January 1, 2035
Link to www.bloglines.com/blog/taplinb
-------- PLEASE READ --------
In 2005 I began playing with own blog options. I tried Telligent, maintained by ISP godaddy.com, then replaced it with free Web Wiz software from the U.K. Great tools, but I don't want my website pinned to one particular technology, so my latest iteration is at Bloglines. That's where you can find me in the near future.
Also, I will soon be employed elsewhere, after which I suspect this account may disappear.
May 25, 2005
SQL Server ideas from 2072A class
I sent this email to team-members of the Helpdesk/Inventory Project on Monday, after my first day of the Microsoft 2072A class on SQL Server 2000 Administration, taught by Jim Ferguson at New Horizons in Edina:
We just finished my first day of SQL Server class and I wanted to share some ideas about our Asset Nav server config to come. Please share any differences of opinion on this:
1. Use *hardware* RAID controls to create
three partitions: WINDOWS, DATA, TEMP;
Make WINDOWS at least 10-20 gig for all
anticipated patches etc., TEMP 5-10 gig
for all logs (only), the rest to DATA -
not just for Asset Nav but possibly for
other future databases, just in case
2. Install Win03 plus SQL Server on WINDOWS
(standalone, standard) and patch it all.
We should plan/discuss authentication
methods and administrative passwords
3. Setup all new dbs (just AN now) on DATA
partition, separate from the executables.
4. Setup the AN executables on C: (defaults)
and tweak IIS and Win security as needed
5. Use SQL Server Enterprise Manager to set
restrictions on how big the database can
grow (maybe the whole D: drive minus Y)
and where log files land (the E: drive)
6. Setup autoshrink to have SQL Server make
its own decisions about how and when to
"compact" things (sort of like defrags).
Microsoft claims that users won't see a
performance hit. We can always disable it
7. Periodically defrag partition WINDOWS but
almost never DATA - SQL Server can do its
own reallocations for database(s) on D:
and sometimes fragmentation isn't such a
terrible thing with something as random-
access as the typical OLTP database.
8. Periodically cleanup/backup the log files
or they may eventually fill that E: drive
I'm sure other thoughts will emerge over the
coming days, e.g. about backups and upgrades,
but I wanted your feedback on this before we
get the new server hardware and do anything
about allocating drive space or installing. I
think these tweaks will help performance over
time and help us avoid problems downthe road.
P.S. Good New Horizons class. The instructor,
Jim Ferguson, obviously knows his stuff and
holds about every Microsoft advanced cert you
can get. Gave a tip or two on what the book
says vs. what his real-world experience was.
May 24, 2005
Kerberos in Four Scenes
This is a great little blurb on Kerberos security, from MIT:
May 17, 2005
WinXP image doc template
Target __ Mac __ PC __ Staff __ Public
Description: Staff XP baseline image for [target hardware]
Start date/Date uploaded/Appr date/Appr by/Creator's initials
Who worked on the image?
What’s in this version?
--sample data --
Started on [brand/model] system with primary drive partitioned into a [size] C: and a somewhat larger D:, the D: drive formatted as FAT32 so that we can use a Win98-based boot disk to ghost from C: to D:. Onto that C: drive I installed WinXP Pro sp2 (mostly default settings) built from a campus-licensed ISO, downloaded from http://download.software.umn.edu. The product code, listed at that website and which one needs for each deployment of this image, is:
After the OS install I configured it for Biomedical Library staff and/or “Green” PCs as follows:
1. Administrator account (new password) renamed to [local admin acct]
2. Account xpuser (old password) member of Administrators and Users
3. Disabled DCOM (used by some viruses) with Start -> Run -> dcomcnfg
4. Network set to support TCP/IP only, enabled NetBIOS over TCP/IP
5. Enabled automatic Windows updates for every day at 4 pm
6. Applied all Windows Updates except a few optional ones like Journal Viewer
7. Simplified the interface a la Win2K and optimized it for performance
8. Reduced the size of the System Restore area to the minimum available
9. Removed MSN Explorer, Windows Messenger, Outlook Express, other baggage
10. In Internet Explorer, set history to one day, deleted cookies, set home page to Biomed’s, disabled automatic completion of passwords and forms, set to delete files upon closing
11. Installed campus-licensed Symantec Antivirus [version] with defaults, updated defs, tweaked to delete bad files it cannot clean and to skip network drives
12. Killed any ASP.NET or related user account(s) created in the optional .NET install
13. Installed Spybot [version] plus all available updates, immunized the system
14. Downloaded and installed FireFox [version] into its default directory
15. Downloaded and installed Acrobat Reader [version], updated to [version]
16. Downloaded and installed Macromedia Shockwave [version] player
17. Downloaded and installed Macromedia Flash [version] player
18. Changed FireFox preferences to make all cookies session cookies, to use pictures only in toolbar, to block most pop-ups, and to save neither passwords nor forms
19. Installed ActiveState Perl [version], mostly defaults
20. Installed standard plug-ins for Chime 2.6 sp5, CN3D 4, and Isis Draw 2.3
21. Installed Scifinder Scholar [version] plus U of MN file C:\SFSCHLR\ site.prf
22. Installed Beilstein Commander [version] with the latest Crossfire connection software
23. Installed UMCal 9 and tweaked settings per OIT advice
24. Installed WinSCP [version] for remote file access (uninstall where not needed)
25. Installed Office 2003 using CD from http://download.software.umn.edu - included Word, Excel, PowerPoint, and InfoPath, all run locally, but excluded Access, Outlook, Publisher to keep this image reasonably-sized and fairly clean. We can add those apps as needed
26. Updated Office 2003 and added the Remove Hidden Data util (to clean docs over time)
27. Created custom default profile based on [xpuser], to apply to all new users of this PC
28. Changed default IP address to DHCP, but left Advanced settings in place
29. Used Sysprep 2 (see k:\systools\wxptweak\sysprep) with all options except nosidgen
30. Booted from CDROM, ghosted from C: to D: with compression
31. Rebooted, let Sysprep run, set IP address (1-2 minutes to become active)
32. Joined PC to domain, rebooted, tested, copied image from D: to K:
Please share any questions or concerns…
Bootable DVD Image Deployment Instructions:
1. Enable target CMOS to boot CD/DVD disk before hard drive
2. Use bootable DVD to wipe target, create C: and D: partitions
3. Reboot, format D: /u/v:D, then xcopy E:\*.* D: (make image local)
4. Reboot with same bootable DVD, then ghost from D: to new C:
5. Remove DVD, reboot, walk away for 10 minutes as it Syspreps
6. Enter the WinXP campus license product code ** listed above **
7. After Sysprep is done login as xpuser (old password)
8. Set the IP address and DNS and give it a minute to take effect
9. Launch Windows Update to verify the IP works and get patches
10. Update Spybot and Symantec Antivirus definitions as needed
11. Setup printers, departmental apps, other local settings as needed
12. If on a public PC, remove xpuser from the Administrators group
If on a staff PC, ask Brad or Dan to join the PC to the domain
13. Login as xpuser (public) or a domain user (staff) to test
Aoccdrnig to a rscheearch...
I saw this in the sample pages of a demo server:
Aoccdrnig to a rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht frist and lsat
ltteer is at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae we do not raed ervey lteter by itslef but the wrod as a...
May 16, 2005
Brad goes Windows as Darth is born
Is it a coincidence that in this, the week Darth becomes Darth, I wiped my older GX100 at home and installed XP sp2? I was already running XP on my newer eMachines. This makes my basement a de facto Windows-only zone. My wife's iMac remains our email/surfing/iPhoto mainstay upstairs.
My old Dell has been a Linux/FreeBSD testbed for years, running everything from Red Hat to SuSE to Gentoo to Mandriva, but Friday night I finally decided to focus on what I/we actually use to get stuff done.
I am not against Linux. If all I wanted were Apache web services, MySQL or PostgreSQL or Oracle, and/or Samba file services, I'd pick FreeBSD or a major Linux (RH or SuSE) in a heartbeat. These are safe, reliable, cheap, run fast on affordable hardware, and for those server apps are very proven.
They do not, however, hold a candle to Microsoft or Apple on the desktop, particularly in games, nonlinear video editing, and Office productivity tools. Even Openffice looks and works better on Windows and OS X than on Linux. Most of my time is spent using or supporting desktops, so it makes more sense to build a deeper understanding of Windows and OS X.
Solaris I have to know because our web servers run it. We also run FreeBSD, but just for Samba and Amanda, and these require little daily support. I need to keep up to date on basic Solaris and FreeBSD skills,and on Apache and related technologies, but most of my time goes elsewhere.
From a technical perspective I much favor OS X. It's cleaner, safer, and more attractive than Windows. Most of the software on my Mac mini just works, and I never have to worry much about viruses and spyware. "Tiger" remains my main work environment, and I support a small OS X Server for local DHCP, Netboot, and possible (in time) FMPro Server services.
Windows by contrast demands babysitting. That's a blessing and curse. Despite many efforts by Microsoft to improve Windows security and reliability to the point that XP sp2 is adequate for most users - iff patches plus anti-virus and anti-spyware software are maintained - there is still enough support required to keep me employed for years to come.
If ever I start a "real" company, I may make it all-Mac. The labor I'd save with a Netboot environment and XServers at the core, not to mention free client licensing, would far outweigh the up-front hardware costs and limited software availability. No need for a full-time IT staff.
But as long as I have a mortgage I'll probably rely indirectly on Microsoft to pay bills. Apple may be the Maytag of PCs, but who wants to be that repairman? If not for Windows, what would I do all day? I also happen to love games, and whatever Microsoft's failings, they make it easy to build great apps. See an earlier posting for more about games and nonlinear video editing.
For all these reasons I might as well accept the sad fact that I'm a Microsoftie. Resistance was futile; Dark Side was strong; pick your analogy. Job security, my desire and ability to tinker with registries, and games and videos matter more to me than the elegance or security of the platform.
Sorry Linux, but if my experience is any indication you're doomed to remain even more niche than Apple on the desktop. Look at the metric system - better does not necessarily guarantee acceptance. People get entrenched. I may be retired long before Windows (inevitably) loses its dominant position.
AdminMe: raise and lower user rights
When the Bio-Medical Library staff first developed Windows 2000 configurations last year, we enabled two local accounts. w2kuser is the account housing user applications and settings. w2kuser was intended to be used mostly in User or Power User mode, to restrict what can be changed, but must become a local Administrator for many software changes to occur.
One of the more time-consuming aspects of maintaining our PCs involves adding w2kuser to the Administrators group before any significant change, and then removing w2kuser from Administrators afterwards. As student worker Haudy describes, there are about 13 steps that not only take time but also are easy to forget.
If we enable the Windows RunAs service and use a simple batch script Haudy developed, we can cut in half the time and trouble of this rights switch. When I first heard of this fix it sounded good, but I told Haudy that we had to look into the security implications of enabled the RunAs service.
The approach is similar in concept to running the “su” command in UNIX. Based on Haudy’s research and what I have seen, I see no good reason not to enable RunAs. It’s a few mouse-clicks per PC to enable, after which Haudy’s script could run from the K: drive. The script requires the Administrator's password - which is not embedded – and the script is based on the common Windows “net” executable, meaning we’re not exposing anything important by making it executable from a public account. No password, no go.
In short, let’s do this ASAP, and thereafter be more diligent about dropping the w2kuser account on public PCs back to User mode after each such change. This should make maintaining security much easier.
The notes below are largely Haudy's from a couple of years ago. Note that most of the Novell-specific stuff is no longer valid for most of our users since we switched in 2004 to Samba file services.
--- Haudy notes ---
Current method to give w2kuser admin level rights in order to make system and software configuration changes, starting from a logged-in w2kuser account:
2.Log out of w2kuser
3.Login as the local Administrator by changing the username on the Novell login screen and entering the local Administrator's password
4.Go to Users and Groups control panel
5.Add w2kuser to Administrators group
6.Logout of the local Administrator account
7.Login as w2kuser (who now has admin level rights)
8.Make necessary configuration changes
9.Apply the novell.reg registry patch that enables auto-logon
10.Apply the w2kpublic.reg registry patch that enables auto-logon
11.Go to Users and Groups control panel
12.Remove w2kuser from Administrators group
13.Reboot, which will auto-logon as w2kuser and auto re-enable WinSelect
Proposed way to give w2kuser admin level rights in order to make system and software configuration changes, starting from a logged-in w2kuser account:
2.Run adminme.bat and enter the local Administrator account password
3.Log out of w2kuser
4.Log in as w2kuser (no username changes on the Novell login screen)
5.Make necessary configuration changes
7.Reboot, which will auto-logon as w2kuser and auto re-enable WinSelect
Streamlines making changes to w2kuser account
Much easier and faster to make changes to w2kuser account
Eliminates problems caused by forgetting to re-apply registry patches after every configuration change
Improves security by making security easier to use
6 fewer steps to go thru; these were time-consuming steps.
RunAs service to be enabled in automatic startup mode.
RunAs security issues:
I found no security issues with RunAs in numerous searches of SANS, Google, or Google Groups. The only thing I found is a general security tip to turn off unneeded services. RunAs is needed to make the batch file adminme.bat work. The SANS Securing Windows 2000 Step-by-Step document considers RunAs to be a service that “need to be running on production systems”.
runas /user:[local Administrator] "net localgroup Administrators %username% /add"
@echo You must logout and log back in again for Admin rights to take effect.
net localgroup Administrators %username% /delete
@echo You must logout and log back in again for removal of Admin
@echo rights to take effect.
Two Tables into One using Office2K Pro
In July 2002, I used Access 2000 to merge some BIOM ORDER tables with thirteen columns and over 19,000 records. Access is easier to use and more accurate for this than any Excel formula I tried. Some steps might be automated if there were a need (not so far), but the process is fairly quick once you have done it a few times. It takes me about an hour or two on a fast PC, as in 2 gigahertz with lots of memory.
Here is how I did this:
1.Verify the the data is properly delimited in Excel 2000 in two separate XLS files, that each column has a good heading with no punctuation, and that some heading could become the primary field (e.g. Key) and has an entry for every record in both tables. The common column is later used to define a critical one-to-many relationship between tables.
2.Create a temporary c:\projects directory, and then in Access 2000 To create new database "combined.mdb" in that directory. Close the dialogue asking how to create a table so you can do this manually. Use Windows Explorer to copy the source Excel files there as well.
3.In Access 2000 with Tables highlighted under the Objects section of the "combined:Database" window and three "create table" selections on the right, Insert -> Table -> Import Table, select the first Excel file, check the "First Row Contains Column Headings" box, let Access store the data "In a New Table", go with all defaults for field names, and let Access select/create a primary key (you can change it later).
4.Repeat for the second spreadsheet/table. Then rename the tables if the resulting names do not reflect their purposes. Fortunately these did: BIOM ORDER EXTRACT and BIOM ORDER NOTES EXTRACT.
5.Right-click the "parent" table - that is, the one in which that common column ('Key" here) contains only unique entries and no null entries. In this case BIOM ORDER EXTRACT was that parent table.
6.Select Design View, right-click the little box to the left of the name of the common column (again "Key" here), and make it the primary field. Then highlight the former (Access-generated) primary key and use "Delete Rows" to kill it. Close the table (not Access), saving changes.
7.Click Tools -> Relationships and add both new tables to that view. Resize and move windows so all fields can be seen, some space exists between the two, and the parent table (with unique "keys") is on the left. Primary keys should appear in bold. Click and drag the left "key" to the same-named "key" on the right and release.
8.Verify that "key" is the field selected from both tables. If not, cancel. Check the box to "enforce referential integrity" and click Create. The result should show a line between those fields with a "1" above it on the left or "parent" side, and an infinity sign on the right or "child" side. This indicates a new "one-to-many" relationship between tables.
Note: These relationships are at the heart of any "relational" database. If they are missing or configured badly, expect many problems. In a larger system (like ALEPH) there may be hundreds.
9.Close, save your changes, click "Queries" in the list of Objects, and double-click "Create query by using Wizard". Click the double arrows (>>) to pick every field from the first table. Then under Tables/Queries pick the second table and use the double arrows again. You should see a list of every field from both tables on the right. Then click Next.
10.Leave the default "Detail" view because you'll fix it up in Excel. For now we just want the query to show the raw data. Note that tweaking such queries allows you to filter or combine data in many clever ways. For now we want everything. Click Next, then Finish (default name). The results of the query should appear in an Excel-like window.
11.From within the query results window, click File -> Export, select the target directory (usually the same as the sources), pick Excel 97-2000 from the "Save as type" drop-down list, and give the new file a sensible, short name reflecting the contents of this process. I named the results of this one BIOM_ORDER_Combined_Query.XLS.
12.Close Access 2000, open Excel 2000, and open the new file you made.
13.Create a new first column, move the "Key" contents there, and delete the empty column you left behind plus any (Access-generated) "ID" column.
14.From the menus click Data -> Sort -> and select a few useful criteria. In this case I chose "key" then "internal_note" and then "divnote". The users could do this, but it saves them some trouble. Now save the file.
15.Copy this modified Excel file to wherever the users expect to find the data, in this case O:\biomed\aleph\NOTIS Reports\06262002. This directory name is a reminder of when I started working with the source data. A new directory with new data may be created later this summer.
The SQL statement below, hidden within the wizard-generated query, is a VERY simple example of the power of Structured Query Language. With a few tweaks, we could limit the results by any number of criteria.
Even more impressive to some systems admins is how the SQL client and server can be so cleanly divided (client/server), so systems using pure SQL over TCP/IP with no direct file access are generally more secure, faster, and more reliable than any older low-end systems like Paradox. Properly implemented, a small SQL system can even work by modem.
Access 2000 can work as either a low-end traditional database or as a powerful client in a true client/server environment, with SQL Server or any other supported SQL database at the server end. For this reason alone I think it's a wonderful learning tool compared to other low-end databases.
*** SQL from that query ***
SELECT [BIOM ORDER EXTRACT].title, [BIOM ORDER EXTRACT].ordunit, [BIOM ORDER EXTRACT].scope, [BIOM ORDER EXTRACT].vendcode, [BIOM ORDER EXTRACT].action, [BIOM ORDER EXTRACT].vendnote, [BIOM ORDER EXTRACT].internal_note, [BIOM ORDER EXTRACT].divnote, [BIOM ORDER NOTES EXTRACT].ID, [BIOM ORDER NOTES EXTRACT].key, [BIOM ORDER NOTES EXTRACT].statement, [BIOM ORDER NOTES EXTRACT].type, [BIOM ORDER NOTES EXTRACT].[M Date], [BIOM ORDER NOTES EXTRACT].[A Date] FROM [BIOM ORDER EXTRACT] INNER JOIN [BIOM ORDER NOTES EXTRACT] ON [BIOM ORDER EXTRACT].key = [BIOM ORDER NOTES EXTRACT].key;
Wiping Hard Disks with AutoClave 0.3
This is about University of Washington's autoclave, as tested in 2003 on a test PC and on my own (then). It seems to work great, despite being beta. We looked at it based on a tip from another SysAdmin.
Autoclave is built on a stripped-down version of Linux that fits on a floppy and includes everything necessary to completely wipe a hard drive clean. More powerful than Windows format, and free.
Since 2003 we have used Autoclave when retiring old PCs at the Bio-Medical Library. To build this disk (for our Systems staff):
1. Copy directory k:\systools\software\autoclave to your C: drive
2. Put a blank, formatted floppy into your a: drive
3. Start -> Programs -> Accessories -> Command Prompt
4. Within the command prompt (not Windows) "CD \autoclave"
5. Enter the command "rawrite" from within that directory
6. Enter "clave03.img" for the image source file
7. Enter "a:" for the target, then press enter twice
8. In a minute or two the floppy is ready. Type "exit"
Rawrite is a very old and widespread standard tool for creating Linux floppies from a DOS command prompt. After the prompt is closed, remove the floppy and label it "Autoclave" or the like. You can then delete directory c:\autoclave or make more disks.
When using Autoclave here, option 2 (with one random pass) is probably adequate for old "public" PCs, but Autoclave also offers several more exhaustive (and much slower) choices.
I am impressed with how a complete (albeit stripped) Linux fits so nicely on a floppy. Other floppy Linux versions are listed at www.linuxlinks.com/Distributions/Floppy. They include routers, terminal servers, firewalls and toolkits. One should be careful with such freeware (likewise with commercial software).
Dialup Testing with Win2K at Biomed
These instructions assume that the target computer has been configured for dial-up testing by Systems. The preparation of a computer for this includes starting with a standard staff Windows image, installing a modem and its driver, connecting it t the analog phone port of one of the new phones, creating shortcuts for LAN and University dialup, and changing a group policy right (via gpedit.msc) so that all users of that computer can enable/disable LAN connections on the fly without being administrator. Also, for security reasons all server services (web, ftp, vnc) should be removed or disabled.
That said, here’s how I prefer that staff handle dial-up testing. While it may be possible to be use both the LAN (Local Area Network) and the modem simultaneously, please use only one at a time. This will be better for security, and you will only get a true end-user experience if you disable the LAN. Fortunately, there is no need to unplug or move any cables.
How to disable the LAN and connect the modem:
1. Ensure that the modem (to the right of the PC) is on.
2. Hang up the phone so the line is available for modem.
3. Login to the PC and network as you normally would.
4. Close all applications. Do NOT run email or anything.
5. In the tray at the bottom right of the screen, right-click
the LAN icon and then click "disable" to disconnect.
6. Prove to yourself that the LAN is off by trying to open
Internet Explorer. It should fail to find its home page.
7. Double click the new desktop icon for "dialup" and
enter your Internet/email user ID and password.
8. After the modem connects, restart Internet Explorer
and test whatever Internet stuff you like. Speeds in
three tests were around 41k. This is probably typical.
How to disable the modem and reconnect the LAN:
1. Close all applications. Do not run email or anything.
2. In the tray at the bottom right of the screen, right-click
the modem icon and then click "disconnect".
3. Double-click the new desktop icon labelled "LOCAL
AREA CONNECTION" and watch the corresponding
tray icon reappear below (the one you killed earlier).
4. If/as needed, Start -> Programs -> Novell -> Login
to reconnect to server(s) and get drives H:, O:, etc.
Please only use modems for end-user testing. Your mileage many vary. Follow these steps precisely. We tweaked the PC so that this should work for any user. Let me know if you have trouble with this.