Category - Security

Stop the insanity, regain control of user management and security

Sometimes it’s the fundamentals that get missed when you are in FireDrill mode for too long and need to get things done. Or maybe you inherited a fileserver where there are WAY too many admins and you are troubleshooting access issues. Take a moment, step back and revisit the basics of Group strategies and how they should be applied to all sorts of scenarios. You have to understand the history before you can start with the new stuff.

Wait a second. You’re talking about everyday boring groups? Those things you use to group users together so that you can assign access rights to resources? How is this going to help me regain control of users? Let me share a story.

Recently I inherited a Clustered FileServer that had a couple of thousand users who accessed resources from many, many domains across this international Active Directory forest. Upon further examination, the use of groups WAS employed (poorly), but only ONE GROUP was created. This group gave whoever was a member “Full Control” of the file permissions down through the entire folder structure on the server. On top of that – it was used across a dozen different shares, accessed by different groups of users across the entire organization. This fileserver was running on aging hardware, constantly getting “full” and was due for a swap to a new solution. How do I handle this while continuing to work on my regular day job?

Procuring the new hardware was easy.


I ordered up a nice 70 terabyte Cluster-In-A-Box from DataOnStorage and got it set up as a Clustered Fileserver. After establishing a large DrivePool and carving out a new Dual Parity StorageSpace – I set about doing some basic Group planning for future access.

Every SysAdmin has their own philosophy on how to assign access rights to shares and folder permissions. There have been some enhancements with Windows Server 2012 R2, but fundamentally things have not changed all that much (A,G,DL,P):

Assign users into
Global Groups. Nest them inside
Domain Local groups and Assign
Permissions to the share / folder structure.
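
The A,G,DL,P chain for a single share, as an added example that is not from the original post. The group names, OU path, user names and folder path are hypothetical, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: every name and path below is a hypothetical placeholder.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=corp,DC=example'   # hypothetical OU for the new groups
$folder = 'D:\Shares\Finance'              # hypothetical folder behind the share
$domain = (Get-ADDomain).NetBIOSName

# G: a global group collects the user accounts that share a role
New-ADGroup -Name 'GG-Finance-Staff' -GroupScope Global `
            -GroupCategory Security -Path $ou

# DL: a domain local group stands for one permission level on one resource
New-ADGroup -Name 'DL-Finance-Share-Modify' -GroupScope DomainLocal `
            -GroupCategory Security -Path $ou

# A -> G: accounts go into the global group only
Add-ADGroupMember -Identity 'GG-Finance-Staff' -Members 'alice', 'bob'

# G -> DL: the global group is nested inside the domain local group
Add-ADGroupMember -Identity 'DL-Finance-Share-Modify' -Members 'GG-Finance-Staff'

# P: the ACL names the domain local group, never an individual account.
# Modify (not Full Control) keeps members from rewriting the permissions.
$acl  = Get-Acl -LiteralPath $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\DL-Finance-Share-Modify",   # identity
    'Modify',                            # rights
    'ContainerInherit,ObjectInherit',    # applies to subfolders and files
    'None',                              # propagation flags
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $folder -AclObject $acl
```

From then on, access changes are group membership changes on the global group; the folder ACL itself does not need to be touched again.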

Why do I bring this up? You would be surprised at the number of times I’ve seen ACLs (Access Control Lists) for folders / shares that have individual users added directly to them. Usually as a result of someone granting Full Control to a non-technical person (who has no background in managing servers) and them getting a little too advanced for themselves by changing file permissions, only to “Apply this to all files and sub folders”.
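
One way to find those directly assigned users on an existing server, as an added example that is not from the original post: it walks a folder tree and reports every non-inherited ACL entry whose identity resolves to an Active Directory user object rather than a group. The function name `Get-DirectUserAce`, the root path and the server name are hypothetical, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example: function name, root path and server name are hypothetical.
Import-Module ActiveDirectory

function Get-DirectUserAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Server   # optional; in a multi-domain forest use a global catalog, e.g. 'dc01.corp.example:3268'
    )
    $adArgs = @{}
    if ($Server) { $adArgs.Server = $Server }
    $classBySid = @{}     # cache: SID string -> AD objectClass, or $null if not in AD

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        # Explicit entries only; inherited ones are reported at the folder that defines them
        foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # orphaned or unmappable identity, skip it
            if (-not $classBySid.ContainsKey($sid)) {
                # SYSTEM, CREATOR OWNER and local accounts are not AD objects and return nothing
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'" @adArgs
                $classBySid[$sid] = if ($obj) { $obj.ObjectClass } else { $null }
            }
            if ($classBySid[$sid] -eq 'user') {
                [pscustomobject]@{
                    Folder   = $folder.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                    Type     = $ace.AccessControlType
                }
            }
        }
    }
}

Get-DirectUserAce -Root 'D:\Shares' | Sort-Object Folder | Format-Table -AutoSize
```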

Do yourself a favor. Please explain this concept to anyone who will be managing a folder structure or share on a server. DON’T MAKE THE ASSUMPTION that they know what you are talking about. But also explain to them about reusing groups where it makes sense and possibly “mail enabling” groups in order to make them multi-purposed. A well managed AD with an understood and communicated Group Strategy will go a LONG way to keep your sanity, keep the users in line and rein in wayward file servers.

That migration project for the file server? It’s almost done. I’ve practiced what I’ve preached here and contacted the respective owners of the various shares to re-confirm what their requested level of security is. I’ve created groups and nested them inside local groups on the new server. I’ve also “trained” the owners of the shares on what groups are being used and I’ve delegated them the rights to go and manage the group memberships to ultimately control who has access to the resources. I’ve set up some RoboCopy command scripts to copy over and synchronize data. I’m almost ready to flip the switch – just got to get back from my travels on the road and send out the notification emails.

I think some of the follow up from the final process would make a good couple of posts. Stay tuned for more.

If you can’t wait and need to make some time to figure out what’s coming around the bend – check out the new EvalCenter with its concept of “Tech Journeys” and explore some Hybrid datacenter concepts or Mobile Device Management.

Windows PC SCAM help via Microsoft Canada


Even though I moved to the “Mother Ship” here in Redmond back in January – I still get emails, texts, Tweets and Facebook Updates about someone who has had a relative / friend who has unfortunately been scammed by some FRICKIN’ A** Holes social engineering their way into their PC. The “technicians from Microsoft” are slick, say the right things, play on the fear of the individual and their lack of knowledge about technology and inevitably convince them to either:

  • sign up for a security service that makes their system more infected and has their data and machine held hostage for regular payments
  • allow the scammers to install malware on their system, thinking that it is some sort of anti-virus
  • hand over information that is harvested for identity theft and credit card scams / skimming
  • give up control of their email / social accounts, which are then used to impersonate them online and scam their friends as well

It just goes on and on. It’s very infuriating and frustrating hearing about it and can be quite difficult to help them out remotely – I’d rather drive to their home and fix it personally out of principle – but that just won’t work.

What can YOU do about it? Well – first step in solving the problem is INFORMING yourself and ALL OF YOUR CONTACTS – friends, relatives, play-group friends, kids ball teams / hockey teams – just get this information out there.

The number ONE law of computer security (paraphrasing here) is “if a bad guy can persuade you to run his/her program on your computer, it’s not your computer anymore”. This applies if you allow others to socially engineer you into installing software yourself or allowing them to remote into your system.

My friends back at Microsoft Canada have had a go at creating an InfoGraphic to help get the information out as well as what to do if you have been scammed. Feel Free to Download it, share it out, post it up on Facebook – tweet it – whatever you like – just get the word out!


Internet Safety resources for conversation w/ kids


I had the pleasure of meeting and talking with my son’s grade four class the other day about Internet Safety, Online Privacy and responsible/fun internet use at home. The topic can get big and ugly and has the potential to be a “Scare Attack” / “Shields Up” situation where parents shut down and don’t want to deal with things because it’s just too big or they just don’t understand and are overwhelmed. I thought I’d share some things that helped make it successful.

Fear Not – I am here to help. Let me point you to resources YOU can use to inform yourself on what kids are doing, what you can do to open a dialogue with them and what you can do to help them learn to be safe on the internet. Check out the various Hyperlinks throughout this post.

First off – My employer (Microsoft Canada) is a founding member of “Be Web Aware” along with Bell Canada and the Media Awareness Network. It is a national, bilingual public education program on Internet Safety. FREE RESOURCES that you can use as a parent, an educator or as a kid to learn about how to be safe online. You can get all sorts of info from here as well as the Media Awareness Network (including pre-made presentations in French and English).

Secondly – as with any kind of a discussion or presentation – tailor it to your audience and make it relevant. Mine was to a class of 9 and 10 year olds. They are already using the internet and have already started using email / online chats and messenger programs. As a result – I focused on topics about sharing information, usage guidelines, working with parents to establish lines of communication with questions and answers. I also found the content I was working with had way too many justification slides with stats and percentages – Kids don’t care – they want it simplified, not statistical. Keep the stats for the parents.

Third – I kept it interactive and full of questions and answers as well as mini-quiz times to validate points. Lots of examples that were in their own words and level of language. If I started to see them wrestling around – I knew it was time to move on and re-engage.

Fourth – Had them think about their parents in their shoes a lot. What did we do for fun when we were kids? What did we do and how it really wasn’t any different than what they do – just different tools / toys – that’s all. Ultimately – not much has changed – We like to play with friends, connect and communicate with them (we used telephones or face to face) and have fun / amuse ourselves.

Fifth – wrapping up within the 40 minute interactive session to leave time for more questions / statements about what they saw. Summary message was working together with parents to find a happy medium to allow the kids to use / explore the internet while at the same time staying safe and keeping parents informed instead of left in the dark. I encouraged them all to share what they learned with their parents as well as their other friends who weren’t in the class.

I plan on putting on a bigger 90 minute presentation / Q&A talk in the fall timeframe for more than just the single school. I’m going to approach all of them in the neighbourhood and use a larger venue for an early evening talk for parents and kids to attend.

RESOURCES?

