Thursday, January 27, 2005

Let’s Stop Complaining About Microsoft Doing the Right Thing

I’m on the road this week teaching a one-day class on supporting Windows XP for a private client. The classroom conversation, as usual, drifts frequently to a discussion of the pros and cons of Service Pack 2. This blog entry is not about Service Pack 2, but it is about the Internet Connection Firewall.

As you probably know, the ICF is now turned on by default on Windows XP systems updated with Service Pack 2. Many students complain about this default configuration, but they’re missing the point.

First, we in the IT community have complained for years about the lack of security in Microsoft products. We compared their products to Novell and UNIX products in which only essential modules or daemons were enabled and we had to explicitly enable everything else. Microsoft, on the other hand, shipped their products with a multitude of services enabled by default. That made for great ease-of-use, but lousy security. Now, Microsoft shuts down network access to workstations unless specific ports or programs are explicitly allowed, and people start whining. Gee, isn’t that a step toward what we were asking for? Can we pause for a moment in support of the principle of least privilege?

Here’s the deal: certain services, such as Remote Assistance, are permitted by default. You can use Group Policy settings to easily configure the ICF to permit whatever other traffic you wish on multiple workstations, or perform simple configurations on an individual workstation to allow the desired traffic through the firewall. One example of desirable traffic that you might wish to allow through the firewall is Remote Desktop. The real question, though, is why on earth would someone in an enterprise want to allow most other types of incoming connections on the average workstation, especially an average user’s workstation? Put it (whatever it is) on a server. That shared printer? Put it on a print server. That shared file or folder that everyone needs to access? That goes on a file server. Certainly, there are times when, as an IT professional, you might need to enable certain services such as TFTP for backing up or restoring configurations on your laptop. That should, however, be the exception and definitely not the rule. The point is simple: let’s quit complaining about Microsoft doing the right thing and learn how to configure the firewall. Better yet, use workstations as workstations and leave the serving to servers.

Sunday, January 23, 2005

How to Understand OC (Optical Carrier) Levels

SONET (Synchronous Optical Networking) is a standard for using optical fiber to communicate digital information including telephone and data traffic. The basic SONET service operates at OC1 (51.84 Mbits/second). OC is an acronym for Optical Carrier. OC levels are used to describe the various service levels used in SONET.

As of this writing (early 2005), the state of the art in SONET is OC192 (9953.28 Mbits/second), which is 192 times faster than the basic SONET service of OC1. Higher OC levels have been designated to allow for future technological advances.

Learn more about data transmission and other basic concepts of networking in our Networking Fundamentals 2-Day Hands-On Workshop, now available for scheduling onsite at your location for groups of four or more. Call 206.988.5858 or click this link for details.

Friday, January 21, 2005

The Story of the PING Utility

Ping is a 1,000-line utility written in 1983 by the late Mike Muuss (pronounced “moose”). He was working at the US Army’s Ballistics Research Lab and experienced network connection difficulties; PING was written in response to those difficulties. He is quoted as saying, “If I’d known it was going to be my legacy, I’d have built more functionality into it.”

Contrary to popular belief, PING is not an acronym for anything. It is simply the word “ping”, which comes from Navy SONAR, which in turn is based on bat and porpoise navigation.

Ping works by sending an ICMP (Internet Control Message Protocol) echo request to a remote host and waiting for the host’s echo reply.
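As an added example (not code from the original post or from Mike Muuss’ ping), here is what that exchange looks like at the packet level in Python: the ICMP echo request is built with its Internet checksum, and a reply is accepted only if it is intact and carries back the same identifier, sequence number and payload. The reply is constructed locally to stand in for the remote host, so nothing touches the network.

```python
import struct

ICMP_ECHO_REQUEST = 8  # type field of the packet ping sends
ICMP_ECHO_REPLY = 0    # type field of the packet the host sends back

def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Header: type, code, checksum, identifier, sequence; checksum computed with field zeroed."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes) -> dict:
    """Split an echo packet into its fields; an intact packet checksums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": internet_checksum(packet) == 0}

def simulate_reply(request: bytes) -> bytes:
    """Constructed stand-in for the remote host: echo id, seq and payload back as type 0."""
    req = parse_echo(request)
    header = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, req["id"], req["seq"])
    csum = internet_checksum(header + req["payload"])
    return struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, csum, req["id"], req["seq"]) + req["payload"]

def is_matching_reply(request: bytes, reply: bytes) -> bool:
    """ping counts a reply only if it is an intact echo reply for this request's id and seq."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["checksum_ok"] and rep["type"] == ICMP_ECHO_REPLY and rep["code"] == 0
            and rep["id"] == req["id"] and rep["seq"] == req["seq"]
            and rep["payload"] == req["payload"])

if __name__ == "__main__":
    request = build_echo_request(ident=0x1234, seq=1, payload=b"soundtraining")
    reply = simulate_reply(request)
    print("reply matches request:", is_matching_reply(request, reply))
```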

Read more about ping at Mike Muuss’ website. Unfortunately, Mike was killed in an automobile accident on November 20, 2000. Learn more about ping and other troubleshooting tools in any of our seminars and workshops for IT professionals.

Tuesday, January 18, 2005

How to Understand Task Manager’s Performance Tab

Here’s the explanation of the different fields of the Performance Tab in Windows Task Manager:

CPU Usage tells the percentage of time the processor is working on useful tasks. If your computer is running slowly and this graph indicates a high level of usage, find out what process is monopolizing your processor.

CPU Usage History graphs how busy the processor has been over a period of time. You can set the value for the Update Speed on the View menu. Your choices are:

  • High = twice per second
  • Normal = once every two seconds
  • Low = once every four seconds
  • Paused = the display is not automatically updated

PF Usage shows how busy your paging file is. If page file usage is consistently high, you can increase the page file size.

Page File Usage History graphs page file usage over a period of time. You can set the value for the Update Speed on the View menu.

Totals displays the number of handles, threads, and processes running on the computer.

Commit Charge (K) is memory allocated to the operating system and programs. The value listed under Peak may exceed the total amount of RAM on the system because Commit Charge includes memory copied to the paging file (virtual memory). The value for Total will match the Page File Usage History graph.

Physical Memory (K) is the total amount of RAM installed on your computer.

Available is free memory that is available for use.

The System Cache displays RAM used to map pages of open files.

Kernel Memory (K) is the amount of memory used by the operating system kernel and device drivers. The portion that can be copied to the paging file to free physical memory is displayed under Paged; the physical memory freed that way can then be used by the operating system.

Nonpaged is memory that will not be copied to the paging file and remains resident in RAM.

You can learn a lot more about tuning, troubleshooting, and administering a Windows Server 2003 box in our Windows Server 2003 seminar. We do an entire section on Performance Monitor, plus lots of coverage of other built-in tools.

Sunday, January 16, 2005

How to Change File Associations

It’s not complicated at all, but it’s a frequent question. How do you change the program that opens a file based on its extension? For example, I often prefer to open text files with WordPad instead of Notepad in Windows. I like the formatting better, so I associate .txt files with WordPad instead of the default of Notepad.

There are several ways to do it; here’s one:

  1. Right-click on any file with the extension in question (such as “.txt”)
  2. Choose Open With and then click on Choose Program…
  3. In the dialog box that appears, choose the program you wish to associate with the extension and check the box near the bottom of the window that says “Always use the selected program to open this kind of file”.
  4. Click the OK button and you’re done.

Tuesday, January 11, 2005

How to Use the "alias" Command

In Linux/UNIX, the alias command is a shell function that allows you to substitute one command for another. Aliases are also handy for assigning default arguments to commands, such as ensuring that the “-i” (interactive) option is always used with “cp” and “mv”.

The syntax for the alias command is:

#alias [new command]="[command with arguments]"

For example, #alias cps="cp -s" creates the new alias “cps”, which always invokes the “cp” command with the symbolic link argument (-s).

You can see existing aliases by issuing the alias command with no options at a command prompt.

Aliases can be removed with the unalias command:

#unalias cps

This removes the “cps” alias.

Get hands-on practice using the alias command and lots of other commands in our two-day Linux hands-on seminar available in open-enrollment public seminars or you can schedule it in the location of your choosing for groups of four or more as an onsite seminar.

Sunday, January 9, 2005

How to Restore a PIX Firewall to its Factory Defaults

Warning: The following procedure will erase any existing configuration on the PIX firewall. You are strongly encouraged to make a backup of the firewall’s configuration prior to executing the following procedure.

To prepare the PIX Firewall to be decommissioned or restored to its factory default state, perform the following steps:

Connect to the console port of the PIX and bring up Hyperterminal (or your preferred terminal emulation software).

Enter Privileged Exec Mode, then enter Global Configuration Mode and type the following commands:

ca zeroize rsa [enter]
ca save all [enter]
exit [enter]
write erase [enter]
[enter] To Confirm Erase
reload [enter]
[enter] To Confirm Reload

At this point, the PIX should reload, perform the Power On Self Test and then display the following text:

Pre-configure PIX Firewall now through interactive prompts [yes]?

At this point, the PIX is set to the factory defaults. You can power it down or rebuild the configuration.

You can practice this procedure and many others when you register for our 2-day hands-on ASA / PIX firewall seminar. It’s available in public seminars in Seattle or in onsite presentations at the location of your choice for groups of four or more.

Saturday, January 8, 2005

How to Configure DHCP on a Cisco Router

Many students in our Cisco workshops need to use a router as a Dynamic Host Configuration Protocol (DHCP) server. Here’s how to do it.

Begin by configuring a DHCP database agent, such as a TFTP or FTP server that will store the DHCP bindings database. In global configuration mode, enter the following command:

router(config)#ip dhcp database [url]

The Cisco DHCP implementation assumes that all addresses in the configured subnet are available for use. If you want to exclude certain addresses, you must explicitly configure them (also in global configuration mode):

router(config)#ip dhcp excluded-address low-address [high-address]

Now, configure a DHCP pool name, which also allows you to enter DHCP configuration mode. In the example, the pool name is “dhcpdemo”. You then specify the DHCP pool subnet address and mask.

router(config)#ip dhcp pool dhcpdemo

router(dhcp-config)#network 10.16.0.0 /8

In the above example, “/8” indicates an 8-bit subnet mask, or 255.0.0.0.

Now, you need to configure the DHCP options: a domain name, DNS server address(es), WINS server (NetBIOS name server) address(es) and NetBIOS node type (if you don’t know which node type to use, choose “h”), the clients’ default router (gateway), and the lease time, given as days, hours and minutes or as “infinite” (the default is one day).

router(dhcp-config)#domain-name soundtraining.net

router(dhcp-config)#dns-server 10.0.0.2

router(dhcp-config)#netbios-name-server 10.0.0.2

router(dhcp-config)#netbios-node-type h

router(dhcp-config)#default-router 10.0.0.1

router(dhcp-config)#lease 8

There are many more commands and options available with DHCP on a Cisco router. To learn more about them and gain hands-on experience, register for our Cisco Router Fundamentals 2-Day Workshop available in various cities or as an onsite presentation at your location for your group of four or more.

Wednesday, January 5, 2005

Alternate Configuration makes it easy to move between networks

Use the “Alternate IP” feature in Windows XP Pro or Server 2003 when you need to move a computer between a network that uses static IP addressing and one that uses dynamic IP addressing. Configure the alternate IP address in the IP properties sheet:

  1. Right-click on My Network Places and select Properties.
  2. Right-click on the connection you wish to configure (perhaps your wireless NIC or another local area connection) and select Properties.
  3. In the window displaying the various items used by the connection, double-click on Internet Protocol (TCP/IP).
  4. If you are presently using a static IP address, select the radio button labeled Obtain an IP address automatically.
  5. Notice at the top of the Internet Protocol properties window the tab labeled Alternate Configuration. When you select that tab, you’re given the option to use an APIPA address or to configure a custom address that will be used when a DHCP server is not available.

(APIPA is an acronym for “Automatic Private IP Addressing”, the technology that creates IP addresses in the 169.254.0.0 network when DHCP servers aren’t available and alternate configuration hasn’t been set.)

Tuesday, January 4, 2005

How to Configure Logon Banners

Cisco router login banners: In global configuration mode, issue the command “banner motd #” and press the Enter key. Type your login banner followed by another “#” and, once again press the Enter key. Learn more about configuring Cisco router logon banners in our two-day Cisco router hands-on workshop, available in both public and onsite workshops.

On a Linux system, the banner is in /etc/issue. Use vi or any text editor to edit the file with whatever text you wish to display before a user logs on. Learn more about configuring Linux logon banners in our two-day hands-on Linux workshops, available in both public and onsite workshops.

Windows login banners can be created through a Group Policy Object for either the domain or locally. (This tip applies to Windows 2000/XP/2003 machines.) Open the Group Policy editor by clicking Start, then click Run, and type “gpedit.msc”. Next, navigate to Computer Configuration>>Windows Settings>>Security Settings>>Local Policies>>Security Options. Configure the actual message text under “Interactive logon: Message text for users attempting to logon” and configure the banner window title under “Interactive logon: Message title for users attempting to logon” (in Windows 2000, it’s just the object called “Message text…”). Learn more about configuring Windows logon banners in our two-day Windows seminars, available in both public and onsite workshops.

Regardless of the system you administer, common logon banners say things like, “Restricted system. Do not attempt unauthorized logon. Unauthorized logon attempts may be prosecuted.” or words to that effect. Service providers sometimes use the banner to indicate their ownership of the device and to provide contact information for support.