Vol. 17, #23 - June 4, 2012 - Issue #882

PKI Potpourri

  1. Editor's Corner
    • From the Mailbag
    • PKI Potpourri
    • Tip of the Week
    • Recommended for Learning
    • Quote of the Week
  2. Admin Toolbox
    • Admin Tools We Think You Shouldn't Be Without
  3. Events Calendar
    • Americas
    • Europe
    • Asia/Pacific
  4. Webcast Calendar
    • Federal Cloud Integration: Getting from Here to Where You Want to Be
    • This Week's Webcasts
    • Register for Webcasts
  5. Tech Briefing
    • HP ProLiant Gen8 Tech Day 1 – Customer Inspired Innovation
    • Evolving the Start menu
    • Group Policy Settings Reference for Windows and Windows Server
    • Connect your Android device to SkyDrive with OneNote and other apps
    • Quick Rule Creation in Outlook 2010
    • DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?
    • How to Hold a Confidential Print Job at a Shared Printer
  6. Windows Server News
    • An open dialog on open source cloud
    • Getting users involved in VDI testing
    • VDI project pilot guide
    • Streamlining multi-hypervisor management with ease
  7. WServerNews FAVE Links
    • This Week's Links We Like. Fun Stuff.
  8. WServerNews - Product of the Week
    • Your dedicated spam filtering appliance in the cloud

Your dedicated spam filtering appliance in the cloud

SpamTitan on Demand offers all the benefits of SpamTitan coupled with the benefits of the cloud, including backup, redundancy and scalability. There are no shared resources typical of other cloud-based email services. The solution includes double antivirus protection from Kaspersky Lab and Clam AV and blocks over 99.9% of spam. This unique deployment option gives you all the benefits of an appliance-based solution but without having to utilise your own resources. We offer a single price for SpamTitan on Demand as there is no separate cloud supplier to manage. This award-winning anti-spam solution is available from $650.

Get more information on SpamTitan on Demand

Editor's Corner

SAVE THIS NEWSLETTER so you can refer back to it later for tips, tools and other resources you might need to do your job or troubleshoot some problem you're dealing with. And please feel free to FORWARD IT TO A COLLEAGUE who you think might find it useful. Thanks!

From the Mailbag

In the May 14 issue Printing Pitfalls we included a few tips about printing in mixed environments such as x64/x86, Win7/XP, etc. A reader named Ray sent us the following story that highlights the kind of difficulties administrators sometimes face in such situations:

We recently spent a great deal of time struggling with printing issues when we installed our first 64-bit Windows 7 workstations. As you said, there's no problem adding 64-bit drivers to 32-bit print servers with one caveat; printers for which the manufacturer does not provide 64-bit drivers. We ran into this issue specifically on many HP LaserJet printers—and not just old ones either. Even printers we'd only had for a year or two only offered the HP Universal Print driver as an option for 64-bit operating systems.

We dutifully followed the procedure to install the UPD for 64-bit on our print server and attempted to associate it with the printers but continually failed, receiving an error that an appropriate print driver for the x86 operating systems was not found. We finally, after much experimentation, were able to figure out that point-and-print only works for 32 and 64-bit drivers on the same printer if the driver identity is the same. This particular issue was not documented anywhere that I could find on Microsoft's or HP's websites. The solution was to assign the UPD to our printers for both 32 and 64-bit operating systems. This allowed us to install both drivers and now both 32 and 64-bit clients can install printers from the print server, after much frustration and cursing of course.

This issue illustrates a problem I run across frequently as a network administrator. I find that more and more these days, documentation is often lacking in changes and updates to software and hardware. Problems like the printing issue stated above must have been understood by the engineers writing the OS and the drivers but nowhere was it documented that the driver name had to be the same for both OS types. It was just assumed that administrators would know—which works great until two totally different driver options are available for the same printer and OS combination (32-bit). If it weren't for the Internet discussion/gripe sites I'd have dozens of similar issues that would still remain unsolved.

Got more tips, gotchas or stories about printing in Windows environments? Email us at [email protected] so we can share them with readers of WServerNews.

PKI Potpourri

Have you ever had to deal with digital certificate issues on Windows computers or deploy a Public Key Infrastructure (PKI) running on the Windows Server platform? This week's issue is a potpourri of different tips and gotchas centered around topics relating to Windows PKI. But before we begin, check out the following XKCD comic that explains WHY ALICE WAS JEALOUS CONCERNING BOB'S ALLEGED AFFAIR WITH EVE:
http://www.wservernews.com/go/1338460354465

Hint for infosec newbies: Eve = eavesdropper

;-)

Can you install an Enterprise CA on a DC?

Yes. Should you? No!! Here are some reasons why you should NEVER install your organization's Enterprise Certificate Authority on a domain controller in your environment:

Of course, if you're just building a small test network then it's probably OK to install your root CA on your DC.

Can you move an Enterprise CA between two forests?

Yes, but it's very complicated. The post below from the Windows PKI Blog explains some of what's involved, but your best bet is to engage Microsoft Support to walk you through the process:
http://www.wservernews.com/go/1338460360293

How should you secure and maintain an Offline CA?

Since the root CA is at the top of your PKI and is self-signed, you want to do everything you can to secure and maintain it. A good practice is to keep your root CA offline so it's never connected to your corporate network and follow best practices to secure and maintain it. Specifically, this article from the TechNet Wiki provides some guidance concerning securing Offline CAs:
http://www.wservernews.com/go/1338460365059

And this article explains how to properly maintain your Offline CAs:
http://www.wservernews.com/go/1338460367793

Can you deploy PKI using PowerShell?

Yep. Check out the following PowerShell script by Vadims Podans, a Microsoft Most Valuable Professional (MVP) based in Latvia:
http://www.wservernews.com/go/1338460376106

For more tips on how to manage Windows PKI using PowerShell, see Decrypt My World, the blog of Alejandro Campos Magencio, who works as an Escalation Engineer for Microsoft Customer Service & Support in Spain:
http://www.wservernews.com/go/1338460382075

And here's a link to the PKI PowerShell module on CodePlex:
http://www.wservernews.com/go/1338460386543

Where can I find root certificate updates?

Microsoft releases updates for root certificates for Windows operating systems on their Windows Update site. Windows Vista and later automatically download and install new root certificates with no user intervention needed, for example when an application you run is presented with a certificate issued by a CA that is not trusted by any of the installed root certificates on your computer. This automatic updating of root certificates can also be turned off using Group Policy, as this TechNet page explains:
http://www.wservernews.com/go/1338806476286

If desired, you can also download root certificate updates directly from the Microsoft Update Catalog site here:
http://www.wservernews.com/go/1338460395559

You might choose to do this for a couple of reasons, for example:

To download root certificate updates from the Microsoft Update Catalog, simply go to the page linked to above, type root certificate updates in the Search box and press Enter, then click Add to add the update you want to download to your basket. When you're finished adding updates, click View Basket and then click Download. For more information about an update, click on it to display the Update Details page for the update, then click the support link under More Information to open the Microsoft Knowledge Base article for the update.

For help on how to apply an update to a Windows image using Dism, see this MSDN article:
http://www.wservernews.com/go/1338460402950

Also see Part 2 of my series Deploying Windows 7 on WindowsNetworking.com for more info on using Dism:
http://www.wservernews.com/go/1338460405419

Share your expertise!

Got any tips, gotchas or stories to share with our readers concerning deploying and managing a Windows Server PKI solution, managing root certificates on Windows computers, or any other related topics? Send them to us at [email protected]

Tip of the Week

Here's a quick tip on how to restart a service when a specific event is logged in the event logs. Let's say for example that you want to restart a service such as the SQL Server service when an event with a specific event ID is logged in the Windows event logs. You can do this as follows:

  1. Open Event Viewer and navigate to the log that contains the event you want to associate with a task.
  2. Right-click the event and select Attach Task To This Event.
  3. Walk through the Create Basic Task Wizard to create the new task.
  4. Create a simple batch file with sc stop service_name and sc start service_name.
  5. Open the task you just created and edit it so that the action it performs is to run the batch file.
  6. Edit the task to specify the event ID needed to trigger the task.
  7. Save the changes to the task.
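
A sketch of the batch file from step 4, added here as an example and not part of the original tip. The service name MSSQLSERVER, the event ID 9999, the task name and the C:\AdminScripts path are assumptions to replace with your own values. Because the task typically runs with elevated rights, keep the batch file in a folder that only administrators can write to.

```batch
@echo off
rem restart-on-event.cmd -- added example, not from the newsletter.
rem Assumed values: service name and retry count. Adjust for your environment.
setlocal
set "SVC=MSSQLSERVER"
set /a TRIES=30

rem sc stop only sends the stop request and returns immediately,
rem so sc start issued right after it can fail while the service is
rem still in STOP_PENDING. It also does not stop dependent services.
sc stop "%SVC%" >nul

:wait_stopped
sc query "%SVC%" | find "STOPPED" >nul
if not errorlevel 1 goto do_start
set /a TRIES-=1
if %TRIES% leq 0 exit /b 1
rem ping is used as a ~2 second delay; timeout.exe refuses to run
rem when there is no interactive console, as under Task Scheduler.
ping -n 3 127.0.0.1 >nul
goto wait_stopped

:do_start
sc start "%SVC%" >nul
exit /b %errorlevel%

rem Command-line equivalent of the Event Viewer steps (run once, elevated).
rem Event ID 9999, the Application log and the task name are placeholders:
rem
rem   schtasks /Create /TN "RestartServiceOnEvent" /RU SYSTEM ^
rem     /SC ONEVENT /EC Application /MO "*[System[(EventID=9999)]]" ^
rem     /TR "C:\AdminScripts\restart-on-event.cmd"
```

A non-zero exit code from the script shows up as the task's Last Run Result in Task Scheduler, which makes a failed restart visible.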

Got any tips to recommend to our readers? Let us know at [email protected]

Recommended for Learning

This week we have a couple of books on Windows security forensics from Syngress:

Windows Forensic Analysis Toolkit: Advanced Analysis Techniques for Windows 7 (Syngress) is the third edition of this popular digital forensics book, which demonstrates in detail how you can extract user activity data from computers running Windows 7 and earlier versions. Unlike many books that have been updated for Windows 7, the author of this title has taken care to make sure new features of Windows 7 are thoroughly covered. The writing style is also lively and entertaining, which makes the book easy to learn from. Strong recommend for Windows security enthusiasts.
http://www.wservernews.com/go/1338460420372

Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry (Syngress) is a companion volume to the previous title and demonstrates how to find and analyze evidence within the registry using various tools and procedures. The book includes some detailed case studies plus a CD with some Perl scripts the author has written.
http://www.wservernews.com/go/1338460425372

Quote of the Week

"If you are not passionate about your work, every day will be a Monday." --Dana Epp, an IT pro based in Vancouver, Canada

That insightful quote was taken from Dana's Facebook page at:
http://www.wservernews.com/go/1338460759059

Dana is a partner at Scorpion Software, a company that provides robust password management, two-factor authentication (2FA) and single sign-on (SSO) solutions for IT Service Providers and IT departments of small to midsized businesses. I highly recommend their company blog, especially Dana's ongoing video series titled Crack the Cred:
http://www.wservernews.com/go/1338460761950

Until next week,

Cheers,
Mitch Tulloch

 

Admin Toolbox

Admin Tools We Think You Shouldn't Be Without

Register for a SpamTitan on-line demo, 99.97 % plus catch rate, double AV, affordable price.
http://www.wservernews.com/go/1338465578354

New Top 10 free tools for IT pros. Audit changes in AD, GPO, file servers and mailboxes; manage passwords and event log; monitor processes; etc.
http://www.wservernews.com/go/1338465605540

Download a free, fully functioning 30-day trial of Patch Manager from SolarWinds and leverage your existing WSUS and System Center Configuration Manager (SCCM) deployments.
http://www.wservernews.com/go/1338465614946

Using Microsoft Hyper-V? Altaro Hyper-V Backup Freeware Edition is an easy to use Hyper-V aware backup solution. Watch YouTube Video.
http://www.wservernews.com/go/1338465621822

Mount and analyze ISO, VHD and other files using this free tool:
http://www.wservernews.com/go/1338460770622

Mount downloaded ISOs of CD/DVD images using this free tool:
http://www.wservernews.com/go/1338460775044

 

Events Calendar

Americas

Europe

Asia/Pacific

Add your event

Contact Michael Vella at [email protected] to get your conference or other event listed in our Events Calendar.

 

Webcast Calendar

Federal Cloud Integration: Getting from Here to Where You Want to Be

In this session, attendees will learn how solutions such as VMware vCenter Operations, vCenter Orchestrator, and others enable Federal agencies to leverage existing investments in their evolution to the cloud.
http://www.wservernews.com/go/1338460803528

This Week's Webcasts

Register for Webcasts

 Add your Webcast

Contact Michael Vella at [email protected] to get your webcast listed in our Webcasts Calendar.

 

Tech Briefing

HP ProLiant Gen8 Tech Day 1 – Customer Inspired Innovation

From Hyper-V.NY comes some insights from HP for server and storage admins:
http://www.wservernews.com/go/1338460822341

Evolving the Start menu

Get used to it: the old Start menu isn't coming back. From the Building Windows 8 blog a few months back if you haven't read it yet:
http://www.wservernews.com/go/1338460827247

Group Policy Settings Reference for Windows and Windows Server

Now includes Windows Server 8 Beta and Windows 8 Consumer Preview:
http://www.wservernews.com/go/1338460832059

Connect your Android device to SkyDrive with OneNote and other apps

From the Windows Blog comes this walkthrough on how to make your files automatically available across Windows devices while also being accessible on Android devices:
http://www.wservernews.com/go/1338460837028

Quick Rule Creation in Outlook 2010

A quick tip from the Outlook Blog for heavy email users, especially if you subscribe to a lot of mailing lists:
http://www.wservernews.com/go/1338460842669

DHCP, Dynamic DNS, and DCs: How about Some PowerShell to Spice Up a Mind-Numbing Topic?

The Ask Premier Field Engineering (PFE) Platforms blog shows us how to use Windows PowerShell to configure Microsoft DHCP servers to dynamically register A and PTR records in DNS on behalf of DHCP clients:
http://www.wservernews.com/go/1338460847434

How to Hold a Confidential Print Job at a Shared Printer

An oldie but still a goodie: a printing tip from 404 Tech Support:
http://www.wservernews.com/go/1338460852622

 

Windows Server News

An open dialog on open source cloud

Open source cloud software has its share of advantages and downsides. In this expert tip hear from industry analyst Bill Claybrook as he discusses the market, what companies of all sizes should consider when looking to build an open source cloud and which vendors have the most influence at the moment.
http://www.wservernews.com/go/1338460872794

Getting users involved in VDI testing

Now that you have your VDI project under way, you need to test the deployment's performance. VDI testing should involve one of the most important parts of your project: the users who will actually be using the virtual desktops.
http://www.wservernews.com/go/1338460877575

VDI project pilot guide

There's a first time for everything. For your VDI pilot project, consider product options, know what to avoid and learn from the success -- and failure -- of others. Access this VDI project pilot guide to ensure a successful implementation.
http://www.wservernews.com/go/1338460882309

Streamlining multi-hypervisor management with ease

As the number of heterogeneous virtualization environments continues to rise, so does the need for multi-hypervisor management tools and skills. Now, more than ever, it would be wise for virtualization administrators to learn how to manage and troubleshoot multiple virtualization platforms. Learn how in this featured tip.
http://www.wservernews.com/go/1338460887075

 

WServerNews FAVE Links

This Week's Links We Like. Tips, Hints And Fun Stuff

Got $259,500? How about an amphibious sports car:
http://www.wservernews.com/go/1338460893184

How to create infinite energy using the “Buttered Cat Paradox” - Toast always falls on the buttered side and cats always land on their feet:
http://www.wservernews.com/go/1338460897513

Don't watch this if you are afraid of heights! The bridge to Russky Island will be the world's largest cable-stayed bridge with a total length of 10,200 ft when it opens in June 2012:
http://www.wservernews.com/go/1338460902825

An entirely new way to interact with your computer - more accurate than a mouse, as reliable as a keyboard and more sensitive than a touchscreen:
http://www.wservernews.com/go/1338460921059

Honda re-invented the wheel with its battery-powered, two-wheeled mobility device that allows the rider to control speed, move in any direction, turn and stop, all simply by shifting his or her weight:
http://www.wservernews.com/go/1338460930700

The amazing "The Baronton Sisters" from France perform on The Ed Sullivan Show on February 2, 1969:
http://www.wservernews.com/go/1338460936575

 


WServerNews - Editors

Mitch Tulloch is Senior Editor of WServerNews and is a widely recognized expert on Windows administration, deployment and virtualization. Mitch was lead author of the bestselling Windows 7 Resource Kit from Microsoft Press and has published hundreds of articles for IT pros. Mitch is also a seven-time recipient of Microsoft's Most Valuable Professional (MVP) award for his outstanding contributions in support of the global IT pro community. Mitch owns and runs an information technology content development business based in Winnipeg, Canada. For more information see www.mtit.com

Ingrid Tulloch is Associate Editor of WServerNews and was co-author of the Microsoft Encyclopedia of Networking from Microsoft Press. Ingrid is also Head of Research for our content development business and has co-developed university-level courses in Information Security Management for a Masters of Business Administration program.