Last year, I spent all of the Saturday morning before hand checking registry settings on each computer to make sure they would adjust appropriately come Sunday morning. That isn’t a very efficient way to spend an entire morning, but it had to be done to make sure funny things didn’t happen to our overnight programs and everything played at the correct time.

This year, everything has been made so much easier for me. See, I found this utility called TZEdit. (Downloadable from onlinecomputertips.com)

I can confirm that this utility works on both Windows XP and Windows Server 2008. I can’t say anything about other operating systems, but I suspect that it will work for Vista and Windows 7, too (they have a similar codebase to Server 2008).

This utility allowed me to confirm that each computer had the daylight savings times set correctly for our time zone (starting on the First Sunday of October at 2am).

Now I can sit back and relax, knowing that my computers should drift through daylight savings without a worry. The only thing I need to remember is to not to put anything into the 2am hour, as that will be skipped. Apart from that, it’s all sweet.

Now would be a great time for you to check all of your computers for Daylight Savings compatibility. Don’t leave it until the last minute.

I fail to see how a toolbar with a Yahoo search bar can enhance your security. Seriously, it’s just annoying. And I want to disable it. Don’t you want to do the same?

There wasn’t an option within the network management console to disable such a feature site wide, and the AVG Knowledge Base didn’t provide any help. In fact, the best advice I got was to reinstall the software and choose not to install it. However, the Network Edition remote installation tool didn’t support this, and doing it manually on every PC wasn’t an option for me.

Thankfully, Group Policy came to the rescue! It all revolves around the CLSID, which, in short, is a unique identifier given to each Internet Explorer Addon.

The CLSID for the AVG Network Edition is:

{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

What if you want to find a CLSID for a different add on which you want to kill? It’s simple! Kinda. Within Internet Explorer, navigate to Tools > Manage Addons. The CLSID is shown if you right click on the column headings on that popup window and tick the CLSID option. Make note of it.

Within the Group Policy Management Console, navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Security Features > Add-on Management. You want to open up the Add On List. Here’s what Microsoft instructs in regards to this window:

You specify individual add-ons by using the CLSID in the Add-on List policy setting. The Value Name part of the policy setting must be the CLSID of the add-on, and the CLSID must include the braces that enclose the rest of the CLSID. The Value part of the policy setting must contain one of three possible values:

• 0 – The add-on is disabled, and users cannot manage the add-on from the user interface.
• 1 – The add-on is enabled, and users cannot manage the add-on from the user interface.
• 2 – The add-on is enabled, and users can manage the add-on from the user interface.

So, to disable the AVG Security Toolbar, you would set the Value Name as {CCC7A320-B3CA-4199-B1A6-9F516DD69829} (including the curly braces) and the Value as 0. Save all of that, and then wait for the changes to be applied to your machines (or force it with gpupdate).

What a relief this is. Now my users aren’t bothered with annoying toolbars or invaded search results, and we still have AVG running unaffected! Group Policy saved the day, once again.

There is: It’s a command line tool called gpupdate, and it’s real simple.

Sit yourself down in front of a computer on the domain, and load up a command prompt. The quickest and dirtiest way to get it working is to type gpupdate /force - this will just force the system to grab all computer and user policies and apply them. If it needs the user to logoff and then log back on again, it will prompt you to do so, unless you add the /logoff switch to the end – this will force it to logoff.

All your waiting is over.

Today, I’m going to show you how to configure your Active Directory network to run smoother, be more secure and more resistant to disasters which could occur.

Multiple Domain Controllers

Having multiple controllers will protect you against hardware failure in one machine, network congestion when everyone logs on in the morning, and also helps you run perform maintenance easier. For example, restarting your only domain controller to do software updates will prevent anyone doing anything on the network until it fully restarts; this isn’t good for productivity, and may cause people to loose faith in the network if it happens regularly.

The initial cost of purchasing multiple servers and multiple licenses may be high at first, but is a wise investment. Even having two controllers will significantly benefit any Active Directory network.

Strict Password Policies

Passwords are the key to your network. Even if a single user’s account is compromised, the effects can be detrimental to an organisation; the effects of this have been well reported, such as when the corporate account of a Twitter staff member was accessed, and confidential business documents leaked.

The best way to ensure password security is to apply a password security policy through Group Policy. This will ensure your user’s passwords contain a mixture of upper and lower case characters, as well as numerals. It’s also a good idea to ensure passwords are changed regularly; the Active Directory default is 100 days, but I suggest changing it to 60 days.

For extra sensitive accounts, it would be a good idea to have this set at an even lower interval. For example, Administrator accounts should be set to 30 days.

Folder Redirection, not just roaming profiles

Logon and logoff times can be dramatically improved if you avoid storing data in roaming profiles. In case you didn’t already know, roaming profiles are copied off the server and onto the local machine at logon time, and then copied back to the server at logoff. After a while profiles can grow to massive sizes, especially if you have all of your documents stored in there.

Do your network a favor, and use folder redirection to store all of the documents directly on the server, rather than in the profiles. If necessary, allow offline folders to synchronise these redirected folders (especially on laptops!); offline folder synchronisation is  much more smarter than plain old roaming profiles.

Distributed File System (DFS)

Having your network shares stored on only one server is a bad idea. What if that server fails? What happens to your files? Not good!

You need to take advantage of Microsoft’s Distributed File System, which allows you to have the same network share stored on multiple servers and synchronised automatically. If one server goes down, then the other servers in the DFS cluster will take over. This system compliments the idea of Multiple Domain Controllers beautifully.

Domain Controllers never run other services

Domain controllers should be really secure machines. They are the backbone of the network; you don’t want anything compromising the security. I recommend that other services are not installed on domain controllers. Keep the web services, terminal services, update services, databases and antivirus management systems away from the domain controller servers!

I acknowledge that it can be hard to do this if you’re on a tight budget. The cheapest and safest configuration I can think of consists of three servers:

1. Domain controller / file server (DFS)
2. Backup Domain controller / file server (DFS)
3. The Everything else server (Web, database, updates, terminal services, etc.)

If you’re struggling to get hardware for these servers, try Ebay or a e-waste recycling centre. If you’re not for profit, Donortec can help you with the software licensing.

Remote sites? Read Only Domain Controllers

Remember what I just said about Domain Controller security? Well, if you have any servers at a remote site which you don’t have direct control over the physical security, I recommend you have your remote server  setup as a Read Only Domain Controller.

This means that any changes to the directory can only be made back to a non-read only domain controller (i.e. at your head office). The benefit to this is that if someone gets physical access to the server, they can’t make directory changes which could be detrimental to the entire network. If you don’t have a fast link to the main servers, it will also improve access speed for the remote site.

Enforced Client Health

It’s important to ensure your client computers meet certain security requirements. For example, should ensure your clients have anti-malware software installed. The easiest way to ensure security software installed is to have some checks performed in the machine startup scripts. Check to see if certain software is installed, and if it isn’t, then perform the install automatically.

As far as configuration of the software goes, you would want to ensure everything is in a manages environment. Using software such as Symantec Endpoint Protection or AVG Network Edition can help you establish this by providing a central management system for this software.

You could take this one step further and implement Network Access Protection. For smaller networks it may not be justified, but in larger networks of larger complexity and having larger security requirements, I highly recommend this.

Strict NTFS ACLs

You want your access control at the NTFS level, not the share level. Setting all of your permissions at the share level is just asking for trouble; it won’t help you if someone gets physical access to the drive. Have all of your users in appropriate groups, and assign access to folders and shares based on what group they are in.

Don’t give too many people too much access. In fact, don’t give anyone access to anything they don’t need. Some organisations have an Everyone drive, where everything is stored; in the majority of cases, this isn’t a brilliant idea. When was the last time someone in the promotions department needed access to the payroll? Or someone on reception needed access to confidential corporate forecasts? Not often, I’m sure.

The best policy to adopt is that each department gets access to their own department’s folder, until a case arises where they need access to another department’s files.

Also, while it may be tempting to take advantage of the Everyone security group to allow every user access to certain files, it is best not to. Instead, have a security group which encompasses all of your users.  Remember, the Everyone group includes IIS users and guest accounts – you probably don’t want these accounts to have access to your files.

In Conclusion…

I’ve presented some easy (and some not so easy) ways to secure, optimise and utilise best practices in an Active Directory environment. Hopefully you can implement some of these tips, as well as find other ways to improve your network. Feel free to post any further suggestions in the comments.

Crashing no less than six times in the space of fifteen minutes while trying to write yesterday’s blog post about Kwok. That’s right: Firefox crashed six times! Thank goodness for WordPress’ Auto Save.

Very embarrassing. Well, for Mozilla, at least. It’s just plain annoying for me.

This isn’t the first time I have had Firefox crash repeatedly on my Mac. Last time it happened, I was using Tiger. This time, I am using Snow Leopard.

Was I doing anything unusual when the crash occurred? No. I was basically just writing in WordPress, and occasionally uploading an image (with both the standard uploader and the Flash uploader). There have been reports of Firefox crashing when using WordPress, but that was resolved as an issue with Google Gears; I don’t use Gears, so this doesn’t help me.

I have used this experience as a chance to learn about how Mozilla deals with crash reports.

If you navigate your Firefox browser to about:crashes, you will get a list of GUIDs which reference to your crashes. Click on one of them, and you will be taken to the Mozilla crash reporting website, where you can see the gruesome details about the crash. Core dumps, running threads, modules, kernel details – it’s all there.

Bundle this with Bugzilla, and Mozilla really does have a great platform for dealing with crashes and bugs. It’s a really comprehensive system they have setup to deal with the sheer volume of issues they would have. Great job! Now, can you please fix my Firefox?

We’re not talking about a simple spreadsheet, although that may be useful for very small-scale solutions. You need Kwok; Kwok Information Server.

Kwok allows you to keep track of all of you assets, the hardware and the software. Don’t store all of your information in one person’s brain – keep if all stored in a collaborative system.  Here’s what Kwok can do for you:

• Hardware management: register every bit of hardware in the system, and then assign it to users or a specific location. Keep track of who is using what
• Software management: register all of your software licenses, and then link these to specific computers. It’s easy to see how many licensees you have for each piece of software
• Issue tracking: log all issues experienced with your equipment, and then use it to track updates and assign a resolution. No more “oh, I forgot about that problem!”
• Knowledge base: log important pieces of information regarding your systems or policies. Have some computers which require some special attention? Add an article about it before you get hit by a bus

This is a very powerful feature set. Combine it with LDAP Integration (so you can link it to your Active Directory), email updates, vendor contact details, and a whole set of other features, and you have one very powerful system!

What would make this whole system even better for you is investing in asset labels – stickers identifying the owner of the hardware and containing a unique identifier. Whack one on each bit of hardware, and log that number against the asset in Kwok. It’s a simple way to keep track of the correspondence between physical assets and records in Kwok.

Kwok is a web based system which is open source. It requires Apache Tomcat and PostgreSQL to run, but the package includes the whole system. Just plonk it in a folder on your server, and step through the provided instructions.

There’s a few things I find troublesome with Kwok. Firstly, there is a lack of delete button in several sections, such as ‘issues’. Secondly, the interface can be a bit slow to move around if you’re new to it – for example, it took me a while to find the pagination section on the hardware screen.

Overall, this is a great concept for a system, and a reasonable implementation. If you don’t have any sort of asset management, then this could be just what you need to get organised. Don’t wait until you have a specific reason to document everything – do it now!

(By the way, if you are looking for some asset labels to stick on everything, try Avonlea Labels. Our ones look fantastic, and are quite strong)

However, something inside me told me that I should go and get this upgrade as soon as possible. After all, I hadn’t upgraded to Leopard, and was still running Tiger. I also thought it would be worth upgrading to a 64 bit operating system.

The installation went well. The whole thing was finished before I could read a few articles in the latest Audio Technology (they have a good review on headphones, by the way). Very smooth, and much more streamline than any Windows installations I have ever performed (and I’ve done that a fair few times!).

The advantages I have received over using Tiger are numerous. I can see the small speed difference between the 64 bit apps and the old 32 bit apps. I love the new dock, the refined finder and better networking. Hey, even the Exchange supports makes me want to setup my own Exchange server!

Sure, many of the features I have benefited from would have been there by just upgrading to Leopard ages ago. However, I never actually used Leopard – while I didn’t see any problem with it, but it was still the OS which I never used. That’s just how it worked.

Do I regret being an early adopter of Snow Leopard? Not yet. And I don’t think I will. It’s been smooth sailing so far, and I expect it to stay that way. After all, Macs are renowned for being no-nonsense, and just getting the job done.

If you have an Intel Mac with Tiger, you should really be thinking about upgrading. In fact, don’t think about it; just do it. The upgrade is painless, and well worth it. If you get the box set, you even get iLife 09 and iWork 09 – it’s a wise investment.

DonorTec provides donated software and hardware from companies such as Microsoft and Cisco to eligible Australian non profit groups with Income Tax Exempt Status (ITE). Via this program you can get the latest products each year e.g. Microsoft Windows Vista

If you’re strapped for cash, then this is just what you need. No more *cough* illegal software. No more borrowing that copy of XP from a friend. This is the real deal!

Their catalog of software is extensive: from Windows XP and Vista through to Windows Server 2008, Office 2007, Expression Web, etc. The list goes on. There is also a great list of hardware from Cisco, but at the time of writing, they don’t have any readily avaliable.

However, there are certain rules, particularly in regards to the Microsoft products. You can only order once a year, and but within a 24 month period, you can not order more than six software titles, and you can not order more than fifty licenses for each title.

There’s also a couple of other gotchas, but overall it is a very nice program. Did I mention how much they charge for their products? Windows XP costs $11 per licence, and Windows Server 2008 only costs $48. CALs also sell for around $3.

How can they do this? All of the software and hardware is donated by the suppliers.

The key to this is: planning. You need to plan not only how many licenses for each product you will need now, but also in the next 24 months. Develop a long-term strategic plan. But remember, plans are only guesses; I think it is best to over-order slightly, to cover all bases.

Finally, you need to ensure you have an ATO recognised Income Tax Exemption (ITE). Luckily, our government makes it very easy to check out your accreditation status through the web.

In case you didn’t already know, Microsoft’s Active Directory uses the LDAP protocol to store and communicate it’s data. As this is an open protocol, there’s plenty you can integrate it with. In this article, I’ll focus on PHP.

It’s really easy to get started integrating PHP with LDAP. There’s many truly great and in depth articles on this subject, such as one from Developer.com. If you want long explanations, head they way. Over here, I’ve got a quick and dirty example:

<?php

$username = "administrator";
$password = "MYSecur3Password4";
$server = "192.168.10.5";

$connect = ldap_connect($server);
$bind = ldap_bind($connect, $username, $password);

if($bind == TRUE) {
echo "LDAP Connect Success!";
} else {
echo "LDAP Connect Failure!";
}

?>

That will do a really simple connect to your Active Directory server, such as a Microsoft Windows Server 2008. You can modify this code to grab the username and password as user input from a login form, and then authenticate against that.

However, you must always check to make sure the username and password fields are not empty, or else it will probably authenticate anonymously and return a TRUE value. Here’s a modified example to grab the data from a logon form as POST data:

<?php

if(empty($_POST['username']) || empty($_POST['password'])) {
die("Username or Password field was left blank. Please try again.");
}

$username = $_POST['username'];
$password = $_POST['username'];
$server = "192.168.10.5";

$connect = ldap_connect($server);
$bind = ldap_bind($connect, $username, $password);

if($bind == TRUE) {
echo "LDAP Connect Success!";
} else {
echo "LDAP Connect Failure!";
}

?>

So, that’s the basics. However, it’s probably not much good if you want to do anything else than a quick authentication check. The PHP LDAP Extension supports a myriad of fancy things, from searching to editing and even deleting records. But you don’t want to do that manually. What you really want to do it use a library such as the adLDAP library, and use that to do all sorts of fancy things.

Here’s the feature list:

• User authentication
• Group management
• User management
• Contact management
• Exchange mailbox creation

It’s really worth checking out. They even provide info on how to achieve a seamless signon for within your domain. Here’s the IIS/PHP instructions:

Format the machine and install Linux (recommended), or remove anonymous access from the directory with the IIS management console, the username is available with $_SERVER[“LOGON_USER”].

Seamless authentication with Apache on Windows can be achieved with mod-auth-sspi

[ From: Seamless Authentication - adLDAP Wiki ]

So, there you have it. Active Directory authentication with PHP.

If your station would like to do outside broadcasts (OBs) using the internet, you will soon have the opportunity to apply for up to $2,500 toward IP-based OB equipment through CBOnline grants. These grants will be available only during 2009/10 – with applications closing on Monday 12 October 2009.

If you’re new to IP-based OBs and need some ideas for how to go about it, download the Mobile Broadcasting for Community Radio Stations Manual. It describes what options are available and whether IP-based OBs are suitable for your station.

This is fantastic! I’ll start putting my application together ASAP. While I couldn’t put together a full OB rig (kitted out with proper PA gear, outboard processing, UHF mics, etc.) for under $2,500 it would certainly buy the basics any station would need to get started. And that, I believe, is what this grant is about – getting stations started.

The part I find most interesting about this announcement is the Mobile Broadcasting for Community Radio Stations Manual. Let me say first that this is a great idea, publishing a concise manual to give stations a run down 0f how to perform an IP-based OB. It’s the right idea, but I think it has been executed in the wrong way.

The part that was unexpected and disturbing to me was that proprietary software was used for all of the examples! NCH’s Broadwave was pretty much used exclusively for the streaming, and Hamachi’s Log Me In was used for remote computer access. Both proprietry pieces of software, and both require you to buy a licence (they both have limited free versions, but it’s a licencing minefield).

While there is nothing wrong with each of these pieces of software, and I don’t blame them for using them as an example, mention should have been made of the open source alternatives. Shoutcast or Icecast are both massively popular pieces of software which allow you to stream stably for long periods of time. Shoutcast is closed source, but 100% free, and Icecast is 100% open source. I know they both work incredibly well because I use them both on a regular basis.

As far as remote access goes, I thought VNC would have been the option of choice. It’s open source, has a massive community around it, and is also easy to get running.

There was an appendix which made a brief mention of other streaming solutions. On this list I found NCH VRS (a logging program, not even proper streaming!), Real Producer Basic, VLC, Audio TX Communicator (a hardware solution), Ustream and Ubroadcast. At least mention was made of one open source piece of software, that being VLC.

The CBF is on the right path in producing this manual, but surly community radio should be trying out the open source products before dishing out cash to companies for proprietary software. It would be great if this manual could be revised to include mention of open source software.