GRAFFITI -- July 11, 2005 thru July 17, 2005


Welcome to Orb Graffiti, a place for me to write daily about life and computers. Contrary to popular belief, the two are not interchangeable.

About eMail - I publish email sometimes. If you send me an email and you want privacy or anonymity, please say so clearly at the beginning of your message.


MONDAY, July 11, 2005

0844 - Good morning, or so it seems. I'm here (at work), so another day upright is a good day, true? Low energy, nothing much to write home about. I did very, very little over the weekend. No yardwork (a shocker, that one), no nothing. We shopped, and I was lazy, the rest of yesterday, hoping to kick whatever was bugging my system. Didn't work much - this feels like a mild flu, but I should be fine in another couple of days. There are other things to share, pictures of the remodeled library, fun with bandwidth limiting and more, but not today, I think. I'll conserve my energy for wage-earning at present. Have a lovely day!



TUESDAY, July 12, 2005

1421 - Good afternoon. Here's what I just sent out to my users:


Subject: Updates available from Microsoft

Welcome to the second Tuesday of the month, All Praise Microsoft.

That's right, it's patch Tuesday, the RRT are busier than I am, and
you've got a couple of chores, too. Okay. If you use MS Windows, you
have chores. If not, you're ... better off.

Summary for this message:

1. Configure proxy settings for MS Updates to work with Proxy Server.
2. Update MS Windows.
3. Update MS Office.


First off, proxy settings: Here's a tested fix to the problem of Windows
Update / Automatic Updates not working properly from inside of the
proxy/firewall environment:

START --> Run

type "cmd" in the command line dialog, then click on the Run button.

In the command window, type this at the prompt:

	proxycfg -p "http://nnn.nnn.nnn.nnn:wxyz"

then press Enter. The output from running proxycfg will show, among
other things, the string "Updated Proxy Settings", and the list of
"Proxy Server(s)", including just the one given on the command line.

After a reboot, Windows Update and Automatic Updates should work fine
for you going forward, from inside NFR. If you take your machine offsite
and need to apply updates, then you may need to remove that setting:

START --> Run :    cmd

	proxycfg -d

that blanks the proxy settings, or

	proxycfg -u

to import settings from Internet Explorer's setup (Test to make sure
that IE is getting out to the web properly before running the '-u'
version).


Windows Updates for PATCH TUESDAY.

Open Internet Explorer. Tools menu --> Windows Update.

Follow the prompts, apply all critical updates (Express Update option
will be fine).

Rebooting may be required.


MS Office Updates

This month there's a vulnerability that allows people who send you a
specially-crafted malicious document to execute code on your system, as
the user you login as. Since your user account is probably an
administrator account, this is a very bad thing. Update your system.

Open Internet Explorer. Go to this URL:

http://office.microsoft.com/en-us/officeupdate/default.aspx

Click on "Check for Updates" in the section near the top, titled "Office
Update". Follow the prompts to apply available updates. If your computer
requires the original Office CD to complete installation, then get that
and keep rolling. Repeat this process until no updates are available.

I've written about proxycfg recently, on this day, and since it's now pertinent, I'm sending it out for general consumption. Please note that you need to personalize that configuration for your environment. It's probable that proxycfg -u will best meet your needs.

In other news, I'm still fighting this low-grade bug, mostly just a sore throat, a few aches here and there, and compromised sleeping patterns making me crusty and irritable (no real change, according to some). I've also replaced via hot-swap a batch of UPS batteries today. Much less beeping ... a good thing. Now on with my day, have a good 'un!



WEDNESDAY, July 13, 2005

0645 - Good morning. Within moments of my posting yesterday afternoon, I received an email about proxycfg, and thought someone had fingers way too fast...

Subject: a few words on ProxyCfg

Hello, Brian.

I hope you're feeling better soon. I'm always impressed by your whirlwind of activity.

I do most of the care and feeding for [redacted, let's just say, a bunch of hardware, well protected.]

I discovered proxycfg.exe as part of a Microsoft SharePoint server installation, and then again as part of debugging Windows Update vs. Automatic Updates with our SUS server.

ProxyCfg isn't included in various upgraded SP installations of Windows 2000, but it can be simply copied from, say, a Windows XP machine and then used locally.

I use Group Policies instead to set the proxy settings, though. One key thing that I had to get over was a Local Policy setting on various machines that set global proxy settings to our web proxy server.

This also affected what the "system" tried to use for web access, including the Automatic Updates. Since that service couldn't authenticate itself, this would fail.

Hindsight being 20/20, Googling for "make proxy settings per-machine" turns up lots of useful links, e.g.

This and this.

My response was two-fold.

1a) Script changes to all machines to manipulate the registry to get rid of the bad local policy setting. This made sure that when, say, laptops are taken off the network, they can access the Internet.

1b) Implement a Group Policy in Active Directory that turned off the above setting, and set my configuration for internal use by Automatic Updates of the internal SUS server.

2) Make firewall changes to allow internal machines to access the network block at Microsoft that hosts the Windows Update website.

The reason for 2) is that I decided that forcing all traffic through the authenticating proxy server was security for security's sake, and actually caused harm by denying patches to machines that fell through our administrative cracks. I periodically follow up on the logging of that web traffic, which allows me to find those machines, which typically includes guest access in conference rooms.

Following 2) and review of what outbound web traffic we block, I have also allowed access to sites that host security updates for various products that are either unaware of proxy settings, or can't use an authenticating proxy server, e.g. McAfee, F-Secure, Kaspersky and another Microsoft block that hosts their "SpyNet" for their AntiSpyware app they acquired from Giant Software.

"Mr. Whatsit"


Since I don't have a domain environment to worry about, I was basically just concerned with getting the job done without having to manually download patches and installing them one by one on client workstations (or trusting users to do that for themselves). Speaking of downloading patches, that was made harder by Microsoft requiring that patch download be done only by a legitimately licensed Windows OS. That's right, I can't browse to the MS site and pull down a set of patches for applying to multiple client workstations. Bastards! "Mr. Whatsit" gave me permission to post the above, should any of you other kind readers find it useful, with the proviso that I remove his primary network and systems description, along with his contact info. Perfectly understandable, so I've given him (or her) the pseudonym that our Rose's unpronounceable Polish Gentleman was known by in "Keeping Up Appearances", one of my favorite Brit comedies.

Now to work with me. Have a great day!



THURSDAY, July 14, 2005

0944 - Good morning. On the downslope side of the week, and past this morning's early dental cleaning appointment. Nothing but late afternoon pop-up showers and thunderstorms according to this morning's forecast, so of course I came out of the dentist's office to find it pissing down rain. Lovely. Anyway, plenty of work for me here, so I'd best be about it. Ciao!


1046 - Me again. Go read this short article: "The Jailing of Judy Miller" Think about that for a while. Later...



FRIDAY, July 15, 2005

0638 - Good morning and happy Friday! It's heartening to know that all I have to do is expose my continuing ignorance on the web, and wonderful strangers will send me email to correct my woeful ways... Here's my new friend from earlier this week:

Subject: Windows updates for free download

Hello again, Brian.

Nice to hear that you're feeling better, despite all those trips to the dentist.

It may interest you to know that you can indeed get the latest updates from Microsoft without having to go through Windows Update.

There's all kinds of linked ways on the Microsoft site to get where you want to be, but you can jump right to:

http://www.microsoft.com/technet/security/current.aspx

For the IT guys' technical details and patches. Just scroll down. Works great with FireFox on a non-Windows machine and the downloads don't ask for validation (also, when I do get those for software downloads at Microsoft, I follow the link, and then am sure to take the "Don't check, just take me to the download" option).

I like to use the filters on this site to bring offline machines up to date, say, when I plan to go to "Aunt Millie's" house and she only has dial-up.

There are other ways to get patches on those Windows machines without Active Directory. For example, SUS and its new incarnation WSUS don't need it all, but you do need to set up a Windows web server and somehow configure the machines.

If your workstations are executing a login script, one hurdle you might have is that the user is not a local Administrator. Here, the sudo-like tool "RunAs" is your friend. Unfortunately, Microsoft doesn't give a way to pass a password to it for scripting. However, the "Sanur" tool was designed for just this eventuality. It still works, but development has stopped. It is available here, with links to other tools:

http://www.commandline.co.uk/sanur/

Also, the free "PS" tools from:

http://www.sysinternals.com/

Are like pennies from Heaven. They're easily scriptable. For example, I make a list of machines, then call psexec to reach across the network, run a script to install something, check something, delete something or make a registry change, and then exit. Sweet.

Psshutdown is handy to remotely tell machines to shutdown.

My favourite use is to get an interactive shell, e.g.

Psexec \\target -u [domain\]username -p password cmd

That's probably far too plaintext for your liking, but without a ssh daemon, it does the trick on the internal WAN.

Psinfo, pslist and pskill are also must-haves. Especially pskill, which lets you kill a process that Administrator can't kill, even remotely.

Mr. Whatsit    8)


I replied...

Mr. Whatsit wrote:

...
> http://www.microsoft.com/technet/security/current.aspx

Cool. I'd been in that way once or twice before, but (silly me) assumed that when they broke one way to get patches, they broke them all.

> I like to use the filters on this site to bring offline machines up to
> date, say, when I plan to go to "Aunt Millie's" house and she only has
> dial-up.

Mmmmm. Cool. I have one great offsetting advantage in living on the opposite coast from all of my family: I don't have to do relative tech support. The downside is that I miss seeing them...

> There are other ways to get patches on those Windows machines without
> Active Directory. For example, SUS and its new incarnation WSUS don't
> need it all, but you do need to set up a Windows web server and somehow
> configure the machines.

It's that last bit that throws me. And for the number of systems I have to watch over, it's not worth all that effort.

...
> Are like pennies from Heaven. They're easily scriptable. For example,
> I make a list of machines, then call psexec to reach across the network,
> run a script to install something, check something, delete something or
> make a registry change, and then exit. Sweet.

I keep hearing good things about the sysinternals site, but until this gig, really haven't had to spend an inordinate amount of time with windows machines.

> Psexec \\target -u [domain\]username -p password cmd

Eeeeeek!!! I can hear CMOT Dibbler selling sausages at my funeral, were I to implement that on our network!!!!

Other than that last frightener, cool, thanks! Good intel.

be well,

.brian

--
Brian Bilbrey : http://www.orbdesigns.com/
"Kirk to Enterprise -- beam down yeoman Rand and a six-pack."
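
The `-p password` command line in the exchange above is the kind of thing worth auditing for in login and admin scripts. The following is an added example, not code from the original page or from Sysinternals: it flags PsExec calls that carry an inline password and redacts the value in its report. The sample script, host names, accounts and passwords are constructed, and only `-u` and `-p` are parsed as value-taking options.

```python
import ntpath
import shlex

# Assumption: only -u and -p (the options shown above) take a value here.
VALUE_OPTS = {"-u", "-p"}

def _tokens(line):
    try:
        return shlex.split(line, posix=False)  # keeps quotes and backslashes
    except ValueError:  # unbalanced quote: fall back to whitespace split
        return line.split()

def audit_line(line):
    """Return (kind, safe_line) when a psexec call carries '-p <value>'."""
    stripped = line.strip()
    if stripped.lower().startswith(("rem ", "::")):
        return None  # commented-out batch line
    toks = _tokens(stripped)
    names = [ntpath.basename(t.strip('"')).lower() for t in toks]
    hits = [i for i, n in enumerate(names) if n in ("psexec", "psexec.exe")]
    if not hits:
        return None
    j = hits[0] + 1
    while j < len(toks):
        tok = toks[j]
        if tok.lower() in VALUE_OPTS:
            has_value = j + 1 < len(toks) and not toks[j + 1].startswith("-")
            if tok.lower() == "-p" and has_value:
                if "%" in toks[j + 1]:  # e.g. %ADMINPW%: not stored in the file
                    return "variable", " ".join(toks)
                toks[j + 1] = "<redacted>"  # never echo the secret in a report
                return "literal", " ".join(toks)
            j += 2 if has_value else 1
        elif tok.startswith(("-", "\\\\", "@")):
            j += 1  # a flag, a \\computer name or an @file list
        else:
            return None  # remote command begins; its own -p is not PsExec's
    return None

def audit_script(text):
    """Return [(line_number, kind, safe_line)] for every finding."""
    found = ((n, audit_line(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, *hit) for n, hit in found if hit]

# Constructed sample login script (hosts, accounts and passwords are made up).
SAMPLE = r"""@echo off
rem psexec \\old -u admin -p NotChecked cmd
psexec \\ws01 -u CORP\admin -p Summer2005 cmd /c patch.cmd
"C:\Tools\PsExec.exe" \\ws02 -s -u admin -p "two words" cmd
psexec @hosts.txt -u CORP\admin -p %ADMINPW% install.cmd
psexec \\ws03 -u CORP\admin cmd -p not-a-psexec-flag
"""

print(*audit_script(SAMPLE), sep="\n")
```
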


Here are some recent pictures from the last couple of weeks...

Stormy sundown skies. New hanging flower baskets. Tomato plants coming into production. Salsa peppers are good, spicy. The new look of our library.

The storm-wracked skies of the last couple of weeks have been pretty exciting. Lots of thunder and lightning, very Wagneric. No Valkyries in that sundown shot at left, above, but it is missing only bolts from above to match the way the weather's been. When we do have sun, the plants are soaking it up (and they appreciate the rain, too). In front, we added four more hanging baskets (previously mentioned). Out back, the pepper plants are starting to take off, finally. The Salsa pepper plants are still pretty spindly and meagre, but they're producing - that's the third I've gotten off of two plants about that size. The tomatoes are also coming into production. I'm able to take enough ripe fruit off each night to make salad. Pretty soon it'll be overwhelming, but these are good problems to have. Finally from this first set, you can see new furniture (chairs, "game" table and chairs) arranged in the library with the old bookshelves rearranged. In the large niche in the far wall, currently occupied by something modern, we'll be putting in a framed Renoir print from our Barnes Foundation trip (as soon as we get it matted and framed).

White Gladiolas. Yellow Gladiolas. Blue Delphiniums, with a visiting bee. The tomato patch.

We both like flowers as well as vegetables and herbs. Out front once again, the Gladiolas are in full bloom, even though only perhaps half came up this year. By way of contrast, the Tiger Lilies are all up, and spreading, but they're not in bloom yet. The yellow and white Glads came in first, and although they're not going to be as stunning this year, the reds and pinks are just starting to bloom. In pots out back on the porch, we replaced some Snapdragons with blue Delphiniums, they're really quite lovely, and draw honey bees in from all around. Now that Molly's had her experience with catching a bee in her mouth, we're not as concerned anymore. Finally, a distance shot of the tomato bed from just a couple days ago -- you can see all the fruit coming in.


Now, to work with me. I'm going to start testing clients against all the server stuff I have set up behind a new VPN endpoint. We'll see how easily I can break what I've had a considerable amount of help with setting up. Have a great day!



SATURDAY, July 16, 2005

1732 - Good evening. Slept in a bit, to about 0830, followed by a lazy early morning. I made up for it with three hours of edging and mowing, while thunder crashed all around. No rain but for two minutes while I was string-trimming the fence line in back. But the rain stopped before I wandered over to put away the mower, so I continued to completion. Just now the lightning and thunder are back again, and rain's threatening. The afternoon has been uneventful, a bit of reading, a bit of browsing, and I'm working with Kubuntu on the Sony R505 from work. It's really a sweet little hardware package, ideal for lots of admin-type tasks as it has a real serial IO port on the back, and it is a very small, light chunk of hardware. Tonight we're having BLT, with some lovely beefsteak tomatoes straight from the Department of Agriculture test gardens. No, we didn't ask too many questions. Grin. See you tomorrow.



SUNDAY, July 17, 2005

1404 - Good afternoon. I skipped last Sunday's post, because I felt like crap. So I'm due to spend some time considering the costs of our Middle Eastern entanglements...


I have seventeen things to do, and not enough energy for any of them, really. Let's see what trouble I can get into ... see you next week!



Visit the rest of the DAYNOTES GANG, a collection of bright minds and sharp wits. Really, I don't know why they tolerate me <grin>. My personal inspiration for these pages is Dr. Jerry Pournelle. I am also indebted to Bob Thompson and Tom Syroid for their patience, guidance and feedback. Of course, I am sustained by and beholden to my lovely wife, Marcia. You can find her online too, at http://www.dutchgirl.net/. Thanks for dropping by.

All Content Copyright © 1999-2011 Brian P. Bilbrey.

Creative Commons License
Except where otherwise noted, this site is licensed under the
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.