Here are some of the issues:

- If your son or daugher is enrolling in a computer intensive program, such as computer science, graphic arts or music technology, they should not purchase anything until they’ve been to orientation.  The program likely has specific requirements.

- Check with college or university where your son or daughter has enrolled.  They may have a “laptop” program where all students are required to purchase the same or similar notebook.  My son attended Clemson University where every student was required to purchase an IBM (now Lenovo) notebook.

- Don’t be in a rush.  Many colleges and universities have libraries and labs stuffed full of computers free for the using.  Ours even has small computer rooms in each dormitory building.  There is often no need for your student to have their own computer the day classes start.

- Mac or PC?  I tell parents to buy what your student will be productive using.  Now is not the time to switch between Mac / PC based on costs, opinions of others, etc.  It’s no fun to have your big paper due and you can’t figure out how to use your computer.

- What brand? Most brands are comparable.  Stick to a name brand and you’ll be fine.

- What size?  Really just personal preference… but I will share that while the small “netbooks” can be checked out our library, they are not preferred to the normal laptops.  On the other hand, a 17 inch notebook can get very heavy walking across a campus the size of a small country.

- Laptop or Desktop?  Our help desk, like many others,  is more than happy to help students with their computers…. but we don’t make house calls.  It’s no fun dragging a huge desktop computer across campus. 

- Which laptop / notebook should I buy?  For Apple fans, the choices are a lot simpler.  Pick your Macbook, add Apple Care for extended warranty coverage and you’re done.  PC notebooks are more complicated… There are lots of companies, places to buy, etc.

I suggest you consider two strategies….  buy cheap with a very limited warranty or go for a nice laptop with 3 or 4 years of warranty and accidental damage protection.

A nice, but basic, notebook with a one year warranty from a name brand should cost about $500.  Compare that to the little nicer system with a 3 year warranty and accidental damage coverage.. it will probably cost north of $1000.   The cheap system will work… and with the money you save you can afford to buy another one in two or three years if the need arises.

Another note on warranties… be very cautious of store warranties.  Personally, I would never buy one.  Get a manufacturer warranty or buy one online at www.squaretrade.com.

Speaking of in store purchases… it’s very hard to beat the deals you’ll likely find in the big box retailer Sunday flyer.  Here’s the trick…. buy the laptop, but turn down every other add on they offer.  Even if you buy retail, you can still buy your warranty online MUCH cheaper and with much better service.

What about software?

Anti-virus software can be obtained free from www.avgfree.com or Microsoft at http://www.microsoft.com/security_essentials/.  The free software is very good.  But also, many institutions require students to install a specific vendors software to permit their computer on the campus network.  It’s very frustrating to have paid for security software only to have to remove it to get on the network.  Avantage Apple:  Mac computers don’t need anti-virus software.

Office Suite: The standard is Microsoft Office.   Many large colleges and universities are now providing Microsoft Office to students for free (i.e. cost included in tuition / fees).  If you need to buy it, the best place for students, once they have their .edu email address is working…. go to www.theultimatesteal.com to get MS Office for about $80.

Other thoughts:  get a good power strip.   That expensive new computer is just one thunderstorm away from being very expensive toast!  However, don’t go overboard on price.  I look for a basic strip with surge supression at the local home improvement store.   I’m intrigued with the supposed warranty that covers lightning damage to connected equipment.  I like the idea, but I’ve never heard of anyone collecting on it though.

These are just my opinions… your mileage may vary.  Comments welcome.

For those of you unaware, Windows Storage Server is a customized version of the ordinary Windows Server product line that is optimized to do one thing well: storage and file serving.  It has lots of great features, but this isn’t a commercial.

We use it to host file shares for all our students, faculty, staff, and departments. Overall it’s worked well for us as we are Microsoft centric. Almost all our desktops are Windows, our file servers are Windows, blah blah blah. Who should know better about doing file sharing on a network?

This almost always works well, but Microsoft needs to save my sanity by rationalizing how this fish/fowl thing is licensed and supported.

Here’s the rub… Windows Server licenses have always been available to purchase to deploy on whatever hardware you like. If the hardware is on the qualified list, it will be supported with rarely a problem. Don’t like your hardware? Don’t worry, get some more and migrate your install there.

Windows Storage Server (WSS) is another animal. It’s sold through partners and the license is tied to the hardware it’s installed on. Need new hardware… Too bad!   Like your hardware, but want the newer software… You’re outta luck, Chuck!

This is just plain stupid and confusing.   And it’s not just confusing to us poor IT Directors.  We purchased our latest incarnation from HP.  HP is a great company, but they are likewise confused.  They are selling an HP server with a Microsoft operating system in their storage group.  Makes sense… NOT!  Because not only do they sell it in their Storage business group, they also attempt to support it there.

We had our server lock up, (which is thankfully not the common occurance it used to be with Microsoft), and we immediately opened a support case with HP.   A few hours into working with support to troubleshoot the issue, the tech threw up his hands and said we could not be supported.  Whaaat?  Why?  We were informed that we had permitted the install of some terrible, dirty, nasty, un-supportable software on HP’s machine!  Furthermore, if my server admin had just bothered to read the user’s manual (RTFM!) she would have known not to even attempt such a stupid maneuver!

Ok… what was this terrible, malicous software you ask?  What software could reduce HP’s marvel of engineering to a heap of twisted, smoking, unmanagable silicon?  CRITICAL WINDOWS SECURITY UPDATES!  Nope you can’t install them without the permission of HP Support!  Must get them from HP we were told.  It’s all explained in the user manuals.  “Didn’t you read them, you foolish end user?”.

Ok… so what now?  We were told “You must wipe the server to bare metal and reinstall Windows Storage Server from scratch, including all data volumes.”.  Gee, backup and restore of 11TB is going to take awhile.   

Wow.  What do do now?  I decided to take the prudent step of RTFMing for myself!  Guess what?  Let me paraphrase the install guide:  “Step 4:  Customers are highly encouraged to visit the Microsft Windows website to dowload and install any critical security updates.”.

Needless to say, the HP support guy on the phone was speechless for a moment, then put me on hold for about 15 minutes  (We have been on the phone about an hour at this point!).  When he returned, his tune had changed…. our case has been escalated to Tier 3…. we’re still waiting for an answer by the way.

So… what’s the point?  Microsoft needs to stop selling this product through OEMs, tied to hardware.  Again, I think it’s a good product, else I wouldn’t have bought it.  Just sell it along side all the other operating system products so vendors will support it in the same way.   Please!

Don’t get me wrong.  Barracuda is a great company with very good, cost-effective products.  But look at their product line. 

Do you need redundant SPAM filters?  Take two 1U hardware boxes and call the doctor in the morning!  Need email archiving or load balancing?  Add some more boxes.  Oh… need some other functionality?  Add some more boxes!     Just how many racks full of these 1U things do I need?

What’s set me off is that today I attended a technology marketing event… everyone did a great job… it was a wonderful, informative event.  There I head a vendor say… our wireless access points require a hardware controller.  Ok… but he went on to say… and it’s great because it’s a hardened linux SERVER!

So what … it’s a server.    Hmmm… I just spent big bucks getting all my servers virtualized using VMWARE.   Oops… well I guess not all of them… because I forgot the APPLIANCES.  If one of my virtual servers “fails” it migrates to another host courtesy of VMWARE’s fantastic VMOTION technology.  If one of my appliances dies, I either have to have purchased two of each ( $$$ )for redundancy, or go without while I wait for a replacement. 

On the other hand, we just did an evaluation of an open source tool for server monitoring called Zenoss.  Zenoss can be donloaded in several ways, source, binaries, and as a VMWARE image.  It’s a totally preconfigured virtual Linux server, application, and supporting stuff you need to run the software.  Yes… it’s a “virtual appliance”.  It was almost trivial to download and start it up in our environment.  No hardware to buy, ship, install, power, connect, or repair.

It’s time to dump the hardware appliance.   We’ve fought the battle against server sprawl.  Let’s put an end to the creeping appliance menace.

Barracuda… take a stand and make your products available as virtual machines.  In this instance, I would definitely be willing to pay more to get less.

That’s my take on it… what’s yours?

Thanks to some research on the web, we got the idea that the real issue was with the internal fans. That made sense because the computers in question will boot and run for a few minutes before automatically shutting down.

To test the theory, we transplanted a fan from a good power supply into a bad one. After staying on for five days, we declared victory!

We’ve purchased a bunch of 70mm fans on ebay and we’ll be replacing them on our own. We’ll also be saving $$$. The fans were less than $3 each.

This points out that when procuring technology we as IT managers need to understand how long our suppliers will support their products.

I don’t think it’s unreasonable to expect hardware vendors to support their products for a reasonable period of time.

DHCP (Dynamic Host Configuration Protocol) is the protocol that enables clients to obtain a centrally managed set of network configuration parameters.  These parameters include the network IP address, gateway, and DNS servers.    ( More info: http://en.wikipedia.org/wiki/Dhcp ).

Like many network protocols, DCHP was seemingly designed without regard to any security concerns.

In our example, our primary concern is with rogue DHCP servers.    A rogue sever is a DHCP server that is not authorized by the network administrator.    These servers are typically misconfigured either due to ignorance or malicious intent.    Either way, the end users are impacted.  At best, the improper network parameters assigned by the rogue server cause the client inconvenience…i.e. they client workstation can’t access the network.  However, the malicious DHCP server can assign network settings that can enable all sorts of evil intent.

Let’s address the “innocent” case.  On our network, this typically occurs when a student (or faculty!)  attempt to install their own wireless router.  The majority of these devices have a DHCP server that’s enabled by default.   All that’s required is to take the router out of the box and plug one of the LAN connections into one of our wired network ports.  Power it up and BAM the router is handing out 192.168.0.x network addresses that don’t route on our network.  At that point the clients getting these addresses have a non working network…. and they call the Help Desk.

The malicious case is much more serious.  Basically this happens when a workstation gets infected with malware.   The malware can contain a built in DHCP server that will hand out network settings any time the computer is connected to the network.   This is major security threat because now ALL the computers (and users) on the network are now at risk! 

I can identify two major threats posed by a rogue DHCP server, but there are probably more.

 The first is sniffing.  Because DHCP servers typically hand out a gateway address, the malware author can direct most, if not all, client traffic to a rogue router that can redirect or copy the traffic at will.  This enables all kinds of “Man-in-the-middle” and network sniffing attacks.

The only major risk I know of is DNS.  This rogue DHCP server can hand out any DNS server it likes.  That means that when users visit their friendly bank website… it might be real… or it might be fake.

So what’s a network administrator to do?

Well, I’m not representing myself as a “guru”, I can only share what we did.

First, since we use HP Procurve network switches, we deployed their DHCP blocking technology.  This prevents wired ports from passing DHCP network packets from unregistered DHCP servers.  It’s not perfect, but it really helps.  The major issue / short coming that we identified is when we use the switch to plug in a wireless access point.   An AP doesn’t have any corresponding technology, so a rogue DHCP server can still impact other clients on the same AP…. better, but not perfect.  The solution was to turn on “Client Isolation” on the access points that prevents all client to client traffic on the access points.

Secondly, we continue to deploy wireless and remove or restrict access to wired network connections.  This hopefully prevents jacking in consumer grade wireless routers.

Third, we block all off campus DNS.  I’d love to redirect that traffic to a special DNS server that would force all web requests to be redirected to an informative page…. 

Fourth, we use Microsoft’s dhcploc.exe program to probe for rogue DHCP servers anytime we suspect a problem.  

I’d truly love to see a system to continously monitor and alert on DHCP issues…. But that’s a topic for another day.

Like many smaller schools, we have ( “own” ) a very limited number of IP addresses.   For years, we’ve run our campus with only a class “C” address block which means we have 254 available addresses.

In order to allow our students (and everyone else) access to the net, we’ve employed the common firewall technique referred to as “Network Address Technology”, or NAT.

It’s always worked well until the game consoles start complaining that our NAT setting was too “strict” and students were demanding that we “fix it”.  Unforunately, there is no “strictness” setting on the firewall.

To make a long story short, game consoles are designed to be connected to a DSL or cable modem with a dedicated IP address or behind a home router.  Although that router supports NAT, it also supports “Universal Plug and Play” or uPnP.    uPnp allows clients ( i.e.  the game consoles ) to negotiate opening ports and forwarding traffic to the inside private ip address. 

Unfortunately, there is no enterprise firewall that supports uPnP.   The only option that I know of is to get a bigger allocation of routable IP addresses and stop using NAT. 

That’s the plan… and if it works, I’ll let you know.

So after watching the PBS Frontline program on the Colgan Air crash, I have a question about the status of the Continental Airlines trademark.

In simplest terms… (and just my opinion):

1. Continental Airlines contracted with Colgan Air to act as a feeder for it’s longer routes.  In doing so, it permitted, or even required Colgan Air to conduct the flights in aircraft carring the “Continental Airlines” trademark. 

2. Under trademark law, the “owner” of a trademark may license it to another.  However, the owner must excercise sufficent control of the quality of goods and services offered by the licensor or the trademark could be considered abandoned.

3. It seems, to me anyway, that safety is an essential essence of quality that the public expects in an airline flight.

4. Continental Airlines admitted in a Congressional hearing, that they did nothing to require Colgan to adhere to their standards of safety.

Taken together, it would seem to me that Continental Airlines, and perhaps every other major carrier that “brands” another commuter airline with its name risks legal abandonement of its trademark.

I think this is a major issue of fairness to the consumer.  In today’s world, corporations are seemingly permitted to make all kinds of claims and then disclaim those claims and bear no responsibility.  By putting the Continental name and logo on the tickets and aircraft, it claimed that those flights were operated with the same standard of care as its own flights.  It then, on tickets, schedules, etc, notified passengers that the flight was operated by Colgan. 

The law seems to think that every passenger that sees the Continental name and logo will also see the notification that the flight was operated by another company.  By putting the company logo on the planes, it told passengers they could expect the Continental record for quality, i.e. safety.  By putting the notification that the flight was operated by another, it merely stated a fact.  It required it’s customers to draw their own conclusion about quality.  Note that it didn’t say “Continental makes no representation as to the safety of Colgan Air Flights.

Even if they did, there wouldn’t there be quite a few that noticed the huge Continenal logo on the plane, but missed the fine print other places?

I’m only asking…. 

I could go on and on about why, but I want to focus on one major issue I have.  The “promise” of leasing is that you pay for the equipment while using it… and when the lease is over, you pack it up and ship it off. 

Anyone contgemplating a lease needs understand the reality of leasing is much different.  Lease contracts are stuffed full of provisions to make it practically impossible to return the equipment and force you to buy the equipment with funds you hadn’t budgeted.   That’s how the lease company makes money; they low ball the monthly payments to suck you in, then prevent return of the equipment and force buyout of obsolete equipment at (un)fair market value.

So… if you’re must lease, here’s just two of the crazy clauses I’ve seen:

1. Return All or None:  You must be able to return every one of those computers you leased in working condition… or you can’t return any.   What happens when one of those computers is fried by a power surge?  What happens when one of the computers is stolen?

2. Return in the original packing: Do you have room to store 300 computer boxes for three, four, or even five years?

So… you realize you’re screwed and you’re going to have to come up with a bunch of dough to buy these old computers you really don’t want any more.  (Hmmm… wasn’t that the reason you leased in the first place?)  So how much are you going to owe?   Check you lease.   Your leasing company has helpfully defined “Fair Market Value” as something like: “What we say it’s worth, plus the labor cost to remove and reinstall in a typical office environment.”.  Think about that… 

So… if you must lease, here’s what I recommend:

- Give up on the idea of returning the equipment.  Instead go for a $1 buyout lease. 

- Use your bank if possible.  They value your continuing business and will be much more negotiable.

- Devise a budget strategy to avoid leasing in the future.

- If you insist on a FMV lease, get references from clients that have just returned the equipment.  Compare the terms of their lease with the one you are comptemplating.

Hope this helps.

DNS stands for Domain Name Services.  It’s the directory that allows your computer to look up the internet address of your favorite website… be it google, facebook, youtube,  … or your bank!

If your computer is vulnerable to malware, and it changes your DNS servers, then potentially the next time you attempt to login to your banking website…. it will be the hacker’s clone of the website, not the real thing.  If this happens, you guessed it,  the hacker now has your username and password… not good!

That’s why almost everybody sets up their own DNS server in house and then hands out that address via DHCP to computers as they boot up.  However, it’s very important given this malware threat to take the next step… block all other DNS server access on a firewall.  This ensures that users infected malware that have changed DNS settings will not be able to visit fradulent sites.

In fact, they won’t be able to browse the web at all.  That’s a good thing because the next step they’ll take is to call the IT help desk.

Do the right thing to help protect your users… block outbound user DNS requests on your firewall!

About a year ago, we needed to implement two factor authentication on our dial up VPN.  To save money, we ( correction I ) bit on a drug dealer ploy from a vendor that offered SaaS two factor authentication. 

Here’s how the service worked: anyone attempting to connect to our VPN would get a phone call on their cell phone asking them to press the “#” key to complete the connection to the VPN.   So… to connect users have to know their username, password, and have their cell phone.  Neat!

The service was easy to implement, it worked great, and for higher education with the few users we have… it was FREE!   It was their policy, splashed all over their website.  Because after all, we were not their primary market… so they could afford to be so generous… RIGHT.

Well… you know what happend next…. They decided they weren’t makeing enough money… so in the words of the account rep… they changed their “business model”.  No advance notice, no phase in of fees… just pay up or get shut off.

I’m not saying that everyone that pursues this business model is evil… just be prepared with backup plans if / when the vendor pulls this “stunt”.