Windows


I saw this post from Jeff Jones over at Microsoft today. He mentions that Red Hat Enterprise Linux 4 recently patched its 1000th vulnerability, and provides a quote from Truth Happens (direct link to post), which is a Red Hat blog. I suggest you at least read Jeff’s post, since he quotes the relevant point of the Truth Happens article.

I read both of these blogs, and I’m frankly disgusted by the way both sides are treating the data. I understand that statistics are often more useful for what they hide than for what they show. In this case, the two competing ideas seem to be: “We fix more bugs, which means we’re working harder to protect you”, vs. “we fix fewer bugs because we have fewer bugs, so we’re working harder to protect you”. I think both of these arguments are invalid, so I hope both sides see this and pay attention.

  1. Jeff Jones: Jeff does a very interesting quarterly (or so) patch report – which OSes have had the most patches applied in a given time frame (past quarter, past year, etc.). I get a lot out of this report, and he does very good trending. Find them on his blog and read them.

    To that end, he does a very good job selling Microsoft as a security company. By purely counting “number of patches submitted”, Microsoft will automatically look better, simply because “Windows (XP and 2003 combined)” has fewer features than “Red Hat Enterprise Linux”, “SUSE Enterprise Linux” or “Ubuntu Desktop Edition”. Jeff makes a point that Microsoft has only released patches for 649 security vulnerabilities across all Microsoft products in 7 years, but…

    What Windows does have that the GNU/Linux variants don’t have: the .NET Framework, which is a HUGE project, but when it’s updated, you get a single update, so it counts as “1” in Jeff’s analysis. Also, Microsoft doesn’t have conflicting software product lines – they have the Office team, which has swallowed the “Works” team, but there are at least 3 “Office” suites in any GNU/Linux distro (OOo, KOffice for KDE, and the suite including AbiWord for GNOME).

    Then we can discuss kernels – when there is a driver update for a 3rd party product (Intel i810/845/945 motherboard, for example), it’s a module in the kernel, which requires an updated kernel package from the GNU/Linux distributors, but when there’s a driver update for a 3rd party application, Microsoft doesn’t even have to count it, since it’s “3rd party.” And on the subject of kernels, I don’t recall ever seeing an actual “kernel” update for Windows that wasn’t included in a service pack, or a box on a shelf.

  2. Truth Happens writers: Selling “look how many bugs we fix” to a corporation is a pretty crappy way of doing business, in my opinion. That I can put an appointment in my calendar for 3pm the 2nd Tuesday of each month to review patches, test them that afternoon, and start rolling them out to QA the next morning, is a fantastic way to work. When Red Hat comes out with an update, it’s at a random time, and I have to review each one individually against what I may have installed on my systems.

    Now, this isn’t a dig against any GNU/Linux distribution out there – free (Ubuntu) or enterprise (Novell / Red Hat) – they are forced into this disclosure/fix model by the fact that these packages are not maintained solely by the companies that are pushing the fixes. In fact, in these cases, the patches have to be done on a “per-report” basis because of how most open-source software vulnerabilities are reported.

    This is a great time to ask: why is OOo included in a server distro? There *has* to be some GPL or package management reason behind it, but I’d be really interested to know.

So here we see 2 points of view: MS’s (Jeff Jones’) “we’re great because we don’t have a lot of patches, which means we’re more secure;” and RH’s (Truth Happens’) “we’re great because we’ve patched all of the bugs that have been found, no matter how small.” In truth, I think the real point should be that they are 2 completely different companies with huge differences in their offerings in the “Operating System” category. Having representatives of both companies post what amount to “nyah nyah, we’re better than you are” blogs keeps the entire discourse of security at a childish level that helps nobody.

So, to both Jeff and the writers of “Truth Happens”: please, out of respect for your readers, look deeper into the numbers and provide some insight, don’t just knock your competition.

First, reference back to my first post on Domain Controller IP/Subnet changes. The nice thing about changing IP addresses on DCs in a larger environment, is that it’s actually easier. I have to keep this one quick for now, but will expand based on comments, which you all seem pretty good at leaving (and thank you!). Please, PLEASE refer back to the first post – this one is only an expansion on that one.

  1. Same as before: why are you changing IPs? In larger environments, I do this because of a physical move of just one site. If the networking team doesn’t have the new subnet up and routing, don’t start!
  2. Make sure the new site (if required) is set up in AD. If I’m moving DCs from one physical location to another, I will build a new site, rather than re-using the old one, because the new site often has better connectivity, so the site link costs are changing.
  3. Add the new IP to the DC you’re moving (DC01 for this). Same as before: don’t remove the old one, just add the new.
  4. On DC01, do the following to verify registration worked:
    ipconfig /registerdns
    Wait a few minutes.
    nslookup
    server DC01
    set type=A
    DC01.foobar.local
    foobar.local
    server DC02
    DC01.foobar.local
    foobar.local

    The answers from DC01 and DC02 should be the same, with possibly different orders. The important thing is that the new IP address and the old IP address show up for both queries on both servers.
  5. Shut down DC01, pack it up and move it. (Or just plug it into the new network.)
  6. Boot up, verify that DC01 has network connectivity, and that other systems can see that it has the new IP.
  7. If you haven’t, make the new IP primary (change order in Network settings), make sure the DNS and WINS servers are correct and reachable (Remember that Windows 2003 DNS should point to itself).
  8. Once you have verified that AD is replicating across sites properly (up to 15 minutes in my experience), remove the old IP, run ipconfig /registerdns, and reboot.
  9. When it comes back up re-verify that AD is still replicating, and you should be set.
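
To make the step 4 check repeatable, here is an added example (not from the original post) that parses the nslookup output captured on DC01 and DC02 and flags any name that is missing the old or the new address on either server, or where the two servers' answers differ in content rather than just order. The server names, addresses and transcripts are constructed.

```python
# Added example, not from the original post: check the step 4 nslookup answers
# captured on DC01 and DC02. Transcripts and addresses below are constructed.
import re
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_nslookup(transcript):
    """Return {name: set_of_ips}; handles 'Addresses:  a, b' and one-IP-per-line output."""
    answers, current = {}, None
    for line in transcript.splitlines():
        s = line.strip()
        if s.startswith("Name:"):                    # start of an answer record
            current = s.split(":", 1)[1].strip().lower().rstrip(".")
            answers.setdefault(current, set())
        elif s.startswith(("Server:", ">")):         # query header: the Address: under it
            current = None                           # is the server itself, not an answer
        elif current and (s.startswith("Address") or IP_RE.fullmatch(s)):
            answers[current].update(IP_RE.findall(s))
    return answers

def verify_registration(transcripts, names, old_ip, new_ip):
    """transcripts: {server: nslookup text}. Returns a list of problems; [] means OK."""
    parsed, problems = {srv: parse_nslookup(t) for srv, t in transcripts.items()}, []
    for name in (n.lower() for n in names):
        seen = {srv: ans.get(name, set()) for srv, ans in parsed.items()}
        for srv, ips in seen.items():
            problems += [f"{srv}: {name} lacks {ip}" for ip in (old_ip, new_ip) if ip not in ips]
        if len({frozenset(v) for v in seen.values()}) > 1:  # order may differ, content may not
            problems.append(f"{name}: servers disagree {seen}")
    return problems

# Constructed sample output (assumed: old IP 10.1.1.5, new IP 10.2.1.5).
DC01 = """\
> DC01.foobar.local
Server:  dc01.foobar.local
Address:  10.1.1.5
Name:    DC01.foobar.local
Addresses:  10.1.1.5, 10.2.1.5
> foobar.local
Name:    foobar.local
Addresses:  10.2.1.5, 10.1.1.5
"""
DC02 = """\
> DC01.foobar.local
Name:    DC01.foobar.local
Addresses:  10.2.1.5
          10.1.1.5
> foobar.local
Name:    foobar.local
Addresses:  10.1.1.5
          10.2.1.5
"""
```

Paste the real session output from each server into the two strings and call verify_registration with your own names and addresses; an empty list means step 4 passed.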

I would point out that when doing a change this big to your environment, reviewing your AD replication, DNS forwarding, and WINS topology is a good idea.

I just finished evaluating an excellent piece of software for Windows / Linux hybrid shops: Centrify Corporation’s DirectControl Suite. This is a fantastically well executed integration suite which allows administrators to bring their GNU/Linux and Unix boxes into the Windows ActiveDirectory domain. This brings centralized control of UID/GID (like NIS), the mutual authentication of Kerberos, and centralized Group Policy control to Linux/Unix.

First off, I’d like to mention that the software installs first on a Windows “console” system. That install has the option of extending the schema, but it is not required (the extensions allow administrators to use the Centrify Profile tab for users and computers without installing the Centrify Console locally). All required pieces work with the standard out-of-the-box Windows 2003 AD schema, although the view extensions are well worth it if you can get them approved by your AD administrative team.

I installed this on a Debian Etch system and a Red Hat Enterprise Linux 4 box. They ship RPM and DEB installers, so installation is a snap, and the package shows up in your package manager. Restarting the systems was not required, but a few services may not pick up the new PAM settings without at least a reload (OpenSSH did fine).

One of the best parts of this software, however, is their updated version of OpenSSH, which supports Windows Kerberos tickets for user authentication. Single sign-on to any Linux box from Linux or Windows (they ship a customized PuTTY for the same reason) without having to copy RSA keys across your network every time you build a box. Now my Oracle admins can log into the 10g databases seamlessly (yes, they support Oracle authenticating through AD as well).

Of course, no solution that integrates into AD would be complete without support for Group Policy. As a heavy user of Group Policy (I have 8 GPOs on my home domain), this is key for me. What makes it so spectacular is that they just install new ADM files on your console system. That’s it – no new trees needed, just new ADM files with Linux-specific settings like “sudoers entries” and “SSH settings”. Just like GPO on Windows, they’re applied every 90 ± 30 minutes, and when you remove the system from the policy, the settings get pulled. The sudoers settings are appended to the end of the existing file. Also, many of your security settings for Windows boxes are read directly by the Centrify systems as well, including password expiration notices, lockout policy handling, etc.

There are so many other little features that show how well thought-out the system is.  The client can be configured to cache logons similar to Windows, so you can control your Linux laptops, and still enable the users to log in when they’re on the road. There are several scripts and other tools to help “suck” the users out of /etc/passwd and NIS into AD, to help keep your UIDs in check if you’re installing the client into existing servers.

And that’s just the operating system.  JBoss, WebSphere, Apache and other applications and middleware can be AD-enabled, and anything that uses PAM is automatically AD-enabled, giving you the ability to set up true single sign-on everywhere in your network, if you so choose.

Needless to say, we purchased it, and I’ll be integrating this into all my deployments from this point forward.

Tonight we fixed my friend’s network – see this post for history. It turns out that after changing IPs on the first server, the servers lost communication long enough for the machine account password on one of the two of them to expire. This was causing replication to fail, which caused DNS to fail to update, and the 2nd DC stopped answering client requests.

Thanks to cyrilliano at Neowin Forums I was reminded of all the fun that is netdom.

I just had to run netdom resetpwd /server:dc2 /userd:FOOBAR\administrator /passwordd:admin_password and wait 15 minutes. His post suggests disabling the KDC service, but I found it unnecessary. However, the 10 minute wait was not quite enough in my situation. Yet another reminder that patience is the first requirement for DC troubleshooting.

Recently my neighbors came to me with performance problems on their new notebook computer. I told them I would be happy to look at their computer and resolve the poor performance (figuring it was loaded with ‘special’ software from the manufacturer and spyware). What I found was quite disturbing to me.

I powered up the computer and was pretty happy with the boot time. I was at the login screen (XP Home) in under a minute. Then I clicked on a username. After 12 minutes the desktop had not completely loaded, and preloaded software was popping up everywhere. I proceeded to kill unnecessary apps and remove them from the startup routine.

After we were in business I started disk management to defragment the hard drive. To my amazement the disk was zero percent fragmented (I almost fell off my chair). I then downloaded and installed a reputable spyware removal tool and updated the definitions. After an hour of scanning, and only getting through about one third of the scan, I stopped it and noticed that the only items found were not spyware, tracking cookies, trojans, or adware, but MRU items (gee, do people open documents on their computer? Of course, that’s what ALL of these items were). I cleaned up the MRU items and rebooted the computer.

An almost identical boot process followed, including the 12 minutes to start the user session. Thinking I was crazy, I rebooted and chose the other username that was on the machine. Another 12 minutes later (and a snifter of brandy) I started looking at the little sticker on the wrist rest and became angry. 1.7GHz Intel CPU, 80 GB hard drive, 256MB memory and a 64MB video card. It doesn’t sound that bad…HOWEVER, remember this is a notebook computer that I had already spent two to three hours on, which after looking closer only has 192MB of memory after the video card takes its 64MB. With all of the apps that started, the physical memory that was ‘available’ was right around 24MB…the memory used was around 400MB. This poor computer (and consumer) was paging ALL of the memory. The page file recommended size was 213, and it was automatically resized to 527 (wow).

I am amazed that computers are available with this little memory considering what Microsoft has put out for an Operating System.  Not to mention the fact that the video card was consuming one fourth of the system memory.  Most users that have a notebook don’t care about the video functionality; they care about portability…especially if they only buy a computer with 256 MB memory.

My temporary resolution was to change the video card down to 32MB, which is much more responsive, but still incredibly slow. Hopefully they will heed my advice and drop in a 1GB module for a mere $45.

Paul
