Archive for August, 2008
Can I have my Windows Mobile device wipe its memory after failed logons
Aug 28th
Did you know you can wipe a lost or stolen Windows Mobile device if you configure it beforehand? As an administrator using Microsoft Exchange Server 2003 (SP2), you now have tools with which to set and enforce your mobile device security policies. You can also control some of the features on the mobile devices by using provisioning tools. Check this out:
Excessive failed logon attempts may signal that a wireless device has been lost or stolen — a serious security risk. Find out how to configure your Windows Mobile 5 and 6 devices for local wiping, so they automatically destroy their data after a specified number of failed logons.
Most security policies for Windows Mobile devices are what I call “scorched-earth” policies. Essentially, an Exchange administrator remote wipes a mobile device to mitigate a specific security risk, such as a lost or stolen device. All Exchange Server data is completely erased when a wireless device is “wiped clean.”
You can trigger a remote wipe of a mobile device through Exchange Server 2007 and Outlook Web Access (OWA) 2007, but that presumes the wireless device will contact the Exchange server at some point.

It makes sense to allow mobile devices to wipe themselves when certain prerequisite conditions are met, such as a specified number of failed personal identification number (PIN) entries or incorrect password attempts. This mobile security feature is called a local wipe.
Windows Mobile 5 and 6 devices have provisions for performing local wipes. However, this setting is not enabled by default, and for good reason. Discovering that your Windows Mobile device has committed digital suicide after you messed up your fifth attempt to punch in your PIN can be aggravating — especially if you didn’t know such a policy was in place to begin with.
But if your organization wants to implement this additional layer of security around Windows Mobile devices, it can be done — with a little work.
* First, the Password Required Policy (security policy ID 4131), a Windows Mobile security policy setting, must be enabled for the device in question.
* Next, a registry entry has to be set on the mobile device to enable this feature. In HKLM\Comm\Security\Policy\LASSD, create the decimal key DeviceWipeThreshold and set it to any positive number. This number will be the number of incorrect password logon attempts to allow before the device’s memory is wiped. This setting is also available in the Device Security Settings dialog box in the Exchange Management Console.
NOTE: In Windows Mobile 4, this function did not erase any external memory on the device, such as an SD card or other plug-in memory device. However, Windows Mobile 6 devices will erase external memory cards as well.

About the author: Serdar Yegulalp is editor of Windows Insight, a newsletter devoted to hints, tips, tricks, news and goodies for all flavors of Windows users.
[Via TechTarget]
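Both steps above can be pushed to a device in one provisioning document. The following is an added example, not code from the TechTarget article or this blog; it assumes the SecurityPolicy and Registry configuration service providers accept the characteristic types shown, that a value of 0 for policy 4131 means "password required", and it uses 8 failed attempts as an illustrative threshold.

```xml
<wap-provisioningdoc>
  <!-- Step 1: Password Required Policy (security policy ID 4131).
       Assumption: 0 enforces a device password (1 leaves it optional).
       Confirm against the SDK security-policy table before deploying. -->
  <characteristic type="SecurityPolicy">
    <parm name="4131" value="0" />
  </characteristic>

  <!-- Step 2: local wipe threshold. DeviceWipeThreshold is a DWORD
       under HKLM\Comm\Security\Policy\LASSD. 8 is an illustrative
       value; the device wipes after this many bad PIN/password entries. -->
  <characteristic type="Registry">
    <characteristic type="HKLM\Comm\Security\Policy\LASSD">
      <parm name="DeviceWipeThreshold" value="8" datatype="integer" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
```

The document can be applied over ActiveSync with RapiConfig.exe from the Windows Mobile SDK (for example `RapiConfig.exe /P localwipe.xml`, which is how I would push it) or packaged into a CAB for distribution. Test it on a spare device first, since a mistake here destroys data rather than merely locking the device, and tell users the policy exists before it reaches their handsets. If the device also syncs with Exchange 2007, the ActiveSync mailbox policy (Set-ActiveSyncMailboxPolicy with -DevicePasswordEnabled and -MaxDevicePasswordFailedAttempts) sets the same threshold from the server side and will override a lower device-side value.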
Admin’s Arsenal: KeePass v1.x
Aug 27th
Someone asked me today what tool I would say helps me most in my day to day job duties. Man was that a tough question to answer! I have about 30-40 tools that I use on a daily (or at least every other day) basis, so to pick one is like having to choose what finger you like best (no snickering back there).
I guess what it all comes down to is what tool I use most. Hands down that tool is KeePass Password Safe.
It’s hard to cover everything that KeePass does, but this quote from the official site does a better job than I can:
KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).
I use KeePass more than any other tool in my Arsenal simply because I have so many passwords to remember.
One of the features that makes KeePass better than other password managers is that you can attach files to entries, which are then encrypted with the KeePass Database. I personally use this to keep all of our VPN keys handy so that when a user complains that they are having problems with their VPN, I can log in as them and see if it is in fact an issue with their VPN tunnel or just user error.
My absolute favorite feature though is its portability. Here is a short list of all the different platforms that KeePass works on:
- Windows
- Linux
- Mac OSX
- BlackBerry (huge score here as I love being able to access all my passwords from my phone)
- PocketPC and Smart Devices (including Windows Mobile 6.0)
- Symbian
- PalmOS
- USB drives (specifically portableapps.com)
- USB drives (U3 platform)
- PE environments (WinPE and BARTPE)
Pretty much anywhere you are likely to need it from. I specifically call out the 1.x versions because the 2.x ALPHA versions require the .NET Framework, and as a side effect are not as portable. No need to worry though, 1.x is still in active development, and it is open source, so even if the current devs stop work on it, development can continue.
KeePass also has quite an extensive plugin library, which further enhances its functionality. If you're looking for a password manager that you can use anywhere, you would be hard pressed to find one better at it than KeePass.
Verizon FiOS Rocks!
Aug 26th
Take That TimeWarner!
Recently Commodore64 lamented that his ISP, TimeWarner cable had lowered his upload speed to 60k. Well sir, I hope Verizon will be rolling out fiber in your area soon. They were here today to install their FiOS service, and it rocks! As you can see, I am getting significantly faster uploads than TimeWarner provides.
The install was pretty quick and painless (mostly because I did a lot of the hard work ahead of time). The technician ran a molded and pre-cut piece of fiber from the pole to the house. The optical network terminal is mounted inside the house, usually in a basement or garage. He brought the fiber through the outside wall and into our laundry room near the electrical panel.
There were three separate pieces to mount on our cinder block wall, so he placed them all on a piece of plywood to make it easier. The small boxes at the bottom are the power supply (right) and a battery backup unit (left). The battery provides up to 8 hours of phone service during a power failure. He said it powered the phone only, but a simple test showed that it powered the Internet service also. Of course you would need to have your computer and the router on a UPS to maintain your connectivity, but it is technically possible.
The large box at the top contains a lower panel where he coiled the excess fiber. The upper panel is really the heart of the unit. There is a place to plug in the fiber, 4 spaces for phone lines, an Ethernet port for data and a coax port for the TV service.
On the right there are the four spaces for traditional POTS phone lines. The FiOS service is true POTS, not VoIP. That is a piece of Cat 5 running to the old phone NID, which some rocket scientist decided to put in our attic. From there it feeds all the house phones. Next to that is an Ethernet port where he plugged in the Cat 6 which I had previously run to where the router was going to be. I decided to run the internal cables myself because the locations were a little complex and I was particular about how their install would look. Utilities tend to take the easiest, cheapest option that technically gets the job done, not necessarily the best looking one for the homeowner. The technician was very happy to use my wiring since it saved him A LOT of time and effort.
On the far right is a coax port for the TV service (which I didn’t get at this time). If you already have cable TV service they can use the existing wiring and simply connect it to that port.
After that was all done, it was just a matter of disconnecting our copper phone line and configuring the router. They provided a relatively powerful 4-port wireless G router. It has a lot more options than a typical consumer router, including per-port blocking and parental controls, a firewall with an almost endless array of options, and full traffic and bandwidth monitoring.
One very odd thing is that the default wireless encryption is WEP. Get with the program Verizon, WEP has been cracked for years! Defaulting to WEP gives people a false sense of security. In their defense I will point out that the router does support WPA and WPA2, but I can guarantee you that the average user is never going to be able to figure out how to change it to use them. It is buried pretty deep in the interface.
I opened Firefox and you can see the results of the speedtest above. I downloaded a 200 MB file from Microsoft.com in 5 minutes. With a connection this fast you do start to realize the limitations of other connections. I uploaded a file to our FTP server at the office and I was able to completely saturate our T1 (can you say DoS attack?).
The pricing for a 5/2 FiOS connection is the same as what I was paying for Verizon’s 3.0/768 DSL service. They offer a 15/2 service which you need to get if you want their TV service.
Overall, I’m very happy with it. The FiOS service is noticeably faster (especially uploads) than the DSL service. More speed for the same price, can’t go wrong there. Plus I get geek bragging rights and can say I’m one of the first people in the area to get it.
Some information about Windows Server 2008 R2, aka Windows 7 Server
Aug 25th
This information comes from Mary Jo Foley on ZDNet.
After sending me a note that led me to believe that Microsoft had decided to veer from its original plan of an R2 update followed by a full-fledged Server update, a Microsoft spokeswoman called on August 18 to tell me that her note to me was misleading.
So, scratch that Friday evening post. Microsoft is still doing what it had led folks to believe up until this point: A release called Windows Server 2008 R2 is still on the books (now officially slated for 2010). And there will be some release two years after that which may or may not be called Windows 7 Server. (Microsoft currently won’t say anything about the planned naming for this release.)
And just to keep things extra confusing, the spokeswoman told me that if and when anyone hears references to “Windows 7 Server,” what they really mean is “Windows Server 2008 R2.” In other words, the codename for the Windows Server 2008 R2 release is “Windows 7 Server” — which, based on previous Microsoft naming conventions, should be the codename for the release that comes out after Windows Server 2008 R2…. Yeah….
A comment sent to me by an anonymous reader, good old anonymous@anonymous.com this morning makes more sense now. (Note to reader: Why anonymous? If you don’t want me to use your name in a posting, I won’t.) “Okay, I don’t know how someone on our side could have miscommunicated this or if you are purposely reporting this incorrectly, but let’s be clear on this: Windows 7 Server is and has always been Windows Server 2008 R2.
“Furthermore, Windows 7, despite its rather pretentious sounding code name (a result of Sinofsky’s liking of big round numbers) is NOT Windows NT 7, but rather 6.1 (current builds are numbered 67xx as a direct continuation of the Longhorn codebase). Put simply, it is not a big jump as a codebase revision and the new changes, on both the client and server, will be focused on user features, not core OS components. The big core OS changes are WDDM 2 and a kernel scheduler update to remove the simple bitmask enumeration of processors so that the OS can schedule more than 64 concurrent threads.
“Finally, and I can’t be more clear on this, ‘Windows 7’ client and Windows Server 2008 R2 will RTM simultaneously (and just so you are 100% clear on this) and are based on exactly the same codebase (just as Vista SP1 and Server 2008 are based on an identical core OS codebase).
“As for the next major release (meaning a full revision of the NT codebase) that will not occur until well after the current Win7 wave.”
[ZDNet Via TwistedEthics - Thanks Phil!]