SysAdmin Related Podcasts, Part 2

February 29, 2008


A couple new shows, and a couple updates on the shows I mentioned before but I hadn't really listened to all that much.

New: Casting from the Server Room: I think this is one of my new favorite shows. It's a group of guys, all admins for school systems, just chatting tech. They put a heavy focus on the deeper Sysadmin stuff, discussing things like SANs, backups (or lack thereof), servers, file shares, Active Directory, etc. It's very informal yet it flows and stays on track very well. I really enjoy this show and highly recommend it.

New: IT idiots: These guys do a video podcast where they discuss a focused topic (like for example, Windows 2008 Terminal Server or Active Directory Administration) and include screencasts of the product in action. I've only watched a couple of these episodes, but what I've seen is very informative (especially if you don't have the product at your testing disposal) and I look forward to watching the bulk of these episodes.

New: PaulDotCom Security Weekly: I had only downloaded one of their shows, but I found myself downloading more the first chance I got. Haven't gotten a chance to listen to more, but it's definitely going to be something that I do soon (as long as the rest of the shows are on the same level as the one I listened to).

New: The SysAdminShow: These guys actually produce (so it seems) an actual radio show on 98.9 FM Radio Free Nashville called the SysAdmin Show. I listened to one show and turned it off half way through. To be fair, they were doing a live show at a local conference and were more focused on that than on any tech. I also hate live remote shows. I'll give them a chance and will listen to a couple other episodes before dismissing them. You can download the episodes via iTunes (where I'm getting ALL of these episodes).

Update: Microsoft TechNet Podcast: The couple I listened to were pretty informative, but very bland. It seems that the presenters are actually reading Microsoft whitepapers word for word, you even hear the paper shuffling and everything. The two episodes I heard were just about as boring as actually reading a MS whitepaper (or any whitepaper for that matter). I'll still listen for the information content.

Update: Realtime Community: Windows Server: I listened to three or four of these episodes. It seems the format focuses more on interviews with product/solution vendors discussing how their products can help. I feel sorta dirty listening to it due to the fact that I can't stand anything more than to listen to another vendor hawk their wares, but it is a good way to learn about some new products without having to cough up information or have to shake a vendor's salesman off your back.

Update: Realtime Community: IT Compliance: Discussion of legal topics bores me to death. Actually, I can use recorded legal talks as a sleep aid, but the couple episodes I listened to were extremely informative. I actually forwarded this one on to my boss, just as a "hey did you know half of this stuff??" type of thing. I really suggest that everyone listens to at least the Demystifying Privacy Laws: What You Need to Know to Protect Your Business episode.

Update: Run Your Own Server: First, I just wanted to point out that this podcast seems to have gone stale, last episode was Nov 07. Doesn't mean you shouldn't listen to the already recorded shows. I listened to quite a few and most are well done and pretty good. Some of the discussion seems pretty basic, maybe focused more on the beginner side of things, but there were a few good tidbits to be had. Also, Episode 16, One Admin, One Server, well, listen to it and let me know if you agree with me that the speaker is just plain nuts.

Encrypt Your Scripts

February 28, 2008


Need a quick and easy way to encrypt the contents of a vbs script to keep its contents safe (well, decently safe)? Microsoft has a tool called Script Encoder that does such a thing. The operation is pretty easy, just install the tool on your workstation, create a working script, and drop to a command prompt.

C:\Program Files\Windows Script Encoder>screnc.exe "c:\scripts\original.vbs" "c:\scripts\encrypted.vbe"

Didn't have to install anything on the client side, script ran just fine on Windows 2003 SP2.

For more info, including examples and syntax, check out the MSDN Script Encoder Overview. They also have info on encrypting JScript.

Lest We Remember: Cold Boot Attacks on Encryption Keys.

February 22, 2008


Wow. This is amazing and scary at the same time. Basically, some researchers figured out that in order to bypass hard drive encryption when you have physical control over the device, you can read the contents of the RAM chips to obtain the encryption key. This is not an attack on the encryption itself. It's like finding the key to the super-secure door under the welcome mat. Even if power is cut from the device, data stays in RAM for a certain amount of time (this time can be extended by freezing the chips with a bottle of canned air). Booting the device to a special tool allows for the memory to be copied and analyzed. They can even remove the RAM chip and put it in another laptop for analysis. The only secure way to protect yourself is to power the laptop down completely and guard it for a few minutes for the memory to finally clear.

Be sure to spend the 5 minutes watching the video in the article.

What's even more interesting is that most folks transport their laptops in a power saving mode, such as in standby or hibernation. Even I carry my laptop around in standby. All it takes is for someone to steal the laptop and the encryption won't matter.

This just proves that carrying information around is not safe. The approach I've been trying to take with my users is to give up the fat client laptops for a thin client laptop approach, such as offerings from Neoware or HP. The idea is to leave all information on the corporate network and require my traveling users to log in via secure VPN and RDP directly to their desktops. On top of not storing information, the thin clients are sturdy, don't have moving parts, run our VPN software just fine, are easy to replace (no user specific information to transfer to another laptop), and are fairly cheap (approx a third of the cost of a regular laptop). I usually just keep a couple lying around for loaners, so someone who doesn't travel much can check one out and I don't have to set up anything on it for them; I only have to enable RDP on their desktops.

Account Lockouts and Password Resets Delegation Taskpad

February 21, 2008


So I've been struggling a little bit with delegation and taskpads. A little background: We're creating a new call center, eventually holding 200 users, and adding any additional support staff is out of the question. About every 20 users there will be a supervisor, and there will be 2 or 3 guys supervising them. They're also going to be working weekends, which would add a lot of headache on me and my crew (we don't have a weekend help desk, just one guy on call). So delegating password resets and account unlocks is pretty critical for our sanity (not to mention speedier service for the end user).

Following the articles I posted earlier, setting up a taskpad view and even setting up the unlock rights/password change rights wasn't too difficult. Getting the password task was also easy, but finding a way for the end user to unlock an account without having to go into the account's properties was more of a challenge. I tried numerous scripts, wrote some scripts, but couldn't get it to work for some reason. Finally, I found the article How can I add an "unlock user account" option to the Active Directory Users and Computers context menu? at the Petri IT Knowledgebase. I followed the instructions exactly step-by-step and I ended up with a nice (and working) Unlock User option when right-clicking on a user account. After that, adding it to the taskpad view was as easy as adding the Reset Password function.

A quick overview of how I set these up:

Set up delegation for account lockouts and password resets.

1. Create an AD group, populate with those folks whom you want to have delegation rights.
2. Right click the OU you want to delegate, click "Delegate Control".
3. Add your created group when prompted in the wizard.
4. Choose to create a custom task.
5. Choose ONLY user objects as the scope of what you want to delegate.
6. For permissions, choose only General and Property-specific. Check "Change password", "Reset password", "Read lockoutTime", and "Write lockoutTime".

Note: If you want to check who has what delegation rights, or if you want to edit an existing delegation, check the security of the OU in question. In Active Directory Users and Computers, click View, Advanced Features. Then right-click the OU and choose properties. Click the Security tab, then Advanced. There you should see who has what permissions on this OU.
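
The wizard steps above and the permission check from the note, as an added PowerShell example (not from the original post). The OU DN and group name are placeholders, and it assumes dsacls.exe and the ActiveDirectory module are installed.

```powershell
# Added example; the OU DN and group name are placeholders (assumptions).
# Requires dsacls.exe and the ActiveDirectory module (RSAT, or run on a DC).
Import-Module ActiveDirectory

$ou    = 'OU=CallCenter,DC=example,DC=com'     # placeholder OU
$group = 'EXAMPLE\CallCenter-Supervisors'      # placeholder delegate group

# Steps 2-6 from the command line: /I:S applies each ACE to child objects
# only, and the trailing ";user" limits it to user objects (step 5).
dsacls $ou /I:S /G "${group}:CA;Reset Password;user"
dsacls $ou /I:S /G "${group}:CA;Change Password;user"
dsacls $ou /I:S /G "${group}:RPWP;lockoutTime;user"

# The check from the note: list every Allow ACE on the OU that names one of
# the delegated rights, whoever the trustee is.
$rights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset password (extended right)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change password (extended right)'
    '28630ebf-41d5-11d1-a9c1-0000f80367c1' = 'lockoutTime (attribute)'
}
$userClass = 'bf967aba-0de6-11d0-a285-00aa003049e2'   # schema GUID of "user"

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $rights.ContainsKey($_.ObjectType.ToString()) } |
    Select-Object @{ n = 'Trustee';   e = { $_.IdentityReference.Value } },
        @{ n = 'Right';     e = { $rights[$_.ObjectType.ToString()] } },
        @{ n = 'Access';    e = { $_.ActiveDirectoryRights } },
        @{ n = 'UsersOnly'; e = { $_.InheritedObjectType.ToString() -eq $userClass } },
        @{ n = 'Inherited'; e = { $_.IsInherited } } |
    Sort-Object Trustee, Right |
    Format-Table -AutoSize
```

ACEs that grant Full Control or all extended rights carry an empty object-type GUID and are not matched by this filter, so review those entries on the Security tab separately.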

Create a taskpad.

1. Open mmc.exe (Start, Run, mmc.exe).
2. Add Active Directory Users and Computers to your view.
3. Choose the OU you're delegating.
4. Right-click the OU and choose new window from here. This is the view you want your users to ONLY see.
5. Click Action, New Taskpad View.
6. Choose the style you like (I like the Vertical list, Text).
7. If you want them to be able to view the sub-OUs (child OUs) with the same view, select "All tree items that are the same type as the selected tree item" and "Make this the default taskpad".
8. To edit or add your tasks, right-click the OU and choose Edit Taskpad.
9. Choose the Tasks tab and click the New button.
10. To add the Reset Password task, choose Menu command.
11. Highlight a user account in the left window and choose Reset Password in the right window.
12. Put in a description, choose an icon, and you're set to go.
13. To add the Unlock User task, follow these instructions from the Petri IT Knowledgebase website. Do that first. Then repeat steps 9 - 12, but choosing the Unlock user task.

Lock it down.

To customize views, click the MMC icon next to the File menu. Choose Customize View. Select what you want your users to see. I personally remove everything except Console tree and Taskpad navigation tabs.

After you're ready to deploy, click File and choose Options. In Console mode, select User mode - limited access (I use single window). Uncheck Allow the user to customize views (this is optional depending on what you want your users to do). Then save. Your users shouldn't be able to do much more than reset passwords and unlock accounts.

To edit your saved .msc, right click it and choose Author. This will open it in editing mode.

SysAdmin Podcasts

February 16, 2008


Well, running out of the few Admin podcasts I have, I went on a search for more. Since I've already done the research, I'll share my findings:

A Couple of Admins: These guys are two (or three usually) guys who work in the Admin field. I've listened to quite a few of their shows and always find myself coming back for more. There's more non-related banter than I would like, but it flows well and the focused content makes up for it. They also seem to do a good job at researching their topics, for example, episode 13 Code Of Ethics roundtable was excellent. Put this show on your podcast playlist.

In the Trenches: It is unfortunate when you come across something awesome only to find out that it's now over. Well, In the Trenches (ITT), was one of those something awesomes. Luckily you can still download and listen to the older podcasts, which is something completely awesome.

DABCC Radio: Virtualization Podcasts: This podcast is completely devoted to virtualization technologies, such as server virtualization, application virtualization, Citrix, VMWare, VDI, application deployment, and more. All the episodes I've listened to seem to follow an interview-type format and are very professional and well done.

Microsoft TechNet Podcast: This one looks extremely promising and as a Windows-focused SysAdmin, I'm really excited about this podcast. Lots of focused technical topics discussing specific Microsoft technologies.

Microsoft TechNet Radio: Don't know much about this one (found it while searching for TechNet Podcast website), looks interesting though.

The Microsoft IT Manager Podcast: I haven't listened to this yet, but some of the episode descriptions seem very promising.

Realtime Community: Windows Server: I haven't had a chance to listen to this podcast yet, but I'm excited by the show descriptions.

Realtime Community: IT Compliance: IT Compliance is usually better understood heard rather than read. Just subscribed today so I don't have much feedback on them yet.

Run Your Own Server: I JUST subscribed to their podcast, but all the topics seem very much Sysadmin oriented. Also it seems that the majority of topics seem to lean towards a focus on Linux. Reading some of the show notes this seems to be a very good podcast.

Windows IT Pro Radio: I just found out about this podcast, but Windows IT Pro magazine is top notch, so their podcast probably will be too.

Delegation Day

February 15, 2008


We have a new call center coming up and one of the projects I'm working on is Active Directory Delegation. This would allow me to give supervisors and call center managers the ability to reset the passwords and unlock the accounts of their users without calling me or my guys. Here are some resources:

Here's Microsoft's .doc guide regarding delegation:

Best Practices for Delegating Active Directory Administration

This Microsoft article tells you how to delegate the Unlock Account Right. (2003 users, skip the part about editing the Dssec.dat file; 2003 has that already enabled, and the setting isn't even there anyways):

How To Delegate the Unlock Account Right

This MS article is more of a collection of other MS articles regarding delegation:

How to Delegate Basic Server Administration To Junior Administrators

When looking at using Active Directory Delegation for non-technical users, look at using Taskpads:

Making use of Active Directory Taskpads

(I'm only linking to one page of a pretty decent article, so check out the rest of it as well.)

This is the best taskpad article I've found:

How can I easily perform management operations in AD from a customized Taskpad?

This is a quick article by someone who needed to delegate Unlock Account rights and describes his fun. He has some vbs script code that integrates into the taskpad that will take the highlighted user, unlock them, and log who unlocked whom on a domain controller. I'm currently looking at using this, but at the moment I'm getting errors:

WindowsITPro, Unlock User Accounts

lol 1 year hiatus

February 14, 2008


Seems that I took EXACTLY one year off of this blog. Well, maybe it's time to get back into it.. possibly make it less of a link dump and more personal... We'll see.

Here's a great tool:

MX Lookup Tool.

Do MX Lookups, Diagnostics, and test your mail server against 147 RBLs.