Picture from here

RSS, I love RSS.   RSS makes crossposting easy.   It also allows me to read all of my news in Google Reader instead of jumping to 50 different sites that I used to visit once a day.  RSS allows users to subscribe to your site and read them where they want to, this may be good or bad based on your advertising style.  If you are like me and don’t really make a dime on your blog, then it doesn’t really matter.

Image from here

I use feedburner as a choke point for every web service that has an RSS feed (and I’m a member).   This allows me a couple things, the first is I can easily remember all the web services I sign up for.  The second thing is I have feeds that I can automatically plugin to lifestreaming services that don’t support the sites I use natively.

Through RSS I cross post my blog to Tumblr, Profilactic, Friendfeed, Suprglu, and any other life service I come across (just search for Creeva as the username).   Now At this point I’ve made feedburner to do all the heavy lifting and bandwidth intensive work for feed readers.  I even use my feed (a filtered version) to post notifications to Twitter when I have a new story published using the Twitterfeed service.

The other key thing to remember with RSS is when we get to the widget space.   Some sites don’t have an option for crossposting, they are completely locked.   You can however (in some cases) place a widget in your profile on these sites.  More times then not you can manage to place an RSS widget.  An RSS widget shows your current RSS feed items and allows you to place them on these profiles that otherwise have locked data.

With wordpress there is a plugin called feedwordpress that aggregates feeds and publishes them as items on your blog.   They keep trying to make this plugin better, but I can tell you it doesn’t seem ready for prime time yet.  I’ve tried every trick imaginable and I always end up receiving duplicate entries in my main blog.   Because of that I don’t use feedwordpress anymore, I may try in the future.  This would lead to the ultimate life caching solution, by allowing my blog to pull in all the data I generate everywhere else, and then crosspost it to all my friends across the web.  Unfortunately it’s a pipedream at this moment.

Now click the logo to subscribe to Creeva’s World 2.0:

Image from here

In the next part of our crossposting god series we are going to cover services that allow you to publish by e-mail.

Previous Entries in The Crossposting God Series:

The Crossposting God Series Part 1 – The Introduction

The Crossposting God Series Part 2 – Vox

The Crossposting God Series Part 3 – Live Journal and Derivative Sites

The Crossposting God Series Part 4 – Entry, Distribution, and End Points

The Crossposting God Series Part 5 – Myspace

Going further into my reviews of kiosk systems we acquired the Surferquest system here at work.   Unlike my piece on SteadyState I’m not going to have a bunch of screen shots to show you this time.   However I will give you my analysis and what I’ve found out.

The Surferquest system is an off the shelf software with minimal customization.  We ordered an evaluation unit and I was tasked to try it out.   I can say for our needs as a company that requires centralized management and control of machines in our environment that the Surferquest system was not quite a correct fit for us.

In our environment we don’t normally place a machine on our network until it is fully tested and verified secure, but this product is pretty much useless until it has a network connection.   I had to contact support and they gave me an unlock code that would allow me to make changes to installed software.  The unlock code lasted only 24 hours, but they sent me a utility later on that would allow me generate unlock codes for myself.

Almost all of the customization that can be done is performed remotely by Surferquest.  This means if there is a major application change that needs to be completed you need to contact them.   Do you wish to customization your login screen?  You must contact them or upload the images to their server.    You can not perform these changes locally on the box or locally within your environment.  Wish to change the active desktop they used?  Same steps apply as changing the login screen.

Restrictions applied to the software:

Disable Windows Updates
Remove from Start Menu:
My Music
My Pictures
Favorites
Recent Documents
Frequently Used Programs
Recent Network Docs
Network Places
Help
Run
My Documents
Configure Programs
Disable Windows Keys
Lock Taskbar
Disable Control Panel
Disable Balloon Tips
Remove OEM Link
Disable Task Manager
Disable Registry
Disable Find Files with F3 in Explorer
Prevents Control Panel, Printers, and Network and Dial-up Connections from running, and removes the corresponding menu items.
Removes Shut Down from the Start menu and disables the Shut Down button in the Windows Security dialog box.
Disable System Restore
Clears Recent Documents on Exit
Disable access to Recent Network Documents
CTRL key disabled

As you can see, though they use a different product to achieve the same goal, it has similar technology to the Microsoft Steadystate product I reviewed in part 3.

You can put the software within you domain, but the software will still be phoning home to the Surferquest company. While I’m positive that there is nothing sensitive being pushed across, like any company that you would have do remote assistance make sure you trust them in case of any possible data leakage.  The official answer is that it only sends out IP address information and the last time connected.  You can view this information on the stat web page they provide you

If the drive in the unit should fail or there is a hardware issue in need of support, no software is supplied.   You must receive new hardware from the vendor and return your old unit.  They state that turn around time is usually 24 hours.   Any remote management or patching must be performed by the vendor and is done via remote monitoring software that they have access to.    The software is caused Netsupport and it sneaks out your firewall on port 22 – now all you admins that left it open for SSH can feel silly (actually that’s how the firewall support team snuck out the corporate firewall there and back to their home computers when I worked at Symantec on that team).

Quick Notes

• Idle timeouts can be configured, but they default at 10 minutes.
• They use the Deep Freeze product to maintain their disk image
• When we received the unit PXE booting was enabled (and we didn’t have a BIOS password – they stated this was a mistake)
• The unit we received had PowerDVD installed, ironically no DVD drive (another oversight they admit)
• Unlock Steadystate there is no method for restricting USB drive usage

Box the unit shipped in

Front of the unit

Top of the unit

Rear of the unit

If you deploying this in your environment you need to make certain you can accept the security and loss of control you have over this unit compared to other machine in your environment.   I see this fitting more in the public space kiosk scenarios suchs as libraries or hotels.   Because they do lack the centralized control that you would normally deploy in corporate environments I say give this one a pass or at least look hard at what you are trying to accomplish.   For the public space this is a great product, extremely low maintenance, the ability to monetize but charging a fee (customized through the stat page),  and extremely well versed and fast techinical support.   If you want to deploy an Internet Cafe in your area this is the product for you.

The Kiosk Series:

The Kiosk Series – Part One – Choices For Your Environment

The Kiosk Series – Part Two – Management Considerations For Your Environment

The Kiosk Series – Part Three – Microsoft SteadyState vs Group Policies

To get an n810 or not is the question.   A few days ago I wrote a couple blog posts from my wife’s new n810.   I have some reservations about the keyboard for “power writing”, but that can be handled by a seperate bluetooth keyboard.   I think that’s not an issue.

Would I use it instead of a laptop – kind of.    Right now through work I have a Mac Book Air for my mobile device.   It’s great, it’s light, it does most of what i need it to do (what it can’t do would require linux or windows so it’s forgiven).    The one thing I run into with the air is the same thing I run into with my normal laptop, accessibility.   For normal computer use they are highly accessible, but if I do make it to HOPE this year or other travel venues it would be MUCH better to not bring a full laptop (if I do take an 810 to HOPE I’ll be accessing the internet through an encrypted Hamachi VPN tunnel to home and using a proxy there to access the Internet – no clear text information is going to be slipping by me – I can deal with the speed hit that will cause).

It’s much easier to have a bluetooth keyboard and an N810 to haul around to these places more so then a full laptop.   WIth a full laptop I need to worry about power (n810 has better battery life), privacy due to larger screen size,  finding a place to sit versus standing and using the n810.    These things are all things that go through my head while debating this purchase.

So yes the N810 would make me more mobile, and be more convenient.   I know for me (extreme power user) it won’t replace a computer or laptop, but for some people (like my sister) I could see this as a 100% computer replacement.   Too much geekery for me it seems.   So then we open up the question, could I live for a week with just the N810?

The N810 isn’t really designed for offline use.    If it has an internet connection that’s great.  I would be able to do most my blogposting and status updates via email so when I hit wifi I could sync up and go.   In alot ways I think this is enough.   To check this I need to menally compare it to my my Palm TX.

I’m not sure that the N810 will fully replace my Palm TX (then again no one said I couldn’t keep it).  WIth my palm TX I use it as an email platform, a web access device, a centralized syncing device, and an ebook reader.   Anything else I use it for is mostly games so that’s not really an issue – IM has always been painful on it do to .

Since the N810 does not have heavy document handling and I don’t think the resolution is quite right for ebook reading (the two thing I think I would keep my TX for)  it does have better web page filtering (my blog almost breaks the TX).   I would also be able to do IM since I wouldn’t be forced to stay on the IM screen like I do on the TX.   Email should be equal or better on the N810 versus the TX, Web Browsing would be better, and IM would be better.   The occasional full need to document editing and e-book reading would mean the TX could sit on the bottom of my bag (and a bluetooth keyboard would work with it – two devices one keyboard).

So theoretically I could replace my laptop about 90-95% with the two devices.   With having a much smaller footproint and ease of use in carrying these devices with me.   Having the N810 would mean that I no longer have to carry an iPod around since it would handle my podcast playing – bonus to the fact that it will auto scrobble to last.fm something that I have never gone working to a level I liked with an iPod and linux.

Movies however I’ll probably still use my palm TX – I can play full divx movies on it without having to re-encode them.   Bonus to me.    This will also have the side effect of saving me battery life on the N810 if the TX is with me.   I don’t watch movies too often on the go though.

Through hackery I would be able to sync my calender on google with my N810 – something that never worked right on the TX.   I would be able to compose music on the N810 (yes it can compose music).   Someone is also working on an instrument tuner – which is something I was going to buy this summer – so I’ll save 30.00 there.     I was going to buy an iPod, but with the 10 GB I can max out on the N810 and the fact that I only really use an ipod for podcasts would mostly make that that a non issue  – so a savings of 150.00 – so far I’ve saved myself 180.00 on stuff I would probably buy this summer.

There is an NES emulator (that works better on then on the TX) and a GBA emulator – this should save me from carrying around my GBA (which I ironically use more then my DS).   I also play RPG’s so the slight frame drop won’t really effect me.    I can use skype which really isn’t to much of an issue for me since I mostly would call my wife and we have free phone calles between us.   With utterz I can use my phone to “call in” blog posts.

I would be able to start geo caching with the N810 built in GPS, I’ve watned a gps for a long time, not for driving directions since I can look at a map easily and I’m able to figure out where I am.   My wife is sometimes jealous of my innate directional sense.   Usually I get way to lost sometimes by actually reading a map, wrongly at that.   I could get a cheap GPS for 90.00 – but that would take my total electronic purchases to 270.00.   We are approaching the N810 price.   (We actually match it if you figure out it would handle my gaming needs – but I already own those devices)

I like the N810′s keyboard versus the N800′s touch screen which my wife tried out first, but it still a small small keyboard and I have bigger fingers then her.   I can enter information quickly enough for a mobile device I can whip out real quick – and 500% faster then I can do on my phones keypad.     If I utilize bookmarks and saved password this should help limit my typing.   The less need I have on this the better.    Once again if I’m going to write a long blog post like this one is becoming i would have to have a bluetooth keyboard.

My tmobile internet connection is very slow on my cellphone, but being able to stop by any mcdonalds or burger king for quick internet access kind of alleviates that concern.   Granted wifi coverage isn’t ubiquitous but it’s common enough that I think I would be fine.

I’m probably going to decide tonight to get one.   Working through this post has helped alot.   I think I started with the fact that this would replace my palm TX, and going through that thought process I don’t think it would.   I think it will however handle the fact if I’m gone for a week or two away from a computer (though I can fathom two weeks away from a regular computer) that I could be just fine in a solely mobile solution without a laptop.    Using the host mode hack on the N810 coupled with the card reader program on the Palm TX means I’ll be able to utilize the Palm TX as a removable storage space on the N810 if I need it with normal SD cards instead of needing a thumb drive that would drain the N810′s power quicker.    This would allow me to throw another 8 GB and make the card switch out very easy for me.

I’ll keep everyone updated on what I decide.

One thing I’ve been working on for awhile is and Internet Deadman’s Switch.  With all of my crossposting and media re-usage activities in the grand scheme this should be fairly trivial.   I am sure however that some things will slip me up.   We’ll start in this section of identifying the goals I wish to acomplish and work through some of the stages in part two.

What do I mean by Deadman’s Switch?

A deadman’s switch is something that is triggered normally to keep you alive.   A quick example is the pressure plate on a riding lawn mower.   The pressure plate must have weight on it or the lawn more will not start and if the weight is removed the lawn mower will shut off.  So essentially one action cause another action to occur when certain variables are met.   My trigger would be my death.  If I didn’t verify if I was alive after a certain period of time to a program/website/etc.  the a serious of scripts and actions would trigger leaving behind all the information I wish to impart on those behind me.

Why do I want a Deadman’s Switch?

This idea started in my head about 7-8 years.   There used to be a website that had you check in once a month and if you didn’t log in it will send off emails to the ones you care about (or the ones you don’t).   This gives you the final word and allows you to send of those things that might be important.   I can leave my wife information about all my accounts and password, any relevant information that she may need and won’t be able to gather up, parting words to friends and families.   I would also thanks to my current setup be able to post to all my social networks and make an announcement of my death.   This I find intriguing and I’ll at least go through all the steps of implementing this (whether I actually use it and maintain it will remain to be seen).

What would I send?

I’ve broken down what I would want to send into four sections:

• My wife – I can deliver my final message, copies of important documents, access to all of my accounts and any other relevant information she needs
• My family – I would send each family member a personal message from the beyond – I also would send them a follow up to do with my wife in case something happened to her at the same time, that way there would still be someone i could trust that would have access to the information they may need to clean up my estate.
• Friends – I would send each of my “high level” friends an individual message – if somehow my whole family is taken out in one full attack – I don’t think I’m passing any of my personal information off to them.
• Public Internet at Large – this is broken into a few more sections, but essentially I’ll be leaving a video, audio postings, status updates to my social networks (“I’m dead thanks for all the fish”)), and a few final blog postings.

The trick to all of this is of course is reliant on a few things.   The first and foremost being that I can send email after I’m dead.   It also can not be reliant on my home PC (if a housefire hits or a tornado takes me out I don’t want my home to be the weakest link).   Finally whatever script I use must be able to pull from an FTP site (for the audio and video).    Once those can be accompished I’m fairly sure I can get everything else done.

When would I send it?

This is the other conundrum isn’t it?  How do you net tell everyone you have passed on while you are still alive (that could be embarrassing).    You need to pick a time period that seems suitable to you (every 12 hours is not suitable).  I’m thinking either every two weeks or every month I would have to login and verify that yes I am still alive and kicking.  The only problem this would really cause is if I’m kidnapped or held hostage.   The chances of those being so minimal that it is unlikely so I won’t really take those into account.   So to be safe I’ll set it for somewhere between 14 and 31 days.

Another thing I would like to do is configure it to be staggered.  That way I’ll be able to send a message to my wife warning her about the upcoming announcement of what is going to occur before it actually does.  Then to family, then to friends, and finally to the Internet as a whole.   This would keep it from being one big whirlwind hitting everyone at once like a ton of bricks.   I don’t want someone completely freaked out when they see a new youtube movie of my me uploaded.    So a staggered release would be the best scenario (if it’s possible).

How am I going to do this?

You’ll just have to wait for part 2.

Ping.fm allows me to sync my status from the following services:

• Bebo
• Blogger
• Facebook
• Hi5
• Jaiku
• Linkedin
• Myspace
• Pownce
• Tumblr
• Twitter

Keeping all the statuses in sync across all my services is a life saver.   If you would like to sign up use the beta code “pingfriends” and get in on the beta action.

Google is all about consolidation of data, there whole mantra is behind it.  They have released oodles and oodles of services that I utilize (yes I’m a google whore – there I said it), but only minimal correlation between the tools other then a common login.   Many of their tools generate reports or data that could be transformed into reports.  Some of their services it’s almost brain dead that they haven’t integrated the services.   Let’s go through the services and how I would design “Google Reports”.

The most obvious Google “products” I would lump together would be Google Analytics, Google Webmaster Tools, Google Adsense, and Google Adwords.  All four of these products are usually used together – so why can’t we get reporting for all three on one page?  All of these products can give a webmaster an overview on where his site(s) are going and what he can work on.   There is absolutely no reason to go through four different interfaces to get this information.   Yes I can set up email reports from some of them – but a singlular report and page to view them at a quick glance would be great.   If I click on something to drill down on it could then take me to to the specific related products page.  While we are the subject of Google Analytics – a listing of recent page views ala the way statcounter does it would be great.   To be honest that’s the only reason I still use my statcounter account.

Those were the four products that prompted me thinking about this in total from the beginning.   Now let’s move on to the other products, video for example.   Google Video and Youtube both fit different niches in the google video structure.   Youtube allows you to upload video more quickly but has time and size limits, Google Video however allows downloads and unlimited sized and no time limits when you use their external (non browser based) uploader.  Now Google Video’s reporting very frequently fails to work – loosing view and download counts so this needs to be addressed.   But a report that would include subscribers, views, and downloads would be fantastic.

Feedburner should be tied into analytics also for the amount of information it gives you and stats, while I’m on a mini rant here when are we going to be able to inject adsense into our feedburner items?

Now let’s break into the quickies:

Google Base – ok I still don’t understand this product so I have no idea.

Blogger and Page Creator would tie in easily with Analytics – so there is no reason not to make this automated.

Browser Sync – The number of synchronizations and all machine that you ahve synchronized against.

Calender – Ok trickier but the number of appointments from a given day/month/week

Docs – Number of edits, number of documents, space they take up, and how many of your colloboration documents have had edits.

Gmail – Number of emails received, sent, spam caught, most frequent contacts, amount of free disk space.

Groups – could tie into Analytics if your the group owner but beyond that – number of members and messages – how many new messages if your just a reader.

Igoogle – um no clues

Reader – number of stories read

Picasaweb – how many times each photo was viewed, who has linked to it, and any subscribers

Finally webhistory – the amount of searches performed, and a concise list of sites embedded in the reports.

I would want to see report being able to be generated automatically on a daily, weekly, monthly, and yearly basis.   The ability to customize reports by date or time period would also be great.   The ability to atomically email them to you at a preset time would be fantastic.

The last feature I would add is an open API so we could plugin new reports and send them to google to collect and have other programs able to fetch and manipulate the data on a client side.  I know I’m asking pie in the sky at this point.

Google literally has all this data on us and more.  They are preaching data portability and openness so why don’t they consolidate and show us more of the data they are holding.  I’m not asking for all of the secret sauce just what’s relevant to me.  Combing the original few things before I went into quickie mode though would be utterly fantastic and an excellent starting place.

Original From Journey To Get Paid: Google’s Next Service Should Be – Google Reporting.

–
Posted By Creeva Murkado to Journey To Get Paid at 4/11/2008 12:19:00 PM

Kiosk System Management Strategy

There are multiple issues involved with managing a “kiosk system”.   We have to look at the problems we will face whether they are considered to be internal or external.  From a security and management scope of this document we are going to assume they are located on the company guest network.  If the machines are located within the internal network the current maintenance procedures will apply.

While this is still in the design period the final abilities of both the kiosk system and the where it falls have not been decided upon.   Until another strategy is decided upon we are going to assume that these systems will be a member of the domain.

Hotfixing and Patching: Within the internal network we currently use a mixture of WSUS, SMS, and Antivirus servers to keep computers up to date.   Something similar would have to be replicated either on the guest or DMZ network.   If it is located on the DMZ network controls would have to be in place that the communication is pushed to the client for updates instead of the client pulling the information.  If the information absolutely must be pulled, this will be addressed in the section below titled “Securing Connections”.

Break/Fix Issues: Next to the computer there will have to be a phone located so users can report any issues that a kiosk should have.   Upon receiving the call and logging it, normal break/fix procedures would apply.

Remote Desktop: Going from the DMZ to the guest network we should be able to RDP into the kiosk unit.

Remote Monitoring: For the best security standpoint all of these units should include full auditing.   The audit trail could be maintained locally with a remote server from the DMZ pulling in the logs via either a script or an off the shelf utility designed for pulling log files off of the machine.

Utilization Report: Similar to the Audit log we can get a utility that monitors the utilization with these units and pull them into the internal network.  This can be done after tracking down a third party program that allows for utilization monitoring or by parsing the audit log and turning that into a utilization report.

Seat Type: A new seat type would have to be established to accommodate the additional costs incurred from the environment set up and maintenance of these units including but not limited the additional costs possibly incurred by having a phone nearby to inform the help desk of any issues.

Security Plan: A new security plan would have to be established since there will configuration settings that do not fit into the current security plans that the company has established.  While these will fall under a site security plan, none of our existing would not be able to fit these systems under their configuration options.

Privacy Controls: Depending on the kiosk solution we go with – whether it be a login based solution where they have a full application suite or a web kiosk something must be done to maintain user privacy.   After an inactivity time (amount to be specified later) which would either clear the process from memory or log the user out of the kiosk completely depending on which kiosk method we are using in a couple methods. One would be an off the shelf software product to this, at this point I would assume we would use all of their privacy and utilization reports. Another option would be to setup a script to kill the process or automatically log out the user and utilize the screensaver in the kiosk to run this functionality and monitor idle time.

Securing Connections: If the machines must pull information from the machines in the DMZ, then the best method would be to utilize IPSEC.  This would limit the amount of ports needed and allow us to lockdown communication to only the specific server that the kiosk would need to talk to.

Kiosk Options

When discussing kiosk system we need to discuss the scope, security issues, and functionality requirements that we must maintain to achieve a successful deployment.   There are many types of kiosk systems that we can implement within the Company network.   The solutions we are going to describe in this document are based on product literature that we have received after scope is finalized actual product testing will be done so we can verify that all the features work as described and will function within the deployed environment.

For the sake of categorization the following options were identified as possible for use within a kiosk environment.   This list is not meant to be all encompassing but rather a list of desired features that we feel can be accomplished from the products we are looking at.

·    Internal Websites – company Designated
·    External Websites – Completely open from a kiosk standpoint
·    SSL VPN – For access to the internal network
·    Citrix – for terminal server capabilities
·    Printing – locally attached print
·    Sound – for hearing active embedded media
·    USB Mounting – for USB memory sticks
·    Run Apps Locally (Read Only) – from either the memory stick or kiosk directly
·    Run Apps Locally (Read / Write) – from either the memory stick or kiosk directly
·    Write to USB Memory Stick – from kiosk
·    Access to User Documents
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website – standard start page
·    Full application list
·    Internal – Authentication
·    External – No Authentication
·    Browser Plug-ins – for enhanced compatibility
·    Restricted To Certain Web Sites – Company Designated

Kiosk mode systems come in a variety of shapes, sizes, and functions.   To help narrow the design gap for our needs we have devised eight categories in which we can work around design structures for:

·    Full web only access kiosk on the company guest network
·    Limited web access on the company guest network with a locked down browser
·    Full web only access kiosk on the internal network
·    Limited web access on the internal network with a locked down browser
·    Limited seat with security controls on the company guest network
·    Limited seat with security controls on the internal network
·    Full seat with security controls on the company guest network
·    Full seat open use office solution – internal network
·    Full seat with security Controls open use office on the internal network

Each solution has its own benefits and concerns for deployment.  We will be going over these one by one to analyze and work with company to implement the correct and desired solution.  The analysis will include which functions identified above can be implemented, target placement, target users, benefits and disadvantages of each solutions, and possible security concerns.

Full web only access kiosk on the company guest network:

Description: This would be a fully open web kiosk with an address bar located at the top with the web browser being the only application available to the end user.  All functions must be done within the browser.

Possible targeted functions:

·    Internal Websites – via SSL VPN
·    External Websites –
·    SSL VPN
·    Citrix – via SSL VPN
·    Printing – locally attached print
·    Sound – for hearing active embedded media
·    Access to My Docs – Via SSL VPN
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website – standard start page
·    External – No Authentication
·    Browser Plug-ins – for enhanced compatibility

Target placement:

·    Public areas where guests are most likely

Target users:

·    Visitors
·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    User will not have access to the local computer beyond the web browser

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks

Security concerns:

·    If a user leaves an authenticated session up there will be a time delay before the profile resets, risking possible exposure of private data or company data if the SSL VPN was used.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.

Limited web access on the company guest network with a locked down browser:

Description: This solution can be configured with or without an address bar allowing the option to restrict this to certain web sites.   Active X would be disabled.

Possible targeted functions:

·    External Websites
·    Printing
·    Sound
·    No Login
·    Boiler Plate Website External – No Authentication
·    Restricted To Certain Web Sites

Target placement:

·    Public areas where guests are most likely

Target users:

·    Visitors
·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Tighter Security Controls
·    Limited Risk Exposure
·    Option of controlling where the users can go via the browser

Disadvantages:

·    SSL VPN will not work if active-x controls are disabled
·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks
·    With no SSL-VPN – no access to internal company data

Security concerns:

·    If a user leaves an authenticated session up there will be a time delay before the profile resets, risking possible exposure of private data.

Full web only access kiosk on the internal network:

Description: While not recommended this is being offered as an option for choice.  It has the same features as the Full web only access kiosk on the company guest network, but would require user authentication due to the network access it has.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    Access to My Docs
·    Boiler Plate Website
·    Internal
·    Browser Plug-ins

Target placement:

·    Public sites within company buildings that are not commonly visited by the large amounts of visitors at once.  This would be to limit the amount of time that authenticated data is available if a user walks away from the kiosk.
·    Would not be recommended at location that the general public has access to

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Company employees would be able to access their Webmail from anywhere these are placed
·    Company employees would be able to access a terminal server session from anywhere these are placed

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks

Security concerns:

·    Possible information leakage due to open Webmail or terminal server session.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.

Limited web access on the internal network with a locked down browser:

Description: While not recommended this is being offered as an option for choice.  It has the same features as the limited access kiosk on the company guest network, but would require user authentication due to the network access it has.

Possible targeted functions:

·    External Websites
·    Printing
·    Sound
·    No Login
·    Boiler Plate Website External – No Authentication
·    Restricted To Certain Web Sites

Target placement:

·    Public sites within company buildings that are not commonly visited by the large amounts of visitors at once.  This would be to limit the amount of time that authenticated data is available if a user walks away from the kiosk.
·    Would not be recommended at location that the general public has access to

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Company employees would be able to access their Webmail from anywhere these are placed
·    Company employees would be able to access a terminal server session from anywhere these are placed
·    Tighter Security Controls
·    Limited Risk Exposure
·    Option of controlling where the users can go via the browser

Disadvantages:

·    All functions must be performed must be performed within a browser
·    Won’t be able to perform other application tasks
·    Some sites won’t work due to Active-X being disabled

Security concerns:

·    Possible information leakage due to open Webmail or terminal server session.

Limited seat with security controls on the company guest network:

Description: This would be a scenario where we would have an open standard windows desktop for the user to access.  It would allow only certain applications to run but will give the user access to a portable memory stick for use.

Possible targeted functions:

·    Internal Websites – via SSL VPN
·    External Websites
·    SSL VPN
·    Citrix – via SSL VPN
·    Printing
·    Sound
·    Access to My Docs – Via SSL VPN
·    No Login
·    Boiler Plate Website
·    External
·    Browser Plug-ins
·    USB Mounting
·    Write to USB Memory Stick
·    No Login
·    Boiler Plate Website
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Visiting Contractors
·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    Access to certain designated applications
·    Controlled environment

Disadvantages:

·    Won’t be able to perform non designated application tasks

Security concerns:

·    Possible information leakage due to open Webmail or SSL VPN session.
·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible application vulnerabilities could compromise the unit

Limited seat with security controls on the internal network:

Description: Same as the limited seat on the company guest network but designed for internal GRC employees.   Smart card access would be recommended and roaming profiles blocked.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    Access to My Docs
·    Boiler Plate Website
·    Browser Plug-ins
·    USB Mounting
·    Write to USB Memory Stick
·    Boiler Plate Website
·    Internal – Authentication
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Allows users access to information at placement points
·    Access to certain designated applications
·    Controlled environment

Disadvantages:

·    Won’t be able to perform non designated application tasks
·    Large threat to data being exposed

Security concerns:

·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible information leakage due to be on the open internal network
·    Large data exposure footprint
·    Possible application vulnerabilities could compromise the unit

Full seat with security controls on the company guest network:

Description: This option would give users to the same standard applications as their normal desktop.   The hard drive would not be written to for data storage.  Roaming profiles would be blocked.  These seat would also have full security controls applied to it.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    SSL VPN
·    Citrix
·    Printing
·    Sound
·    USB Mounting
·    Run Apps Locally (Read Only)
·    Run Apps Locally (Read / Write)
·    Write to USB Memory Stick
·    Access to My Docs
·    No Login – completely is designed to start being used without login
·    Boiler Plate Website
·    Full Application Suite
·    External – No Authentication
·    Browser Plug-ins
·    Restricted To Certain Web Sites – company Designated

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    company Employees

Benefits:

·    Users are able to function as they would at their desks
·    Allows users access to information at placement points

Disadvantages:

·    No login requirements
·    Possible data exposure

Security concerns:

·    Unsigned Active-X controls could cause issues and it would be recommended denying unsigned Active-X controls.
·    Possible information leakage due to open Webmail or SSL VPN session.

Full seat open use office solution on the internal network:

Description: Standard full seat for user to use on the internal network located at open access points for any user to access.  Security settinga would be applied and user profile data removed upon log out.   It is recommended to require smart card access to these units.

Possible targeted functions:

·    Internal Websites
·    External Websites
·    Citrix
·    Printing
·    Sound
·    USB Mounting
·    Run Apps Locally (Read Only)
·    Run Apps Locally (Read / Write)
·    Write to USB Memory Stick
·    Access to My Docs
·    Boiler Plate Website
·    Full Application Suite
·    Internal Authentication
·    Browser Plug-ins

Target placement:

·    Public open use office space

Target users:

·    Local Contractors
·    Company Employees

Benefits:

·    Users are able to function as they would at their desks
·    Allows users access to information at placement points

Disadvantages:

·    Requires smart card
·    No access to local profiles

Security concerns:

·    Possible information leakage due to open sessions.

The company putting on this seminar is Carahsoft. The presenter is Monica Girolami Senior Product Marketing Manager from Symantec.

When I dialed in I was the 26th caller – so take that for whatever level of review that you want.

The speaker started only 3 minutes late.

Valued of Backup Exec 11d Agents and Options:

Agenda:
Windows Recovery Challenge
Backup Exec 11d for windows servers
Current Upgrade promotions
Questions and Answers

This is about keeping your data secure and available against malicious threats, infrastructure failures, natural disasters, and etc.

It’s about your ability for recovery not about backup *I feel I’m’ getting brainwashed

More press notes self promoting

Advantages:
Continuous Protection for exchange
Recover Critical Data in seconds
Enhanced Data Security – Encryption – 128/256 AES encryption
New Platform Support (x64 bit) -
and more….. * did they really need to add this?????

Exchange Backup old way – daily (weekly full backup) daily second backup of the mailboxes – so it’s taking twice the time. With 11d eliminates the mailbox backups – still having the ability to recover individual emails or accounts. They do this through granular recovery technology. With the continuous data protection you can continuously protect and granularly recover the data. * Roll eyes

Granular recovery requires you to have a backup up to disc – full backup would go to tape or disc.

current method of backup – sample customer – 7 hour exchange database job – mailbox backup – 23 hours – total of 30 hours. With 11d it took a total of 3 hour for everything – moving the database to tape it took a total of 5 hours. 80% reduction of time with up to the minute restoration available.

Continuous protection is now available for exchange – previously it was available for file servers. You can setup the recovery points – you can set this up down to every 15 minutes – default is 8 hours. So you could recover your system up to the last time point (down to 15 minutes ago). You can do recovery to this.

This product seems to be missing the new standard Symantec Web Interface

Active Directory Agent:

Recovery individual users, attributes, computers without reboots. Much easier then the MS method – just run a full backup job – from there you can recover the individual objects from that.
Recovers Share point databases and documents with the GRT previously mentioned

MS SQL now has continuous protection also – the agent can backup locally instead of over the network for the best continuous backup in the fastest method. 11d secures the restore selection to make sure the recovery job runs successfully.

Central Admin Server Option (CASO)- Simple Three Tier Management:

You can protect your entire environment from one location – the central admin server allows you to manage your protected servers, computers, and media servers from one location. This includes defining and distributing backup jobs, monitoring and reporting on job activity. This option was first introduced in Backup Exec 10.0

Does not require persistent architecture for remote offices
Distributed catalog architecture
simple monitoring of remote managed media server jobs

Desktop and Laptop Option – Protecting Critical work stations

5 free license with BE 11d
Continuous Protection
DLO (desktop laptop option)is ideal for a mobile work force
synchronization of users work stations
end user file retrieval
easy to manage and deploy
Licenses are available in 10 packs

Backup exec system recovery options – Do you have a disaster recovery strategy?

Formally livestate recovery – the old system recovery method was manual and was long and tedious – repair – reinstall OS – reinstall drivers – reinstall apps – re configure settings – apply journal changes – test – go live. With new method select recovery point and it can recover the entire system – only taking minutes and is more reliable with the disk based backup. Disimilar hardware recovery in minutes – enhanced P2V/V2P virtual conversion capabilities – streamlined lower priced offering of Backup Exec System Recovery 7.0.

More press quotes

Dissimilar system recovery – allows you to recover to different hardware configuration with the same data – it can even restore to a virtual machine. Backup Exec for Windows Server System Recovery Option – lower cost then the full solution – it’s a stand alone unintegrated solution – which you could run backup exec 11d on mission critical servers that would allow you to recover in just a few minutes.

Extended platform support
X64 windows media server support
Vista Support
Centralized management
NDMP support
Oracle
Linux/UNIX
DB2
Mac OSX – PPC/Intel

Free 60 day trial from www.backupexec.com
* there are even forums there WOWWEE /sarcasm off

For Exchange 2007 and Vista you need the latest Backup Exec 11d patches.

Questions and Answers:

Symantec: Please type your questions for the speaker into this chat pod.

Guest: can we ask tech questions?

Symantec: Liza, you are welcome to ask any questions. We’ll do our best to answer them. If we can’t answer them, we’ll make sure to follow up with you off line.

Guest: my back up wld not restore even if I applied sp5

Guest: with the new version does it come with tech support?

Guest: VMWARE consolidated backup support on 11d

Guest: Does the Sharepoint Agent give posting item level recovery?

Symantec: BE11d includes support if u purchased it w/ support

Guest: Running BE 11d and had need for Exchange restore of databases. I had been running D2D2T and the restore could not be done with tape. We were able to restore from disk. Could you provide best practice set up D2D2T with Exchange agent?

Guest: compare cps with cdp for exchangebackup

guest: We have had some serious issues with Lotus Notes 7.0.2 mail client and the Backup Exec remote agent, has anyone else had issues with this? The agent prevents Lotus from opening.

Guest: will cps on exchange replace brcik level backup

Rod Sellers: cps itself is very nice

Guest: We always have files being skipped in the back log in ver. 9.1. How do we prevent that? Thanks

Guest: I’m running 11d remote agents to backup my NEtware servers. I use Pre/Post options – but the Post doesn’t run. Are there any known issues around this?

Symantec: Recommend reading Exchange Best Practices wp on www.backupexec.com/save

Guest: HI, we have 400/800G tapes for our backup. Weekly we have a full backup. It is about 399G. What is the best praktice to do a full backup and do not need to use a secound tape? (incremental Backup?)

Guest: Thanks

Guest: Backup Exec 11d has been release since 11/06. How come there have been no live updates for this program?

Guest: On the topic of encryption, can Backup Exec backup laptops protected with PGP Whole Disk Encryption?

Guest: Why do they not have updated native support for NetWare and GroupWise? Not everyone runs Exchange

Symantec: Apologies everyone, slight technical problems.

Guest: On the subject of Lotus Domino, we are also having problems using the Domino option. It skips too many files.

Guest: We are using tapes. we want to convert to disk and do a virtual bkup

Symantec: Backup Exec 11d launched in Nov06 and build 11d.7170 launched March07 with support for MS Exchange 2007, MS Vista, EMC Celerra devices etc

Guest: we need to talk to u abt the conversion

Guest: is this all about MS?

Guest: AD meaning backing up individual users’ files in pcs?

guest: We have also had issues with 11d and the backup jobs not completing/failing when not being able to connect to machines assigned in the backup job. The Symantec techs also said there is a limit to the amount of machines you can have in one job, what is the limit?

Guest: We are currently using 10D, and would like to upgrade to 11D, however we are still running Exchange 5.5, with a plan to upgrade Exchange to 2003 this year.. Its my understanding that 11D does NOT support less than Exchange 2000. Am I correct here?

Guest: We have been getting weekly updates by liveupdate including SP1. Automatic doesn’t seem to work though. Try from the tools menu.

Guest: How will the desktop & laptop options work with Windows Vista? Windows Vista already has a built in snapshot for machines?

Guest: Is the automatic feature being looked at as to why is doesn’t work? Is that a feature they may take out in the next verison?

Guest: Is System Recovery like System Restore in Windows?

Guest: When is the next verison coming out?

Guest: scott, I’m just another customer. I have other priorities at my site. I just assumed it was because we were using central admin console. I do all the servers manually.

Guest: is this the IDR?

Guest: We have just upgraded to 11d. I am getting the following error message on the sever Backup Exec is running on. Backup- THC1 V-79-57344-3844 – The media server was unable to connect to the Remote Agent on machine THC1. The media server will use the local agent to try to complete the operation.Remote Agent not detected on \\THC1. The folder it is trying to backup is the Utility Partition. The rest of the server backup up fine without asking for the remote agent.

Guest: is this included in 11d?

Symantec: To get current 11d updates go to: http://seer.entsupport.symantec.com/docs/289968.htm

Guest: Does Symantec have an Archiving solution that works w/ Backup Exec? We have about 1 TB of data that needs to be archived off in a near line device that can be accessed when necessary.

Symantec: Yes, BE11d for Exchage w/ CPS eliminates Brick Level Backup

Symantec: Ceballos – Enterprise Vault http://www.symantec.com/enterprise/products/overview.jsp?pcid=2244&pvid=322_1

Guest: Is the Advanced File Open option free with 11D?

Guest: migration from 9.1 to 11d is free?

Guest: I need help in migration after the 11d comes.

Guest: Is the Advanced Open File option free with 11d?

Symantec: Frandin – Yes BE11d only supports Exchange 2K, 2K3, 2k7

Guest: how to get the ppt presentation

Guest: ok ty!

Guest: give an over view os sss

Symantec: MClark – AOFO is a purchased addonn

Guest: Is it per server?

Guest: I understand that I need a VIP Update for 11.0. Where can I get this?

Guest: please review share storage option

Symantec: live update http://seer.entsupport.symantec.com/docs/289968.htm

Guest: Could you do an overview on the Backup to Disk to Tape technologies?

Guest: Do you have a whitepaper that compares your product to others? Specifically we are using Syncsort and I want to convert but will have to do justification and any help would be appreciated.

Symantec: Agents /Options: http://www.symantec.com/enterprise/products/agents_options.jsp?pcid=2244&pvid=57_1
Symantec: Nick, today’s webcast is being recorded. A link to this recording will be available shortly on http://www.carahsoft.com/events/index.php. It will also be sent to you in a follow-up email.

Guest: how can we tell if we are current on maintenance?

Guest: can you give us teh link to the upgrade

Symantec: www.backupexec.com/save

Guest: 9.1 version support has expired. I just ordered 11d does this mean I have to order support separately?

Symantec: You can order 11d with or without support

Guest: if we have IDR in 10d, does it get upgraded to live state?

Guest: vmware review

Guest: Does BackUp Exec cover laptops encrypted with PGP Whole Disk Encryption?

Guest: presentation ppt file

Symantec: http://www.carahsoft.com/events/index.php

Guest: system recovery has to be ordered separate?

As you can see some questions went unanswered

This seminar used Adobe Acrobat Connect – this is the first time I’ve run across this remote seminar solution. I’m not too impressed with the look and feel being a spectator – maybe it is more powerful on the moderator side. Though it did have that new web 2.0 technology where you enter in your phone number and it calls you – so it has that going for it.

Neither I nor my wife have ever really run full time anti virus scanning on our home PC’s. We scna them every once in a great while when we think somehting is amiss – but 9 times out of 10 it’s usually spyware. (Disclaimer – my work machine runs Norton Anti-Virus corporate edition which I recommend if your going ot buy an AV solution)

The reasons that we never really ran it is a few, but mostly that we follow good internet practices.

1. We do not wontonly open file attachments – usually we know when someone we trust is sending us something and it wouldn’t have the title “check this out” our contacts will usually put somthing more personal in the text that wasn’t as generic as 99% of email viruses.

2. We download from trusted sources

3. Out computers ever never been directly exposed to the internet so no incoming worms here.

But it’s always better to be safe then sorry. Recently because she thought she had a mystery virus my wife has been fighting with Clam AV to find it on her PC. Nothing shows up but it takes alot of CPU and seems to take 12-13 hours to scan her machine. Because of the CPU hit her machine is mostly useless to her for this time frame.

How can we correct that?

We are going to design a centralized AV scanning box

Ever find that the equipment manuals are terrible or you just can not find a ye or no answer on how somehting functions?

That i my problem.

Buried in a closet downstairs is a wireless router that is not being used. In my new network design – I want to use it, but I need it to have NAT disabled so I can go between both segments with their real IP addresses. So I need it to act as a true wireless router and the manual says nothing about this type of function.

The router is a MN-700 Wireless b/g router by Microsoft. When I lived in Oregon it served the purpose for a couple years but got replaced when I moved back to Ohio. With my new network design though I’m going to have at least 2 wireless zones (2 more planned in the future when I have cash) . So I’m stuck on that question until I have time later to hook it all up and configure it. But the manual should have this information.

But what else am I going to do with it beyond complain about the lack of of text in the manual?

Well let’s look at the rest of the purpose of this machine (other machines mentioned we will go into detail in a later examinging equipment.

The MN-700 will ideally be put into a configuration such as the folllowing off the firewall

Wired Clients <----> MN-700 <---wired---> Firewall
|
Wireless Clients <------
|
Wireless Bridge <------

I will be uing WPA encryption on the Clients and the wireless bridge as this wireless network is going to be behind my main firewall (which has 4 interfaces) I want natting disabled since I’ll be coming through the firewall to the wired clients at the very least – and would like to be able to reach all the computers.

Why do I need to reach all the computers?

Remember the mantra to follow is central management and ease of use – while my network setup when we get through this whole series may not be the easiest to understand nor to configure. When we get to the end users they should not be able to see any impact on their normal usage and it should make everything easy and transparent. Hopefully it will also make everything more functional where the users are interacting with services they didn’t know existed on the network.

Being able to reach all the computers means that I can VNC (covered in a later article) across the network to any machine form any other machine I’m on (as long as I know the password.) This fulfills centralized management and since most my servers run headless (without a monitor attached) it allows me to administrate them without have the electric bill compounded by the electricity that a monitor would use.

I also have at least one computer on that segment where VNC communication is imperative and there is a file share on that same computer. The reason for this will be covered in a later article when I get to that computer.

What other functions will this router provide?

This router on top of his WPA encryption will be filtering client by mac address and not all of the clients will have a static IP address. So the router will also be the DHCP that services this network segment ( for the record there will be 2 other DHCP servers on the network and no I don’t want to go DHCP repeater services so I can have a central one). The DHCP pool is going to be wide enough for 20 addresses in case I get other remote device that need access via the secured wireless segment.

The router will allow for external managment so from my central desktop or laptop I can adjust or make any configuration changes necessary in a future adjustment.

I’m fairly sure this covers my working with this wireless router – I’ll have a follow up later on the MN-700 which will include screenshots of the interface.

This is why I am starting this blog. I am going through an overhaul of my home network. Still not done rewiring hte house with CAT5 so I’ll be doing ome interesting wireless tricks. I believe in centralized management, and we are going to try to make everything as tranparent to the users on the the network as possible. These tips and tricks can be translated to networks of larger and smaller sizes.

Hopefully I will have something interesting to offer.