David Szpunar: Owner, Servant 42 and Servant Voice

David's Church Information Technology

March 23rd, 2007 at 2:56 pm

Public Computer Lockdown Options

We are placing four computers in our new youth facility for web browsing, homework help, etc., and I’m looking at options for securing the computers.  The software I know of (but have never used) is called Faronics DeepFreeze.  I thought I heard about a better alternative to this software on the Casting From the Server Room podcast last Fall, but I can’t seem to locate that information.  I’m not sure if this is even the best way to lock down the systems.  I’ve considered lock-down via Group Policy, which I’ve done before and may still do to limit actual actions on the computer, but it’s not foolproof and it takes a lot of detail to lock down “just enough” but not “too much.”  And I don’t necessarily want these systems joined to the domain, either.

Any options anyone has successfully used to implement this functionality?  Anything I should be aware of or stay away from?  I’ve considered using thin clients and a terminal server, but I don’t have the time to research cost comparisons (computer and support cost vs. server cost…I may be getting some thin clients for free soon and if so, I have plenty of other uses for them anyway) and such (will audio work, will all possible future applications run in Terminal Services, and so on).  I’m probably going to grab some off-lease IBM NetVista machines for about $275 and add some RAM.

March 19th, 2007 at 11:21 am

Nursery Checkin Moving This Week

Well, this week I’m moving our Parent Pager Plus nursery check-in system to its location in our new building, to be up and running by Sunday.  We have six stations moving about half the distance across our building.  Each station is currently on a 4′ long folding table, with the computer, network switch, and battery backup underneath, and printer, label printer, proximity card reader, touch-screen monitor, and mouse/keyboard on top.  The table is covered by custom made tablecloths that hang down just to the floor (my mom made them…go mom!) and the last two times we’ve had to move the stations, it took a long time to re-straighten all the cables, organize them with cable ties, and do everything needed to get them back to their near-perfect state of existence (granted, they stay that way for less than a week until they’re actually used, but they’re better than they would be otherwise).  Ought to be fun this time.  And by fun, I mean, “I’d rather be writing a blog entry, so that’s why you’re reading this.”  Yes, the sarcasm’s so thick it’s palpable sometimes.  Now, what else on my to-do list have I been putting off for a while just for today…?  (Well, I’ll have to take a break for our Senior Pastor’s office birthday party this afternoon!)

March 16th, 2007 at 12:17 pm

Hardware Inventory and/or System History and Tickets

I have a problem. Hardware hasn’t really been tracked here before, and I’d like to start doing that. At least at the level of desktop and/or LCD monitor, the two most costly and most likely to be “lost” items. I’ve never really found a solution for this that I like. For one, I like free, and I haven’t found a free option. I’ve tried Spiceworks, which is an excellent program, but I’ve run into enough issues with getting all machines entered in and tracking exceptions manually that it’s not a total solution. I’ve started making notes about new systems in an encrypted OneNote 2007 notebook, which does keep track of information well and is a good memory jog, but unless I create some templates (which are easy to create in OneNote), the information fields will vary, and it doesn’t fit the idea of a centralized store that I would prefer, although right now it’s just me. We’re working on our IT volunteer program, though, and I’d like whatever ends up being the final solution to scale well and function as a central repository. Trouble ticket tracking would be a good bonus, or at least a “system history” where a log of changes or issues encountered on each system can be centrally stored and associated with the system and/or user.

I’ve considered a Wiki, which is still an option, but apart from OneNote not being web-based or multi-user accessible, I like OneNote’s UI better, and the two seem similar otherwise. Did I mention easy-to-use and flexible is my number one requirement?

I’m still without a good, long-term solution.

March 10th, 2007 at 11:01 pm

VisiWave Wireless Site Survey

We just put in a new core network with all-new switches, along with an extensive wireless network, as part of our new building addition program. In order to determine the best locations to place wireless access points (13 total), we needed to do a site survey. I researched several software tools, and most of them were expensive to the point of being out of our price range ($1500 or more in general). Eventually, I found a relatively new piece of software called VisiWave that fit the bill perfectly, and was inexpensive enough for our budget: $549 minus a 20% non-profit discount (contact them and ask for the discount code). It also integrates with the Wi-Spy spectrum analyzer (I didn’t find it through Jason Powell, but he has two good posts I found recently about it: Part 1 and Part 2) if you purchase it, to map channel interference as well as its primary job of mapping existing access point strengths/weaknesses.

VisiWave is easy to use, even without the Pro version (the SO version, for Software Only, is the one we purchased, and is significantly less expensive). You need a floor plan of some sort for your facility (whatever area you’re going to survey). Import this into the survey half of the VisiWave software (the other half is a separate reporting application for creating a report from the data collected by the collection tool), and then walk around your facility clicking at key spots where you’re located on the map on the laptop you’re carrying with you (a Pocket PC is an option as well, but we used a laptop). A time-saving feature lets you switch to a mode where you can click on your current location, walk at a steady pace in a straight line, and click your ending location, and it will distribute the data points collected evenly over the line you walked. It sounds simple, but it saved me a lot of time! The VisiWave website has good instructions and example reports.

I’ll post more examples of the survey report and such in the future (our initial survey was last October), but this has proved to be a very useful tool that we can use over and over again, rather than hiring someone to do a site survey once. I did the survey before placing new access points, but I haven’t had time to re-survey since we installed the new APs, and there are four I haven’t installed yet. We do have very good coverage based on the 9 that I have installed based on the original survey already, however! I’m looking forward to the final survey and report, and to fine-tuning based on those results. Our grand opening is the week after Easter next month. I may or may not have the public internet stuff set up by then (using a Nomadix AG 3000), but the equipment will be there for when I figure out the software and the filtering solution to use, so it should be ready shortly thereafter.

March 7th, 2007 at 11:18 am

Appreciation: Feels Good!

in: People

I’m contracted out to another office one day a week to work on their computers like I do at Lakeview. Usually I’m there on Thursdays, but this week it was today, Wednesday. As an IT guy, I’m used to hearing from people when things don’t work. I’ll get compliments on how well I’m doing after I’ve just fixed a problem (even general comments, not just about that problem) from people at both offices, but like sound guys and video guys, “if it’s going well, you’re doing your job.” Comes with the territory; how often do you think about things you don’t even notice usually? I’m fortunate to have bosses/managers/leaders that do notice what I do and are extremely understanding and satisfied and do vocalize their appreciation often, but it doesn’t always happen at the user level on a regular basis.

This morning, however, one of the people that works in this office stopped by my desk and said something to the effect of, “David, it’s been great ever since you started working here, I haven’t had any problems connecting to the server or getting to my stuff, it’s been great! We’re glad to have you here!” I must say, it’s good to be appreciated!

I think a large part of succeeding in a job involving technical support of end-users (or anyone, really) is not only being able to communicate at a technical level that they understand without using jargon (or explaining simpler jargon sometimes if it’s common and worth teaching for the future), but being responsive, positive, and helpful without being condescending. It’s the attitude, almost more than the act of fixing a problem (not that that isn’t important!), that gives people the positive experience and satisfaction with the service, whether they voice it or not. If they don’t voice it, that’s just fine; if they were unhappy they would certainly be voicing that, so silence is golden. But expressed appreciation: that’s platinum!

March 6th, 2007 at 12:27 am

Traditional VPNs: Not Just All-or-Nothing Access

Most people think that when they use traditional VPN technologies, such as PPTP, L2TP, and/or IPSec, that they are opening their network to a full, unfiltered connection from a computer, which is especially bad for a home computer, with unknown anti-virus and anti-spyware status, connected to a work network. This is true. However, with a Microsoft ISA 2004 firewall (ISA 2006 likely supports this from everything I’ve read about it, I just haven’t tested it myself), which can terminate PPTP and L2TP VPN connections, VPN users are on a separate network controlled by the standard ISA firewall rules. You can set up user groups within ISA and assign certain groups of users certain network permissions, with the same granularity as firewall rules for another network segment, including the Internet.

This means users can connect using the standard Microsoft VPN clients, but they can only do what you allow via firewall rules. A network administrator could have full network access if needed, while users connecting to Terminal Services could be allowed to connect using only Remote Desktop (TCP port 3389), and only to the terminal server, based on their user name.

This is great! [sarcasm]It’s so great that we’ve started using LogMeIn services for some of our remote access.[/sarcasm] Why? Well, configuring both the VPN connectoid (even with the CMAK) and Remote Desktop, not to mention actually using them, can be a bit of a chore for some users, especially if they’re setting it up at home where it’s harder to walk them through it. LogMeIn, on the other hand, has an excellent, web-based interface, very compatible remote control, and some easy options like remote printing and file transfer that are harder to set up with plain-vanilla VPN. LogMeIn has a free version, without file transfer or remote printing, which is excellent for providing basic remote support to people like family (I should know, that’s how I use it!), or connecting to your home computer remotely (yep, I do that, too). The Pro version is normally almost $13/month per remotely-controlled PC, which is a bit pricey. They have a special going on right now, however (unknown end date), where you get 5 computers for $20/month (or more at the same price, if needed) that makes it much more attractive, and I’ve switched our two heaviest non-Terminal Services users over (it wouldn’t work for Terminal Services because of the multiple sessions issue), plus myself.

They also offer a service called LogMeIn IT Reach, for the same price (and special price) as the LogMeIn Pro service, but it is targeted towards IT users managing servers remotely. The web interface to logs, shares, users, performance stats, and more is excellent! Better in some cases than the built-in Windows tools, in my opinion. And the price, at the moment, is excellent and worth every penny, if you need more than the basic features. Just a happy customer.

March 5th, 2007 at 5:04 pm

Office 2007: Good but SLOW

in: Software

I’ve installed Microsoft Office 2007 on my personal laptop and desktop, because I get it for free as a student at the college where I’m taking classes. It’s taking me a little while to get used to some of the new stuff, especially the Ribbon, and I’ve had a few times where I know what I want to do but it takes me a while to figure it out. When I do, however, I’ve been impressed with how much easier it is to accomplish my goal. Many common settings are simply drop-down options on the ribbon, and they had to be manually configured from a properties screen before. I’ve primarily used Word, Excel, and Outlook so far. Oh yeah, and OneNote, which has become my nearly constant companion, keeping track of meeting notes and agendas, notes at home and for school, and basically as a replacement for post-it notes and one-off Word or Notepad files in general. I love OneNote’s free-form composition, easy shortcuts, and flexibility. Outlook 2007 has also been useful, I like some of the reminder differences, the new way of color-coding categories, reminders from multiple folders, and a few other things that I like, but won’t be able to take full advantage of until my work desktop is also running Outlook 2007.

My one complaint? Office 2007 is S-L-O-W. My laptop is a Centrino Duo 2.0 GHz machine with 1 GB of RAM (running XP Pro). Opening OneNote, Word, and Outlook 2007 along with Firefox and Thunderbird works, but it takes a while to get them all open. Or if all of that except for Word is running, and I open Word, it takes a while to get there. Office 2003, on the other hand, pops up and down very quickly for the most part. 2003 has its moments, to be sure, but 2007 is just consistently slow to get going, and sometimes slow to catch up. And it’s not just because I occasionally have over 100 tabs open in Firefox, either! (I try not to do that too often :-)

We likely won’t be deploying Office 2007 here at Lakeview for at least a year (Vista has at least a similar timeline). I’d hate to see how it will run on machines less capable than my laptop and home desktop, and there’s just no need for the added features right now, not to mention the training required to get everyone up to speed on the Ribbon interface. The one exception may be OneNote, which I can see purchasing individual licenses of (non-profit pricing is pretty good remembering back to some OneNote 2003 purchases made a while back) for a few people that take a lot of meeting notes. The ability to share workbooks and work on them collectively with all the synchronization happening automatically is powerful, especially when done as simply as OneNote makes it.

March 3rd, 2007 at 11:55 pm

WordPress 2.1.1 Dangerous, upgrade!

The official WordPress development blog is reporting that WordPress version 2.1.1 was compromised by a malicious hacker and anyone who downloaded that version in the past several days needs to upgrade immediately to version 2.1.2. Many more details at that link; I checked the two files they mentioned (feed.php and theme.php in the wp-includes folder) and I got one of the infected versions! If you do a “diff” and compare an infected file with one from the 2.1.2 download, the infected line becomes obvious. The vulnerability, as far as I can tell, allows an attacker to easily execute any command on the system that’s allowed by the user PHP is running as by using a specially (but easily) crafted query string. Don’t try it on me, I just patched :-) The new version fixed a bug I was getting in the administration area where I couldn’t add new categories on the fly while writing a post, which is a nice added bonus.

Thanks to a post from security blogger Martin McKeay that was my first warning!

March 2nd, 2007 at 12:51 am

DHCP Security?

Trace Pupke wonders about using DHCP or Static IPs on his network, especially in regards to DHCP security. We use DHCP, and I wouldn’t think about trying to manage static IPs; it would be a nightmare. Eventually my plan is to use the new HP ProCurve switches we just got (more coming about those sometime soon) to enforce either MAC-based port security, especially in publicly-accessible network ports, or to go all out and use 802.1x authentication just like I’ve partially implemented already on our wireless network so that only authorized users could connect to the port. Or even better, allow anyone to connect to the public network on a port, and if they authenticated with 802.1x as a staff member, give them staff level access instead. I know the switches we have now will do this, it’s just a bit complex to get set up, and more so to make sure it’s reliable enough for real use, and that all clients are configured properly.

However, one thing that can be done easily if you are running DHCP on a Windows Server is to use DHCP User Classes set via a login script to only hand out valid IPs to computers that have been set correctly with the login script. This method could be worked around by someone who knew what to look for on an authorized computer (they could just examine the login script, in fact) and copied it on their own system, but it would keep casual users from having a usable IP address handed to them on a silver platter. If users are not local administrators, they would be unable to modify their domain-connected workstations and would be limited to the settings provided by the login script.

There used to be an excellent tutorial from an episode of the Casting from the Server Room podcast on their show notes wiki for that week showing how to set up a DHCP server and client with user classes, but they’ve had some issues with their ServerRoomWiki.com site and it’s currently down as I write this; I know they had to restore from a backup recently and I’m not sure if this is coming back or not. I did find some other references via the Google search in my last paragraph, including this (okay), this (better), or this (best of what I looked at).

There are a few technical steps to the setup of course, but it comes down to handing out bogus, or no, IP information by default unless a computer has a particular DHCP User Class set, which is configured via login and logout scripts so valid users, when they log in, are assigned a valid User Class and thus get the correct information from the DHCP server. Security goes only as far as either forcing people to know what static IP range to use if they want an IP, or they could sniff the network (harder but doable with a switched network) for DHCP packets and look at the User Class that is being transmitted. Nothing like MAC-based access controls at the switch port level, 802.1x security with multiple VLANs, or an air gap, but it might make the difference if you’re just choosing between static IPs and DHCP on a “trusted” network.

Another option, which could work alone or concurrently with DHCP User Classes, would be to use reservations for all DHCP clients. Then you would know what valid IPs were assigned and which were invalid because they didn’t have a reservation (or non-reserved IPs are excluded from the scope so the DHCP server can’t hand out a non-reserved IP), but you would still gain the benefits of centrally managing your IP addressing, making changes easier if necessary in the future. You would just need the MAC address of every authorized device, one time.
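To make the user-class and reservation approach from the last few paragraphs concrete, here is an added example (my own constructed commands, not from the podcast tutorial or the linked references) for a Windows Server DHCP server with an assumed 10.0.0.0/24 scope, the class name “StaffClass”, and constructed addresses and MAC values; it assumes the login and logout scripts run with enough rights to change the adapter’s class ID.

```batch
@echo off
rem ===== dhcp-setup.cmd: run once on the Windows Server DHCP server =====
rem Define a user class whose class ID string is "StaffClass"
rem (ASCII class data; the trailing 0 means it is a user class, not a vendor class)
netsh dhcp server add class "StaffClass" "Set by staff login script" "StaffClass" 0

rem Scope-wide defaults seen by any client WITHOUT the class: a short lease and
rem a router/DNS address that nothing answers on (10.0.0.254 is constructed/unused)
netsh dhcp server scope 10.0.0.0 set optionvalue 003 IPADDRESS 10.0.0.254
netsh dhcp server scope 10.0.0.0 set optionvalue 006 IPADDRESS 10.0.0.254
netsh dhcp server scope 10.0.0.0 set optionvalue 051 DWORD 600

rem Class-specific values override the defaults for clients presenting "StaffClass":
rem the real gateway, the real DNS server, and an 8-day lease
netsh dhcp server scope 10.0.0.0 set optionvalue 003 IPADDRESS user="StaffClass" 10.0.0.1
netsh dhcp server scope 10.0.0.0 set optionvalue 006 IPADDRESS user="StaffClass" 10.0.0.10
netsh dhcp server scope 10.0.0.0 set optionvalue 051 DWORD user="StaffClass" 691200

rem Optional reservation (the other option above): a known device, by its MAC
rem address (constructed value), always receives the same address
netsh dhcp server scope 10.0.0.0 add reservedip 10.0.0.50 001122334455 "checkin-01" "Nursery check-in station" BOTH

rem Verify what the server now has configured
netsh dhcp server show class
netsh dhcp server scope 10.0.0.0 show optionvalue

rem ===== login.cmd: runs when a domain user logs in =====
rem Tag the adapter with the class ID, then re-request a lease so the
rem class-specific router/DNS/lease values are handed out
rem ipconfig /setclassid "Local Area Connection" StaffClass
rem ipconfig /renew

rem ===== logout.cmd: runs when the user logs off =====
rem Clear the class ID (no class argument) so the machine falls back to the
rem bogus scope-wide defaults until the next authorized login
rem ipconfig /setclassid "Local Area Connection"
rem ipconfig /renew
```

Split the three sections into separate script files in practice; they are shown together (the client lines commented out) so the whole flow is visible in one place, and `ipconfig /showclassid "Local Area Connection"` on a workstation confirms which class it is currently presenting.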

These are all things I’m considering to increase our security, alongside separate VLANs for public, staff, and some other sensitive networks (IP-based security cameras as well as our nursery check-in system get their own VLANs with firewalled routing from separate interfaces on our Microsoft ISA 2004 server). Although using all of these methods would be a helpful part of defense-in-depth, realistically I’m probably going to lean toward VLANs and firewalled routing to provide a lot of security, and use either MAC-based port access control and/or 802.1x authenticating to an IAS (Microsoft’s version of RADIUS) server for staff access security, especially for ports located in public areas.

February 28th, 2007 at 1:26 am

Thanks to Jason Powell

in: General

Jason Powell’s blog was the “straw that broke the camel’s back” and convinced me to start this blog, which I’ve been thinking about for a while. His is so inspiring and informative that I had to add my two cents!