Posted by Shane Corellian on Fri, Apr 30, 2010
Photo by sidereel
Some IT contracts end rather abruptly. I know 10 people (some of them actually intelligent) who were recently and unceremoniously removed from their long term contracts. What can we as IT Professionals (particularly those in contracting) learn from such experiences? Well we can, and should, be on the lookout for the signs that "Something is rotten in the state of Denmark". Be on the lookout for these 12 subtle events.
- You are excused from donating to the Sub-for-Santa bin.
- Your contract is with the government, i.e. you were TOO productive.
- Nobody complains when you miss a staff meeting.
- Next weeks action item to remotely deploy Adobe Reader suddenly appears on todays to-do list.
- Some socialist in your chain of command finds out from accounting what your billable is and goes apeshit.
- Co-workers suddenly take an interest in your life and career prospects.
- Managers avoid making eye contact with you in hall.
- You are asked, very nonchalantly, if you can bring in that one laptop you were given 2 years ago.
- Co-workers you don't know keep saying, "Good luck!" and "Hey, are you on facebook?"
- You are invited to your own going away luncheon.
- The opposing organizations that want to take over the kick-ass project you've been working on finally get control of the budget.
- A snippet of your code makes it onto The Daily WTF.
Of course the best way to tell your contract is coming to a close is if that not-so-insignificant End Date is closing in fast. For missing that one we have no one to blame but ourselves.
Posted by Adam Ruth on Wed, Apr 28, 2010
One of problems people run into when running any program written using Microsoft .NET is a corrupt .NET Framework (files missing or damaged.) We've seen this problem a number of times when administrators try to run Admin Arsenal (shameless plug.) Usually, it's difficult to tell exactly what went wrong, since the exact error conditions and error codes aren't always the same. One common error code is clr20r3, though this code may be related to other issues.
Repairing .NET is very easy, though, so it's the low hanging fruit you can try if you ever see strange errors related to .NET applications. How you repair .NET will depend on which version of Windows you are running.
On versions earlier than Vista, all you need to do is run the .NET installer, which can be accessed from the "Add or Remove Programs" control panel. You will see a repair option when you click the Change/Remove button:
On Windows Vista and later .NET is part of the operating system, so it doesn't have a separate installer. You'll need to run a command from an elevated command prompt:
sfc /scannow
This will replace any operating system files which are missing or corrupt (including .NET Framework files.) On the rare occasion that this doesn't make the repair, then you will need to perform a repair installation of Windows (run the Windows installer from the original installation disk but select Repair when prompted.)
I haven't yet seen a .NET corruption problem that isn't fixed by one of these techniques, so hopefully this should help you out.
Try Admin Arsenal to remotely run commands on computers. Free 30 day trial.
Posted by Adam Ruth on Mon, Apr 26, 2010
Photo by Fristle
A fascinating blog post by Keyboard Cowboy details his efforts to expose a flaw in the granting of SSL certificates. The summary of the story is that many CAs (Certificate Authorities) grant SSL certificates to domains by sending an e-mail to an administrator's e-mail account on that domain such as "administrator" or "postmaster." Some companies include "ssladmin" in the list of authoritative addresses and many free web mail services allow that particular address to be registered by anyone, making it possible to get yourself a certificate for the web mail domain.
This particular exploit strikes me as being almost social engineering. It's not, technically, because it doesn't involve interaction with a person but the hole exists because of a lack of communication between the web mail providers and the CAs. Imagine if CAs decided to add another address to the list of usable ones, such as "securityadmin?" Unless all web mail providers were informed, this would just re-open the hole.
It brings to mind the idea that all security systems are tradeoffs. Every system that increases security in one way reduces it in another. SSL certificates are certainly a boon to online security, they make web commerce possible. But the realities of issuing certificates makes it so that not all SSL certificates can be trusted. So that even if you are diligent in looking for the https: and a valid certificate, your trust may be misplaced and you'll be less secure than if you didn't trust any site.
It's important to keep this in mind when designing security solutions and policies. Always try to identify how this new policy will reduce security. Complex password requirements are more secure, but also more likely to be written down. Time consuming door entry procedures increase the likelihood of tail-gaters. Police radios help police to coordinate activities, but scanners let the criminals keep an eye on them. I would submit that if you are looking at a new security policy and haven't been able to identify the ways in which it harms security, then you haven't thought it through enough to implement.
Follow me on Twitter @AdamRuth
Posted by Adam Ruth on Fri, Apr 23, 2010
Photo by lautsu
I've just returned from the future where I spent my time playing with Windows Server 2045. I spent some time looking at other things, but I can't reveal them right now because I don't want to create a time causality loop (or whatever Star Trek called them) and I'll be keeping my stock tips to myself, thank you.
Let me just say that System Administration in 2054 is quite a bit different than today. (You read that right, 9 years after the release of Windows Server 2045 - some things never change.) All I can really tell you about is some of the improved tools Microsoft will be including.
1. Ping
It not only ensures that computers have a functioning network interface, but it will actually tell you when the interface will fail and why. Similar to "pre-crimes" in Minority Report this tool will display a red ball if the network interface is going to go down because a user changed something saving you having to ask the question when they call in.
2. Remote Desktop
Remote desktop now remotes the physical presence of the computer, allowing you to plug in peripherals, insert CDs, and apply asset tag stickers. It even works pretty well over slow terabit WAN connections.
3. Notepad
It's now also in C:\Windows\WINNT\Legacy\System256, making 15 copies.
4. Drive Mappings
Drive letter mappings have been extended from 26 letters to the entire Unicode character set.
5. Xcopy
The improved version of xcopy not only copies files from one location to another but now works with new DNA based files. It's not always free from mutation, however, and it spawned a new game where files copied back and forth between servers evolve into new formats. Particularly interesting results happen with certain *ahem* adult oriented image files.
6. Task Manager
Now displays bandwidth usage on psychic connections and includes physical as well as theoretical memory usage.
7. Windows Backup
The backup tool doesn't do anything, just to see if anyone would notice.
8. Firewall
Windows firewall can block connections based on the attitude of the user attempting to connect based on 7 configurable presets: Happy, Grumpy, Sleepy, Dopey, Bashful, Sneezy, and I always forget the 7th.
9. Windows Update
It has an option to install patches every 30 minutes, which will throttle down patches from the default "install when available."
10. Network Connection Diagnostic Tool
It works.
Follow me on Twitter @AdamRuth
Posted by Shawn Anderson on Wed, Apr 21, 2010
Photo by Jeff Tidwell
A March 2010 article by Arstechnica ellaborated on a beyondtrust report (.pdf) which underscored the wisdom (or necessity) of assigning users non-administrative rights. From the article:
After tabulating all the vulnerabilities published in Microsoft's 2009 Security Bulletins, it turns out 90 percent of the vulnerabilities can be mitigated by configuring users to operate without administrator rights...
For example, most organizations don't want their users installing software or making configuration changes. Simply wanting this prohibition isn't quite enough, though.
To ensure that the correct versions of software are installed (and nothing else) organizations have gone to great lengths to provide a remote software deployment strategy (our product) which ensures that the right software is installed by administrators.
When it comes to granting standard vs. admin rights, it's a two-way street - where IT administrators must weigh the balance of usability and effectivness. It's not as easy as it sounds, but it's getting easier. For this we can thank... Vista?
OK, that's a bold statement (and is just begging to be flamed), so please allow me to modify that statement slightly. It's not so much Vista as it is UAC.
As discussed on this blog in 2009, UAC was designed not so much for users as it was for developers (see more on UAC from Mark Russinovich). To recap, UAC was an effort to get developers to write their applications to run without administrative rights.
The unfortunate outcome of UAC was that screams of outrage which should have been directed to software vendors were instead misdirected to Microsoft.
All is not bleak, however. By the time Windows 7 appeared there were many developers who were churning out products that didn't require elevated rights.
The report from beyondtrust and the subsequent write-up from Arstechnica will hopefully keep the industry focused on security. When an application unnecessarily requires admin rights, the IT department should communicate this to the vendor and let them know that corporate security policy will not allow their application to be used unless the necessary changes are made.
Unfortunately sometimes it's easier to move to another location rather than start a needed revolution where you stand. Hopefully software vendors will continue to develop using best practices, and heres hoping that IT departments worldwide hold their feet to the fire.
Need to deploy software to all your users? Get more info from Adam Ruth's
Unplugging the Sneakernet White Paper.
Follow me on Twitter:
@ShawnAnderson
Posted by Adam Ruth, Shane Corellian, and Shawn Anderson on Mon, Apr 19, 2010
Photo by crosathorian
We've heard the screams of pain due to budget cuts in IT.
It's time to reverse that trend. So forget the bake sales or management dunking booths and let's go for some real coin.
Top 21 ways to raise money for IT.
- Help Desk line now a 1-900 number
$2.99/minute - Building Access Card works on first swipe
$115/month - Inbox size increase from 10MB (est. 2001) to 10GB
$25/year/inbox - Using 'Reply all' in email (per name in To:)
$0.25/instance - Using 'Reply all' in email (per name in cc:)
$1.25/instance - Using 'Reply all' in email where IT staff is in cc: or To:
$15/instance - Access to Marketing VP's 1.4 TB pr0n archive
$9.99/minute - Access to Marketing VP's pr0n archive (without IT watching through VNC)
$35/minute - Helpdesk having to ask "is it plugged in?"
$0.05/instance (estimated monthly revenue: $51,000) - Helpdesk sending someone down to actually plug it in.
$55/instance - Enable bcc: (per name)
$.10/recipient - Display bcc: recipients on email you received from your associates
Highest Bidder - Answer questions about home computers
$85/incident - Add URL to Proxy white list
$50/URL - Non-snide response to "but I didn't change a thing!"
$25/response - Discontinue remotely killing your solitaire games
$10/month - Discontinue remotely starting solitaire as your boss walks by
$49/month - Deploy software request fulfilled within 24 hrs.
$10/computer - Details of co-workers divorce wage garnishment
Highest bidder (plus a little something for HR) - Disable email Read Requests
Highest Bidder - My promise to NOT quote The Big Lebowski during help desk support request
Depends on mood
Perhaps Walter Mathau said it best:
"My doctor gave me six months to live, but when I couldn't pay the bill he gave me six months more."
We feel your pain out there. IT has long been the whipping child of the bean counters. Speaking of bean counters, if they start bugging you, wait until their manager is standing by their desk and then use Admin Arsenal remote commands to open a website. Have some fun. Open it to monster.com or the company that's not Amway.
Cheers,
Adam, Shane, and Shawn
Follow us on Twitter: @AdamRuth @ShaneCorellian @ShawnAnderson
Windows Administrator? Get all of your work done faster with Admin Arsenal. Get your free trial today.
Posted by Adam Ruth on Fri, Apr 16, 2010
Photo by *yasuhiro
I find myself having to deal with Windows services quite a lot, probably more than the average system administrator. The two most common tools administrators use are the services.msc MMC snap-in and net.exe (net start and net stop, in particular.) One more tool that I keep close is sc.exe because it gives capabilities that you can't find in the other tools.
It provides pretty much everything that a developer can do when programming directly to the Service Control Manager. The commands that I use most often are create and delete. These are particularly useful when I'm writing a service and I need to test it on one or more machines.
Creating a Service
The create command has the following syntax:
sc.exe <server> create [service name] [binPath= ] <option1> <option2>…
Run "sc.exe create" to see all of the options. The ones you'll use most are:
- start= (auto, manual, disabled)
- obj= (account name)
- password= (password)
- DisplayName= (friendly name)
There are some gotchas that you may run into (I know I have!):
- If using PowerShell you need to use sc.exe instead of just sc since sc is an alias for the built-in cmdlet Set-Content.
- If you get the syntax wrong you won't get an explanation of what why, you'll only get the usage description so it can be difficult to track down typos.
- All of the options follow the same syntax of "binPath= path." Note that there is no space before the equal sign and a space afterwards. That's caught me many times, the command will choke on "binPath = path" and "binPath=path."
- You'll most likely need quotes in the binPath= parameter. For example if the service path is "C:\Program Files\Company\Name\Service.exe" -service you'll need to escape the quotes. This is done differently if you're using PowerShell or cmd.exe:
- PowerShell: sc.exe create name binPath= '\"C:\Program Files\Company\Name\Service.exe\" -service'
Note the \ before the double-quotes and the whole thing is wrapped in single-quotes. - cmd.exe: sc.exe create name binPath= """"C:\Program Files\Company\Name\Service.exe""" -service"
Note that it's wrapped in double-quotes and the inner quotes are three sets of double-quotes.
Editing a Service
There is a config command that lets you change all of the service's settings without re-creating it. It has the same options as the create command.
Deleting a Service
Deleting a service is a lot simpler:
sc.exe <computer> delete [service name]
If the service is still running when you do this, it will be "marked for deletion" which is a kind of limbo state where the service can't be controlled any more (can't be stopped.) If that happens, most of the time you can flush the delete by killing the service's process. In the rare case where that doesn't work, a reboot will be required.
Services on Other Computers
In order to work with services remotely on other computers you need to have File Sharing turned on and opened through a firewall. If you can get to a file share on the computer, you'll be able to modify its services.
Posted by Shawn Anderson on Wed, Apr 14, 2010
While Adobe Reader is free, it can be a bit of a pain to get onto all of your computers. This is because Adobe requires each organization to enter into a separate license agreement. So it's not possible for you to just download the .msi and deploy (at least not without violating the Adobe EULA).
The process is actually fairly simple once you've gotten the hang of it. Simply go to www.adobe.com. Look for the familiar buttons and select Adobe Reader.
The next step will allow you to obtain a file for deploying rather than having Adobe attempt an installation to the specific machine that you are using. Your screen will look similar to this:
The key here is to select the "Distribute Adobe Reader" link.
The next pages and steps will require that you accept the Adobe EULA (End User License Agreement). You will need to provide your company information, including a guestimate of the number of systems that you will install the software on.
Be sure to sign up for Adobe security announcements (a separate choice from signing up for Adobe marketing announcements). For obvious reasons you should be informed when Adobe releases a new patch. (If you wait to learn about a patch release from Slashdot then it's probably too late.)
Once you receive the email from Adobe containing the download link you're about halfway home. Now it's time to do some customization.
Note: You don't need to customize, just remember that by default Adobe Reader will perform auto updates for patches from each system, as well as menu items for purchasing Adobe Acrobat, and other annoyances.
You'll need to download the Adobe Customization Wizard. You can obtain this file by doing a search within Adobe. The filename changes with each release, but as of this writing the most current is CustWiz90_en_US.msi. Install this file accepting all defaults. When completed you will need to run the Adobe Reader 9.3 (obtained from your EULA acceptance email from Adobe). The file is named AdbeRdr_930_en_US.exe.
To install this file you need to run it from a command prompt and provide the following argument:
c:\AdbeRdr_930_en_US.exe -nos_ne
This will extract the files required by the customization wizard.
Here is a video which demonstrates a quick customization. Note, when you customize Adobe Reader you are not customizing the .msi file that you downloaded, but you are creating an .mst (Transform) file that you will reference when you install the .msi.
Follow me on Twitter:
@ShawnAndersonDeploy Adobe Reader now using Admin Arsenal.
Posted by Adam Ruth on Mon, Apr 12, 2010
Photo by jpctalbot
Google has
recently announced that they are going to start incorporating site speed as part of their search ranking. Depending on how this is handled it could be either a good or a bad thing.
As a Google user, I would be happy if there are 10 sites with similar relevance to my search that the slower sites would be listed lower on the the page. Also, the pressure this would put on many sites to improve their speed would be good for me as a user of the Web in general. But, on the other hand, if speed becomes too important in the ranking then sites with high speed could push out slower sites with more relevant information.
As a web site owner, it means one more thing to worry about as part of SEO (Search Engine Optimization.) Something that is only slightly related to content. Performance is controlled as much by the web site host as anything else, so it does make cheaper hosting less attractive and will drive up the costs of running a web site somewhat.
I believe that Google's engineers are smart enough to take into consideration factors that could unfairly penalize a site such as brief periods of high activity, web analytic scripts and ads. While this does increase the cost (in time and money) for site owners, it really is inevitable. As the web grows, search engines need to ensure that they give users the best results for their search, and that means finding new and different ways to surface sites that users want. Relevance is the best and most important metric, but with so many sites that are relevant there has to be a way to sort them. I suppose the next step is to grade sites on spelling and aesthetics. That'd push half of Myspace out of search results.
Posted by Shawn Anderson on Fri, Apr 09, 2010
While playing with my iPad (it's still a toy to me until it supports Google Docs) I realized that Apple is very good at eliminating three obstacles that hamper innovation.
1. They remove unnecessary layers.
2. They question the status quo.
3. They don't second guess their decisions.
As a Windows administrator you can use the same approach to provide the best service to your organization.
Remove Unnecessary layers.
Let's consider martial arts. One of the benefits of using an actual instructor (versus videos or books) is that he or she can observe you directly and then help you see where you are making unnecessary movements which drain your energy and can otherwise hamper your ability to master a form.
Apple did this very well with the iPod. They set out to offer a product that would provide an excellent listening experience. Everything else (the unecesary movements) got cut. The result was a product which boasted far fewer features than its competitors, but which succeeded in providing a great listening experience.
Your practical application of reducing layers could be cutting the little activities in your daily routine that get in your way. They may seem like good routines to have, but are they getting in the way of your end goal of providing excellent support to your customers?
Question the status quo
With all of the breakthroughs in computing over the last thirty years, one area has seen very little in enhancements. Communication between a human and a computer. It's been pretty much limited to keyboard and mouse.
Apple changed that.
Multi-touch gesture, introduced in the iPhone, is nearly as revolutional as the graphical user interface. (Anything so simple that you don't need to be taught to do it is truly an amazing accomplishment.)
Questioning the status quo isn't about playing devil's advocate just for the sake of argument. It's simply an extension of number one. Isolate each move and determine if A) it is necessary, and B) it can be improved.
Don't second guess yourself
In January 2010 the world was screaming that Apple should allow Adobe Flash onto the iPad. This wasn't new, either. Since the launch of the iPhone customers have been begging for Adobe Flash support.
Apple said no.
(I feel a sports analogy coming on.)
A good basketball coach doesn't change the game plan simply because his homecourt fans are setting arena noise records after he substitutes his star player for a second string nobody.
Noise levels... negative reviews... sports announcers flying off the handle... yet through all of this the coach remains unphased. He knows the strengths of his players AS WELL as the those of the opposing team. His strategy is set and the fans can like it or not (with the obvious exception being World Cup fans, in which case the coach's life my well hinge on complete capitulation).
When it comes to Adobe Flash, Apple didn't want to compromise user experience with technology that they consider unstable and buggy. Doing so would jeopardize their ultimate goal.
When you carefully analyze each movement, remove the unnecessary and then enhance the rest, you will be confronted with screaming fans. Be prepared to stand your ground. It's okay to take a second look, but don't hit the brakes just because the sky seems to be falling. You may realize, just as
Truman Burbank did, that his sky was a farce and what lay beyond was a far better reality.
Follow me on Twitter
@ShawnAndersonWindows Admin? Run remote commands on all your computers with your domain credentials using
Admin Arsenal.
Posted by Shane Corellian on Wed, Apr 07, 2010
Microsoft is actually taking the plunge to offer stripped down versions of Microsoft Word and Excel free of charge. Notice that these are, in fact, going to be installed locally on your systems, not just available in the Cloud.
The new version will be called Microsoft Office 2010 Starter.
Read Ina Fried's CNET article here.
Unfortunately I haven't heard if Microsoft is planning on offering the Office 2010 Starter as a download. So far all the talk seems to be about having it pre-installed on new PC's. Mary Jo Foley wrote last December that users of Office 2010 could utilize a feature called "Office To Go" where Office 2010 Starter could be run from a USB device.
We will keep an eye out for a deployable version of Microsoft Office 2010 Starter and, assuming it exists, we will demonstrate how it can be deployed to your organization via Admin Arsenal. Click here to see how you can deploy Office 2007 across your enterprise.
Posted by Adam Ruth on Mon, Apr 05, 2010
Photo by mkis
Microsoft recently announced
Service Pack 1 for Windows 7 and Server 2008 R2. They didn't provide any dates, but they did say it was coming soon. There won't be many new features, mostly bug fixes, but that's what I've come to expect from service packs.
What I can see this meaning for most organizations is the removal of the last big objection to migrating to Windows 7. It is a prudent stance to wait for the first service pack before migrating to give time for any problems to be ironed out, but SP1 is usually the event that signals the end of that waiting period. With Windows 7 SP 1 available there really won't be many reasons left to not take that final step away from Windows XP.
One thing that I'm looking forward to trying is the new
RemoteFX remote desktop functionality in SP1 (pretty much the only new feature.) I don't think I'll have a lot of use for it myself since I mostly use remote desktop for administrative purposes, but I can see possibly using it for development work since the current remote desktop is a bit too sluggish for me to run Visual Studio on a regular basis. This may finally bring the potential of centralized computing to the masses.
Posted by Shawn Anderson on Fri, Apr 02, 2010
Admin Arsenal may encounter an error when invoking remote commands or software deployments on some systems running UAC on Windows Vista or Windows 7. As a result of this UAC feature, some processes cannot be invoked remotely, regardless of the permissions that the invoker may possess.
As a result of this UAC feature, we're changing the way that Admin Arsenal runs remote commands and software deployments. It's currently in beta testing, and if you've run into this problem you can send a request to support@adminarsenal.com and we'll send you the new software to try.
The new remote connection method isn't turned on by default. To enable it select Admin Arsenal > Preferences and choose Remote Service on the left tree. Ensure that the checkbox for "Use new remote service" is selected.
Here's a video showing the error 5 displayed on a Windows 7 UAC error and corresponding fix.
YouTube blocked? Try here.
Follow me on Twitter
@ShawnAndersonRemote Application Installation is a snap. Try it for free now.