IT Solutions | Direct Access: So-long, VPN Client

What is DirectAccess?

Direct Access is a means by which your enterprise workstation is able to ‘phone home’ without any assistance, such as would be required to access a VPN configured through a firewall or a Microsoft Routing and Remote Access Server.  The idea is that you are always able to route back to your Microsoft network using public IPv4 DNS records via the Secure Sockets Layer, similar to how you would sign-in to a secure web page for sensitive information, such as personal banking.  This eliminates the need for integrating a service like RADIUS to provide domain-based authentication and deploying an VPN client software to all of the systems (not to mention training your staff on how to use it.)

Why use DirectAccess?

Simply put, DirectAccess eliminates one more step that is needed to remotely access a corporate environment, and reduces the surface area for end-user error.  Since it uses the Secure Sockets Layer – which is shared by the aforementioned secure web browsing, variables such as remote routers and firewalls can also be eliminated as a variable since there are usually no restrictions on the SSL port, whereas a non-SSL VPN client would require that specific additional ports be opened at the connecting network, relative to the protocol being used.

A problem that used to exist in the old DirectAccess architecture of Server 2008 R2 was the reliance on IPv6, which as I mentioned can be a big project in itself to implement on a network that is not already using it.  Server 2012 Direct Access is fully IPv4 compliant, and the configuration of it

What do you need to run DirectAccess (Windows 2012)?

DirectAccess requires the following components on your network:

-          Client workstations running Windows enterprise software (Windows 7 Enterprise or Ultimate, Windows 8 Enterprise)

• If using Windows 7 clients, a local Certificate Authority is recommended to provide client-authentication certificates for backwards-compatibility.  This is not a requirement in Windows 8.

-          A Windows Server 2012 host with a network controller

-          A Windows domain controller (running Windows Server 2008 SP2, or a higher edition) and DNS server

Contact Trigon today if you would like more information on Direct Access and how it can improve your small business!

IT Support | Hard drive encryption: The good, the bad, & the ugly...

Hard drive encryption is one of those tools that administrators have a love/hate relationship with.  In its simplest terms, it is a way to secure data so that it is inaccessible to those that are not authorized to have access.  There are different ways to encrypt a hard drive, depending on how secure you want to make the information and how easily or difficult you want to make access to that data.

First off is the basic hardware encryption.  This typically requires a simple password to unlock the drive for use.  As soon as the computer is booted, a password is requested in order to be able to use the drive.  If the incorrect password is entered a certain number of times (typically three), the system needs to be either rebooted or power cycled to be able to try again.  If the password is not known, the drive is not accessible.

Secondly, there is software encryption.  This is a program either installed on or integrated with the Operating System that can use any combination of ways to unlock the information encrypted.  It could range from a simple password like the hardware encryption technique described above, to requiring a security certificate and password combination, to one that requires a specific hardware aspect (such as a specialized flash drive inserted into the system) and one or more software measures (password, security certificate, and/or biometric reader) that are all required for access.

So why do administrators have a love/hate relationship with it?  The good part about encryption is that if a drive or system is either lost, stolen, or somehow ends up in the wrong hands, it is difficult or impossible to break the encryption to access the information.  Obviously, the more secure the measures to encrypt the data, the more difficult it is for any would-be hackers to access the information that they are not authorized to have.

The bad part about encryption is if the access method to the data by those authorized to have access is not available (password forgotten, specialized flash drive left in the office when the laptop is taken home, etc.), the data is not available when it is needed.  This typically is only a nuisance, as the password can be retrieved if either a Master Password or some other password-recovery method is utilized or the specialized flash drive can be retrieved from the office the following business day.

The ugly part comes in when something out of the ordinary occurs.  Most of the time, this is something along the lines of a particular person having the encryption password with no Master Password created, and then that particular person leaves the company.  Or it is the specialized flash drive that gets broken or is unreadable by the system.  Some of these types of risks can be mitigated by having a recovery measure implemented, like a Master Password or a secondary flash drive with the decryption information stored on it.  However, not all risks in regard to hard drive encryption can always be avoided, as sometimes information is encrypted and should only be accessed by one person for security reasons.

So should you use hard drive encryption?  The answer: it depends.  How secure do you need your data to be so that if it does fall into the wrong hands, it won’t be easily accessible? What steps are you able and willing to implement to mitigate the risks imposed if the primary access method is permanently lost?  What is the risk of the data being lost/stolen versus the inability to access that data?

If you need help with a disk encrypytion solution, please contact Trigon today!

IT Risk Management & What it Means to Your Organization

Building a robust, secure, scalable and reliable IT infrastructure can be very costly. Conversely, not being prepared for an incident that could bring down the entire company for an extended period of time could be devastating and even more costly.

IT Risk Management is the process of defining and understanding the possibility of risk and the potential damage it could have on an organization. IT Risk Management is usually comprised of one of the following four areas:

1. Security – Ensuring that corporate data is protected from both external and internal threats
2. Availability – Making sure that systems are able to be accessed at all times. Or, in the case of an outage, that the impact can me limited and the systems can be recovered quickly
3. Performance – Baselines are established and this metric is monitored regularly
4. Compliance – Proper policies should be enabled to ensure that regulatory agency requirements are strictly adhered to

These identified risk areas are not the sole responsibility of the IT department.  While there are technical components and business processes that must be managed by IT, employee training is extremely important. Even the most stringent security policies cannot prevent a security breach. The end users must abide to the policies accordingly and work within established guidelines on a consistent and daily basis. Security is a shared responsibility.

If you have not trained your employees on how to recognize and report possible risk or security concerns, Trigon Technology Group has a proven Security Awareness Program that can help your workforce make better decisions and, ultimately, lower your IT risk portfolio.

For more information..

IT Support | DAG Spanning Datacenters

With the expansion of use of DAGs in Exchange 2010 there are some uses for a DAG that spans datacenter. When bandwidth and latency is good everything is smooth sailing. When either of these things go wrong things can go horribly wrong. There are a few small but important things you should verify before implementing this. Also leave time to test the setup before going to production. There are a few situations where without the proper configuration and hotfixes for your environment where things can go very very badly. If latency is high things like a race condition can cause your cluster to lose quorum, and when this happens all mailboxes can become dismounted. Check out this link and get those hotfixes in place.

1. Verify your NIC settings
2. Verify your TCP settings
3. Verify your cluster settings

Network Card Settings

The following settings should be checked on your network cards these are important for all DAGs but are more important when you are spanning datacenters across a site-to-site VPNs. When everything is local and bandwidth is prime than the little things don’t matter as much. One thing I found is that IPv6 should be enabled on all NICs for exchange, as well as making sure everything is correct for routing and DNS is correct. Make sure you all replication and mapi networks are reachable and configured correctly.

TCP settings

There are a few settings that can improve DAG performance dramatically, they help with the replication traffic for the DAG.
Everything in this article

netsh int tcp set global chimney=disabled

netsh int tcp set global rss=disabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

New DWORD

EnableTCPA

set value to 0 to disable netDMA

The above settings do not seem to play well with Exchange, and disabling all of the above will make things much happier, be sure to do this on all mailbox servers. It would be nice if this was common knowledge but it doesn’t seem that many documents cover this.

Cluster Adjustments

The following settings can help prevent major issues if your DAG is physically spanned across datacenters, these following settings will help keep your dag resilient, and prevent a few issues that network latency can cause you and some massive headaches.

cluster /prop CrossSubnetDelay=4000

cluster /prop SameSubnetDelay=2000

cluster /prop SameSubnetThreshold=10

cluster /prop CrossSubnetThreshold=10

To verify run the cluster /prop command.

The cross subnet command will help tremendously as the default 1000 and a threshold of 5. They will keep your DAG running smoothly in a spanned DAG.

_______________________________________

I hope the above can help someone.

IT Support | Cisco Aironet Quick Start

Configuring a Cisco Wireless access point out of the box seems like a daunting task but if you are implementing a simple setup, a single SSID on your flat network the configuration can be completed much easier than you would believe.

Starting the device

After you have un-boxed the device, and powered it up you should connect to the device via console cable. The default username and password are Cisco and Cisco as well as Cisco for the enable password. I would recommend changing these before putting this in a production environment. Following this from the terminal you need to enter configure mode before entering the configuration commands. I recommend doing this configuration from the command line as the GUI is slow un-responsive at times and requires multiple steps to complete the same tasks.

The configuration

Starting in configure mode create your SSID with the following commands, as well as establish your WPA preshared key.
dot11 ssid NetworkSSID

   authentication open

   authentication key-management wpa

   guest-mode

   wpa-psk ascii (Type password here)

The above will establish the SSID but it will still need to be assigned to the correct interface and turn on the wireless radio. Cisco ships their WAPs with the radios off, there are warnings all over the device and packaging regarding this.

interface Dot11Radio0

encryption mode ciphers aes-ccm tkip

ssid NetworkSSID

no shut
that will set the encryption, and get the device up and running with the SSID being broadcast.

Last Steps

The last thing to do is configure the device with a management IP address.

interface BVI 1

ip address x.x.x.x y.y.y.y

There you have it the fast way to get a Cisco Aironet up and running, cheers!

IT Solutions | Chrome Security Exploit Found

Google’s web browser Chrome has been praised as one of the most secure web browsers available due to the security features that were built into the browser.  One such feature is sandboxing which allows a piece of code the ability to run in a restricted environment but does not allow it any I/O access such as the ability to write to the hard disk.  Sandboxing has played a huge part in making Chrome as secure as it is.  For three years Google participated in an event called Pwn2own which is a competition to find security holes in popular web browsers in the hopes of learning if there were any holes in Chrome that need to be addressed.  Pwn2own has laptops setup running fully patched versions of Mac OS X and Windows 7 with Internet Explorer, Safari, Firefox and Chrome. Each year Chrome came through unscathed.  This year though Google opted not to take part in Pwn2own and instead created their own competition named Pwnium.  Here they have offered contestants money for finding and exploiting security holes.  At Pwnium a full exploit was discovered by Sergey Glazunov.  The details of the exploit have not been released yet but what is known is that Sergey managed to bypass the sandbox and gain full control of the computer using the access rights of the currently logged on user.  Google has quickly patched the exploit and released it via Chrome’s automatic update feature. 

 I personally have to applaud the efforts of the software companies who take part in Pwn2own and Google with their Pwnium competition in trying to make the web a safer place for everyone.  If you’re reading this and have questions in regards to security for your network then contact us and find out how we can assist you.

IT Solutions | Data Leaks That You Can Control

Every company has data leaks.

It is impossible to plug every one of them. It is possible to manage them though. The data leak doesn’t have to be access to the network by nefarious individuals. Most likely it is your own employees taking action without really thinking of the consequences. Like the domain admin giving a domain level account and password over the cell phone in a crowded elevator -- He was trying to solve an issue, but missed the environmental conditions he was in. So now everyone in that elevator knew a domain level admin credentials for that company. But you don't know which company he works for you say...sure we do, just look at his ID badge clipped for convenience to his clothing. It’s the little things that get you in trouble too.

Some sources of data leakage are:

• Allowing access to personal email, staff can send out data without you tracking it.
• Allowing USB usage, staff can put in a USB drive, phone, and even IPods that can sip the data.
• Sensitive papers lying about on desks unsecured to be viewed by anyone.
• Talking about sensitive information in public spaces

How to manage this? Well there are several ways. The most successful way is to institute policies for your staff. Having the staff aware there are guidelines and consequences is addressing most of the issues. You will need to have a training schedule for new hires and reviews for user. Having the user acknowledge the policies with a signed document will provide you foundation for maintaining the security. These policies can be as simple as the clean desk policy which dictates what can be left out when a user is not at their desk, to technology policies which dictates what devices are allowed into the site and how they are used.

To support the policies you can leverage technology. Using Active Directory Group Policies to control access to resources on the network, device usage such as turning off USB ports, all this is possible. You can use third party applications to control web access to email, track access, and allow access.

This may seem draconian, and it can be if misused. But the trick is to apply the right amount of restrictions to protect the company and balance the access given for work. So you can't access Facebook on your work computer, big deal, you’re working. Odds are you have it on your phone anyway. Using technology to enforce the policies will enable you to maintained standards consistently all day to all staff. It is auditable and can be changed as the environment changes.

So keep you staff informed, your policies current, and use your technology to simplify and standardize, and revisit both often for review and updates.

IT Support | Office 365 Launches in June, Ballmer Says.

PCWorld:

Microsoft spokespeople have been coy about when the Office 365 cloud service will launch, saying only that it will come out later in 2011. But CEO Steve Ballmer has revealed that it will launch in June.

Speaking in Delhi, India, to an industry group last week, Ballmer said, "We're pushing hard in the productivity space. We'll launch our Office 365 cloud service, which gives you Lync and Exchange and SharePoint and Office and more as a subscribable service that comes from the cloud. That launches in the month of June."

The cloud service will replace the current Business Productivity Online Suite (BPOS), and include access to Exchange, SharePoint, the Lync unified communications suite, and both desktop and Web-based versions of Office tools such as Word, Excel and PowerPoint. The Office 365 beta has attracted more than 100,000 customers, and was recently expanded to become a public beta available to anyone.

Whoa, now. It seems like Microsoft is finally ready to get the good folks that their Office products to learn how the Cloud can help them. Don't be afraid of the Cloud, gang. We use it every day. I'm using the Cloud to write this post. Ahhh!!

I don't know about you, but I prefer to write documents via web browser, or to a lesser extent, a service that syncs automatically with Dropbox in order to store my files safely. Using Word is great and all, but if that HDD explodes while you're writing the best blog post ever, it's as good as toast. Apps like PlainText and Elements save while you're typing to the Dropbox folder of your choice. Late or not, Microsoft seems to be getting the idea with this instant-save business. The less the user has to worry about backing things up, the better. 

Windows 7 Speech Recognition vs DragonSpeak PART 2.

In the world of software technology, nothing is more popular than speech dictation software. Not even posting what you had for breakfast on the Twitter is this important. You can see for yourself with our intense feature that revolved around Windows 7 Speech Recognition when compared to DragonSpeak Naturally Speaking. We need to give the people what they want. We've spent hours going over emails, comments, billboards, and telegrams where the readers have voiced their opinions on just which piece of software has it made in the shade. Let's review some of the most heated, opinioned comments.

You are most certainly mistaken about windows 7. There is a portion of the setup devoted to reading passages in order to improve recognition of the individuals voice. each time you run the program, it gives new passages to read in order to further improve ease of use. after only an hour of playing with it, i have windows 7 down to only 1 mistake every other paragraph. - Vic

Well, then. It seems our esteemed author may have not been as thorough as our dear readers would have been led to believe. Of course, he did state that this was a very early impression of usage with the software, so let's cut him some slack.

I have had RSI for some time now, and thought Windows 7 speech recognition would be the solution for my tendinitis. However, the Windows 7 speech recognition has some serious limitations, specially if you want to click anywhere on the screen. I settled upon an extension for Win 7 called Voice Finger (http://voicefinger.cozendey.com ), that somehow fill the gaps in Win 7 recognition.  I guess this software is not targeted to people who use speech recognition like an alternative from time to time, but if you want (or needs) to reduce computer contact to zero, this software is great.  - Robert

Thanks for the input, Robert. It seems like it would be the best option to shop around and test every piece of software you can get your hands on. 

Robert Lamb is mistaken. You can click anywhere on the screen in Windows Speech Recognition by calling out the command "Mousegrid". Then you can narrow down the screen to the exact place you want to click with pinpoint percision. - Samuel

Alright then. Well, we're all learning here. Thanks for the tips on Mousegrid, Sammy.

I really want to use the Windows version as I really disliked Dragon 10 and doubt I will ever use it again. - Mike

You can't win them all, Dragon 10. Actually, you're losing pretty heavily, so far.

I have not checked out dragon naturallyspeaking. I plan to do that and compare. However windows seven voice recognition comes bundled together. - Llavan

This seems to be the biggest benefit so far to the Windows 7 Speech Recognition software. Who wants to go out and buy a box from Best Buy these days? It's so far away and you need to get into a car.... The worst.

I am currently using the windows seven version. In fact in posting this blog I'm using the windows seven version. I found it definitely has some issues but Its workable. - GlassKing

Whoa! Is there any more meta than using Speech Recognition software to comment on a blog post ABOUT Speech Recognition software?

I have used both, Dragon is far far far superior in dictation, i am french and i trained Dragon with my English accent, I can speak using my worst lazy talk and it will not make a mistake, but window 7 even with all the training, i get three errors in the first sentence. Yes you can hate it write a paragraph or three if you train it much much much and talking 1/8" from the microphone yelling and talking each syllable very distinctly and talking slow. With dragron you just forget and talk whatever way you talk and it will write exactly what you said. Thanks, Jean Marie

Well said, Jean Marie. 

I would say W7 is easier to learn while Dragon is much harder to learn. Both have trouble with pull down menus on third party apps. The only advantage, if you can call it an advantage, that Dragon has is some customization options and the ability to purchase command sets for specific applications. My final thought, to date, use W7 version. If you feel limited you could invest in Dragon for some advanced features, but there is the cost to consider! - Chewy

If there was one person I thought would have trouble with Speech software, it would have been Chewy.

I've used both systems. I would have to say that the windows system is much better at understanding what I'm saying. Dragon does have a few advanced features that windows doesn't but I don't think it justifies dragons cost. - Bull

Well, the readers have it. Windows 7 has the superior Speech Recognition sofware. It only took us several months to get through all of the comments and reader mail, but we feel this is conclusively the final word on the battle between these two heavyweights. 

IT Support | Windows 7 SP1

Are you a new Operating System earlier adopter or one who typically waits for the first Service Pack release of a new OS?  I tend to be a wait and see adopter.  If there are no glaring issues after a few months of a new OS release, and I feel the new features will benefit me, then I will perform a clean install.  I don’t like upgrades.  Working in IT Support, history has taught me that upgrading to a new OS causes problems; sometimes of apocalyptic proportions.

For those of you who wait for SP1, I salute you.  Delayed gratification can be a good thing.  Except in the case of Vista SP1.  If you went that route you were probably not too happy.

Service Packs tend to include new features.  This is not the case with Windows 7 SP1; at least in the current beta version.  SP1 contains only a compilation of all the updates released so far.  So if you want Windows 7 with SP1 before the official release, just install Windows 7 and run Windows Update.

Here is a list of the base system requirements.

• 1 GHz or faster x86 (32-bit) or x64 (64-bit) processor

• 1 GB RAM for x86 or 2 GB RAM for x64

• 16 GB available disk space for x86 or 20 GB for x64

• DirectX 9 graphics processor with WDDM 1.0 or higher driver

• DVD-compatible drive

As more is always better with computers; if you want to use advanced features like BitLocker you will need more.  Here is a link to Microsoft’s official Windows 7 system requirements.

http://windows.microsoft.com/systemrequirements

If you would like help identifying your companies IT Solutions needs and their requirements please contact Trigon at http://www.trigonit.com/contact-trigon