Reporting new and dormant computer accounts

Colleagues just asked me to list Windows servers that have just been commissioned, and also those that might not have been decommissioned properly. I have multiple sources of information: Active Directory, CMDB, SCCM and monitoring systems (ideally, the numbers in all of those should match). So I have used PowerShell to report out of AD. The idea is simple: the whenCreated attribute indicates the system commissioning date; pwdLastSet is the computer password timestamp, and it changes every 30 days, so accounts with a value older than 90 days ago are probably accounts of computers that no longer exist (or are non-Windows clients that don't change passwords regularly, or are Windows cluster computer accounts); and the operatingSystem attribute can be used to tell servers from workstations. The script is quite self-explanatory and doesn't require any PowerShell modules:

# Based on: RemoveInactiveADUsers_v1.0.ps1 (http://gallery.technet.microsoft.com/scriptcenter/Remove-Inactive-user-2caf199a)

#-------- Config - change $adPath to report on different domains, no privilege required
$adPath = "LDAP://DC=corp,DC=tailspintoys,DC=com"
$thirtyDaysAgo = -30
$ninetyDaysAgo = -90

$objDomain = New-Object System.DirectoryServices.DirectoryEntry($adPath)
$objSearch = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
$objSearch.PageSize = 1000   # paged results, otherwise FindAll() stops at the server-side limit (1000 objects by default)

#-------- New computer objects (created in last 30 days)
# whenCreated is stored as generalized time in UTC, so the filter value is built in UTC with the same format
$timestamp = "{0:yyyyMMddHHmmss}.0Z" -f (Get-Date).AddDays($thirtyDaysAgo).ToUniversalTime()

$objSearch.Filter = "(&(objectCategory=Computer)(objectClass=computer)(whenCreated>=" + $timestamp + ")(operatingSystem=*Server*))"
$allSearchResult = $objSearch.FindAll()
Write-Host "Created in the last 30 days: ", $allSearchResult.Count
foreach ($objSearchResult in $allSearchResult) { $objSearchResult.Properties.name }

#-------- Dormant computer objects (password not changed for 90 days)
# pwdLastSet is a large integer (Windows FILETIME), so the comparison value is converted to FILETIME as well
$datetime = ((Get-Date).AddDays($ninetyDaysAgo)).ToFileTime()

$objSearch.Filter = "(&(objectCategory=Computer)(objectClass=computer)(pwdLastSet<=" + $datetime + ")(operatingSystem=*Server*))"
$allSearchResult = $objSearch.FindAll()
Write-Host "Possible zombie accounts: ", $allSearchResult.Count
foreach ($objSearchResult in $allSearchResult) { $objSearchResult.Properties.name }

As always with PowerShell, you can feed the search results into a variety of cmdlets, such as Get-ADComputer or Test-Connection.

What’s the fastest supercomputer in the world?

It's probably not what we think it is. Top 500 is the most widely publicised list of top-performing supercomputers, but apparently it's missing some of the world's biggest computing powerhouses. Here's what Jeff Wierer, currently director of HPC at Microsoft, said in an interview last year:


I don’t think there’s much financial incentive for private sector firms to get visibility on that website.
For example, if you’re a large investment bank, the time required to take down that system and run the benchmarks to get into the top 500 is prohibitive, especially in the current economic climate.
We have a customer running 32,000 servers in a cluster. Running the benchmark on that would make them number one, but as I said there’s no financial incentive for them to do that.


There's quite a bit of competition in the HPC space, so Microsoft wouldn't be the only vendor helping to build amazing number crunchers about which the general public has little or no knowledge.

Offline root CA is an outdated concept

My first experience with PKI was back in 1997. We (Andy Khomenko, currently with Caspio, and I) were developing a business-to-business e-commerce site. We decided to use client certificates for authentication, as the just-released IIS 2.0 on Windows NT 4.0 supported them. There was no Microsoft CA back then, so I wrote a CGI wrapper around SSLeay (now OpenSSL) that managed client requests and the certificate issuance process and kept the relevant logs in a Microsoft SQL Server database. Looking back, the whole setup wasn't very secure, and not only because of the endless vulnerabilities in the technologies that we used. But in the end we had a working product using then-leading-edge technologies, and cut our teeth in e-commerce technology and Internet security.


In the early 2000s I saw the transition of an internal PKI from a test facility running from a floppy in a guy's desktop to an enterprise service with countless applications depending on it. At the same time, the certificate authority key migrated from the floppy to an HSM, the hardware security module. HSMs are amazing devices: they can require multiple people with smart cards to perform an operation (depending on the policy, even basic tasks like signing a certificate request or a CRL may require multiple custodians present), and can drop keys if the device is shaken or the temperature changes. The whole idea is to have private keys stored more securely than anywhere on commodity hardware and operating systems.


Amazingly, while HSMs prevailed in enterprise environments, design decisions are still made as if the CA keys were stored in the Inetpub folder on a Windows NT 4.0 SP1 system. That's the rationale behind the implementation of the offline root CA.


In Deploying and Managing PKI inside Microsoft (a must-read), under MS PKI Security Requirements, the Microsoft guys say: "Even though Microsoft internal hierarchy no longer had the previous intermediate CAs, Microsoft IT did not lower any of the existing security controls. The root and the new intermediate CA were offline and never exposed to network traffic, thereby minimizing the chance of a compromise". But hang on: what is a compromise of a CA?


There are two common fault scenarios: issuance of certificates to unintended recipients, and losing ownership of the CA keys. The first scenario is not mitigated by an offline root: you revoke the certificates and possibly review the process. That has happened with VeriSign and other commercial CAs. The second scenario, total loss of the CA keys, is mitigated by the use of an HSM: even if you own the system connected to the HSM, you can't get the keys out.


One might say: what if you compromise a system that can connect to the HSM and use that as a base to exploit a vulnerability in the HSM? That assumes the infrastructure is already owned by someone else, and they will hardly need to spend time on a research project to find a vulnerability in the HSM. And the trivial solution is keeping the HSM, not the client system, offline.


Technology evolves. The offline root CA is just one of those obsolete ideas that are labelled "best practice" in the hope that there will be no critical analysis.

IPv6: back to basics

Recently I enabled IPv6 on my home network. My ISP, Internode, has supported IPv6 for some time now, and I finally got around to purchasing a new router with IPv6 support. Most operating systems that I run at home (including Maemo on the Nokia N810) support IPv6 too. Fast forward a few weeks to World IPv6 Day: as it happens, I found a problem with my setup on the day when the whole world makes an effort to prove IPv6 maturity:


C:\Users\spadmin>ping ipv6.google.com
Ping request could not find host ipv6.google.com. Please check the name and try again.

C:\Users\spadmin>nslookup ipv6.google.com
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        primary name server = 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
        responsible mail addr = (root)
        serial  = 0
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)
Server:  UnKnown
Address:  ::1

Non-authoritative answer:
Name:    ipv6.l.google.com
Address:  2404:6800:4006:802::1010
Aliases:  ipv6.google.com


C:\Users\spadmin>ping 2404:6800:4006:802::1010

Pinging 2404:6800:4006:802::1010 from 2001:44b8:78e1:1320:2d10:241c:5668:2f6a with 32 bytes of data:
Reply from 2404:6800:4006:802::1010: time=53ms
Reply from 2404:6800:4006:802::1010: time=51ms
Reply from 2404:6800:4006:802::1010: time=52ms
Reply from 2404:6800:4006:802::1010: time=53ms

Ping statistics for 2404:6800:4006:802::1010:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 53ms, Average = 52ms

C:\Users\spadmin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACE
   Primary Dns Suffix  . . . . . . . : example.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : example.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-1C-25-E7-B0-75
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:44b8:78e1:1320:2d10:241c:5668:2f6a(Deprecated)
   Link-local IPv6 Address . . . . . : fe80::2d10:241c:5668:2f6a%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.178.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::be05:43ff:fea6:127b%10
                                       10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 167779365
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-3D-2B-1A-00-1C-25-E7-B0-75
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

After disabling and re-enabling the NIC everything works:

C:\Users\spadmin>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ACE
   Primary Dns Suffix  . . . . . . . : example.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : example.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 PL Network Connection
   Physical Address. . . . . . . . . : 00-1C-25-E7-B0-75
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:44b8:78e1:1320:2d10:241c:5668:2f6a(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2d10:241c:5668:2f6a%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.1.200(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   IPv4 Address. . . . . . . . . . . : 192.168.178.254(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::be05:43ff:fea6:127b%10
                                       10.1.1.1
   DHCPv6 IAID . . . . . . . . . . . : 167779365
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-3D-2B-1A-00-1C-25-E7-B0-75
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\spadmin>ping ipv6.google.com

Pinging ipv6.l.google.com [2404:6800:4006:802::1011] from 2001:44b8:78e1:1320:2d10:241c:5668:2f6a with 32 bytes of data:
Reply from 2404:6800:4006:802::1011: time=53ms
Reply from 2404:6800:4006:802::1011: time=51ms
Reply from 2404:6800:4006:802::1011: time=51ms
Reply from 2404:6800:4006:802::1011: time=51ms

Ping statistics for 2404:6800:4006:802::1011:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 51ms, Maximum = 53ms, Average = 51ms

Evidently the IPv6 protocol stack is left semi-functional. I admit I haven't spent a lot of time configuring the network, but for my home the autoconfiguration features of the protocol are sufficient (and I was getting a 10/10 score in the IPv6 test).


So why does the global IPv6 address get deprecated? An Internode engineer thought it was a Windows 7 bug (How to report IPv6 bug to Microsoft – Vista and 7 won't "undeprecate" a prefix), but AVM, the makers of the router that I use, apparently released a firmware update that addresses this issue (W7 ignores ICMPv6 Router Advertisments setting an IPv6 prefix from invalid to valid). Details of this issue are also discussed on Whirlpool. I'm on a test firmware that addresses another issue with the router, so I will have to report, wait and see.


I guess my point is this: the protocols are quite robust, but it will take some time to shake down the implementation issues. It's been four years since I posted my view on IPv6 in the enterprise. I stand by it.


And yes, my home network is on the Internet, without firewalls, gateways or any other masquerade.


UPDATE: Microsoft recognised irreversible IPv6 address deprecation as a bug in Windows Vista, 7, Server 2008 and 2008 R2 and will release a hotfix. I have the prerelease code and tested it successfully.

More ping goodness

Strange problems with the corporate WAN? Welcome to my world. I’m a big enthusiast of ICMP diagnostics with ping (see Let there be ping!), and traceroute and pathping as well. One particular issue is quickly identifiable with stock-standard ICMP ping. Look at this output, for example:


C:\Users\spadmin>ping -n 25 dc-0001.asia.example.net

Pinging dc-0001.asia.example.net [172.25.7.71] with 32 bytes of data:
Reply from 172.25.7.71: bytes=32 time=38ms TTL=115
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=42ms TTL=115
Reply from 172.25.7.71: bytes=32 time=48ms TTL=115
Reply from 172.25.7.71: bytes=32 time=124ms TTL=115
Reply from 172.25.7.71: bytes=32 time=33ms TTL=115
Reply from 172.25.7.71: bytes=32 time=80ms TTL=115
Reply from 172.25.7.71: bytes=32 time=31ms TTL=115
Reply from 172.25.7.71: bytes=32 time=33ms TTL=115
Reply from 172.25.7.71: bytes=32 time=32ms TTL=115
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=22ms TTL=114
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=21ms TTL=115
Reply from 172.25.7.71: bytes=32 time=22ms TTL=115
Reply from 172.25.7.71: bytes=32 time=23ms TTL=115
Reply from 172.25.7.71: bytes=32 time=26ms TTL=115
Reply from 172.25.7.71: bytes=32 time=25ms TTL=115
Reply from 172.25.7.71: bytes=32 time=21ms TTL=115
Request timed out.
Reply from 172.25.7.71: bytes=32 time=21ms TTL=115
Reply from 172.25.7.71: bytes=32 time=20ms TTL=115
Reply from 172.25.7.71: bytes=32 time=35ms TTL=115
Reply from 172.25.7.71: bytes=32 time=36ms TTL=115
Reply from 172.25.7.71: bytes=32 time=26ms TTL=115


Obviously there's packet loss, which is never a good sign. But the other line that is out of the ordinary signifies more than a congested link or a faulty cable: it is the line where the return TTL is different from every other TTL (114 instead of 115). That means the ICMP echo reply took a different route from the other 23 packets that were returned, which in turn points to a problem with the WAN routing infrastructure. Although IP, the Internet Protocol, was designed to withstand a full-scale attack on communication lines, and changing routes are standard, that shouldn't occur on a normal day on your corporate network.


There's one more thing: check out Smokeping. It's a ping monitor on steroids, something you really need in very dynamic and only partially stable environments. And it's free, as in free beer.

Checking server SSL/TLS certificates – any service

With all kinds of services using TLS encryption, and many more using SSL wrappers like stunnel, the usual approach of using a Web browser or a service-specific client doesn't work. This is where OpenSSL comes in handy. Its SSL client functionality is great for troubleshooting and discovery:


C:\OpenSSL\bin>openssl s_client -connect sip.microsoft.com:5061 -showcerts


CONNECTED(000000E4)

Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

Server certificate
subject=/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority

Acceptable client certificate CA names
/CN=MSIT TPM Root
/emailAddress=pkit@microsoft.com/C=US/ST=WA/L=Redmond/O=Microsoft/OU=ITG/CN=Microsoft Corporate Root Authority
/O=Microsoft Corporation/CN=Microsoft Corporate Root CA
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Premium CA/emailAddress=personal-premium@thawte.com
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Basic CA/emailAddress=personal-basic@thawte.com
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Uzleti (Class B) Tanusitvanykiado
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=HU/ST=Hungary/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Root
/C=HU/L=Budapest/O=NetLock Halozatbiztonsagi Kft./OU=Tanusitvanykiadok/CN=NetLock Expressz (Class C) Tanusitvanykiado
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft Corporation/CN=Microsoft Root Authority
/DC=com/DC=microsoft/CN=Microsoft Root Certificate Authority

SSL handshake has read 7942 bytes and written 404 bytes

New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 6622000040A4EDB48846EE407E969CD2D11D8359C05C702EB825524450A47A23
    Session-ID-ctx:
    Master-Key: E08629D601E2F9FD0F773F01C2A5063ADFD766F48A03A003D9FFC89947E303CECEB0C5D1ED0523D93AC933436B875D52
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1292923998
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)


This allows fast and easy checking of the SSL/TLS configuration of any service: HTTP, SIP, IMAP, and anything using SSL wrappers. It would be good to have TLS discovery functionality integrated into a tool like nmap.


A toolset note: Win32 OpenSSL is very handy for Windows administrators.
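The s_client output above is long, and the security-relevant lines (negotiated cipher, key size, verify result, where the chain stops) are easy to miss among the certificate dumps. Here is an added example, not from the original post, of a small Python checker that parses saved s_client output and reports those points; the sample it runs on is a constructed excerpt modelled on the sip.microsoft.com output above, which shows RC4-MD5, a 1024-bit key and verify return code 20.

```python
"""Parse saved `openssl s_client -showcerts` output and flag weak settings.

Added example (not part of the original post). Run s_client, save its
output to a file, and pass the text to parse_s_client()/findings().
"""
import re

# Constructed sample shaped like the post's s_client output; the base64
# certificate bodies are omitted because the parser only needs the
# chain headers and the session summary.
SAMPLE = """\
CONNECTED(000000E4)
---
Certificate chain
 0 s:/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=WA/L=Redmond/O=MS/OU=RTC/CN=sip.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
SSL handshake has read 7942 bytes and written 404 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
"""

# Substrings in an OpenSSL cipher name that mark it as weak (assumed list).
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
MIN_KEY_BITS = 2048  # assumed policy minimum for RSA server keys


def parse_s_client(text):
    """Extract chain, protocol, cipher, key size and verify result."""
    chain = []
    # Each chain entry is a 's:' subject line followed by an 'i:' issuer line.
    for m in re.finditer(r"^ *(\d+) s:(.*)\n +i:(.*)$", text, re.M):
        chain.append({"depth": int(m.group(1)),
                      "subject": m.group(2).strip(),
                      "issuer": m.group(3).strip()})
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    bits = re.search(r"Server public key is (\d+) bit", text)
    verify = re.search(r"Verify return code: (\d+) \((.*)\)", text)
    return {
        "chain": chain,
        "cipher": cipher.group(1) if cipher else None,
        "protocol": proto.group(1) if proto else None,
        "key_bits": int(bits.group(1)) if bits else None,
        "verify_code": int(verify.group(1)) if verify else None,
        "verify_text": verify.group(2) if verify else None,
    }


def findings(info):
    """Return the list of problems a reviewer would raise about the endpoint."""
    out = []
    cipher = info["cipher"] or ""
    if any(tag in cipher.upper() for tag in WEAK_CIPHER_MARKERS):
        out.append("weak cipher suite negotiated: " + cipher)
    if info["key_bits"] is not None and info["key_bits"] < MIN_KEY_BITS:
        out.append("server key is only %d bits" % info["key_bits"])
    if info["protocol"] in LEGACY_PROTOCOLS:
        out.append("legacy protocol negotiated: " + info["protocol"])
    if info["verify_code"] not in (None, 0):
        out.append("chain did not verify: %d (%s)"
                   % (info["verify_code"], info["verify_text"]))
    # If the last issuer never appears as a subject, the server did not send
    # the issuing CA: the client must already trust it, which is exactly what
    # 'unable to get local issuer certificate' means.
    if info["chain"]:
        subjects = {e["subject"] for e in info["chain"]}
        last = info["chain"][-1]
        if last["issuer"] not in subjects:
            out.append("chain stops at '%s'; issuer '%s' must be in the local trust store"
                       % (last["subject"], last["issuer"]))
    return out


if __name__ == "__main__":
    info = parse_s_client(SAMPLE)
    for entry in info["chain"]:
        print("%d: %s  <-  %s" % (entry["depth"], entry["subject"], entry["issuer"]))
    for problem in findings(info):
        print("!!", problem)
```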

Open source takes on Active Directory

Coming out of the Red Hat ecosystem is FreeIPA, a self-styled integrated security information management solution. IPA stands for Identity, Policy, Audit. Make no mistake: there is no PaidIPA, and FreeIPA is a take on Active Directory, combining the OS, LDAP and Kerberos and integrating Web and certificate services, as well as other infrastructure services, into the software stack. Detailed features:


Version 1 will focus on


  • Allowing an administrator to quickly install, setup, and administer one or more IPA servers for centralized authentication and user identity management.

Version 2 will focus on


  • Adding DNS and Certificate Authority to the IPA core
  • Allowing an admin to join a machine to an IPA realm
  • Providing kerberos principal and cert to the joined machine
  • Providing service keytabs and service certificates to services
  • Managing the keytabs and certificates once provided
  • Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.
  • IPA Client code for managing authentication, authorization, caching, connection
  • Policy. Centrally managed sudoers/netgroups, SELinux role based access
  • Audit. Centrally collected audit logs from IPA servers and from IPA clients

I assume there will be an easy way to integrate email and real-time communications system into the IPA.


We have had all of this (bar a mandatory access control system) in Active Directory for a long while now. UNIX and Linux integrate well into AD through Samba and Likewise Open. But an integrated authentication and authorisation subsystem designed specifically for Linux was missing: until now there were only bits and pieces that are hard to integrate. FreeIPA is an attempt to close that gap and create some competition for Active Directory, which is a good thing.


When security doesn’t work

A few days back, a hater named Umar Farouk Abdulmutallab tried to explode an airplane and kill 289 people aboard and maybe more on the ground. He was stopped by another passenger, Jasper Schuringa, a Dutch movie maker.


The US Department of Homeland Security and its Transportation Security Administration quickly issued statements. They introduced new security measures. The TSA doesn’t really say what those measures are, but various reports and airline Web sites mention stuff like this:


Air Canada said in a statement that new rules imposed by the Transportation Security Administration limit on-board activities by passengers and crew in U.S. airspace. The airline said that during the final hour of flight passengers must remain seated. They won’t be allowed access to carryon baggage or to have any items on their laps.

Flight attendants on some domestic flights are informing passengers of similar rules. Passengers on a flight from New York to Tampa Saturday morning were also told they must remain in their seats and couldn’t have items in their laps, including laptops and pillows.

Note this: if the rules had already been in place and the passengers had strictly followed them, Mr. Schuringa wouldn't have been able to subdue the terrorist: he had to leap over a few seat rows to do that. Apparently, that's no longer allowed. It doesn't matter that explosives and flammable liquids were not allowed on the plane in the first place, and that the TSA failed to enforce that. They issue a new ruling that doesn't make sense (last hour, huh?) and is almost impossible to enforce. Reminds me of the TSA requirement not to congregate on a plane headed for the United States.

This is not security, this is damage control. Happens too often in the government, and in the corporate world as well.

Doing your job is hard but not impossible: analyse why the security measures failed, and correct the problem. If the measures are wrong, try something new. Like, in the case of transportation security, sedating all passengers.

It is okay to acknowledge your errors. But it is the definition of waste not to, and to keep doing the same. Take information security. Firewalls don't work? Implement more firewalls. Intrusion detection systems don't detect intrusions? Rename them intrusion prevention systems, and spend some more. Sounds familiar?

Quick test of a filesystem performance

This script was written by Geoff Baxter:

option explicit

‘ DiskPerfStats.vbs

‘  This script uses the SQLIO.exe utility to do a basic check
‘  of disk performance for all local disks.

‘  This script must be in the same folder as SQLIO.exe.

‘  Takes one (optional) parameter, which is the number of seconds that
‘  each SQLIO.exe test will run for, defaulting to 5.

‘  – Geoff Baxter
‘    24/07/2008



‘———————————————————————-
‘ constants

const OutputFile              = “DiskPerfStats”
const strSQLIOExe            = “SQLIO.exe”
dim  DataFileName           
const DriveType_LocalDisk     = 3
Const RUN_HIDDEN            = 0
Const RUN_NORMAL            = 1
Const RUN_MINIMISED            = 2
Const RUN_MAXIMISED            = 3
Const OpenFileForReading     = 1
Const OpenFileForWriting     = 2
Const OpenFileForAppending     = 8
Const WAIT_FOR_COMPLETION    = true
Const NO_WAIT_FOR_COMPLETION= false

‘———————————————————————-
‘ Local variables

dim DriveName (99)
dim ReadIOsPerSec (99)
dim ReadMBsPerSec (99)
dim WriteIOsPerSec (99)
dim WriteMBsPerSec (99)
dim DriveCnt
dim objShell, fso, i
dim TestDuration, Cmd, Line
dim objWMIService, colDisks, objDisk, objFile
dim OutputFile1

‘———————————————————————-
‘ Initialise & write welcome message…

DriveCnt = 0

wscript.echo “”
wscript.echo “DiskPerfStats.vbs: Using SQLIO.exe to check disk performance…”
wscript.echo “”

Set objShell = WScript.CreateObject(“WScript.Shell”)
Set fso = CreateObject(“Scripting.FileSystemObject”)

‘———————————————————————-
‘ Verify that SQLIO.exe exists in the current folder


if not fso.FileExists (strSQLIOExe) then
    wscript.echo “ERROR: ” & strSQLIOExe & ” not found in current folder.”
    wscript.echo “”
    wscript.quit(1)
end if

‘———————————————————————-
‘ Get (optional) parameter & verify


If wscript.Arguments.count = 0 Then
    TestDuration = 5
else
    TestDuration = wscript.Arguments(0)
    if not isnumeric(TestDuration) then
        wscript.echo “ERROR: Parameter 1 (test duration) of ‘” & TestDuration & “‘ is invalid.”
        wscript.echo ”       This must be an integer, specifying the number of seconds each “
        wscript.echo ”       SQLIO.exe test should run.”
        wscript.echo “”
        wscript.quit(1)
    end if
end if

If wscript.Arguments.count = 2 Then
    OutputFile1 = OutputFile & wscript.Arguments(1)
    DataFileName = “\sqlio” & wscript.Arguments(1) & “.dat”
else
    OutputFile1 = OutputFile
    DataFileName = “\sqlio.dat”
end if
wscript.echo “This will use SQLIO to run a read and a write test on each local disk”
wscript.echo “Each individual test will run for ” & TestDuration & ” seconds.”
wscript.echo “OutputFile: ” & OutputFile1
wscript.echo “”


'----------------------------------------------------------------------
' Here we go - loop through local disks


Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
Set colDisks = objWMIService.ExecQuery("Select * from Win32_LogicalDisk")

wscript.echo "Starting tests..."

For Each objDisk in colDisks
    ' DriveType_LocalDisk is the Win32_LogicalDisk DriveType for a fixed local disk (3);
    ' removable, network, optical and RAM disks are skipped.
    if objDisk.DriveType = DriveType_LocalDisk then
        DriveCnt = DriveCnt + 1
        DriveName(DriveCnt) = objDisk.DeviceID
        ReadIOsPerSec(DriveCnt) = ""
        ReadMBsPerSec(DriveCnt) = ""
        WriteIOsPerSec(DriveCnt) = ""
        WriteMBsPerSec(DriveCnt) = ""

        wscript.echo "Processing disk " & objDisk.DeviceID


        '----------------------------------------------------------------------
        ' Get read performance stats for this disk
        '
        Cmd = "cmd /C """ & strSQLIOExe & " -kR -t5 -s" & TestDuration & " -b8 -BN -f16 " & objDisk.DeviceID & DataFileName & " > " & OutputFile1 & ".txt"" "

        wscript.echo "- Checking read  performance of disk " & objDisk.DeviceID & " for " & TestDuration & " seconds..."

        '  Run the test...
        objShell.Run Cmd, RUN_HIDDEN, WAIT_FOR_COMPLETION

        ' delete the temp file that was created
        if fso.FileExists(objDisk.DeviceID & DataFileName) then
            fso.DeleteFile objDisk.DeviceID & DataFileName, true
        end if

        ' get the output file & extract performance figures
        set objFile = fso.OpenTextFile(OutputFile1 & ".txt", OpenFileForReading, false)
        while not objFile.AtEndOfStream
            Line = objFile.ReadLine
            if ucase(left(Line,8)) = ucase("IOs/sec:") then
                ReadIOsPerSec(DriveCnt) = mid(Line, 9, 99)
            end if
            if ucase(left(Line,8)) = ucase("MBs/sec:") then
                ReadMBsPerSec(DriveCnt) = mid(Line, 9, 99)
            end if
        wend
        objFile.close
        set objFile = nothing


        '----------------------------------------------------------------------
        ' Get write performance stats for this disk
        '
        Cmd = "cmd /C """ & strSQLIOExe & " -kW -t5 -s" & TestDuration & " -b8 -BN -f16 " & objDisk.DeviceID & DataFileName & " > " & OutputFile1 & ".txt"" "

        wscript.echo "- Checking write performance of disk " & objDisk.DeviceID & " for " & TestDuration & " seconds..."

        '  Run the test...
        objShell.Run Cmd, RUN_HIDDEN, WAIT_FOR_COMPLETION

        ' delete the temp file that was created
        if fso.FileExists(objDisk.DeviceID & DataFileName) then
            fso.DeleteFile objDisk.DeviceID & DataFileName, true
        end if

        ' get the output file & extract performance figures
        set objFile = fso.OpenTextFile(OutputFile1 & ".txt", OpenFileForReading, false)
        while not objFile.AtEndOfStream
            Line = objFile.ReadLine
            if ucase(left(Line,8)) = ucase("IOs/sec:") then
                WriteIOsPerSec(DriveCnt) = mid(Line, 9, 99)
            end if
            if ucase(left(Line,8)) = ucase("MBs/sec:") then
                WriteMBsPerSec(DriveCnt) = mid(Line, 9, 99)
            end if
        wend
        objFile.close
        set objFile = nothing

    end if
next

'----------------------------------------------------------------------
' All done.  Output the results.

wscript.echo ""

wscript.echo "Performance Summary by Disk:"
wscript.echo ""
wscript.echo "Drive  Read IOs/sec  Write IOs/sec  Read MB/sec  Write MB/sec"
wscript.echo "=====  ============  =============  ===========  ============"


for i = 1 to DriveCnt
    wscript.echo DriveName(i) & "     " & _
        right("            " & ReadIOsPerSec(i),12) & "  " & _
        right("            " & WriteIOsPerSec(i),13) & "  " & _
        right("            " & ReadMBsPerSec(i),11) & "  " & _
        right("            " & WriteMBsPerSec(i),12)
next

wscript.echo ""
wscript.echo "Done. " & DriveCnt & " disks processed."
wscript.echo ""

C:\tmp>cscript //nologo DiskPerfStats.vbs 5

DiskPerfStats.vbs: Using SQLIO.exe to check disk performance…

This will use SQLIO to run a read and a write test on each local disk
Each individual test will run for 5 seconds.
OutputFile: DiskPerfStats

Starting tests…
Processing disk C:
- Checking read  performance of disk C: for 5 seconds…
- Checking write performance of disk C: for 5 seconds…
Processing disk D:
- Checking read  performance of disk D: for 5 seconds…
- Checking write performance of disk D: for 5 seconds…

Performance Summary by Disk:

Drive  Read IOs/sec  Write IOs/sec  Read MB/sec  Write MB/sec
=====  ============  =============  ===========  ============
C:          7057.20        4578.60        55.13         35.77
D:          6938.60        6068.36        54.20         47.40

Done. 2 disks processed.
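
As an added example (not part of the original DiskPerfStats.vbs), here is the same per-disk read/write SQLIO sweep in PowerShell. The VBScript splices the optional file-name suffix and the WMI DeviceID into one "cmd /C ..." string that cmd.exe then parses; here sqlio.exe is started directly with an argument array and its stdout is captured, so nothing from the input reaches a shell parser, and the parameters are validated at the function boundary. The sqlio.exe install path, the constructed sample output used for the parser self-check, and the requirement of PowerShell 3.0 or later (Get-CimInstance) are assumptions of this example, not facts from the page.

```powershell
# Added example, not part of the original DiskPerfStats.vbs. Runs sqlio.exe per
# fixed disk without "cmd /C": the executable is invoked with an argument array
# and its stdout is parsed in-process. Assumed: sqlio.exe at $SqlioPath,
# PowerShell 3.0+ (Get-CimInstance), a writable root on each fixed disk.

Set-StrictMode -Version Latest

function ConvertFrom-SqlioOutput {
    # Pull the two "throughput metrics" lines out of SQLIO's stdout. A figure that is
    # absent (e.g. SQLIO could not open the data file) comes back as $null, not "".
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $ios = $null
    $mbs = $null
    if ($Text -match '(?m)^IOs/sec:\s*([0-9.]+)') { $ios = [double]$Matches[1] }
    if ($Text -match '(?m)^MBs/sec:\s*([0-9.]+)') { $mbs = [double]$Matches[1] }
    [pscustomobject]@{ IOsPerSec = $ios; MBsPerSec = $mbs }
}

function Invoke-SqlioTest {
    param(
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]:$')][string]$Drive,   # e.g. 'C:'
        [Parameter(Mandatory)][ValidateSet('R', 'W')][string]$Kind,          # read or write
        [ValidateRange(1, 3600)][int]$Seconds = 5,
        [ValidatePattern('^[A-Za-z0-9_-]*$')][string]$Suffix = '',           # same whitelist idea as the VBS check
        [string]$SqlioPath = 'C:\Program Files (x86)\SQLIO\sqlio.exe'       # assumed install path
    )
    $dataFile = Join-Path $Drive "sqlio$Suffix.dat"
    # Same flags as the VBScript: 5 threads, 8 KB IOs, no OS buffering (-BN), stride 16.
    $sqlioArgs = @("-k$Kind", '-t5', "-s$Seconds", '-b8', '-BN', '-f16', $dataFile)
    $out = ''
    try {
        # No shell in between: each array element is one argv entry for sqlio.exe.
        $out = & $SqlioPath @sqlioArgs 2>&1 | Out-String
        if ($LASTEXITCODE -ne 0) { Write-Warning "sqlio.exe exited with code $LASTEXITCODE on $Drive" }
    } finally {
        # SQLIO leaves its test file behind; remove it whether or not the run succeeded.
        if (Test-Path -LiteralPath $dataFile) { Remove-Item -LiteralPath $dataFile -Force }
    }
    ConvertFrom-SqlioOutput -Text $out
}

function Get-DiskPerfSummary {
    param(
        [ValidateRange(1, 3600)][int]$Seconds = 5,
        [ValidatePattern('^[A-Za-z0-9_-]*$')][string]$Suffix = ''
    )
    # DriveType 3 = fixed local disk, the same filter the VBScript applies.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        $r = Invoke-SqlioTest -Drive $_.DeviceID -Kind R -Seconds $Seconds -Suffix $Suffix
        $w = Invoke-SqlioTest -Drive $_.DeviceID -Kind W -Seconds $Seconds -Suffix $Suffix
        [pscustomobject]@{
            Drive          = $_.DeviceID
            ReadIOsPerSec  = $r.IOsPerSec
            WriteIOsPerSec = $w.IOsPerSec
            ReadMBsPerSec  = $r.MBsPerSec
            WriteMBsPerSec = $w.MBsPerSec
        }
    }
}

# Parser self-check on a constructed tail of SQLIO output (runs without sqlio.exe).
$sample = "CUMULATIVE DATA:`r`nthroughput metrics:`r`nIOs/sec:  7057.20`r`nMBs/sec:    55.13`r`n"
$parsed = ConvertFrom-SqlioOutput -Text $sample
if ($parsed.IOsPerSec -ne 7057.2 -or $parsed.MBsPerSec -ne 55.13) { throw 'SQLIO output parser self-check failed' }

# Usage (needs sqlio.exe installed):
#   Get-DiskPerfSummary -Seconds 5 | Format-Table -AutoSize
```

Start-Process would work as well, but calling the executable with the & operator and splatting the argument array keeps quoting rules out of the picture and lets stdout flow straight into the parser. A suffix such as x & del * is rejected by the ValidatePattern attribute before anything runs; in the VBScript it would have been handed to cmd.exe as part of the command line.
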


Windows file server performance optimization

Merge the following into the registry and reboot. Two things to do before merging: replace {INTERFACE NUMBER} with the GUID of the interface that carries the file-serving traffic, and export the keys below so the change can be rolled back. These are throughput tunings lifted from a benchmark submission, not a hardening baseline, so review each value for your environment; SecureHandleLevel under NfsSvr\Parameters in particular is a security-related setting rather than a pure performance knob, and its meaning for your Windows version should be checked before it is set to 0.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
"NtfsMemoryUsage"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NumTcbTablePartitions"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE NUMBER}]
"TcpAckFrequency"=dword:0000000d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"PagedPoolSize"=dword:ffffffff
"LargeSystemCache"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Executive]
"AdditionalDelayedWorkerThreads"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcXdr\Parameters]
"DefaultNumberOfWorkerThreads"=dword:00000040

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NfsSvr\Parameters]
"OptimalReads"=dword:00000001
"RdWrHandleLifeTime"=dword:0000000a
"RdWrNfsReadHandlesLifeTime"=dword:0000000a
"RdWrNfsHandleLifeTime"=dword:0000003c
"RdWrThreadSleepTime"=dword:0000003c
"SecureHandleLevel"=dword:00000000
"NfsHandlesCacheSizeLowWatermark"=dword:003d08ce
"NfsHandlesCacheSizeMax"=dword:003d0900
"NtfsHandlesCacheSizeLowWatermark"=dword:000249be
"NtfsHandlesCacheSizeMax"=dword:000249f0
"FileHandleCacheSizeInMB"=dword:3de00000
"LockFileHandleCacheInMemory"=dword:00000001
"MaxIcbNfsReadHandlesCacheSize"=dword:00001f40


Also check the NTFS log size with chkdsk <drive>: /L (with no size given it only reports the current value) and, if it isn't 65536 KB already, set it with chkdsk <drive>: /L:65536. That covers Windows CIFS and NFS and was tested on 32-bit Windows 2003 (yet I believe W2K8 and 64-bit platforms can also be optimised this way, will test). This comes from the SPEC file server benchmarking results and configuration notes for the HP ProLiant DL585 G2 Storage Server.


Check out other systems and results – some interesting information there.


It is a good idea to check the performance before and after changing the system parameters. You don’t need to purchase SPEC tests to do that – there are free tools available. Stay tuned for some details, or search away (if your OS of choice is Windows, use “sqlio” as the search criteria). 
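
To make the registry merge above reversible and verifiable, here is an added PowerShell example (not code from the original post). It parses the .reg file, exports every key the file touches with reg.exe to a timestamped backup before the import, and afterwards reads each value back and compares it with what the file specified. It assumes an elevated shell, a tuning file saved at the made-up $RegFile path shown in the usage comments, and that {INTERFACE NUMBER} has already been replaced with a real interface GUID; a key that does not exist is reported and skipped, not created.

```powershell
# Added example, not part of the original post: back up, import and verify a
# tuning .reg file such as the one above. Assumed: elevated shell, the .reg
# saved at $RegFile (path below is made up), {INTERFACE NUMBER} already replaced.

Set-StrictMode -Version Latest

function Read-RegFile {
    # Minimal parser for the subset the tuning file uses: [HKEY_...] headers and
    # "Name"=dword:xxxxxxxx lines. Emits one object per value, key in provider form.
    param([Parameter(Mandatory)][string]$Path)
    $key = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\[(HKEY_[A-Z_]+)\\(.+)\]\s*$') {
            $hive = switch ($Matches[1]) {
                'HKEY_LOCAL_MACHINE' { 'HKLM:' }
                'HKEY_CURRENT_USER'  { 'HKCU:' }
                default              { throw "unsupported hive $_" }
            }
            $key = "$hive\$($Matches[2])"
        }
        elseif ($line -match '^"([^"]+)"=dword:([0-9A-Fa-f]{8})\s*$') {
            if (-not $key) { throw "value before any [key] header: $line" }
            [pscustomobject]@{ Key = $key; Name = $Matches[1]; Value = [Convert]::ToUInt32($Matches[2], 16) }
        }
        elseif ($line -match '^"') {
            Write-Warning "skipping non-dword value (not handled by this example): $line"
        }
    }
}

function Backup-RegKey {
    # Export each existing key with reg.exe so "reg.exe import <backup>" restores it.
    param(
        [Parameter(Mandatory)][string[]]$Key,
        [string]$BackupDir = (Join-Path $env:ProgramData 'reg-backup')
    )
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $n = 0
    foreach ($k in $Key) {
        if (-not (Test-Path -LiteralPath $k)) { Write-Warning "key not present, nothing to back up: $k"; continue }
        $n++
        $file = Join-Path $BackupDir ('{0}-{1:d2}.reg' -f $stamp, $n)
        # reg.exe wants HKLM\..., the provider path is HKLM:\...
        & reg.exe export ($k -replace '^(HKLM|HKCU):', '$1') $file /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed for $k" }
        $file
    }
}

function Test-RegValue {
    # Compare each expected DWORD with what the registry holds now. Get-ItemProperty
    # returns DWORDs as signed Int32, so mask to 32 bits before comparing with the
    # unsigned value from the .reg (PagedPoolSize=ffffffff reads back as -1).
    param([Parameter(Mandatory)][object[]]$Expected)
    foreach ($e in $Expected) {
        $actual = $null
        if (Test-Path -LiteralPath $e.Key) {
            $props = Get-ItemProperty -LiteralPath $e.Key -Name $e.Name -ErrorAction SilentlyContinue
            if ($props) { $actual = $props.($e.Name) }
        }
        $match = ($null -ne $actual) -and (([int64]$actual -band [int64][uint32]::MaxValue) -eq [int64]$e.Value)
        [pscustomobject]@{ Key = $e.Key; Name = $e.Name; Expected = $e.Value; Actual = $actual; Match = $match }
    }
}

# Usage from an elevated shell:
#   $RegFile  = 'C:\tmp\fileserver-tuning.reg'          # the merge file from this post (made-up path)
#   $expected = Read-RegFile -Path $RegFile
#   $backups  = Backup-RegKey -Key ($expected | Select-Object -ExpandProperty Key -Unique)
#   reg.exe import $RegFile
#   Test-RegValue -Expected $expected | Format-Table Key, Name, Expected, Actual, Match -AutoSize
# Roll back with:  $backups | ForEach-Object { reg.exe import $_ }
```

The verification only confirms what is stored in the registry, not that the kernel, TCP/IP stack or NFS server has picked the values up; the reboot the post asks for is still needed, and the before/after SQLIO measurements are what tell you whether the change was worth it.
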
