Vol. 17, #25 - June 18, 2012 - Issue #884
- Editor's Corner
- From the Mailbag
- Password Practices
- Tip of the Week
- Recommended for Learning
- Quote of the Week
- Admin Toolbox
- Admin Tools We Think You Shouldn't Be Without
- Events Calendar
- Webcast Calendar
- Optimizing Backup and Recovery for Oracle Applications in VMware Environments with EMC
- This Week's Webcasts
- Register for Webcasts
- Where’s The Windows “Start” Button?
- Whitepaper with some important Hyper-V best practices
- Hacking servers that are turned "off"
- Visual Basic is dead, long live Visual Basic!
- Whitepapers, podcasts and other configuration management resources
- Five common mistakes of constructing a cloud presence
- Why virtual server tools won’t work for VDI performance monitoring
- VDI pilot project guide
- A first look at Microsoft Office 15 features
- This Week's Links We Like. Fun Stuff.
- SolarWinds Log & Event Manager: No more complex Searches
SAVE THIS NEWSLETTER so you can refer back to it later for tips, tools and other resources you might need to do your job or troubleshoot some problem you're dealing with. And please feel free to FORWARD IT TO A COLLEAGUE who you think might find it useful. Thanks!
From the Mailbag
We're still getting a few hardware recommendations from readers in response to our May 28 issue Hardware Hints. This one is from Tony in the UK:
Few people are aware of the Belkin F5L009 – at around £50/$80 this is an Ethernet box with 10/100 and 5 USB2. It requires a client on each machine to access it. Not all devices work across it – TV tuners don’t but disks, printers and even my 3G dongle do.
It has a further use – the reason I have one – it is one of the few ways you can connect USB devices to Virtual Machines. There are other similar boxes around. In my case, it is the way to connect a FAX modem to my SBS2008 server which is running as a VM.
Another really odd one – my HP 8500 all in one has a USB socket and the 8500 itself has wired Ethernet. It certainly supports a USB memory stick as well as a Bluetooth dongle. Until now, I hadn’t thought of trying to see if it will support other USB devices over the network – I suspect not, but it is one of those things that is always worth experimenting with.
Here's a link to the Belkin F5L009 5-Port Network USB Hub:
Password Practices
Passwords are both the front line of computer security and the bane of the helpdesk. "Help, I've lost my password!" is always a difficult support call to handle because of its social engineering implications, as Kevin Mitnick so entertainingly describes in his classic book The Art of Deception:
Before we talk about some best practices relating to passwords (and what you can do if you can't remember your password) let's first see how the Dog House Diaries handles the problem of forgetting your password:
Password policies are a set of Group Policy settings that enforce password requirements for domain users in Active Directory environments. The six policy settings for passwords are:
- Enforce password history
- Maximum password age
- Minimum password age
- Minimum password length
- Password must meet complexity requirements
- Store passwords using reversible encryption
More on this in a moment.
Fine-grained password policies
For domains running Windows Server 2003 and earlier, you could only configure one set of password policies for your domain. Windows Server 2008 introduced fine-grained password policies which lets you specify different password policies for different sets of users in a domain, but to configure fine-grained password policies you had to do a bunch of fiddling around in Active Directory using ADSIEdit as described here:
Windows Server 2012 however now lets you configure fine-grained password policies through the GUI as shown in this blog post from the Team Blog of Microsoft Consulting Services for the Middle East and Africa:
That's a great blog by the way and well worth following in your newsreader...
So if you configure fine-grained password policies in your environment, do you still need to configure a regular password policy in your Default Domain Policy GPO? You probably should, for the simple reason that should you fail to assign a fine-grained password policy to certain users, you will want a strong "fall back" password policy in place to cover this eventuality. However, in Windows Server 2008 and later you also have the option of configuring fine-grained password policies so that no domain users fall back to the password policies defined in the Default Domain Policy GPO.
Password policies: some do's and don'ts
Commonly recommended best practices for configuring password policies include those described in the following TechNet Magazine article:
But how good are these recommendations? When it comes to computer security, I always like to remember the following maxim:
"The more secure it is, the less secure it is."
What I mean by that is that there's always a tradeoff between security, manageability and usability in any IT environment, and this means two things:
- The more secure it is, the harder it will be to manage from an IT perspective, which means there's a greater possibility of error, which means your environment is potentially less secure, not more secure.
- The more secure it is, the more frustrating it will be to the users who have to use it, which means users will likely try to find ways to circumvent the security controls, which means your environment is potentially less secure, not more secure.
One thing you want to be careful about, however, is making changes to the password policies for your domain. For example, let's say your maximum password age policy setting is currently configured as 90 days and for some reason the powers-that-be at your company have decided that this "isn't secure enough" or whatever. So you're told to change the maximum password age setting to 30 to "make it more secure" and so on. This change is then applied via Group Policy to all 5,000 users in your company, and the next morning thousands of users get a "your password has expired, you must change your password" message when they try to log on to their computer, so they all phone helpdesk to ask what's going on. I think you've just made some enemies in your helpdesk department!
Here's another gotcha regarding password policies. Let's say the minimum password age policy setting is configured as 3 days for your environment. Then one day, a user phones helpdesk and says they forgot their password and can't log on to the network using their computer. After verifying the user's identity (to guard against a social engineering attack) the helpdesk administrator resets the user's password but forgets to select the "User must change password at next logon" checkbox. Guess what? The user won't be able to change their password until three days from now. The moral of the story is: Don't forget to select the "User must change password at next logon" checkbox when you reset someone's password! And by the way, the value for minimum password age only needs to be greater than zero, so specifying 1 day is just as good as 3 days.
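As an added example (not from the newsletter or from Microsoft), here is a PowerShell fragment for both gotchas: it previews how many users a lower maximum password age would expire overnight before you push the GPO change, and it performs a helpdesk reset that always ticks the "must change at next logon" box. It assumes the ActiveDirectory module (RSAT) is installed and that you run it with rights to read and reset the accounts.

```powershell
# Added example, not from the newsletter: dry-run a MaximumPasswordAge change
# and reset a password without tripping the MinimumPasswordAge gotcha.
# Assumes the ActiveDirectory module (RSAT) and suitable account rights.
Import-Module ActiveDirectory

function Get-PasswordAgeChangeImpact {
    # Lists enabled users whose current password is already older than the
    # proposed maximum age, i.e. everyone who would be forced to change it
    # at their next logon the morning after the GPO change applies.
    param(
        [Parameter(Mandatory)] [int] $ProposedMaxAgeDays
    )
    $cutoff = (Get-Date).AddDays(-$ProposedMaxAgeDays)

    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet,
            @{ Name = 'PasswordAgeDays'
               Expression = { [int][math]::Floor(((Get-Date) - $_.PasswordLastSet).TotalDays) } }
}

function Reset-UserPasswordSafely {
    # Resets the password the way helpdesk does, then always sets
    # "User must change password at next logon" so the user is not blocked
    # by the minimum password age until they can pick their own password.
    param(
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [securestring] $NewPassword
    )
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Confirm the flag took: PasswordExpired is $true when pwdLastSet is 0.
    Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordExpired |
        Select-Object SamAccountName, PasswordLastSet, PasswordExpired
}

# Usage: how many helpdesk calls would 90 -> 30 days generate tomorrow morning?
$impact = Get-PasswordAgeChangeImpact -ProposedMaxAgeDays 30
"{0} users would be forced to change their password immediately" -f @($impact).Count
$impact | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Usage: helpdesk reset for a placeholder account, prompting for the new password.
Reset-UserPasswordSafely -SamAccountName 'jsmith' -NewPassword (Read-Host -AsSecureString 'New password')
```

Run the impact report first and stage the GPO change in batches if the count is large; the reset function refuses nothing, it simply never forgets the checkbox.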
If you want more detailed information about password policy recommendations and other Windows security settings recommendations, a good place to start is the Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2:
What about account lockout?
But password policies are only one half of the policy settings found under Computer Configuration\Policies\Security Settings\Windows Settings\Account Policies. The other half are the Account Lockout policy settings, which are basically designed to help prevent brute force attacks on the passwords for user accounts from succeeding. The problem with account lockout policies however is that you can shoot yourself in the foot if you configure them because an attacker can simply use them to perform a denial-of-service attack against your user accounts to prevent users from being able to log on to their computers. Not only that, some legacy enterprise applications that don't utilize Windows integrated authentication will perform multiple authentication attempts when an incorrect password is specified by the user, and if you configure the account lockout limit to too low a value (say around 5 attempts) then these applications may end up inadvertently locking the user out of the network when the user enters only one incorrect password!
So my own feeling is that configuring account lockout policies generally does more harm than good, and if your password policies require sufficiently strong (long and complex) passwords then that should be enough to prevent potential DoS attacks against your Active Directory accounts.
What do you think?
Anyways, I'd be interested in hearing what our readers think are the best password policy settings for Active Directory environments and why, and also whether you think that account lockout policy settings have any value or not. Email me at [email protected] if you want to share your thoughts with the community.
PowerShell and passwords
Did you know you can change the password of a domain user account using Windows PowerShell? Ed Wilson (a.k.a. The Scripting Guy on TechNet) tells us how:
And here's a script from the Windows PowerShell forum on TechNet that explains how you can perform bulk password resets for users via a script:
I'm sure there are more elegant ways of doing this, but if it works, it works, as they say in IT...
What if you want to know when a particular user last changed his password and how many days are left until the user's password expires? Check this out:
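The following PowerShell function, added here and not part of the newsletter or of Ed Wilson's scripts, does what the last two paragraphs describe for one or many users and also shows the fine-grained versus Default Domain Policy fall-back discussed earlier: it reports which policy actually applies, when the password was last set, and how many days remain, using the msDS-UserPasswordExpiryTimeComputed attribute. It assumes the ActiveDirectory module and a Windows Server 2008 or later domain; the user name and OU in the usage lines are placeholders.

```powershell
# Added example, not from the newsletter: resolve a user's effective password
# policy and expiry. Requires the ActiveDirectory module (RSAT) and a
# Windows Server 2008 or later domain; user/OU names below are placeholders.
Import-Module ActiveDirectory

function Get-UserPasswordStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $SamAccountName
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet,
            PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

        # A fine-grained policy (PSO) wins if one applies to the user; otherwise
        # the user falls back to the password settings in the Default Domain Policy.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user
        if ($pso) {
            $policyName = $pso.Name
            $maxAge     = $pso.MaxPasswordAge
        } else {
            $policyName = 'Default Domain Policy'
            $maxAge     = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        }

        # msDS-UserPasswordExpiryTimeComputed already accounts for the resultant
        # policy, but two sentinel values must be caught before FromFileTime():
        #   0 or missing      -> pwdLastSet is 0, user must change at next logon
        #   [long]::MaxValue  -> password never expires (FromFileTime would throw)
        $raw      = $user.'msDS-UserPasswordExpiryTimeComputed'
        $expires  = $null
        $daysLeft = $null
        if ($null -eq $raw -or $raw -eq 0) {
            $note = 'must change at next logon'
        } elseif ($raw -eq [long]::MaxValue) {
            $note = 'never expires'
        } else {
            $expires  = [datetime]::FromFileTime($raw)
            $daysLeft = [int][math]::Floor(($expires - (Get-Date)).TotalDays)
            $note     = if ($daysLeft -lt 0) { 'expired' } else { '' }
        }

        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            Policy          = $policyName
            MaxPasswordAge  = $maxAge
            PasswordLastSet = $user.PasswordLastSet
            ExpiresOn       = $expires
            DaysLeft        = $daysLeft
            Note            = $note
        }
    }
}

# Usage: a single user, then every enabled user in one OU (placeholder names).
Get-UserPasswordStatus -SamAccountName 'jsmith'
Get-ADUser -Filter { Enabled -eq $true } -SearchBase 'OU=Sales,DC=example,DC=com' |
    Select-Object -ExpandProperty SamAccountName |
    Get-UserPasswordStatus |
    Format-Table -AutoSize
```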
By the way, you might want to point your end-users (and family members) to the following page on the Microsoft Safety & Security Center to make sure they understand the difference between strong and weak passwords:
Lost your password?
Finally, what can you do if you've lost the password for a local user account on your Windows computer? While there are lots of password crackers out there (and I'm sure you readers can recommend some favorites) my own recommendation (if you have an enterprise volume licensing agreement with Microsoft) is that you use Locksmith, an updated version of the Windows Sysinternals tool that is included in the Diagnostic and Recovery Toolset (DaRT), which is part of the Microsoft Desktop Optimization Pack (MDOP). For information about DaRT and how to create bootable DaRT media and use the DaRT tools, see my series of articles on WindowsNetworking.com:
Tip of the Week
Are you annoyed by how Windows 7 hides windows when you ALT+TAB between them? You could use Windows Logo key+TAB instead, but if you want to return ALT+TAB to the old behavior used by previous versions of Windows, create a DWORD value named AltTabSettings under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and assign it the value of 1.
Got any tips to recommend to our readers? Let us know at [email protected]
Recommended for Learning
Microsoft SharePoint 2010: Deploying Cloud-Based Solutions from Microsoft Press covers a lot of ground including SharePoint Online, Office 365, creating a Private Cloud, and multi-tenancy in SharePoint 2010. The reality is that a lot of that ground is shifting and not yet completely solid. But businesses can often benefit from cloud computing today instead of waiting for it to solidify tomorrow. Wow, that was some mixed metaphor... Anyways, the book is very good, especially in helping you think through the decision-making process involved in planning migration of your on-premises SharePoint infrastructure to SharePoint Online or to your own private cloud. Just be aware that the actual mechanics of some of the steps involved will likely change over time as new features and capabilities are introduced in SharePoint Online, when System Center 2012 is fully released, and when Windows Server "8" Hyper-V becomes available. So buy this book but also supplement it with reading the latest stuff on Microsoft TechNet and other online sites.
PKI Uncovered: Certificate-Based Security Solutions for Next-Generation Networks from Cisco Press is basically a step-by-step how-to book about designing, implementing and troubleshooting public key infrastructure (PKI) authentication solutions using Cisco technologies. The book begins with a clear and concise review of basic PKI concepts and standards. Then it goes on to describe the building blocks of PKI such as certificates, keys and different types of CAs. PKI processes are covered next including enrollment, certificate verification and renewal/expiration, and so on. The focus quickly drops to the command shell using Cisco IOS commands to configure these things. The chapter on troubleshooting is probably worth the price of the book as far as your Cisco support staff are concerned.
MCITP 70-633 Exam Ref: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010 from Microsoft Press is more than an exam prep guide; it's also a step-by-step guide to learning how to design and plan an Exchange Server 2010 deployment for your organization. The book is written at a fairly technical level and assumes several years' familiarity with implementing and managing a previous version of Exchange Server. Instead of virtual machine labs, the book uses Thought Experiments that challenge you to think through planning issues when designing your Exchange deployment. I like that approach: these Thought Experiments really test whether you understand the basic concepts and operation of Exchange 2010, and they help you anticipate problems and issues that can arise if you don't design your deployment properly.
Quote of the Week
A couple of tips from my IT consultant friends concerning dealing with customers:
"It's easier to keep a customer you have than gain a new one."
"Fire your worst customer."
Are you in the IT consulting business? Got any pithy words of advice to share with similar readers? Email me at [email protected]
Win a Samsung Galaxy Tab 2 (10.1)!
Participate in the 2012 WServerNews.com site survey for a chance to win a Samsung Galaxy Tab 2 (10.1). Weighing 21 ounces and sporting a 10.1-inch touchscreen display, the Galaxy Tab 2 runs the Android 4.0 ("Ice Cream Sandwich") operating system and is powered by a 1.0 GHz dual-core processor to help you achieve maximum usage across various demanding applications.
The 2012 WserverNews.com survey will run throughout June and help us learn more about you and what you'd like to see in the newsletter in the future. The survey is estimated to take around 5 minutes to complete.
Participate today for your chance to win!
Until next week,
Admin Tools We Think You Shouldn't Be Without
Using Microsoft Hyper-V? Altaro Hyper-V Backup Freeware Edition is an easy to use Hyper-V aware backup solution. Watch YouTube Video.
Register for a SpamTitan on-line demo, 99.97% plus catch rate, double AV, affordable price
Use this free application to synchronize files and folders between locations:
Find out what files and folders consume the most space on your disk using this free tool:
- Microsoft Worldwide Partner Conference on July 8-12, 2012 in Toronto, Canada:
- VMworld 2012 on August 27-30, 2012 in San Francisco, USA:
- Microsoft SharePoint Conference 2012 on Nov 12-15, 2012 in Las Vegas, USA.
- Microsoft TechEd Europe 2012 on June 26-29, 2012 in Amsterdam, Netherlands:
- VMworld 2012 on October 9-11, 2012 in Barcelona, Spain:
- Microsoft Australia Partner Conference 2012 on Sept 4-6, 2012 in Brisbane, Australia:
Add your event
Contact Michael Vella at [email protected] to get your conference or other event listed in our Events Calendar.
Optimizing Backup and Recovery for Oracle Applications in VMware Environments with EMC
Tuesday, June 19, 2012 - Learn how EMC backup and recovery solutions can enable you to dramatically speed backup and recovery in VMware vSphere environments, reduce backup storage requirements, and efficiently replicate for fast DR.
This Week's Webcasts
- Monday June 18 - TechNet Webcast: Troubleshooting Single Sign-on for Office 365 while Implementing Directory Integration Services (Level 300)
- Monday June 18 - VMware Webcast: VMware vCenter Operations Manager 5 QuickStart Series Part 2: Custom User Interface
- Tuesday June 19 - TechNet Webcast: Bare Metal to Private Cloud (Part 5 of 8): Installing and Configuring System Center 2012 - Operations Manager (Level 200)
- Tuesday June 19 - VMware Webcast: Optimizing Backup and Recovery for Oracle Applications in VMware Environments with EMC
- Wednesday June 20 - VMware Webcast: VMware vFabric SQLFire - Fast Data that Spans the Globe
- Thursday June 21 - TechNet Webcast: Bare Metal to Private Cloud (Part 6 of 8): Installing and Configuring System Center 2012 - Service Manager (Level 200)
- Thursday June 21 - VMware Webcast: Technical Deep Dive: Configuration and Compliance Management with VMware vCenter Operations Management Suite 5.0
Register for Webcasts
Add your Webcast
Contact Michael Vella at [email protected] to get your webcast listed in our Webcasts Calendar.
Where's The Windows “Start” Button?
Read about a Microsoft employee's initial reaction and some helpful advice and resources for working with the Windows 8 consumer preview:
Whitepaper with some important Hyper-V best practices
Want some wisdom from the smartest, cutting edge Hyper-V administrators in the business? Download this whitepaper from this post on the Hyper-V.nu blog:
Hacking servers that are turned "off"
Is a server that's powered off immune from being attacked by hackers? Read this illuminating post from the Internet Storm Center diary:
Visual Basic is dead, long live Visual Basic!
Microsoft has formally extended “It Just Works” support for its Visual Basic 6 programming language through the full lifetime of the Windows Vista, Windows Server 2008, Windows 7 and Windows 8 OSes:
Whitepapers, podcasts and other configuration management resources
VKernel understands how configuration changes to VMs will continue to be an issue for VM administrators especially as environments get larger and more automated:
Windows Server News
Five common mistakes of constructing a cloud presence
Incorporating cloud services into an IT environment involves many tough decisions. The wrong move can affect your business success and future in the cloud. Avoid these five mistakes to develop your company’s cloud presence.
Why virtual server tools won’t work for VDI performance monitoring
You might be tempted to use the same tools to monitor both virtual servers and virtual desktops, but VDI performance monitoring is a whole different ballgame. Virtual desktops have more dynamic workloads and the end goal is not the same.
VDI pilot project guide
There's a first time for everything. For your VDI pilot project, consider product options, know what to avoid and learn from the success -- and failure -- of others. Learn more in this expert guide to VDI implementation success.
A first look at Microsoft Office 15 features
It's time for yet another version of Microsoft Office -- Microsoft Office 15. I know what you're thinking: We don't even use half the features available in Office 2010! But you should feel better about the Office upgrade after we explore some Office 15 features in this exclusive tip.
WServerNews FAVE Links
This Week's Links We Like. Tips, Hints And Fun Stuff
How close can five wingsuit flyers come to two glider planes cruising at 180 km/h 4,000 meters above the ground? A spectacular performance high in the skies above Austria well worthy of any James Bond film:
The Atlantic Ocean Road in Norway (ranked #1 of the World's Best Road Trips) is fantastically dramatic during stormy weather:
“Russian Dolls” - an amazing magic act by the winners of the World Championship of Illusionists:
Meanwhile, in China ...
People are awesome and they come from all corners of the world:
In celebration of the Queen's Diamond Jubilee, here is a re-mix of a famous T-Mobile clip with the music of the 'Jive Aces' - the UK's No.1 Jive and Swing Band:
WServerNews - Product of the Week
WServerNews - Editors
Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com
Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.