Posts Tagged ‘workstation’

First 10 things I do to a new computer

If you’re like me, any time you get your hands on a new computer there are a handful of things you do to it, whether the computer is for your own use or for someone else. Here are the top 10 things I do:

  1. If there is trialware software, I remove it – especially if it is anti-virus software! Clean up all of the unneeded software.
  2. Run Microsoft Updates to ensure the operating system is fully patched. Even newly shipped computers can need anywhere from tens to over 100 updates!
  3. Visit the hardware manufacturer’s website, such as the Dell Support website, and check for updates to the BIOS and other hardware. As with #2 above, the vast majority of computers shipped directly from the manufacturer are running old software such as BIOS and firmware.
  4. Install a web browser of choice – for me I install both Chrome and Firefox.
  5. Install a handful of standard apps every user needs:
    1. Adobe Acrobat Reader
    2. Java for Desktop Computers
    3. Adobe Flash Player (but you’ll need to do this for each browser you use)
    4. Adobe Shockwave Player (old, but some sites still require it)
    5. Adobe AIR Player (used on some sites)
    6. VLC (plays just about any media)
    7. Open Office (if you don’t own a copy of Microsoft Office)
    8. Virtual Drive Clone (lets you mount ISO as if they were CDs)
  6. Install any purchased or commercial software
  7. Download and install CCleaner, and run the registry cleanup utility – during the install, I uncheck virtually all of the install options. I like this tool hidden, not actively running, and not even viewable on the Start menu. I will execute it from the “Program Files” directory manually. I prefer an uncluttered Start menu, so I keep many utilities, especially on other people’s computers, unlinked from the Start menu.
  8. Install Anti-virus software:
    1. I prefer commercial Anti-virus software, and never recommend a consumer grade AV software for anyone
    2. If you don’t have access to a commercial/business AV software, choose Microsoft Security Essentials – a lightweight, free, non-ad driven Anti-virus software
  9. Run disk defragmentation software, either Microsoft’s built-in utility or Diskeeper (highly recommended)
  10. Set up a non-administrative user account. If this is a domain-based workstation, then this is likely already taken care of, but for small workgroups and the personal computers of friends or family, I always set up two accounts: their “user” account and their “administrator” account. Both have passwords, typically the same password to make it easy for them. I have them always use the “user” account and, if appropriate, set up the computer to auto-login to that account.

In the next article I will discuss some of the software tools I install on my own workstations as an administrator and power user.

Enjoy!

Any user can unlock now with this custom GINA

From the folks over at Paralint, there is now a utility to help you with shared computer access. Often you will have a shared computer in an office space, and the problem is that you want each user to have their own username and password; however, that doesn’t always work out so well. Once you add a password-locked screen saver and a user forgets to log off, that computer is unusable to any other normal user.

What are your options? Typically we have been forced into one of the following:
1) Users know each other’s passwords;
2) Reduce the security by removing the password requirement or granting other users administrator permissions;
3) Users simply power the machine off and on to work around the issue;
4) Or they can use the Windows-based “winexit.scr”, which will forcefully log off the user when the screen saver kicks in.

However, with this custom GINA, you can now enable any user to log off that offending user without requiring administrative permissions or changing your security routine. Aucun is a replacement GINA that wraps Microsoft’s own MSGINA.DLL to allow any given group of users to unlock or force logoff a locked session on a Windows machine, unless the currently logged-on user is a member of a group you specify.

I created this for a friend that needed an unlock feature. By popular demand, I added force logoff and warning display. Here is a more detailed feature list:

 

  • GUI provided by original MSGINA.DLL (no training of end user required)
  • Allows any member of a given group to force logoff a locked session
  • Allows any member of a given group to unlock a locked session
  • Supports an exclusion group (to prevent unlocking administrators by regular users)
  • Allows displaying a custom message when the workstation is locked
  • Supports 64-bit versions of Windows
  • Supports international versions of Windows
  • Allows chaining multiple GINAs together

You can learn more about this and download here: http://www.paralint.com/projects/aucun/

Windows System Crash Analysis (BSOD)

You are all probably aware of the MEMORY.DMP file in the Windows directory. You may also be aware of the Windows\MiniDump directory. These files are created when there is a critical system error, usually resulting in an automated reboot or BSOD.

The MEMORY.DMP file contains debugging information plus the contents of your system’s RAM. This file is overwritten each time a crash occurs. The MiniDump directory contains the same debugging information as MEMORY.DMP but does not include the RAM contents. The MiniDumps are not overwritten, so they can be used as a historical reference for identifying crash events.

So the question is: how do you use these files? There is a tool from Microsoft designed to do just that. It is called WinDbg and is part of the Debugging Tools for Windows (http://www.microsoft.com/whdc/devtools/debugging/).

Download and install this tool. There is an x86 and an x64 version. Once the program is installed, open it and choose the File menu, then Symbol File Path.

Enter the following: http://msdl.microsoft.com/download/symbols/

This will download the necessary symbols as needed. Symbols are the link between the compiled binary code and the names used in the source code that generated it.

Once this is done you can choose File – Open Crash Dump. This will open both MEMORY.DMP and MiniDumps. Once a dump is opened, the program will begin some analysis.

Click on the !analyze -v link to do a verbose analysis. This may give more information as to the reason for the crash. The faulting application code is listed in the default analysis.
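Because MiniDumps accumulate as a crash history, the same analysis can be run over all of them at once. The script below is an added example, not part of the original post: it drives kd.exe, the console debugger from the same Debugging Tools for Windows package, and the kd.exe install path and the C:\Symbols cache folder are assumptions to adjust for your system.

```powershell
# Added example: run "!analyze -v" over every minidump with the console debugger (kd.exe).
# Assumed, not from the post: the kd.exe install path and the C:\Symbols cache folder.
$Debugger   = 'C:\Program Files\Debugging Tools for Windows (x64)\kd.exe'
$SymbolPath = 'srv*C:\Symbols*http://msdl.microsoft.com/download/symbols'
$DumpDir    = Join-Path $env:SystemRoot 'Minidump'

function Get-AnalyzeField {
    param([string[]]$Lines, [string]$Pattern)
    # Return the text after the first colon on the first line matching $Pattern.
    $hit = $Lines | Select-String -Pattern $Pattern | Select-Object -First 1
    if ($hit) { ($hit.Line -split ':', 2)[1].Trim() } else { $null }
}

function Get-CrashSummary {
    param([System.IO.FileInfo]$Dump)
    # -z = dump file to open, -y = symbol path, -c = debugger commands to run, q = quit
    $lines = & $Debugger -z $Dump.FullName -y $SymbolPath -c '!analyze -v; q' 2>&1 |
             ForEach-Object { "$_" }
    # Fields missing from a given debugger version's output come back as $null.
    [pscustomobject]@{
        Dump      = $Dump.Name
        CrashTime = $Dump.LastWriteTime
        BugCheck  = Get-AnalyzeField $lines '^BUGCHECK_(STR|CODE):'
        CausedBy  = Get-AnalyzeField $lines '^Probably caused by'
        Image     = Get-AnalyzeField $lines '^IMAGE_NAME:'
        Process   = Get-AnalyzeField $lines '^PROCESS_NAME:'
    }
}

if (-not (Test-Path $Debugger)) { throw "kd.exe not found at $Debugger" }

# Oldest first, so repeated faults in the same driver stand out as a pattern.
Get-ChildItem -Path $DumpDir -Filter *.dmp |
    Sort-Object LastWriteTime |
    ForEach-Object { Get-CrashSummary $_ } |
    Format-Table -AutoSize
```

Run it from an elevated prompt, since the MiniDump directory is readable only by administrators.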

Enjoy!

PCI-DSS Compliance for RDP Connections

This is a common problem that you’ll see in PCI-DSS compliance audits for customers who process credit cards on their PC network. In many cases simply disabling external RDP access is the answer, but when external RDP access is required, here is the proper way to address the following two errors:

  • Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness (CVE-2005-1795)
  • Terminal Server Encryption Level is not FIPS-140 compliant

What I have seen other companies do is simply restrict RDP to a specific set of WAN IPs. This will appear to solve the problem in the PCI audit report, because the firewall rules keep the auditor from reaching the open RDP port; however, it is still a violation of PCI because the vulnerabilities still exist. The protocol needs to be properly secured, and the process is relatively simple.

1) Create a self-signed SSL certificate (if one doesn’t already exist; of course a publicly signed SSL certificate is better, but it is not needed for PCI compliance)

2) Open Terminal Services Configuration

3) Edit the properties of the RDP-Tcp connection

4) Start from the bottom and work up

  1. Click Edit and add the self-signed SSL certificate
  2. Set the encryption level to FIPS compliant
  3. Click APPLY
  4. Set the Security layer to SSL (you will not see this as an option if the SSL cert is not configured and you haven’t applied the changes)
  5. Click APPLY again then OK

5) Close all windows and all active RDP sessions

Simply have the PCI Compliance company run a new audit and you should be all set.
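Before requesting the new audit, the listener settings can be read back to confirm that the steps took effect. The script below is an added example, not part of the original post; it uses the standard Windows registry value names for the RDP-Tcp listener (which the post does not mention) and assumes the certificate selected in step 4.1 is in the computer’s Personal store.

```powershell
# Added example: read back the RDP-Tcp listener settings after the steps above.
# The registry value names are the standard Windows ones; they do not appear in the post.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpTcpHardening {
    param([string]$Path = $RdpTcpKey)
    $cfg = Get-ItemProperty -Path $Path

    # SSLCertificateSHA1Hash is stored as a byte array; convert it to a thumbprint string.
    $thumb = $null
    if ($cfg.SSLCertificateSHA1Hash) {
        $thumb = ($cfg.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    }

    # Assumption: the certificate chosen in step 4.1 is in the computer's Personal store.
    $cert = $null
    if ($thumb) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1
    }
    $expiry  = if ($cert) { $cert.NotAfter } else { 'not found in store' }
    $certOk  = [bool]$cert -and ($cert.NotAfter -gt (Get-Date))

    # SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL.  MinEncryptionLevel: 1 = Low,
    # 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
    @(
        [pscustomobject]@{ Setting = 'Security layer';    Expected = '2 (SSL)'
                           Actual = $cfg.SecurityLayer;      Pass = ($cfg.SecurityLayer -eq 2) }
        [pscustomobject]@{ Setting = 'Encryption level';  Expected = '4 (FIPS)'
                           Actual = $cfg.MinEncryptionLevel; Pass = ($cfg.MinEncryptionLevel -eq 4) }
        [pscustomobject]@{ Setting = 'Certificate bound'; Expected = 'a thumbprint'
                           Actual = $thumb;                  Pass = [bool]$thumb }
        [pscustomobject]@{ Setting = 'Certificate valid'; Expected = 'present, not expired'
                           Actual = $expiry;                 Pass = $certOk }
    )
}

$results = Test-RdpTcpHardening
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'RDP-Tcp listener does not match the settings described above.'
}
```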

Faster Windows Defragment

Defragmenting your hard drive is one of the simplest free ways to prevent performance slippage on your computer. And while there are excellent tools available such as Diskeeper which can automate the process, the built-in Microsoft Windows Disk Defragmenting Tool (which incidentally is made by the same people at Diskeeper, but is just a “lite” version) can do a great job as well. There are (at least) two things which make the Windows Defrag tool unlikable: first, you must manually run the tool, unless you want to involve some sort of scripting, which is possible; and second, it is much slower than the commercial tools available.

Today I’m going to point out one way to speed up your disk defragmentation task. And it is so simple, and obvious, you’re likely going to be wondering why you didn’t think of it sooner: Read more…

BitLocker to Go in Windows 7

For the enterprise customer, one of the greatest integrated features in Windows Vista was the new BitLocker technology. However, it was limited to encrypting only the local hard drives. Now, in Windows 7, Microsoft has introduced BitLocker to Go, which is a form of BitLocker for mobile/removable media. It enables full drive encryption with either smartcard authentication or password protection. The password can be separate from your network logon credentials, and can also have its own password policies applied via Group Policy. Even more, it is backward compatible with prior versions of Microsoft Windows; however, the data is read-only. To write data to a BitLocker to Go disk, you must be running Windows 7.

And as with Encrypted File System (EFS) back in Windows 2000, you’ll need to carefully plan your data recovery system should a user forget their password. Just as with EFS you can utilize a recovery key, but you must configure and enforce this in advance. Otherwise, users can begin using BitLocker without a recovery key and risk losing data if they forget their password for the drive. This is especially risky since you can enable your local computer to remember the password, so really the only time you’ll use the password is when attempting to access the drive from another system. From this standpoint, it may be a good idea to configure GPO now for the Windows 7 .admx files to prohibit BitLocker to Go until a formal policy can be established.

Enjoy!

Microsoft File Transfer Wizard

I discovered another quirk of Microsoft’s File Transfer Wizard, which is not surprising but can be an unexpected surprise for administrators who are using redirected folders. Basically, when using File Transfer Wizard, one of the default settings is to capture the My Documents and Desktop folders. However, it does not detect whether these folders are network and/or redirected folders, and as such will copy their contents by default. This is not surprising, but can cause unneeded actions if the new computer will also be using the redirected folder for My Documents.

I was recently performing this action for a user upgrading from Microsoft Windows 2000 to Vista, and they were connected to a Microsoft Active Directory 2003 network which we did not set up for them. Redirected folders were in use, which I knew in the back of my mind. When I began the File Transfer Wizard, I noticed it backing up the My Documents folder and the ETA was 45 minutes. Then I realized that I should need the My Documents folder, so I canceled the FTW, and ran it again against the same dataset except for the redirected folders – wizard completed in 90 seconds. What a faster way to accomplish this simple task.

Lesson learned – understand what you’re backing up on the workstation and how it is configured before simply relying upon the wizard. Also, as mentioned previously, some items such as Outlook POP/IMAP configurations are not migrated, nor is the PST file (or anything in the “Local Settings” folder).

Enjoy!