Archive for March, 2009

Remember Conficker – and check your AV Definitions

March 30th, 2009 Derek Schauland, MVP Comments off

With April 1st (Wednesday of this week) approaching and an unknown payload possibly headed for millions of computers, I felt it worth getting a post about Conficker out to IT Managers.

Conficker is a worm that is essentially a time bomb, waiting for instructions on its next move, which many think will come on April 1, 2009. At that point the worm's author could issue a command to steal information from every computer it has infected, or could do nothing at all.

CNet describes Conficker as follows:

“What is Conficker and how does it work?
Conficker is a worm, also known as Kido or Downadup, that cropped up in November. It exploits a vulnerability in Windows that Microsoft patched in October.

Conficker.B, detected in February, added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Conficker.C, which surfaced earlier this month, shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer networking and includes a list of 50,000 different domains, of which 500 will be contacted by the infected computer on April 1 to receive updated copies or other malware or instructions. Previous Conficker variants were written to connect to 250 domains a day. ”

Read more about Conficker on CNet

The Microsoft patch suggested for Conficker can be downloaded here

The message of this post is not new or complex: Conficker's payload date is fast approaching, so make sure your organization's systems are patched and running current malware definitions, and that the protection is actually running. Conficker.C shuts down security services and blocks access to security vendor sites, so a machine whose AV has quietly stopped updating deserves a closer look rather than the assumption that it is fine.

Sometimes worms are big and problematic, but most people outside of IT do not notice them until they have a problem; Conficker made 60 Minutes this week.
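As a starting point for the check the post asks for, here is a small triage script added by the editor; it is not code from the original post. It assumes the October 2008 patch the post links to is MS08-067 (KB958644), and the service names, vendor host names, and the Windows Defender definition-age check are the editor's choices for a managed Windows client, not anything the post specifies.

```powershell
# Editor's example, not from the original post. Assumptions: the October 2008 patch is
# MS08-067 (KB958644); the service list, host list and Defender check are the editor's picks.
param(
    [string]$PatchId = 'KB958644',
    [int]$MaxDefinitionAgeDays = 3
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the patch the worm exploits installed? Get-HotFix will not list it on systems where a
#    later cumulative update superseded it, so treat "missing" as "verify by other means".
$hotfix = Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue
if (-not $hotfix) { $findings.Add("Patch $PatchId not listed by Get-HotFix; confirm patch level.") }

# 2. Conficker.C stops security-related services. These are the ones a reviewer would expect
#    to be running on a managed Windows client (editor's list):
#    Windows Update, BITS, Security Center, Windows Defender.
foreach ($name in 'wuauserv', 'BITS', 'wscsvc', 'WinDefend') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { $findings.Add("Service $name is not present."); continue }
    if ($svc.Status -ne 'Running') { $findings.Add("Service $name is $($svc.Status).") }
}

# 3. The worm blocks name resolution for security vendor sites. Lookups that fail only for
#    these names while other names resolve are a red flag. (Constructed list.)
foreach ($h in 'www.microsoft.com', 'update.microsoft.com', 'www.symantec.com', 'www.mcafee.com') {
    try   { [void][System.Net.Dns]::GetHostAddresses($h) }
    catch { $findings.Add("Cannot resolve $h from this host.") }
}

# 4. Definition age, if Windows Defender is the AV on this machine (the cmdlet exists only
#    where Defender is installed). Other products expose the same information differently.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $status = Get-MpComputerStatus
    if ($status.AntivirusSignatureAge -gt $MaxDefinitionAgeDays) {
        $findings.Add("AV definitions are $($status.AntivirusSignatureAge) days old " +
                      "(last updated $($status.AntivirusSignatureLastUpdated)).")
    }
}

if ($findings.Count -eq 0) { "No findings on $env:COMPUTERNAME." }
else { $findings | ForEach-Object { "[$env:COMPUTERNAME] $_" } }
```

Save it as a .ps1 and run it on each workstation, or push it with Invoke-Command to a list of computers and collect the output in one place. Any machine that reports stopped services or failed vendor lookups should be isolated and scanned from known-good media rather than trusted to clean itself.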

Categories: Technet Tags: , ,

TechRepublic Article: Improve security and performance with Read Only Domain Controllers

March 29th, 2009 Derek Schauland, MVP Comments off

In this post at Techrepublic.com I discuss the benefits of using Read Only Domain Controllers in your Active Directory environment. Check out the post for more details.

Documentation Review

March 26th, 2009 Derek Schauland, MVP Comments off

For any IT Manager and their staff, documentation can be a lifesaver. Keeping good documentation about the problems you have been presented with, or that arrive in the helpdesk email box, gives your co-workers what they need to get back on their feet when the issue pops up in the future.

Writing and publishing the documentation is one thing, but if you do not take the time to review the files and documents used to accomplish tasks, the documentation does little good. It is imperative that published documents are "living documents" so they keep up with changes in procedure and technology.

Implement a documentation review

Take the time to sit down with your team and your co-workers (separately might be best) to review documents that you publish. This will help you and your team determine which documentation will best meet the needs of the organization and which documents need to be updated.

Sitting down with the employees who use the documents in small groups will also help ensure the usefulness of documents.

So we need to review documents… how often do we do it?

In my experience, the review process depends on the documentation. If you are sitting down with users to determine their needs, twice each year or when a process or technology changes might suffice. Working with your team to review and revise documents published should be much more regular and perhaps happen quarterly or even monthly.

This process will keep documentation top of mind and keep things from going stale. Working on documentation proactively can help keep fires from swelling out of control.

Hopefully this brief mention of documentation review sparks your interest. Please comment about your ideas and suggestions for making the documentation review process work.

Categories: Technet Tags:

Community Spotlight: TechRepublic.com

March 18th, 2009 Derek Schauland, MVP 1 comment

TechNet is a great place to go for all things Microsoft. All the IT information about Microsoft products and services in one convenient location. But what about the other products and vendors out there?

Many IT shops run a mix of Microsoft and other products. Since I started working in IT, having many resources for finding different opinions and documentation on those products has been a great help.

One such community is TechRepublic, a blog site owned by CBS Interactive that provides product reviews and articles to help solve IT-related issues in a clear and concise manner.

Note of Disclosure: In addition to blogging for TechNet, I post weekly for TechRepublic. They are not sponsoring this post in any way. It is my feeling that all resources available should be covered and reviewed for all who can make use of them.

TechRepublic is broken up into several blogs, each focusing on different areas. Some of these areas are:

In addition to blogging about various topics, TechRepublic also produces white papers, downloads, podcasts, and a community forum where blog posts are discussed and questions are asked. The forums are a great resource for both Microsoft and other vendors' products. TechRepublic also looks at challenges that are not product specific, and the career management and leadership blogs have always been very well thought out and helpful.

Many authors who post at TechRepublic have 1 – 3 posts per week and the content changes regularly. Because the site is geared to the community, asking questions in the forums will sometimes yield posts on the blogs covering the topic. If there are certain issues that you would like addressed, post questions in the forums.

Note: I also encourage you to post in the IT Management forums on TechNet and explain some of the issues that you, as an IT Manager, are having. Not only will this help you get your questions answered, but it provides topics that may also help someone else with a similar item and worthwhile topics for blogs.

General membership, which includes access to the forums, is free of charge. Other areas of the site and some downloads are available for a fee.

Working with this community has been a great experience and the site is very well organized. I hope you will give it a read and visit the forums, you may find that the community is very helpful and provides great information.

Please check out the poll at the bottom of this post and leave your thoughts in the comments.

Do you think sites like TechRepublic and other communities are helpful?

Categories: Technet Tags:

Mistakes are a part of IT Management

March 14th, 2009 Derek Schauland, MVP Comments off

As an IT Manager you will make mistakes, and this is a good thing, as long as the mistakes are treated as learning opportunities rather than outright failures. I read an interesting post over at TechRepublic recently and thought it worth passing along.

Joey Smith discusses the 10 biggest mistakes IT managers make. I have made some of these and not realized the impact until quite a while later. Maybe this list will help you get off on the right foot.

Read the article here

Categories: Technet Tags:

Provide better remote support with Goto Assist Express

March 11th, 2009 Derek Schauland, MVP Comments off

Telecommuting and travel are common in business today, and in some organizations staff working from home saves the company money; that is still the case. The economy has dented corporate budgets from mom and pop shops to huge organizations, which makes a good case for using remote support to save some money.

Telecommuting is a great option if it is right for your business, honestly serves the mission statement, and benefits the bottom line. If there are telecommuters, though, there needs to be a good, reliable way to support and assist them. The experience should be as close to a desk in the office as possible, but your mileage may vary.

Providing superb support remotely

Many applications exist to help with this, from PC Anywhere to Webex (now a Cisco product), and to some extent Microsoft Live Meeting, and these applications have varying price points as well. The application that I have found to work best for my situation is brand new as of February 2009, although the concept and similar products have been here awhile.

Goto Assist Express by Citrix Online

This product is similar to the corporate version of Goto Assist but is designed for single user use. It can manage up to eight sessions with co-workers or clients concurrently and has a rather modest price point.

The subscription options and costs for the service are:

Annual – $660.00

Monthly – $69.00

Day Pass – $9.95

The annual and monthly options also allow unattended support, which lets you work on a system after hours without the user being present. Unattended support means an agent with standing remote access stays installed on that machine, so guard the technician account that controls it as carefully as an administrator password and review the session notes for access you did not expect. The day pass option might be best for environments where there is not a constant need for the service.

The Express version of GoTo Assist is more affordable per user than its corporate counterpart, especially if your shop dedicates one user to remote support. Here is an example:

Suppose your department has 5 staff members. Using GTA Express you might sign up for an account and rotate the staff member who is working with remote support or even schedule its use to avoid overlap.

Features of note

The application also allows the technician using it to make notes about the session which are saved in the GTA Express account online. These can be viewed by logging into http://www.gotoassistexpress.com with your username and password.

Another thing I found nice about this application is the portability. Loading the technician portion on a laptop allows support to happen from anywhere there is Internet Access. The user is directed to a custom URL and enters a session ID to access the support session. Once in session, their computer is visible to the technician. The image below shows the desktop of a computer in session.

Figure 1: Session displaying remote desktop

Not for all shops, but nice for small shops

I am not trying to replace the corporate version of GoTo Assist or any other product, but to focus on the smaller shops that need to support remote users or offices as if they were right down the hall. This was the best and most affordable solution I found for my environment, which is a one-person shop.

To provide a more feature rich look at the application I will dive into the features in coming posts. First up, later this week, Unattended Support.

To give it a try visit the website and select free trial. This will get you 30 days to kick the tires and see if the application fits your needs.

Categories: Technet Tags:

Save time and increase productivity using AD saved queries

March 7th, 2009 Derek Schauland, MVP Comments off

Microsoft Active Directory is an amazing directory service, capable of managing networks of three computers or 3000 computers. Many IT Managers think about those two networks differently, though, and I know I do. Microsoft thought of that and provides a tool for finding objects in the directory based on their attributes. The best part? You can save these queries for later use.

Saved Queries in Active Directory

In Windows Server 2003 and later, the Active Directory Users and Computers tool lets you save queries that find objects. A saved query lives in the console on the machine where you created it; to share one with another administrator, right-click it and choose Export Query Definition, then import the resulting XML file on the other console.

The best example of its use, for me at least, is stale accounts. A query based on last logon date helps get these accounts disabled and improves network security. One caveat: the Days since last logon criterion reads the lastLogonTimestamp attribute, which exists only at the Windows Server 2003 domain functional level and is replicated lazily, so it can trail the real last logon by up to 14 days. Treat the result as a list of candidates to disable rather than delete, so a mistake is reversible.

To create a saved query complete the following steps:

1. Open Active Directory Users and Computers

2. Click on the saved queries node

3. Right click the details pane and choose New

4. Select Query

From here you will define the query by entering the following in the New query dialog box (Figure 1)

Figure 1: Populate the basics for your query

Name – Provide a name for your query

Description – enter some information about the query to help other administrators (and yourself down the road)

Query Root – this is the starting point for the query. If you select the OU for Accounting here, this OU and its contents will be the only area searched

Note: For wide sweeping queries select the domain node as the root

Click Define Query to choose the criteria for your saved search. This opens the Find dialog; the default Find type is Common Queries, which exposes the most frequently used criteria on a set of tabs, as shown in Figure 2.

Figure 2: Define the criteria for your query

To complete the stale accounts query above, select Common Queries, choose the Users tab, and pick a value for Days since last logon. The query returns every user account whose last logon stamp is older than that many days.
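The same stale-account search done from PowerShell, so it can be scheduled and its output kept, added here by the editor as an example (not code from the original post). It assumes the ActiveDirectory module is installed and that the domain is at Windows Server 2003 functional level or higher so that lastLogonTimestamp exists; the 90-day default and the description text written to disabled accounts are the editor's choices.

```powershell
# Editor's example, not from the original post. Assumes the ActiveDirectory module and a domain
# functional level of Windows Server 2003 or higher (when lastLogonTimestamp appears).
param(
    [int]$Days = 90,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # query root; use an OU DN to narrow it
    [switch]$Disable                                          # report only unless -Disable is given
)

# ADUC's "Days since last logon" filters on lastLogonTimestamp, stored as a Windows FILETIME.
$cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()

# User objects (not computers) that are enabled and whose replicated last-logon stamp is older
# than the cutoff. Accounts that have never logged on carry no lastLogonTimestamp and are NOT
# returned by this filter; find those separately by whenCreated.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
          "(lastLogonTimestamp<=$cutoff))"

$stale = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
            -Properties lastLogonTimestamp, whenCreated, description |
    Select-Object SamAccountName, DistinguishedName, Description, whenCreated,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } |
    Sort-Object LastLogon

# lastLogonTimestamp is replicated lazily and can trail the real last logon by up to 14 days,
# so this is a candidate list. Disable, never delete, so a wrong call is reversible.
$stale | Format-Table SamAccountName, LastLogon, whenCreated, Description -AutoSize

if ($Disable) {
    foreach ($u in $stale) {
        $note = "Disabled $(Get-Date -Format yyyy-MM-dd) after $Days days inactive; was: $($u.Description)"
        Set-ADUser -Identity $u.DistinguishedName -Description $note
        Disable-ADAccount -Identity $u.DistinguishedName
    }
}
```

Run it without -Disable first and read the list; service accounts that authenticate with a stored password often show an old lastLogonTimestamp and should be excluded or moved to their own OU before you narrow the query root. The one-line equivalent, Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly, uses the same attribute and carries the same 14-day caveat.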

Adding columns

When you have created a saved query you can change the view of the query to include different columns, adding the logon name to a query for users perhaps. When you add a column to a saved query, the column is also saved. If you try that in another area, like the view for an Organizational Unit, the added columns are removed when you refresh the view on the container.

Figure 3 shows the initial columns for a saved query of users whose names begin with M: Name, Type, and Description. After the E-Mail Address column is added in Figure 4, it remains each time the query is viewed.

Figure 3: The default view shows select columns

Figure 4: After columns are added to the view, they remain

Once you have a few queries defined locating objects in Active Directory should be quite simplified.

Categories: Technet Tags:

Managing access with Rules and Roles

March 3rd, 2009 Derek Schauland, MVP Comments off

Managing a team as a whole and managing its individual members are both part of the IT manager's day. Getting a batch of new information out to your team is easier in a group setting than one person at a time, but some information should be handled one on one.

Many organizations manage Active Directory in much the same fashion. Creating a group to provide access to a resource has been in practice since the pre-AD networks of Windows NT, but there are even better ways to manage these items and in this post I plan to look at using groups differently and how doing so might be an easier method.

Rules

All organizations have rules. Dress codes, smoking policies, hours of operation, all of these are rules that the employees must follow to comply with corporate policy. The same method can be used in managing network access. Use a rule to provide access of a specific type to a resource.

Consider the following:

An organization has a file server with two folders, Sales and Accounting. Some employees need to see the contents of the Sales folder while others need to change it. The users who need either of these are different from those who need access to the Accounting folder; however, the Chief Marketing Officer has been working on a project and needs read access to Accounting. As you can see there is overlap in who needs access to what, and in what kind of access they need.

Granting access this way isn't too bad for a two-folder organization, but what happens when there are suddenly 500 folders and 1500 users needing some kind of access to them? That becomes unwieldy fast, and per-user entries on each folder are where stale access accumulates, because nobody removes the entry when the person changes jobs.

So what can we do about it? Simple. Start thinking differently about the issue.

Determining how many types of access you need gets you off on the right path. Typically there are users who need to add, modify, or remove items in a folder and users who only need to see them. Two access constraints per folder doesn't seem so bad.

Creating a group in AD for each type of access to each folder defines the rules. Using a Domain Local group keeps the access to the resource within the AD domain in which the resource lives. Here's an example:

With our sales and accounting folders we could create four groups, two groups for each folder, to handle the permissions on that folder. One for editing and one for reading.

Accounting: perm_accounting_edit and perm_accounting_read
Sales: perm_sales_edit and perm_sales_read

The names are short and descriptive

perm – what the group controls (permissions)

sales – which folder (or resource) the group acts on

edit/read – the type of access the group allows

This way the access to the resource is controlled by a group that handles that one task and lives in the domain of the resource, keeping things as simple as possible.

Once the groups are created, assigning the permissions to the folders will complete the process. For the accounting groups complete the following tasks:

1. Open the folder containing the accounting share

2. Right click the Accounting folder and select properties

3. Click the Security tab and click the Add button

4. Enter the name of the user or group to add permissions for and click Check Names. In this case you will add perm_accounting_read and perm_accounting_edit.

5. Click OK on the Select Users, Computers, or Groups dialog

6. Select the perm_accounting_edit item on the security tab

7. Click the advanced button

8. Select the newly added group in the Permission Entries list

9. Click the Edit button to modify the permissions for the group

10. For the edit group, ensure that the Allow box is checked for List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Traverse Folder/Execute File, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, and Delete. This is the same set the standard Modify permission grants on the Security tab. Checking only the four create/read/traverse rights lets members add files but not rename, delete, or read the attributes of what they created.

For the read group, allow List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, and Traverse Folder/Execute File, which is the standard Read & Execute permission and what the Security tab grants by default when you add a principal.

11. Click OK on the Permission Entry dialog box and the Advanced Security Settings dialog box

12. Click OK on the Properties dialog for the resource.

For the sales folder in the above example, open the properties sheet for the Sales folder by right clicking the sales folder and choosing properties. Then complete steps 3-12 substituting the sales read and edit groups for the accounting read and edit groups.

Note: Editing a folder means both reading and writing it, so the edit group needs the read rights as well as the write and delete rights; Modify covers all of them, while Read & Execute is enough for viewing and opening items. Share permissions still apply on top of these when the folder is reached over the network, and the effective access is the more restrictive of the two, so grant the share itself broadly (for example Change to Authenticated Users) and let the NTFS groups do the work.

This will allow you to individually select permissions for the selected security item, keeping the permissions assigned to the folder restricted to only the actions they need to accomplish their tasks.

Now that the rule groups have been created, placing the bevy of user accounts in those groups seems as easy as adding all the users, and that should be it. While this is technically true, there is a method to the user accounts portion of this process too.

Roles

When an individual gets a job, they are assigned a role in an organization. The maintenance staff works to keep things like the air conditioner working when it is needed. The IT staff works to keep the servers running, and the marketing interns help get all of the mailings out to customers as soon as possible.

The position encompasses the responsibilities the user is expected to complete as a part of their job. Access to resources will likely be tied to the positions of the employees. For example, the employees in the accounting department will need access to resources related to their position.

To manage the accounting employees as a single unit, create a group and make them all members of it, perhaps empl_accounting to denote that the members are user accounts in the accounting department, and an empl_sales group for the sales employees. Make these role groups Global (or Universal) rather than Domain Local, so they can be nested into rule groups in any domain of the forest.

This way access to resources for accounting employees is managed by working with empl_accounting rather than with each user account, and a new hire or a transfer is handled by changing one group membership instead of touching folder permissions.

Putting it all together

Thus far, we have created groups to manage specific types of access to specific resources and different groups to manage user accounts with similar needs. This will help keep the access simplified and the management of employees simplified.

To provide the accounting employees with access to the accounting folder, simply add the empl_accounting group as a member in the perm_accounting_edit group. This will provide the employees in the accounting department the ability to edit the contents of the accounting folder.

For the Chief Marketing Officer, you could add his user account to the perm_accounting_read group, or depending on other employee groups and membership, add one of those groups to the perm_accounting_read group. This would provide a simplified management structure for both user accounts and access to resources.
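The rules-and-roles layout described above built with PowerShell instead of the GUI, added here by the editor as an example (not code from the original post). It assumes the ActiveDirectory module, that the shared folders are on the local server under D:\Shares, that an OU named Groups exists to hold the new groups, and that the Chief Marketing Officer's logon name is cmo; all four are assumptions.

```powershell
# Editor's example, not from the original post. Assumptions: ActiveDirectory module present,
# folders under D:\Shares on this server, an OU=Groups container, and a user named cmo.
Import-Module ActiveDirectory

$groupOU = 'OU=Groups,DC=example,DC=com'   # assumed OU for the new groups
$root    = 'D:\Shares'                      # assumed local path of the shared folders

# Rules: one Domain Local group per (resource, access type), named perm_<resource>_<access>.
$rules = @{
    'Accounting' = @{ edit = 'perm_accounting_edit'; read = 'perm_accounting_read' }
    'Sales'      = @{ edit = 'perm_sales_edit';      read = 'perm_sales_read' }
}
# Roles: one Global group per job function, so it can be nested into rule groups anywhere.
$roles = 'empl_accounting', 'empl_sales'

foreach ($r in $roles) {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$r'")) {
        New-ADGroup -Name $r -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}

foreach ($folder in $rules.Keys) {
    foreach ($kind in 'edit', 'read') {
        $g = $rules[$folder][$kind]
        if (-not (Get-ADGroup -Filter "SamAccountName -eq '$g'")) {
            New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $groupOU
        }
    }

    # NTFS: Modify for the edit rule (read, write, delete, attributes), ReadAndExecute for the
    # read rule. Both inherit to subfolders and files.
    $path = Join-Path $root $folder
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $acl       = Get-Acl $path
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($entry in @(
        @{ group = $rules[$folder]['edit']; rights = 'Modify' },
        @{ group = $rules[$folder]['read']; rights = 'ReadAndExecute' })) {
        $sid    = (Get-ADGroup $entry.group).SID
        $rights = [System.Security.AccessControl.FileSystemRights]$entry.rights
        $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
                      $sid, $rights, $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
}

# Putting it together: nest roles into rules. Accounting staff edit their own folder; the
# CMO's account goes into the read rule directly, as the post describes.
Add-ADGroupMember -Identity 'perm_accounting_edit' -Members 'empl_accounting'
Add-ADGroupMember -Identity 'perm_sales_edit'      -Members 'empl_sales'
Add-ADGroupMember -Identity 'perm_accounting_read' -Members 'cmo'   # assumed sAMAccountName

# Verify: the folder's ACL should show only the rule groups plus the inherited system entries.
Get-Acl (Join-Path $root 'Accounting') | Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The verification step at the end is worth keeping as a periodic check: if a user or a role group ever appears directly on a folder's ACL, someone has bypassed the rule groups and the layout has started to drift. Note also that nested group membership only takes effect in a user's token at next logon.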

Streamlining resource access and the users to which access is assigned can reduce the headaches and stress associated with managing Active Directory and improve IT productivity at the same time.

Categories: Technet Tags: