April 14th, 2007 at 10:44 pm
The SANS Internet Storm Center has been tracking a 0-day exploit out there compromising Windows DNS servers that are live on the Internet. I’d say this is a good reason to use Linux for such services, but that’s an argument for another day; there have certainly been DNS exploits on Linux DNS server software as well! But at Lakeview, we use an external service (in our case, DNS Made Easy) to host our DNS. They get to worry about it, fix it, keep the patches current…all we have to do is run our internal Windows Active Directory DNS services for our internal network, with recursive queries for outside domains. But our internal servers aren’t open to the internet. That way, as few ports as possible are open from the outside in. VPN and Exchange services (OWA, ActiveSync, HTTPS over RPC) are the only things open from the outside that I can think of off the top of my head (the fact that I’m not sure of all these means I need to double-check next week!), and those are published through our Microsoft ISA 2004 firewall, which inspects all this traffic to make sure it’s properly formed before letting it in, as another security measure.
We’re even protected from external SMTP exploits against our Exchange server, because we use DefenderSoft Email Threat Center (an MXLogic reseller) to accept our incoming (and outgoing, for that matter) email. Our Exchange server’s SMTP service can only accept connections from their email servers, and nowhere else, so it’s not truly open to exploit, since external servers can only get to us through them. This cuts down on spam as well (which could otherwise come through to our server, bypassing the spam filtering), which is a good side benefit.
If you don’t already keep your firewall locked down as tight as possible, keep your eye on the SANS ISC for a while. It’ll scare some sense into you :-)
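The SMTP restriction described above (only the filtering provider’s servers may connect to the Exchange SMTP service) is only as good as the firewall rule that enforces it, so it is worth checking the SMTP connection log for sources that reached the server directly. The following is an added example of mine, not code from the original post or from any vendor named here: the relay networks, the LAN networks and the log lines are constructed placeholders (documentation prefixes, not the provider’s real addresses), and the log layout is a simplified one that you would adapt to the real Exchange log format.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed placeholder for the filtering provider's outbound relay
# networks (IANA documentation prefixes, not the provider's real ranges).
# In practice, load the ranges the provider publishes for its relays.
ALLOWED_RELAYS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Assumption: hosts on the internal LAN may talk SMTP to the server
# (e.g. a copier that scans to email); these are not inbound Internet mail.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample SMTP connection log. Fields: date, time, client IP,
# client port, first SMTP verb. Simplified layout, not the real Exchange
# SMTP log format; adapt parse_line() to the real one.
SAMPLE_LOG = """\
2007-04-14 22:10:03 192.0.2.17 4125 HELO
2007-04-14 22:10:09 198.51.100.44 51002 EHLO
2007-04-14 22:11:41 203.0.113.9 3344 EHLO
2007-04-14 22:12:02 10.0.0.25 1099 EHLO
2007-04-14 22:13:55 garbage
"""


def _in_any(addr: ipaddress._BaseAddress, nets: Iterable) -> bool:
    """True if addr lies inside any network in nets."""
    return any(addr in net for net in nets)


def is_allowed_relay(ip: str, allowed: Iterable = ALLOWED_RELAYS) -> bool:
    """True if ip lies inside one of the provider's relay networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed address can never be an approved relay
    return _in_any(addr, allowed)


def parse_line(line: str):
    """Return (timestamp, ip) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) < 5:
        return None
    return (parts[0] + " " + parts[1], parts[2])


def find_bypass_connections(log_text: str,
                            allowed: Iterable = ALLOWED_RELAYS,
                            lan: Iterable = LAN_NETWORKS
                            ) -> Tuple[List[Tuple[str, str]], int]:
    """Return (suspect connections, count of unparsable lines).

    A connection is suspect when its source is neither one of the
    provider's relays nor a LAN host: mail that reached the server
    without passing through the filtering service, which means the
    ingress rule is not doing what the design assumes.
    """
    suspects: List[Tuple[str, str]] = []
    bad = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad += 1
            continue
        ts, ip = rec
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            bad += 1
            continue
        if _in_any(addr, allowed) or _in_any(addr, lan):
            continue
        suspects.append((ts, ip))
    return suspects, bad


if __name__ == "__main__":
    hits, unparsed = find_bypass_connections(SAMPLE_LOG)
    for ts, ip in hits:
        print(f"{ts} SMTP connection from {ip} bypassed the filtering service")
    print(f"{unparsed} unparsable line(s)")
```

Any hit from this check is a firewall or publishing-rule problem to fix first, and a reason to review what that source delivered while the gap existed.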
April 13th, 2007 at 4:24 pm
At the end of last month, I posted about locking down the public computers in our new youth lobby. I’ve found a new possible software solution that seems to be comparable to Faronics DeepFreeze in some respects, but may have some additional useful features. This one is from a company called Fortres Grand, and there are three different pieces of software that might be useful in some combination:
- Clean Slate: This appears to be comparable to Deep Freeze in its function, but from what I’ve read it gives you more flexibility about not having to lose all changes on reboot if you’re an administrator, rather than having to reboot to “unlock” the computer and then make changes that you want to keep. Fortres Grand also claims that Clean Slate will allow Windows Updates and anti-virus signatures to be updated while in a “locked-down” state, persisting across reboots.
- Fortres 101: Rather than allowing all changes and discarding most of them during a reboot, Fortres 101 instead locks down the computer from having certain items changed in the first place. This would appear to be a complement to Clean Slate above if run together, but I don’t see an indication of whether this is a supported configuration on their site. I can see the benefits to this where a user might change the wallpaper to something inappropriate; with Deep Freeze or Clean Slate it would be there until a restart, but with Fortres 101 it could be prevented in the first place.
- Time Limit Manager (TLM): Fortres is promoting this heavily to libraries on their product pages, but I can see how it might be useful to us as well. It would keep students from using the computers for an extended period of time, displaying a countdown and enforcing log off at a certain time. That may not be enough reason to purchase it in and of itself, but I do like the ability to remotely view screen captures of what users are currently doing, see which computers are actively in use, and even send messages to users if needed to warn them about certain content or behavior. I also like the usage history logs and the auto-shutoff at the end of the day. It also integrates with Clean Slate to clear all traces of the prior user when a user logs off! My concerns are that we’d need to buy a printer for the “reservation tickets” and also that the solution might be overkill for our current setup, although the clear-prior-user functionality integrated with Clean Slate may make it a worthwhile solution.
This is just my first impression of this company’s programs. They offer demo versions of all three, and when time allows I will likely grab them and try them out now that the computers for this purpose have arrived. I still need to unbox and set them up, which will likely happen next week at some point. Fortres also offers a Central Control product to control their Fortres 101 and Clean Slate software remotely, which looks promising but is also probably overkill for our environment. Unlike Deep Freeze, which must be the Enterprise version to support central management, this solution appears to be an add-on purchase that we could buy down the road when we expand.
Do any readers have any past experience with Fortres Grand software to share?
April 12th, 2007 at 2:01 pm
Tony Dye has an excellent post that is along the lines of my own posts here and here regarding hardware inventory. His wish list seems to communicate even better than my posts what I’d like from the inventory side of things, but I still want a helpdesk to be integrated into the same system. Some of the software I’ve looked at, including Spiceworks which I’m currently re-testing since they released their Helpdesk feature (and the ability to add non-discovered devices manually), will do some of this already. Most of the software I’ve seen will do a lot, but Tony hit on some killer features that I haven’t seen. Maybe I’ve missed them, maybe I haven’t found the software and it does exist, or maybe it doesn’t exist.
One thing I’d like to see is the physical tracking to go along with the network tracking. What network port (assuming managed switches that the software knows about and can talk to) is connected to what wall outlet (obviously this match has to be input manually)? What are the MAC addresses (and from that, the rest of the inventory information) of the attached device(s), or is the port even active? What physical office is a machine associated with, at least primarily? (Laptops may roam, but most laptop users have an office they’re usually in.) What user?
Tony also brings up searching and historical information. Searching is the key here I think; if I want to know (to use Tony’s example) how much memory Bob Jones has on his machine, I want to locate this information without having to first find Bob’s machine, look it up, and then find the specs. I want to search for “‘Bob Jones’ RAM” and have the system know that obviously I’m talking about his machine, not the person. That’s an easy context, but add enough “easy” things and maybe some harder ones, and the software becomes a lot more user-friendly.
Same goes for the historical information: being able to track a machine from one office to another, from one user to another, or even tracking when RAM was added to a particular system would be helpful! Or when Windows was reinstalled, or other software added or removed. Or how about a history of what network ports a machine has been plugged into?
When we get new equipment, how about a New Equipment Wizard that lets us add basic info (office assignment, user assignment, MAC address, serial number, date of purchase, name of person who initially configured it, maybe more) and then, once it’s on the network (assuming it’s a network device, I’d like this for printers and other equipment that IT uses but may not be on the network) the software would see its MAC address, notice we’d already added it, and tie in scan results with the manually entered data. Having this pre-deployment wizard would help make sure a routine was followed of recording all of this information rather than having it tracked down later, if ever.
I see a lot of good things in Spiceworks, and that’s just because that’s what I’m playing with now. I’ve seen some other good information out there as well. There are plenty of features above that I haven’t seen in any of the limited number of software choices I’ve seen. And the ones that have more than others don’t seem to integrate everything or make it as easy to use as I’d like. Ease of use and cost are the two biggest factors. Spiceworks is free, supported by Google ads. That’s okay with me, the ads are unobtrusive and with my current budget (or any budget, really), free is as good as it gets :-) Regardless of the cost, I just want the kitchen sink (as described above) to come with it.
April 12th, 2007 at 12:45 pm
Next week is the second Church IT Roundtable in Houston, TX. Unfortunately, for a variety of reasons I’m unable to attend this one, but I guess that just means that while all the other Church IT bloggers are hanging out in person, I get to TAKE OVER THE CHURCH IT BLOGOSPHERE! For a few days, anyway. What am I going to do with all this temporary concentrated power? I have no idea. I’ll make sure to use it for good, and not evil. It could even get taken away should the Roundtable attendees manage to pull themselves away from the other humans around them long enough to post updates to their blogs. Which is actually likely, considering these people are IT folks! And I hear wi-fi will be available during most of the Roundtable.
And, come to think of it, the first part of next week is going to be busy with some new house design selections, plus some time off after our new building Grand Opening and Dedication services this Sunday!
We’ll see.
April 9th, 2007 at 12:54 am
I’ve been looking for a good hardware inventory and helpdesk ticket solution. I got two suggestions, OCSInventory and ManageEngine OpManager. I also found a post by Jason Powell about switching to ManageEngine Service Desk Plus. I have a huge amount of respect for Jason and his team, so I’ve tried out the free trial of Service Desk Plus. Here are my thoughts so far after trying some, but not all, solutions:
Service Desk Plus is actually excellent! The free version only allows one administrator and 25 network devices to be tracked for inventory and ticket purposes. However, running with my desktop as the server, it was a bit on the slow side as far as responsiveness. I would need to test that it ran faster on a server, and also have that server available. I also think that while we may grow into it, it might be a bit too complex and high-end for our needs right now.
Most of the features really need multiple administrative users to take advantage of the full power, even if those users are just volunteers for us right now. I like the help desk with the user-created ticket submission interfaces via web or email. The ability to link logins to Active Directory, have a dedicated, fully-tracked helpdesk email conversation is awesome, along with the option to link requests with the hardware assigned to the submitting user (their workstation or laptop, for example) makes this a top-notch operation in my book. I also really like the software license and support agreement tracker, and the purchase order creation and generation tools for working with vendors! But the limited inventory items makes this hardware tie-in useless for our network in the free version. And free is all the money I have to spend at the moment. Plus the time required to enter details for our existing agreements and hardware we buy to create quotes is more than I have time for right now. Maybe down the road.
OpManager, also from ManageEngine, I haven’t tried yet, but it appears to either connect to or overlap some Service Desk functionality, and is limited to 20 nodes in the free version, also too few to be useful.
I have not tried OCSInventory yet, but I intend to when I find the time. I’ll report back then. I realize that an integrated helpdesk is a real key here, and I need to find out if OCSInventory does this–from my last visit to their site they may integrate with another package, but I’ll have to do some more research.
Currently, I’m trying out Spiceworks. Again. I’ve been using Spiceworks since it was early Beta months ago, and I was impressed with a lot of what it did at the time, but it has been improving, and in its most recent incarnation has also added a helpdesk, more limited than Service Desk Plus to be sure, but a helpdesk nonetheless. Or at least a ticket system. Mark Bailey even mentioned Spiceworks with OpManager in his comment on my original post. I’ve had mixed results with Spiceworks; at Lakeview I haven’t really had any WMI issues with scanning the network, including Windows machines. On the other network I work on one day a week, I can’t get any of the Windows machines on the domain to work with WMI scanning, after extensive troubleshooting and some posts in the Spiceworks forums trying to resolve the issue. I ran out of time and haven’t revisited it at that office.
But the new helpdesk features are simple, user-friendly, and do support email tickets. I don’t know if it tracks full email conversations, but my guess is not yet. It ties tickets to specific hardware, which is great, but I don’t see a huge focus on helpdesk statistics over time (unless I’m missing it), and it looks like most tickets are meant to be opened by the technician directly, after a problem is reported or discovered. No web-based submission interface for users. For a one-man shop, this might work fine. I’m trying it out now, and we’ll see how fruitful it becomes. It does now support multiple technicians, and each tech can claim tickets that they are working on, and save public and/or private responses (does public mean it’s emailed to the owner of the affected equipment? I don’t know, I haven’t had time to play in enough detail yet). The newest version of Spiceworks also allows manual entry of assets that aren’t on the network or aren’t found via scanning, one of my prior complaints!
The search continues. But my original post on this topic is my top result people find on search engines, so it appears to be a popular topic others are working to solve. Anything I’ve missed? Are you successfully using these or better tools? Should I stay away from anything other than Track-It, which Jason has already warned me away from? Do Excel spreadsheets work fine for you and you wonder why this is so important, anyway? :-) Just wait ’til I start talking about network mapping and documentation!! It’s coming…
April 7th, 2007 at 12:18 pm
I haven’t written a personal post yet, so if you’ve followed this blog, you probably think I’m going to talk about “building God’s house” or something church related. Actually, I haven’t talked about religion either — I created this blog to talk about technology, and I plan to stick to that. Mostly. From what I’ve read, blogging about personal details helps you to connect to readers and keep them reading. But really, I’m just excited!
Last night, my wife and I signed the paperwork to build a new house! We’ve been looking at houses for several months, but when we looked in a community recently at a couple of houses, we stopped by the sales office and discovered that for the same price as some of the homes in the community that were already built, we could build a bigger home the way we wanted it! This is because they were running a spring special to kick off the sales season. We liked the model, which was of exactly the house we could afford, so much that we went back yesterday (Monday was our initial visit) and signed the deal! Around six months from now we should have a new house! We know we’ll get the mortgage, we already have an approval from when we were searching and bid on a HUD house at one point. We’ll use the builder’s mortgage company because they give us 6 points for doing so (for upgrades/closing costs/etc.), and we can use the extra boost.
Gotta run, busy Saturday! But I’m excited!
April 7th, 2007 at 11:09 am
Jason and his team have been having some trouble with their network and phantom traffic. There’s a good discussion going on about various networking products, including some ups and downs with 3Com switches among others. I was going to comment over there, but I’ve been meaning to post about our network infrastructure anyway.
When I was looking for switches and wireless in the Sept-Oct timeframe last year, I was strongly advised to stay away from 3Com switches from a quality perspective by a friend or two with experience in some high-end consulting firms. Of course everyone likes Cisco, esp. the consultants that work with it all the time and know it inside and out, but what attracted me to HP ProCurve was that for the price, we’d get plenty of commercial-grade features with a lifetime warranty (with next business day replacement) and software upgrades included in the initial price. I also liked that the 2524 model switch (which we already had two of from a year or two ago to support the fiber line connecting the two ends of our building together) was selected to go to the International Space Station as the first true Fast Ethernet switch approved to go there, after being tested for reliability with particle accelerators and stuff along with Cisco and other switches. No, it wasn’t the primary deciding factor, but it was cool :-)
We have had one failure so far; the Wireless EDGE Controller in our 5300xl switch, the brains of our wireless network, failed on a Friday a couple of months ago. I called for support, sent them the switch logs showing the module wasn’t recognized, and on Monday I had a new one waiting when I got to the office, which I popped in and was back up and running! (We would have been up faster if I’d backed up the wireless module’s config :-) This Wireless module is basically a mini computer; you can see the processor and memory stick and all that good stuff on it when it’s not in the switch, so I can see how it might be open to failure, but it still has a lifetime warranty. And, if you want to buy a backup, it will fail over to the backup controller if the primary dies.
The ProCurve switches themselves have been rock-solid, and I like the four configuration options (CLI (SSH, telnet, or console), a menu in the CLI for common options, a nice web-based interface with Java (works in Firefox just fine), and of course SNMP). However, we did get two of the 1800 series switches due to needing gigabit in three locations outside of the network closets (Visual Arts/Communications Studio, The Shire (our sound studio), and the sanctuary control booth). Two 8-ports and one 24-port from that line. I haven’t had any issues with them yet, but they are configured in an entirely different way than their other managed switches. It’s all web-based, no SNMP or CLI support, and the web interface is significantly different. I am impressed by the variety of options for a gigabit switch this low-cost, especially since it is manageable and still has the same warranty. It doesn’t fit as well with the network management/monitoring tools though. I can’t recall, but it may have read-only SNMP so it isn’t completely invisible from that angle.
I’ll post again about the rest of our network and how it’s set up. I will mention that we’re trying to color code our network closet cables. Yellow for 10/100 links, green for gigabit links at this point, with red for “special” links (to the internet router, etc.). Most gigabit links are also uplinks between the switches, so it works well from that angle as well.
I’m learning switch management as I go, as these switches are the first managed switches I’ve been exposed to (our network was completely flat with all unmanaged switches until the two 2524 units came along!), and it’s quite a learning experience!
April 3rd, 2007 at 11:16 pm
Today (Tue) I drove up to Granger, IN with my family to hang out with Jason Powell, Ed Buford, and Kyle Sagarsee at Granger Community Church for the afternoon! We had a blast, I learned a ton of stuff and got to see their digs first hand. Jason and the gang are one of the friendliest bunches of geeks you could want to meet, and they have some cool toys to play with. Their level of technical excellence is a step above where I want to be at Lakeview, even though they don’t have everything figured out either (who does?).
Tomorrow, a friend (and Lakeview volunteer) and I are going to the Network World LIVE Conference in Chicago, IL. We’re both staying at a nearby hotel in Chicago tonight with our families. This has been planned for a while, but the trip to Granger was an added bonus that struck me as a good on-the-way stop. The conference will have to be pretty good to equal the benefit and experience of visiting GCC; I’m not holding my breath. It sounds very good, but visiting with other church IT folks seems to be extra special compared to “general” IT, not to knock them of course. Geeks are geeks to some extent!
Gotta get to bed ASAP now so I can make it to the conference…it’s 7:30 am to after 6 pm, so it should be a long day!
April 1st, 2007 at 12:10 pm
(For current known solutions to this problem, see the Updates below! Thanks for visiting and making this my most popular post ever, even over a year later!)
If you’re running Outlook 2007, you’ve likely noticed that you can’t preview PDF files sent to you as attachments, while you can preview most images and Office documents. Fortunately, Ryan Gregg, someone who works on the Outlook team at Microsoft, has released an add-in on his blog to let you preview those PDFs! It uses Adobe’s Reader ActiveX control, so it’s genuine Adobe doing the previewing. I’ve installed this and it seems to work well; I get quotes from our primary supplier as PDF attachments all the time and this will come in very handy indeed. I installed the add-in while Outlook 2007 was still running and was able to preview a PDF attachment as soon as the install completed, no restarts. YMMV.
Update in August 2007: Adobe Reader 8.1 has PDF Previewing built-in, so Ryan Gregg has pulled the add-in down off his site.
Update in April 2008: This post is still very popular, so here’s an update: If you don’t want to install Adobe Reader 8.1 to get Outlook 2007 PDF Preview support, there is also the free Foxit PDF Preview Handler which uses the very lightweight and fast Foxit Reader software to preview PDFs in Outlook 2007. The original version is for Office on Windows Vista only, but last month the author wrote a Foxit Preview version for Windows XP as well! I use the Foxit Previewer myself as well as the full Foxit Reader for reading PDF files, and I am able to keep Adobe Reader from being installed on my two main computers! Foxit opens much faster than Adobe Reader in my experience, and has caused much fewer browser crashes as well! Thanks to Jason Powell for his excellent writeup and pointer to the Foxit Previewer, I may have gotten my original link to it from him (not sure right now).
March 29th, 2007 at 2:48 pm
You may know that Microsoft offered a free or discounted upgrade to Windows Vista for computers purchased between October 26th, 2006 and March 15, 2007. The exact terms were set by each manufacturer for each of their systems sold with Windows XP, with different Vista versions available based on whether you got Windows XP Home or Professional. We purchased two computers at Lakeview and two computers at the other office I work at, all four Lenovo machines, and I tried this week to request the free Vista update based on the procedure posted by Lenovo. The Lenovo page is very clear and I have no problems with their site. The rebate request page, however, is provided by Moduslink, who appears to do the Vista Express fulfillment for Microsoft. Hang on for the ride, this is a bit long, or bail out now if you’re short on time.
I don’t know who Moduslink is, but Microsoft made an extremely poor choice of partners to work with for this project. Their website has to refresh after each form field selection. After typing in my two model numbers, COA (Certificate of Authenticity) numbers, dates of purchase, etc. for my other office two days ago, putting in shipping and billing addresses, and the credit card information (for the almost $12 shipping charges), rather than a confirmation page I receive an error saying, “An unrecoverable error has occurred, please try again later.” This wasn’t a one-time event, either, I re-typed all the pages in the multi-step process again, just to receive the same message. How about a descriptive error message if you must display one? They keep adding insult to injury here, and it’s taken at least 15 minutes of my time if not more, including gathering all the needed information together. But it gets worse.
I email their customer service after trying to find a phone number for five minutes, unsuccessfully. I explain in detail the steps I took, as above, with the error message. I even thank them in advance for their help. Their reply that evening, which I receive the next day: “Thank you for your interest in the Upgrade Redemption Program. We are unable to process the credit card used for your order. Please contact us at (800) 817-5602 or (801) 431-1504 to resolve the issue.” Finally! A phone number! I call the toll-free one (do they think I’m going to pay long distance given the option?) and try the menu option that sounds like what I’m trying to do (redeem the Vista Upgrade or some such). After a long-winded message that basically consisted of them saying “visit our website to do this” over and over ad nauseam, they politely told me I could have the message repeated (“press 0”), or they’d helpfully hang up. I try again. Different menu option, same result. Quite a waste of time, no human still. Third time I try yet a different option, which has another long-winded message but finally says, “if you need further help, press 8,” at which point I proceeded to hurt my finger pressing eight so hard and fast (not really, but I thought that would sound good).
After an impressively short time on hold, I was able to speak with a woman without an Indian accent. But still located in some other foreign country with English as a second language. After telling her my problem (twice), she wanted me to give her the information so she could try it. Whatever. She proceeded to ask me for the information for each form field, and I could picture her typing it into the same website because it was in the same order and everything. Only it took about 20 minutes for me to spell out Every. Single. Word. I know my last name’s a bit tough, but how many stinking times do I (and she) have to spell “Indianapolis” phonetically only for her to discover that she’d typed ID instead of IN in the state field to cause the error?
Result? Same as mine. I was so shocked I had a heart attack. Or maybe that was from having to sit still through this phone call rather than being up and about getting some exercise to keep my heart strong. (Ha! If you believe I would have been exercising if I hadn’t had to be on the phone, you don’t know me too well! I sit at the computer, too!) After recovering from my “shock” I heard her saying something about writing down my information to submit manually, and that someone would call me for my billing information (credit card number) later. I left my cell phone rather than office phone for this purpose, and was finally done with that ridiculous phone call. But have I heard back from anyone yet? Nope. If I do get a call back, I might end up with a real heart attack from the surprise. But I’ve done my part, and they’d better send me the upgrade at some point, because I submitted my rebate before the March 31st deadline. The only problem might be contacting them to make sure they keep up their end of the bargain.
Fortunately, I did the two Lakeview rebate submissions today, and besides the user interface on the submission site still better fit for website purgatory than human use, it did give me a confirmation page and ask me to mail or fax my receipts to confirm the upgrade, which I have no problem with. At least writing this rant has helped a bit, emotionally if not in substance. And I’m not in a hurry for the upgrades, I just want them to save money when we eventually go to Vista, which is not for a while!