Vol. 17, #27 - July 2, 2012 - Issue #886
SAVE THIS NEWSLETTER so you can refer back to it later for tips, tools and other resources you might need to do your job or troubleshoot some problem you're dealing with. And please feel free to FORWARD IT TO A COLLEAGUE who you think might find it useful. Thanks!
Let's start with some reader feedback from our June 18 newsletter Password Practices. A reader named Scott voiced the following complaint about password policies having short age requirements:
One of my pet peeves with passwords is short age requirements. One security expert, Ex-CIA too, who I heard at a security conference said that 30-day, even 90-day passwords are less secure than a 1 year password. Why? Because people write them down more often when they have to change them more often. Makes a lot of sense to me, especially since I've witnessed this occurring. So I support only strong passwords, but no less than a 12-month life. We also need to keep in mind that as computer professionals, our first job is people not computers. We must cater to the human factor long before we consider the machines. Else we would be out of a job.
I have to say that I pretty much agree with Scott on this matter. If you can train your users to memorize passphrases instead of passwords, a passphrase can be long enough (yet still easy to remember) that exhaustively guessing it is infeasible with any realistic amount of computing power, which removes the main argument for forcing frequent changes. The one caveat is that expiration was never really about guessing: it limits how long a password that has already been captured (phished, keylogged, or recovered from a breached database) stays useful, so the sensible rule is to require a change when compromise is suspected rather than on a calendar. What do you think? Email me at firstname.lastname@example.org if you have more to say on this matter, and see the Tip of the Week section of this newsletter for some recommendations on how to create strong passphrases.
A reader named David pointed out the frustration that can happen when organizations fail to harmonize multiple password policies:
I know that we need passwords and security to protect our data. However I sometimes wonder if the people who define the policies in a company communicate with each other and/or consider that the individuals who have to use the passwords may have issues if the policies vary from system to system. I was in a situation at one time where I seem to remember that I had to keep track of fourteen (that's 14) different passwords. It might not have been too bad if they had similar requirements for the number and type of characters in each and they had the same aging policy. It might also not have been too bad if I could have asked to change a password when I was triggered by one of them aging. In reality the aging was different, some I could say I wanted to change, others would only allow me to change when they aged. Net result was that I had no option but to keep a record of them somewhere otherwise I would never have been able to keep track and therefore would not have been able to do my job.
Until somebody produces a really good single sign-on mechanism for a large organization, upper management must realize that individuals cannot keep track of a multiplicity of passwords, and if they consider that passwords need to be held securely they really need to think about giving everybody a password safe. Oh, I've just remembered: in addition to the passwords mentioned above I had to have a BIOS password for my notebook.
I agree, managing multiple different passwords for many different applications and platforms can be a real pain--see the Admin Tools section of this newsletter for a free product that might help. What do other readers do to alleviate this problem? Let me know at email@example.com
Another issue is that strong password policies simply don't work in some environments as Bob from the UK points out:
In a school environment with some pupils only 8 years old, it is difficult enough to get them to remember their dog's name (and spell it correctly) for a password, let alone imposing complexity, or frequent change policies. This is a real problem, as of course it is important that staff ARE properly secure.
So maybe we should just issue smart cards to all elementary school children? Or implant RFID chips in their underwear?
Craig from Australia took issue with my recommending you "Don't forget to select the User Must Change Password At Next Logon checkbox when you reset someone's password" and says:
This can have one unintended consequence. We have a client that has users who use nothing but Outlook Web Access. OWA indeed allows users to change their password – once they have logged in. If you say user must change password on next logon then the logon process won't be completed until they change their password, which they can't change until… All that happens is users can't log into OWA anymore and the helpdesk gets another call.
So it looks like you're darned if you do and darned if you don't!
Finally, an anonymous reader who works in a DoD environment shared the following:
In DOD, password policy is mandated and cannot be changed at the local level. All products must use PKI where possible, and if they cannot, must provide compliance with DOD-prescribed password policies. Web-facing products must use PKI only. Lockout aggravates users but is very useful. In DOD it's 3 strikes and you are out, with admin intervention required. I always set Minimum age to 14 days since a user who stays that long on a password will never try to loop around - it's too much trouble - especially if password memory is set appropriately (24 is a good number).
Yes, things are usually stricter whenever PKI is involved. Which reminds me of the following bit of reader feedback to our June 4 issue PKI Potpourri which I had forgotten to share:
Great stuff. Keep it coming. As someone who supports PKI and domain controllers for Microsoft's Premier business I cringe when I find a CA on a DC.
Thanks for the encouragement :-)
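The settings the readers above argue for (Scott's 12-month lifetime, the DoD reader's 14-day minimum age, 24 remembered passwords and three-strike lockout, plus a minimum length that pushes people toward passphrases) can be expressed as a single fine-grained password policy (PSO) on Windows Server 2008 or later and applied to a group, so the default domain policy stays untouched for everyone else. The following is an added example, not code from the newsletter or from any of the readers quoted; the policy name, the group Passphrase-Users, the user jsmith and the 30-minute lockout duration are placeholders and assumptions of mine.

```powershell
# Added example: a fine-grained password policy that encodes the readers' settings.
# Requires the ActiveDirectory module (RSAT) and a domain functional level of
# Windows Server 2008 or higher. Names below are placeholders, not from the page.
Import-Module ActiveDirectory

$policy = @{
    Name                            = 'LongLivedPassphrases'
    Precedence                      = 100      # lowest number wins if several PSOs apply to a user
    MinPasswordLength               = 15       # long enough to push users toward a passphrase
    ComplexityEnabled               = $true
    MaxPasswordAge                  = New-TimeSpan -Days 365   # Scott's 12-month lifetime
    MinPasswordAge                  = New-TimeSpan -Days 14    # the DoD reader's 14 days
    PasswordHistoryCount            = 24       # 24 remembered passwords
    LockoutThreshold                = 3        # three strikes
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 30  # assumption: auto-unlock after 30 min
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @policy

# Apply the PSO to a group rather than to individual users, so group membership
# is the only thing you manage afterwards.
Add-ADFineGrainedPasswordPolicySubject -Identity $policy.Name -Subjects 'Passphrase-Users'

# Verify what a member actually gets: the winning PSO, or the Default Domain
# Policy if no PSO applies to that user.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, MinPasswordAge,
                  PasswordHistoryCount, LockoutThreshold, LockoutDuration
```

The lockout duration must be at least as long as the observation window, which is why both are 30 minutes here. The DoD reader's "admin intervention required" corresponds to a lockout duration of never; that setting is easiest to pick in the Active Directory Administrative Center PSO editor ("until an administrator manually unlocks the account"). Always run the Get-ADUserResultantPasswordPolicy check on a test account before adding a large group, because a PSO with a lower precedence number silently overrides this one.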
You'd think that "server dudes" like many of our newsletter readers would only be interested in big metal stuff like 64-core systems, SANs and the like. But what about the human-computer interface, a.k.a. the lowly keyboard? A lot of IT pros have very strong opinions about what the best keyboards are and would "rather fight than switch" when push comes to shove concerning keyboards. Hey, is that a mixed metaphor?
Anyways, if a particular brand of keyboard is your secret fetish, then more power to you. But the fact is, as the following XKCD comic unequivocally demonstrates, KEYBOARDS ARE DISGUSTING:
My own personal preference
I spend a lot of time on the computer and most of it involves typing on the keyboard, so you'd think that I'd be a perfect candidate for someone who has a keyboard fetish.
Well, I used to have one. There was a time a few years back when I bought a whole box full of old IBM AT keyboards at 5 bucks a pop from a Russian guy who ran a computer repair shop in a seedy part of town. I loved those old keyboards because you actually FELT the keys when you typed on them, they pushed back when you pressed on them and gave a reassuring CLICK to let you know you had succeeded in eking out another character of input. It was reminiscent of the 70s when I bought my first HP calculator, the revolutionary HP 35 with its tactile response keys and Reverse Polish Notation data entry format.
Then the day came when I decided to try out some of those newfangled keyboards that had all sorts of fancy features but felt like mush beneath my fingers. My SPELELING and OTHROGAPHRY went south pretty fast at that point, but eventually I got used to mushy keys and nifty single keypress actions that launched stuff like Internet Explorer and Windows Media Player.
Fast forward to today and now I just use whatever keyboard I happen to find lying around the office. And I usually have a couple of boxes of them around because I tend to purchase refurbished systems that usually have a keyboard or two thrown in with them.
What's the best keyboard for an IT pro?
So as you can see, I'm actually not one of those keyboard fanatics, or at least I'm no longer in that category. But many of my colleagues in the IT business are quite fanatical, and sometimes even obsessive, about the merits and faults of different types or brands of keyboards. Below is a smattering of recommendations culled from a number of different sources, all of whom have very strong opinions on this subject, and if you have others to recommend then email me at firstname.lastname@example.org
Microsoft Natural Keyboard Pro:
Find it on eBay:
Microsoft Natural Ergonomic 4000:
Gaming keyboards like the Microsoft Sidewinder X6:
Rosewill Mechanical Keyboard RK-9000BR with Cherry MX Brown Switch
Customizing your keyboard
Finally, what keyboard lover wouldn't want to customize their keyboard to make it even better? Here is the top keyboard mod I've heard from my colleagues:
Got any keyboard mods of your own to suggest? Email me at email@example.com
Passphrases can be easier to remember than passwords and can be much harder to crack as well. Here's a tip from Microsoft on how to create a strong passphrase:
Create an acronym from an easy-to-remember piece of information. For example, pick a phrase that is meaningful to you, such as My son's birthday is 12 December, 2004. Using that phrase as your guide, you might use Msbi12/Dec,4 for your password.
For more tips on creating a good passphrase, see the full Help & How-to article on this topic at:
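To put a number on "harder to crack", here is an added example (mine, not from Microsoft or the newsletter) that computes the size of the search space an attacker who has stolen password hashes must cover, for a mnemonic password of the kind Microsoft's tip produces and for passphrases built from randomly chosen words. The guess rate of 10 billion per second is an assumption standing in for a fast unsalted hash on a GPU rig; the 7,776-word list size is the classic Diceware list, used here only as a reference alphabet.

```powershell
# Added example: keyspace in bits and time to exhaust it, for passwords versus
# word-list passphrases. The guess rate is an assumption; change it to match
# the hash algorithm and hardware in your own threat model.

function Get-KeyspaceBits {
    # Bits of entropy for a secret of $Length symbols, each drawn uniformly
    # from an alphabet of $AlphabetSize symbols (characters or whole words).
    param([int]$Length, [int]$AlphabetSize)
    return $Length * [math]::Log($AlphabetSize, 2)
}

function Get-YearsToExhaust {
    # Worst case: the attacker tries every candidate once.
    param([double]$Bits, [double]$GuessesPerSecond = 1e10)
    $seconds = [math]::Pow(2, $Bits) / $GuessesPerSecond
    return $seconds / (365.25 * 24 * 3600)
}

$cases = @(
    # Microsoft's mnemonic "Msbi12/Dec,4": 12 characters, credited here with
    # the full 95 printable ASCII symbols per position (an upper bound).
    @{ Scheme = 'Mnemonic, 12 chars from 95 symbols'; Length = 12; Alphabet = 95 }
    # Random-word passphrases from a 7,776-word list.
    @{ Scheme = '4 random words from 7776';           Length = 4;  Alphabet = 7776 }
    @{ Scheme = '6 random words from 7776';           Length = 6;  Alphabet = 7776 }
    @{ Scheme = '7 random words from 7776';           Length = 7;  Alphabet = 7776 }
)

$cases | ForEach-Object {
    $bits = Get-KeyspaceBits -Length $_.Length -AlphabetSize $_.Alphabet
    [pscustomobject]@{
        Scheme         = $_.Scheme
        Bits           = [math]::Round($bits, 1)
        YearsToExhaust = '{0:E2}' -f (Get-YearsToExhaust -Bits $bits)
    }
} | Format-Table -AutoSize
```

Two things the table makes clear. First, length of the random part is everything: four random words (about 52 bits) fall in days at this guess rate, while six or seven words (about 78 and 90 bits) are in the same "millions of years" territory as a 12-character mixed password. Second, the 79-bit figure for the mnemonic is generous: a string derived from a sentence about your son's birthday is not uniformly random over 95 symbols, and an attacker who reads your social media profile does far better than brute force. The random-word figures are the honest ones, because they assume the words really were chosen at random.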
These two titles from No Starch Press have absolutely nothing to do with computers but they were a lot of fun to read!
Lego Heavy Weapons walks you step by step through building working (yikes!) replicas of four of the world's most impressive guns: Desert Eagle, Jungle Carbine, AKS-74U and SPAS 12. Just don't take one of these things out onto the street!
Want more? Check out the video "Lego Black Ops" on YouTube:
The Manga Guide to Linear Algebra teaches you matrix algebra, determinants, linear transformations and even eigenvalues, all with the help of some engaging manga cartoons. You may not become an expert in Linear Algebra after reading this, but if you feel intimidated by higher math then a book like this can be a lot of help:
Other titles in this series cover calculus, physics, relativity and more.
"Prior to my breakdown, it was normal for me to work 70- or 90-hour weeks... Working as much as I did is more than the human body is designed to take continuously. If you drive yourself that hard, you'll eventually begin to run on fumes before you shut down entirely. Being firm about creating and maintaining a healthy work/life balance is no more selfish than prioritizing happiness--in this case, it's about simple self-preservation! And if you're still skeptical, remember this: no one looks back on their lives at age 80 and says, Gee I wish I'd spent less time with my family and friends and more time at the office."
--Todd Patkin, from an interview with him in Exercise and Health Magazine
I mentioned Todd a few issues back. Todd is the author of "Finding Happiness: One Man's Quest to Beat Depression and Anxiety and--Finally--Let the Sunshine In" and this morning I happened to be re-reading the back issue of Exercise and Health Magazine in which Todd was interviewed concerning his book.
If you've ever run your own business, you can probably relate to what Todd says above. I know I can. IT pros, especially the self-employed consulting kind, tend to work 70+ hour weeks, and after a few years of doing that you begin to wonder why "the thrill is gone" as Chet Baker used to sing so poignantly.
Todd has lots of great advice in his book. If you're a workaholic like I tend to be, it might be worth your while to pick up Todd's book and read what he has to say:
Until next week,
Using Microsoft Hyper-V? Altaro Hyper-V Backup Freeware Edition is an easy to use Hyper-V aware backup solution. Watch YouTube Video.
Free business process modeler for Microsoft Visio:
Use this free open source password manager to safely store all your passwords:
Use this HOSTS file to block adware, spyware and other nasty stuff:
Pismo is a virtual file system that lets you mount .zip files so you can access them like a standard file system folder:
Contact Michael Vella at firstname.lastname@example.org to get your conference or other event listed in our Events Calendar.
Thursday 5 July - This session focuses on the enhancements of SQL 2012 including AlwaysOn, ColumnStore Index, Power View and PowerPivot, BI Semantic Model and Data Quality Services, and more.
Contact Michael Vella at email@example.com to get your webcast listed in our Webcasts Calendar.
The Mayans were wrong--the world won't end on December 21, 2012, but Windows XP support does end on April 8, 2014. Will you be ready? From the Canadian IT Pro Connection blog:
The Team Blog of MCS @ Middle East and Africa shows you how easy it is to implement fine-grained password policies in Windows Server 2012:
Channel 9 now has 26 hours of recorded video sessions from TechEd 2012 covering Hyper-V enhancements in Windows Server 2012. Here's one of them:
Aidan Finn accidentally downloads the release candidate for the standalone Hyper-V Server 2012 product and compares it to VMware ESXi free edition:
The Infrastructure Planning and Design team is working on a new guide: System Center 2012 - Virtual Machine Manager. Get the beta by visiting the Microsoft Connect website:
A short video introducing vCloud Director from the VMware vCloud Blog:
While you may be eager to take advantage of the centralized management benefits that VDI offers, it's critical to consider how server-hosted virtual desktops affect your network infrastructure. Access this resource to explore common VDI network issues and tips that can help you overcome them.
While the benefits of thin client devices are well-known, with so many options available, how do you determine which ones are right for your desktop virtualization project? In this resource, learn how to effectively sort through the saturated market by considering essential evaluation factors.
Although bring your own device (BYOD) programs can substantially boost end-user productivity, they can introduce new security challenges as well. Take advantage of this resource to review how to prevent these issues from impacting the benefits of your BYOD programs.
If you think server consolidation is the only cost benefit of virtualization, you could be missing out as virtualization power-management can save you a bundle as well. Learn how to utilize this valuable tactic to cut expenses and discover how it can also help support green initiatives – an added bonus!
What can you accomplish in 360 hours? The Chinese sustainable building company, Broad Group, has achieved another impossible feat - building a 30-story tall hotel in 360 hours:
Matt Harding is back with a new "Where In The World is Matt?" - 2012 edition. It is his best one so far:
Sixteen Spitfires flying in formation and then breaking off for some tail chasing. Awesome sight and sound:
Richart Sowa lives on an island that he made himself, using 100,000 discarded plastic bottles as a floating support structure:
Watch Formula 1 legend David Coulthard catch a golf ball flying through the air using a Mercedes SLS Roadster.
If imitation is the sincerest form of flattery, then during Microsoft's announcement of their newest tablet the 'Surface', Apple must have been very flattered:
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.