Monthly Archives: September 2005


Ben, we met your Mother on the train

On the train eating lunch, and of course I get into my “bore the other people at the table by talking geek talk” routine, aka patching, security issues and what not…. We start trying to describe what we are and why we’re going to Seattle, and the lady across the table starts saying that her son was going to be up in Redmond starting Wednesday.


She says he doesn’t work at Microsoft, but he does a lot with digital media and helps out online…. hmmmm, we start to think….


Steve and I look at each other and say, “Will he be there Wednesday through Saturday?”  Yes.  We look at each other even more….. “What’s his name?”


Ben Waggoner, Microsoft MVP for digital media… Steve Foster and I had lunch with your Mum on the Amtrak to Seattle… hope to meet you in person!


Wouldn’t it be funny if he ends up in the same hotel as we do?



The ‘other store’

We walked into the “other” store in San Francisco.  The Apple store.  And while one could argue for the tack that Microsoft has taken with its ‘open’ platform that allows anyone to upgrade and build on Windows, man, could Microsoft take a page or two or three or four out of Apple’s marketing playbook.


Young, hip.  With a presentation section where a young woman talked about ‘using’ the Mac, and the “Genius Bar” that lets you book expertise to help you migrate data from one Mac to another Mac or… uh… migrate from a PC to a Mac.


And with displays that are pleasing and uncluttered….not like the glaring, noisy, jarring Best Buy with its absolute information overload of varieties of personal computers and laptops.


Designs of systems that are just clean and stylish.  Don’t tell Steve Foster this, but it even challenges his Acer Ferrari laptop for a coolness award.


Training… education… not just shoving stuff and warranties at you with blaring rock music in the background.


Mac, I have to give you guys hands down credit…. in the marketing and buzz department you kick…. you majorly kick.

Next stop Seattle

Sitting in the Emeryville train station waiting for the 10:12 Amtrak from Emeryville to Seattle… Steve Foster and I are sharing the Sony Ericsson Aircard connection between our laptops…. so the two of us are sitting here, me blogging, him IMing folks who are asking Steve why in the world he is taking the train when he could drive or fly there faster… well, mainly because I asked him to.


I find that train travel is very relaxing, and some of the routes even have WiFi… and well.. with the Aircard, we’re sort of bringing our own.


Now if we could just figure out how to do streaming video of the season premiere of Desperate Housewives we’d be all set……

SF and Internet access

Walking along the streets of San Francisco and seeing the Internet cafés always brings up the issue of security and keystroke loggers.  Steve Foster suggested turning on the accessibility (on-screen) keyboard so that you aren’t ‘typing’ your password but entering it with the mouse instead of keystrokes.


I never thought of that one….


In my office, our policy is to not use Internet kiosks for access back to the corporate network.


<btw I titled this “wireless” first and renamed it “Internet access” as wireless had nothing to do with the post… too much wind in the brain hanging off the edge of the Cable Car… what can I say>

The checklist

Geek clothes….


…more geek clothes….


… Blogging T Shirt…..


Power cords……


Cell phone power…. [and btw you would think that a cigarette lighter adapter that’s supposed to be mini USB would fit my Audiovox, but it didn’t, and Steve and I were in Yosemite today with my dead cell phone… cut off… no email… no IM… no… oh yeah, we were taking the day off, weren’t we?]


Check the weather report ……


Get maps to San Francisco and Frys….


Print out PDF with full detailed info on where we ‘think’ we will be.


I know I’m going to forget something….


oh..yeah….


Don’t forget the train tickets…..

PEAP, WPA and …..uh what?

From the mailbag the other day….

Susan,

Okay, so I’m pretty sure that WEP has been “dead” as a viable wireless security option for at least 3 years, right?  I mean, sure, there’s plenty of home users using WEP or WPA because it’s easy, but I think even in the SMB community, we’re not advocating WEP, or even WPA anymore.

About 4 years ago I had a few clients fired-up about 802.11b, secured with 128-bit WEP keys. Did a few implementations, and then interest seemed to dry-up in the SMB market that I served.  Well now, finally, in 2005 I’m starting to see some renewed interest.  Not just among the “let’s replace our Ethernet infrastructure with wireless” crowd, but among customers who actually generate revenue.

What I’m seeing is that they want 1 of 2 things – sometimes both.

1) Internet-only WLAN for use by guests/contractors/etc., where ease-of-use is paramount, but with the capability of accessing the corporate LAN for employees via some secured means.


2) A “really-reliable” and “really-secure” wireless infrastructure to co-exist with the Ethernet infrastructure (everyone complains that the WLAN drops occasionally, but I have very little confidence that any solution will be notably “better”).

(Granted, for the life of me, I can’t figure out why everyone insists on sitting at their desks and using the WLAN when they have an Ethernet port on the wall that they can plug into, but I digress.)

In working up a technical overview, I’m coming up with the options, and wanted to run them by you, and get your take.

Goal: WLAN for guests.


Option A: Build a solution with an open AP and some solution to redirect all traffic to a given gateway/registration web address.  Then offer a PPTP or IPSEC VPN tunnel into the company LAN for employees. 


Option B: Buy an out-of-the-box solution like a Sonicwall TZ170 which purports to support all that stuff. 

Goal: Secure, corporate LAN for SMB:


Option A: RADIUS-backed 802.1x WLAN solution. Cons:  Need some infrastructure improvements (switches, services, etc.), and owner buyoff on time commitment.


Option B:  WEP-enabled AP on the outside of the LAN; require VPN access through RRAS to access LAN.  Or, any other suggestions?

I haven’t done anything with 802.1x yet for any SMB customers, so there’s going to be a learning curve.  I’d really like to do this, because it would add value, and be a good learning experience, but I don’t think I’m going to get owner-buyoff on this right now.  Have you done much with wireless lately, and if so, what’s your take?

Uh…. Mr. Mailbag… I’m right behind you.  I don’t have wireless on the “inside” of my networks either… they are still ‘outside’.  Now they are running WPA these days and not WEP [as WEP should be shot dead], but I’ve yet to take the time to read the SBS Admin book [Charlie Russel/Jason Gerend] and go through their excellent guide on how to do that.  I’m not quite ready [nor do I truly have a need yet] at my office, but I truly should do it here at home.  For example, poor Steve Foster, who is staying here this week, has no access to printers or anything else even though he’s able to get to the Internet.

What I’d really like is what we get to see when we go to Microsoft… a smart card deployment where, unless you have the magic card, you cannot get on their network, period, and you REALLY can’t get on their wireless.  Fire up NetStumbler and you can see the poor device go crazy with MSLAN way before you see the true campus off the freeway.  But they are just that… secured… and you can’t get on them.

So Nick?  After I get back from my trip to the Mothership Redmond, I’ll be cracking open that Russel/Gerend book myself.

I’ll let you know how I go…

Who’s on first?

From the mailbag comes this question….

How in the heck do you know who’s on first (let alone second and third)?

I am sitting here reading your blog, and checking out several of my clients’ servers via remote desktop, and I need to reboot one of them. You know, it used to be a simple thing, but now, with RWW, Sharepoint, VPN, GoToMyPC, et al, how do we know who is logged on and working and using the network when it appears to be in a restful state? I always go to the Computer Management console and look at open files under Shared files, but that really doesn’t cut it either. Any tools to do this, or just close your eyes and hit the button???


Also, one other thing, have you heard of any way to audit actual logins and logouts? Not those 100’s of 1000’s of login entries in the security event log. Just, Freddie logged in at 8:45AM and out at 5:02PM and then logged in at 7:30 from home and out at 3:02AM. That kind of thing. You know, for all the emphasis on security, actually tracking who is doing what to whom is woefully inadequate in Microsoft’s world.

Data.  I will agree with you that audit logs throw off a lot of data.  And we need a filter for all this data, don’t we?  Too much information, unfiltered, is just that… information.

I’ll answer the easy one first: how I do it.  In my office I have a way that I can tell if someone is logged in… I have Live Communication Server because I had SA on SBS 2000.  When I remote in to do patching, in addition to doing exactly what you do, I have a better check…. I can fire up Live Communication Server [aka the internal lunch menu instant messaging system] and see if anyone has a ‘live’ IM session.  If they do, I can ping them and send a message saying I’m patching.

The other way to do it is to set aside a maintenance window.  “Between the hours of # and # your systems may be rebooted,” or something like that.

As far as tracking logins and logoffs, I know that Dana does centralized logging with third-party auditing tools, and the guys from PSS Security use some specialized tools to filter the audit logs.  I just use the native filtering when I analyze the logs, but I agree it could be easier.

I’ll leave it to the folks that suffer the ‘captcha’ to comment, and anyone else feel free to ping me with ideas at sbradcpa – at – pacbell.net.

P.S. …if someone is using GoToMyPC inside an SBS network… go ahead and reboot…. I truly can’t find a reason why you would need that inside your network anyway….
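Since the two mailbag questions above (who is on the box right now, and a readable logon/logoff timeline instead of the raw security log) are the same pre-reboot check, here is an added PowerShell example that does both. It is not from the original post; it assumes it is run as an administrator on the SBS/Windows server itself, and the event IDs and field positions used are the standard ones for the classic Windows 2003 security log (528/540/538/551) and its Windows 2008-and-later equivalents (4624/4634/4647).

```powershell
# Added example (not from the original post). Pre-reboot check for a Windows/SBS server.
# Assumes: run elevated on the server; classic logon/logoff event IDs listed below.
# ReplacementStrings indices are the documented field order for each event ID.
param([int]$Days = 1)   # how far back to build the logon/logoff timeline

# 1. Who is on the console or in an RDP/Terminal Server session (this covers RWW)?
Write-Host "== Interactive sessions (qwinsta) =="
qwinsta

# 2. Who has an SMB session open against this box (mapped drives, open files)?
Write-Host "== SMB sessions (net session) =="
net session

# 3. A compact per-user logon/logoff timeline, with the noise removed:
#    machine accounts, SYSTEM/ANONYMOUS, and network (type 3) logons.
Write-Host "== Logon/logoff timeline for the last $Days day(s) =="
$since = (Get-Date).AddDays(-$Days)
$ids   = 528,540,538,551,4624,4634,4647     # 2003-era IDs and 2008+ IDs
Get-EventLog -LogName Security -After $since -InstanceId $ids |
  ForEach-Object {
    $r = $_.ReplacementStrings
    switch ($_.InstanceId) {
        528  { $user = $r[0]; $type = $r[3]; $act = 'logon'  }  # interactive/other logon
        540  { $user = $r[0]; $type = $r[3]; $act = 'logon'  }  # network logon
        538  { $user = $r[0]; $type = $r[3]; $act = 'logoff' }
        551  { $user = $r[0]; $type = '';    $act = 'logoff' }  # user-initiated logoff
        4624 { $user = $r[5]; $type = $r[8]; $act = 'logon'  }  # TargetUserName, LogonType
        4634 { $user = $r[1]; $type = $r[4]; $act = 'logoff' }
        4647 { $user = $r[1]; $type = '';    $act = 'logoff' }  # user-initiated logoff
    }
    # Drop the entries the reader complained about: computer accounts, service
    # identities and network logons (file shares), which are most of the volume.
    if ($user -like '*$' -or @('SYSTEM','ANONYMOUS LOGON') -contains $user -or $type -eq '3') {
        return
    }
    New-Object PSObject -Property @{
        Time      = $_.TimeGenerated
        User      = $user
        Action    = $act
        LogonType = $type   # 2 = console, 10 = remote desktop, 11 = cached credentials
    }
  } |
  Sort-Object Time |
  Select-Object Time, User, Action, LogonType |
  Format-Table -AutoSize
```

The timeline is only as good as the audit policy: “Audit logon events” must be enabled for success (and ideally failure) on the server, or there is nothing in the log to filter.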

What’s the catch?

Many times there are two camps of folks learning about SBS….


Camp A – aka ‘what’s the catch’ when they find out about the pricing of SBS


Camp B – aka ‘do we have to use the wizards?’


This download is for a bit of both worlds….


The slide deck and questions/answers from the Web cast address some of the common myths in Windows Small Business Server environments.

You DO know about the TS2 blogs don’t you?

I hope you are following the TS2 blogs….. because if you were, you’d find out the following….


Also, we’ve received word that PSS will support the hosting of the SBA database on a SBS 2003 Standard Server!


Hoooraay!!

You may receive a stop error if you are running PcAnywhere with A/V

You may receive a “Stop 0x00000020” error message on a computer that is running Windows Small Business Server 2003 or Windows Server 2003:
http://support.microsoft.com/?kbid=905539


This problem is known to occur on servers that are running Symantec pcAnywhere 11.5 with Symantec AntiVirus 8.x or with Symantec AntiVirus 9.0. An updated version of the Symantec Event Handler driver (Symevent.sys) causes this problem. The Symevent.sys driver is installed with pcAnywhere 11.5. The Symevent.sys driver causes the Symantec real-time protection drivers to generate the “Stop 0x00000020” error.


To resolve this problem, download and install the latest Symevent.sys driver.


My comment… what the heck are you doing running pcAnywhere on SBS when you have practically forty trillion ways to connect to that box without using a third-party program?  If your vendor demands that they have to have pcAnywhere… get a new vendor!


P.S.  Okay, so forty trillion is an overstatement… but still…