Blog Archives
-
Syndication
-
August 2, 2011
Microsoft Windows Enterprise: Microsoft Desktop Optimization Pack 2011 R2 Released
By Reed WiedowerIt’s taken a few months since we began to test Microsoft Desktop Optimization Pack 2011 R2 in production, but the latest version of Microsoft’s grab back of enterprise management goodies, MDOP 2011 R2, has been released to Technet, the volume licensing site and MSDN.
Some of the new features in this version are:
- Microsoft BitLocker Administration and Monitoring (MBAM)
- Microsoft Diagnostic and Recovery Toolkit 7.0 (DaRT)
- Asset Inventory Service 2.0 (AIS)
The rest of the suite, including Microsoft Advanced Group Policy Management (AGPM), Microsoft Enterprise Desktop Virtualization (MED-V) and Microsoft Application Virtualization (App-V) continues to shine, but let’s focus on the three new products to get retweaked.
MBAM was first detailed by us in a series of posts earlier this year. It’s a bitlocker management tool that allows centralized management, key recovery and speedier deployment for Microsoft’s enterprise-class encrypted security system for disk storage of all sizes. With the full release, organizations can finally standardize on one management suite.
DaRT 7.0 includes numerous new features to the legendary troubleshooting disk system, including two of the most powerful features: remote deployment via PXE (and local drive images) instead of the old cd/dvd method, as well as access control to ensure that end-users aren’t able to access powerful remote tools while enabling support staff to have full access, even when remote! All of these new features should reduce support times and enable higher levels of service for helpdesks around the world.
Finally, AIS 2.0 is the latest version of Microsoft’s cloud-based inventory service. For customer with Windows Intune, AIS 2.0 won’t provide many new features, but for organizations that haven’t deployed a robust inventory service that extends beyond their corporate network to managed machines in the field, AIS 2.0 is a boon. It will allow full inventorying of app-v applications as well as local installations, and now can scale up to 100,000 seats with options for localizations across the globe.
Whether you’re purchasing MDOP as an add-on to Windows Intune, or simply adding it to an existing SA agreement, it’s well worth the small cost (around $1 in each case, per month). Talk to us at New Signature on how you can reduce your operational costs, increase customer service and speed automation through MDOP today!
-
Book Review: Practical Packet Analysis, 2nd Edition — Using Wireshark to Solve Real-World Network Problems
By Peter Day
The 2nd edition of “Practical Packet Analysis” by Chris Sanders provides a thorough introduction to the subject of reviewing and protecting traffic on your network. It shows how to analyze your own network traffic and in the process demonstrates how a malicious attacker might try to snoop on your network, thus enabling you to proactively protect it.The first few chapters cover the basics of packet analysis and show that it is not easy for someone to spy on your network, even a wireless network. However, “security through obscurity” is not a valid data protection method, so read on to learn more of what is possible.
The next few chapters introduce you to the open source Wireshark software and give the basics of how to install, configure and use it to analyze data traffic on your network. The explanations are clear, and while technical, they are not too complicated to follow. The best way to learn is to follow the instructions and install Wireshark on a machine attached to your own network and have a go yourself.
Chapters 6 and 7 go into more detail about network protocols and you might consider these informational or optional depending on how deep you want to delve into the subject.
The remaining chapters provide practical scenarios where you might use packet analysis to solve real world problems such as a slow network or analyzing the effects of social media traffic . Chapter 10 focuses on the beginning steps of using packet analysis to help improve the security of your network.
Overall the book is written in a very readable style and is certainly informative in a very practical way. Be warned, in some parts it does assume professional experience with network concepts and operations.
Need help with your network? Call New Signature today–we can help you design, build or improve your network, or troubleshoot those pesky network problems.
-
August 1, 2011
TCP + ADSL + Uplink Oversubscription = BAD
By Thomas WestNew Signature recently had a customer who voiced concerns over very poor download performance on their 6Mb/768Kb ADSL link. Most users were unable to attain download speeds in excess of 10Kb/s.
After contacting the ISP we were able to determine that the uplink side of their connection was being saturated at near 100% capacity during most of the workday while the download half of their circuit was on average only about 25-50% utilized.
In addition the customer had recently moved to a larger location and had begun offering collocation of office facilities to 3rd parties within their space. This did not substantially impact download bandwidth; however it did dramatically increase the number of open sessions traversing the ADSL link at any given time. This becomes especially problematic when collocated tenets are leveraging cloud services for their IT needs as much more traffic and associated session maintenance must traverse the public internet (email, collaboration, etc) rather than being largely constrained to the facility LAN as would be the case in a client-server model.
So the question becomes: How can a saturated uplink create issues with download speeds when there is plenty of capacity left in theory?
Counter-intuitively saturating the upload half of an ADSL link can have a significant detrimental impact on download speeds as experienced by the client because of the way that TCP congestion avoidance algorithms handle link oversubscription at the session layer; TCP windowing specifically.
The long and short of it is that TCP always assumes a synchronous connection – if session control flow is impeded on either side of the link the other side of the link will be affected as well.
In a normal home or (small) SMB environment an asynchronous connection is a viable solution for internet connectivity needs because the usage pattern of these customers are inherently asynchronous and heavily slanted towards download traffic; the upload side of the link effectively only ends up handling basic TCP session control traffic (ACK/NACK, etc) and the occasional HTTP GET request or email.
The key here is that outbound TCP session control flow remains unimpeded regardless of the asynchronous connectivity in this type of usage pattern. (more…)
-
July 28, 2011
SCSM Customizing Views / XML / View Logic
By Kevin WongHere at New Signature we’ve been using System Center Service Manager (SCSM) for months, enabling us to more quickly automate common tasks and increase our adherence to ITIL best practices. We love the product and the way it helps us achieve our goals, but with any relatively new Microsoft release, there are some quirks to overcome.
Currently the stock user interface of SCSM SP1 is fairly limited, and there are many things that you aren’t able to accomplish without cracking open a management pack (MP) and tinkering around with the XML inside. With the latest version of SCSM 2012 scheduled to be released in 4-5 months, the situation will not improve anytime soon…which is why you should learn how to mod your own views.
In this post, I will focus on customizing views in SCSM – the simple example I will use revolves around changing the view logic.
EXPORTING YOUR MP
To get to the XML that defines your MP (in which your view is stored), you have to first export it. Whether you are trying to customize a view or attempting to change the UI of the input forms for a class, you’ll want to first figure out which MP is associated with the task you’re trying to accomplish. For example, if we’re trying to modify an existing view:
1. Right-click the view –> Edit View –> General –> Management pack
If you’re trying to make a custom view from scratch, you’ll already know what management pack you placed the view inside.2. Administration –> Management Packs –> Search for your MP –> Export (more…)
-
Forefront Online Protection for Exchange and the “Junk Folder” in a Microsoft Exchange Server 2007 Environment
By Rohan BlackYou might run into the scenario where your employer wants all SPAM directed to the junk folder in Outlook. If you’re using Forefront Online Protection for Exchange (FOPE) and not an Microsoft Exchange Edge Transport Server, you will need to set up some extra settings in your admin console and your Microsoft Exchange Server to allow these pesky emails to go through.
FOPE defaults to sending email to a quarantine mailbox that a user will have to log into. It does not tie into the users outlook profile. You will need to change the settings so that it will mark the spam, and pass it on to the exchange filters. To start this process go to your domain, and under Service Settings – Spam Action: modify the subject to include something identifiable (such as [SPAM]), or Add the X-Header: X-EHS-MARKED-SPAM. This setting will take about 3-4 hours to propagate.
On the Exchange side, Microsoft recommends using a the Edge transport role to have access to its content filtering tools. Unfortunately, the Edge transport rule cannot be hosted on the same exchange server as the hub transport rule. This means another copy of Exchange and Microsoft Windows Server 2008 will be required. You can get around this by using transport rules on the hub server in the following way.
Open a command shell and enter the following commands:
- Set-OrganizationConfig –SCLJunkThreshold 5
- Set-ContentFilterConfig –SCLDeleteEnabled $False
- Set-ContentFilterConfig –SCLRejectEnabled $False
- Set-ContentFilterConfig –SCLQuarantineEnabled $False
This turns off all the actions except forwarding spam to the junkmail folder. The SCLRejectEnabled defaults to True, so definitely make sure this is turned off.
NOTE: if these settings aren’t working for you, you will need to install the antispam agents. There is a useful guide, “Install Anti-spam Agents on the Hub Transport server“, on how to do that.
Create a transport rule that will do the following:
- Apply the rule to messages
- When the Subject field contains SPAM
- Set the spam confidence level to 9
9 is the highest spam confidence, which would usually mean it will be deleted, since you’ve got everything turned off except the junk mail, it’ll go straight there.
Start your testing! Make sure you’re sending email from an external domain, internal emails are set to a default SCL of -1 which bypasses the local spam filters.
Give New Signature a call today if you are looking for a team that has a deep bench of Microsoft Exchange experts to help plan, build, manage or maintain your Microsoft Exchange messaging environment.
-
July 26, 2011
Windows Phone Mango Coming to a Phone Near You!
By Christopher Hertz
Microsoft just announced that Windows Phone Mango has been released to manufacture. This means that the the latest version of the Windows Phone operating system is being sent to handset manufacturers and mobile operators and will soon be in the hands of customers.We have been using the Windows Phone operating system for some time now and have been incredibly impressed by its features, ease of use and versatility (not to mention from an enterprise perspective its ease of management). At Microsoft WPC 2011 we got a sneak peak at Mango and were impressed by many of the new features (there are more than 500 improvements in Mango). Early reviews on Mango have been extremely positive and have praised the attention to detail in the new operating system. Steve Clayton says he loves, “The little things like groups in contacts, faster access to apps with intelligent searching and history of all my actions with people (or groups).”
It is a shame that many salespeople at mobile phone stores are steering customers to the iOS and Android devices and away from trying out the Windows Phone experience. I recently was in a local Verizon Wireless store and went to look at the HTC Trophy, only to be approach by a salesman who tried to push the iPhone 4 on me. Worst of all he didn’t seem to know anything about the device that he was telling me not to consider.
If you have the time, I highly recommend checking out the Windows Phones currently being sold by the likes of Verizon and AT&T. Even if you aren’t in the market for a new phone you might be pleasantly surprised by the intuitive and fresh approach to the user interface. If you are interested in making a change at a corporate level give New Signature a call. Windows Phones are a great way to upgrade an aging fleet of Blackberries (not to mention RIM just laid off 2,000) to a device that has more features, better performance and is easier to manage.
-
Don’t Forget Antivirus for Mac OS X at Work (or at Home)
By Peter DayMany Apple users believe that OS X does not suffer from security vulnerabilities. However, as the MACDefender malware attach demonstrated this is simply not true. As the Mac OS X install base grows larger, and more businesses adopt Mac OS X workstations and laptops, the volume, velocity and danger of OS X targeted malware will increase. New Signature recommends that all of our clients protect their business computers running OS X with enterprise grade anti-virus/anti-malware software. At present, we recommend the Sophos endpoint security product suite as the best option to protect against the latest threats for OS X computers. For Microsoft Windows PCs and laptops we recommend either the cloud-based Windows Intune or on-premises Microsoft Forefront.
We also try to educate our client’s staff to install anti-virus/anti-malware on their home computers as well. This is especially true for Mac OS X users, many of whom don’t realize that they could be at risk. The great news is that Sophos Anti-Virus for Mac Home Edition is completely free for home use.
Sophos Anti-Virus for Mac Home Edition is easy to install and places a shield icon on the menu bar. By default it will then start protecting your Mac by monitoring files as they are used in real time. You get high quality anti-virus protection with daily updates for a price that’s hard to beat (free)! You can also define a custom manual scan to do a full scan of specific folders, however the default option to scan all local drives should suffice for most situations.
Users who like to keep current will be pleased that Sophos Anti-Virus for Mac Home Edition is already compatible with Apple’s newest realease, OS X 10.7 Lion.
For folks who use Windows at home and are looking for robust anti-virus/anti-malware protection we recommend using the Microsoft Security Essentials. Microsoft Security Essentials is a free download from Microsoft that is simple to install, easy to use, and is automatically updated to protect your PC with the latest technology. It provides real-time protection for your home PC against viruses, spyware, and other malicious software.
-
July 25, 2011
Microsoft Windows Intune – Cloud Based PC Management and Security (and a Perpetual License for Windows 7 Enterprise)
By Rohan BlackThere has been a lot of hype about cloud services recently; everybody is touting the ability to stream music and videos over the Internet, giving people the ability to have a central store for all their media. Microsoft has been one of the biggest proponents of cloud services, releasing cloud-based versions of many of their most popular productivity software packages through Office 365. Less well known, but equally exciting and important is Microsoft Windows Intune.
Computer management is one of the necessary evils of IT service. Companies often struggle to keep PCs up to date, ensure proper operating system and application licensing, and deploy IT policies. Medium and large organizations can use Microsoft’s System Center product line, but even for these organizations this required some heavy lifting and TLC after deployment.
Enter Microsoft Windows Intune, which costs only $11 per month per PC and for an additional $1 per month per PC you can also get the Microsoft Desktop Optimization Pack (MDOP) add-on. Intune is taking the essence of enterprise level computer management tools and providing them over the cloud. Its current version provides robust anti-virus, patch management, and license management tools with active alert and report functions.
Included with Intune are upgrade rights to Windows 7 Enterprise, which provides a huge advantage to companies that are looking to improve productivity, control, manageability and security. For example, your end-users can take advantage of advanced search capabilities or use BitLocker drive encryption to protect confidential data.
At New Signature, we recommend that all of our clients select the $12 per month per PC version of Intune that includes MDOP. MDOP is a set of six on-site advanced desktop management tools. MDOP can help further enhance security and control and help you resolve critical issues that could not be addressed by the cloud service, such as diagnosing and recovering unbootable PCs.
In subsequent releases, Intune will also handle full hardware and software inventories, application deployment, and many more exciting additional features (many of these are available in the beta already released).
Most importantly, Windows Intune can provide incredible value to small, medium and large companies. Firms of all sizes can use Windows Intune and can typically achieve at least a few of the following advantages:
- Eliminate Capital Expenditures
- Reduce Complexity
- Increase Staff Productivity and Collaboration
- Achieve Robust Business Continuity
- Gain Enterprise-class Security
- Acquire IT Agility and Scalability
- Improve IT Control and Efficiency
If Windows Intune sounds interesting to you give New Signature a call today. New Signature is the perfect partner to help you understand cloud computing, develop strategy and take advantage of the reliability, flexibility and security of the cloud.
-
July 22, 2011
Excitement Builds for Microsoft System Center Application Controller and Windows Server 8
By Reed WiedowerWe’ve been incredibly excited about Microsoft’s Concero product for several months now because of the ability to manage applications across the public and private cloud infrastructure.
At Microsoft’s Worldwide Partner Conference we were given the opportunity to see codename Concero feature complete and with a final product name: Microsoft System Center Application Controller (SCAC). Additionally, Windows Server 8 was officially announced.
The full presentation covers the key feature strength of the product. Much like the relationship between Microsoft Hyper-V (Microsoft’s free hypervisor) and System Center Virtual Machine Manager (Microsoft’s enterprise-grade virtualization management software), the relationship between the yet-to-be-released Windows Server 8 and System Center Application Controller will be a strong one.
Out of the box, Windows Server 8 is projected to support greater application-as-a-service functionality for private clouds. In concert with SCAC, once applications have been made “cloud-friendly” they can be transferred to the public cloud for greater availability and scaling, or to the private cloud for more granular control. Currently, SCAC is only setup to manage cloud workloads on Windows Azure (public) and Windows Server 8 (private) but if the platform is as extensible as System Center Virtual Machine Manager, we anticipate future expansion.
For these reasons and many more, we are extremely excited about Microsoft System Center Application Controller and Windows Server 8 and can’t wait to test drive them later this year.
Is your company considering moving services or applications into the cloud? If so, New Signature is the perfect partner to help you understand cloud computing, develop strategy and take advantage of the reliability, flexibility and security of the cloud. Call us today to get started.
-
Gaining Better Insight, Management and Security (and lower TCO) with Microsoft System Center Configuration Manager
By Matthew GustkeMicrosoft System Center Configuration Manager (SCCM) and the former Systems Management Server suite have always been known for their powerful capabilities to collect information, distribute software and help control the configuration of an enterprise Microsoft Windows environment. New Signature deploys SCCM to help IT departments comprehensively assess, deploy, and update servers, client computers, and devices-across physical, virtual, distributed, and mobile environments.
Two great examples of the benefits of SCCM deployment come from one of my recent implementations for “Company A”.
Example 1: We were testing the deployment of the SCCM client to workstations when the process unexpectedly failed. While troubleshooting this failure we discovered the root cause was that the intrusion detection software Company A had installed on their workstations was five versions behind and the intrusion detection server was several revisions behind as well. Newer releases of the intrusion detection product had been updated to accommodate SCCM, but the older version installed had blocked installation. This discovery helped Company A’s IT leadership realize that their network, comprised of several thousand workstations, was not as secure as they had expected. They were also able to achieve this valuable insight by simply going through the SCCM installation process.
Example 2: At Company A, we now had the SCCM client installed and reporting on all workstations and servers. The inventory information was collected and eventually a request came in from the CIO, wanting to know how many computers were running the version of anti-virus software that they owned and managed. We generated the report and found out that only 25% of the total amount of workstations and servers had the anti-virus software installed. When we brought this information to him, he told us that the SCCM report could not be correct and that there must be something wrong with the data. This reminded me of the famous quote from the movie “A Few Good Men” that states, “You can’t handle the truth!” After showing him detailed inventory information for specific computers that were missing anti-virus that showed all other installed software we were able to demonstrate that the problem wasn’t SCCM—it was failed policy, procedure and configuration management. Since the implementation of SCCM at Company A, they have leveraged SCCM to raise their antivirus levels to nearly 100% and implement Microsoft Updates for the first time in their environment. Fortunately for them, the SCCM implementation came before they were caught off-guard by a major malware attack or other exploit of their former vulnerabilities.
For Company A, SCCM delivered enhanced insight into and control over their IT systems and is now a vital part of their day-to-day operations.
When an organization decides to implement a configuration management software like SCCM, or through the use of an appliance such as the Dell KACE Systems Management appliances, they must remember that the information collected along the way and afterwards may expose weaknesses, but these need to be viewed as important opportunities. This is the exact reason why these software products and appliances are so important as they provide a level of insight into an enterprise computing environment that can be entirely overlooked through status quo approaches and processes.
Do you know the status of your enterprise computing environment? Are you 100% sure of your software patch/update and anti-virus compliance levels? New Signature can help your organization improve insight, management, and security and reduce total cost of ownership through the use of the Microsoft System Center line of products. Please call us today for a consultation, we would love to help you gain insight into the operations and configuration of your computing environment.