Remote Assistance in Windows 7

Today I had a random reason to use the built-in Remote Assistance features of Windows 7. I was helping troubleshoot an issue with a vendor on a user’s machine, using the user’s session. Here are some things I noticed about the Remote Assistance that differs from a regular Remote Desktop session.

Remote Assistance will give you a view of all the users screens with the full screen resolution. In this case the end user had 3 monitors, so I had to expand my view the that machine across the majority of my 3 monitors in order for it to be usable. Normally when you do a simple remote desktop session, all the applications and desktop icons from multiple monitors are fitted to one screen. This may or may not annoy you, depending on how you like to work with remote systems.
Remote Assistance really assumes you have a person sitting at the computer. As the remote support person, it’s very easy to accidentally loose your rights to control the remote desktop by hitting Escape or Cntl-Escape. You need the end user to re-authorize your request for control. (My end user used this troubleshooting time as an excuse to get coffee, so I had to run back to the desk to authorize that a few times.)
Remote Assistance blocks your ability to send email using the users email application, in this case, Outlook 2007. While I can see how this is good from a security standpoint, it was a hurdle when I wanted to use the email account to send some log files to the vendor.

The Remote Assistance features can certainly be handy depending on what a remote support person needs to be able to do on a user’s workstation. I’ll probably use it again, but only when I’ve got someone sitting there to help with any control issues, since the whole point of using it is to save me from having to leave my desk!

Tackling Windows 2003 Server Space Issues

Got a Windows 2003 server with a small hard drive that keeps filling up? Make sure to check out these potential space hogs:

The Framework.log file in the %systemroot%\system32\wbem\logs folder. This file has the potential to grow out of control, but that problem can be easily remedied with a quick permissions change. Check out KB836605 for details.
Some auditing and logging applications might be making backups of your Event Logs, which often end up in your %systemroot%\system32\config folder. Check for .EVT files you no longer need so you can move or delete them.

Finally, not sure what taking up the most space? Check out the free tool called WinDirStat for a quick visual mapping of what’s taking up the most space.

IT Pros and Plastic: Being a Better Steward for the Environment

Last week for some of my “pleasure” reading, I read “Plastic: A Toxic Love Story”, by Susan Freinkel. It was a pretty enlightening read and you might be wondering how this topic applies to you as an IT Professional. I know we spend a lot of time dealing with intangible things in IT. Virtual machines, the “Cloud”, bits and bytes and software and the physical things always seemed very metal-centric – we even talk about installing things from “bare metal”.

But if you stop and look around for just a moment – it’s probably more plastic than anything else. Where are you reading this post from? Your desk? Your keyboard and monitor are plastic, your desk is probably even mostly plastic. Your laptop is mostly plastic, or if you are using an e-reader it’s plastic too. Just about any mobile device is in a plastic case these days. You might be surrounding by CDs/DVDs and their cases – plastic. Network cables – coated in plastic. Those swag items you have from that last conference – probably 99% plastic.

As IT Professionals, we rule a world of plastic. And we need to be better stewards of the plastic that is in our control. It’s so easy to see many of those plastic items as “throw away” – they’ve been designed that way. Cheap swag pens, demo CDs, mobile devices replaced annually with the newest model, the list is pretty endless once you start looking around. But really, plastic is for all practical purposes, forever.

So where to being? First, take advantage of e-waste recycling programs that are in your area. Make sure that the electronic items that are no longer in use in your office have the best opportunity to be repurposed. Second, consider your inventories of tech related “consumables” – make sure you are only buying what you need, so that items that have a shorter shelf-life don’t go into the trash unused. Printer cartridges and smaller capacity storage media are things that come to mind.

Third, think about what you are buying for yourself and your family when it comes to popular consumer items. I’m not saying you should deny yourself a new iPod or a better smart phone. But think about options for your older devices before they languish in the back of your closet – many organizations take working cell phones to be given to abuse victims, and while you might not want last year’s iPod, someone shopping at Goodwill or some other thrift store might.

As I finished up my reading on my first generation Kindle, I realized that even though some of the newer models are sleeker and faster, what I have is probably good for now.

Adventures with at&t

Here’s a story about how a company can have horrible customer service, yet have some wonderful customer service employees all at the same time. It started over 2 years ago when some at&t representative showed up at our office to review our accounts and help us with our contracts. Now, I’m no at&t contract expert. That’s why you have an account rep who does these things for you. Seriously, telecom contracts are worse that Microsoft licensing.

Anyway, over 2 years ago, it was suggested that we have an ABN account set up so we can get the most discounts, etc, based on our usage. As I understood it, this ABN was like an umbrella account over all our other accounts (PRI, Long Distance, Internet) and we got credit for how much we spend or use. There’s a penalty charge if you don’t use the amount of service you agree on in the contract. We sign all the necessary paperwork and the representative heads off to get all these goodies set up. We do our job by continuing to pay our at&t bills as usual.

A year later, I get a mysterious bill for $15,000. A phone call brings to light that we didn’t meet our “commitment” with the ABN contract, thus the penalty. I thought this was odd and more digging brought to light that our pre-existing accounts were never brought under that ABN account we signed up for the year before.

I called our representative and found out they were no longer assigned to us. A new representative, “Daniel”, showed up to our office, reviewed everything and promised to resolve the issue, since it clearly wasn’t our fault the accounts weren’t put under this umbrella. We were told not to pay the bill and we’d get credited as soon as it was sorted out. That was almost a year ago. Every few weeks, I attempt to follow up, only to be told “it’s being worked on.” I’ve been trusting in at&t to resolve this.

Moving on, last September we upgraded our Internet service, cancelling our old Frame Relay connection and putting in some nice fresh fiber. Little did I know, this new account was properly linked to the ABN account. An account that had a $15,000+ unpaid balance attached to it. (Can you see where this is going?)

I still haven’t heard anything definitive about our billing dispute and haven’t had a real interaction with our “official” account representative, Daniel, in a long while. All my contact was with a technical consultant, “Beth”, that was working with my rep, but I digress.

Then in early March, our Internet connection mysteriously dies – at&t cut our service due to the non-payment of the ABN account. Now, mind you, the account for the Internet service specifically has been paid for every month. A few calls later to Beth and our Internet was back up. Beth tells me not to worry, she’ll contact billing and we’ll get this resolved. It won’t happen again.

Then yesterday, it happens again. I called Beth and got voice mail. I left a message. I called Daniel, got voice mail and left a message. I called Daniel’s boss and got voice mail. Left a message. I called the 800 number for at&t customer service and got “Patrick”. Patrick rocked. He pulled up my account, looked at the ridiculous number of notes on it, muttered something under his breath about how crazy it was that I still had a ticket from June of 2010 and went to find a manager. About a half hour later, I got a call from “Laverne”, who managed to sort enough of it out to get our Internet turned back on. Laverne also rocks.

She couldn’t fix the whole billing issue, but told me that it really needed to be handled by our account team.
I told her I knew that. And that I’ve left several messages. Clearly the phone company loves their voice mail features.

I tweeted about this fine event yesterday. I got a response (and a nice phone call) from “Troy” on at&t’s team who’s monitoring people who vent about at&t on social media venues. Troy lso told me that he’d work on it and I’d have some more information by Monday. Troy also appears to rock, but that remains to be seen.

So while I appreaciate some of the great service and response I get from some at&t employees, I’m overall really annoyed with at&t in general. They have too many departments doing too many different things and no one appears to read any notes before they go throwing switches.

I guess I’ll go leave a few more voice mail messages now.

All Tied Up with Cables!

This month, one of our data center projects was to clean up the mess of cabling that had gotten out of hand after years of adds, moves and changes to switches and other equipment. I find it interesting that with so many wireless devices around and so much talk of using virtualization and the cloud, we still spend so much time tangled in cords and cables! Cable management can often be a challenge and this had become downright embarrassing. Here is a before picture:

We took on a pretty extensive list of tasks as part of this clean up, including replacing server older networking components with a single new Cisco ASA. While it’s usually not recommended to make several logical and physical changes at the same time so you can avoid troubleshooting nightmares later, we were taking advantage of a planned power outage and wanted to accomplish as much as we can while we had everything turned off – including rebalancing all our servers on our power circuits, updating our UPS firmware and recabling every server and workstation port in the data center.

Here is shot of the same racks after the project was nearly complete. It’s like night and day!

Everything is labled and color coded for ease of use. And we were lucky that all of our servers, appliances and services were powered on and returned to service without much trouble. This project also forced me to update several out-of-date diagrams and charts that are used for managing the network.

While it was a crazy weekend with our own version of a “spaghetti western”, the end result was well worth it!

Check out the Malware Response Guide

Microsoft recently published the new Malware Response Guide, officially known as the Infrastructure Planning and Design Guide for Malware Response.

I reviewed this guide in its beta stages a few months ago and it was a great read and a very useful guide. If you have limited “official” procedures in place for handling infections on workstations, this is a great way to start that discussion with team members and use some of the tools mentioned to develop a plan that is specific to your organization.

I think the structure is well thought out and very logical. One can easily switch to the course of action that fits the needs of the user and the organization, as well as follow the instructions for preparing an offline scanning kit. I also appreciate the recommendations for additional reading so that I can go more in depth for the products I’m using.

While this guide likely won’t change my organizations use of a third-party solution at this time, it greatly complements it by providing other tools from Microsoft that can support my existing tools, or give me an alternate set of tools if my vendor isn’t as quick to produce a particular solution for new malware.

I think this guide shows that Microsoft is willing to support systems in all types of scenarios and the information is not written to exclude organizations who aren’t committed to only Microsoft software. It provides great processes and talking points to bring any organization closer to having a more cohesive malware response plan. Take a moment to download it and check it out.

Google Calendar and the “Unsupported” Browser

A couple weeks ago, I started experiencing a curious problem with Google Calendar on my netbook. I’m running IE 8 (8.0.7601.16562 to be exact) and every time I loaded up my calendar I got a message alerting me about using and unsupported browser.

“Sorry, you are trying to use Google Calendar with a browser that isn’t currently supported…”

Since I’m also using IE8 at work (version 8.0.7600.16385) without any calendar issues, I did what many sysadmins do when stuff doesn’t work on their own computers – I ignored it for a while, hoping it would just resolve itself.

However, today I did a little looking around and found the issue, which ironically is caused by the Google ChromeFrame Add-In. I turned that off and the calendar now loads without any error messages. The version of the add-in I had installed was ChromeFrame 8.0.552.224.

Take Aways from the Data Connectors Tech-Security Conference

Last week, I attended a free one-day conference hosted by Data Connectors. Sometimes free conferences aren’t worth the time it takes to get there, but I was really happy with this one. While all the presentations were vendor sponsored, the majority were product neutral and really shared some decent content. In addition to the vendor presentations, there was a decent sized expo area with other security vendors to peruse.

Here are some of the stats and tidbits I left with. As some of the themes overlapped throughout the presentations, so I’m not going to attribute each bullet point to a specific presenter. However the presentations were sponsored by the following companies: WatchGuard, Axway, Sourcefire, Top Layer Security, JCS & Associates, Kaspersky Lab, Cyber-Ark, FaceTime and Arora / McAfee. You can learn more about the presentations specifics and download some of the slide decks here on the event agenda page.

End Users

End users in the workplace expect to have access to the web and popular web applications, however 25% of companies need to update their policies related to web use. Instead of addressing the policy issues, companies simply block access to web applications entirely.
End users need more education about threats like email scams, pop-ups offering anti-virus solutions, links sent via social media sites, tiny URLs, etc. End users are your biggest threat – often due to error or accidents.
The average employee spends 3 hours a day doing non-work items on their computer.

General Company Security and Policies

Consider reviewing and improving on your file transfer management practices. How do people share data within your organization and externally? Is it secure and managed?
Most companies feel secure, but aren’t really. Check out http://www.idtheftcenter.org/ for a list of companies that have experienced data breaches. Many companies simply rely on their vendors to declare that they are secure and protected.
Consider using different vendors to protect your data at different levels. Different vendors use different mechanisms to detect and deter threats.
As an administrator, you have to review logs on computers, firewalls, servers, etc. This way you are familiar with what is “normal” and can easily recognize potential breaches.
Consider data encryption as means to enable your company to meet regulation compliance. Encryption technology has evolved and it doesn’t have to be as painful as it has been in the past.
You should patch all your computer regularly – don’t forget that your printers, routers and switchers are computers too.

Browsers and the Internet

The top Internet search terms that are likely to lead you to site with malware on it are “screensavers” (51.9% chance of an exploit), “lyrics” (26.3%) and “free” (21.3%).
In 2009, the Firefox browser had the greatest number of patches and overall, vulnerabilities in applications exceeded operating system vulnerabilities.
The web browser is the #1 used application, but the patch cycle for browser add-ins is slower than for other applications and operating systems.
Drive-by downloads are still the #1 way to exploit computers.

Sometimes I leave conferences scared by the massive list of items that I feel I need to address, however, I left this conference with not only some tasks in mind, but some great leads on how to go about completing those projects. Check out the Data Connectors events list to see if there is a similar conference coming up in your area in 2011. They have well over two dozen other planned dates across the US, including Los Angeles in January and San Jose in February.

OfficeScan 10.5 – Installed, with some Oddities

I finally upgraded our office antivirus software to the lastest and greatest version from TrendMicro. This has been on my list since spring time, and well, you know how those things go. Because the server that was hosting our exisiting version is aging rapidly, I opted to install the new version on a new, virtual installation of a Windows 2008.

The installation went smoothly and lined up well with the installation guide instructions. Once that was running, I was easily able to move workstations and servers to the new service using the console from the OfficeScan 8 installation. Our OfficeScan 8 deployment had the built-in firewall feature enabled, which I opted to disable for OfficeScan 10. Because of this, the client machines were briefly disconnected from the network during the reconfiguration and this information lead me to wait until after hours to move any of our servers that were being protected to avoid loosing connectivity during the work day.

Keep in mind that OfficeScan 10.5 does not support any legacy versions of Windows, so a Windows 2000 Server that is still being used here had to retain its OfficeScan 8 installation, which I configured for “roaming” via some registry changes. This allows it to get updates from the Internet instead of the local OfficeScan 8 server. Once that was done, I was able to stop the OfficeScan 8 service.

Some other little quirky things:

You can’t use the remote install (push) feature from the server console on computers running any type of Home Edition of Windows. I also has a problem installing on a Windows 7 machine, so I opted for doing the web-based manual installation. Check out this esupport document from Trend that explains the reason – Remote install on Windows 7 fails even with Admin Account.
I wanted to run the Vulnerabilty Scanner to search my network via IP address range for any unprotected computers. However the documentation stated that scanning by range only supports a class B address range, where my office is using a class C range. I couldn’t believe that could actually be true, but after letting the scanner run a bit with my range specified and no results, I guess it is.

Overall, it was relatively quick and painless process. I wish there had been some improvements to the web management console, like the ability to create customized views. The “grouping” features seems a bit limited as well.

Next, I’ll probably see that the client installation gets packaged up as an MSI, so we can have that set to automatically deploy using group policy.

DNS Transitioning within AT&T

It took several months of emails, phone calls and coordination, but I finally managed to get our office Internet connection switched from the “legacy” (aka “PacBell”) frame relay to the newer AT&T fiber optic network. This also included an upgrade in our connection speed, which is always a win. Our IP address ranges were ported from the legacy account to the new service, so we had very little downtime during the cut over – it was a fantastic migration experience.

After letting our new service settle in for a few weeks and since email responses from AT&T reps are often spotty or non-existent, I called up the customer service number to request that the legacy account be cancelled so we are no longer billed. The representative I spoke to happily emailed me a “Letter of Authorization to Disconnect” that I would need to verify, sign and return. Seemed pretty easy to me.

As I reviewed the letter, I noticed a familiar account number referencing the Internet access, different than the billing account number. It was the same account number that I used to request changes to our external DNS registrations. Bells went off in my head. Certainly those DNS entries would be ported to the new service with the IP address ranges themselves, right? Right?

To confirm, I started off with the tech support email for my new service. They promptly replied, saying I needed to contact the DNS team and provided additional contact information. I called the DNS team and explained my situation. The representative confirmed, that no, they don’t have any of our DNS records in their systems. Our DNS records are with the legacy PBI group. I’d have to submit a request to add the DNS records with the new group so that they had them in their name servers prior to the disconnect of the legacy service. He was also nice enough to explain their system for requesting changes, which involved knowing a magic “CCI Number” for my account. This CCI number which was totally new and different than anything else I knew about and which I promptly wrote down as an addition to my runbook. (I swear, I learn something new about telecommunications every time I get off the phone with AT&T.)

Then I gathered up all the known external DNS records I had documented and sent an email to the legacy DNS group asking for a copy of my zone record so I could be sure I didn’t miss anything. Based on what I have on hand, it’ll be a great time to do some housecleaning with our external zone records. I will also need to update our domain registrars with the new name servers as well.

If all goes well, this will be sorted out in a few days and I’ll be free of my old circuits and billing by the end of November. If not, I’m sure I’ll have another story to tell.