What’s in a Pop-Up?

Last week, I posted about how some of our strict group policy settings on our Terminal Services RemoteApp deployment were causing some difficulty using some web-based applications, like our time card application. As I continued to use the application through RemoteApp, I found another hiccup in the GPO settings – the application’s inability to pop up additional windows for some special tasks.

I started by looking at all the GPO settings related to the Pop-up Blocker. There are several – Pop-up allow list, Turn off Managing Pop-up Allow list, Turn off pop-up management. After tweaking and disabling those, I still couldn’t get the new task window to appear.

In order to leave no stone unturned, I proceeded to look closely at every IE setting that was configured and came across “Disable Open in New Window menu option”, under User Config – Policies – Admin Templates – Windows Components – Internet Explorer – Browser Menus. The provided explanation leads one to believe that it only hides the option from the shortcut menu to prevent users from manually launching a new window from that browser session. However, it also prevents an application from launching the window.

Since the Pop-Up Blocker itself wasn’t the problem, I was curious about what the Pop-up Blocker actually blocks. MSDN has some in-depth explanations about how the Pop-up Blocker works, but it comes down to this: Pop-up blocking prevents new browser windows being opened automatically using a script. Pop-up Blocker doesn’t affect browser activities when they are initiated by a user action (such as clicking a button or hyperlink), when opened in the Trusted sites and Local intranet zones, or when opened by other applications running on the local computer.

It does block script methods that call the following:

  • window.open
  • window.showHelp
  • window.showModalDialog
  • window.showModelessDialog
  • window.external
  • window.NavigateAndFind

An interesting note was that pop-ups created with “window.createPopup” are unaffected by the Pop-up Blocker. That doesn’t make sense to me, but I’m not a developer and I’m sure there is something I’m missing.

In my case, changing the Pop-up settings was moot, because the specific policy blocking the “window.open” command trumped any attempt to open new windows, specifically those initiated by users.
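
An added example, not code from the original post or from the time card application: a script can check what window.open hands back instead of failing silently when the new window is suppressed. The function names, the window name and the /timecard/task URL are assumptions, and since the post does not say how the “Disable Open in New Window menu option” policy surfaces to script, the code treats a null return, an immediately closed window and a thrown error all as failures.

```javascript
// Added example. "win" is any window-like object, so the same code runs in a
// browser (pass the real window) or under Node with the stand-ins below.
function openTaskWindow(win, url, name) {
  let handle;
  try {
    handle = win.open(url, name);
  } catch (err) {
    // Some restrictions surface as a script error rather than a null return.
    return { status: "error", handle: null, detail: String((err && err.message) || err) };
  }
  if (handle === null || typeof handle === "undefined") {
    return { status: "blocked", handle: null, detail: "window.open returned no window" };
  }
  if (handle.closed) {
    return { status: "blocked", handle: null, detail: "window was closed immediately" };
  }
  return { status: "opened", handle: handle, detail: "" };
}

// Call this from a click handler so the request counts as user-initiated.
// "notify" shows the message in the page, so the user is not left guessing.
function launchTask(win, url, notify) {
  const result = openTaskWindow(win, url, "taskWindow");
  if (result.status !== "opened") {
    notify("Could not open the task window (" + result.detail + "). " +
           "Check the Pop-up Blocker and browser policy settings, or open " +
           url + " directly.");
  }
  return result.status;
}

// Constructed stand-ins for an allowed, a blocked and a failing browser.
const allowedWindow = { open: () => ({ closed: false }) };
const blockedWindow = { open: () => null };
const throwingWindow = { open: () => { throw new Error("Access is denied."); } };

function demo() {
  const messages = [];
  const statuses = [allowedWindow, blockedWindow, throwingWindow].map(
    (w) => launchTask(w, "/timecard/task", (m) => messages.push(m))
  );
  return { statuses: statuses, messages: messages };
}
```

With a fallback like this, a suppressed window produces a visible message that points at the browser settings, rather than a click that appears to do nothing.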

Access Control on College Networks

Recently, I acquired a September back-issue of the student newspaper from my old alma mater, The College of New Jersey. Technically, I attended Trenton State College, but let’s not digress.

As I was flipping through, one of the letters submitted to the editor entitled “Internet security measures vital to network health” caught my eye. It was in response to an opinion piece in the previous issue. I hopped online and found the original student opinion – NAC Restricting College Internet Use. There were two response letters, including one from the IT Manager.

The main complaints from the student were that he was worried about installing the necessary NAC client software because its purpose was not clear, and that he did not believe he should be required to use anti-virus software. Finally, the restriction on personal router usage was inconvenient.

I recently posted about internet filtering, so the topic of these letters seemed to strike along the same vein. The responses to the student were clear and to the point, detailing how network access control provides overall network security by preventing access for computers that do not meet the basic network security requirements. I have to agree with the IT Manager on this one, hands down.

Based on the letters, it appears that TCNJ is using Impulse Safe-Connect “Policy Key”, a NAC system used by many colleges. Networks at education institutions are shared by many and it’s important to have measures in place to ensure some management of the variety of computer operating systems that can connect and dictate the basic requirements for using a critical resource. Network access control systems can be a valuable part of network management when direct control over the client machines is not available. For example, Microsoft’s Network Access Protection can evaluate the “health status” of a Windows computer by checking for up-to-date anti-virus software, Windows patch levels and firewall status.

In my opinion, TCNJ doesn’t seem to be asking students to do anything excessive in exchange for what is essentially “free” access to the web. Running a NAC supplicant to check for anti-virus software is a small concession to make for the average student needing average access to the Internet. The college even offers free anti-virus software as a download. The outraged student needs to spend a little more time hitting the books and less time complaining that he can’t use his router to connect his Xbox.

Internet Monitoring – Good, Bad or just Ugly?

A good friend of mine works at an academic institution where she teaches literature. Her specialization revolves around romance literature. Research in that area often spans into topics that are considered to be NSFW and she’s often thwarted by internet filtering when doing research in her office. She objects to this and we shared an exchange about possible reasons for these types of restrictions. As a systems administrator, I can argue bits on both sides.

For me, intentions mean everything.
First off, monitoring and filtering meet different needs. Most appliances and applications available today can do both functions and are adjustable to allow various exceptions. I define monitoring as simply logging sites visited, the length of time spent and the amount of bandwidth used. Filtering is when a site is restricted outright or portions of the site are prevented from loading.

I agree that in an academic institution, internet filtering should be kept to a minimum on the staff network. Education institutions thrive on the fact that professional staff produce new works and having unlimited access to the internet and even access to potentially taboo or questionable material could easily be justified. Being that most university professors have private offices, the risk of offending someone who walks by is minimal.

However, general monitoring is often needed to track bandwidth usage and some light filtering may be reasonable to reduce the impact of sites infiltrated with malware. In a location where the general public or children use the Internet, clearly more strict monitoring and filtering is necessary to block age-inappropriate content and prevent abuses. In either case, there needs to be a system that allows for users to request review of websites that are blocked, as most out-of-the-box filtering systems can categorize some sites strangely.

In the classic business world, internet access gets even more slippery. I stand behind my opinion that light filtering to reduce malware and basic monitoring (for bandwidth tracking) is an important part of keeping control of IT costs. Also, I understand that it’s helpful to block obvious non-work related or NSFW sites. Unless your business has a specific need to access gambling, online games or other clearly “entertainment” sites, I don’t fault management for asking IT to limit access.

Home banking, personal email, news and some social networking sites can be a gray area. I feel that employees work more effectively if they can access some personal conveniences from the office. I can quickly handle an urgent bill or respond to a family member online and then get back on my work task, instead of having to take out of office break time to visit the bank or run another errand that could be completed online faster. Also, many corporations now have identities on social networking sites that need to be maintained.

The big disconnects start to occur when managers start looking at internet usage as a way to determine employee productivity. Using the amount of time an employee is online as a sole reason for a write-up, reprimand or worse is inappropriate. If an employee is not completing their required tasks, blaming internet usage shouldn’t be necessary. There should be clear areas of suffering in that employee’s work product that can be documented.

If an employee IS completing work tasks and still has time to surf the web, either a manager should look to assign additional tasks or examine ways to utilize that employee’s efficiency methods. Controlling some of what flows from the public networks to a private network is a necessary component of good IT practices. However, when those same controls start hampering employees’ ability to work or are used as a poor indicator of productivity, no one is gaining anything from the information available online.

Potentially Troublesome Windows 7 User Profiles

While at “the New Efficiency” event last week, I was tapped to see if I had some insight into a problem someone was having migrating and duplicating local user profiles on Windows 7. I’ll admit I haven’t much bothered with user profiles since my NT 4.0 days. Even at my current job, we don’t copy or use customized default profiles as a starting point for desktops. We distribute key icons and settings for users with group policies or scripts and don’t worry about maintaining any customizations that each user does for themselves.

My first recommendation was that for migrating existing desktop profiles from XP to Windows 7, Microsoft provides the User State Migration Tool (for large deployments) and Windows Easy Transfer (for a few computers) to move the local documents and settings for users from XP to Windows 7. These tools help ensure all the necessary files are getting moved to the proper locations.

However, the question also involved issues copying existing profiles for other users. I didn’t have a good answer for someone having this type of problem in Windows 7, but I promised I’d see if I could come up with something.

After some research, I learned that others were having profile duplication issues with Windows 7 – specifically copying an existing profile to the default one. I found a quite extensive thread on the TechNet forums and an IronGeek.com posting which offered a workaround. I didn’t delve into experimenting with any of these things, but I did pass them along with the hopes that they might point the requester in the right direction.

The next day, I got an update thanking me for providing the information and that he’d been able to solve the majority of his profile related issues. He also mentioned a program called “Windows Enabler”, which I haven’t used myself but I suspect might have been recommended by someone contributing to the TechNet thread or another forum. We all know the web can lead you to many things.

So if you are struggling with an issue similar to this, perhaps those same links will lead you to the answer you need. As with anything on the Internet, your mileage may vary.
————————-
EDIT 10/30/09 – Here’s a link to a great blog post from the Springboard Series explaining how and why Windows 7 profiles work the way they do and the Microsoft recommended way to handle customized default profiles –
Configuring Default User Settings, Full Update for Windows 7.

Restoring IIS 6.0

I love the Internet. I use it every day. But when it comes to making websites work, it’s just not one of my strong areas. I’ve gone through a good portion of the last decade working for smaller companies where being the “network administrator” meant being a bit of a jack-of-all-trades. While I don’t mind having to search for solutions to issues with software that I don’t use often, I’ve also learned which bits of the tech realm I’d rather leave to someone else. One of those is IIS.

However, this isn’t all about me hating on Internet Information Services. Last week, I actually had an experience restoring IIS 6.0 that was remarkably smooth and successful – restoring our company intranet to a different machine.

In order for this to be successful, I needed to have a portable backup of the metabase, my web folders and ASP 2.0 (which we needed for some small web-based applications). I was missing the ASP 2.0 on the base installation of IIS on the new server, but that was easy enough to correct. The web folders were getting backed up nightly, but I was missing the metabase, which was key to making this all go well.

Microsoft TechNet had a rundown of how to back up and restore the metabase and this post from IT Solutions KB even includes screenshots of the process. All in all, the whole process took less than 10 steps, including making the initial backup. I was pleasantly surprised, since I expected IIS to be far more complex. I understand that IIS 7.0 is even easier, but I doubt it’ll make me want to deal with IIS regularly!

24 Hours Offline – Connectivity is Addictive

I’m addicted to being connected. I admit it.

I went away with some friends for a couple days on a road trip to the Yosemite area this weekend. As soon as we left the major areas of civilization and began traveling through farmland, valleys and mountains my cellular signal became spotty and then abruptly failed.

My BlackBerry transformed from my link to friends, family and information into a pocket-sized camera, alarm clock and tip calculator. And while it was handy to have those things, I sorely missed my instant access to information about the sights we came across, sharing pictures and comments with friends near and far via Twitter and Facebook, and just “knowing” what was going on even though I wasn’t home making my way through my regular routine.

Instead, I enjoyed the informational displays provided by the park services about the places we visited. Shared my thoughts with those people directly around me. And much like the days before constant connectivity – I snapped photos of things to share with others later, though I wouldn’t have to wait a week to develop the film.

One of the friends joining us joked several times about my addiction to connectivity. Yet, he didn’t seem to mind when I found that 2 bars worth of the free wi-fi at our campsite trickled down to one of our cabins and I could schedule the DVR at home to record a football game he’d forgotten about.

I went through phases of being relaxed about being cut off from the world, and phases of being frustrated by the “X” in the spot where my signal should have been. I’m glad to have had the chance to get away for this adventure, but you can bet I was thrilled when we broke out of the dead-zone and I was able to watch 24 hours of emails and SMS messages flood my phone like a dam had been opened.

I think it’s okay that the stream of electronic data and the flow of the babbling brook outside our cabin door both have a place in my life. Though I think a few well-placed signs warning that “cellular coverage will end in 5 miles” would help me with the transition. Addicts can’t always go cold turkey, you know.