Jul 14 2009

Racism

Category: Random Thought | Kyle Bubp @ 3:32 pm

Find it:

Black Careers


Jun 23 2009

Happy Father’s Day

Category: Random Thought | Kyle Bubp @ 9:58 am

Dads like this separate the men from the boys:
A Taste of Manliness


Jun 23 2009

This Is Awesome

Category: Random Thought | Kyle Bubp @ 9:54 am

And true.
EAT IT VEGANS


Jun 12 2009

Total Jackassery, Ep. 2132: Social Networking

Category: Random Thought | Kyle Bubp @ 1:01 pm

There are no words:


Jun 11 2009

Easy Backup For Your Treasured Files

Category: Random Thought | Kyle Bubp @ 6:36 pm

If you are like me, and most every other user in the world, you don’t back up your files. You may have an external hard drive, DVD burner, or CD burner, but how often do you really back up your files to those media? Furthermore, once you have backed it up to CD or DVD, do you really know where it is a year from now? The answer is probably “no.”

Well, Microsoft has a little-known tool just for you called “SkyDrive.” SkyDrive is 25GB of free storage that will always be there for you. It is definitely more reliable than CD, DVD, or even your external hard drive because it is housed on Microsoft’s data architecture. This is most likely a SAN with tons of fault tolerance built in that is worth more than what I will make in 10 years before taxes. No, I’m not joking.

So, how do you sign up, you ask? Well, first you will need to go to skydrive.live.com. If you already have a Live ID, you pretty much don’t have to do anything else but sign in. If not, you will have to create a Live ID, which is no big deal: it’s free and they don’t spam you, so it’s all good.

After signing in, you will see four basic folders. Click on any one of these and begin adding your files. If you do not want them to be public, by all means DO NOT PUT THEM IN THE PUBLIC FOLDERS. From here, you can assign permissions, share with other people via email addresses, etc. They have also added a nifty feature which allows you to download everything in a directory as one .zip file. COOL!

So there you have it, 25GB of free space that will be there whenever you need it, from whatever computer you are logged in to (so long as you have internet access).


May 14 2009

Work Hard, Play Hard…

Category: Random Thought | Kyle Bubp @ 3:47 pm

Over by the HOL section, they have a little Guitar Hero III Setup… Some people take it more seriously than others.



May 14 2009

Blog Featured on TechEd Website

Category: Random Thought | Kyle Bubp @ 3:39 pm

Well, I guess MS thought my thoughts were good enough to put on their official blogger list. Check it out:

http://teched.indepthtalk.net/Bloggers/TechEd2008.category


May 13 2009

Windows Security: Yeah, It’s Possible

Category: Random Thought | Kyle Bubp @ 5:16 pm

He guards Hades...

Yesterday and today I attended a couple of sessions on Kerberos, Windows security, and why to never use NTLM ever again.

In both sessions (SIA301 and SIA401) the speaker was Mark Minasi. He was a pretty good speaker, very energetic, strays from the topic occasionally, but all in all pretty good. He’s also a super-nerd, but hey, I guess they all are here.

The first session really boiled down to three things:

  1. Get your users on board with security. This means no more Post-it notes, and definite consequences for violating the security policy.
  2. Get rid of NTLM, NTLMv2, and most definitely LANMAN.
  3. Start using PKI, certificates, and Smart Cards in your domain as soon as possible.

Windows 6 (Vista) and 7 do not use LM hashes by default, so that is something you don’t have to worry about. But for the rest of us using XP, you can disable those nasty authentication methods with Group Policy. We all know this, and I think Server 2003 R2 does it by default, but you need to have at least an 8-character password, even though that’s not really enough. Moore’s law makes that pretty crackable in a small amount of time, so I think the standard will be 12 characters pretty soon, then more and more as technology progresses. Obviously, the more complex a password, the more likely a user is to write it down somewhere, which is why PKI and smart cards are the way to go.
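The Group Policy settings the session recommends map onto two registry values, and you can audit a machine for them before and after the policy lands. The script below is an added example, not code from the post or from the session. The registry path and value names (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, LmCompatibilityLevel, NoLMHash) and the level meanings are the real ones; the per-OS defaults noted in the comments are my assumption and should be checked against your own baseline. It is read-only.

```powershell
# Added example (not from the original post): audit the local LM/NTLM
# settings that the "LAN Manager authentication level" and "Do not store
# LAN Manager hash value" policies control. Read-only.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value. Levels 0-2 still send LM
# and/or NTLMv1 responses; only level 5 refuses both on a DC.
$levelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-LmNtlmPosture {
    [CmdletBinding()]
    param([string]$Path = $lsaKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop

    # A missing value means the OS default applies. Assumption: XP defaults
    # to level 0 and stores LM hashes; Vista/7 default to level 3 with NoLMHash=1.
    $level = $null
    if ($null -ne $props.LmCompatibilityLevel) { $level = [int]$props.LmCompatibilityLevel }
    $noLm = 0
    if ($null -ne $props.NoLMHash) { $noLm = [int]$props.NoLMHash }

    $meaning = 'not set (OS default applies)'
    if ($null -ne $level) { $meaning = $levelMeaning[$level] }

    [pscustomobject]@{
        LmCompatibilityLevel = $level
        Meaning              = $meaning
        LmHashStored         = ($noLm -ne 1)
        SendsLmOrNtlmv1      = ($null -eq $level -or $level -lt 3)
        RefusesLmAndNtlm     = ($level -eq 5)
    }
}

$posture = Get-LmNtlmPosture
$posture | Format-List

# Plain-language findings that line up with the session's advice.
if ($posture.LmHashStored) {
    Write-Warning 'LM hashes are still stored: set NoLMHash=1 (GPO: "Network security: Do not store LAN Manager hash value on next password change").'
}
if ($posture.SendsLmOrNtlmv1) {
    Write-Warning 'This machine may still send LM/NTLMv1: raise "Network security: LAN Manager authentication level" to at least 3 (NTLMv2 only).'
}
if (-not $posture.RefusesLmAndNtlm) {
    Write-Warning 'Domain controllers should sit at level 5 so LM and NTLMv1 logons are refused outright.'
}
```

Run it on an XP box before the GPO is applied and again after a policy refresh; the NoLMHash change only takes effect for each account at its next password change, so existing LM hashes linger until users rotate their passwords.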

Cracking open Kerberos really helped me understand how the Ticket Granting Ticket, Ticket Granting Service, and service tickets work together. I would explain the whole thing, but if you don’t really get techno-stuff, it won’t really be of any value to you. All you need to know is that it is very secure and almost impossible to hack, especially since by default your hash changes every 10 hours.

That’s about it for the Windows security stuff: a lot of new enhancements in 6 and 7 using UAC, as well as disabling NTLM by default.


May 13 2009

No One On The Corner Has S.W.A.G. Like Us

Category: Random Thought | Kyle Bubp @ 4:59 pm
Man there is a lot of swag here, I mean, I’ve never seen anything like it. I’m one of those people that are pretty much “If I don’t need it, I won’t take it” but this place has some vultures!

Don’t worry guys (back at the office), I’ll bring you somethin’ real nice. Some guy gave me a bag of 50 pens to pass around. YEE HAW!

Just a lil' somethin'


May 11 2009

System Center Config Manager Pre-Con Notes

Category: Random Thought | Kyle Bubp @ 2:52 am

In case anyone cares:

SCCM 2007
Virtual environment: 6 VMs
1. Domain Controller
2. Site Server
3. Remote Site System
4. XP Client
5. Vista Client
6. Bare metal
DC name is ADServer, Server 2003 SP1, DNS and DHCP, member of SMSDomain.
Site server is SMSServer, Server 2003 SP2, member of SMSDomain, SQL 2005 SP2 (minimum supported in SCCM 2007).
Member server is SMSMember, Server 2003 SP2, WSUS and WDS.
Install clients using Client Push, Software Update Point client installation, or Group Policy.
Configuration Packs for compliance can be downloaded.
**Deploying OS via network boot (PXE boot).
Remote Help: Remote Desktop, Remote Assistance.


Preparing AD

Prepare Active Directory; it is needed for SCCM, and all members need to be in Active Directory. Extending the schema is recommended, and it must be done to implement NAC (Server 2008). 4 classes and 14 attributes are added by the schema extension.
To extend the schema you must be a member of Schema Admins, and the domain must allow schema additions.
Errors typically mean you don’t have rights (8202). You don’t need to take the Schema Master offline to extend the schema (the online doc says to do so).
Must turn on Advanced Features in AD to see the schema updates. Go to the System container and give the site server computer account permissions; it needs FULL CONTROL. Then go to Advanced and give full control to all child objects.
In AD Sites and Services:
Never use Default-First-Site-Name as a boundary for SCCM. Create a new AD site, bind the new site to specific subnets, then move the SCCM server to the correct site.
Installing SCCM

Read the documentation… mm hmm. Run the PreReq Checker. Best performance: site server on a 32-bit OS, SQL Server on a 64-bit OS, 64-bit SQL. The next version will require all 64-bit. SDK Server = SMS Provider, can be the SCCM server. Management point is the FQDN of the SCCM server, e.g. smsserver.smsdomain.com.
If using Server 2008 for SCCM, WebDAV is not installed in IIS by default. More complicated on Server 2008, sounds like a PITA. Documentation is online.
No advantages at this time to using SQL 2008 over SQL 2005 SP2.
Install using custom settings. Never use Simple Settings; you will lose control over clients, etc.
CEIP ensures that developers spend time in the most-used areas of the program. Recommended checked.
Choose the appropriate drive/install location. Never install to the OS drive. The installation cannot be moved.
3-character site code, alphanumeric, can never be changed. Site name is more descriptive, also not changeable.
2 site modes. Native mode supports PKI and is the most secure. Mixed mode doesn’t use PKI; clients create a self-signed cert and send info back to the CM server. Recommendation: always install in mixed mode. You can upgrade to native mode later on through admin console settings and importing certs. Native mode supports clients over the internet via certificates.
Client agents can be turned on/off at any time.
Management point is where web management will be installed.
Clients communicate over HTTP in mixed mode, SSL in native mode. Ports can be changed if desired.
The site server must download approximately 80MB of files from the internet to complete the install. If there is no internet connectivity, go to a command prompt on a computer with internet access and run setup /download [path] from the SCCM install media. Then transfer the files to the non-internet computer and choose the option during installation to point at those files; the path can be UNC or local.
The entire CM environment is supported in virtualization.
Managing CM

If some clients are in a different forest, you must use a Server Locator Point. Assign this role through the management console.
The site server must have admin rights on integrated component/site system servers, such as SQL, WSUS, WDS. Add the CM computer object to the local Administrators group on each.
Site systems: add via hostname/FQDN. If you choose to use a service account instead of the computer account to manage systems and services, you may, but it is recommended to use the computer account.
If you are in a DMZ supporting internet-based clients, select “Allow only site server initiated data transfers from this site system”. The site system then never pushes data; the CM server simply pulls it. This means you don’t have to punch any holes in your firewall.
The active software update point is the point which clients scan against. You can sync from Microsoft Update or an upstream server.
Hardware and software inventory is available. Schedules are totally customizable. Software inventory, by default, scans executables on all client hard drives and subfolders. You can create custom rules that use wildcard characters as well, such as %programfiles%, in case clients install to different hard drives, etc.
Asset Intelligence is disabled by default. AI has 150,000 different application signatures, a lot better than software inventory. Not recommended to enable all, because 2 are not used.
Manage clients by “Collections” under Computer Management.
Discover systems with Active Directory System Discovery. Disabled by default. Can specify a specific container in AD or all. Automatically assigns to your boundary; not equal to making an approved client.
To push clients, you must have an admin context/service account. Either go to each client computer and add the user to local admins, or add it to Domain Admins. Then tell CM about the admin account: go to Client Installation and Client Push Installation, under Site Management, Site Settings. This is not validated by CM; you must validate it on your own. To validate, go to a command prompt and do a net use [drive] \\[memberserver]\admin$ /u:[domain]\[admin push user] [password]. If it completes successfully, you are good.
2 types of client push, admin and automated. Admin is manual; automated will push a client as soon as it finds a new client in AD. This allows no control over client installation, so I would recommend admin. Admin is the default; to automate, just go to the General tab in Client Push properties and check the checkbox.
Pay attention to the action pane; you can easily install all clients or delete all clients if you are not paying attention.
If you already have WSUS installed, you can publish clients from WSUS. To pass in all the parameters you would use when pushing from SCCM, you need to do nothing if you are publishing to Active Directory. If not, you can use a Group Policy ADM template to input the appropriate parameters.
To view inventory for a client, right-click the client, Start, Resource Explorer. Allows you to see hardware, hardware history, software, etc.
You can create custom categories in Asset Intelligence and assign unidentified clients to these categories. You can also search online automatically for the correct categories for unidentified software.
You can set requirements for software and then see how many of your computers are out of spec, or you can set your own products/software and requirements.
An Asset Intelligence certificate is required for an AI Synchronization Point. Fortunately, Microsoft now provides this .pfx for free. Call MS.
To get all system components you have to include system type and system ID in your custom query.
2 types of collections: direct membership and query-based. Query-based is recommended.
You can publish/advertise packages and have the clients download the package from the CM server.
Maintenance windows are configurable so that you can control when software updates that might cause a reboot happen on the clients. You create maintenance windows on collections, e.g. All Windows Servers. Modify the collection settings; there are no maintenance windows by default. Any admin, upon creation of an advertisement, can select “ignore maintenance windows” and override your maintenance window.
Must use .msi or .sms for package definitions.
Uses BITS to throttle content download for branch DPs. A standard distribution point must be BITS-enabled, which it is not by default. You can set a schedule for BITS throttling and Kbps as well.
You can set a custom severity level for updates.
Templates can be created for updates to set settings and prevent answering the same questions each month when updates roll out. You can also specify how long updates are optional before they are forced. You can suppress restarts on servers. Can integrate with SCOM to put a computer in maintenance mode while updating. Can use WOL to wake a computer to install updates. Can integrate with SMS 2003.
WSUS acts as a catalog and store. Unfortunately, you must have WSUS to do updates with CM.
Configuration items are what you want to scan for on your systems, for example who does not have a required app installed. Detects by product code, not .exe, so users cannot rename files to avoid validation.
You can flag updates as NAC compliant; therefore, if a computer does not have the update, it will be quarantined.
FISMA, SOX, HIPAA, etc. are available as downloadable configuration packs to implement that configuration in your enterprise: http://technet.microsoft.com/en-us/configmgr/cc462788.aspx
To deploy using PXE, add the PXE service point role to the WDS server. Allow the port to be opened. You can create a self-signed cert or import one.
Golden master images are just what they sound like. Build a system how you want, make it a golden master, then deploy via PXE. It is best to add applications to the golden image rather than deploying them via CM. Faster.
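The notes say CM does not validate the client push account and that you should prove it yourself with net use against admin$. That check is worth scripting so every target is tested before push is turned on, since a failed push on one server otherwise only shows up later in the client logs. The script below is an added example and not part of the original notes; Test-AdminShareAccess is a hypothetical function name, and the server names are placeholders to replace with your own.

```powershell
# Added example (not from the original notes): confirm that the client push
# account can open \\server\admin$ on each target, which is the same thing
# the manual "net use \\server\admin$ /u:DOMAIN\user" test proves.

function Test-AdminShareAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    foreach ($name in $ComputerName) {
        $root  = "\\$name\admin$"
        $drive = 'PushTest'        # temporary PSDrive name, removed afterwards
        $ok    = $false
        $err   = $null
        try {
            # Mapping the share with explicit credentials mirrors "net use ... /u:".
            # admin$ only opens for accounts with local Administrators rights
            # on the target, so success means push will have what it needs.
            $null = New-PSDrive -Name $drive -PSProvider FileSystem -Root $root `
                                -Credential $Credential -ErrorAction Stop
            $ok = Test-Path -Path "${drive}:\"
        } catch {
            $err = $_.Exception.Message
        } finally {
            if (Get-PSDrive -Name $drive -ErrorAction SilentlyContinue) {
                Remove-PSDrive -Name $drive -Force
            }
        }

        [pscustomobject]@{
            Computer   = $name
            AdminShare = $root
            Accessible = $ok
            Error      = $err
        }
    }
}

# Usage: prompt for the push account once, test every target, and list the
# ones client push would fail on. Server names are placeholders.
$pushAccount = Get-Credential -Message 'SCCM client push account (DOMAIN\user)'
$targets     = 'SMSMember', 'XPClient01', 'VistaClient01'

$results = Test-AdminShareAccess -ComputerName $targets -Credential $pushAccount
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Accessible } |
    ForEach-Object { Write-Warning "Client push will fail on $($_.Computer): $($_.Error)" }
```

Feed it the list of machines from your AD System Discovery container rather than a hand-typed list, and keep the push account a dedicated one with local admin on the clients only; the notes mention Domain Admins as the shortcut, but a least-privilege account limits what a compromised push credential can reach.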

