Tuesday 6 July 2010

Administrator Privileges – Control and Monitoring

From Geoff Courts @macnamara_geoff

The reasons for limiting the administrator rights of users are numerous. Don’t let them install any old application they find (they can do that on their iPhone), but perhaps more importantly, don’t let them install the viruses and malware that arrive through ads and spoof e-mails, which in some cases require lengthy clean-up operations and put the PC out of action for the duration.


But as an Administrator, how can you effectively monitor the administrator rights across all your machines and all your users?


At Macnamara, we developed some time ago the method of only assigning admin rights to users upon request from an authorised client contact, along with the stated reason. But, instead of assigning the user the rights to their machine, we add them to a security group in Active Directory called ‘Local PC Admins’.


The benefits of this approach are:

1. you can centrally manage the admin rights of all your users
2. you don’t need access to the user’s PC remotely to assign it
3. if their PC is off, you don’t risk them logging back on as Administrator before you can revoke their privileges
4. you can assign 1 user rights on all machines, and delegate software installs and updates (where Kaseya cannot do this) to them


As always, however, monitoring is the key.


Monitor the local Administrator Group

We only ever have 4 members of the local Administrators group.

1. Domainname\Domain Admins (Domain Administrators Group – i.e. us!)
2. Domainname\Local PC Admins (Our group for assigning local PC administrator privileges)
3. Administrator (The local Administrator account – password protected, of course)
4. Lynx-admin (Our own fall-back local logon user account)


Since this will never change, all we have to do is output the membership to a file on a regular basis, then use Kaseya to monitor that file for any changes. Any unauthorised additions to the group since the last hourly check will create an alert.


A script runs every hour, executes the command “net localgroup administrators” and writes the results to a text file on the PC. The same script then uses the ‘Get File’ command to upload the log to the Kaseya Server.


Under Alerts monitoring, we use the ‘Get File’ alert to call a second script if the file content has changed. This raises an alert and sends us an e-mail with the contents of the file, and hence the membership of the local group. Any users not in the 4 listed above can be easily identified.


Monitor the Server ‘Local PC Admins’ Group


Similarly, we can monitor the membership of the group we use in Active Directory for central management of the Admin Rights of our clients. Because we assign these rights ourselves, through request, we can monitor the membership using our ticketing system. All users are requested to let us know when they have finished what they are doing so we can revoke their rights, and then a log off is requested.
We don’t therefore need to monitor membership hourly, but it is good to have a reminder at the end of the day if anyone has been added who has not been removed. We therefore check every 8 hours, starting at 08:30am, so that at 4:30pm we receive an alert if anyone has been added during the day but not yet removed.
The process is the same as for the local Administrators group, but the CMD is slightly different. At 08:30am, the first script runs ‘net group “local pc admins” /domain’ and outputs the user membership to a file, which is uploaded to the Kaseya Server using the ‘Get File’ command. This is then run again at 4:30 and any changes are seen and an alert e-mail is sent with the membership of the group.
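
The comparison step behind both checks above, as an added PowerShell example that is not the authors' Kaseya script: it parses `net` output and reports any member outside the four expected entries. It assumes English-language `net` output and PowerShell 3.0 or later; `DOMAINNAME`, `jsmith` and the function names are placeholders invented for the example.

```powershell
# Added example, not the Kaseya procedure. Assumes English "net" output and
# PowerShell 3.0+; DOMAINNAME is a placeholder for the real domain name.
$Expected = 'DOMAINNAME\Domain Admins', 'DOMAINNAME\Local PC Admins',
            'Administrator', 'Lynx-admin'

function Get-NetGroupMember {
    param([string[]]$NetOutput)
    $inList = $false
    foreach ($line in $NetOutput) {
        if ($line -match '^-{5,}') { $inList = $true; continue }  # dashed rule opens the list
        if (-not $inList) { continue }
        if ($line -match '^The command completed') { break }      # footer closes it
        # "net group /domain" pads names into columns, "net localgroup" prints one
        # per line; splitting on 2+ spaces handles both and keeps single spaces.
        $line.Trim() -split '\s{2,}' | Where-Object { $_ }
    }
}

function Compare-AdminMembership {
    param([string[]]$Members, [string[]]$Allowed)
    [pscustomobject]@{
        Unexpected = @($Members | Where-Object { $Allowed -notcontains $_ })
        Missing    = @($Allowed | Where-Object { $Members -notcontains $_ })
    }
}

# Constructed sample of "net localgroup administrators" output; jsmith is invented.
$sample = @'
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DOMAINNAME\Domain Admins
DOMAINNAME\jsmith
DOMAINNAME\Local PC Admins
Lynx-admin
The command completed successfully.
'@ -split '\r?\n'

# Live use: replace $sample with (net localgroup administrators)
$result = Compare-AdminMembership (Get-NetGroupMember $sample) $Expected
if ($result.Unexpected -or $result.Missing) {
    "ALERT unexpected=[$($result.Unexpected -join ', ')] missing=[$($result.Missing -join ', ')]"
} else { 'OK: membership matches the four expected entries' }
```

For the end-of-day check, feed the same parser the output of `net group "local pc admins" /domain` and pass an empty allowed list (`@()`), so that anyone still in the group is reported.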


Benefits


Since we implemented these controls on administrator rights, we have seen the number of Support calls drop substantially, since Users are just not in the same position that they were to break their machines. Without these rights they cannot install bad applications that ruin system performance, nor viruses and malware, nor change protected system files. The results are cleaner machines, and more time for real work.

Friday 11 June 2010

Using the SBS 2008 Connect Wizard when you have multiple subnets.

From Ciaran Kenny @CiaranJKenny

Back in the SBS 2003 days multiple subnets, most commonly to allow for site-to-site hardware VPNs, caused a bit of a problem when using the SBS 2003 ConnectComputer Wizard. In the case of SBS 2003 the reason for this was that the IIS ConnectComputer sub site had a default restriction to only allow connections from the subnet in which the SBS server was installed. To cater for additional sites/subnets you would add the relevant subnets to the ‘access granted’ list of subnets and - job done.


Like everything else, things are a little different with SBS 2008. There don’t seem to be any subnet restrictions on the ‘Connect’ sub site. Or, if there are, I can’t see them anywhere. But when you try to run Connect from a VPN connected site using a different subnet you will find that you get a ‘Page Cannot Be Displayed’ error. So you can then spend some time tearing your hair out trying to figure out how to add an extra subnet in IIS 7 – before realising that ‘Page Cannot Be Displayed’ is obviously a name resolution error.

Usually for a small branch office subnet without its own server you are going to set the IP addressing information manually on each PC – with the main office SBS server as the DNS server etc. (not DHCP of course).

The problem is that, without knowing what domain to add to a host name, the PC in the branch office has no way of resolving what it sees as a single host name – 'Connect'.

So, the key is to add the internal domain name as a DNS suffix to the IP configuration of the network cards of the PCs in the branch office. This is a good idea anyway and will make your network run more smoothly.

Using connect.domain.local doesn’t work as this will send an http request with the wrong header information.

If anyone knows a better way do please let me know (apart from having a Windows DHCP server in the 2nd subnet).

Thursday 10 June 2010

Microsoft Office 2010: Briefly Explained (heavy on the details, light on the tech)

From @Macnamara_MB
Following my post last week, giving a brief overview of Office 2010, as promised here is the follow up for those who are less technical but still want their IT to work to its optimum.

To start, system requirements for running Office 2010 are as follows:
• Office 2010 will be available in both 32-bit and 64-bit versions

• Office 2010 will run on Windows XP SP3, Windows Vista and Windows 7

• You don’t need to replace hardware that is capable of running 2007; it will support Office 2010. Like Windows 7 has demonstrated, we realise that taking advantage of the hardware you already own is just as important as supporting all the new technology coming out.

Microsoft 2010 consists of 5 core programs: Word, Excel, PowerPoint, Access and Outlook.

Each of these core programs specializes in manipulating different data. Word manipulates words, sentences and paragraphs; Excel manipulates numbers; PowerPoint manipulates text and pictures to create a slideshow; Access manipulates data, such as inventories; and Outlook manipulates personal information such as email addresses and phone numbers.

So what’s new?

1. You can embed videos in your presentations (PowerPoint).

2. Quick steps in Outlook (email), i.e. reply & delete

3. Document printing made easy (no new window)

4. You can now save Office documents to the Cloud

5. Built in PDF writer (word)

6. Broadcast slideshows within PowerPoint (share option)

7. PowerPoint now includes powerful video editing features

8. Distribute your slides as video (option “share”, create “video”)

9. Built-in screen capture (word) (option “insert” then “screenshot”)

10. Outlook gets social (There’s a green add button that lets you “add that person to your online social networks from Outlook” but the service isn’t live yet)

Important: Before installing Office 2010

• If you are installing Office 2010 beta for the first time, the default settings will upgrade your existing copy of Microsoft Office. You can, however, customise this setting and install Office 2010 alongside an older version of Office.

• If you already have Office 2010 Technical Preview on your computer, make sure you completely uninstall this edition before attempting to install Office 14 beta. In case you still have trouble installing Office, use the clean-up utility tool to remove all traces of the previous version of Office from your system.

Tweet me @Macnamara_MB or comment on the blog.

Monday 7 June 2010

Some minor SharePoint irritations solved

From Ciaran Kenny @CiaranJKenny

I’ve used SharePoint on and off for clients since it first appeared about 10 years ago but I have only really got into it myself recently as we have started to use it as the core repository for our client project documentation.


We’ve been using it in the office and at home and the degree of control over document development pretty much leaves everything else standing. We have been using SharePoint via the SBS 2K8 Remote Web Workplace. It’s very nice but two things have been really irritating me about it when using it from home: 1) the constant password prompts (come on you know who I am by now) and 2) that supremely irritating security warning message:

"Do you want to view only the webpage content that was delivered securely? This webpage contains content that will not be delivered using a secure HTTPS connection, which could compromise the security of the entire webpage."

Though this warning message doesn’t quite compare to the brilliant error message pre SBS 2K8 Update Rollup 4, “This computer doesn’t meet the maximum operating system requirements …”, it is out of the same mould in that you have to really think before you respond. The response options are ‘Yes’ and ‘No’ – if you actually want to see the web page that prompted the warning then the correct response is ‘No’.

Anyway, the logic behind the warning is sound enough. It means that the page that is about to be displayed with an HTTPS address also contains some material from a location which is delivering its content without the protection of HTTPS.

In the case of SharePoint this is probably going to be some graphics on the page or something similar. Since Internet Explorer 8 the default setting has been to keep you safe by warning about stuff like this. Assuming you are happy to ignore best practice in order to avoid irritating messages here’s what you need to do:

To stop the warning from appearing go to:
Tools --> Internet Options --> Security
With the Internet zone highlighted click on Custom Level, scroll down to the Miscellaneous section and for the 'Display mixed content' option change from the default selection of 'Prompt' to 'Enable'
Click OK, accept the security warning and Click OK again - then restart the browser.
NB – this advice is offered with the clear caveat that strictly speaking you are introducing a security risk.
As an alternative you may prefer to click the 'Disable' option above. This will eliminate the problem with SharePoint and does not have any negative impact on the functionality of the site. However, some other HTTPS sites may not display or function correctly.
It should also be possible to achieve the same effect by adding the SharePoint site to the Trusted and/or Intranet zones and enabling the setting only for those zones. However, this option didn't work on testing.
This leaves the problem of the constant password prompts. To stop these all you have to do is add your SharePoint site (or Remote Web Workplace site) to the Intranet zone under IE Tools --> Internet Options --> Security.
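
To see where the 'Display mixed content' change described above has been applied, the following added PowerShell example (not part of the original post) reads the setting for each zone from the registry. It relies on the Internet Explorer URL action number 1609 for this option (0 = Enable, 1 = Prompt, 3 = Disable) and assumes PowerShell 3.0 or later; the variable names and the report layout are choices made for the example.

```powershell
# Added example (not from the original post). URL action 1609 = "Display mixed content".
$stateName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$zoneName  = @{ 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$sub       = 'Windows\CurrentVersion\Internet Settings\Zones'
$roots     = @(
    "HKLM:\Software\Policies\Microsoft\$sub",   # machine policy
    "HKCU:\Software\Policies\Microsoft\$sub",   # user policy
    "HKCU:\Software\Microsoft\$sub",            # user preference (what the dialog writes)
    "HKLM:\Software\Microsoft\$sub"             # machine default
)

$report = foreach ($root in $roots) {
    foreach ($zone in 1..4) {
        $key  = Join-Path $root $zone
        $prop = Get-ItemProperty -Path $key -Name '1609' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }       # value not set in this hive
        $value = [int]$prop.'1609'
        [pscustomobject]@{
            Key     = $key
            Zone    = $zoneName[$zone]
            Setting = if ($stateName.ContainsKey($value)) { $stateName[$value] } else { "Unknown ($value)" }
            # Prompt is the default the post describes; Enable in the
            # Internet zone is the weakened state worth reporting.
            Flag    = ($zone -eq 3 -and $value -eq 0)
        }
    }
}
$report | Format-Table -AutoSize
```

Rows with `Flag` set to True are machines or users where mixed content is displayed in the Internet zone without a prompt.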

Any feedback on the security implications of either or both of the above changes (especially when taken together) would be very gratefully received. I can’t see a realistic problem but would be happy to be told otherwise.

Thursday 3 June 2010

Microsoft Office 2010: Briefly Explained

From @Macnamara_MB


Microsoft Office 2010, codenamed Office 14, is a productivity suite for Microsoft Windows and the successor to Microsoft Office 2007 for Microsoft Windows. Office 2010 includes extended file compatibility, user interface updates and a refined user experience. It will be available for Windows XP SP3 (32-bit), Windows Vista SP1, and Windows 7. With the introduction of Office 2010, a 64-bit version of Office is available for the first time, although only for Windows Vista SP1, Windows Server 2008 SP1, Windows 7 and Windows Server 2008 R2. Neither the 32-bit edition of Office 2010 nor the 64-bit edition is supported on Windows XP Professional x64 Edition.

On April 15, 2010, Microsoft announced that Office 2010 had been released to manufacturing, with those Volume Licensing customers who have Software Assurance being able to download the software from April 27. It will be available in June in retail stores in the US and Europe.

Office 2010 marks the debut of free online versions of Word, Excel, PowerPoint, and OneNote, which will work in popular web browsers (Internet Explorer, Mozilla Firefox, Google Chrome and Apple Safari). A new edition of Office, Office Starter 2010, will replace the current low-end home productivity software, Microsoft Works.

Microsoft's update to its mobile productivity suite, Office Mobile 2010, will also be released for Windows Phones running Windows Mobile 6.5 and Windows Phone 7. In Office 2010, every application has the Ribbon, including OneNote 2010, Publisher 2010, InfoPath 2010, SharePoint Workspace 2010 (the new name for Microsoft Office Groove 2007) and the new Office Web Apps.

Tweet me @Macnamara_MB or comment on the blog.

Next Week: Microsoft Office 2010: Pros and Cons

I’ve worked in the tech industry for 4 years and have recently joined Macnamara and believe in giving credit where credit is due. As well as my own knowledge, for this rundown I gathered information from these articles:


diTii.com


http://www.ditii.com/2010/03/30/sharepoint-workspace-spw-2010-part-of-microsoft-office-2010-professional-plus-explained/


PCmag.com


http://www.pcmag.com/article2/0,2817,2350052,00.asp

The Hijacked Browser

From: Dan Shterev @Macnamara_Dan

Today I would like to share an issue which arose with one of our clients recently, and most importantly, the solution.

The problem was quite tricky - when Internet Explorer is opened, a message pops up on the screen asking you to complete a survey; otherwise it will not let you browse the page.

Of course, if you click to start the survey you are automatically redirected to one of those silly websites where you can play poker, games etc.

The funny thing was that you could not get rid of this message in any way in Internet Explorer.

It would be natural to assume that it could be easily fixed, however this was not the case.

I tried to reset Internet Explorer, which in most cases would solve your problem with Internet Explorer. However, in this case the message kept appearing.

I tried logging on as administrator but the message continued to appear even when opening stable sites like bbc.co.uk or aol.com.

Interestingly enough, there wasn’t any information on Google about the particular message I was getting on the screen, so I had to find my own way to resolve this issue.

After running an antivirus scan I did not get any viruses detected; then I tried Malwarebytes but it was the same - the computer looked clean and not infected at all.

I checked the running processes but still didn’t see anything suspicious, so I decided to run one more check with Trojan Remover. The difference between Malwarebytes and Trojan Remover is that TR checks all running processes and if some of them are infected it tries to clean and repair them. To my surprise TR detected an infected file called infocard.exe, which I had noticed before with HijackThis but ignored because the description of the file says: "infocard.exe is a Windows CardSpace from Microsoft Corporation belonging to Microsoft® .NET Framework". This naturally made me think it was insignificant.

Basically the file was needed by Windows but it was infected and this was causing the browser to be hijacked - meaning that whatever you did when trying to open a page, this process was trying to redirect you to certain web pages - potentially unsafe ones.

After rebooting the machine, TR had successfully cleaned the file and the problem was gone.

Problem:
A message popup in Internet Explorer would not let you access the address bar or browse websites – instead trying to redirect you to unsafe websites.


Solution:
1. Run Trojan Remover – disinfecting “infocard.exe”
2. Reboot

Tuesday 1 June 2010

Blog update

From: Kate Coles @Macnamara_Kate


We now have 2 blogs.

For the tech savvy, check out Our Technical Archive, a catalogue of technical help and support.

For clients and those with an interest in Macnamara, Our Blog details business developments and interesting articles which we want to share our perspective on.

For a micro blogging Macnamara hit, check out our twitter.