Grabbing the Throttle; Tool Time; Attachment Security; and more
Grab the Throttle
I must say that Keith Ward’s editorial in the January issue, “Grab the
Throttle,” hits home with me. I was always told that if you want something,
you have to go get it, because no one is going to give you anything! Here’s
an example: Working as a heavy equipment operator for over 20 years, I
wanted to do something different and provide a better living for my family.
I started taking night classes to get an MCSE in Windows NT 4.0. Many
of the other students were head and shoulders better than I was at this
stuff. I decided that if I wanted to get better at computers, I needed
to be doing it eight hours a day and not just eight hours a week. I took
an almost-$5 per hour pay cut and started working as a support tech. After
a year, the company saw my commitment, and I was offered a training position
and a chance to launch Windows XP. I’m currently an MCSE and MCSA in Windows
2000 and working at a help desk. I still have dreams of being a network
administrator. If you aren’t qualified, how do you get qualified? You
have to be willing to grab the throttle!
—Jeff Wallen, via online
Arizona
I have a private pilot’s license, too. Nothing is better than buzzing
the “padi fields” and coconut trees! My initial PPL was on a Cessna 172,
and I loved every minute of it. Anyway, I think this new “Take Control”
technique in the magazine is to help one improve, be more responsible,
more alert, look at all options and always choose the best one. Everybody
wants to move up, and here we’re being shown how. We all start as tech
support or on a help desk and want to move to administrator, engineer
or architect/consultant. So this new concept—and the articles—might help.
Of course, there’s a lot of other stuff one needs to do before taking
the big leap (such as specializing in a specific field, like security).
—Gill, via online
Singapore, Southeast Asia
Tool Time
I’m just beginning to look into auditing and policy management tools.
I’ve heard of FAZAM, but are there other tools I should look at?
—Amy Bremer
Newton, Massachusetts
We’ve done a lot of work with both policy and auditing tools. In
fact, we recently wrote a review of multiple policy and auditing tools,
“12 Mighty Labors of Active Directory Management,” in the September 2003
issue. We also describe in-depth how you can perform these 12 mighty labors
without commercial tools (online at: http://mcpmag.com/Features/article.asp?EditorialsID=361).
Both articles will give you a better idea of what you need to do to manage
an Active Directory.
As far as Fazam is concerned, it’s now integrated with NetIQ’s Security
Administration Suite, which provides much more functionality than Fazam
alone. You can also start by using the Microsoft Group Policy Management
Console. The GPMC is free at www.microsoft.com/downloads and provides
great support for Group Policy Management in AD.
Active Administrator from Small Wonders Software/ScriptLogic is also
a useful tool in the arena of audit and policy management. It wasn’t included
in our original review, but we think it bears a closer look if you want
a commercial tool, because it seems to address both of your areas of concern.
It depends on the size of your network or the number of users and
systems you need to manage, but our advice is this: Take a look at the
GPMC first. It’s free and may well do most of what you need. If that doesn’t
do it, move on to Active Administrator and/or Fazam.
—Nelson and Danielle Ruest
Attachment Security
If someone sends an e-mail attachment such as a text file using Yahoo
e-mail, what are the security risks? Where is encryption initiated? If
the file had been initiated from and received by machines with Windows
XP, Outlook 2000 or later, and Internet Explorer 6.0 with all the latest
service packs, does the attachment get encrypted? What is a good operating
procedure for security of e-mail attachments?
—Wayne Henegar, MCP
Mt. Carmel, Illinois
By default, attachments aren’t ever encrypted, and most free e-mail
services, like Yahoo, don’t handle S/MIME, which is required for encryption.
At best, you could ZIP and encrypt a file at the sender, in which case,
it would remain encrypted until decrypted on the destination machine.
But, you’re not sending a text file attachment at that point.
If you’re using Yahoo, the only way to ensure nobody can eavesdrop
is to encrypt the file—using something like WinZIP or Windows XP’s own
built-in compressed folders feature—on the sending machine, and then have
the recipient decrypt it. You’ll need to provide the recipient with the
ZIP file’s password to do so. Then everything in the ZIP will be encrypted
through the entire process, even when sitting in Yahoo.
At best, what Yahoo does is employ SSL/TLS to encrypt the connection
between your browser and the Yahoo servers. That means the data is encrypted
while physically in transit, but not encrypted while sitting on Yahoo’s
servers. Using something like WinZIP can offer a workaround.
—Don Jones
Taking Control
In reference to the January 2004 feature, “Taking Control of Your Users,”
by Mark Wingard: very good article. I know because I can speak from experience.
Our help desk calls have dropped significantly because we use a single
image for computers and have also implemented a common operating environment.
Using Windows XP with Group Policy Objects, we give users the tools needed
to do their job, yet prevent them from shooting themselves in the foot.
Standardization is the key to a smooth-running company and IT department.
—Houston Admin, via online
Houston, Texas
Wireless Tips
Thanks for the informative article in your January “Tips & Tricks”
column, “Little-Known Wireless Facts.” You seem to be just
the person to clarify a few questions my organization has concerning wireless.
I work on the Tech Support Team at The Summit Country Day School in Cincinnati.
We have approximately 1000 students, faculty and staff of about 200 and
around 700 computers. Of the 700 computers, we have 15 laptop carts of
16 to 20 machines and a laptop for each faculty member. The carts each
have an access point and are wireless running 802.11b. We have about 10
other access points on campus (802.11b). Due to some major construction,
several of our desktop labs are temporarily running on the wireless network,
also.
Our problem, and I guess my question, concerns the use of 802.11g access
points and the potential for improved throughput in real world usage.
Currently we’re having fairly good success with wireless when users
are just using the computers to read e-mail or surf (research). However,
we’ve had some serious bottlenecks during times when many users
are logging on for the first few times (getting new profiles) or when
an entire class pushes print in order to submit a paper to a teacher just
as class ends. When 16 users are all logging on at once, we have issues
where the users’ mapped drives, and so on, don’t always load
properly, and the actual boot time is very long due to the battle for
bandwidth the machines are waging. Similar problems occur when a lot of
users print or try to access bandwidth intensive Web sites.
Would upgrading the laptop cart access points to 802.11g help to alleviate
the bottleneck from the machines to the access point during the peak throughput
times? We really don’t have a problem with the network once
the data gets past the access point. I understand that some APs slow down
to 802.11 when used with the 802.11b cards. If this is correct, can they
still handle the wireless data coming through the air at the wider bandwidth?
—Kevin Ross, MCSE, A+
Cincinnati, Ohio
802.11g would definitely help. All of the users are sharing one wireless
“pipe.” By making that pipe bigger, they’ll be able
to work more quickly.
The trick is that if there are any 802.11b clients within range of the
802.11g AP, then all 802.11g devices will operate at a slower, “mixed-mode”
speed. It’s faster than b, but much slower than full g. The only
way around that is to eliminate all b clients within range of the AP.
Glad you enjoyed the article!
—Don Jones
NTFS and Encryption
Thanks for pointing out the presence of the CvtArea option in Chris Brooke’s
January “Scripting for MCSEs” column, “Build
a Better NTFS Converter.” I was unaware of that.
A minor nitpick, though... Without specifically enabling encryption for
files, they won’t be more secure than on FAT32. ACLs are enforced
by Windows, not the file system. With an NTFS-aware boot disk or a Linux
boot disk, the file system is bare, and all security—except encryption—ineffective.
If physical access to the drive is possible (like a stolen laptop) and
you’re not using encryption, don’t depend on NTFS security
features to protect that data. This goes for any unencrypted file system.
Encrypt those documents and spreadsheets if you want them secure—this
is very important. If you’re not familiar with this, give it a try.
Download that NTFS boot disk (not the Windows XP install disk; it enforces
those permissions). You won’t need the admin password to mount the
volume and you can read any file on the system. Any modern Linux CD should
be able to do this, too.
—Phil, via online
Columbia, Missouri
Thanks, Phil. Actually, I did mention encryption in the column,
but it was sort of “in passing.” Indeed, you’re correct:
EFS is the only effective way to protect files in the event that someone
gains physical access to the computer. Oh sure, you could enforce BIOS
passwords and configure your BIOS to disable the floppy and CD-ROM. Of
course, then all they need is a small screwdriver to remove the drive
and place it in an external enclosure and they would once again have access.
Thanks for pushing us to give EFS its due!
—Chris Brooke