Thursday, March 28, 2013

A review of Training Guide: Configuring Windows 8

 

Are you an IT rookie or Pro looking to get a firm understanding of how to implement Windows 8 in the enterprise? Or are you a geek who just wants to know how Windows 8 works? If you're in either of those two groups you will get a firm understanding of Windows 8 due to the excellent writing, questions, and lab exercises in Training Guide: Configuring Windows 8. How does this book differ from other books on Windows 8? I think it differs in the writing style and the structure of the book. I have read other books on Windows 8 that are focused on tips and tricks; focused on the expert IT pro; and one that covered every "bit" of Windows 8. Yes, those other books have their purpose and that's fine, but this book is aimed at "teaching" the reader Windows 8 from the "surface" level to the advanced level without going off on unnecessary tips and theory.

The authors clearly know their subject, but they don't beat you down with it. Also, the authors offer real-world examples and tell the reader what is necessary for learning Windows 8. I really like that. When I read a training guide, I only want to know how the hardware/software functions and how to make it work for my environment. When I want to read the theory of the technology I go to a different kind of book. I like that this book at the beginning of each lesson tells the reader what he or she should know by that point, what is required for the lesson suggestions and labs, and that at the end of each lesson is a lesson summary. Throughout each lesson there are real-world examples and quick hits of information related to the topic of the lesson.

Are there any cons to this book? I gave this honest consideration and I did think of a con. I think there could have been more questions at the end of each lesson. Each lesson ended with 2 to 5 questions. While there could have been more, I don't think this does any damage to the book. The number of questions asked still helps the reader to reflect on the lesson learned, so it's not a con that takes away a rating star.

While this book lets you know in the beginning it's not intended as a sole source for the Windows 8 exam, it does cover some of the required topics for the Windows 8 exam, so this is a great addition to your study tools for the exam. I think the lab exercises will help you as well.

Anyway, rambling aside, grab this book to learn about Windows 8. In my mind it's currently the best book available to train you on how to use Windows 8. Hey, I bet you'll even have fun doing it.

Wednesday, March 27, 2013

Customize an RDP file for a Specific RDWeb user

Do you have some rdweb users who would like to rdp to their desktop from the rdweb portal, but are uncomfortable with the method used in the rdweb portal? It's kind of a long process to login to rdweb, mouse over to 'remote desktop' then plug in the desktop information, etc. What if the user had an rdp file that looked and acted like an app in the remoteapps list? That would be great you say? Then let's do it.

*There might be an easier way than this and if there is please let me know about it*

First, launch remote desktop connection.
Input the user specific information in the fields.

Second, save it as an rdp file.

Third, (only do this if your user's desktop has dual-monitors) open the rdp file in notepad to add some information.
If your user's desktop has dual monitors and the system is Windows 7 Ultimate or Enterprise, then add the following to the end of the rdp file that is opened in notepad: use multimon:i:1

If the user's desktop has dual monitors and is running an edition earlier than Windows 7 Ultimate or Enterprise (e.g., Windows 7 Pro or Windows Vista), then add the following to the end of the rdp file: span monitors:i:1

What is the difference between span and multimon?

From MSDN blog

"Span mode, introduced in Vista, allows the remote desktop to span across all monitors on the client as long as the monitors are arranged to form a rectangle. The remote session created when using span mode is still a single-monitor session. With multimon support, each monitor on the client machine is viewed as a distinct monitor in the remote session. Due to this fundamental difference, span mode has some restrictions that true multimon does not:
1. The primary monitor must be leftmost.
2. The set of monitors must form a rectangle (i.e. identical vertical resolution, and lined up in exact straight line).
3. The total of the resolutions must be below 4096x2048 (ex. 1600x1200+1600x1200 = 3200x1200)."

Multimon "...for Remote Desktop Services allows users to open a Remote Desktop connection expanded across all the monitors on the client computer regardless of the client monitor configuration. With this feature, the user can fully utilize all the monitors connected to the client computer for the Remote Desktop connection thereby providing extra desktop space and an almost seamless experience with the client desktop that is much improved over “Span mode”."

Fourth, add the rdp file to the remoteapp programs list in your rdweb server.
Go to "RemoteApp Manager."
Click "add remoteapp programs."
Next.
Browse.
Make sure "all files (*.*)" is selected in the dropdown box. After you've found your custom rdp file select Open.
Next and finish.

Fifth, customize view permissions for the rdp file.
Under RemoteApp Programs in RemoteApp Manager, right click the rdp file then select properties. Select user assignment then select "specified domain users and domain groups." Click add. Since this is a user-specific rdp file, select the appropriate user profile for the rdp file.
OK it.
Then OK in remoteapp properties.

Now, say all of this was for Jane Austen. She will login to the RDWeb portal, see the file you've added to remoteapp programs for her profile, run it then have access to her work desktop. This is much easier compared to the default route.
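Step three above, scripted instead of edited by hand in notepad. This is an added example, not part of the original post; the function name `Set-RdpMonitorMode` and the sample path are hypothetical.

```powershell
# Added example, not from the original post. Function name is hypothetical.
function Set-RdpMonitorMode {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        # Multimon = Windows 7 Ultimate/Enterprise desktop; Span = earlier editions
        [Parameter(Mandatory = $true)] [ValidateSet('Multimon', 'Span')] [string] $Mode
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "RDP file not found: $Path"
    }

    # Settings in an .rdp file are one per line, in the form name:type:value
    $wanted = if ($Mode -eq 'Multimon') { 'use multimon:i:1' } else { 'span monitors:i:1' }

    # Remove blank lines and any earlier multi-monitor lines so only one mode is set
    $kept = @(Get-Content -LiteralPath $Path | Where-Object {
        $_.Trim() -ne '' -and $_ -notmatch '^\s*(use multimon|span monitors):i:'
    })

    # Keep a copy of the original next to it before overwriting
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force

    # Remote Desktop Connection saves .rdp files as UTF-16 LE, which
    # PowerShell calls "Unicode"; write the file back in the same encoding
    Set-Content -LiteralPath $Path -Value ($kept + $wanted) -Encoding Unicode

    return $wanted
}

# Constructed sample call; the path is a placeholder
# Set-RdpMonitorMode -Path 'C:\RDPFiles\jausten-desktop.rdp' -Mode Multimon
```

Removing the old line before appending the new one keeps the file from carrying both `use multimon` and `span monitors` after a user's desktop is upgraded.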

Monday, March 25, 2013

Make file explorer available in RDWeb


I thought this was pretty cool. This may not be anything new for RDWeb pros, but I discovered this possibility the other day and thought, "Why not share this on my blog?"

First things first: I haven't found a way to make the file explorer match the logged in user's profile, e.g. if jausten logs in to RDWeb, runs file explorer then she will see all of the available folders instead of only seeing her own documents folder. Why? Because this file explorer is the file explorer on the RDWeb server instead of the file explorer that is in jausten's ad profile. Make sense?

Login to your RDWeb server.
Launch remoteapp manager. 

Click add remoteapp program. 
In the "choose programs to add to the..." window, click browse 
In the "choose a program" explorer window browse to c:\windows then choose explorer.exe
Next
Finish 

File explorer is now a part of the remoteapp programs on your RDWeb site. Cool. Just remember to tell your users not to treat the file explorer as their work drive for their own documents. Then why add the file explorer to the remoteapps list? Example: if your rdweb users are on a team then they can share their project files there. There are other examples I'm sure.

Please let me know if you are going to or have done anything with file explorer in rdweb beyond what I have done in this blog post. I would like to hear about it.

Tuesday, March 19, 2013

Are 3G and 4G USB modems a security threat?

According to researchers Nikita Tarakanov and Oleg Kupreev they are.

From Network World:

"For one, it's easy to make an image of the USB modem's file system, modify it and write it on the modem again. There's a tool available from Huawei to do modem backup and restore, but there are also free tools that support modems from other manufacturers, Tarakanov said.

Malware running on the computer could detect the model and version of the active 3G modem and could write an image with malicious customizations to it using such tools. That modem would then compromise any computer it's used on.

The modem contains the installer for an application that gets installed on the computer, as well as the necessary drivers for different OSes. The application allows the user to stop, start and manage the Internet connection established through the modem.

The configuration files for the installed application, as well as those of the application installer stored on the modem, are in plain text and can be easily modified. One setting in the configuration files defines what DNS servers the modem should use for the Internet connection.

An attacker could change those entries to servers controlled by the attacker, Tarakanov said. This would give the attacker the ability to direct users to rogue websites when they're trying to visit legitimate ones using the modem connection.

While the application installer itself cannot be directly modified to load malware because it's a signed executable, there are some entries in its configuration file that can be used for this purpose.
For example, many configuration files had paths to antivirus installers and an option of whether to install those programs or not, Tarakanov said. The researcher said that he never found an antivirus installer shipped with the USB modems he tested, but the feature was there.

An attacker could create a custom image with a modified configuration file that enables this feature and installs a malicious file stored on the modem instead of an antivirus program. If the image is written on a USB modem, every time the user would install the modem application, the malware would also be installed, Tarakanov said.

The researchers also found a possible mass attack vector. Once installed on a computer, the modem application -- at least the one from Huawei -- checks periodically for updates from a single server, Tarakanov said. Software branded for a specific operator searches for updates in a server directory specific to that operator.

An attacker who manages to compromise this update server, can launch mass attacks against users from many operators, Tarakanov said. Huawei 3G modems from several different Russian operators used the same server, but there might be other update servers for other countries, he said.

Tarakanov said that he didn't look for vulnerabilities in the actual modem drivers installed in the OS, but he expects them to have vulnerabilities. The vast majority of third-party drivers in general have vulnerabilities, he said.

Tarakanov specializes in exploit writing and finding vulnerabilities in the Windows kernel mode drivers. However, Oleg Kupreev was the leader for this particular research project concerning 3G/4G modems.
Research in this area is just at the beginning and there's more to investigate, Tarakanov said. Someone has to do it because many new laptops come with 3G/4G modems directly built in and people should know if they're a security threat."

Let's hope new models will be safe because I use a 3G usb modem on occasion.

Source: Network World

Monday, March 18, 2013

Hyper-V 3.0 Best Practices Checklist

The Ask PFE Platforms blog has an excellent post on Windows Server 2012 Hyper-V best practices and it's actually in-depth. I'm only sharing the "general" section for the host, not the VMs, because there are many things to check off your roll-out list before you even get to the "deep" things of rolling out a Hyper-V environment.

Excerpt from the blog post:

GENERAL (HOST):
⎕ Use Server Core, if possible, to reduce OS overhead, reduce potential attack surface, and to minimize reboots (due to fewer software updates).

⎕ Ensure hosts are up-to-date with recommended Microsoft updates, to ensure critical patches and updates – addressing security concerns or fixes to the core OS – are applied.
⎕ Ensure all applicable Hyper-V hotfixes and Cluster hotfixes (if applicable) have been applied. Review the following sites and compare it to your environment, since not all hotfixes will be applicable:

· Update List for Windows Server 2012 Hyper-V: http://social.technet.microsoft.com/wiki/contents/articles/15576.hyper-v-update-list-for-windows-server-2012.aspx

· List of Failover Cluster Hotfixes: http://social.technet.microsoft.com/wiki/contents/articles/15577.list-of-failover-cluster-hotfixes-for-windows-server-2012.aspx
⎕ Ensure hosts have the latest BIOS version, as well as other hardware devices (such as Synthetic Fibre Channel, NIC’s, etc.), to address any known issues/supportability
⎕ Host should be domain joined, unless security standards dictate otherwise. Doing so makes it possible to centralize the management of policies for identity, security, and auditing. Additionally, hosts must be domain joined before you can create a Hyper-V High-Availability Cluster.

· For more information: http://technet.microsoft.com/en-us/library/ee941123(v=WS.10).aspx
⎕ RDP Printer Mapping should be disabled on hosts, to remove any chance of a printer driver causing instability issues on the host machine.

  • Preferred method: Use Group Policy with host servers in their own separate OU
    • Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Printer Redirection –> Do not allow client printer redirection –> Set to "Enabled"
⎕ Do not install any other Roles on a host besides the Hyper-V role and the Remote Desktop Services roles (if VDI will be used on the host).

  • When the Hyper-V role is installed, the host OS becomes the "Parent Partition" (a quasi-virtual machine), and the Hypervisor partition is placed between the parent partition and the hardware. As a result, it is not recommended to install additional (non-Hyper-V and/or VDI related) roles.
⎕ The only Features that should be installed on the host are: Failover Cluster Manager (if host will become part of a cluster), Multipath I/O (if host will be connecting to an iSCSI SAN, Spaces and/or Fibre Channel), or Remote Desktop Services if VDI is being used. (See explanation above for reasons why installing additional features is not recommended.)
⎕ Anti-virus software should exclude Hyper-V specific files using the Hyper-V: Antivirus Exclusions for Hyper-V Hosts article, namely:

    • All folders containing VHD, VHDX, AVHD, VSV and ISO files
    • Default virtual machine configuration directory, if used (C:\ProgramData\Microsoft\Windows\Hyper-V)
    • Default snapshot files directory, if used (%systemdrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots)
    • Custom virtual machine configuration directories, if applicable
    • Default virtual hard disk drive directory
    • Custom virtual hard disk drive directories
    • Snapshot directories
    • Vmms.exe (Note: May need to be configured as process exclusions within the antivirus software)
    • Vmwp.exe (Note: May need to be configured as process exclusions within the antivirus software)
    • Additionally, when you use Cluster Shared Volumes, exclude the CSV path "C:\ClusterStorage" and all its subdirectories.
  • For more information: http://social.technet.microsoft.com/wiki/contents/articles/2179.hyper-v-anti-virus-exclusions-for-hyper-v-hosts.aspx
⎕ Default path for Virtual Hard Disks (VHD/VHDX) should be set to a non-system drive, because using the system drive can cause disk latency as well as create the potential for the host running out of disk space.
⎕ If you choose to save the VM state as the Automatic Stop Action, the default virtual machine path should be set to a non-system drive, because a .bin file is created that matches the size of memory reserved for the virtual machine. A .vsv file may also be created in the same location as the .bin file, adding to disk space used for each VM. (The default path is: C:\ProgramData\Microsoft\Windows\Hyper-V.)

⎕ If you are using iSCSI: In Windows Firewall with Advanced Security, enable iSCSI Service (TCP-In) for Inbound and iSCSI Service (TCP-Out) for outbound in Firewall settings on each host, to allow iSCSI traffic to pass to and from host and SAN device. Not enabling these rules will prevent iSCSI communication.

To set the iSCSI firewall rules via netsh, you can use the following command:

netsh advfirewall firewall set rule group="iSCSI Service" new enable=yes

⎕ Periodically run performance counters against the host, to ensure optimal performance.

  • Recommend using the Hyper-V performance counter that can be extracted from the (free) Codeplex PAL application:
  • Install PAL on a workstation and open it, then click on the Threshold File tab.
    • Select "Microsoft Windows Server 2012 Hyper-V" from the Threshold file title, then choose Export to Perfmon template file. Save the XML file to a location accessible to the Hyper-V host.
  • Next, on the host, open Server Manager –> Tool –> Performance Monitor
  • In Performance Monitor, click on Data Collector Sets –> User Defined. Right click on User Defined and choose New –> Data Collector Set. Name the collector set "Hyper-V Performance Counter Set" and select Create from a template (Recommended) then choose Next. On the next screen, select Browse and then locate the XML file you exported from the PAL application. Once done, this will show up in your User Defined Data Collector Sets.
  • Run these counters in Performance Monitor for 30 minutes to 1 hour (during high usage times) and look for disk latency, memory and CPU issues, etc.
Check out the entire thing and bookmark it! :D Click here.
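A read-only check of four items from the excerpt above (default paths off the system drive, printer redirection policy, extra roles, iSCSI firewall rules). This is an added example, not code from the Ask PFE post; the function name `Test-HyperVHostChecklist`, the `-UsesIscsi` switch and the role allow-list are assumptions.

```powershell
# Added example, not from the quoted checklist. Read-only; changes nothing on the host.
# Function name and the role allow-list are assumptions. Run elevated on the Hyper-V host.
function Test-HyperVHostChecklist {
    [CmdletBinding()]
    param([switch] $UsesIscsi)

    $results = @()
    $vmHost  = Get-VMHost

    # Default VHD and VM paths should be on a non-system drive
    foreach ($prop in 'VirtualHardDiskPath', 'VirtualMachinePath') {
        $path = [string] $vmHost.$prop
        $results += [pscustomobject]@{
            Check  = "$prop is off the system drive"
            Found  = $path
            Passed = -not $path.StartsWith($env:SystemDrive, [StringComparison]::OrdinalIgnoreCase)
        }
    }

    # "Do not allow client printer redirection" = Enabled is stored as fDisableCpm = 1
    $tsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $cpm = (Get-ItemProperty -Path $tsKey -Name fDisableCpm -ErrorAction SilentlyContinue).fDisableCpm
    $results += [pscustomobject]@{
        Check  = 'Client printer redirection disabled by policy'
        Found  = $cpm
        Passed = ($cpm -eq 1)
    }

    # No roles beyond Hyper-V and Remote Desktop Services. File and Storage Services
    # is allowed here on the assumption that it is the role present by default.
    $allowed = 'Hyper-V', 'Remote-Desktop-Services', 'FileAndStorage-Services'
    $extra = @(Get-WindowsFeature | Where-Object {
        $_.Installed -and $_.FeatureType -eq 'Role' -and $allowed -notcontains $_.Name
    } | ForEach-Object { $_.Name })
    $results += [pscustomobject]@{
        Check  = 'No additional roles installed'
        Found  = ($extra -join ', ')
        Passed = ($extra.Count -eq 0)
    }

    # iSCSI rule group must be enabled inbound and outbound when the host uses iSCSI
    if ($UsesIscsi) {
        $rules = @(Get-NetFirewallRule -DisplayGroup 'iSCSI Service' -ErrorAction SilentlyContinue)
        $off   = @($rules | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object { $_.DisplayName })
        $results += [pscustomobject]@{
            Check  = 'iSCSI Service firewall rules enabled'
            Found  = ($off -join ', ')
            Passed = ($rules.Count -gt 0 -and $off.Count -eq 0)
        }
    }

    return $results
}

Test-HyperVHostChecklist -UsesIscsi | Format-Table -AutoSize
```

The printer check only reads the Group Policy registry value, so a host where redirection was turned off some other way will show as not passed.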

Monday, March 11, 2013

xPrintServer Office Edition Review


xPrintServer Office edition is an excellent product! A product that is definitely worth the money. It's easy to set up and easy to configure if needed. This is nearly plug-and-play. I say nearly because I did have to go into the admin panel of the device and run the "discover" feature two times. I'll get to that. For right now, know this is an excellent product.

The product comes in very nice packaging that has a clean style design. When I unboxed it I was amazed at the size of the device. It's about the size of an iPhone! I had read that on the product specs sheet, but being the skeptical guy I am, I didn't think it would actually be that size. Also in the box is an ethernet cable, power supply with adapters, wall mount kit (bracket and 2 screws), and rubber feet for those who don't want to wall mount their xPrintServer. As you can see in the picture you can connect a usb printer to it. I must admit, this reviewer hasn't tried that option. I've read positive things about that option, but I haven't tried that myself. Yet. If I do I will update this review.

I connected the device to our network via an ethernet cable to our main switch. After it was connected and powered on, the LED network lights flickered and the device light at first flickered very fast then flickered slowly; this is the discover phase. I grabbed an iPad that was connected to our network via wifi. I browsed to a page then went to the printer options for safari. Only one printer was available. There should have been 3 printers available. I went ahead and printed the page just for testing and it worked just as it should have worked. After that, I went into the admin panel of the xPrintServer device. After running the discover tool two times all 3 printers were discovered. I checked with my iPad to find that all 3 printers were ready for printing.

Aside from the device not auto-discovering all the printers at once, this device has been great. Setup is a breeze. Even the "extra" stuff I had to do was super easy and fast. All of this happened in less than 10 minutes. How great is that? You can't ask for more than that, right?

In addition to enabling your iOS and Mac OS devices to print without any software or app installation, xPrintServer Office admin panel also has cool stuff for admins like: job status and viewer, log viewer, network configuration for the device, manually add a printer, and driver installation.

I highly recommend xPrintServer Office edition to those offices that need to print from iOS devices and don't want to have to purchase iPad and iPhone printing enabled printers.

Tuesday, March 5, 2013

Currently Reading Training Guide: Configuring Windows 8


 Training Guide: Configuring Windows 8

The authors clearly know their subject. I've learned a lot from this book on how to implement Windows 8 in the enterprise and SMB. Lessons, practices, and exercises are the model and the authors have worked this model in an excellent way. The writing is top notch as well. Tech books have an image (no pun intended) of bad writing, i.e., dry, only writing what's necessary, but that can't be said of this book. The writing keeps me interested.

I'm only about 1/4 of the way through the book and what's funny is I don't want it to be over. I actually look forward to studying this book and doing the exercises. I highly recommend this book for the IT professional wanting an understanding of how to roll out then maintain Windows 8 in the business level and for the geek who just wants to know how it works.

When I'm finished with the book I plan on writing a full review.

Monday, March 4, 2013

Resources on Installing and Configuring Exchange Server 2010


In preparation for the install and configuration of Exchange Server 2010, I was greatly helped by the list of links below, so I'm sharing. I hope these links help you as much as they helped me.

Enjoy!

Installing Exchange 2010 step-by-step http://www.enterprisenetworkingplanet.com/datacenter/Installing-Exchange-2010-Step-by-Step-3877601.htm

Understanding receive connectors in Exchange 2010 http://technet.microsoft.com/en-us/library/aa996395.aspx

Create an SMTP receive connector http://technet.microsoft.com/en-us/library/bb125159.aspx

Understanding Edge subscriptions http://technet.microsoft.com/en-us/library/aa997438.aspx

How to allow relaying in Exchange 2010...securely http://exchangepedia.com/2007/01/exchange-server-2007-how-to-allow-relaying.html

Anonymous Relay with Exchange 2010 http://blogs.catapultsystems.com/tharrington/archive/2010/07/20/anonymous-relay-with-exchange-20072010.aspx

Troubleshooting the client access server http://blogs.catapultsystems.com/tharrington/archive/2010/09/17/troubleshooting-the-client-access-server.aspx

SSL for outlook web app 2010 http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26160513.html

Security warning when you start outlook 2007 then connect it to Exchange 2010 http://support.microsoft.com/kb/940726

Troubleshoot Outlook Web Access problems http://www.techrepublic.com/article/get-it-done-troubleshoot-outlook-web-access-problems/5031583