The world seen from an IT consultant's perspective

User Account Control: Inside Windows 7 User Account Control

2009-06-11T14:31:00.000+02:00

This article from Mark tells you everything you did not know about UAC.

User Account Control: Inside Windows 7 User Account Control: "Standard user accounts provide for better security and lower total cost of ownership in both home and corporate environments. When users run with standard user rights instead of administrative rights, the security configuration of the system, including antivirus and firewall, is protected. This provides users a secure area that can protect their account and the rest of the system. For enterprise deployments, the policies set by desktop IT managers cannot be overridden, and on a shared family computer, different user accounts are protected from changes made by other accounts."

How to locate the cause of error code 1603 in a verbose MSI log file

2009-06-09T10:27:00.001+02:00

Aaron Stebner's WebLog : How to locate the cause of error code 1603 in a verbose MSI log file: "How to locate the cause of error code 1603 in a verbose MSI log file"

Paddy had been drinking at his local Dublin pub all day

2009-06-05T09:24:00.000+02:00

Paddy had been drinking at his local Dublin pub all day and most of the night celebrating St Patrick's Day.

Mick, the bartender says, " You'll not be drinking anymore tonight Paddy.

Paddy replies, "OK Mick, I'll be on my way then."

Paddy spins around on his stool and steps off. He falls flat on his face. "Shoite" he says and pulls himself up by the stool and dusts himself off.

He takes a step towards the door and falls flat on his face, "Shoite, Shoite!"

He looks to the doorway and thinks to himself that if he can just get to the door and some fresh air he'll be fine. He belly crawls to the door and shimmies up the door frame. He sticks his head outside and takes a deep breath of fresh air, feels much better and takes a step out onto the sidewalk and falls flat on his face.

"Bi'Jesus... I'm fockin' focked," he says.

He can see his house just a few doors down, and crawls to the door, hauls himself up the door frame, opens the door and shimmies inside. He takes a look up the stairs and says "No fockin' way". He crawls up the stairs to his bedroom door and says "I can make it to the bed."

He takes a step into the room and falls flat on his face. He says "Fock it" and falls into bed.

The next morning, his wife Jess comes into the room carrying a cup of coffee and says, "Get up Paddy. Did you have a bit to drink last night?".

Paddy says, "I did Jess. I was fockin' pissed. But how'd you know?"

"Mick phoned, . . . You left your wheelchair at the pub."

.NET Reflector, class browser, analyzer and decompiler for .NET

2009-06-04T14:58:00.000+02:00

This is a tool that is excellent if you ever want to dig into .NET executables and libraries.

.NET Reflector, class browser, analyzer and decompiler for .NET: ".NET Reflector enables you to easily view, navigate, and search through, the class hierarchies of .NET assemblies, even if you don't have the code for them. With it, you can decompile and analyze .NET assemblies in C#, Visual Basic, and IL."

Download from here

FromSMS - Turn your S60 device into SMS interface for your web application!

2009-05-28T10:02:00.000+02:00

FromSMS - Turn your S60 device into SMS interface for your web application!: "When your web application needs to send and/or receive SMS messages cost-efficiently, FromSMS is the solution for you. FromSMS offers a simple HTTPS POST interface for sending of SMS messages - all you need is an S60 mobile device with free FromSMS Client installed."

Where to download merge modules for visual basic 6 SP6

2009-05-25T13:43:00.001+02:00

If you follow the link above you can download all merge modules that ships with Visual Basic 6.0 and Visual C++ 6.0 - updated to SP6.

Where to find merge modules

2009-05-25T11:13:00.001+02:00

Merge modules are nice to have when you create packages using common components. A good source for such merge modules can be found here.

How to install to other folders than default folder

2009-05-25T09:49:00.001+02:00

From time to time you want to install your Advanced Installer MSI file to another folder than the default folder as specified in the project.

Except from installing the MSI file by hand and specifying where to install the application there are two other ways to change the install dir.

Install the application, specifying the target directory as the public property APPDIR. APPDIR is not listed as a public property, so you need to type it by hand.
Create a transform file using Orca, a tool from Microsoft. (An example on how to do so can be found here.) As the property is not listed you will need to create a new transform, go into the PROPERTIES table and then create a new property called APPDIR.

Good luck!

Codesmith template driven engine

2009-05-23T04:20:00.000+02:00

CodeSmith is a software development tool to help you get your job done faster. Technically speaking it is a template driven source code generator that automates the creation of common application source code for any language (C#, Java, VB, PHP, ASP.NET, SQL, etc.).

If I ever go into software development this is a tool that I will look into.

Global Load balancing solutions

2009-05-23T03:26:00.000+02:00

As I have received some questions about GLB I will try to answer some of them here.

What is Global Load Balancing?

Global load balancing is a concept where several data centers answers to a web site.

In its simplest form you can create a GLB by using DNS to point to the IP address of your different web sites. This way you can share the load between your data centers.

But often you want more. Today most modern GLB solution can give you more:

Direct you to the closest data center (based on IP addresses). (Speed.)
Make sure the data center is up and running before sending clients there. (Always up.)

And probably more as well.

Most load balancers, if not all, uses DNS to direct traffic. The GLB is basically a DNS server that checks the incoming request and makes intelligent decisions before returning an answer.

This page talks about why GLB does not work. I do not agree to everything on this page but you will have to make out your own mind.

What GLB is not

With GLB you only get the solution to distribute traffic between your data centers. You still have to solve database replication, how to maintain your files in sync and so forth.

Who are the players?

I have done some research and found these vendors. I have not tried any of the solutions, only read the product documentation. I am sure there are other players, but they are sometimes hard to find.

Player	Comment
F5 Big-IP GTM	The most expensive solution I have found. I have used F5 products before and they usually work well. You can only buy this as an appliance. You can choose to buy it as a GTM only or as a local traffic management (load balancer) with GTM on top.
Zeus ZXTM GLB	You can buy this as an appliance or as a VMWare image. Promises good performance, supports active-active data centers and you can make rules on how to route traffic.
Coyotepoint Envoy	Envoy is an add-on to their local load balancer appliance. That is - you need to buy everything from them. With Envoy you can create policies for traffic management.

CRM and IIS error 2148074242

2009-05-14T15:18:00.000+02:00

IIS retuns 500 2148074242 when you access an MS CRM site.

When you try to connect to a Web site that is hosted on Microsoft Internet Information Services 6.0, Microsoft Internet Information Services 5.1, or Microsoft Internet Information Services 5.0, you may receive an error message that is similar to the following: Error 500: The function requested is not supported. Additionally, you may receive entries that are similar to the following in the Extended W3C log: 18:59:54 127.0.0.1 GET /localstart.asp 500 2148074242

The solution is found here.

Fortigate and SNMP graphs are broken

2009-05-14T14:46:00.001+02:00

For some time I have suspected that Fortigate firewalls does not return the right SNMP value for traffic statistics on VLAN interfaces.

I asked Fortinet support. This is the answer I got:

Actually this is due to NP2 accelerated traffic. Only part of this traffic is seen by the main CPU (mainly the first and last packets of the session) and therefore traffic statistics for vlan interfaces can only report these packets which are seen by the main CPU.

Statistics on physical ports and aggregate ports are correctly collected because these are low-level statistics. Many vlan interfaces can be bound to the same physical or aggregate port. So, dispatching traffic statistics between these vlan can only be done if the traffic goes through the main CPU.

FortiOS allows to disable NP2 acceleration (for tests purposes). As soon as NP2 acceleration is disabled then statistics on vlan interfaces is consistent with the actual traffic.

There is no way to collect these statistics from the NP2. It can't be fixed.

My question is why support SNMP when it is broken???

Online service manuals for cars and boats

2009-05-05T23:28:00.001+02:00

Have you ever needed handbooks, service manuals, blueprints or other documentation for your favorite car or boat? Original documentation is hard to get, at least for newer engines. DIY is an acronym for do it yourself.

For cars, Haynes books have been around for some years now. And probably some other books.

Luckily for all of us that don't want to wait forever for books to arrive there are some online sites that gives you exactly what you want. You have to pay for it as a subscription, instead of a one time fee as books are.

Site	Content
ALLData DIY	Online content for cars
Seloc online	A sea of information. Seloc Online is the most comprehensive database tool available for do-it-yourself repairs! Our database of marine engine repair offers complete service procedures, wiring diagrams, maintenence schedules, specifications, parts database, a marine dealer locator and much more.

Whats new in FortiOS 4.0

2009-04-27T11:33:00.001+02:00

Fortigate just announced their new FortiOS 4.0. Some of the features seems very promising.

The first thing I notice is that not all devices can run FortiOS 4.0. If you have an old firewall (probably FG60) you need to upgrade the hardware before you upgrade the software. This basically means that you will have to buy a new firewall.

There also are some new features that will require an upgrade of the firewall - and a hard drive.

Here are the good news:

In source and destination interface and zone you now now have an "any" policy. Using this policy your rule can apply to all your interfaces or zones.
DoS rules are added outside of the IPS engine.
Traffic shaping policy is now moved outside of the firewall policy. This is good as you now can apply a max for all traffic (sessions) on a shaper, like limiting SMTP to only use a maximum of 200kB. In previous versions the shaper shaped down to 200kB per session.
HTTP proxy. Probably useless if you do not have an hard drive on your firewall.
The virtual servers concept is improved. Better check of available servers and limiting of concurrent sessions.
The SSL VPN is improved. With customized portals.
WAN optimization. This is only for a few firewalls. But when it works it competes with Riverbed (read about my review here).
Data leak prevention. This are statically configured rules that blocks [IM,HTTP,FTP,NNTP] traffic if the traffic matches something static.
Application control. Have still not found its purpose...
Extended AV database. It is probably better than the normal AV database...
On the protection profile you can now add more ports for a given protocol. Data leak prevention policies are also configured here.

And the bad news:

PPTP VPN is removed.
Dynamic routing for IPv6 is still not implemented. (At least in the GUI.)
Some VPN monitoring tools have moved. You will learn again where to find it. Hint: User\Monitor from the context menu.

Technorati tags: fortinet, fortigate

RSA Authentication Manager 7.1

2009-03-26T01:16:00.001+01:00

Lately I have been working on an installation of RSA Authentication Manager 7.1 For those familiar with SecurID and other previous versions of this software this is almost a complete rewrite of the previous version. Oracle is used as the internal database and BEA is used as application server. as you might guess the software is rewritten into Java.

I do not consider my installation to be big of any kind. I have installed two servers with the base license and configured everything from there.

In this process I have gained some experience - both bad and good on how RSA products work and how their support works.

I have used their support several times and they have to this date always answered me quickly and with an answer that I can accept.

But the way they manage their licenses and support is not always easy to cope with. To download seed files (files to configure tokens) I first had to install an SSL certificate and then authenticate myself using that certificate. Duh, security sucks from time to time.

Important for your strong security infrastructure is application support. AM7.1 comes out of the box with

Windows web agent for IIS
Windows client agent (GINA replacement, off-line authentication mm)
Windows EAP agent for use with Dial-up networking
Apache web agent (unsure of what platforms)
Java web agent

This sounds great? I thought so myself. But then I started to look into the agent support.

Web agent for JAVA

Only Solaris platform is supported. Not good.

Web agent for IIS

This agent supports some versions of IIS. Currently x32 and x64 Windows 2003 and some Windows 2000. Windows 2008 is not supported yet, but RSA have promised something during H1 2008.
The IIS agent is straight forward. You just choose the site to protect, and you are protected. Single-signon is supported for two applications; Sharepoint and Outloook Web Access.
Development support is limited to a COM object you can call to ask for logged on user and store some data in an encrypted cookie.
.NET is not supported, except for COM interop. The application has to run in SYSTEM context.

ISA server support

The ISA Server can do RSA authentication out of the box. (Configuring support is not something you do easily...) When configured with RSA support you have to authenticate before you ever get to the web site.
There is no authentication information passthrough (unless you have the web agent installed on the client) so the users needs to log on again.

Publish MOSS with ISA 2006

2009-03-18T13:21:00.002+01:00

If you publish Sharepoint/MOSS 2007 sites with ISA server 2006 you can experience problems with versioning adn check-out/check-in. The symptoms occurs when the ISA server publishes via an SSL certificate and the web site on MOSS is unsecured.

The cause of this is that the ISA server adds :443 to the Host HTTP header.

Extract files from an MSI file

2009-03-12T12:00:00.000+01:00

If you ever need to extract files from within MSI files, or add standalone cab files into an existing MSI file - here is the tool to do so.

Msidb.exe (Windows): "Msidb.exe uses MsiDatabaseImport and MsiDatabaseExport to import and export database tables and streams."

Strobist

2009-03-12T10:06:00.000+01:00

Strobist: "Learn How to Light"

Forefront TMG (ISA Server) Product Team Blog : Walk-through for RSA SecurID Delegation for ISA Server 2006

2009-03-10T10:31:00.000+01:00

Forefront TMG (ISA Server) Product Team Blog : Walk-through for RSA SecurID Delegation for ISA Server 2006: "Walk-through for RSA SecurID Delegation for ISA Server 2006"

AM71 and backup causing corruption

2009-03-06T13:06:00.001+01:00

BackupExec and Oracle does not work well together. At least when not configured correctly.

I was working on an RSA SecurID Autentication Manager 7.1 installation that stopped each night.

Symptom

In the <servername>_server.log I found this error message:

java.sql.SQLException: ORA-01034: ORACLE not available
ORA-27101: shared memory realm does not exist

Cause

After looking around for a while I got a hold of TOAD and started to look into the data in the Oracle server. When I tried to dig in to the data I got an error message about the data files. That made me find this excellent blog post about Oracle data files that gets into RECOVER mode because of backup related issues.

By following the steps explained there I made the server work again.

If you need to obtain the Oracle sys password, read here.

How to get AM71 Oracle master password

2009-03-05T11:58:00.002+01:00

Do you need to connect to the Oracle server that runs behind the RSA Authentication Manager 7.1? (The new version of SecurID.)

On the server, in the installation catalog\utils, run this command:

rsautil manage-secrets -a listall

In return you will get a password. You can then connect to the Oracle server using sqlplus:

sqlplus sys/<password> as sysdba

ISA server 2006 and RSA SecurID/AM7 configuration

2009-03-04T15:49:00.000+01:00

Forefront TMG (ISA Server) Product Team Blog : Walk-through for RSA SecurID Authentication for ISA Server 2006 Part 2: ISA Array Members Preparation: "RSA SecurID Authentication for ISA Server 2006"

DWL-AP900+ as a wireless client

2009-02-28T10:25:00.000+01:00

D-Link TechSupport - FAQ: "AP Client or Wireless Client mode allows the DWL-900AP+ to become a wireless client to another AP or wireless router. Wireless adapters (clients) will not communicate with access points in AP Client or Wireless Client mode."

FortiOS 4.0

2009-02-25T22:45:00.001+01:00

Finally a new main version of FortiOS has arrived.

Microsoft NAP and multiple domains

2009-02-25T13:53:00.000+01:00

Do you a RADIUS server that can authenticate to several Microsoft domains or other RADIUS servers?

RADIUS Proxy: "Network Policy Server (NPS) can be used as a RADIUS proxy to provide the routing of RADIUS messages between RADIUS clients (access servers) and RADIUS servers that perform user authentication, authorization, and accounting for the connection attempt. When used as a RADIUS proxy, NPS is a central switching or routing point through which RADIUS access and accounting messages flow. NPS records information in an accounting log about the messages that are forwarded."

Network Access Protection that comes with Windows 2008 can do just what you want. Read more here