Running with high privileges

You know you shouldn't do it, but you're running as Administrator, aren't you? You've disabled UAC in Windows Vista, although we don't blame you; we did too. But really, consider what you actually need: there's an awful lot you can get done without administrative rights, and you can always RUNAS where necessary.

Using SQL Query Analyzer

Now, using this tool isn't in itself a crime, but using it to poke around in databases directly is. Yes, it might be easier to tweak that third-party application this way rather than using the awful administration tools provided. But really, don't do it. Far too many have come to grief at the hand of an ill-crafted SQL statement. DELETE without a WHERE: it's easily done.

Backups

You are doing backups, aren't you? When was the last time you audited the backup logs?

Reusing old hardware

All too often admins will point to their print server, hand-crafted from a collection of old PC parts and gaffer tape. They'll wax lyrical about how cheap it was and how environmentally friendly they are. But it's simply storing up trouble for later. We absolutely advocate keeping some old hardware around; it can get you out of a jam. But don't under any circumstances allow it to become part of your infrastructure, because when it dies, and it will, you'll have a bigger mess to clear up and no easy way of doing it.

Wide open Wifi

There will always be one, and it'll probably be a salesman, who decides their convenience is more important than your security. They'll bring in an old wifi router from home and plug it into the office LAN, then smugly sit across the room from their desk, tapping away on their newly untethered hardware. So keep an eye out, and if you see access points you don't recognise, track them down.

Lack of training

While vendor-certified training for all the users in an organisation is a pipe dream, there's an awful lot to be gained from providing basic training to staff. It doesn't have to be expensive; even creating crib sheets for users covering commonly used applications can bring benefits.

Passwords

How often do you change passwords? Now, whilst enforcing policies that require users to change passwords too regularly can actually make security worse, setting reasonable time limits will go some way towards preventing that favourite user security subversion – sharing passwords!

User buy-in is always helpful, whatever policy you have to enforce. So provide helpful hints to users on how to choose and remember appropriate passwords, for instance using the first characters of a phrase or replacing characters with appropriate numbers (e.g. B becomes 8, l becomes 1 etc.).

Failing to maintain good records

Keeping and maintaining records is time consuming; there’s no getting around the fact. However, it will save you immeasurably more time when, for instance, a laptop is misplaced or stolen. Knowing the specifications of all your equipment will make planning upgrades easier, and it will make contacting manufacturers for tech support easier. You don’t need a complicated system, particularly in a small business; a simple spreadsheet or database should suffice.

Not listening to your users

Although it’s all too easy to assume you know best, that isn’t always so. The task you’re providing a software solution for is their area of expertise, not yours; after all they do their job every day. Interview your users, spend some time with them and get to know how they perform tasks – you can use this information to see if new software will be a good fit.

Giving in to your users

Now, having just said you should listen to your users, you shouldn't confuse listening with capitulating. Users are often resistant to change, and you may feel the line of least resistance is to customise software to fit in with existing business practice. All too often the changes to process required are minimal, and persuading users to change brings substantial gains, as it means working with software rather than against it. Also, if you need a better reason, upgrading customised software is always more troublesome than updating out-of-the-box installations.

Backups (Part II)

When was the last time you did a test restore? Knowing you're performing backups is one thing; ensuring they will actually work is quite another.

Lack of testing

The mantra should be test, test, test. Really, it's almost always better (whatever the short-term pain) to put off implementation to do more testing, rather than have a malfunctioning live system. Actually, this is a good test of management: when senior staff are screaming for the system, can your manager (or possibly you) hold them at bay?

posted on Sunday, January 06, 2008

Even in a small organisation, the task of managing updates is a substantial one. While some products, such as anti-virus, provide integrated update management, many do not. While there are a number of patch management applications, they are mostly tailored, and indeed priced, for larger enterprise users.

WSUS
Microsoft Windows Software Update Services (WSUS), which is available for the very attractive price of nothing, provides patching for recent Microsoft operating systems and for front and back office products. The product provides good reporting capabilities, so you can see at a glance which machines are current and which patches are required. GPOs (Group Policy Objects) can be used to create individual update profiles for different machine groups, for instance providing a small group who get patches first, and allowing servers to be treated differently to other clients.

posted on Saturday, January 05, 2008

There are a number of important considerations when choosing backup media, among them tape capacity, transfer speed and longevity.

Care should be taken when considering tape capacity, as manufacturers will often quote a compressed value. When comparing either transfer speed or capacity, you should always ensure that you use the native values.

AIT
Currently, as of 4 January 2008, AIT-5 is the latest shipping version of this particular tape technology originated by Sony. It provides native storage capacity of up to 400GB at a transfer rate of 24MB/s.

DDS/DAT
This certainly is a story of rebounding branding. DAT was originally launched as a digital audio format, and was later utilised for data backup with the creation of DDS (Digital Data Storage). However, the latest incarnations have returned to the DAT branding roots as the DAT72 and DAT160 formats. DAT72 utilises the same tape form factor as earlier DDS models. The DAT160 drives, however, whilst maintaining read/write compatibility with earlier tapes, actually use a slightly wider tape housed in a thicker case to achieve their higher 80GB capacity, at a rated transfer rate of 5MB/s.

DLT/LTO
DEC (Digital Equipment Corporation) designed the TK50 tape drives launched in 1984, which would later become DLT. The DLT tape technology was purchased by Quantum Corporation in 1994 as part of a wider acquisition from DEC. Quantum maintain a more detailed history of DLT on their website. LTO, as it has the advantage that a number of vendors produce hardware, has gained substantial market share. Even Quantum, the effective owner of the DLT format, manufactures LTO drives.

In terms of performance and capacity, DLT provides 800GB of storage at a transfer rate of 100-125MB/s, and LTO provides 800GB of storage at a transfer rate of 120MB/s. However, given comments by Quantum suggesting that they may entirely phase out production of DLT hardware in favour of LTO within 2 years (from March 2007), LTO would appear the obvious choice, unless you have substantial investment in DLT already.

Which format is for me?
There is no simple answer to this question; it depends largely on your current and projected data backup requirements. If you have little data to back up, then one of the cheaper formats, either AIT or DAT, would make sense, as not only are the drives cheaper but media costs are lower too. If you have larger volumes of data to back up, then the choice becomes trickier. Multiple-tape backups in lower cost drives may seem attractive, but they are prone to error and require operator intervention. You could choose a DAT autoloader which can handle multiple tapes, but this pushes up the purchase price to a point where a higher capacity format may make better sense in the long run.

The only way to decide is to get an accurate measure of your storage requirements and their rate of increase. Check the volume of data you currently back up; this will give you a current volume. To obtain a rate of increase, which it's important to remember may vary due to a number of factors, either look back, if you have sufficient backup history data, or keep track of the backup size for a few weeks. I'd recommend having at least a month's worth of data before you even consider trying to use it to extrapolate future needs. I always try to plan for 18 months ahead: any more and you have no chance of being remotely correct; any less and you'll be needing to buy replacement hardware in under a year.
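The sizing procedure above, worked through as an added example (not part of the original post): it fits a straight line to weekly backup sizes, projects 18 months ahead, and counts tapes per full backup using the native capacities quoted earlier. The weekly sample sizes, the assumption of linear growth and the 80% fill headroom are constructed for illustration.

```python
import math

# Native (uncompressed) capacities in GB, as quoted in this post.
NATIVE_CAPACITY_GB = {"DAT160": 80, "AIT-5": 400, "DLT": 800, "LTO": 800}

def fit_growth(sizes_gb):
    """Least-squares line through (week index, size). Returns (slope, intercept)."""
    n = len(sizes_gb)
    if n < 4:
        # The post asks for at least a month of history before extrapolating.
        raise ValueError("need at least four weekly samples")
    mean_x = (n - 1) / 2
    mean_y = sum(sizes_gb) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(sizes_gb))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x

def project_gb(sizes_gb, months_ahead=18):
    """Projected full-backup size in GB, months_ahead after the last sample."""
    slope, intercept = fit_growth(sizes_gb)
    weeks_ahead = months_ahead * 52 // 12
    target_week = (len(sizes_gb) - 1) + weeks_ahead
    # A shrinking trend is not trusted: never plan below the latest measurement.
    return max(sizes_gb[-1], intercept + slope * target_week)

def tapes_needed(projected_gb, headroom=0.8):
    """Tapes per full backup for each format, filling tapes to `headroom`
    of native capacity (assumed safety margin, not a vendor figure)."""
    return {fmt: math.ceil(projected_gb / (cap * headroom))
            for fmt, cap in NATIVE_CAPACITY_GB.items()}

# Constructed sample: six weekly full-backup sizes in GB.
WEEKLY_SIZES_GB = [200, 204, 208, 212, 216, 220]

if __name__ == "__main__":
    projected = project_gb(WEEKLY_SIZES_GB)
    print(f"Projected size in 18 months: {projected:.0f} GB")
    for fmt, count in tapes_needed(projected).items():
        print(f"{fmt:7s} {count} tape(s) per full backup")
```

Any format that needs more than one tape per full backup brings back the operator intervention, or the autoloader cost, discussed above.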

If all else fails and you still can't find the budget for the hardware you need to back up all your company's data, maybe then is the time to check what you're actually backing up. You'd be surprised how often the employees think you are responsible for backing up copies of all their family photos and their MP3 collection. Solve that problem and you might find you've solved your budget problems too!

posted on Friday, January 04, 2008

Whilst the new year is often a time to make resolutions, we don't advocate that - you'll only break them anyway!  
However there's no better time than now to do a bunch of those little jobs that fall between the cracks during the rest of the year.  We're really concentrating here on managed switches.

Document your configuration
Consider annotating your switch configuration. Most switches support it, and it will ensure that those more obscure VLANs still make sense when you revisit them 6 months later.

Naming prevents mistakes
Give your switches sensible, descriptive names.  When you've only got 2 switches on your network this seems unnecessary, but as the network grows connecting to the wrong device accidentally becomes a real possibility.  Seeing that name at the console might well save you from disaster.

Backup, Backup, Backup
Back up switch configurations. We tend not to think of these silent workhorses of our networks that much until something goes wrong, and you don't want to be in the situation of having to recreate a configuration from memory after replacing deceased hardware.

Update firmware with care!
Whilst you might keep your operating systems regularly updated, network hardware often gets overlooked. Yet it is important to remember that such devices can have vulnerabilities, and those at the network edge in particular should be kept up to date. What we don't recommend, however, is simply upgrading to the latest version for no reason. Check your vendor's support site for vulnerability reports and fixes; for example, Cisco provide comprehensive details on their Security Advisories site. Alternatively, there are third parties such as the Carnegie Mellon Emergency Response Team site, which aggregates advisories and vulnerability reports from multiple sources.

posted on Thursday, January 03, 2008

We were promised a paperless office first in the 1970s and in every decade since, but it's still just as far away as ever. PDFs are great and the fax is nearly obsolete, but the average office still can't help churning out piles of printed paper. So if we must have these purveyors of tattooed dead tree slices in the office, let's make some sensible policy decisions:

Where possible, resist the demands for individual personal printers. They've become something of an executive status symbol, and while some may be justified, most are not. The well-worn excuse of confidential correspondence can be nullified by ensuring your workgroup printer provides the functionality to store jobs with PIN protection, or by purchasing an add-on such as HP's EIO hard disk to provide it.

If possible, stick to a single vendor: it makes stocking replacement toner / ink / maintenance kits both cheaper and easier. If your requirements for large format or industry-specific printing make this impossible, the odd exception is fine.

The most common support call from a user is that a document isn't printing because they've got the wrong paper size set. The second most common support call is for replacement toner. If you can teach your users to solve these 2 problems themselves, your support calls will drop by a substantial amount. Until someone decides pushing harder is the way to resolve the fact that the only toner replacement to hand isn't for their printer model!

posted on Wednesday, January 02, 2008

If you've got a problem on the wire that's above layer 2 in the eponymous OSI model, then a network sniffer may well be your tool of choice. Choosing a packet sniffer is mainly a combination of platform and preference.

For Windows, the obvious choice is Wireshark (previously Ethereal): it's free and provides most of the functionality you're likely to need.

Microsoft provides Network Monitor (netmon), which is also a good tool, although for most tasks it doesn't substantially differentiate itself from Wireshark. You may, however, prefer the user interface. Even if you aren't interested in Microsoft's offering, the netmon blog does provide a good source of information on packet capture and analysis for the beginner.

For other platforms, we'd recommend Wireshark. But getting it installed on a Mac can prove problematic if you don't read the documentation carefully first.

So go out there and capture some packets, ethically of course!

posted on Tuesday, January 01, 2008

Firstly, let's skip the argument about what is and isn't a podcast; we'll do that some other time. Call them whatever you like, there is a plethora of good technical content out there, which sure beats the time we used to spend frantically searching CompuServe at 9600 baud for Acorn Econet (and that's not a spelling mistake!) wiring diagrams. Listed below are a few of our favourite vidcasts / netcasts / podcasts:

  • Technet Radio - Microsoft's very own audio offering.
  • IT Idiots - Video based offering, covering a variety of Windows technologies.
  • Windows Weekly - Paul Thurrott covers all things Microsoft.
  • dnrTV - Carl Franklin and guests cover a wide variety of Microsoft technologies in glorious screencast goodness!
posted on Tuesday, January 01, 2008