Monday, April 25, 2011

Don't piss off the geeks

Rule #1: Don't piss the geeks off. They control the universe, and can make your life a living hell.

What triggered this brief rant? We have remote control abilities for a reason folks. We don't make a habit of spying on you, face it, you're not that interesting, but we need the tools to do our job.

I had a user (who has been granted local administrative privileges on his laptop). This user had disabled a portion of our remote control abilities. This is a minor pain, and we have ways to re-activate them. But it just pisses me off.

In short, "Just don't do it."

Tuesday, April 19, 2011

Documen... What? Huh?

Gotta love hybrid systems, sometimes things are done one way, and other times another (for whatever reason) and if you do it the "right" way for a specific group, it works, but another group it won't.

You've got to stay consistent, and you need to keep documentation as to how things are done for individual groups.

I just ran into a case where I shot myself in the foot, because the "right" way wasn't the way I was expecting, and of course, it appears to work for a brief period, and then it fails again.

Ah well, my own fault. Now let's make it work right.

Monday, April 18, 2011

Generic email accounts. Love to Hate Them

No matter where you work, you are almost certain to run into generic e-mail accounts. There are some places that you are going to have to use them. But what do you do with them?

Some departments are prime candidates for generic email accounts. These are typically departments that deal with outside entities, and ones that need some sort of continuity when staff changes or goes on vacation. Say, "Accounts Payable", "Accounts Receivable" and "Human Resources" are good candidates (not to mention "Postmaster", "Abuse", "webmaster", "Hostmaster", and any other pseudo-required addresses).

What to do with them?
Option 1) Just set a person up to pull the messages via POP/IMAP, and let them deal with everything from there. I think this is the worst of the three options I list here. You know darn well that whoever has this account set up isn't going to remember the password to the account, you aren't going to be able to enforce good password security, and if you need to "move" the account to someone else for whatever reason, you'll probably have to reset the password.

Option 2) Don't actually create a mailbox, but rather set up a mail alias. This avoids the problems listed above, but creates its own set, namely that the poor schmuck who gets these messages will have to filter them him- or herself, and that if something should happen, the next person doesn't have access to historical messages.

Option 3) Set up some sort of "Ticket" system that can tie into your email system. Each message that comes in either creates a new ticket, or is attached to an existing ticket. This way anybody with appropriate authorization can get access to any old messages, you can have multiple people with access to the system each dealing with things, and actions can be logged, i.e. "Invoice Received & imported into Accounting system, waiting to pay pending notification from receiving dept." If the primary person is on vacation, whoever is filling the position can see what is going on without having to change credentials, forward messages, etc.

This falls under the category of "more work up-front solves problems later on"

Saturday, April 16, 2011

9-5++

Gotta love working in IT. Don't get me wrong, I find it very rewarding, but there comes a time when I want to leave work at work. I've been working at my current position for just under 3 years now, and was at my position prior to that for three years. There is one thing that is somewhat of a constant when working in IT Support. The dreaded Cell Phone.

Theoretically my work hours are from 8am to 5pm, with an hour for lunch. From a practical standpoint, I start getting calls and emails at around 7:30am, and they continue on well past 5. Part of that can be attributed to working in Higher Ed. Classes don't stop at 5, they continue until 10, and some adjunct faculty members aren't on campus during our normal hours. Some of it can't.

I've been on the road to a family function on a Saturday morning, I've taken calls from the CFO while trying to put my 1 year old to bed, I've troubleshot printers while waiting for a ride to a wedding in a different time zone.

I have a company-issued iPad, and I have a very hard time ignoring the little "1" on the mail icon. Emails will come in all the time; some of them are easier to ignore than others.

My anniversary is coming up soon, and my wife and I are planning to get away for a couple days, just the two of us. The kids are going to stay with their grandparents. Do I leave the phone? Or do I take it so that they can reach us if they need to? There's no easy answer.

Ah well, so far it has been a quiet weekend, only 1 email so far, but one that fell under the category of "rather important, and needs to be dealt with sooner rather than later"

On that note, I'm going to wash the dinner dishes, and hope to sleep without hearing the dreaded "you've got mail" chime.

Friday, April 15, 2011

Ampersand Dollar Percent Pound Exclamation Sign

Yes, I'm swearing in Long-Hand today. First thing when I walk through the door I religiously read the latest ISC posts. This one caught my attention: "MS11-020 (KB2508429) Upgrading from Critical to PATCH NOW".

Things like this really make my day. When you read further it states that the exploit being patched can be executed without authentication! I really don't like the idea of having "my computers" be vulnerable to something like this.

Now don't get me wrong, I have already pushed the patch out to all of my computers via WSUS. What this means, though, is I am setting an installation deadline to ensure that it is installed as soon as possible. I also now need to go in and check to make sure that all computers have the patch installed. When I have 500ish computers, and not all of them are physically located on campus all the time (Laptops, Road Warriors, etc.), this can be somewhat difficult.

I don't like forcing deadlines on patch installs, doubly so when the install is going to require a reboot, but there are times when it needs to be done. This is one of them.
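One way to do the per-machine check described above, as an added example (not the author's own script): it asks each computer whether it reports KB2508429 and keeps "unreachable" separate from "missing", since laptops that are off campus cannot be counted as patched. The file name `computers.txt` and the output path are assumptions.

```powershell
# Added example, not from the original post.
# Assumption: computers.txt (hypothetical name) lists one hostname per line.
param(
    [string]$ListPath = '.\computers.txt',
    [string]$KbId     = 'KB2508429',          # KB number quoted in the post
    [string]$OutPath  = '.\patch-audit.csv'   # hypothetical report path
)

function Get-PatchState {
    param([string]$Computer, [string]$Kb)

    # Off-network laptops must not be mistaken for patched machines.
    if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
        return 'Unreachable'
    }
    try {
        # Pull the full hotfix list so a failed query (access denied, RPC
        # blocked) is distinguishable from a machine that lacks the KB.
        $fixes = Get-HotFix -ComputerName $Computer -ErrorAction Stop
    }
    catch {
        return 'QueryFailed'
    }
    if ($fixes | Where-Object { $_.HotFixID -eq $Kb }) { 'Installed' } else { 'Missing' }
}

# Fall back to the local machine so the script still runs without a list file.
$names = if (Test-Path $ListPath) { Get-Content -Path $ListPath } else { $env:COMPUTERNAME }

$results = $names |
    Where-Object { $_.Trim() } |
    ForEach-Object {
        $name = $_.Trim()
        [pscustomobject]@{
            Computer = $name
            State    = Get-PatchState -Computer $name -Kb $KbId
            Checked  = Get-Date -Format s
        }
    }

$results | Export-Csv -Path $OutPath -NoTypeInformation

# Summary counts, then the follow-up list: everything not confirmed installed.
$results | Group-Object State | Select-Object Name, Count
$results | Where-Object { $_.State -ne 'Installed' } | Sort-Object State, Computer
```

`Get-HotFix` reads the Win32_QuickFixEngineering WMI class, which does not list every kind of update, so a `Missing` result is worth cross-checking against the WSUS status report before chasing the machine down.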

Thursday, April 14, 2011

Security Incident - What would you do?

We've received a notification that one of our users' accounts has probably been compromised.

What would you do? Reset the password, and force the user to present ID to get a new password? Send an email asking the user to change their password?

Dangit... we need another policy.

Updates, More Updates, and...

This has been a busy week for us. Microsoft released a huge slew of updates, and Adobe has an update to Flash that is due out tomorrow.

I run a set of terminal servers, and let me tell you, they've been getting a workout of reboots recently. I ran the latest set of MS patches last night; it took about an hour a server to complete them. Once Adobe releases the Flash update, I will have to push it out, and restart them again. Luckily, I can easily drain/stop the servers so that I can bring them down without any disruption of service.

Hint: Keep yourself up to date by following The SANS Internet Storm Center