Friday, October 27, 2006

Dell BIOS Silent Install

GX650A08.EXE /nopause

Now we can update the BIOS through SMS.

Googlepedia Mistake

I just installed the Googlepedia extension (or are they add-ons now?). It is a fantastic way to enhance Google results by simultaneously searching Wikipedia for every Google search. The benefit is that on your left, you get Google's results and on the right, you get the closest Wikipedia article. This method works so well that I can see Google offering plugins for both Firefox and Internet Explorer or just modifying their results page.

The problem is that Google's advertising is gone. In its place is where you see the Wikipedia article. Google will not stand for it and frankly, I don't think that it is really right. I don't mind choosing not to view ads by using an ad blocker; I feel that everyone has the right to control what advertising they are being shown. I also believe that advertisers have the right to encourage people to view their ad by offering content. I use a TiVo to skip most ads, but I have the option to view the ads that interest me.

If Google is smart, they will modify their search results and offer Wikipedia results but move it down enough to show their advertising.  In fact, they could improve the intelligence of the Wikipedia search and if there was no match, they could have the Wikipedia article disappear.  Right now my only complaint with the Googlepedia extension is when it brings up an article that is not related to my search.


Googlepedia Add-On



Tuesday, October 24, 2006

Changing Registry ACLs En Masse

Securing the Windows 2000 Registry

Here is an interesting way to modify security permissions (ACLs) on computers/servers through GPO policies.

Active Directory administrators that are using a group policy security template can add the following lines to their .inf template file:


[Registry Keys]

"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)"
"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Services\EventLog",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Computername",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\Software\Microsoft\Windows NT\CurrentVersion",0,"D:AR(A;CI;KR;;;AU)"
"MACHINE\SOFTWARE\Classes\.hlp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\SOFTWARE\Classes\helpfile",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software\Classes",0,"D:AR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
"MACHINE\Software",0,"D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"

We have some bad permission policies that were created when we still had Windows 98 and Windows NT. Back then, modifying the default permissions was a strong security stance, but today it is giving us more grief than benefit, especially since Microsoft has improved its default configuration in regards to security.

We had an issue a few months ago when a Windows Update assumed that we had "Bypass Traverse checking" enabled for Everyone in secpol.msc. If you didn't have bypass traverse checking enabled for a user account, then you wouldn't see your desktop.
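A way to review what each ACE in a [Registry Keys] section like the one above grants before the template is deployed, written as an added Python example rather than code from the original post: it decodes the SDDL strings and lists allow ACEs that give write-capable rights to trustees outside an assumed trusted set. The function names, the TRUSTED set and the choice of write bits are assumptions of this example; the three sample entries are copied from the template.

```python
import csv
import re

# SDDL right tokens mapped to registry-key access-mask bits.
RIGHTS = {"KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}
# Set value, create subkey, create link, DELETE, WRITE_DAC, WRITE_OWNER.
WRITE_BITS = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000
SIDS = {"BA": "Administrators", "SY": "SYSTEM", "CO": "Creator Owner",
        "AU": "Authenticated Users", "BU": "Users", "PU": "Power Users"}
TRUSTED = {"BA", "SY", "CO"}  # assumption: trustees expected to hold write access
SAMPLE = [  # three entries copied from the template above
    r'"CLASSES_ROOT",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"',
    r'"MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",0,"D:AR(A;CI;KR;;;AU)"',
    r'"MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;AU)(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPSDRC;;;PU)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"',
]

def mask_of(rights):
    """Turn an ACE rights token string into a registry access bitmask."""
    mask = 0
    for token in re.findall("..?", rights):
        mask |= RIGHTS[token]  # KeyError on a token this table lacks
    return mask

def parse_line(line):
    """Split one entry into (key, mode, dacl_protected, [(type, flags, sid, mask)])."""
    key, mode, sddl = next(csv.reader([line]))
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.append((ace_type, flags, sid, mask_of(rights)))
    return key, int(mode), "P" in m.group(1), aces

def risky_grants(lines):
    """List allow ACEs that give write-capable bits to trustees outside TRUSTED."""
    found = []
    for line in lines:
        key, _mode, _protected, aces = parse_line(line)
        for ace_type, _flags, sid, mask in aces:
            if ace_type == "A" and sid not in TRUSTED and mask & WRITE_BITS:
                found.append((key, SIDS.get(sid, sid), hex(mask & WRITE_BITS)))
    return found

if __name__ == "__main__":
    print(risky_grants(SAMPLE))
```

On the sample entries it reports the Power Users ACE (CCDCLCSWRPSDRC), whose mask includes the set-value, create-subkey and delete bits.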

Automatically log off users


How to create an ADM file for winexit.scr


;; Remember in GPMC to go View->Filtering
;; and uncheck "Only show policy settings that can be fully managed"
;;
;; David Carlin (djc6@case.edu) 2/25/2005
;;
;; WINEXIT.SCR is located in the Windows Server 2003 Resource Kit

CLASS USER

CATEGORY !!Screen_Saver_Policy

POLICY !!TERMINATE_APPS
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME ForceLogoff
VALUEON "1" VALUEOFF "0"
END POLICY

POLICY !!COUNTDOWN_TIMEOUT
KEYNAME "Control Panel\Screen Saver.Logoff"
VALUENAME CountDownTimer
VALUEON "300"
END POLICY

POLICY !!ENTER_DIALOG_MESSAGE
KEYNAME "Control Panel\Screen Saver.Logoff"
PART !!ENTER_DIALOG_MESSAGE
EDITTEXT
DEFAULT !!DEFAULT_MESSAGE
VALUENAME DialogMessage
END PART
END POLICY

END CATEGORY

[strings]
Screen_Saver_Policy="Winexit.scr Policy settings"
TERMINATE_APPS="Terminate running applications"
COUNTDOWN_TIMEOUT="Enable 5 minute warning logoff notice"
ENTER_DIALOG_MESSAGE="Warning message about being logged off"
DEFAULT_MESSAGE="You are about to be logged out. Press the cancel button to stop this process."


Wednesday, October 18, 2006

Rails and Plugins

dollars_and_cents: a Rails plugin | Archives | codablog | Coda Hale

I thought that Agile Web Development with Rails: Second Edition was going to repeat a lot of information from the first edition. I was wrong; the second edition updates a lot of techniques using conventions that have developed since the last book.

For example, one of the best ways to start a rails project is by using migrations. This book works with that and I assume even more. Personally the migrations section was well worth it. As an added benefit, I'm getting different information going through the depot example a second time because I understand how rails works and can understand better why the examples do this or that.

Quick notes: The book uses Edge Rails, which I refused to install (my only problem with the book). The migrations model uses a :decimal call that is not available in Rails 1.1.6. I was able to use my first Rails plugin, called dollars_and_cents. RadRails made the install very easy. The hard part was modifying the code to use this plugin.

Here are my notes:

Migration line: add_column :products, :price_in_cents, :integer, :default => 0

I ran 'ruby script/generate scaffold Product' which created a new products view. I used this code to modify the views and then copied them into the admin view.

list.rhtml:
<table>
<tr>
<% for column in Product.content_columns %>
<th><%= column.human_name %></th>
<% end %>
<th>Price</th>
</tr>

<% for product in @products %>
<tr>
<% for column in Product.content_columns %>
<td><%=h product.send(column.name) %></td>
<% end %>
<td><%=h number_to_currency(product.price)%></td>
<td><%= link_to 'Show', :action => 'show', :id => product %></td>
<td><%= link_to 'Edit', :action => 'edit', :id => product %></td>
<td><%= link_to 'Destroy', { :action => 'destroy', :id => product }, :confirm => 'Are you sure?', :post => true %></td>
</tr>
<% end %>
</table>

_form.rhtml (replace the last couple lines with this):
<p><label for="product_price">Price in dollars</label><br/>
<%= text_field 'product', 'price' %></p>
<!--[eoform:product]-->

show.rhtml (abridged):
<% for column in Product.content_columns %>
<p>
<b><%= column.human_name %>:</b> <%=h @product.send(column.name) %>
</p>
<% end %>

<p>
<b>Price in Dollars:</b> <%=h number_to_currency(@product.price) %>
</p>

Must Have for Integrating Linux in a Windows World

Ubuntu's AD Samba Guide ActiveDirectoryHowto - Community Ubuntu Documentation

Novell's Ubuntu AD Samba Guide HOWTO: Configure Ubuntu for Active Directory Authentication
Note: Samba is hosted on Novell's servers because Novell is starting to seem pretty agnostic on what distribution people are running. Good for them.

I was able to allow my machine to authenticate on a Windows AD domain without joining it to the domain. The second step of setting up libpam-ldap and nscd would require changes to the domain controllers, but I am only able to log on if the user account in /usr/passwd is identical to a domain account. If I had libpam-ldap installed and joined this computer to the domain, I would be able to accept anyone's domain account as a login on this machine.

I am now able to cruise network shares through Gnome (nautilus) with smb://servername without having to supply a password for each connection. Previously, my credentials would be encrypted to the nautilus keyring, so it may have seemed like authentication only happened once, but it was really happening each time you connected. With a Kerberos ticket, I am authenticated as myself until the ticket is closed or if the ticket is revoked by a domain controller. This truly becomes a single sign-on Microsoft environment.

Now I have to work out how single sign-on for our intranet, which was developed on .NET, is handled (NTLM?). When I go to the site with Firefox (Windows and Linux) I get asked for continuous passwords, it seems. I had heard from a Novell Open Audio Podcast that SUSE had figured out a way to use Firefox with single sign-on. I just can't remember if it was with a Firefox Kerberos plugin, or if there was a special setting in about:config.

Friday, October 13, 2006

Microsoft Support

Safe mode services loaded

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

Riddle me this:

All week our net team of 4 has been working on a stumper of a problem. In fact, I don't think Microsoft knows where to test and focus their attention. We have been talking to Microsoft for approximately 4 hours for the last 4 days and the only thing we have determined is that our registry is getting corrupted, our domain is working correctly, and there doesn't appear to be a virus or other malware installed on the computer. The problem started with 1-2 issues on Monday morning and escalated to 7 identical computers by Thursday, out of a total of 577 workstations where 250 are identical hardware and all are RISed with similar images. The most unique group has 6 computers and only 1 was affected.

Here are the details:

After approving September's patches on Saturday for an install on Sunday at 9am, I got my first call of a netlogon service problem. The user was not able to log on because the netlogon service was not able to start. A second blank error message pops up with a big red "X" and an Okay button before sending you back to the Ctrl-Alt-Del screen. Logging in as that user, my domain account with local admin rights, or the local renamed administrator account all produce the same results.

Going into Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt all cause a hard reboot right when the graphics card should take off. The Last Known Good Configuration gives us the same results as starting Windows normally.

My first diagnosis was a roached OS and I re-imaged it. I found out late that someone else ran into the same scenario on Friday (before approval of updates) and solved it by re-imaging.

Now we start to get suspicious when we start seeing our third, then fourth bad machine on Monday, when we are able to keep a couple for studying (that's when someone figured out that Debug mode works) and start our call with Microsoft.

Booting into the Debug mode allows for normal logins of local administrators and domain accounts.

I spent an hour with memtest and the Dell utilities making sure that the hardware was okay.

To be continued...