. Energy-monitoring systems provide the information you need to measure efficiency. This Microsoft TechNet article discusses various ways to build a green data center.&lt;br /&gt;&lt;br /&gt;#6: Use thin clients to reduce GPU power usage&lt;br /&gt;Another way to reduce the amount of energy consumed by computers is to deploy thin clients. Because most of the processing is done on the server, the thin clients use very little energy. In fact, a typical thin client uses less power while up and running applications than an Energy Star compliant PC uses in sleep mode. Thin clients are also ecologically friendly because they generate less e-waste. There’s no hard drive, less memory, and fewer components to be dealt with at the end of their lifecycles.&lt;br /&gt;&lt;br /&gt;Last year, a Verizon spokesman said the company had decreased energy consumption by 30 percent by replacing PCs with thin clients, saving about $1 million per year.&lt;br /&gt;&lt;br /&gt;#7: Use more efficient displays&lt;br /&gt;If you have old CRT monitors still in use, replacing them with LCD displays can save up to 70 percent in energy costs. However, not all LCD monitors are created equal when it comes to power consumption. 
High efficiency LCDs are available from several vendors.&lt;br /&gt;&lt;br /&gt;LG recently released what it claims is the world’s most energy efficient LCD monitor, the Flatron W2252TE. Tests have shown that it uses less than half the power of conventional 22-inch monitors.&lt;br /&gt;&lt;br /&gt;#8: Recycle systems and supplies&lt;br /&gt;To reduce the load on already overtaxed landfills and to avoid sending hazardous materials to those landfills (where they can leach into the environment and cause harm), old systems and supplies can be reused, repurposed, and/or recycled. You can start by repurposing items within the company; for example, in many cases, when a graphics designer or engineer needs a new high end workstation to run resource-hungry programs, the old computer is perfectly adequate for use by someone doing word processing, spreadsheets, or other less intensive tasks. This hand-me-down method allows two workers to get better systems than they had, while requiring the purchase of only one new machine (thus saving money and avoiding unnecessary e-waste).&lt;br /&gt;&lt;br /&gt;Old electronic devices can also be reused by those outside the company. You can donate old computers and other devices still in working order to schools and nonprofit organizations, which can still get a lot of use out of them. Finally, much electronic waste can be recycled, the parts used to make new items. Things like old printer cartridges, old cell phones, and paper can all be recycled. Some computer vendors, such as Dell, have programs to take back computers and peripherals for recycling.&lt;br /&gt;&lt;br /&gt;#9: Reduce paper consumption&lt;br /&gt;Another way to save money while reducing your company’s impact on the environment is to reduce your consumption of paper. You can do this by switching from a paper-based to an electronic workflow: creating, editing, viewing, and delivering documents in digital rather than printed form. 
Send documents as e-mail attachments rather than faxing.&lt;br /&gt;&lt;br /&gt;And when printing is unavoidable, you can still reduce waste and save money by setting your printers to use duplex (double-sided) printing. An internal study conducted by HP showed that a Fortune 500 company can save 800 tons of paper per year (a savings of over $7 million) by printing on both sides.&lt;br /&gt;&lt;br /&gt;#10: Encourage telecommuting&lt;br /&gt;The ultimate way to have a greener office is to have less office. By encouraging as many workers as possible to telecommute, you can reduce the amount of office space that needs to be heated and cooled, the number of computers required on site, and the number of miles driven by employees to get to and from work. Telecommuting reduces costs for both employers and employees and can also reduce the spread of contagious diseases.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-2873675551653229113?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2873675551653229113/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2873675551653229113&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2873675551653229113'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2873675551653229113'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-tips-for-implementing-green-it.html' title='10 tips for implementing green IT'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-25846135879935052</id><published>2008-10-07T05:44:00.000-07:00</published><updated>2008-10-07T05:45:02.432-07:00</updated><title type='text'>10 surprising things about Windows Server 2008</title><content type='html'>Windows Server 2003 felt like a refresh of Windows Server 2000. There were few radical changes, and most of the improvements were fairly under the surface. Windows Server 2008, on the other hand, is a full-size helping of “new and improved.” While the overall package is quite good, there are a few surprises, “gotchas,” and hidden delights you will want to know about before deciding if you will be moving to Windows Server 2008 any time soon.&lt;br /&gt;&lt;br /&gt;#1: The 64-bit revolution is not complete&lt;br /&gt;There have been 64-bit editions of Windows Server for years now, and Microsoft has made it quite clear that it wants all of its customers to move to 64-bit operating systems. That does not mean that you can throw away your 32-bit Windows Server 2008 CD, though! Over the last few months, I have been shocked on more than one occasion by the pieces of Microsoft software that not only do not have 64-bit versions, but will not run under a 64-bit OS at all. This list includes Team Foundation Server and ISA Server. If you are planning on moving to 64-bit Windows Server 2008, be prepared to have a 32-bit server or two around, whether it be on physical hardware or in a VM.&lt;br /&gt;&lt;br /&gt;#2: Who moved my cheese?&lt;br /&gt;While the UI changes in Windows Server 2008 are not nearly as sweeping as the Aero interface in Vista, it has undergone a dramatic rearrangement and renaming of the various applets around the system. 
In retrospect, the organization of these items is much more sensible, but that hardly matters when you have years of experience going to a particular area to find something, only to have it suddenly change. Expect to be a bit frustrated in the Control Panel until you get used to it.&lt;br /&gt;&lt;br /&gt;#3: Windows Workstation 2008 might catch on&lt;br /&gt;In an odd turn of events, Microsoft has provided the ability to bring the “Vista Desktop Experience” into Windows Server 2008. I doubt that many server administrators were asking for this, but the unusual result is that a number of people are modifying Windows Server 2008 to be as close to a desktop OS as possible. There have always been a few people who use the server edition of Windows as a desktop, but this makes it much easier and friendlier. These home-brewed efforts are generally called “Windows Workstation 2008,” in case you’re interested in trying it out on your own.&lt;br /&gt;&lt;br /&gt;#4: Hyper-V is good, but…&lt;br /&gt;Hyper-V was one of the most anticipated features of Windows Server 2008, and it’s surprisingly good, particularly for a version 1 release from Microsoft. It is stable, easy to install and configure, and does not seem to have any major problems. For those of us who have been beaten into the “wait until the third version” or “don’t install until SP1” mentality, this is a refreshing surprise.&lt;br /&gt;&lt;br /&gt;#5: …Hyper-V is limited&lt;br /&gt;Hyper-V, while of high quality, is sorely lacking features. Considering that it was billed as a real alternative to VMware and other existing solutions, it is a disappointment (to say the least) that it does not seem to include any utilities for importing VMs from products other than Virtual PC and Virtual Server. Even those imports are not workaround-free. Another real surprise here is the lack of a physical-to-virtual conversion utility. 
Hyper-V may be a good system, but make sure that you fully try it out before you commit to using it.&lt;br /&gt;&lt;br /&gt;#6: NT 4 domain migration — it’s not happening&lt;br /&gt;If you have been putting off the painful migration from your NT 4 domain until Windows Server 2008 was released, don’t keep waiting. The older version (3.0) Active Directory Migration Tool (ADMT) supports migrations from NT 4, but not to Windows Server 2008. The latest version (3.1) supports migrations to Windows Server 2008, but not from NT 4. Either migrate from NT 4 before changing your domain to be a Windows 2008 domain or get your NT 4 domain upgraded first.&lt;br /&gt;&lt;br /&gt;#7: The ashtrays are now optional&lt;br /&gt;In prior versions of Windows Server, a lot of applications came installed by default. No one ever uninstalled them because they did not cause any harm, even if you didn’t use them or installed an alternative. Now, even the “throwaway” applications, like Windows Backup, are not installed by default. After installation, you need to add “features” to get the full Windows Server suite of applications. This can be frustrating if you are in a hurry, but the reduced clutter and resource overhead are worth it.&lt;br /&gt;&lt;br /&gt;#8: Licensing is bewildering&lt;br /&gt;Continuing a hallowed Microsoft tradition, trying to understand the licensing terms of Windows Server 2008 feels like hammering nails with your forehead. So maybe this isn’t so much a surprise as a gotcha. The Standard Edition makes sense, but when you get into the issues around virtualization in Enterprise and Datacenter Editions, things can be a bit confusing. Depending upon your need for virtual machines and the number of physical CPUs (not CPU cores, thankfully) in your server, Enterprise Edition may be cheaper — or it may be more expensive than Datacenter Edition. One thing to keep in mind is that once you start using virtual machines, you start to like them a lot more than you thought you would. 
It’s easy to find yourself using a lot more of them than originally expected.&lt;br /&gt;&lt;br /&gt;#9: There’s no bloat&lt;br /&gt;Maybe it’s because Vista set expectations of pain, or because hardware has gotten so much cheaper, but Windows Server 2008 does not feel bloated or slow at all. Microsoft has done a pretty good job at minimizing the installed feature set to the bare minimum, and Server Core can take that even further. Depending upon your needs, it can be quite possible to upgrade even older equipment to Windows Server 2008 without needing to beef up the hardware.&lt;br /&gt;&lt;br /&gt;#10: Quality beats expectations&lt;br /&gt;Microsoft customers have developed low expectations of quality over the years, unfortunately, with good reason. While its track record for initial releases, in terms of security holes and bug counts, seems to be improving, customers are still howling about Vista. As a result, it has come as a real surprise that the overall reaction to Windows Server 2008 has been muted, to say the least. The horror stories just are not flying around like they were with Vista. Maybe it’s the extra year they spent working on it, or different expectations of the people who work with servers, but Windows Server 2008 has had a pretty warm reception so far. And that speaks a lot to its quality. There is nothing particularly flashy or standout about it. But at the same time, it is a solid, high quality product. 
And that is exactly what system administrators need.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-25846135879935052?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/25846135879935052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=25846135879935052&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/25846135879935052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/25846135879935052'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-surprising-things-about-windows.html' title='10 surprising things about Windows Server 2008'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2923943041154397801</id><published>2008-10-07T05:40:00.000-07:00</published><updated>2008-10-07T05:43:24.799-07:00</updated><title type='text'>10 ways to get maximum value from a professional development class</title><content type='html'>From time to time you will find yourself taking a professional development class. It could cover communications, conflict management, business writing, or some other area. It might be a class that’s internal to your company, or it might be a class you attend outside, with people from other companies. 
In any case, your company (or you personally) made a substantial investment in this training. Here are pointers for management — and for you — to ensure both of you gain maximum value from the class.&lt;br /&gt;&lt;br /&gt;#1: Management should attend&lt;br /&gt;I wish I had a dollar for every time, during a session I teach, a non-management attendee said to me, “Calvin, your material is great, but you need to be saying this to our bosses.” On the other hand, lest I become too vain, maybe there are others who said to themselves, “This was a waste of time, so our managers should suffer as well.”&lt;br /&gt;&lt;br /&gt;In either case, management increases its credibility among staff by attending the same training. Unless it does so, the chances are great that management may undercut the philosophy that the class is attempting to impart.&lt;br /&gt;&lt;br /&gt;By the way, if you hold to the “waste of time” view, please see point 5 below.&lt;br /&gt;&lt;br /&gt;#2: Separate managers from subordinates&lt;br /&gt;It’s generally inadvisable to have managers in the same entire class with direct subordinates. The presence of the former could inhibit the latter from speaking up, particularly when organizational issues and policies are being discussed.&lt;br /&gt;&lt;br /&gt;Two alternatives address this concern. First, management can attend its own separate session. Second, management can attend the same session as direct subordinates, but 30 to 45 minutes from the end, can be excused. At that point, staff attendees who have issues can raise them. In other words, that’s the time attendees can start saying, “Calvin, you’re right in what you’re saying, but that won’t work here because…”&lt;br /&gt;&lt;br /&gt;#3: Management must respect class time&lt;br /&gt;If management is sending staff to training, it has to respect that time. The “tap on the shoulder” to handle an issue that takes “just a second” of course never takes that long. 
It ends up taking that attendee out of class completely. When that happens, it defeats the purpose of having that person attend class. Management needs to respect the time that the attendee is in class.&lt;br /&gt;&lt;br /&gt;#4: Distribute attendance among many departments&lt;br /&gt;Given the choice of having many attendees from one (or only a few) departments vs. having only a few attendees from many departments, I choose the latter. From a practical standpoint, this strategy reduces the burden on those who aren’t attending class but still must support business operations. From an organizational standpoint, the latter approach can help build morale by giving an attendee exposure to other departments and department workers.&lt;br /&gt;&lt;br /&gt;#5: Recognize the value of the training&lt;br /&gt;From time to time, when I talk about skills in communicating with customers, I see people with rolling eyes and folded arms. No doubt they’re saying to themselves, “Why am I wasting my time here? I could be writing a program / configuring a router / completing a problem ticket.”&lt;br /&gt;&lt;br /&gt;That’s why I often open with a quiz: what do Operating System/2, Betamax, and the Dvorak keyboard all have in common? Answer: They were technically superior to their competition but nonetheless became obsolete. In the same way, technical people who rely only on their technical skills for career success could be in for a shock, because skill in working with others is at least as important, if not more so.&lt;br /&gt;&lt;br /&gt;Try to keep an open mind. Will some training turn out to be a “bomb”? I hope not, but even in that case, you can still benefit. Sit down and analyze why you thought the session failed. 
Then, before your next session, resolve to discuss those concerns with the instructor if you can.&lt;br /&gt;&lt;br /&gt;#6: Make sure your job is covered during your absence&lt;br /&gt;You can do your part to avoid getting the aforementioned tap on the shoulder by the boss. Make sure your co-workers and customers are aware of your absence. Adjust your voicemail greeting and set an e-mail or instant message autorespond, if you can. Make sure they know of any open items or issues and how they should be handled.&lt;br /&gt;&lt;br /&gt;#7: Have specific personal objectives&lt;br /&gt;Your time in class will be far more meaningful if you set personal objectives for yourself beforehand. Read up on any class descriptions and syllabi or topic list. Then, go over mentally the areas where you believe you most need improvement. When you set your objectives, make sure they are measurable — and more important, that they’re realistic.&lt;br /&gt;&lt;br /&gt;#8: Speak up&lt;br /&gt;The biggest shock to many would-be law students is the total irrelevance of class participation in one’s final grade. Nonetheless, I still remember Professor Woodward’s advice in contracts class. He said that we still should speak in class, because doing so forces us to master the material. In other words, we may think we know the material, but having to articulate it is the acid test.&lt;br /&gt;&lt;br /&gt;You probably won’t get a grade for your professional development class. However, you probably will pick up the concepts more quickly, and retain them better, if you speak up.&lt;br /&gt;&lt;br /&gt;#9: Apply exercises and activities to your job&lt;br /&gt;Those exercises where you walk the maze, build the toothpick tower, or sequence the 15 items to help you survive the desert aren’t there just for the heck of it. They’re there because they deal with some skill that’s important to your job. The instructor or facilitator, in discussing the exercise afterward, should be making that association. 
If not, make it yourself. Write a note to yourself about the lessons you learned from the exercise. In particular, ask yourself how these lessons apply to your job and how you might act differently having gained the insights you did.&lt;br /&gt;&lt;br /&gt;#10: Write a letter to yourself&lt;br /&gt;At the end of sessions I lead, I ask attendees to write a letter to themselves about what they learned. I then take those letters and simply hold them for about three months, after which I return them to their respective authors. I do so because many attendees remember clearly the material immediately after class. However, in the weeks that follow, their memories may dim. Seeing the letter refreshes their memory and reinforces the class session.&lt;br /&gt;&lt;br /&gt;If the leader of your session doesn’t follow this practice, consider doing it on your own. Write a letter, seal it, and just put it somewhere that it won’t get lost. Maybe write a note on the outside, such as, “Open on [date three months from now].”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-2923943041154397801?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2923943041154397801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2923943041154397801&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2923943041154397801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2923943041154397801'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-ways-to-get-maximum-value-from.html' title='10 ways to get maximum value 
from a professional development class'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-5789111511685471800</id><published>2008-10-07T05:35:00.001-07:00</published><updated>2008-10-07T05:35:50.815-07:00</updated><title type='text'>10 reasons why you should use the Opera browser</title><content type='html'>I have gone through many browsers in my lifetime of IT. From Lynx to Mosaic to Mozilla to Netscape to Firefox to Internet Explorer to Safari to Flock. But there’s another browser that peeks its head in and out of that cycle — Opera. Opera is a browser that gets little press in the battle for Internet supremacy. But it’s a browser that is making huge waves in other arenas (Can you say “mobile”?) and is always a steady player in the browser market.&lt;br /&gt;&lt;br /&gt;But why would you want to use a browser that gets little love in the market? I will give you 10 good reasons.&lt;br /&gt;&lt;br /&gt;#1: Speed&lt;br /&gt;It seems no matter how many leaps and bounds Firefox and Internet Explorer make, Opera is always able to render pages faster. In both cold and warm starts, Opera beats both Firefox and Internet Explorer. We’re not talking about a difference the naked eye is incapable of seeing. The speed difference is actually noticeable. So if you are a speed junky, and most of you are, you should be using Opera for this reason alone.&lt;br /&gt;&lt;br /&gt;#2: Speed Dial&lt;br /&gt;Speed Dial is one of those features that generally steals the show with browsers. It’s basically a set of visual bookmarks on one page. 
To add a page to Speed Dial, you simply click on an empty slot in the Speed Dial page and enter the information. When you have a full page of Speed Dial bookmarks, you can quickly go to the page you want by clicking the related image. For even faster browsing, you can press the Ctrl + * key combination (where * is the number 1-9 associated with your page as assigned in Speed Dial).&lt;br /&gt;&lt;br /&gt;#3: Widgets&lt;br /&gt;Opera Widgets are like Firefox extensions on steroids. Widgets are what the evolution of the Web is all about — little Web-based applications you can run from inside (or, in some cases, outside) your browser. Some of the widgets are useful (such as the Touch The Sky international weather applet) and some are just fun (such as the Sim Aquarium). They are just as easy to install as Firefox extensions.&lt;br /&gt;&lt;br /&gt;#4: Wand&lt;br /&gt;Save form information and/or passwords with this handy tool. Every time you fill out a form or a password, the Wand will ask you if you want to save the information. When you save information (say a form), a yellow border will appear around the form. The next time you need to fill out that form, click on the Wand button or press Ctrl + Enter, and the information will automatically be filled out for you.&lt;br /&gt;&lt;br /&gt;#5: Notes&lt;br /&gt;Have you ever been browsing and wanted to take notes on a page or site (or about something totally unrelated to your Web browsing)? Opera comes complete with a small Notes application that allows you to jot down whatever you need to jot down. To access Notes, click on the Tools menu and then click on Notes. The tool itself is incredibly simple to use and equally handy.&lt;br /&gt;&lt;br /&gt;#6: BitTorrent&lt;br /&gt;Yes, it is true: Opera has built-in support for the BitTorrent protocol. And the built-in BitTorrent client is simple to use: Click on a Torrent link, and a dialog will open asking you where you want to download the file. 
The Torrent client is enabled by default, so if your company doesn’t allow Torrenting, you should probably disable this feature. Note: When downloading Torrents, you will continue to share content until you either stop the download or close the browser.&lt;br /&gt;&lt;br /&gt;#7: Display modes&lt;br /&gt;Another unique-to-Opera feature is its display modes, which allow you to quickly switch between Fit To Width and Full Screen mode. Fit To Width mode adjusts the page size to the available screen space while using flexible reformatting. Full Screen mode gives over the entire screen space to browsing. In this mode, you drop all menus and toolbars, leaving only context menus, mouse gestures, and keyboard shortcuts. The latter mode is especially good for smaller screens.&lt;br /&gt;&lt;br /&gt;#8: Quick Preferences&lt;br /&gt;The Quick Preferences menu is one of those features the power user will really appreciate. I am quite often using it to enable/disable various features, and not having to open up the Preferences window makes for a much quicker experience. From this menu, you can alter preferences for pop-ups, images, Java/JavaScript, plug-ins, cookies, and proxies. This is perfect when you are one of those users who block cookies all the time, until a site comes along where you want to enable cookies.&lt;br /&gt;&lt;br /&gt;#9: Mouse Gestures&lt;br /&gt;This feature tends to bother most keyboard junkies (those who can’t stand to move their fingers from the keyboard). But Mouse Gestures is a built-in feature that applies certain actions to specific mouse movements (or actions). For example, you can go back a page by holding down the right mouse button and clicking the left mouse button. This is pretty handy on a laptop, where using the track pad can take more time than you probably want to spend on navigation. But even for those who prefer to keep their hands on the keys and not the mouse, the feature can still save time. 
Instead of having to get to the mouse, move the mouse to the toolbar, and click a button, you simply have to get your hands to the mouse and make the gesture for the action to take place. Of course, this does require the memorization of the gestures.&lt;br /&gt;&lt;br /&gt;#10: Session saving&lt;br /&gt;I love this feature. All too many times, I have needed to close a browser window but didn’t want to lose a page. To keep from losing the page, I would keep a temporary bookmark file where I could house these bookmarks. But with Opera, that’s history. If you have a page (or number of pages) you want to save, you just go to the File menu and then the Sessions submenu and click Save This Session. The next time you open Opera, the same tabs will open. You can also manage your saved sessions so that you can save multiple sessions and delete selected sessions.&lt;br /&gt;&lt;br /&gt;The upshot&lt;br /&gt;With just the above list, you can see how easily Opera separates itself from the rest of the crowd. It’s a different beast in the Web browsing space. 
It’s fast, stable, and cross platform, and it contains many features other browsers can’t touch.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-5789111511685471800?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/5789111511685471800/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=5789111511685471800&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5789111511685471800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5789111511685471800'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-reasons-why-you-should-use-opera.html' title='10 reasons why you should use the Opera browser'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-8651440121798242766</id><published>2008-10-07T05:31:00.000-07:00</published><updated>2008-10-07T05:34:15.176-07:00</updated><title type='text'>10 things Linux does better than Windows</title><content type='html'>Throughout my 10+ years of using Linux, I have heard about everything that Windows does better than Linux. So I thought it time to shoot back and remind everyone of what Linux does better than Windows. Of course, being the zealot that I am, I could list far more than 10 items. 
But I will stick with the theme and list only what I deem to be the 10 areas where Linux not only does better than Windows but blows it out of the water.&lt;br /&gt;&lt;br /&gt;#1: TCO&lt;br /&gt;This can o’ worms has been, and will be, debated until both operating systems are no more. But let’s face it — the cost of a per-seat Windows license for a large company far outweighs having to bank on IT learning Linux. This is so for a couple of reasons.&lt;br /&gt;&lt;br /&gt;First, most IT pros already know a thing or two about Linux. Second, today’s Linux is not your mother’s Linux. Linux has come a long, long way from where it was when I first started. Ten years ago, I would have said, hands down, Windows wins the TCO battle. But that was before KDE and GNOME brought their desktops to the point where any given group of monkeys could type Hamlet on a Linux box as quickly as they could type it on a Windows box. I bet any IT department could roll out Linux and do it in such a way that the end users would hardly know the difference. With KDE 4.1 leaps and bounds beyond 4.0, it’s already apparent where the Linux desktop is going — straight into the end users’ hands. So with all the FUD and rhetoric aside, Windows can’t compete with Linux in TCO. Add to that the cost of software (including antivirus and spyware protection) for Windows vs. Linux, and your IT budget just fell deeply into the red.&lt;br /&gt;&lt;br /&gt;#2: Desktop&lt;br /&gt;You can’t keep a straight face and say the Linux desktop is more difficult to use than the Windows desktop. If you can, you might want to check the release number of the Linux distribution you are using. Both GNOME and KDE have outpaced Windows for user-friendliness. Even KDE 4, which has altered the path of KDE quite a bit, will make any given user at home with the interface. But the Linux desktop beats the Windows desktop for more reasons than just user-friendliness. It’s far more flexible than anything Microsoft has ever released. 
If you don’t like the way the Linux desktop looks or behaves, change it. If you don’t like the desktop included with your distribution, add another. And what if, on rare occasion, the desktop locks up? Well, Windows might require a hard restart. Linux? Hit Ctrl + Alt + Backspace to force a logout of X Windows. Or you can always drop into a virtual console and kill the application that caused your desktop to freeze. It’s all about flexibility… something the Windows desktop does not enjoy.&lt;br /&gt;&lt;br /&gt;#3: Server&lt;br /&gt;For anyone who thinks Windows has the server market cornered, I would ask you to wake up and join the 21st century. Linux can, and does, serve up anything and everything and does it easily and well. It’s fast, secure, easy to configure, and very scalable. And let’s say you don’t happen to be fond of Sendmail. If that’s the case, you have plenty of alternatives to choose from. The same goes for serving up Web pages: there are plenty of alternatives to Apache, some of which are incredibly lightweight.&lt;br /&gt;&lt;br /&gt;#4: Security&lt;br /&gt;Recently, there was a scare in the IT world known as Phalanx 2. It actually hit Linux. But the real issue was that it hit Linux servers that hadn’t been updated. It was poor administration that caused this little gem to get noticed. The patch, as usual in the Linux world, came nearly as soon as word got out. And that’s the rub. Security issues plague Windows for a couple of reasons: The operating system comes complete with plenty of security holes and Microsoft is slow to release patches for the holes. Of course, this is not to say that Linux is immune. It isn’t. But it is less susceptible to attacks and faster to fix problems.&lt;br /&gt;&lt;br /&gt;#5: Flexibility&lt;br /&gt;This stems from the desktop but, because Linux is such an amazingly adaptable operating system, it’s wrong to confine flexibility to the desktop alone. Here’s the thing: With Linux, there is always more than one way to handle a task. 
Add to that the ability to get really creative with your problem solving, and you have the makings of a far superior system. Windows is about as inflexible as an operating system can be. Think about it this way: Out of the box, what can you do with Windows? You can surf the Web and get e-mail. Out of the box, what can you do with Linux? I think the better question is what can you NOT do with Linux? Linux is to Legos as Windows is to Lincoln Logs. With Lincoln Logs, you have the pieces to make fine log cabins. With Legos, you have the pieces to make, well, anything. And then you have all the fanboys making Star Wars Legos and Legos video games. Just where did all those Lincoln Logs fanboys go?&lt;br /&gt;&lt;br /&gt;#6: Package management&lt;br /&gt;Really, all I should have to say about this is that Windows does no package management. Sure, you can always install an application with a single click. But what if you don’t know which package you’re looking for? Where is the repository to search? Where are the various means of installing applications? Where are the dependency checks? Where are the md5 checks? What about not needing root access to install any application in Windows? Safety? Security? Sanity?&lt;br /&gt;&lt;br /&gt;#7: Community&lt;br /&gt;About the only community for Windows is the flock of MCSEs, the denizens at the Microsoft campus, and the countless third-party software companies preying on those who can’t figure out what to do when Windows goes down for the count. Linux has always been and always will be about community. It was built by a community and for a community. And this Linux community is there to help those in need. From mailing lists to LUGs (Linux user groups) to forums to developers to Linus Torvalds himself (the creator of Linux), the Linux operating system is a community strong with users of all types, ages, nationalities, and social anxieties.&lt;br /&gt;&lt;br /&gt;#8: Interoperability&lt;br /&gt;Windows plays REALLY well with Windows. Linux plays well with everyone. 
I’ve never met a system I couldn’t connect Linux to. That includes OS X, Windows, various Linux distributions, OS/2, Playstations… the list goes on and on. Without the help of third-party software, Windows isn’t nearly as interoperable. And we haven’t even touched on formats. With OpenOffice, you can open/save in nearly any format (regardless of release date). Have you come across that docx format yet? Had fun getting it to open in anything but MS Word &gt;=2007?&lt;br /&gt;&lt;br /&gt;#9: Command line&lt;br /&gt;This is another item where I shouldn’t have to say much more than the title. The Linux command line can do nearly anything you need to work in the Linux operating system. Yes, you need a bit of knowledge to do this, but the same holds true for the Windows command line. The biggest difference is the amount you can do when met with only the command line. If you had to administer two machines through the command line only (one Linux box and one Windows box), you would quickly understand just how superior the Linux CLI is to the vastly underpowered Windows CLI.&lt;br /&gt;&lt;br /&gt;#10: Evolution&lt;br /&gt;For most users, Vista was a step backward. And that step backward took a long time (five years) to come to fruition. With most Linux distributions, new releases are made available every six months. And some of them are major jumps in technological advancement. Linux also listens to its community. What are they saying and what are they needing? From the kernel to the desktop, the Linux developer community is in sync with its users. Microsoft? Not so much. Microsoft takes its time to release what may or may not be an improvement. And, generally speaking, those Microsoft release dates are as far from set in stone as something can be. It should go without saying that Microsoft is not an agile developer. 
In fact, I would say Microsoft, in its arrogance, insists companies, users, and third-party developers evolve around it.&lt;br /&gt;&lt;br /&gt;That’s my short list of big-ticket items that Linux does better than Windows. There will be those naysayers who feel differently, but I think most people will agree with these points. Of course, I am not so closed-minded as to think that there is nothing that Windows does better than Linux. I can think of a few off the top of my head: PR, marketing, FUD, games, crash, and USB scanners.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-8651440121798242766?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/8651440121798242766/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=8651440121798242766&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8651440121798242766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8651440121798242766'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-things-linux-does-better-than.html' title='10 things Linux does better than Windows'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-599716488609457683</id><published>2008-10-07T05:29:00.000-07:00</published><updated>2008-10-07T05:30:54.138-07:00</updated><title type='text'>10 ways to learn new skills on the cheap</title><content type='html'>The one thing we know for sure about IT is that the technology is constantly changing. Staying current with that technology, and acquiring the skills to support it, is a career necessity. Whether you simply need to learn the latest techniques or you want to completely retool, if your employer or client does not fund the training, it could be very expensive for you. Fortunately, there are some low/no-cost alternatives to conventional training programs that might even be more effective and be a better fit for your learning style.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;#1: Public library&lt;br /&gt;As obvious as this resource is, I am always surprised at how many people never think of it. Though some of the material may not be the latest, you might be surprised, especially if you have access to a fairly large metropolitan library. Do not forget about videos and DVDs either, especially for training on less technical, common applications, such as QuickBooks or Microsoft Access. If you are looking for business or methodology training, you may also want to look for audio books. You may not be able to find detailed information on the Rational Unified Process (RUP), but Six Sigma and other initiatives in which your company or client may be involved may well be there. Audio books also enable you to convert idle drive time, or exercise time, into a value-add for you and your client.&lt;br /&gt;&lt;br /&gt;If you are stuck in a small town with limited resources, consider approaching a larger library system to become a guest patron. 
Many times this is available to the public for a fee, but your local library may also have a reciprocal agreement with them, in which case access to the other library system may be free. Also, if you teach at a school of any type, you may be granted access to a library system if you can show proof of your status as a teacher.&lt;br /&gt;&lt;br /&gt;University libraries are another rich store of material from which you can learn new skills. But unless you are a student at the school, it may be less than straightforward to check out materials. If the university is state-funded, you might be permitted to check out material if you are a resident of the state. If the university you approach does not permit you to check out material, you can always make a routine of camping out there for a couple of hours each week and learning on the premises.&lt;br /&gt;&lt;br /&gt;#2: Company library/resources&lt;br /&gt;Many companies have their own libraries and training that are available for the asking. Training is usually a part of human resources, so you might start there if the company doesn’t have a formal training department. If you are an independent consultant, does your client have a library you could tap into? It has been my experience that clients are generally quite willing to open up their training to outside consultants, especially if the training makes the consultants more effective in working with them.&lt;br /&gt;&lt;br /&gt;If there is a cost associated with the training, however, reimbursement can be complicated, as clients usually lack a process for accepting that type of payment. Very large companies have a particularly difficult time accepting money for training, but do not give up. Your client’s department may still be willing to carry your training if they see a material benefit.&lt;br /&gt;&lt;br /&gt;#3: Vendor training&lt;br /&gt;It is to a vendor’s advantage to have you use their product, and use it effectively. 
To that end, many vendors offer training for little or no cost. This training is made available in a variety of formats, including:&lt;br /&gt;&lt;br /&gt;Training sessions at conferences and trade fairs &lt;br /&gt;White papers &lt;br /&gt;Online tutorials &lt;br /&gt;Online/on-demand videos &lt;br /&gt;Special training events &lt;br /&gt;&lt;br /&gt;You will not find a five-day intensive training session available for free, but you can still learn quite a bit from these free vendor resources. The more prepared you go into a vendor’s event, including being armed with questions, the more you will gain from the experience.&lt;br /&gt;&lt;br /&gt;#4: Podcasts&lt;br /&gt;Podcasts are becoming increasingly popular among the typical channel of technical media and vendors. They include product information or interviews with experts in a particular field and tend to cover fairly narrow topics, such as the software quality topics offered by StickyMinds. There are also a number of resources from more public sources, such as iPod and YouTube. These may come from a number of academic sources, or they may be the product of someone who simply has a passion for the subject.&lt;br /&gt;&lt;br /&gt;#5: Webinars/webcasts and virtual trade shows&lt;br /&gt;One of the greatest developments for people who actually have to work for a living, webinars and virtual trade shows offer a no-travel way to accomplish in an hour what used to take an entire day. Virtual trade shows are not as well attended by vendors as live trade shows, but as vendors figure out how to use the new venue, I expect more will start to join in. Advantages, besides the obvious lack of travel and enormous time savings, include having a fairly narrow topic focus and relatively easy access to representatives. There are also some pretty awesome networking opportunities, as well.&lt;br /&gt;&lt;br /&gt;Webinars usually consist of an industry expert providing general information, followed by product information from the sponsoring vendor. 
The product typically has some tie to the overall topic, and many times, the product information portion of the webinar may be as informative as the general topic portion. If the sponsor has a broader interest in the industry, such as an association or a publisher, the entire webinar may be information-oriented, with no product application.&lt;br /&gt;&lt;br /&gt;Various webcasts can be found at TechRepublic, as well as at other publishers.&lt;br /&gt;&lt;br /&gt;#6: Associations and user groups&lt;br /&gt;National organizations typically have a number of resources that you, as a member, can participate in. These may include online libraries, peer forums, and training courses. There may be a cost associated with some of this training, and access to some of the resources may require a paid, or premium (read: more expensive), membership. But when you consider that a membership to the Association for Computing Machinery, for example, can give you access to more than 1,100 books online, in addition to their journals and proceedings, it might well be worth the annual membership fee.&lt;br /&gt;&lt;br /&gt;User groups, or other local groups that share your interest in a particular topic, offer a great forum to learn and share information for little or no cost. Special interest groups (SIGs) within the user group offer further topic specialization and can be a tremendous way to learn or be mentored. Check with vendors that interest you, as they may maintain a list of user groups in your area that relate to your product. Microsoft, for example, has a site with user group information, as do other major manufacturers. Consider, also, simple word of mouth and the “community calendar” section of your local paper to find out about upcoming meetings of groups that may interest you.&lt;br /&gt;&lt;br /&gt;#7: Volunteering&lt;br /&gt;The best way to learn is by doing. However, most companies are not willing to pay you while you learn. 
If you have all of the books and tutorials, but just need to get your hands dirty, why not volunteer to do a project for someone for free? Churches and nonprofits might need some work done that you can help with. A new Web site, a donor tracking system, or automation of monthly billing are all things that might benefit them and can give you the hands-on experience you need to approach a prospective employer or client. This is an especially good approach if you are trying to retool yourself with some new technology, or at least a technology that is new to you.&lt;br /&gt;&lt;br /&gt;This same approach can be applied in an incremental fashion with existing work you may be doing. Can you work a little beyond your current job description? If you are working within an old development methodology, for example, but want to try what you have learned about RUP, redo a portion of your work in the style of the new methodology, such as use cases. There is nothing like trying a skill on a real project to give you a real sense of the process, and sometimes a real sense of how much you still need to learn. Who knows — besides getting some great experience, you might even start to convert your team to the new process (but don’t get your hopes up).&lt;br /&gt;&lt;br /&gt;#8: The Internet&lt;br /&gt;Who has not Googled to learn more on a topic or to clear up an office dispute on the origins of some phrase or song lyric? This same resource is a great learning tool. A simple topic search can produce content from college courses, vendor training, and government information sites. Don’t be surprised if some of this content offers better explanations than some textbooks.&lt;br /&gt;&lt;br /&gt;Online publishers are another great source for information to enhance your skills. 
Consider dropping a topic that interests you into the search field at a site such as DevX, and you may be surprised how much detail you will find.&lt;br /&gt;&lt;br /&gt;#9: Continuing education&lt;br /&gt;Continuing education programs, also called adult education or community outreach, offer nondegree classes that are generally conducted in the evening for a modest fee. Besides the stereotypical class on how to weave a basket, many programs also offer database, networking, and a number of other technology classes. Many of these programs are run through high schools and colleges, so if you are not aware of any programs in your area, start by checking with your local high school, career center, or university for contact information.&lt;br /&gt;&lt;br /&gt;#10: Community college&lt;br /&gt;State-run community colleges generally offer a number of affordable classes you can take without seeking a degree. Many of these colleges offer technology and programming classes. Because you have probably not taken the prerequisites for the class, you may need the permission of the instructor, but that should not be a problem if you are already a professional in the field. These programs are usually far less expensive than your typical week-long vendor training and are usually scheduled during the evening to minimize the impact on your workday. There may also be for-profit community colleges in your area. But since they may lack public subsidies, be prepared to pay substantially more for their course offerings.&lt;br /&gt;&lt;br /&gt;One less hurdle&lt;br /&gt;Limited time, family demands, and travel may still keep you from dedicating yourself to learning a new skill, but if you’re creative, cost doesn’t have to be an obstacle. In fact, the nature of some of these suggested training alternatives lends itself nicely to working around the time and travel constraints that are so often a barrier. 
Take advantage of as many of these training approaches as you can, and you will have one less hurdle to moving your career forward.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-599716488609457683?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/599716488609457683/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=599716488609457683&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/599716488609457683'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/599716488609457683'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-ways-to-learn-new-skills-on-cheap.html' title='10 ways to learn new skills on the cheap'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-7441065337807050768</id><published>2008-10-07T05:18:00.000-07:00</published><updated>2008-10-07T05:27:12.430-07:00</updated><title type='text'>10+ tips for combating Computer Vision Syndrome</title><content type='html'>If you spend two or more hours a day in front of a computer, you might suffer from Computer Vision Syndrome (CVS). Symptoms include headache, inability to focus, burning or tired eyes, double or blurred vision, and neck and shoulder pain.&lt;br /&gt;&lt;br /&gt;Computer screens are the culprit. 
Our eyes don’t process screen characters as well as they do traditional print. Printed materials have well-defined edges and screen characters don’t. Our eyes work hard to remain focused on screen characters, and to temporarily relieve stress, our eyes drift and then strain to refocus. The constant muscle flexing causes fatigue. Keep in mind that computer screens aren’t the only screens that matter — most of your electronic toys, such as cell phones and PDAs, also cause eyestrain.&lt;br /&gt;&lt;br /&gt;Fortunately, there are a number of simple (and mostly free) things you can do to alleviate CVS. Don’t wait until you’re suffering. Make these adjustments now.&lt;br /&gt;&lt;br /&gt;#1: Use proper lighting&lt;br /&gt;Most office settings use bright, often harsh lighting. The more light the better, right? Unfortunately, that’s not true, but the solution to harsh bright lights is simple. Knowing that the bright lights are hurting you is often the bigger problem.&lt;br /&gt;&lt;br /&gt;If you have a window, use blinds or curtains to limit the amount of sunlight beaming in. Use lower intensity bulbs and tubes inside. If you have both, turn off the indoor lights and open your blinds or curtains until you’re comfortable.&lt;br /&gt;&lt;br /&gt;If you’re used to working in bright light, you might feel a bit out of sorts at first. Give yourself some time to adjust to the softer lighting. If you can’t control the lighting, consider wearing tinted glasses.&lt;br /&gt;&lt;br /&gt;#2: Reduce environmental glare&lt;br /&gt;Glare is reflected light that bounces off surfaces such as walls and computer screens. Often, you don’t even realize you’re compensating for it, so finding glare might take a bit of effort. There are a few things that you can do to reduce the glare:&lt;br /&gt;&lt;br /&gt;Paint bright walls a darker color and use paint with a matte finish. &lt;br /&gt;Install an anti-glare screen and/or a glare hood on your monitor. 
&lt;br /&gt;If you wear glasses, consider applying an anti-reflective coating to the lenses. &lt;br /&gt;Glare screens help only part of the problem. They cut down on glare from the computer screen. Unfortunately, they won’t help your eyes focus better.&lt;br /&gt;&lt;br /&gt;#3: Use proper computer settings&lt;br /&gt;One of the simplest ways to reduce eyestrain is to adjust your monitor’s brightness and contrast settings. There’s no right or wrong setting. Just experiment until you’re comfortable.&lt;br /&gt;&lt;br /&gt;If the background gives off a lot of light, reduce the brightness. In addition, keep the contrast between the background and characters high. Generally speaking, your settings are probably too bright, but a setting that’s too dark is just as tiring.&lt;br /&gt;&lt;br /&gt;#4: Maximize comfort by adjusting text size and color&lt;br /&gt;Adjusting the on-screen text’s size and color can provide relief. First, try enlarging the text. You’re probably using the smallest size you can to view more text on the screen, but that compounds the problem. Instead, enlarge the text to two to three times the smallest size you can read. Almost all software and most browsers will let you adjust text size. When possible, use black text on a white background. And avoid busy backgrounds. Sometimes, you have no control, but do so when you can.&lt;br /&gt;&lt;br /&gt;#5: Take a break!&lt;br /&gt;&lt;br /&gt;The AOA also suggests you follow their 20/20 rule when regular breaks just aren’t possible. Every 20 minutes or so, look away from the screen and focus on something in the distance for about 20 seconds.&lt;br /&gt;&lt;br /&gt;(Breaks can be a touchy subject in the workplace, so discuss your needs with a supervisor. Don’t get yourself into trouble.)&lt;br /&gt;&lt;br /&gt;#6: Clean your screen&lt;br /&gt;The easiest tip of all is to clean your screen frequently. Dust, fingerprints, and other smears are distracting and make reading more difficult. 
Often, you don’t even see the dust; you just look right past it. Make it a habit to wipe off your screen frequently. Every morning isn’t too often and is easy to work into your routine.&lt;br /&gt;&lt;br /&gt;#7: Position copy correctly&lt;br /&gt;Glancing back and forth between a printed copy and your computer screen causes eyestrain. To ease discomfort, place the printed copy as close to your monitor as possible. In addition, use a copy stand if possible to keep the copy upright.&lt;br /&gt;&lt;br /&gt;This is the one time you might want more light. A small desk lamp will suit your needs, but position it carefully so that it sheds light on the printed page but doesn’t shine into your face or reflect off your monitor. Remember to use soft light.&lt;br /&gt;&lt;br /&gt;#8: Position yourself correctly&lt;br /&gt;Keep your distance from the monitor; most people sit too close. Position your computer monitor about 20 to 24 inches from your eyes. Your screen’s center should be about 10 to 15 degrees below your eyes. This arrangement provides the best support.&lt;br /&gt;&lt;br /&gt;If you can’t change the distance between you and the monitor, adjust the text accordingly. For instance, if you’re sitting farther away than you should, increase the text size. It’s not the best solution, but it’s better than straining to see something that’s too far away.&lt;br /&gt;&lt;br /&gt;#9: Get computer glasses&lt;br /&gt;If you just can’t get relief, you might need special glasses you can wear just for working at the computer. You can’t pick these up at your favorite discount store. You’ll need a prescription from an eye doctor.&lt;br /&gt;&lt;br /&gt;Don’t depend on prescription reading glasses to negate CVS either. Reading glasses help with distances of 16 to 21 inches. In contrast, computer glasses work for distances of 18 to 28 inches. 
It’s unlikely that the same pair of glasses will accommodate reading printed material and working at your computer.&lt;br /&gt;&lt;br /&gt;#10: Seek alternative help&lt;br /&gt;If all else fails, try something a little different, like yoga. In an Indian study of 291 people, half practiced yoga daily for an hour, five days a week, and noticed an improvement after 60 days. The other half, those not practicing yoga, saw no improvement. If your eyestrain doesn’t disappear, at least you’ll have fun and feel better in general.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-7441065337807050768?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/7441065337807050768/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=7441065337807050768&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7441065337807050768'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7441065337807050768'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-tips-for-combating-computer-vision.html' title='10+ tips for combating Computer Vision Syndrome'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-8315254914558828541</id><published>2008-10-07T05:07:00.000-07:00</published><updated>2008-10-07T05:17:11.521-07:00</updated><title type='text'>10 ways to survive office politics</title><content type='html'>Office politics will never go away. It’s a fact of company life. However, destructive office politics can demoralize an organization, hamper productivity, and increase turnover. Here are some tips, applicable for both staff and management, on dealing with office politics.&lt;br /&gt;&lt;br /&gt;#1: Live at peace with others&lt;br /&gt;The easiest way to avoid problems with politics is to get along with people. I’m not saying you need to hug everyone and sing songs, and I’m not saying you have to be a pushover for everyone. You can be pleasant and professional, while at the same time being assertive when necessary. If you have a concern, focus only on the issue, not on the person. If you have to refuse a request, explain why and try to come up with alternative solutions.&lt;br /&gt;&lt;br /&gt;Living at peace with others also means being careful about choosing sides during office power struggles. Aligning yourself with one faction or the other will prevent you from working effectively with people from the “other” side, thereby hampering your productivity and thus your performance. It’s even worse if “your” faction loses out. Instead, try to focus on your tasks, dealing with people in either faction on the basis of the tasks alone, and avoid talk on the political issue that separates the groups.&lt;br /&gt;&lt;br /&gt;#2: Don’t talk out of school&lt;br /&gt;&lt;br /&gt;Does your organization have issues? Have people told you things in confidence? Then keep those matters to yourself. Talking to outsiders about issues within your organization makes all of you look bad to that outsider. 
Furthermore, your boss or your boss’s boss will not appreciate that behavior. People will find out that you spoke about what they told you, and they’ll lose confidence in you and respect for you.&lt;br /&gt;&lt;br /&gt;#3: Be helpful&lt;br /&gt;We all have responsibilities and objectives, and those things should receive priority. Nonetheless, if it doesn’t take too much time, being helpful to others can reap benefits for you. Does someone need a ride in the direction you live? Did your co-worker leave headlights on in the parking lot? Is someone having trouble building an Excel macro? If you can help that person, especially if you can do so without taking too much of your time, you benefit yourself as well as the other person. By doing these things, you’re building political capital and loyalty. In doing so, you reduce the chances that you will be the victim of political intrigue.&lt;br /&gt;&lt;br /&gt;#4: Stay away from gossip&lt;br /&gt;&lt;br /&gt;Nothing destroys the dynamics of an office more than gossip. Stay away from it, because nothing good comes from it. Just be sure you avoid the “holier than thou” attitude of lecturing your co-workers on the evils of gossip. You’ll make them lose face, and they’ll resent you. Instead, try subtly changing the subject. For example, suppose the group is talking about Jane’s problems with her child, and of course Jane is absent from the group. Do some free association and try to come up with some topic that’s related to Jane or her child, but won’t involve gossip. Then, make a comment about that topic.&lt;br /&gt;&lt;br /&gt;For instance, suppose you know that Jane’s child is involved in a sports league. Mention this fact, thereby linking the child and the league. Then, shift the conversation so that you’re now talking about the league rather than Jane’s child. You could ask when schedules will be published, or if they need parent volunteers. 
If you do it right, no one will even notice that you’ve moved them away from the gossip.&lt;br /&gt;&lt;br /&gt;#5: Stay out of those talk-down-the-boss sessions&lt;br /&gt;Suppose your co-workers start complaining about the boss. If you join in, it makes you look disloyal to the boss. If you don’t, it looks awkward in the group. What can you do? As with the situation of gossip, try changing the subject by linking the boss to another topic, then talking about that topic instead. Or you could simply respond to your co-workers with a smile and a tongue-in-cheek, “Come on, aren’t we exaggerating? [name of boss] really isn’t THAT bad.” Be careful, though, because it could be taken as an admission by you that the boss is bad.&lt;br /&gt;&lt;br /&gt;#6: Be a straight arrow&lt;br /&gt;The best way to keep out of trouble politically is to be seen as someone who doesn’t play office politics — in other words, a straight arrow. Do what you say you’re going to do, alert people to problems, and admit your mistakes. Others will respect you, even if they don’t always agree with you. More important, you have a lower chance of being a victim of politics.&lt;br /&gt;&lt;br /&gt;#7: Address the “politics” issue openly when appropriate&lt;br /&gt;Many times, when I do organizational assessments, I sense anxiety on the part of client staff. To address this anxiety, I tell people I interview that I’m not there to get people fired. I’m there to help the organization function better. It might not completely allay their fears and suspicions, but at least I’ve brought up the issue and addressed it.&lt;br /&gt;&lt;br /&gt;Think about doing the same thing if you believe politics is an underlying theme at your company. Tell people you’re not interested in scoring political points but only in getting the job done. It might not work, but unless you bring the matter up, there’s no chance at all that they will believe you. 
So if a co-worker is unavailable, and you have to act on that person’s behalf, consider saying to that person, “I had to act because of your absence. I wasn’t trying to go behind your back and I wasn’t trying to show you up.”&lt;br /&gt;&lt;br /&gt;#8: Document things&lt;br /&gt;Nothing saves a job or career more than having a written record. If you believe a matter will come back to haunt you, make sure you keep a record of the matter, either via e-mail or document. Documentation is also an effective way to highlight your own accomplishments, which can help you when your performance evaluation is conducted.&lt;br /&gt;&lt;br /&gt;#9: Set incentives to foster teamwork&lt;br /&gt;If you’re a manager or senior executive, take a close look at your incentives. Are you unwittingly setting up your staff to work against each other? Do your metrics address only individual departments, or do they also address how departments could benefit the larger organization?&lt;br /&gt;&lt;br /&gt;For example, suppose the hardware department of Sears reduced all its prices by half. If you measured only profitability of the department, you would conclude that it is performing horribly. However, that measurement would neglect to account for increased volume in all other departments because of the hardware department.&lt;br /&gt;&lt;br /&gt;If you reward employees in a department based only on how well that department does, you may inadvertently cause destructive competition among departments. Each one will be competing against every other one, and all the departments could end up in a worse position. To minimize this possibility, give employees incentives based not only on department results but on organization results as well. That way, employees from different departments have more motivation to work together and less motivation to engage in destructive politics.&lt;br /&gt;&lt;br /&gt;#10: Set an example for your staff&lt;br /&gt;People in an organization look to leadership to see how to act. 
Do you want your staff to refrain from negative politics? Do you want to see collaboration and teamwork instead of petty rivalries, jealousy, and back-stabbing? Act the way you want your staff to act, and they will follow you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-8315254914558828541?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/8315254914558828541/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=8315254914558828541&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8315254914558828541'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8315254914558828541'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/10/10-ways-to-survive-office-politics.html' title='10 ways to survive office politics'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-5799746644574293139</id><published>2008-07-29T08:39:00.000-07:00</published><updated>2008-07-29T08:41:44.748-07:00</updated><title type='text'>Five good security reads</title><content type='html'>Novels&lt;br /&gt;The first part of the list is of novels I have read in the last year that have a strong IT security focus, are well written, and can teach the security interested IT professional something about security. 
If you haven’t read them yet, they should definitely be on your reading list.&lt;br /&gt;&lt;br /&gt;They’re listed in the order I read them, which is conveniently also alphabetical order.&lt;br /&gt;&lt;br /&gt;Cryptonomicon&lt;br /&gt;This Neal Stephenson novel is a trifle unique in that it is actually two tales, each with its own plot, in one. The narrative switches between these tales regularly, one set during World War II, the other in the modern world. Specific modern technologies are often fictionalized (e.g. Finux, a thinly veiled reference to Linux, and Ordo, an encryption system that doesn’t exist in the real world but very well could), while more general technologies (e.g. cryptographic technologies in general) are entirely real.&lt;br /&gt;&lt;br /&gt;The story introduces the reader to concepts that, for most of us, may be new. It ends up being kind of accidentally educational in that respect, presenting ideas about cryptographic currencies, principles of cryptographic technology, and some of the history of modern computing and modern cryptography in forms easily digestible for the technically inclined reader. It even presents a rather unique demonstration of basic cryptographic principles in action in the form of the Solitaire cipher, a cryptographic system invented by Bruce Schneier specifically for Cryptonomicon that can be employed without a computer, via a normal deck of playing cards. 
It’s not a trivial, toy cryptographic system, however: it is meant to be a form of strong cryptography and, in fact, when Cryptonomicon was published with the Solitaire cipher algorithm printed within its pages in the form of a Perl script, saving that script in a file on a computer in the US and emailing it to someone in another country would have violated US munitions export laws because it qualifies as “strong encryption”.&lt;br /&gt;&lt;br /&gt;Halting State&lt;br /&gt;Probably the least directly educational of the three, this novel by Charles Stross is most interesting for its speculations on virtual currencies, virtual realities in meatspace, cyber-terrorism, and the social implications of all of the above. The primary characters are involved in the investigation of what starts out looking like the “robbery” of a virtual bank in a near-future MMORPG, but quickly spins out of control as they discover that all is not as it at first seems.&lt;br /&gt;&lt;br /&gt;It is written primarily in the second person, reminiscent of old text based adventure games, which I found a little difficult to get into at first — especially with the switching between perspective characters in different chapters. It’s an engrossing tale, with a well constructed plot, however.&lt;br /&gt;&lt;br /&gt;Little Brother&lt;br /&gt;Cory Doctorow set out to write this novel for “young adults” (i.e. teenagers), with an intentionally educational thread throughout. 
The main character, a high school student with a perhaps more than healthy interest in learning what others don’t want him to know (and using that knowledge), is a hacker in the original sense who, written in the first person perspective, spends a fair bit of time explaining matters of IT security to the reader.&lt;br /&gt;&lt;br /&gt;Little Brother is probably the best-written work of fiction that doubles as an educational text I have ever read, in part because it presents basic concepts within the context of the story and encourages the reader to pursue further knowledge on his or her own. If you read the entire novel and don’t find yourself inspired to read more on the subjects and concepts presented, you may just not be cut out to be a technologist at all. It’s the kind of book I wish I had in my hands when I was thirteen — but even now, about two decades older, it was a thoroughly enjoyable and inspiring read.&lt;br /&gt;&lt;br /&gt;The plot surrounds the events following a terrorist attack on the Bay Bridge in San Francisco, in a future so near it was quite a while before I was sure it wasn’t written to basically take place in the present. Politically, it looks like it may take place around 2011 some time, though it is flexible enough that it might believably take place any time in the next decade. The technologies are essentially the technologies we know today, with a few specific additions that could well arise in the next few years.&lt;br /&gt;&lt;br /&gt;Like usual, Doctorow’s challenges to the dominant paradigm go beyond the content of his fiction: this novel is not only available at bookstores and libraries, but also as a free download under the terms of a Creative Commons license. If you like reading full-length novels in digital file formats, you can get it there as a plain text, PDF, or HTML formatted file. 
I personally prefer having a physical book in my hands, so that’s the form of the novel I read.&lt;br /&gt;&lt;br /&gt;For a more personal take on Little Brother, check out my brief review in my personal Weblog.&lt;br /&gt;&lt;br /&gt;Related reading&lt;br /&gt;The second part of the list is works that aren’t novels — in one case, a book-length essay on the development of operating systems, and in the other a collection of short stories.&lt;br /&gt;&lt;br /&gt;In the Beginning was the Command Line&lt;br /&gt;People who enjoy Cryptonomicon may also want to read Stephenson’s In the Beginning was the Command Line, a lengthy essay examining the history of operating systems. It was written in the late 1990s, and is a little dated now, but the lessons it conveys are no less valuable. While it doesn’t directly address security, it does provide some insights into the design philosophies and necessities of operating systems, the collective mindset of their users, and other matters that provide a basis for understanding the security characteristics of systems incorporating various OSes and real-life end users. It has been published as a short book, but is also available for download as a Mac Stuffit or Zip compressed plain text file, free of charge. Among the rest of the works in this list, this is the only one I read for the first time before 17 July 2007. I have read it several times, however, the most recent being a few months ago. It’s not only worth reading once — it’s worth revisiting.&lt;br /&gt;&lt;br /&gt;Overclocked: Stories of the Future Present&lt;br /&gt;Doctorow’s Overclocked: Stories of the Future Present is a collection of short stories by the author of Little Brother. Many of them, individually, seem tailor-made to challenge the comfortable preconceptions of the modern technologist, illustrating in science fiction prose the possible consequences of contemporary technology policy. 
Like Little Brother, and most if not all the rest of Doctorow’s fiction, it is available as a free download as well as in dead-tree hardcopy editions.&lt;br /&gt;&lt;br /&gt;Recommendations&lt;br /&gt;If you’re a technology enthusiast, and there’s anything in the above list of works that you haven’t read, you should rectify that oversight soon. They’re all well written, informative, and often inspiring. Three of them are even available for free online, so the excuses for failing to read them lie somewhere between slim and none.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-5799746644574293139?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/5799746644574293139/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=5799746644574293139&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5799746644574293139'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5799746644574293139'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/07/five-good-security-reads.html' title='Five good security reads'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-5747887767648461826</id><published>2008-07-29T08:31:00.000-07:00</published><updated>2008-07-29T08:33:19.749-07:00</updated><title 
type='text'>Bignum arithmetic and premature optimization</title><content type='html'>Donald Knuth, the patron saint of algorithm analysis, once famously said “We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil.” Programmers of a thoughtful bent constantly argue over what this means, and at times whether it is even true. Mostly, they ignore its effect on security.&lt;br /&gt;&lt;br /&gt;As new programming languages become ever-more “high level” and dynamic, they get further and further from forcing the programmer to cater to the way computers “think”. This provides significant advantages for developing software swiftly and easily, sometimes at significant costs to the efficiency of the code itself. Moore’s Law, however, ensures that for many (if not most) cases those efficiency costs are absorbed by the hardware so thoroughly that users never see the difference, at least in a one-to-one comparison of general software functionality. In fact, for the same general functionality, software written in a higher level language will often outperform software written in a lower level language, if each is run on hardware contemporary with the language’s inception.&lt;br /&gt;&lt;br /&gt;Of course, featuritis — a separate phenomenon entirely — often adds far greater weight to an application that combines with the greater resource usage of higher level dynamic languages to slow things down to the point where we start noticing something is wrong. That, however, is an entirely separate matter.&lt;br /&gt;&lt;br /&gt;There are those who will argue that choosing a language based on the comparative performance characteristics of programs written in that language is a case of premature optimization. 
When all you need is a command line utility that will complete its task in under half a second, and Ruby can fill that need, resorting to assembly language to eke maximum performance out of the program certainly seems like a bad trade, if the tendency of Ruby programs to be much easier to write and maintain is considered.&lt;br /&gt;&lt;br /&gt;There is certainly a case to be made for lower level languages contributing to greater security. Knowing assembly language, or even a higher level “portable assembly” language such as C, helps the programmer wrap his brain around the concepts of von Neumann architecture computation. Even if you write all your software in a very high level language like Ruby, knowing what’s going on “under the hood”, as it were, can yield great rewards when some careful, precise tinkering is necessary — and in understanding the implications of what you’re doing with all those high level language constructs. This applies to security implications as much as to performance, portability, and stability implications.&lt;br /&gt;&lt;br /&gt;Don’t take anything said here as dissuading you from learning lower level, static languages such as C or assembly. Even if you never use them in earnest, knowing these languages will help you really understand what you’re doing with higher level, dynamic languages, and may help you make your code more secure.&lt;br /&gt;&lt;br /&gt;On the other hand, high level dynamic languages such as Ruby provide a lot of time saving linguistic constructs that, often as a happy accident, actually improve the security of your code without any effort on your part. An example is “bignum” handling.&lt;br /&gt;&lt;br /&gt;In programming languages such as C, integers have limits to how big they can get. For instance, an unsigned integer variable might be limited to 16 bits — between 0 and 2&lt;sup&gt;16&lt;/sup&gt;-1 (i.e. 0 to 65535). 
In unsigned 16 bit integer arithmetic, usually 65535 + 1 = 0, because the short integer type is incapable of representing a numeric value outside the range of 0-65535. In some cases, trying to stick a larger value than a data type can handle into a variable of that data type can crash the program, provide improper access to memory, or cause any of a number of other potential security issues. For this reason, programmers in languages like C need to be careful about how they use limited precision data types.&lt;br /&gt;&lt;br /&gt;Arbitrary precision arithmetic, also known as “bignum arithmetic”, is an arithmetic technique implemented in a programming language whereby the extent of an integer’s value is limited only by the restrictions of the hardware itself — essentially, by how much RAM the system has. This can, for instance, take the form of an automatic extension of the value that can be handled by the data type as it is needed, rather than limiting the value to an extent defined before a value is entered into a variable or otherwise handled by the program. As this greatly reduces the inherent danger of accepting overly large inputs, bignum arithmetic can prove a great boon to the security of a program.&lt;br /&gt;&lt;br /&gt;Such arbitrary precision arithmetic capabilities can be had with languages such as C, via libraries like BigDigits, the GNU MPL, and CLN, but this is not the default behavior of the language and requires explicit use by the programmer. Languages such as Ruby, on the other hand, employ bignum arithmetic by default, as it is needed, without requiring any intervention on the part of the programmer to specify that extensibility of the values that can be handled by numeric data types. 
It’s important to understand concepts like fixed integer arithmetic, of course, but it’s not important to use it all the time — or even most of the time.&lt;br /&gt;&lt;br /&gt;There are programmers who would complain at this implication, because arbitrary precision arithmetic generally imposes an efficiency penalty on programs that make use of it. In most cases, however, such concerns constitute a case of Knuth’s “premature optimization”, because unnecessary use of fixed precision arithmetic can lead to surprising behavior from your software if you make a mistake in development and some unexpected input overflows an integer.&lt;br /&gt;&lt;br /&gt;For security purposes, it’s generally the case that Ruby’s way of doing this is the right way to do it: default to avoiding the all too common dangers of fixed precision arithmetic altogether. The only fly in the ointment is the rare occasion where the performance penalties of arbitrary precision arithmetic really matter — or the rare field of endeavor where they matter often.&lt;br /&gt;&lt;br /&gt;When a nanosecond improvement in runtime is not needed, choose the tools that will make it easy to write more secure code.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-5747887767648461826?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/5747887767648461826/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=5747887767648461826&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5747887767648461826'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5747887767648461826'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/07/bignum-arithmetic-and-premature.html' title='Bignum arithmetic and premature optimization'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2849003053103774593</id><published>2008-07-29T08:24:00.000-07:00</published><updated>2008-07-29T08:30:29.260-07:00</updated><title type='text'>Five ways to show business value of M-F authentication</title><content type='html'>There’s more to selecting an enterprise second-factor authentication method than meets the retina scanner. As with any IT project, each dollar spent must produce business value. With M-F authentication, this translates to value beyond simply verifying an employee’s identity.&lt;br /&gt;&lt;br /&gt;Too often, security professionals are mesmerized by regulatory or best practice multi-factor (M-F) authentication mantras. They don’t see that selling M-F solutions to management requires more than a strategically placed HIPAA, SOX, or CoBIT two-by-four. Besides, using regulatory requirements to squeeze additional security dollars out of the IT budget is an argument with diminishing returns.&lt;br /&gt;&lt;br /&gt;There are five basic characteristics of an M-F solution that affect its potential for showing business value: an acceptable probability of success in verifying identity, easy enrollment, enhanced productivity, support for single sign on (SSO), and user acceptance.&lt;br /&gt;&lt;br /&gt;1. Achieves business-defined probability of success in verifying identity – This is the obvious function of an M-F solution. 
It should supplement the primary authentication method, usually password-based, by meeting a business-defined threshold for positive verification. Expecting an M-F method to produce 100 percent accuracy is the first mistake of many security managers. Even the effectiveness of fingerprint recognition is determined by its error rate. Unless you’re guarding the crown jewels or defense department secrets, the cost of solutions that achieve zero errors is usually higher than necessary to achieve reasonable and appropriate protection. The level of success necessary depends on the strength of your passwords, business tolerance for risk, and the existence and effectiveness of other access controls. &lt;br /&gt;&lt;br /&gt;2. Easy enrollment – Enrollment should take less than two minutes and be easily integrated into the new-hire process. Presenting a solution to management that requires employees to juggle three balls while whistling Dixie is not going to help your cause. For example, I just looked at a solution last week that required users to answer over 60 questions to get set up. The solution, currently an academic exercise only, achieved a probability of success that was high enough, but enrollment challenges make it almost impossible to gain management acceptance. &lt;br /&gt;&lt;br /&gt;3. Enhances productivity – The user experience should be improved, eliminating existing authentication challenges that go beyond regulatory compliance. In fact, selling a solution to management might require demonstrating how it can solve other issues. For example, many health care organizations deploy shared computers to nurses’ stations. Several nurses use these devices, logging in many times, during each shift. Their ability to provide care might be enhanced by an M-F solution that quickly verifies their identity and performs fast user switching, eliminating lost time dealing with system authentication issues. 
Proximity detection can make this happen before the nurse even gets to the keyboard. Another enhancement is SSO-like functionality. Although users have to authenticate to each application, the use of M-F technology can often eliminate the need to enter a user ID and password every time. &lt;br /&gt;&lt;br /&gt;4. Enables SSO – The M-F solution should be compatible with future SSO implementations. Selecting an M-F technology without considering SSO is a big mistake. The cost of M-F solutions can be high, and ripping one out if it isn’t compatible with the SSO technology you choose is a career-limiting exercise. According to Forrester, the best approach is selecting an SSO solution first, even if implementation is two to three years in the future. Implementation of an M-F solution should be within the context of your SSO vision. Share that vision with management, positioning your biometrics or smart-card solution as an incremental step toward an improved user experience. &lt;br /&gt;&lt;br /&gt;5. Acceptable to users – The solution must be easy to use and actually improve the way users see the security that protects information assets. Nothing kills an M-F rollout faster than user revolt. 
User resistance is often based on one or more of the following: &lt;br /&gt;&lt;br /&gt;- Fear that the company stores unique personal information &lt;br /&gt;&lt;br /&gt;- Fear that the company is collecting personal health information (retinal scans look at patterns that are also used to determine certain health conditions) for insurance purposes &lt;br /&gt;&lt;br /&gt;- Fear that the red light in retinal scanning sensors is physically harmful &lt;br /&gt;&lt;br /&gt;- Fear of contracting diseases through contact with publicly used sensors &lt;br /&gt;&lt;br /&gt;- High error rate, without an easy alternative to logging in &lt;br /&gt;&lt;br /&gt;The first four bullets under the fifth business value characteristic can be assuaged with pre-rollout discussions with users or user representatives, helping them understand the actual facts about the M-F technology selected. The last item is a technology challenge.&lt;br /&gt;&lt;br /&gt;As I wrote earlier in this post, M-F technology isn’t perfect. There will be errors. One error that frustrates users is a rejection of authorized login attempts. Frustration levels can be controlled by ensuring your solution includes an easy way to deal with these issues as they arise. 
Remember, this is supposed to improve user experience.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-2849003053103774593?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2849003053103774593/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2849003053103774593&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2849003053103774593'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2849003053103774593'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/07/five-ways-to-show-business-value-of-m-f.html' title='Five ways to show business value of M-F authentication'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-4806862966892838443</id><published>2008-07-29T08:18:00.000-07:00</published><updated>2008-07-29T08:23:03.174-07:00</updated><title type='text'>Use tcpdump for traffic analysis</title><content type='html'>The tcpdump tool is an old mainstay of network debugging and security monitoring, and security experts all over the world swear by its usefulness. It is a command line tool that eschews all the makeup and jewelry of other traffic analysis tools such as Ettercap and Wireshark, both of which provide packet sniffing functionality with a convenient captive interface. 
In contrast to such tools, tcpdump takes a command at the shell, with options specified at that time, and dumps the results to standard output. This may seem primitive to some users, but it provides power and flexibility that isn’t available with the common captive interface alternatives.&lt;br /&gt;&lt;br /&gt;Options&lt;br /&gt;The tcpdump utility provides dozens of options, but I’ll just cover a few of them here:&lt;br /&gt;&lt;br /&gt;-A: Print each packet in ASCII. &lt;br /&gt;-c N: Where the letter N is a number, this option tells tcpdump to exit after N packets. &lt;br /&gt;-i interface: Capture packets on the specified network interface. &lt;br /&gt;-n: Don’t resolve addresses to names. &lt;br /&gt;-q: Provide less verbose (“quiet”) output so output lines are shorter. &lt;br /&gt;-r filename: Read packets from the specified file rather than a network interface. This is usually used after raw packets have been logged to a file with the -w option. &lt;br /&gt;-t: Don’t print a timestamp on each line of output. &lt;br /&gt;-v: Provide more verbose output. Verbosity can be increased more with -vv, and even more than that with -vvv. &lt;br /&gt;-w filename: Write raw packets to the specified file.&lt;br /&gt;&lt;br /&gt;Expressions&lt;br /&gt;The tcpdump utility also supports command-line expressions, used to define filtering rules so that you get exactly the traffic you want to see, ignoring “uninteresting” packets. Expressions consist of a number of primitives and, optionally, modifier terms. The following primitives and modifiers do not constitute a comprehensive list, but they are among the most commonly useful.&lt;br /&gt;&lt;br /&gt;Primitives&lt;br /&gt;dst foo: Specify an address or hostname to limit captured packets to traffic sent to a particular host. &lt;br /&gt;host foo: Specify an address or hostname to limit captured packets to traffic to and from a particular host. 
&lt;br /&gt;net foo: Specify a network or network segment using CIDR notation to limit packet capture. &lt;br /&gt;proto foo: Specify a protocol to limit captured packets to network traffic using that protocol. &lt;br /&gt;src foo: Specify an address or hostname to limit captured packets to traffic sent by a particular host.&lt;br /&gt;&lt;br /&gt;Modifiers&lt;br /&gt;and: Use this to chain together primitives when you want to limit captured packets to those that meet the requirements of the expressions on both sides of the and. &lt;br /&gt;not: Use this modifier just before a primitive when you want to limit captured packets to those that do not meet the requirements of the following expression. &lt;br /&gt;or: Use this to chain together primitives when you want to limit captured packets to those that meet the requirements of one or more of the expressions on either side of the or.&lt;br /&gt;&lt;br /&gt;Examples&lt;br /&gt;All of these options and expression primitives and modifiers, along with others listed in the tcpdump manpage, can be used to construct very specific commands that produce very precise output.&lt;br /&gt;&lt;br /&gt;tcpdump -c 50 dst foo can give you information that may help identify the source of heavy incoming traffic targeting an overloaded server with hostname “foo”, dumping the first 50 packets as output.&lt;br /&gt;&lt;br /&gt;tcpdump -c 500 -w `date +"%Y%j%T"`.log dumps 500 packets to a file named with a current time/date stamp (e.g. 200820715:16:31.log) so that they can later be filtered according to the information you want to see. I have the command date +"%Y%j%T" aliased to stamp in my shell’s rc file, so I can shorten a command like this to tcpdump -c 500 -w `stamp`.log, saving me from having to remember all the formatting options for the date command off the top of my head. 
&lt;br /&gt;&lt;br /&gt;tcpdump tcp port 22 and host foo and not host bar produces ongoing output that shows all SSH activity (TCP port 22, the default SSH port) originating from or targeting host “foo” unless it is originating from or targeting host “bar”. If foo is only supposed to be accessed via SSH by bar, this command will allow ongoing monitoring of unauthorized SSH traffic to and from foo. You could even start a number of persistent monitoring processes with tcpdump like this within a tmux session on a dedicated monitoring server. &lt;br /&gt;&lt;br /&gt;As you can no doubt see, tcpdump’s expression capabilities are roughly equivalent to a simple domain specific programming language that is extremely easy to understand. With that kind of power and flexibility at my fingertips, there’s little need to use anything else for general traffic analysis tasks.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-4806862966892838443?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/4806862966892838443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=4806862966892838443&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4806862966892838443/posts/default/4806862966892838443'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4806862966892838443'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/07/use-tcpdump-for-traffic-analysis.html' title='Use tcpdump for traffic analysis'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-988549048894926127</id><published>2008-06-28T05:51:00.000-07:00</published><updated>2008-06-28T05:52:31.199-07:00</updated><title type='text'>Computer Use 101: Rule number one</title><content type='html'>What’s the first rule of using a computer? I’d wager that nine out of ten support staff would agree on this one. We might all think it’s a no-brainer, but for as long as I’ve been in this business (20+ years), rule number one was to save often. I’m amazed at how many people don’t. Here are some of the things I see.&lt;br /&gt;&lt;br /&gt;I recently upgraded a bunch of computers in the office, and to accommodate busy work demands, I would swap the boxes after hours. More times than not, I would find that people went home for the day leaving any number of files open. Of course, when I closed them, I was asked if I wanted to save the changes. That can only mean that it wasn’t saved before that person went home. Some of them didn’t even have a proper file name, since I was asked if I wanted to save Document1, or Workbook1, or some other default name. Personally speaking, I never even walk away from my computer without saving, much less go home for the night without doing it. In fact, I seldom leave anything open when I leave for the day.&lt;br /&gt;&lt;br /&gt;Someone approached me recently with a gripe about how Microsoft will sometimes automatically reboot his computer after an upgrade. I have these computers scheduled to check for upgrades late at night so people aren’t interrupted with it during the day. Of course, his gripe wasn’t really about the automatic reboot, but rather how he lost some work because of the files he left open — without saving. 
One question will put an abrupt end to that gripe: Didn’t you save your work before you went home?&lt;br /&gt;&lt;br /&gt;Another person called me over not too long ago because, for some unknown reason, our primary application software, AutoCAD, threw a rare hissy fit and displayed an unrecoverable error message. Nothing was responding, and the only way to proceed was to end the task. Of course, this meant the file couldn’t be saved. When was your last save, I asked? The three-hours-ago answer she gave was a tough one to hear. However, all might not have been lost, I thought, since AutoCAD has a nice auto-save feature. But for some reason, the file created by that auto-save was incomplete. I’m not sure why, but it probably has something to do with how AutoCAD references different files and such. But for whatever reason, it just wasn’t there.&lt;br /&gt;&lt;br /&gt;Okay, maybe this is all a minor rant, but after repeating rule number one — save often — over and over (probably into the thousands of times over the years), it’s still something a good number of people obviously don’t do. I have to wonder why, but the answer remains elusive.&lt;br /&gt;&lt;br /&gt;Okay, one more minor rant: Someone asked me today why his e-mail was not getting out of his outbox. Just a hunch, I said, but perhaps it’s the 47 MB file attachment you’re trying to send!&lt;br /&gt;&lt;br /&gt;P.S. 
I’ll be on vacation for the next week, so I’ll look forward to replying to any comments after I get back.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-988549048894926127?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/988549048894926127/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=988549048894926127&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/988549048894926127'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/988549048894926127'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/06/computer-use-101-rule-number-one.html' title='Computer Use 101: Rule number one'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-4960818151239696422</id><published>2008-06-28T05:48:00.000-07:00</published><updated>2008-06-28T05:49:48.789-07:00</updated><title type='text'>Fixing the fault, fixing the customer</title><content type='html'>Let’s face it, we all deal with the fault on a PC or network as a matter of routine, but how often do we consider that we also need to fix the customer? 
It may be that their confidence in the equipment/service/company has been strained and maybe even broken, and it may be that some work may be needed to restore the customer’s faith in your work.&lt;br /&gt;&lt;br /&gt;Is it enough to mend a fault and leave? It may be that the customer has concerns that a few words and a minute or two of listening might make the difference between leaving a happy customer and leaving somebody considering a move to another support service. A few nods and an “I see” or two and some other empathetic noises can make all the difference. One of my worst failings is to listen to the customer, right up to the point where I think I know what the problem is, then I switch off as I start the fix. There may be more to the problem than I’ve heard from the user, and I have often had to backtrack and hear the rest of the story.&lt;br /&gt;&lt;br /&gt;In my keenness to get on and fix the fault, I often forget about the customer and get too involved in the technicalities. I recall an incident when the customer had been reporting some minor fault or other on an almost daily basis. After a couple of “no fault found” callouts, I began to wonder if the problem was with the equipment or with the user, so I decided to get them to show me the fault instead of just describing it. It very soon became obvious that the problem lay with a lack of training, and I was able to sort out the problems quite quickly.&lt;br /&gt;&lt;br /&gt;I seem to spend a lot of my time banging on about people skills or soft skills, as they are often referred to. Sometimes you can win with soft skills where you fail on the technical fix. Sometimes we have to give bad news, or maybe we can’t fix the fault straightaway; we may have to wait for parts or get a problem fixed on a remote service. 
It is the way we communicate this kind of information to the customer that determines whether we leave them happy or anxious that we haven’t appreciated the seriousness of the situation.&lt;br /&gt;&lt;br /&gt;How do we give bad news without annoying the customer? First, we have to understand that no matter how well you communicate a problem, you can’t always leave the customer happy. It is foolish to think otherwise and could lead to your suffering a lot of stress in the process. Give the news straight and tell the customer what you are going to do about it. If that isn’t good enough, ask what they would like you to do. If you have an idea that might provide a workaround to the problem, run it past them. You will nearly always be able to come to an agreement that will mollify both parties, but it is important to remember that, provided that you have done all you can, you can leave with a clear conscience. Above all else, don’t take the problem home with you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-4960818151239696422?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/4960818151239696422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=4960818151239696422&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4960818151239696422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4960818151239696422'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/06/fixing-fault-fixing-customer.html' title='Fixing the fault, fixing the 
customer'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-3879652051824115757</id><published>2008-06-28T05:45:00.000-07:00</published><updated>2008-06-28T05:47:00.854-07:00</updated><title type='text'>What can support pros learn from their auto mechanics?</title><content type='html'>When I was recently arranging a routine service appointment for my automobile, I was struck by the fact that, for once, the shoe was on the other foot. I’m used to being the expert who has to explain a complicated technical issue to a nontechnical customer. When it comes to repairing cars, I know just enough to make myself sound stupid. Suddenly, I find myself in the position where I have to have things explained to me, often more than once.&lt;br /&gt;&lt;br /&gt;I have a great mechanic, so when I work with him, I’m seeing customer service done really well. My visit to the garage got me thinking about some of the practices of good auto service professionals, and I realized that the techniques that produce a positive car repair experience could serve as a guide for creating a positive support experience for my users. Here’s the list I jotted down while waiting for my car to come down off the lift.&lt;br /&gt;&lt;br /&gt;Triage effectively. My mechanic, Jim, is great about making sure that emergency situations are given special attention. Engine threw a cylinder on the highway? He’ll immediately send a wrecker to pick you up. Just need your oil changed? If there are more pressing tasks, Jim will gracefully let you know he’s too busy and will ask you to drop off your car in a day or two. 
The takeaway here is that most customers don’t mind waiting for nonemergency service, as long as they’re given a firm date when they can expect attention.&lt;br /&gt;&lt;br /&gt;Provide an estimate. When I work with Jim, his estimates usually have two parts: the cost and the timeframe in which the work will be done. Cost may not always be a factor when the help desk is serving a user, but there are other things to take into account. It may be necessary to order replacement parts, for instance. Providing your customers with estimates of what the work will entail and when it will be completed will manage their expectations and lower their stress level.&lt;br /&gt;&lt;br /&gt;Offer alternate arrangements. In the auto-service industry, this takes the form of the courtesy car. Consider keeping a couple of serviceable machines on hand as cold spares that you can loan to users whose regular workstations may need significant repair. With a “courtesy computer,” at least the client can continue his or her work.&lt;br /&gt;&lt;br /&gt;Update the customer. Mechanics revise their estimates; sometimes it’s necessary because the work required is more extensive. This can happen when a machine is on the repair bench, too. If the situation has changed — for the worse or for the better — make sure that the customer is informed. &lt;br /&gt;&lt;br /&gt;Explain things clearly. Think of it this way: your customers won’t appreciate your work if they don’t understand your description of it. Avoid jargon as much as possible. Put the situation in terms that are easily understood, and contextualize things for the users. If they have an understanding of how you’ve helped, they’ll feel better about the experience.&lt;br /&gt;&lt;br /&gt;Suggest future maintenance. Lots of car trouble can be avoided if the owner takes care of the vehicle. The same holds true for computers. 
If there’s a way that the user can avoid the inconvenience of future problems, share that knowledge with them.&lt;br /&gt; &lt;br /&gt;I recommend my mechanic to anyone I overhear complaining about the last time their car had to be serviced. There may be a guy out there with more qualifications than Jim, but his work is solid, and his customer service is second-to-none. When I’m in a situation where I’m out of my depth, I appreciate working with a professional who is concerned about the quality of my experience. Your users will, too.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-3879652051824115757?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/3879652051824115757/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=3879652051824115757&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3879652051824115757'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3879652051824115757'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/06/what-can-support-pros-learn-from-their.html' title='What can support pros learn from their auto mechanics?'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-5719954572268861148</id><published>2008-06-28T05:42:00.000-07:00</published><updated>2008-06-28T05:44:06.522-07:00</updated><title type='text'>Supporting (installing) financial software: My most difficult install</title><content type='html'>Over the years, other than providing basic computer technology support, I’ve had little responsibility for the financial software used by the company. Of course, I’d help the bookkeeper get the initial installation process going, and I helped her set up an adequate backup system (both on-site and off-site), but otherwise, I remained pretty much out of the financial software picture. (Privacy, confidentiality, and all that stuff, I suppose.)&lt;br /&gt;&lt;br /&gt;However, the newest version of our financial software has me jumping through more hoops than I’ve ever had to endure. For one thing, while all past versions of the software could be installed on a stand-alone workstation, this one is for a server installation only; it can’t be installed on a domain controller, so I had to provide a dedicated server just for the application (not that I’d want to install it on my domain controller anyway), which meant we had to provide an additional computer and buy another Server OS with the appropriate CALs. 
It uses SQL database and Microsoft .NET Framework, neither of which are really within my area of expertise; and the software company doesn’t provide a DVD for the installation, but rather makes it available by Internet download only — a total of six files (two of which are large documentation files), whose sizes total a whopping 800MB, taking a long time to download.&lt;br /&gt;&lt;br /&gt;The four downloaded installation files had to be executed in a particular order, which is understandable, I suppose, but I’m pretty sure they could have been integrated somehow to be run in the proper order by a simple installation routine. Nonetheless, executing the first installation file generated a CRC error about 30 minutes into its installation process (something about not matching the setup’s .cab file). We determined that the file became corrupted during download, so I had to download that one again (well over 100 MB and more download time). The second try was successful, but it took about 45 minutes to finish.&lt;br /&gt;&lt;br /&gt;The second file started to install, but it stopped to inform me that I first had to install the required Microsoft .NET Framework (version 1.1). That was easy enough to find and download from Microsoft’s support site, and I decided it would be a good idea to download and install the accompanying SP1 while I was at it. That was about a two-hour detour by the time it was all said and done (and installed). After running the second installation file for the second time, it finally did finish after more than an hour.&lt;br /&gt;&lt;br /&gt;The third installation file generated the same CRC error as the first one. Of course, I had to download that one again as well. The only difference was the file size and the time it took to download — twice the size and twice the time of the first file. Oh, there was another difference — this one crashed as well! 
After putting in a call to the software’s tech support folks, they directed me to a different FTP site from which I could download the file. The file on the initial site might have some problems, they said. (I think that might fall into the DUH! category.)&lt;br /&gt;&lt;br /&gt;Was the third try with the third file a charm? It would have to wait until the next day. It was still downloading when I went home for the day. However, on my way home, it occurred to me that this might not be the installation files at all. While these are large files, it shouldn’t take that long to download over a business-class broadband connection. Before I proceed any further, I believe some testing of my Internet connection, modem, and firewall router is in order. The new financial software is a real pain, but the download time might be another issue entirely.&lt;br /&gt;&lt;br /&gt;Funny, I was talking about one problem, and segued right into another.&lt;br /&gt;&lt;br /&gt;Anyway, what are some of your challenging installations?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-5719954572268861148?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/5719954572268861148/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=5719954572268861148&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5719954572268861148'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5719954572268861148'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/06/supporting-installing-financial.html' title='Supporting (installing) 
financial software: My most difficult install'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-457920412259740569</id><published>2008-06-28T05:37:00.000-07:00</published><updated>2008-06-28T05:41:17.428-07:00</updated><title type='text'>Lines in the sand: Three requests support techs should turn down</title><content type='html'>One problem with running a service-oriented help desk is that people keep coming to you for help.&lt;br /&gt;&lt;br /&gt;OK, that’s meant mostly as a joke. Mostly. In my experience I’ve found that creating strong relationships with one’s clients will lead to more service calls. It has something to do with inhibition and intimidation. If customers have a positive experience with a tech, they’ll feel reassured about the support process, and this will make them more inclined to ask for assistance in the future.&lt;br /&gt;&lt;br /&gt;Creating comfortable clients is ideal for a freelance or contract technician, who gets paid by the call or by the hour. Every service request is money in one’s pocket. Comfortable clients can be less ideal for a standing in-house support team, though. Users’ inhibitions can become so low that they start asking the help desk to provide support that’s outside appropriate boundaries. This is especially likely in environments that don’t impose any checks on the urge to file a support request, like fees, departmental charge-backs, or ticket accounting.&lt;br /&gt;&lt;br /&gt;Responsible IT departments should have published policies about what they’ll support. Even if those policies are out there, though, that won’t keep techs from getting requests for assistance that are beyond the help desk’s authority. 
Being aware of the types of inappropriate—and sometimes informal—support requests will let you anticipate them and will let you prepare your techs to handle such things, if and when they appear.&lt;br /&gt;&lt;br /&gt;Project work or IT engineering tasks. The role of the help desk is, first and foremost, to provide incident-based support to the client. Many places, including my own office, economize by having support techs also work within project teams developing new services. Help desk issues should always trump project work, though. If an IT project or engineering task is important enough that it can’t be set aside in favor of addressing emergent support requests, then it’s important enough that the project’s manager should have dedicated personnel working on it, rather than counting on the help desk techs having slack time.&lt;br /&gt;&lt;br /&gt;Requests not related to work. Whether it’s answering questions about problematic home computers or fielding requests to set up MP3 players on company-owned machines, there’s no reason for help desk techs to spend work time answering non-business requests. Let me be clear, I’m not an unfeeling robot. I’ll chat for a minute or two with colleagues about problems they may be having with machines at home, or I’ll provide shopping advice. That’s the extent of it, though. Our support policy excludes privately owned hardware and clearly outlines what’s supported on company-owned machines. That’s where the responsibility of our techs ends, and I’ve had to explain this to a number of users.&lt;br /&gt;&lt;br /&gt;Shop talk during social events or off hours. There’s an old cliché that insists that doctors are always being solicited for professional advice at cocktail parties and the like. I don’t know about whether that’s actually true for M.D.’s or not, but it’s certainly true for IT pros. I’ve been at many an office social event, only to have a colleague bring up a problem that they’ve been having. 
Support pros deserve the opportunity to unplug from work responsibilities now and again. I don’t hesitate to let my users know when I’m “off the clock.”&lt;br /&gt;&lt;br /&gt;Those are the three types of inappropriate inquiries I see most often as an office support tech. If you have any others to offer, let me know in the comments.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-457920412259740569?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/457920412259740569/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=457920412259740569&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/457920412259740569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/457920412259740569'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/06/lines-in-sand-three-requests-support.html' title='Lines in the sand: Three requests support techs should turn down'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-5749077814986501371</id><published>2008-05-05T06:20:00.000-07:00</published><updated>2008-05-05T06:24:24.141-07:00</updated><title type='text'>Wi-Fi security for the road warrior; revisited</title><content type='html'>Defining public Wi-Fi&lt;br /&gt;&lt;br /&gt;To make sure we’re all on 
the same page, let’s first define public Wi-Fi networks as those that allow unrestricted access. That’s a simplistic definition, but it’s what’s typically available at venues like airports, hotels, and hotspots. Since unrestricted access eliminates the ability to encrypt Wi-Fi traffic, it also means there’s no real security.&lt;br /&gt;&lt;br /&gt;Is there more risk at airports?&lt;br /&gt;&lt;br /&gt;So, is there more risk to using public Wi-Fi access at an airport lounge when compared to an upscale hotel? I would say yes, but not for technical reasons. People who steal information and identities want to do so using the least amount of effort. That means airports, simply because there are more targets of opportunity. I certainly see this whenever I’m traveling. At any given airport, it’s very easy to capture copious amounts of unencrypted digital traffic.&lt;br /&gt;&lt;br /&gt;I hope that explanation made sense, but I’m concerned that many people share DonnaKline’s viewpoint. With that in mind, I would like to discuss some high-level Wi-Fi security concepts. Theoretically, achieving information security and lowering risk is simple. If the information is undecipherable to everyone except the intended viewer, it’s secure. In real life, information security is anything but simple. That’s why an informed Wi-Fi user is the most powerful security tool available.&lt;br /&gt;&lt;br /&gt;Three distinct security zones&lt;br /&gt;&lt;br /&gt;I find it helps to divide the path that digital traffic travels along into distinct security zones. By doing so, attention is focused on the entire connection, not just the initial Wi-Fi portion. 
To keep it simple, I use the following three zones:&lt;br /&gt;&lt;br /&gt;Wi-Fi security zone: This zone is the one most people are aware of, as it is the first step to gain access to the Internet.&lt;br /&gt;&lt;br /&gt;Wired security zone: This zone is the in-house infrastructure that acts as a go-between for the Wi-Fi network and the Internet.&lt;br /&gt;&lt;br /&gt;Internet security zone: This zone is the conglomeration of linked networks that can traverse significant geographical areas. OK, I should just say the Internet.&lt;br /&gt;&lt;br /&gt;To many, realizing that all three zones are important for secure transmission of their information is a new concept. The following example clearly points this out. My financial adviser, who is near and dear to me, argues that Internet access at her favorite coffee shop is secure since she has to enter a new WPA passcode each time she visits. Using my security zone concept, we can see that the Wi-Fi security zone is covered, but how secure is my adviser’s information as it traverses the wired and Internet security zones?&lt;br /&gt;&lt;br /&gt;To explain, that particular coffee shop could be capturing customers’ personal information as it passes through the wired security zone. I’m not saying that it’s being done, but it could be. It’s also possible for people who steal information and identities to set up capture equipment in the coffee shop without the owner’s permission. Now that my financial adviser understands that there are different security zones, it’s easier for her to make an informed decision about what security measures to use.&lt;br /&gt;&lt;br /&gt;Proper tool for the job&lt;br /&gt;&lt;br /&gt;The good news for road warriors is the availability of security tools that will protect information traveling across all three security zones or any combination thereof. From a security expert’s viewpoint, utopia would be everyone using an IPsec VPN at all times. Nice, but let’s get back to the real world. 
Security does not come free, and it’s the user who carries the additional burden created by increased security. Let’s continue using my financial adviser in the following two examples, which depict situations where both security and convenience are considered:&lt;br /&gt;&lt;br /&gt;Highly sensitive traffic: My adviser needs to access the office database from the coffee shop. Since the data is very sensitive, the security tool used should produce the maximum amount of security. That would be some sort of VPN application. So she enables the computer’s VPN client, creating a digital tunnel that traverses all three security zones, connecting to the VPN server at the office. Once the VPN tunnel is set up, digital traffic is encrypted and sent through the tunnel. If any of this traffic were captured by an attacker, it would be complete gibberish and virtually impossible to decipher. That’s about as good as it gets and most security experts would be happy.&lt;br /&gt;&lt;br /&gt;Anonymity and local security: Next, my adviser wants to surf the Internet, checking out some vacation spots now that April 15 has passed. She’d rather not use the VPN, since it’s piped through the office’s Internet access and may create an unnecessary bottleneck. Only thing, there’s this rather odd-looking guy using a notebook with a strange antenna attached to it sitting in the next booth. What if he’s snooping? Does he know the encryption passcode? Wait a minute, I convinced her to get an “IronKey” for safe portable file storage. Luckily, it’s configured to connect to an SSL proxy server. Using that to access the Internet, my adviser has the Wi-Fi, wired, and a portion of the Internet security zones covered. No worries about that guy snooping, and it’s simpler than a VPN connection to use.&lt;br /&gt;&lt;br /&gt;Final thoughts&lt;br /&gt;&lt;br /&gt;The two examples are only meant to show what’s possible, not to advocate specific devices or methodology. 
That’s unrealistic, since each encountered situation is unique. It is my goal to help enlighten and make it easier for road warriors to determine the best security option for a given situation. I hope that this post and the information in “10 Wi-Fi security tips for the road warrior” will be good additions to the road warrior’s security tool kit.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-5749077814986501371?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/5749077814986501371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=5749077814986501371&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5749077814986501371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5749077814986501371'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/05/wi-fi-security-for-road-warrior.html' title='Wi-Fi security for the road warrior; revisited'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-8501684145837993035</id><published>2008-05-05T06:17:00.001-07:00</published><updated>2008-05-05T06:17:44.756-07:00</updated><title type='text'>Treating users equally, but differently</title><content type='html'>I try to treat all my users with equality, but sometimes equal doesn’t exactly 
mean equal. What I mean is that I treat them all equally depending on the level of support required. One type of person, for example, might approach me and describe a problem or issue, and I can simply tell them what I think and what I might try. Another person with exactly the same issue, however, might require more personal attention, where I would actually go and do it myself. It’s the same problem, but different users with different needs, and both requiring a different approach.&lt;br /&gt;&lt;br /&gt;The first one I described might actually prefer to do it himself, but the second one might not. So in this case, equal means to give them what they require. The challenge lies in determining exactly what kind of attention is both necessary and appropriate. Another challenge is keeping my personal frustration level in check. I can’t get frustrated because User-A can’t understand something the same way User-B does. I simply have to be more patient and empathetic with some people.&lt;br /&gt;&lt;br /&gt;I find that the timid user actually presents the greatest challenge. This is a person who does her job quite well and is very proficient with an application, but if just one little thing goes awry, she doesn’t know what to do; she’s totally lost. This is also the type of user who has a hard time understanding things over and above that norm. I might try to explain certain things, but some users just can’t seem to get it. Even more dangerous is when they might appear to get it, but they really don’t.&lt;br /&gt;&lt;br /&gt;Then I might have the real hands-on user, one who would rather dig-in and do it himself, even though he might not be the best one suited to do it. 
I might have to find a non-offensive way to tell someone to move over to the co-pilot’s seat (or out of the cockpit altogether), and that I need to have my own hands on the controls.&lt;br /&gt;&lt;br /&gt;Another type of user is one who might automatically tell me the solution instead of articulating the problem. It might take a bit of finesse to take that bit of information, work backwards, and try to pull out the real underlying problem. Oftentimes that proposed solution isn’t the real solution at all. In this case, I have to resist the urge to simply tell them they’re wrong, and instead lead them into another way of thinking.&lt;br /&gt;&lt;br /&gt;I’m here to try and provide what they might need, but people’s needs are all different. I have to adapt my style to their needs and personality, not the other way around. At least I try.&lt;br /&gt;&lt;br /&gt;What are some of your biggest challenges in this regard? What kinds of users do you support? What kinds of approaches have you found successful?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-8501684145837993035?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/8501684145837993035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=8501684145837993035&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8501684145837993035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/8501684145837993035'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/05/treating-users-equally-but-differently.html' title='Treating users equally, but 
differently'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2046389022621523831</id><published>2008-05-05T06:06:00.001-07:00</published><updated>2008-05-05T06:06:53.064-07:00</updated><title type='text'>Don’t waste your time supporting problems that don’t exist</title><content type='html'>We’re moving some staff into a new suite of offices, which means that we’re shopping for new furniture. This is also a great opportunity for us to choose some new workstation equipment to standardize on, and I’ve been talking with a very competent sales rep that has been helping us pick out new keyboard trays and task seating.&lt;br /&gt;&lt;br /&gt;I ran into a problem with the demo keyboard tray that our sales rep, Kurt, left for me to evaluate. I decided to leave him an email, even though I knew that he was going to be on vacation. Kurt’s really customer-focused, and even though he was out of the office, he saw my email and asked his OEM contact to give me a call.&lt;br /&gt;&lt;br /&gt;The OEM’s rep, Jim, came out and replaced a worn part on the key tray that Kurt had left with me, and he must have smelled an opportunity. After getting some background on what our plans were for our new offices, Jim started up-selling me.&lt;br /&gt;&lt;br /&gt;His company makes articulating display arms as well as keyboard decks and chairs, and Jim came on really strong about the ergonomic advantages of getting the computer’s display off of the desk. I told him that all of the LCDs that we have in our department already offer significant adjustability: height, tilt, pan — they’ll even rotate from a landscape orientation to operate in portrait mode. 
So, I told Jim that I think the equipment we have has been fitting my users pretty well. In response, Jim broke out one of his brochures. It showed how a display arm can let users reclaim their work surfaces for other purposes…laying out papers, and things like that. Well, Jim made a persuasive case, and I let him leave me a display arm to try out around the office.&lt;br /&gt;&lt;br /&gt;Once I’d installed the display arm, I started inviting people into my office to try it out. I was expecting that a lot of my users would respond favorably to the setup, you know, because of all that space on my desk surface I had reclaimed. Quite the opposite occurred, surprisingly. Everyone was completely underwhelmed by the ‘advantages’ the display arm provided. After inquiring why they weren’t more excited by the demonstration, I realized that articulating display arms solve a problem that we don’t have.&lt;br /&gt;&lt;br /&gt;No one has ever complained to me about their display cluttering their desk too much. In fact, my users seem to welcome even more clutter, as long as there’s a reason for it; to benefit from the increased productivity that comes with having a second display, for instance. I had bought into Jim’s hype, and thought that he could provide a solution to an actual problem, one that I was afraid I had missed. I’m glad I actually looked beyond the pitch and asked for feedback from my users. I was saved a lot of expense and installation headaches that would have come from an over-engineered solution to a non-existent problem.&lt;br /&gt;&lt;br /&gt;It’s good to be out in front of things, and to try and anticipate your clients’ needs. Take a moment, though, and talk to a focus group of your users. 
This will help you make sure that you’re on target with your assessment of their situation, and keep you from buying a white elephant.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-2046389022621523831?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2046389022621523831/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2046389022621523831&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2046389022621523831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2046389022621523831'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/05/dont-waste-your-time-supporting.html' title='Don’t waste your time supporting problems that don’t exist'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1272923255453868847</id><published>2008-03-29T06:17:00.000-07:00</published><updated>2008-03-29T06:21:37.595-07:00</updated><title type='text'>A primer on array-based and network-based replication</title><content type='html'>Replication helps protect your data and files by producing a duplicate copy at a second site, server, or storage array. 
I covered host-based replication in a previous blog.&lt;br /&gt;&lt;br /&gt;In this blog, I’ll cover two other types of replication — array-based replication and network (or fabric) based replication.&lt;br /&gt;&lt;br /&gt;Array-based replication&lt;br /&gt;Array-based replication requires a central data storage unit (SAN or NAS) and a partner unit. With array-based replication, the SAN or NAS processes the data and the commands to process and validate the data being replicated.&lt;br /&gt;&lt;br /&gt;Advantages of array-based replication&lt;br /&gt;The work is offloaded from the servers to the storage device. &lt;br /&gt;You only need one location to control many replications of multiple servers. &lt;br /&gt;Hosts (servers) are not required at the second site and do not need to be attached to the second SAN/NAS. &lt;br /&gt;A central SQL server can be set up to replicate with the servers that actually present applications to users, such as order tracking applications. &lt;br /&gt;The right software can queue databases to ensure that transactions and the database are in a recoverable state. &lt;br /&gt;&lt;br /&gt;Disadvantages of array-based replication&lt;br /&gt;Cost per device can be high, especially when you’re not replicating all of the data on the SAN. &lt;br /&gt;Only SAN or NAS based data can be replicated or controlled. &lt;br /&gt;A second SAN or NAS is required, increasing the cost for the solution. &lt;br /&gt;There could be compatibility problems with replication technology/software between SAN/NAS hardware and vendors. &lt;br /&gt;&lt;br /&gt;Examples of array-based replication software&lt;br /&gt;HP StorageWorks XP &lt;br /&gt;EMC SANCOPY - Supports EMC and some other vendor arrays &lt;br /&gt;EMC MirrorView - EMC-only replication &lt;br /&gt;NetApp SnapMirror &lt;br /&gt;&lt;br /&gt;Network-based replication&lt;br /&gt;The last type of replication is network (or fabric) based replication. This type of replication works separately from the hosts (servers) and the storage devices. 
A device on the network intercepts packets being sent to and from hosts and arrays and copies them. These copies are replicated to a second device that then replays the packets at a second location. The devices are, in essence, splitters. The data goes in and then it’s split out to different sources.&lt;br /&gt;&lt;br /&gt;Advantages of network-based replication&lt;br /&gt;It’s a separate component from the SAN/NAS or the hosts. &lt;br /&gt;Processing is independent of the host and SAN/NAS. &lt;br /&gt;It allows replication between multi-vendor products. &lt;br /&gt;&lt;br /&gt;Disadvantages of network-based replication&lt;br /&gt;The cost of implementing devices to support this kind of replication is high. &lt;br /&gt;This is newer technology for the data center, and standards and processes are still being worked out. &lt;br /&gt;There are a limited number of “players” in this area of replication.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-1272923255453868847?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1272923255453868847/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1272923255453868847&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1272923255453868847'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1272923255453868847'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/03/primer-on-array-based-and-network-based.html' title='A primer on array-based and network-based 
replication'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-4737887475017400900</id><published>2008-03-29T06:13:00.000-07:00</published><updated>2008-03-29T06:14:55.667-07:00</updated><title type='text'>Five new developments in storage infrastructure solutions</title><content type='html'>First there was Ethernet. Then, there was IP over Ethernet. Next came the mixed use of Ethernet, IP, and the SCSI command set (iSCSI) to simplify storage and to bring down the cost and complexity of storage. Today, iSCSI and Fibre Channel are fighting it out in all but the largest enterprises, and both have their pros and cons. Even though these are the two primary contenders in today’s block-level shared storage market, there are some other alternatives. The line is continuing to blur between these solutions as new initiatives are brought to market. Let’s take a look at some new developments in storage infrastructure solutions.&lt;br /&gt;&lt;br /&gt;Faster Fibre Channel&lt;br /&gt;Two Gbps and 4 Gbps Fibre Channel are very common in the marketplace, and manufacturers are just now beginning to demonstrate 8 Gbps Fibre Channel gear. There are also standards in the works for Fibre Channel running at 10 Gbps and 20 Gbps. This venerable technology continues to improve to meet the increasingly robust storage needs demanded by the enterprise. In some cases, Fibre Channel solutions on the market rival iSCSI solutions from a price perspective (e.g., Dell/EMC AX150) for simple solutions. However, faster Fibre Channel still has the same skill set hurdles to overcome. 
Just about every network administrator knows IP, but Fibre Channel skills are a different matter.&lt;br /&gt;&lt;br /&gt;iSCSI over 10G Ethernet&lt;br /&gt;iSCSI has become a technology that deserves short-list status… and at a gigabit per second, no less. Many iSCSI naysayers point to its slower interlink speed as a reason that it won’t stack up to Fibre Channel. However, iSCSI solutions are now on the cusp of moving to 10 Gbps Ethernet, meaning that iSCSI’s link speed could surpass even the fastest Fibre Channel solutions on the market. Of course, iSCSI still has IP’s overhead and latency, so we’ll see how well 10 Gbps Ethernet performs in real-world scenarios when compared to 8 Gbps Fibre Channel.&lt;br /&gt;&lt;br /&gt;Further, 10 Gbps Ethernet gear is still extremely expensive, so, for the foreseeable future, 10 Gbps-based iSCSI solutions probably won’t fit the budgets of many organizations considering iSCSI as a primary storage solution. All this said, interlink speed is not necessarily the primary driver for replacement storage infrastructure in the enterprise. Performance boosts are often achieved by adding more disk spindles to the infrastructure or by moving to faster disk drives (e.g., SATA to 15K RPM SAS or Fibre Channel).&lt;br /&gt;&lt;br /&gt;Fibre Channel-over-IP (FCIP)&lt;br /&gt;Fibre Channel-over-IP (FCIP) is a method by which geographically distributed Fibre Channel-based SANs can be interconnected with one another. In short, FCIP is designed to extend the reach of Fibre Channel networks over wide distances.&lt;br /&gt;&lt;br /&gt;Internet Fibre Channel Protocol (iFCP)&lt;br /&gt;Internet Fibre Channel Protocol (iFCP) is an effort to bring an IP-based infrastructure to the Fibre Channel world. Much of the cost of Fibre Channel is necessary infrastructure, such as dedicated host bus adapters (HBAs) and switches. These components can, on a per-port basis, add thousands of dollars to connect a server to the storage infrastructure. 
In contrast, transmitting Fibre Channel commands over an IP network would drive down infrastructure costs in a major way, requiring only gigabit Ethernet connections, which are already found on most servers. Further, even high-density Gigabit Ethernet switches cost only a couple thousand dollars. The main drawback to this proposal is the limitation to 1 Gbps Ethernet; although 10 Gbps gear is available, it would negate some of the cost benefit. On the plus side, iFCP (even on 10 Gbps Ethernet) would open Fibre Channel solutions to administrators that have IP-based skill sets. iFCP was ratified by the Internet Engineering Task Force in late 2002/early 2003.&lt;br /&gt;&lt;br /&gt;ATA-over-Ethernet (AoE)&lt;br /&gt;ATA-over-Ethernet (AoE) hasn’t enjoyed the popularity of iSCSI, but this isn’t due to any technical hurdles. The AoE specification is completely open and only eight pages in length. AoE doesn’t have the overhead of IP as does iSCSI since it runs right on top of Ethernet. Of course, this does limit AoE’s use to single locations, generally, since raw Ethernet can’t be routed. You can find more about AoE in one of my previous posts.&lt;br /&gt;&lt;br /&gt;Summary&lt;br /&gt;The future of storage is wide open. 
Between iSCSI, Fibre Channel, and even AoE, solutions abound for organizations of any size, and as the lines blur between some of these technologies, cost becomes less of an issue across the board.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-4737887475017400900?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/4737887475017400900/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=4737887475017400900&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4737887475017400900'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/4737887475017400900'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/03/five-new-developments-in-storage.html' title='Five new developments in storage infrastructure solutions'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2103313265176328979</id><published>2008-03-29T06:06:00.000-07:00</published><updated>2008-03-29T06:12:49.545-07:00</updated><title type='text'>Rolling back device driver updates in Windows Server 2003’s Device Manager</title><content type='html'>When updating a device driver to solve a problem or improve the performance of a device, there may be other things included with the new driver that produce unexpected results or cause 
other aspects of your Windows Server 2003 system to function differently than you expect.&lt;br /&gt;&lt;br /&gt;Fortunately, there is a safeguard for situations where you have updated driver files that aren’t performing as needed: You can roll back the updates.&lt;br /&gt;&lt;br /&gt;In this tip, we’ll take a look at the process for rolling back driver updates.&lt;br /&gt;&lt;br /&gt;Note: You will only be able to roll back the driver file if the driver has been updated. If it has not yet been updated, there will be no driver available to revert back to.&lt;br /&gt;&lt;br /&gt;Rolling back driver updates is simple. Follow these steps:&lt;br /&gt;&lt;br /&gt;Open the Computer Management Console by right-clicking the My Computer icon on the Start menu and selecting Manage. &lt;br /&gt;In the left pane of the console, select Device Manager. &lt;br /&gt;Once loaded in the right pane, expand the category for the device whose drivers you wish to roll back. &lt;br /&gt;Right-click the device in the list and select Properties. &lt;br /&gt;On the device’s Property sheet, select the Driver tab. &lt;br /&gt;Click the Rollback Driver button. &lt;br /&gt;Note: If the Rollback Driver button is grayed out, the driver has not been updated and cannot be rolled back.&lt;br /&gt;&lt;br /&gt;The driver will roll back to the previously installed version. You should also keep in mind that some drivers from Windows Update may need rolling back due to conflicts within a system. 
This may not happen often, but rollback is a great tool for correcting problems with driver updates.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2103313265176328979/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2103313265176328979&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2103313265176328979'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2103313265176328979'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/03/rolling-back-device-driver-updates-in.html' title='Rolling back device driver updates in Windows Server 2003’s Device Manager'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-1324553323411518556</id><published>2008-03-29T05:46:00.000-07:00</published><updated>2008-03-29T06:03:52.254-07:00</updated><title type='text'>How do I… Add music and narration to a PowerPoint presentation?</title><content type='html'>The best presentations engage the audience using a number of creative tools. Sound effects, such as music and voice recordings, can mean the difference between a good presentation and an outstanding presentation. 
You can energize your audience with a quick tempo, play your company’s latest jingle, or add narration to an on-demand presentation. At the very least, you can play music at the beginning and ending of a presentation as the audience enters and leaves the room. The only limits are good taste and your imagination.&lt;br /&gt;&lt;br /&gt;Microsoft PowerPoint supports media clips, which include sound and video files. The computer playing your presentation will need a sound card and speakers. That doesn’t mean just the system you use to create the presentation, but any system on which you might play the presentation. Today, most systems come with everything you need, but older systems might need an upgrade. (It’s highly unlikely that you’ll encounter such an old system, but don’t rely on that — check it out first!)&lt;br /&gt;&lt;br /&gt;Table A lists the media files PowerPoint supports, although this article deals only with sound files.&lt;br /&gt;&lt;br /&gt;Table A: Media support&lt;br /&gt;File    Explanation                            Attributes&lt;br /&gt;MIDI    Musical Instrument Digital Interface   Sound &lt;br /&gt;WAV     Microsoft Windows audio format         Sound &lt;br /&gt;MPEG    Motion Picture Experts Group           Standard video format with a frame per second rate &lt;br /&gt;AVI     Microsoft Windows video format         Video format with a constant frame rate per second &lt;br /&gt;GIF     Graphical Interface Format             256 color picture that supports animation. &lt;br /&gt;&lt;br /&gt;Like most special effects, sound can catch the attention of your audience and convey a message or emotion in a way words or pictures can’t. On the other hand, used poorly, sound can be distracting or even annoying. 
As always, your purpose will determine how much, if any, sound your presentation needs.&lt;br /&gt;&lt;br /&gt;The basics — inserting sound&lt;br /&gt;Including sound is as simple as selecting a file:&lt;br /&gt;&lt;br /&gt;Use existing clips by double-clicking one of the Title, Text and Media Clip layouts from the Slide Layout task pane. Double-click the media clip icon shown in Figure A to launch the Media Clip dialog box.&lt;br /&gt;&lt;br /&gt;Figure A&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/R-48pdkaNoI/AAAAAAAAAGc/r3EnMzCmwJc/s1600-h/190615-500-296.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_YHquImSLBBI/R-48pdkaNoI/AAAAAAAAAGc/r3EnMzCmwJc/s400/190615-500-296.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5183146904159663746" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Choose a media slide from the Slide Layout task pane&lt;br /&gt;When you double-click a WAV or MIDI file, PowerPoint displays the prompt shown in Figure B. The options Automatically and When Clicked are self-explanatory.&lt;br /&gt;&lt;br /&gt;Figure B&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/R-483dkaNpI/AAAAAAAAAGk/CS6lsno-aN8/s1600-h/190616-398-144.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_YHquImSLBBI/R-483dkaNpI/AAAAAAAAAGk/CS6lsno-aN8/s400/190616-398-144.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5183147144677832338" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;PowerPoint will play the sound file when the slide is current, or you can click the icon to play it&lt;br /&gt;Work with unique sound files by choosing Movies and Sound from the Insert menu and then selecting Sound From File or Sound From Clip Organizer. You can also record sound or play a track from a CD. 
After selecting a file, PowerPoint prompts you to specify how to execute the file (see Figure B).&lt;br /&gt;&lt;br /&gt;If PowerPoint doesn’t support a clip’s format, choose Object from the Insert menu and choose the appropriate object type. Alternately, you can convert the file to a supported type. Use a search engine to search for “video file conversion.” However, don’t be surprised if the converted file is less than satisfactory. It’s difficult to maintain quality when converting media files.&lt;br /&gt;&lt;br /&gt;In PowerPoint 2007, you’ll find the Sound option in the Media Clips group on the Insert tab.&lt;br /&gt;&lt;br /&gt;PowerPoint displays a sound clip as a small icon, which shows during Slide Show view. When the presentation plays the clip automatically, you might want to hide the icon. There’s really no good reason to display it.&lt;br /&gt;&lt;br /&gt;To hide the icon, right-click the icon and choose Edit Sound Object from the resulting submenu. In the Sound Options dialog box, shown in Figure C, check the Hide Sound Icon During Slide Show option, and click OK. Double-click the icon in PowerPoint 2007 to find these options.&lt;br /&gt;&lt;br /&gt;Figure C&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/R-49EtkaNqI/AAAAAAAAAGs/3JCzwQGmY3g/s1600-h/190617-208-236.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_YHquImSLBBI/R-49EtkaNqI/AAAAAAAAAGs/3JCzwQGmY3g/s400/190617-208-236.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5183147372311099042" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Edit the file’s attributes&lt;br /&gt;If you choose the click option, it’s worth mentioning that clicking the icon a second time doesn’t disable the sound — the file plays from beginning to end once you click it. 
In PowerPoint 2007, clicking the icon restarts the file.&lt;br /&gt;&lt;br /&gt;To learn just how long a file lasts, right-click the icon and choose Edit Sound Object. The file’s playing time is in the Information section at the bottom (see Figure C). If you want the file to play continuously, while the slide is current, check the Loop Until Stopped option. Moving to the next or previous slide will cancel the loop.&lt;br /&gt;&lt;br /&gt;Narrating a presentation&lt;br /&gt;To record a unique sound or message, you’ll need a microphone. Unfortunately, some microphones that come with today’s systems aren’t very sophisticated. If you record someone talking, it may sound distorted when played. Suddenly, you may have a lisp or an accent! Specialized software can clear up some problems, but it’s expensive and that’s just one more piece of software you’ll have to learn. It might be more efficient to invest in a better microphone.&lt;br /&gt;&lt;br /&gt;PowerPoint makes it easy to narrate a presentation, which is a plus in a Web-based, automated, or on-demand presentation. You might also use this feature to include a statement from an individual, such as a celebrity or your company’s CEO.&lt;br /&gt;&lt;br /&gt;Don’t jump right into recording. First, write a script and rehearse it. Once you’re comfortable with your speaking part, you can record your narration:&lt;br /&gt;&lt;br /&gt;Choose Record Narration from the Slide Show menu to open the Record Narration dialog box. In PowerPoint 2007, this option is in the Set Up group on the Slide Show tab. &lt;br /&gt;Click Set Microphone Level to check your microphone. Read the sentence that appears in the Microphone Check dialog and let the Microphone Wizard adjust your microphone automatically. Click OK. &lt;br /&gt;If you need to adjust the quality to CD, radio, or telephone, click Change Quality to open the Sound Selection dialog box. Just remember that quality increases the file’s size. 
If file size is a concern, you may have to compromise quality just a bit. &lt;br /&gt;By default, PowerPoint stores the narration with the presentation. To store the sound file in a separate WAV file (in the same folder) check Link Narrations In. Click Browse to change the location of the separate WAV file, but use caution when doing so — only store the two separately when you have a good reason for doing so. If a sound file is over 50MB, you must link it. &lt;br /&gt;Click OK and start recording. As PowerPoint displays your presentation, you narrate just as you want the message played. Continue to narrate each slide until you’re done. &lt;br /&gt;At the end of the presentation, PowerPoint will prompt you to save the timings with each slide. This can be helpful if you didn’t get each slide just right and you need more practice. &lt;br /&gt;Step five mentions linked files. If you’re using the same system to both create and show the presentation, linked files are fine, but not necessary. Linked files are a good choice if the sound files are large or if you plan to change the source file. By default, PowerPoint automatically links sound files that are larger than 100KB.&lt;br /&gt;&lt;br /&gt;To change this setting, choose Options from the Tools menu, and then click the General tab and update the Link Sounds With File Size Greater Than option. PowerPoint 2007 users will find this option by clicking the Office button, clicking the PowerPoint options button (at the bottom right) and then choosing Advanced. The option is in the Save section.&lt;br /&gt;&lt;br /&gt;Use the Package for CD (PowerPoint 2003) or Pack And Go Wizard (PowerPoint 2002) to make sure you save linked files with the presentation. Names can be problematic: A linked file’s path name must be 128 characters or less.&lt;br /&gt;&lt;br /&gt;More options&lt;br /&gt;Narration is only one type of recording you might consider. If you can record it, you can include it in your presentation. 
To record a single message or unique sound, choose Movies and Sound from the Insert menu and choose Record Sound. In PowerPoint 2007, this option is in the Sound option’s dropdown list, in the Media Clips group on the Insert tab.&lt;br /&gt;&lt;br /&gt;In the resulting Record Sound dialog box shown in Figure D, enter a description and name. Click Record when you’re ready to begin. Click Stop when you’re done. Use Play to listen to the new recording. Click OK to save the sound with the presentation. Or, click Cancel to exit and try again. If you save a sound, it appears as an icon, which you can use anywhere in the presentation you like. Mix this capability with action settings for a unique effect. Just don’t overdo it!&lt;br /&gt;&lt;br /&gt;Figure D&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/R-498dkaNsI/AAAAAAAAAG8/mFjXiQ1yzRw/s1600-h/190618-298-122.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_YHquImSLBBI/R-498dkaNsI/AAAAAAAAAG8/mFjXiQ1yzRw/s400/190618-298-122.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5183148330088806082" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;You can record sounds inside PowerPoint&lt;br /&gt;Playing a CD&lt;br /&gt;Playing music is a great way to begin or end a presentation. However, the music doesn’t have to be a top 10 tune. It only needs to be appropriate. For example, you might play Mendelssohn’s Wedding March if your presentation is about catering receptions. Or, pleasing dinner music might be the way to go. It’s really up to you; just keep your audience in mind. To include a song from a CD, do the following:&lt;br /&gt;&lt;br /&gt;Insert the CD. &lt;br /&gt;From the Insert menu, choose Movies and Sound. Then, select Play CD Audio Track to open the Insert CD Audio dialog box. In PowerPoint 2007, choose Play CD Audio Track from the Sound option’s dropdown list. You’ll find this option in the Media Clips group on the Insert tab. 
&lt;br /&gt;The Start At Time and End At Time fields let you capture just part of a track instead of using the entire track. &lt;br /&gt;Use the Sound Volume button to control the audio’s volume. &lt;br /&gt;Check the Hide While Not Playing option in the Display Options section if you don’t want the audio’s icon to show when the music isn’t playing. &lt;br /&gt;Click OK when you’re done. PowerPoint lets you play the track by clicking or displaying the slide. &lt;br /&gt;Like other sound files, PowerPoint displays a CD icon on the current slide. Just be careful that you don’t violate any copyright laws when including someone else’s music in your presentation.&lt;br /&gt;&lt;br /&gt;A word on animation&lt;br /&gt;You can use custom animation to control sound files to add a unique and creative dimension to your presentation. To get started, select a sound icon and display the Custom Animation task pane. PowerPoint offers a ton of options, and does a good job of disabling inappropriate choices for the selected clip.&lt;br /&gt;&lt;br /&gt;Creating custom animation can be complicated and the truth is most presentations won’t need that much energy. However, the feature’s there and you might as well learn a bit about it. There’s an entire tab dedicated to animation in PowerPoint 2007. Click the Custom Animations option in the Animations group to create custom effects.&lt;br /&gt;&lt;br /&gt;Design for effect&lt;br /&gt;Multimedia files can liven up any presentation and sound is definitely part of that mix. You can play an appropriate tune or your company’s jingle. With one click, you can play your company’s latest radio ad for the head honchos. 
Whether you’re pitching a new product or sharing photos of your new baby, use sound to set the mood.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/1324553323411518556/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=1324553323411518556&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1324553323411518556'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/1324553323411518556'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/03/how-do-i-add-music-and-narration-to.html' title='How do I… Add music and narration to a PowerPoint presentation?'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_YHquImSLBBI/R-48pdkaNoI/AAAAAAAAAGc/r3EnMzCmwJc/s72-c/190615-500-296.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-48722670620892842</id><published>2008-03-08T05:24:00.000-08:00</published><updated>2008-03-08T05:25:30.422-08:00</updated><title type='text'>Securing end users’ pesky password problems</title><content type='html'>This is the first of a three-part series introducing simple fixes to security breaches that your end users might be 
committing. &lt;br /&gt;&lt;br /&gt;If you are anything like me, you have worked with varying degrees of security requirements for some time now. Regardless of what you do in technology, there is a requirement, spoken or otherwise, that you have at least an awareness of what policies are in place.&lt;br /&gt;&lt;br /&gt;In most HIPAA/GLBA/SOX/PCI shops, the policy is likely to be something that you sign off on when you begin working and possibly before you are allowed to have access to the network. In many companies, you are required to listen to a lecture, take a training course, or participate in a Webinar. Generally, it will cover such things as password requirements, acceptable use, and possibly a component on social engineering and how to avoid it. It will, or should, also tell you how you will maintain paper documents and dispose of them. If that policy is really good, it will include information on the classification of documents.&lt;br /&gt;&lt;br /&gt;If business has gone through all the trouble of making all that information available to you, they must have some intention of enforcing the policies, right? The answer is “sometimes.”&lt;br /&gt;&lt;br /&gt;Don’t get me wrong, business wants those policies adhered to. In many cases, there are audit standards that must be met and those audit standards require compliance. Business just may not have considered the step of how to communicate the policies in a way that the average user can be compliant and still get the job done. This is a place that IT can step in and help out.&lt;br /&gt;&lt;br /&gt;Let’s look at password length and complexity. Generally, a password requires uppercase and/or lowercase, numerals, and special characters. The most common minimum length I have run across is eight. Today’s user is generally managing multiple passwords on multiple systems and in frustration may find it easier to just write them down. I even had a user who took to writing them on the monitor bezel! 
(Some things you just can’t make up!) Most will make some effort to keep them from becoming public knowledge but many will leave their written copies in an easily accessible location. That is where I can help.&lt;br /&gt;&lt;br /&gt;One solution is to consider password vault software. A utility on my Mac is called Keychain. It stores and manages passwords in an encrypted state until I provide a master password on challenge. It is a simple and useful tool. Another good one is the open-source Password Safe. It works on a master PIN. There are also a variety of enterprise-level tools available.&lt;br /&gt;&lt;br /&gt;If your environment is anything like where I have worked, getting a new piece of software to the end user is tough. It is at least a lengthy process. So try a couple of other ideas.&lt;br /&gt;&lt;br /&gt;Most cubicles have an overhead bin or lockable drawer. I encourage end users to store their password file there. At least it is locked. For laptop users who don’t have a lockdown cable but DO have a lockable bin or drawer, I encourage them to put their laptops away nightly. I recall coming in to the office early one morning to find one of the cleaning staff struggling with a trash can with several laptops in it. I have been vigilant ever since.&lt;br /&gt;&lt;br /&gt;If you don’t have a key for your desk or bin, ask your manager how to obtain one or ask Facilities for one. If your company has a Compliance Officer, that person will likely be able to help you out. While I am sure it can happen, I have never heard of a key request being turned down.&lt;br /&gt;&lt;br /&gt;Because the solution is simple, most end users don’t have a problem with complying. And that is really what is at the heart of failure to comply with security requirements at the end user level. It needs to be simple.&lt;br /&gt;&lt;br /&gt;Sometimes in IT we forget that the end user is there to do a very different kind of job than we are. 
What they care about most is their work product: the ability to turn out work that meets or exceeds business needs. Anything that they perceive is in the way of that effort is likely to meet with resistance. When we take the time to work through roadblocks with them, that resistance will go away.&lt;br /&gt;&lt;br /&gt;What kinds of advice do you give end users on being more secure with their multiple passwords?</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/48722670620892842/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=48722670620892842&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/48722670620892842'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/48722670620892842'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/03/securing-end-users-pesky-password.html' title='Securing end users’ pesky password problems'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-3530313904070026913</id><published>2008-03-08T05:18:00.000-08:00</published><updated>2008-03-08T05:20:27.924-08:00</updated><title type='text'>Using the Windows Server 2003 Computer Management Console’s Device Manager 
snap-in</title><content type='html'>Windows Server 2003 supports devices large and small, both as internal cards and external USB devices, which can be cumbersome for admins. Fortunately, Device Manager is included as a snap-in to the Computer Management Console. I view Device Manager as one of the hidden gems in Windows Server 2003 system maintenance.&lt;br /&gt;&lt;br /&gt;To access Device Manager, open the Computer Management Console and select the Device Manager object in the left pane. This will display the Device Manager in the right pane.&lt;br /&gt;&lt;br /&gt;Once it’s open, Device Manager displays a list of the categories of devices detected in the local system. Expanding these categories will show each device of this type installed, both internal and external. (Note: If a device fits multiple categories, its name will appear in all relevant categories. For instance, a USB CD-ROM drive will appear in the USB devices category, as well as the CD/DVD ROM device category.)&lt;br /&gt;&lt;br /&gt;You can also get to Device Manager from the system applet in Control Panel, grouped in Computer Management for ease of use.&lt;br /&gt;&lt;br /&gt;Using Device Manager&lt;br /&gt;If you expand a device’s category in the right pane, you will see a list of all of the devices in the category. Devices that are experiencing problems will have a yellow exclamation point on them. Devices that are disabled will typically appear with a red x in Device Manager.&lt;br /&gt;&lt;br /&gt;To view a device’s Properties, expand its Category, right-click the device in the list, and then select Properties. This will display the Properties dialog box for the device. These tabs are available:&lt;br /&gt;&lt;br /&gt;General: Contains a description of the device and displays any issues with the device. 
This tab is useful for identifying a problem between Windows Server 2003 and the device by showing a description of the error message — regardless of whether it concerns communication or drivers. &lt;br /&gt;Driver: Displays the options available for managing device drivers. &lt;br /&gt;Resources: Displays the resource usage information for the device. &lt;br /&gt;By using the Driver tab, you can perform the following actions against the device’s driver:&lt;br /&gt;&lt;br /&gt;Driver Details: View the details of the driver, including the publisher and installation date. &lt;br /&gt;Update Driver: Update the existing device driver to a newer version. &lt;br /&gt;Rollback Driver: Undo a driver update, rolling back to the previously installed version. &lt;br /&gt;Uninstall Driver: Completely remove a device driver from the system.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/3530313904070026913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=3530313904070026913&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3530313904070026913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3530313904070026913'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/03/using-windows-server-2003-computer.html' title='Using the Windows Server 2003 Computer Management Console’s Device Manager 
snap-in'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-7689058967190968302</id><published>2008-03-08T04:52:00.000-08:00</published><updated>2008-03-08T05:14:20.772-08:00</updated><title type='text'>How do I… Request and install SSL certificates in IIS 7.0?</title><content type='html'>SSL (Secure Sockets Layer) certificates are perhaps the most common way to protect information being transmitted between a visitor’s Web browser and your Web site. SSL provides encryption services to information flowing between systems and can protect Web traffic, e-mail, instant messages and a host of other kinds of data transmittals.&lt;br /&gt;&lt;br /&gt;I’m not going to go into great detail about the inner workings of SSL except to say that it is a critical infrastructure component for any organization that has a desire to protect customer or other confidential information. SSL is widely used by banks, e-commerce companies, and other Web entities that require transmission of sensitive information, such as passwords, social security numbers, etc.&lt;br /&gt;&lt;br /&gt;I will show you how to obtain and install a third-party SSL certificate into Microsoft Internet Information Server 7.0 (IIS 7) running on Windows Server 2008. I am running the RC0 version of Windows Server 2008.&lt;br /&gt;&lt;br /&gt;In the most simplistic view, there are four kinds of certificates to which you will be exposed during your SSL installation:&lt;br /&gt;&lt;br /&gt;Self-signed SSL certificates: These are certificates that you generate and use to encrypt information passing between a client and your server. 
These certificates are good insofar as they do allow you to encrypt data, but since they are created on-site, the certificates have not been verified by a third party entity, meaning that the site can’t necessarily be trusted. &lt;br /&gt;Third-party SSL certificate: A third-party SSL certificate provides the same encryption capabilities as a self-signed certificate. However, since the certificate is issued by a third party, it is considered a more trusted type of certificate, especially when the certificate chain extends to a trusted root certificate. &lt;br /&gt;Intermediate certificate: Not all SSL certificate vendors are created equal. In order to be fully trusted, any certificate you obtain needs to eventually link to a root certificate that is trusted by your Web browser. However, not all vendors’ SSL certificates are natively trusted by root certificates. As such, with these vendors, you need to complete the SSL trust chain by (in addition to installing your SSL certificate) installing an intermediate certificate between a root certificate and your new SSL certificate. If you skip this step, users will continue to get certificate errors until this trust chain is established. The use of an intermediate SSL certificate requires a bit of additional network communication at the initial establishment of an SSL-secure session but beyond that, there is no performance penalty. &lt;br /&gt;Trusted root certificate (or Trusted root certification authorities): A root certificate is the Grand PooBah of the certificate world. In order to complete the trust chain, your individual certificate must, in some way, link to a root certificate. 
&lt;br /&gt;A third-party SSL certificate is generally considered more trusted than a self-signed certificate since the certificate information is verified by a third party and the certificate ultimately maps to what is called a trusted root certificate.&lt;br /&gt;&lt;br /&gt;Note: I am assuming that you will be installing a brand new certificate that you do not yet own and not importing some kind of existing certificate. Further, I assume that you do not have a complex public key infrastructure in-house and that you need to get your certificate from a third party. Finally, I’m making the assumption that you have already installed IIS 7 on your Windows Server 2008 system.&lt;br /&gt;&lt;br /&gt;Step 1: Prepare a Certificate Signing Request (CSR)&lt;br /&gt;Regardless of the SSL vendor you use, your first step in the process is to create a Certificate Signing Request (CSR) that will be sent to the SSL vendor of your choice. The CSR is a Base-64 encoded PKCS#10 message (this basically means it’s a bunch of gobbledygook that is unreadable by humans) that contains all of the information necessary to identify the person or company applying for the certificate. The request also includes the applicant’s public key. This key is the public portion of a combined public key/private key structure that, together, is able to effectively and securely encrypt information.&lt;br /&gt;&lt;br /&gt;Choose Start | Administrative Tools | Internet Information Services (IIS) Manager &lt;br /&gt;In the IIS Manager, choose your server name &lt;br /&gt;In the Features pane (the middle pane), double-click the Server Certificates option (Figure A) located under the Security heading. 
&lt;br /&gt;&lt;br /&gt;Figure A&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/R9KMoxa_ijI/AAAAAAAAAEs/tCNLnDmovFM/s1600-h/171604-500-454.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_YHquImSLBBI/R9KMoxa_ijI/AAAAAAAAAEs/tCNLnDmovFM/s400/171604-500-454.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175353553891330610" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Open the properties page for the site you want to protect&lt;br /&gt;You will notice two default certificates already installed on this server. To begin the process of requesting a new certificate, from the Actions pane, choose the Create Certificate Request option as shown below in Figure B. &lt;br /&gt;&lt;br /&gt;Figure B&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/R9KMoxa_ikI/AAAAAAAAAE0/JnIMJJK6lAk/s1600-h/171605-500-304.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_YHquImSLBBI/R9KMoxa_ikI/AAAAAAAAAE0/JnIMJJK6lAk/s400/171605-500-304.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175353553891330626" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Click the Server Certificate button to begin the process&lt;br /&gt;The first screen of the wizard asks for details regarding the new site. The common name should match the fully-qualified domain name for the site. Otherwise, provide information about your site, making sure to spell out the name of your state. 
(Figure C) &lt;br /&gt;&lt;br /&gt;Figure C&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/R9KMoxa_ilI/AAAAAAAAAE8/0UDnJIIlOMU/s1600-h/171606-500-381.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_YHquImSLBBI/R9KMoxa_ilI/AAAAAAAAAE8/0UDnJIIlOMU/s400/171606-500-381.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175353553891330642" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Provide information about your site&lt;br /&gt;Click Next to continue. &lt;br /&gt;The next screen of the wizard asks you to choose cryptography options. The default, Microsoft RSA SChannel Cryptography Provider is fine. A key length of 1,024 bits is the default option and is fine as well. (Figure D) &lt;br /&gt;&lt;br /&gt;Figure D&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/R9KNyRa_imI/AAAAAAAAAFE/11Udi4Jxplo/s1600-h/171607-500-381.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_YHquImSLBBI/R9KNyRa_imI/AAAAAAAAAFE/11Udi4Jxplo/s400/171607-500-381.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175354816611715682" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Choose a cryptography provider and key length&lt;br /&gt;Click Next to continue. &lt;br /&gt;Finally, provide a filename to which to save the certificate request. You will need the contents of this file in the next step, so make sure you know where to find it. 
(Figure E) &lt;br /&gt;&lt;br /&gt;Figure E&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/R9KNyha_inI/AAAAAAAAAFM/W26RtdEt4wI/s1600-h/171608-500-381.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_YHquImSLBBI/R9KNyha_inI/AAAAAAAAAFM/W26RtdEt4wI/s400/171608-500-381.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175354820906682994" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Save the CSR&lt;br /&gt;Here’s some of the CSR mumbo jumbo associated with this certificate request:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/R9KOKha_ioI/AAAAAAAAAFU/qFgQfqUUMJc/s1600-h/0.PNG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_YHquImSLBBI/R9KOKha_ioI/AAAAAAAAAFU/qFgQfqUUMJc/s400/0.PNG" border="0" alt=""id="BLOGGER_PHOTO_ID_5175355233223543426" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Step 2: Request a certificate from a certificate vendor&lt;br /&gt;Now, with your CSR in hand, visit the Web site of your favorite SSL certificate provider and buy your new certificate. During the registration process, you need to provide the certificate company with information validating you or your company’s identity. Some consider this part a hassle, but it really is a vital part of the overall SSL chain. After all, you don’t want just anyone receiving a certificate that uses your company name!&lt;br /&gt;&lt;br /&gt;The certificate request process varies by certificate company, so I can’t really provide the exact steps for the certificate request. 
What I can tell you is that, at some point, you’ll need to open up the text file that contains the certificate request in order to copy and paste the encoded certificate request in the appropriate field on the order form.&lt;br /&gt;&lt;br /&gt;Once you complete the vendor’s certificate request form (Figure F) and provide them with payment, you’ll need to wait for the SSL certificate to be delivered to you via e-mail.&lt;br /&gt;&lt;br /&gt;Figure F&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/R9KO3xa_ipI/AAAAAAAAAFc/VR6MM3dEoF0/s1600-h/171609-500-347.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_YHquImSLBBI/R9KO3xa_ipI/AAAAAAAAAFc/VR6MM3dEoF0/s400/171609-500-347.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175356010612624018" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Provide the necessary information for the SSL certificate vendor&lt;br /&gt;Step 3: Save the provided certificate somewhere accessible&lt;br /&gt;What you get back from a certificate vendor depends on the vendor you choose. In the case of the company that I used to get my certificate, they sent back a zip file with three certificates. One of the certificates is named ssltest_westminster-mo_edu.crt. This is the certificate I need for the new Web site. The other two certificates are required if you need to chain the new certificate back to a root certificate. We will not be discussing them in this document.&lt;br /&gt;&lt;br /&gt;The new certificate is nothing more than a text file, as was the case with the CSR. However, in this case, the information starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. In the previous step, the terms were BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST. 
Extract the contents of this zip file to a location accessible from your Web server.&lt;br /&gt;&lt;br /&gt;Step 4: Install the certificate&lt;br /&gt;After making sure that your Web server can access the certificate files, you need to install the new certificate so that it can be used by your Web site.&lt;br /&gt;&lt;br /&gt;Choose Start | Administrative Tools | Internet Information Services (IIS) Manager. &lt;br /&gt;In the IIS Manager, choose your server name. &lt;br /&gt;In the Features pane (the middle pane), double-click the Server Certificates option located under the Security heading. &lt;br /&gt;To complete the process of requesting a new certificate, from the Actions pane, choose the Complete Certificate Request option. &lt;br /&gt;The Complete Certificate Request window opens and asks you to provide the location at which the certificate file can be located (Figure G). Provide this location and also indicate what friendly name you would like to use for the certificate. &lt;br /&gt;&lt;br /&gt;Figure G&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/R9KO5Ra_iqI/AAAAAAAAAFk/PrY-3OFpqGw/s1600-h/171610-500-381.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_YHquImSLBBI/R9KO5Ra_iqI/AAAAAAAAAFk/PrY-3OFpqGw/s400/171610-500-381.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175356036382427810" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Tell the wizard where it can find the certificate file and provide a friendly name&lt;br /&gt;The certificate is now installed and ready to be assigned to a Web site.&lt;br /&gt;&lt;br /&gt;Step 5: Add an HTTPS binding to a Web site&lt;br /&gt;Now, with the certificate installed, it’s time to put it to work. In IIS 7, you need to bind the HTTPS protocol to a Web site and then assign an installed certificate to be used to protect that Web site. 
Follow these steps:&lt;br /&gt;&lt;br /&gt;Choose Start | Administrative Tools | Internet Information Services (IIS) Manager. &lt;br /&gt;In the IIS Manager, browse to your server name | Sites | Your SSL-based site. You may need to create a new site. In Figure H below, notice that my site is named ssltest. The full Internet path to this site is ssltest.westminster-mo.edu. Since this Windows Server 2008 machine is running in a lab, you will see that it is a member of the Contoso domain, but I have added westminster-mo.edu sites to this server and appropriately configured DNS. &lt;br /&gt;&lt;br /&gt;Figure H&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/R9KO6ha_irI/AAAAAAAAAFs/w_SyoxU7qHI/s1600-h/171611-500-365.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_YHquImSLBBI/R9KO6ha_irI/AAAAAAAAAFs/w_SyoxU7qHI/s400/171611-500-365.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175356057857264306" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A look at a site to which HTTPS will be bound&lt;br /&gt;From the Actions pane, choose Bindings. This opens the Site Bindings window shown in Figure I. &lt;br /&gt;&lt;br /&gt;Figure I&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/R9KO6xa_isI/AAAAAAAAAF0/fTpajc_IJ9E/s1600-h/171612-471-194.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_YHquImSLBBI/R9KO6xa_isI/AAAAAAAAAF0/fTpajc_IJ9E/s400/171612-471-194.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175356062152231618" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Site Bindings window&lt;br /&gt;In the Site Bindings window, choose Add. This opens the Add Site Binding window shown in Figure J. 
&lt;br /&gt;From the Site Bindings window, provide the binding type (HTTP or HTTPS, but for this purpose use HTTPS), the IP address that will be used for this site (192.168.0.16 for me), and the port that will be used for SSL. &lt;br /&gt;Next, choose the SSL certificate that you want to use to protect this site. Note that I have chosen ssltest.westminster-mo.edu. Use the Browse button to locate the right certificate. &lt;br /&gt;&lt;br /&gt;Figure J&lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/R9KO7Ba_itI/AAAAAAAAAF8/OiogCj5aN_4/s1600-h/171613-406-220.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_YHquImSLBBI/R9KO7Ba_itI/AAAAAAAAAF8/OiogCj5aN_4/s400/171613-406-220.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175356066447198930" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Provide the appropriate details for the Add Site Binding dialog box&lt;br /&gt;Click the OK button. See Figure K for the result. &lt;br /&gt;&lt;br /&gt;Figure K&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_YHquImSLBBI/R9KP5ha_iuI/AAAAAAAAAGE/PObbNbTNtEE/s1600-h/171614-471-194.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://2.bp.blogspot.com/_YHquImSLBBI/R9KP5ha_iuI/AAAAAAAAAGE/PObbNbTNtEE/s400/171614-471-194.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175357140189022946" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The results of the new binding&lt;br /&gt;Step 6: Test your certificate&lt;br /&gt;Now, test your certificate by browsing to the new site. You should not get any certificate errors. In Figure L note that I have successfully browsed to the new site and that there is a lock icon indicating that SSL is active. 
Figure M is a look at the certificate as detailed in the Web browser.&lt;br /&gt;&lt;br /&gt;Figure L&lt;br /&gt;&lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/R9KP5xa_ivI/AAAAAAAAAGM/O0i35P92iVk/s1600-h/171615-500-126.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_YHquImSLBBI/R9KP5xa_ivI/AAAAAAAAAGM/O0i35P92iVk/s400/171615-500-126.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175357144483990258" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The site is being protected by SSL&lt;br /&gt;&lt;br /&gt;Figure M&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_YHquImSLBBI/R9KP6Ra_iwI/AAAAAAAAAGU/o95lMZ-VpHo/s1600-h/171616-500-212.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://1.bp.blogspot.com/_YHquImSLBBI/R9KP6Ra_iwI/AAAAAAAAAGU/o95lMZ-VpHo/s400/171616-500-212.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5175357153073924866" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The certificate is valid</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/7689058967190968302/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=7689058967190968302&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7689058967190968302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7689058967190968302'/><link rel='alternate' type='text/html' 
href='http://msproducts.blogspot.com/2008/03/how-do-i-request-and-install-ssl.html' title='How do I… Request and install SSL certificates in IIS 7.0?'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/_YHquImSLBBI/R9KMoxa_ijI/AAAAAAAAAEs/tCNLnDmovFM/s72-c/171604-500-454.png' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-3533716545638899992</id><published>2008-02-21T05:10:00.000-08:00</published><updated>2008-02-21T05:11:09.829-08:00</updated><title type='text'>Capturing SQL Server 2005 database file size information</title><content type='html'>It’s very important to capture trends of the sizes of your SQL Server 2005 database because it allows you to plan for future space needs, notice types of problems, and plan for time periods of heavy volume. I’ll show you the simple method that I use to capture this information.&lt;br /&gt;&lt;br /&gt;An example&lt;br /&gt;I will capture a snapshot of the information related to the sizes of my database files; in my next article, I will analyze the information to see when my data files and log files grow the most.&lt;br /&gt;&lt;br /&gt;Each database on the SQL Server contains information regarding the size of the database files, along with some other related information. In order for me to get to this information, I need a method to retrieve the data from the individual databases one at a time. I have two available options:&lt;br /&gt;&lt;br /&gt;sp_spaceused: This system stored procedure will return the size statistics for the current database context in which it is running. 
It is very useful for returning ad hoc information regarding database or table sizes within the database; however, it is not very friendly for reporting purposes. It is possible to capture the information for each database through a script, but it would require the use of a user-defined cursor. &lt;br /&gt;sp_msforeachdb: This is a very useful system stored procedure that will execute any SQL script you pass to it in each of the databases on your SQL Server instance. The stored procedure just loops through the databases, which is simple to write, but it saves you from having to do it yourself. This is the method I will use for my code to capture database file size information. &lt;br /&gt;The information I want to gather and store is available in the sys.database_files system view. This gives me the size of the database files, along with some other handy information such as the state of the database, the manner in which the files grow (size or percentage), and if it is read-only. I will need to capture this information for each database.&lt;br /&gt;&lt;br /&gt;The script below creates a table named DatabaseFiles (if it does not already exist) based upon the structure of the system view sys.database_files; it also adds a new column to capture when the record was added to the table.&lt;br /&gt;&lt;br /&gt;IF OBJECT_ID('DatabaseFiles') IS NULL&lt;br /&gt; BEGIN&lt;br /&gt;     SELECT TOP 0 * INTO DatabaseFiles&lt;br /&gt;     FROM sys.database_files    &lt;br /&gt;&lt;br /&gt;     ALTER TABLE DatabaseFiles&lt;br /&gt;     ADD CreationDate DATETIME DEFAULT(GETDATE())&lt;br /&gt; END&lt;br /&gt;&lt;br /&gt;Now it is time to populate the DatabaseFiles table. This script uses the sp_msforeachdb stored procedure and passes a SQL script that inserts data from the sys.database_files view into the DatabaseFiles table that I created above. If you examine the script, you will notice that I am building in the database name for each database. This is subtle, and it’s accomplished by the [?] 
prefix to the sys.database_files view. This code is actually executed in each database on the instance, and the name of the database is used in place of the [?] marker. Information for each database is inserted into the DatabaseFiles table with one line of code, and it is a lot easier than writing a cursor to do the same. I also added a GETDATE() call to indicate when the records were inserted into the table.&lt;br /&gt;&lt;br /&gt;Note: This example somewhat goes against two coding standards that I am typically strict about: using SELECT * and inserting into a table without a column list. I omitted them because the SQL string that I am building would have been a lot less desirable to view. If this was code that I put into a production environment, I would have made the necessary changes accordingly.&lt;br /&gt;&lt;br /&gt;EXECUTE sp_msforeachdb 'INSERT INTO DatabaseFiles SELECT *, GETDATE() FROM [?].sys.database_files'&lt;br /&gt;&lt;br /&gt;To make sure that all of my data was captured correctly, I’ll look at what is in the table.&lt;br /&gt;&lt;br /&gt;SELECT * FROM DatabaseFiles</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/3533716545638899992/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=3533716545638899992&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3533716545638899992'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/3533716545638899992'/><link rel='alternate' type='text/html' 
href='http://msproducts.blogspot.com/2008/02/capturing-sql-server-2005-database-file.html' title='Capturing SQL Server 2005 database file size information'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-2724006327421416731</id><published>2008-02-21T05:08:00.001-08:00</published><updated>2008-02-21T05:08:58.642-08:00</updated><title type='text'>Using the Computer Management Console’s Shared Folders snap-in</title><content type='html'>Managing open files, active shares, and user sessions can take up quite a bit of time. The Computer Management Console’s Shared Folders snap-in can make your job easier by showing remote activity and resource access on a given system.&lt;br /&gt;&lt;br /&gt;Shared Folders will not list the documents that you are working on locally; keep this in mind if you open one of these objects on a system, and the view is empty. As with other Computer Management Console snap-ins such as Event Viewer, Shared Folders is available on all versions of Windows 2000, Windows XP, Windows Server 2003, and Windows Vista.&lt;br /&gt;&lt;br /&gt;Components of the Shared Folders snap-in&lt;br /&gt;Shared Folders includes the following three objects, which allow you to monitor systems from the comfort of your office for any system on your network.&lt;br /&gt;&lt;br /&gt;Shares: Shows the active shares (including all administrative shares) for the system to which you are connected. &lt;br /&gt;Sessions: Shows all the user sessions that are connected to your system. If someone is accessing a Windows Server 2003 resource remotely, this snap-in will show you their session. 
You can disconnect sessions by right-clicking a session and choosing either Disconnect Selected Session or Disconnect All Sessions. &lt;br /&gt;Open Files: Shows the files on the system that are currently open and shows you which users have the files or folders open; this can be helpful in tracking down why other users cannot open certain files. When using Open Files, you can close any file that any user has open simply by right-clicking the file’s entry in the list and choosing Close Open File. &lt;br /&gt;Remote connections&lt;br /&gt;When accessing the Computer Management Console, you can connect remotely to other systems to view their resources. (The remote systems must be running Windows 2000 or higher.)&lt;br /&gt;&lt;br /&gt;To connect remotely to other systems, follow these steps:&lt;br /&gt;&lt;br /&gt;Open the Computer Management Console by right-clicking My Computer from the Windows XP Start menu. (In Windows 2000, you right-click My Computer from the desktop. In Windows Vista, you right-click Computer or enter Computer Management in the Start Menu’s Search box.) &lt;br /&gt;Right-click the computer object at the top of the left pane and select Connect To Another Computer. Or, click the Action menu and select Connect To Another Computer. &lt;br /&gt;Enter the name of the computer you wish to connect to and click OK. 
&lt;br /&gt;If the desired system is available, the Computer Management Console will display the resources as available on the remote system.&lt;br /&gt;&lt;br /&gt;Next week, I will focus on the Computer Management Console’s Local Users and Groups snap-in.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/2724006327421416731/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=2724006327421416731&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2724006327421416731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/2724006327421416731'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/02/using-computer-management-consoles.html' title='Using the Computer Management Console’s Shared Folders snap-in'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-326234093770745025</id><published>2008-02-21T05:02:00.000-08:00</published><updated>2008-02-21T05:04:36.783-08:00</updated><title type='text'>Create your own special characters in Windows XP</title><content type='html'>If you’ve ever wanted to create your own font or maybe just a special character — for example, a character showing your initials for when you 
wish to approve documents with your “signature” — you can easily create your own special characters using a hidden Windows XP tool called the Private Character Editor. Here’s how:&lt;br /&gt;&lt;br /&gt;Press [Windows]R to open the Run dialog box. &lt;br /&gt;Type eudcedit in the Open text box and click OK. &lt;br /&gt;When the Private Character Editor launches, you’ll see the Select Code dialog box. Click OK. &lt;br /&gt;A user interface that looks and works very much like Paint will appear. From this, you may use standard tools to create your characters. &lt;br /&gt;When you finish, select the Save Character command on the Edit menu. &lt;br /&gt;Once you save your new character, you can access it using the Character Map tool. Here’s how:&lt;br /&gt;&lt;br /&gt;Press [Windows]R to open the Run dialog box. &lt;br /&gt;Type charmap in the Open text box and click OK. &lt;br /&gt;When the Character Map appears, select the Font drop-down list and select All Fonts (Private Characters). &lt;br /&gt;Select your character, click the Select button, and then click the Copy button. 
&lt;br /&gt;You can now paste your font character in any document that you want.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/326234093770745025/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=326234093770745025&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/326234093770745025'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/326234093770745025'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/02/create-your-own-special-characters-in.html' title='Create your own special characters in Windows XP'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-5107106652093471097</id><published>2008-02-10T04:10:00.000-08:00</published><updated>2008-02-10T04:11:04.103-08:00</updated><title type='text'>Enterprise considerations for Microsoft Network Access Protection</title><content type='html'>Having a MS-NAP implementation in place will provide your network an extra level of protection at the entry point. 
There are certainly networks that need the maximum level of security for every point of connectivity; however, only the business or your technology situation can determine what you need from the perspective of network access protection. The MS-NAP implementation uses many different communication mechanisms if fully implemented. A strong point for MS-NAP is that the MS-NAP implementation can be utilized with some or all of the features and roles. In this article, we'll take a look at some of the things you need to take into consideration from an enterprise perspective.&lt;br /&gt;&lt;br /&gt;Enforcement types for MS-NAP&lt;br /&gt;If you are considering MS-NAP for your environment, you cannot invest enough time in the planning and testing phases. Deciding on the best enforcement type for a policy is critically important. The means of enforcing MS-NAP are varied in their functionality and complexity. &lt;br /&gt;&lt;br /&gt;Enforcement types&lt;br /&gt;The MS-NAP implementation can enforce the compliance policy through these four mechanisms:&lt;br /&gt;&lt;br /&gt;VPN: The VPN server relays the policy from the Network Policy Server (NPS) to the requesting client and performs the validation. This is not to be confused with Windows Server 2003's Network Access Quarantine Control feature. &lt;br /&gt;DHCP: The DHCP server interacts with the policies from the NPS to determine the client's compliance. &lt;br /&gt;IPSec: The IPSec enforcement of MS-NAP is Microsoft's strongest offering for network access protection. It enforces the policy and configures the systems out of compliance with a limited access local IP security policy for remediation. &lt;br /&gt;802.1X: The MS-NAP client authenticates over an 802.1X authenticated network and is the best solution when integrating hardware from other vendors. Luckily, the 802.1X authentication protocol was developed jointly by Microsoft, Cisco, HP, Trapeze, and Enterasys. 
&lt;br /&gt;Each enforcement type will direct the client that is out of compliance to the remediation network where a resolution should be able to occur before accessing the desired network. The remediation network should be given some thorough planning. Making the remediation network a place where clients (managed or unmanaged) can gain the requisite updates or programs without support staff intervention will be critical in making the entire MS-NAP implementation a success. Choosing an enforcement method is an important first step in a successful implementation.&lt;br /&gt;&lt;br /&gt;Planning what can happen on the remediation network is very important as well. Ask whether updates can be accessed from this network; whether anti-virus updates/installations can be accessed there; and, most importantly, whether the users can perform the required updates automatically or without involving the client support staff.&lt;br /&gt;&lt;br /&gt;Network Policy Server (NPS) mastery&lt;br /&gt;In planning a MS-NAP implementation, a deep-level understanding of the NPS role of Windows Server 2008 should be reached. This server role will determine where systems will go based on their configuration. This is especially important because this server role touches other server roles or equipment depending on the enforcement mechanism selected. The NPS role also acts as a RADIUS server for the MS-NAP clients. &lt;br /&gt;&lt;br /&gt;Real-world administration effort and support &lt;br /&gt;Many network administrators are overworked and can have a difficult time perceiving a time where they could allocate the time to properly plan a network access protection system much less fully test and implement such a solution. The common response from a quick, unscientific survey of network administrators is "It would be nice, but I don't have the time" for a network access protection solution. 
Regardless of it being a Microsoft or a networking company solution, the responses are fairly consistent.&lt;br /&gt;&lt;br /&gt;From an ongoing support perspective, the MS-NAP implementation can go one way or the other. If the remediation network has a way for the users to become compliant and a robust, intuitive way of doing such, the support effort will be minimized for ongoing access to networks from systems that have dipped out of compliance. &lt;br /&gt;&lt;br /&gt;Networking hardware support&lt;br /&gt;If the 802.1X enforcement method is selected, a unique challenge is presented. This method is unique because it would require maintaining support for the MS-NAP implementation from a networking hardware and server operating system perspective. While the implementations offered by the networking hardware vendors offer 802.1X authentication for an individual port, it takes an additional administration effort to ensure end-to-end compatibility.&lt;br /&gt;&lt;br /&gt;New services on clients and domain group policy objects&lt;br /&gt;For the client elements using the MS-NAP implementation, there are new services and local configuration elements that are required to utilize the functionality. Pushing these configuration elements to managed systems through an Active Directory domain GPO is the best way to deploy to large numbers of existing systems. The new configuration elements for the MS-NAP implementation are not available in Active Directory domains running at Windows Server 2003 level, but are available for Windows Server 2008 level domains. 
There are other ways to configure the new services for clients, but it would be optimal to be native in the domain group policy editor and link the new GPO to an OU or a domain.&lt;br /&gt;&lt;br /&gt;It is not clear what implementation configuration would be required for Windows XP clients since Service Pack 3 is not yet available; nor is it clear how a Windows XP MS-NAP client would be managed -- if at all possible -- from a Windows Server 2008 functionality level Active Directory domain.</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/5107106652093471097/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=5107106652093471097&amp;isPopup=true' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5107106652093471097'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/5107106652093471097'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/02/enterprise-considerations-for-microsoft.html' title='Enterprise considerations for Microsoft Network Access Protection'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-6196170057811891721</id><published>2008-02-10T04:07:00.000-08:00</published><updated>2008-02-10T04:08:56.647-08:00</updated><title type='text'>Cisco's NAC hardware explained</title><content type='html'>Cisco Network Admission Control (NAC) is a system to enforce the security policy of your company on all devices attempting network access. The Cisco NAC solution is made up of many different pieces of hardware, software, and services; this article will explain its many pieces.&lt;br /&gt;&lt;br /&gt;What hardware makes up Cisco's NAC solution?&lt;br /&gt;On Cisco's network security solutions Web page, you'll find the following list of Cisco technologies, all of which play a part in the complete Cisco NAC solution: &lt;br /&gt;&lt;br /&gt;Advanced Services for Network Security &lt;br /&gt;Cisco Security Agent (CSA) &lt;br /&gt;Cisco Security Monitoring, Analysis and Response System (MARS) &lt;br /&gt;Cisco Trust Agent 2.0 (CTA) &lt;br /&gt;Cisco Secure Access Control Server for Windows (ACS) &lt;br /&gt;Cisco Secure Access Control Server Solution Engine (ACS) &lt;br /&gt;Cisco Works Interface Configuration Manager (ICM) &lt;br /&gt;Cisco Works Security Information Management Solution (CW-SIMS) &lt;br /&gt;NAC-enabled routers &lt;br /&gt;Router security &lt;br /&gt;Cisco VPN 3000 Series Concentrators &lt;br /&gt;Cisco Unified Wireless Network &lt;br /&gt;Cisco Catalyst switches &lt;br /&gt;Let's discuss some of the more critical pieces of Cisco's NAC solution.&lt;br /&gt;&lt;br /&gt;Cisco NAC-enabled routers&lt;br /&gt;The recently released Cisco router NAC module enforces NAC at the remote branch locations or ancillary buildings of a campus. Apart from that, the NAC router module also improves the overall security of the network by making sure that all incoming users and devices comply with security policies. 
&lt;br /&gt;&lt;br /&gt;Additionally, the Cisco NAC router module (part # NME-NAC-K9) brings the capabilities of Cisco NAC Appliance Server to Cisco 2800 and 3800 Series Integrated Services Routers. This module spares network administrators from having to deploy NAC appliances across the board, and it helps consolidate administrative tasks into fewer boxes. &lt;br /&gt;&lt;br /&gt;Amazingly, this module is actually a 1 GHz Intel Celeron PC, with 512 MB RAM, 64 MB of Compact Flash, and an 80 GB SATA hard drive. All that fits onto a single 1  pound module that slides into a router and enforces your security policies. This module requires a 2800 or 3800 series router running IOS 12.4(11)T or later. &lt;br /&gt;&lt;br /&gt;Cisco NAC Appliance&lt;br /&gt;The single most popular piece of the Cisco NAC solution has been the Cisco NAC Appliance. As evident from the name itself, Cisco NAC Appliance is an appliance-based solution that offers fast deployment, policy management, and enforcement of security policies.&lt;br /&gt;&lt;br /&gt;With the Cisco NAC Appliance, you can opt for an in-band or out-of-band solution. The in-band solution is for smaller deployments. As your network grows into more of a campus environment, you may not be able to keep the in-band design. In that case, you can move to the out-of-band deployment scenario. &lt;br /&gt;&lt;br /&gt;Here are some advantages of the Cisco NAC Appliance:&lt;br /&gt;&lt;br /&gt;Identity: At the point of authentication, the Cisco NAC Appliance recognizes users, as well as their devices and their responsibility in the network. &lt;br /&gt;Compliance: Cisco NAC Appliance also takes into account whether machines are compliant with security policies or not. This includes enforcing operating system updates, antivirus definitions, firewall settings, and antispyware software definitions. 
&lt;br /&gt;Quarantine: If the machines attempting to gain access don't meet the policies of the network, the Cisco NAC Appliance can quarantine these machines and bring them into compliance (by applying patches or changing settings), before releasing them onto the network.&lt;br /&gt;For more information about the Cisco NAC Appliance, see the Cisco NAC Appliance datasheet.&lt;br /&gt;&lt;br /&gt;Cisco Secure Access Control Server (ACS)&lt;br /&gt;The Cisco ACS Server could be called the "brain" of the Cisco NAC solution. It is here that users' credentials are checked to see if they are valid, policies are sent back to be enforced, and activities are logged. The ACS server is called an AAA Server because it performs authentication, authorization, and accounting. &lt;br /&gt;&lt;br /&gt;This server runs on an existing Windows server in your organization and can use other existing databases in your organization to verify users' credentials. For example, most companies have ACS point toward their Windows Active Directory (AD) system to look up credentials. If those credentials are valid, then ACS can enforce network authorization policies on those users, with the help of the network hardware: NAC Appliance, Router NAC module, or ASA/PIX firewalls.&lt;br /&gt;&lt;br /&gt;Cisco Security Agent (CSA)&lt;br /&gt;Cisco CSA is a software client that is run on every machine in an organization. These clients talk to a centralized policy server. Together, these software applications know which software and activities on each PC in the organization are or are not "normal". The CSA agent may alert on or block certain activities that it sees as abnormal. 
&lt;br /&gt;&lt;br /&gt;When compared to anti-virus software that depends on definition updates to stay current, Cisco touts that the CSA never needs updating because it is constantly "learning" and monitoring activities, not definitions of viruses.&lt;br /&gt;&lt;br /&gt;For more information about the Cisco CSA solution, see the Cisco CSA datasheet.&lt;br /&gt;&lt;br /&gt;Cisco Trust Agent (CTA)&lt;br /&gt;You can think of the Cisco Trust Agent as the "NAC Client". The CTA runs on each PC in the organization. It talks to the NAC Appliance, for example, to tell it about the state of the device attempting to access the network. For example, the CTA reports the version of the OS, patch level, the AV definition level, the firewall status, and more. According to Cisco, the CTA "interrogates devices." You can obtain CTA free of charge from Cisco Systems.&lt;br /&gt;&lt;br /&gt;Cisco Works Security Information Management Solution (CW-SIMS)&lt;br /&gt;The Cisco Works Security Information Management Solution (CW-SIMS) is the centralized repository that all Cisco devices use for security logging and other information. According to Cisco, this application "integrates, correlates, and analyzes security event data from the enterprise network to improve visibility and provide actionable intelligence for strengthening an organization's security."&lt;br /&gt;&lt;br /&gt;With so many security devices in your network, one application has to try to correlate all the logs and security information that is generated. According to Cisco, here are the features that the CW-SIMS offers:&lt;br /&gt;&lt;br /&gt;Comprehensive Correlation: Statistical, rules-based, and vulnerability correlation of events as they happen, in real time, across all integrated Cisco network devices. &lt;br /&gt;Threat Visualization: See a visual status and generate reports of all the security events as they happen across your network. 
&lt;br /&gt;Incident Resolution Management: SIMS integrates with common helpdesk packages to track security events until resolution. &lt;br /&gt;Integrated Knowledge Base: SIMS can be a source of knowledge about security issues and how they are resolved. &lt;br /&gt;Real-Time Notification: SIMS can notify security admins, in real time, when events occur. &lt;br /&gt;For more information about the Cisco CW-SIMS solution, see the Cisco CW-SIMS datasheet.&lt;br /&gt;&lt;br /&gt;Cisco Security Monitoring, Analysis, and Response System (MARS) &lt;br /&gt;While MARS may seem similar to CW-SIMS, it is quite different. MARS actually understands the configuration and topology of your network. You can think of MARS as a "virtual security admin" for your network -- working while you sleep.&lt;br /&gt;&lt;br /&gt;MARS uses NetFlow data from Cisco routers to have a real-time understanding of network traffic. It knows what is considered normal and what is not; this is called behavioral analysis. With behavioral analysis, MARS can stop abnormal network traffic. MARS has over 150 audit compliance templates, and will make recommendations on how to remediate threats to your network. &lt;br /&gt;&lt;br /&gt;MARS is actually an appliance that you install on your network. This appliance comes in a variety of sizes and license levels based on the size of your network. Cisco Security MARS and Cisco Security Manager are part of the Cisco Security Management Suite.&lt;br /&gt;&lt;br /&gt;In summary&lt;br /&gt;To be a complete solution that can fulfill the Cisco Self-Defending Network framework, the hardware and software of Cisco's NAC solution must integrate well. With nine or more different pieces of hardware and software related to NAC, the challenge of acquiring (i.e., affording), learning to configure, deploying, and monitoring these solutions can be a large task for any organization. 
While having the centralized software applications like CW-SIMS and MARS can really bring it all together, those applications will take time, effort, and expertise to master. For this reason, I can relate to anyone who says that deploying a security solution is difficult. &lt;br /&gt;&lt;br /&gt;In this article, I've attempted to clarify the purpose of the different NAC security solutions offered by Cisco today; with this information, I hope that your quest for strong network security can be realized.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-6196170057811891721?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/6196170057811891721/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=6196170057811891721&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6196170057811891721'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/6196170057811891721'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/02/ciscos-nac-hardware-explained.html' title='Cisco&apos;s NAC hardware explained'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-7815968603422548543</id><published>2008-02-10T04:03:00.000-08:00</published><updated>2008-02-10T04:05:06.792-08:00</updated><title 
type='text'>Finding dependencies in SQL Server 2005</title><content type='html'>Any time you need to modify objects in your SQL Server 2005 database, the objects that are dependent upon those objects are a concern. You don’t want to remove columns from tables, or drop procedures, views, or tables, if there are objects dependent upon them that are being used.&lt;br /&gt;&lt;br /&gt;This tutorial will show how you can write a procedure that will look up all of the objects that are dependent upon other objects.&lt;br /&gt;&lt;br /&gt;How to write the procedure&lt;br /&gt;To start a dependency chain, I create a table and then create some objects that will depend upon that table. Below is a script to create my SalesHistory table and load some data into it:&lt;br /&gt;&lt;br /&gt;IF OBJECT_ID('SalesHistory')&gt;0     &lt;br /&gt; DROP TABLE SalesHistory;&lt;br /&gt; GO&lt;br /&gt; CREATE TABLE [dbo].[SalesHistory]&lt;br /&gt; (     &lt;br /&gt;         [SaleID] [int] IDENTITY(1,1) NOT NULL PRIMARY KEY,     &lt;br /&gt;         [Product] [char](150) NULL,     &lt;br /&gt;         [SaleDate] [datetime] NULL,     &lt;br /&gt;         [SalePrice] [money] NULL&lt;br /&gt; )&lt;br /&gt; GO    &lt;br /&gt;&lt;br /&gt; DECLARE @i SMALLINT&lt;br /&gt; SET @i = 1&lt;br /&gt; WHILE (@i &lt;=100)&lt;br /&gt; BEGIN                 &lt;br /&gt;       INSERT INTO SalesHistory              &lt;br /&gt;       (Product, SaleDate, SalePrice)                 &lt;br /&gt;       VALUES     &lt;br /&gt; ('Computer', DATEADD(mm, @i, '3/11/1919'), DATEPART(ms, GETDATE()) + (@i + 57))          &lt;br /&gt;&lt;br /&gt;       INSERT INTO SalesHistory               &lt;br /&gt;       (Product, SaleDate, SalePrice)     &lt;br /&gt;       VALUES            &lt;br /&gt; ('BigScreen', DATEADD(mm, @i, '3/11/1927'), DATEPART(ms, GETDATE()) + (@i + 13))                      &lt;br /&gt;&lt;br /&gt;       INSERT INTO SalesHistory                 &lt;br /&gt;       (Product, SaleDate, SalePrice)         &lt;br /&gt;       VALUES       
    &lt;br /&gt; ('PoolTable', DATEADD(mm, @i, '3/11/1908'), DATEPART(ms, GETDATE()) + (@i + 29))                      &lt;br /&gt;&lt;br /&gt;       SET @i = @i + 1    &lt;br /&gt;&lt;br /&gt; END&lt;br /&gt;&lt;br /&gt;I’ll create a couple of objects that are dependent upon the SalesHistory table. This view uses the DENSE_RANK ranking function to return the sales rank of each product based on when the product was entered into the table. This view is directly dependent upon the SalesHistory table.&lt;br /&gt;&lt;br /&gt;CREATE VIEW vw_SalesHistory&lt;br /&gt; AS&lt;br /&gt;        SELECT SaleRank = DENSE_RANK() OVER (PARTITION BY Product ORDER BY SaleID ASC), *&lt;br /&gt;         FROM SalesHistory&lt;br /&gt; GO&lt;br /&gt;&lt;br /&gt;The stored procedure returns the total sales for the Computer product group. This procedure uses the view that I just created, so it is dependent upon that view, which is dependent upon the SalesHistory table. In a sense, this creates a dependency chain.&lt;br /&gt;&lt;br /&gt;CREATE PROCEDURE usp_GetTotalComputerSales&lt;br /&gt; (&lt;br /&gt;         @TotalSales MONEY OUTPUT&lt;br /&gt; )&lt;br /&gt; AS&lt;br /&gt; BEGIN&lt;br /&gt;         SELECT @TotalSales = SUM(SalePrice)&lt;br /&gt;         FROM vw_SalesHistory&lt;br /&gt;         WHERE Product = 'Computer'&lt;br /&gt; END&lt;br /&gt; GO&lt;br /&gt;&lt;br /&gt;Here is the code to create the system stored procedure for finding object dependencies:&lt;br /&gt;&lt;br /&gt;USE master&lt;br /&gt; GO&lt;br /&gt; CREATE PROCEDURE sp_FindDependencies&lt;br /&gt; (&lt;br /&gt;         @ObjectName SYSNAME,&lt;br /&gt;         @ObjectType VARCHAR(5) = NULL&lt;br /&gt; )&lt;br /&gt; AS&lt;br /&gt; BEGIN&lt;br /&gt;     DECLARE @ObjectID AS BIGINT    &lt;br /&gt;&lt;br /&gt;         SELECT TOP(1) @ObjectID = object_id&lt;br /&gt;         FROM sys.objects&lt;br /&gt;         WHERE name = @ObjectName&lt;br /&gt;         AND type = ISNULL(@ObjectType, type)    &lt;br /&gt;&lt;br /&gt;     SET NOCOUNT ON ;    &lt;br /&gt;&lt;br /&gt;       WITH DependentObjectCTE 
 (DependentObjectID, DependentObjectName, ReferencedObjectName, ReferencedObjectID)&lt;br /&gt;         AS&lt;br /&gt;         (&lt;br /&gt;         SELECT DISTINCT&lt;br /&gt;                sd.object_id,&lt;br /&gt;                OBJECT_NAME(sd.object_id),&lt;br /&gt;                ReferencedObject = OBJECT_NAME(sd.referenced_major_id),&lt;br /&gt;                ReferencedObjectID = sd.referenced_major_id&lt;br /&gt;         FROM    &lt;br /&gt;                sys.sql_dependencies sd&lt;br /&gt;                JOIN sys.objects so ON sd.referenced_major_id = so.object_id&lt;br /&gt;         WHERE   &lt;br /&gt;                sd.referenced_major_id = @ObjectID&lt;br /&gt;         UNION ALL&lt;br /&gt;         SELECT&lt;br /&gt;                sd.object_id,&lt;br /&gt;                OBJECT_NAME(sd.object_id),&lt;br /&gt;                OBJECT_NAME(referenced_major_id),&lt;br /&gt;                object_id&lt;br /&gt;         FROM    &lt;br /&gt;                sys.sql_dependencies sd&lt;br /&gt;             JOIN DependentObjectCTE do ON sd.referenced_major_id = do.DependentObjectID       &lt;br /&gt;         WHERE&lt;br /&gt;                sd.referenced_major_id &lt;&gt; sd.object_id     &lt;br /&gt;         )&lt;br /&gt;         SELECT DISTINCT&lt;br /&gt;                DependentObjectName&lt;br /&gt;         FROM   &lt;br /&gt;                DependentObjectCTE c&lt;br /&gt; END&lt;br /&gt;&lt;br /&gt;This procedure uses a Common Table Expression (CTE) with recursion to walk down the dependency chain to get to all of the objects that are dependent on the object passed into the procedure. The main source of data is the system view sys.sql_dependencies, which contains dependency information for all of your objects in the database.&lt;br /&gt;&lt;br /&gt;Note: There are exceptions to this table. SQL Server 2005 will only place data into the sys.sql_dependencies view if it is able to do so when the object is created. 
If the database is not able to add a dependency, it will let you know at the time the object is created.&lt;br /&gt;&lt;br /&gt;I want to mark the stored procedure as a system stored procedure so I can call it for any object in any database.&lt;br /&gt;&lt;br /&gt;EXECUTE sp_ms_marksystemobject 'sp_FindDependencies'&lt;br /&gt;&lt;br /&gt;Now I can call my new system stored procedure to find any objects that are dependent upon the SalesHistory table that I just created.&lt;br /&gt;&lt;br /&gt;EXECUTE sp_FindDependencies 'SalesHistory'&lt;br /&gt;&lt;br /&gt;I get the results that I expect from the procedure. The following objects are returned:&lt;br /&gt;&lt;br /&gt;usp_GetTotalComputerSales&lt;br /&gt; vw_SalesHistory&lt;br /&gt;&lt;br /&gt;The view vw_SalesHistory is returned because it is directly dependent upon the SalesHistory table. The procedure usp_GetTotalComputerSales is returned because it is dependent upon the view vw_SalesHistory, which in turn is dependent upon the SalesHistory table.&lt;br /&gt;&lt;br /&gt;Use with caution&lt;br /&gt;The ability to view objects that are dependent upon other objects (e.g., views that use tables, procedures that use views) is useful when you need to alter or remove certain objects. 
Be extra careful when you modify objects that other objects may depend on.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/4862743471966254483-7815968603422548543?l=msproducts.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://msproducts.blogspot.com/feeds/7815968603422548543/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=4862743471966254483&amp;postID=7815968603422548543&amp;isPopup=true' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7815968603422548543'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4862743471966254483/posts/default/7815968603422548543'/><link rel='alternate' type='text/html' href='http://msproducts.blogspot.com/2008/02/finding-dependencies-in-sql-server-2005.html' title='Finding dependencies in SQL Server 2005'/><author><name>Anti-Google</name><uri>http://www.blogger.com/profile/06629536125021256016</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-4862743471966254483.post-919127870247642750</id><published>2008-01-01T04:42:00.001-08:00</published><updated>2008-01-01T04:59:59.077-08:00</updated><title type='text'>How do I... Install Windows Vista in a dual-boot configuration along with Windows XP?</title><content type='html'>Are you really excited about the prospect of experimenting with the new features in the Windows Vista operating system, but are not yet ready to give up your existing Windows XP installation? 
For instance, you may be on the fence because you're not 100 percent sure that all your existing hardware and software will work in Vista, and you still need them to get your work done. &lt;br /&gt;&lt;br /&gt;If so, then you may be the perfect candidate for a dual-boot configuration. With this type of configuration, you can easily experiment with Windows Vista and still use Windows XP. In other words, you get to have your cake and eat it too.&lt;br /&gt;&lt;br /&gt;In this article, I'll discuss some of the options you'll need to consider as you begin thinking about and planning for adding Windows Vista to your existing system in a dual-boot configuration. I’ll then walk you step by step through the entire procedure.&lt;br /&gt;&lt;br /&gt;The location options &lt;br /&gt;In order to install Windows Vista in a dual-boot configuration along with Windows XP, you need to have either a second partition on your existing hard disk or a second hard disk in your system. To give yourself enough room to experiment, you should have at least 20 GB and preferably 40 GB of space available on either the second partition or on the second hard disk.&lt;br /&gt;&lt;br /&gt;If you don't have enough available space on your existing hard disk for a second partition, then you'll need to connect a second hard disk to your system. If you do have enough available space on your existing hard disk for a second partition, then you'll need to obtain a partitioning software package. I recommend Symantec’s Norton PartitionMagic, only because I’ve used PartitionMagic for years. However, there are other partitioning software packages that I’ve heard are just as good, such as Acronis Disk Director or VCOM Partition Commander Professional.&lt;br /&gt;&lt;br /&gt;Of course, detailed instructions on connecting a second hard disk or partitioning your existing hard disk are beyond the scope of this article. 
However, in either case, the second hard disk or the second partition must be formatted with NTFS before you begin the installation operation. If you add a second partition to your existing hard disk via a partitioning software package, you will be able to format it as NTFS at the same time as you create the partition. If you're installing a second hard disk, the easiest way to format it as NTFS is from within Windows XP’s Disk Manager, which you can quickly access by pressing [Windows]+R to access the Run dialog box and typing diskmgmt.msc in the Open text box.&lt;br /&gt;&lt;br /&gt;The installation options&lt;br /&gt;You can approach the dual-boot installation operation in one of two ways -- by cold booting from the Windows Vista DVD or by inserting the Windows Vista DVD while Windows XP is running. As you can imagine, you'll encounter slightly different introductory screens depending on which approach you use, but once you get started, the operation is essentially the same. &lt;br /&gt;&lt;br /&gt;While both methods will produce the same result, I prefer the cold booting from the DVD method. The main reason is that you don't have to worry about any interference from antivirus/antispyware/firewall software on your existing Windows XP installation.&lt;br /&gt;&lt;br /&gt;Performing the installation&lt;br /&gt;Once you have your second partition or second hard disk operational, just insert your Windows Vista DVD, restart the system, and boot from the DVD. 
Once the system boots from the DVD, Windows Vista’s Setup will begin loading and will display the screen shown in Figure A.&lt;br /&gt;&lt;br /&gt;Figure A: &lt;br /&gt; &lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/R3o1kTw-BjI/AAAAAAAAAA0/1CjAmMm6qro/s1600-h/dual_boot_vista_1.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_YHquImSLBBI/R3o1kTw-BjI/AAAAAAAAAA0/1CjAmMm6qro/s400/dual_boot_vista_1.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5150488021748811314" /&gt;&lt;/a&gt;&lt;br /&gt;Windows Vista’s Setup will take a few moments to load files before the installation actually commences. &lt;br /&gt;&lt;br /&gt;In a few moments, you’ll see the screen that prompts you to choose the regional and language options, as shown in Figure B. As you can see, the default settings are for U.S. and English and if that’s you, you can just click Next to move on.&lt;br /&gt;&lt;br /&gt;Figure B: &lt;br /&gt;&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_YHquImSLBBI/R3o2GTw-BkI/AAAAAAAAAA8/152aKplkR9c/s1600-h/dual_boot_vista_2.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://4.bp.blogspot.com/_YHquImSLBBI/R3o2GTw-BkI/AAAAAAAAAA8/152aKplkR9c/s400/dual_boot_vista_2.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5150488605864363586" /&gt;&lt;/a&gt;&lt;br /&gt;The default settings on the regional and language screen are for the U.S. and English. &lt;br /&gt;&lt;br /&gt;On the next screen, you’ll be prompted to begin the installation procedure, as shown in Figure C. 
To begin, just click the Install Now button. &lt;br /&gt;&lt;br /&gt;Figure C: &lt;br /&gt; &lt;br /&gt;&lt;a href="http://3.bp.blogspot.com/_YHquImSLBBI/R3o2UDw-BlI/AAAAAAAAABE/OGKlabp0ACc/s1600-h/dual_boot_vista_3.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://3.bp.blogspot.com/_YHquImSLBBI/R3o2UDw-BlI/AAAAAAAAABE/OGKlabp0ACc/s400/dual_boot_vista_3.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5150488842087564882" /&gt;&lt;/a&gt; &lt;br /&gt;To get started, click the Install Now button.  &lt;br /&gt;&lt;br /&gt;In the next screen, you’ll be prompted to type in your product key for activation, as shown in Figure D. By default, the Automatically Activate Windows When I’m online check box is selected; however, you’ll notice that I’ve cleared it. The main reason that
