Back in 2007, I published a script for locking down Windows XP and Windows 2003 services using the sc command. Recently I needed to lock down a fresh Windows 7 image and realized the list of services had to be updated. The list below works on my laptop. For a complete description of what each of these services does, and why you may or may not need it, refer to Microsoft TechNet.
The script could not be simpler. Save the two lines below as a batch file on your desktop and run it from an elevated (Run as administrator) command prompt: changing a service's start type with sc config requires administrator rights, and under UAC a normal prompt will get "Access is denied."
REM### Pass 1: set each listed service to Disabled so it stays off after a reboot (the space after "start=" is required by sc)
for /f %%b in (services.txt) do sc config %%b start= disabled
REM### Pass 2: stop any that are still running; sc stop returns error 1051 for a service that other running services depend on
for /f %%c in (services.txt) do sc stop %%c
The list of services goes into a text file named "services.txt" in the same directory as the batch file, one service short name per line (the name sc and the registry use, such as RemoteRegistry, not the display name). You can modify the list at will, based upon your unique needs. Two caveats: list dependent services before the services they depend on, because sc stop refuses to stop a service while a running service still depends on it, and remember that the Disabled start type is the part that persists, since a stopped service with an Automatic start type is simply back after the next reboot. (read more…)
Choosing a data center is a big decision for most companies. Your IT infrastructure represents a critical asset for your company, and unless you are an uber-dot com company like Google or Facebook (which spread their gear around the country in tens of locations), you probably only have one or two data centers. Changing data centers is expensive and time consuming, so choosing the right data center partner is incredibly important.
Unfortunately, data centers don’t make it easy for you to differentiate between them. Everyone says they are “secure,” “highly available,” and “high density.” They all show you their generator farms, their battery rooms, and their security vestibules with bullet-proof glass. Tour any three data centers and you’ll be left scratching your head trying to figure out what the difference is. As a result, many people end up using price and proximity as the primary decision points. Or, even worse, they let non-material amenities like free sodas and Xboxes in the break room be the deciding factor.
There are critical differences, however, between data centers. Failing to recognize them can cost you more in the long run than any savings you might glean by choosing the low-cost provider. Having purchased services from a multitude of data centers over the last two decades, and having dealt with even more as an IT consultant, I’ve learned to recognize some of the hard to spot differences that can make or break a long term data center relationship. For simplicity (so you can copy/paste into your next RFP), I’ve listed the 10 questions you should ask your next data center below. A detailed explanation of each question follows, so you know what you should look for. I hope you find this list informative.
10 questions to ask your next data center provider
Which components of the data center facility are both fault tolerant and concurrently maintainable?
How are cooling zones provisioned to maintain operating temperatures during maintenance or failures of CRAC/CRAH units?
What are the average and maximum power densities of the facility, in watts per square foot and watts per cabinet?
How often does the data center load test its generators?
What are the highest risk natural disasters for the area, and what has the data center done to mitigate their impact?
What are the minimum skill sets of the remote hands and eyes staff?
Does the data center maintain multiple redundant sources of fuel and water?
What certifications has the data center earned, and do they undergo annual audits to maintain them?
How does the data center track SLA compliance, and what is their historical track record? Can they provide their last 5 failure reports?
What is the profile of their top 5 clients, and what percentage of total revenue for the facility do they represent? (read more…)
In a previous article, I extolled the virtues of DNS on Windows. In particular, I love the scripting interface that DNSCMD provides. In that article, I claimed: “Need to create 500 host records, both forward and reverse, in different domains and subnets? DNSCMD can do it with a 1-line script… there is no *nix alternative that is this simple or powerful.” Well, enough people have been bugging me to provide it, so here it is:
REM### Copyright 2008 William L. Dougherty
REM### Script for bulk uploading DNS records into Windows DNS
REM### Script requires hosts.txt file in format: FQDN,IPADDR 1 host per line
REM### Assumes three-label FQDNs (host.domain.tld) and class C (/24) reverse zones: tokens a-c are the name labels, d-g the four octets
for /F "tokens=1-7 delims=,. " %%a in (hosts.txt) do dnscmd /recordadd %%b.%%c %%a a %%d.%%e.%%f.%%g && dnscmd /recordadd %%f.%%e.%%d.in-addr.arpa %%g ptr %%a.%%b.%%c
Just put it into a batch file and you are good to go. Simple, right? Well, maybe I should explain. (read more…)
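The same bulk load in PowerShell, as an added example rather than the post's own one-liner. It still drives dnscmd, but parses each hosts.txt line explicitly, so it accepts FQDNs with any number of labels (host label first, the rest is the forward zone), rejects malformed lines and non-IPv4 addresses instead of feeding garbage to the server, and can be dry-run. The file name hosts.txt, the local DNS server default, and the class C (/24) reverse zone naming are assumptions carried over from the batch version; run it elevated on (or against) the DNS server.

```powershell
# Added example (not the post's script): bulk-add A and PTR records with dnscmd
# from hosts.txt ("FQDN,IPADDR", one per line). Assumes Windows PowerShell 3.0+,
# forward zones named after everything past the host label, and /24 reverse zones.
param(
    [string]$HostsFile = "$PSScriptRoot\hosts.txt",
    [string]$Server    = $env:COMPUTERNAME,   # DNS server name; local by default
    [switch]$DryRun                            # print the dnscmd calls instead of running them
)

function ConvertTo-DnsRecordSet {
    # Turn one "fqdn,ip" line into the pieces dnscmd needs, or $null if the line is malformed.
    param([string]$Line)
    $parts = $Line.Trim() -split '\s*,\s*'
    if ($parts.Count -ne 2) { return $null }
    $fqdn, $ipText = $parts
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($ipText, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    $labels = $fqdn.TrimEnd('.') -split '\.'
    if ($labels.Count -lt 3) { return $null }        # need host + at least domain.tld
    $octets = $ip.GetAddressBytes()
    [pscustomobject]@{
        Host        = $labels[0]
        ForwardZone = ($labels[1..($labels.Count - 1)] -join '.')
        Fqdn        = ($fqdn.TrimEnd('.') + '.')     # trailing dot: PTR data must be absolute
        Address     = $ip.IPAddressToString
        ReverseZone = '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]
        ReverseNode = [string]$octets[3]
    }
}

$added = 0; $skipped = 0
foreach ($line in Get-Content $HostsFile) {
    if (-not $line.Trim() -or $line.Trim().StartsWith('#')) { continue }   # blank lines and comments
    $rec = ConvertTo-DnsRecordSet $line
    if (-not $rec) { Write-Warning "skipping malformed line: $line"; $skipped++; continue }

    # Same two dnscmd calls as the batch version: forward A record, then reverse PTR.
    $calls = @(
        @('/RecordAdd', $rec.ForwardZone, $rec.Host,        'A',   $rec.Address),
        @('/RecordAdd', $rec.ReverseZone, $rec.ReverseNode, 'PTR', $rec.Fqdn)
    )
    foreach ($dnsArgs in $calls) {
        if ($DryRun) { Write-Output ("dnscmd $Server " + ($dnsArgs -join ' ')); continue }
        & dnscmd.exe $Server @dnsArgs | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning ("dnscmd exited {0} for: {1}" -f $LASTEXITCODE, ($dnsArgs -join ' '))
        }
    }
    $added++
}
Write-Output "processed $added host(s), skipped $skipped malformed line(s)"
```

Run it with -DryRun first against a copy of hosts.txt and read the generated dnscmd lines; a wrong forward zone or reverse zone shows up there before anything reaches the server.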
Well, I agreed with Bill’s last article, until I read the part that said “Windows is better than Unix/Linux.”
Oh wait, that was the first sentence.
Now, if Bill had said “Windows is better than Unix/Linux, sometimes,” or perhaps if he had stretched and written “Windows is better than Unix/Linux most of the time,” I might have agreed entirely.
Look, I’ve been a fairly OS-neutral IT Manager for many years. If you’ve ever used CP/M, Xenix, DOS (any flavor), Novell, Windows (old school, pre-3.11), OS/2, Linux, Solaris (SunOS), HP-UX, AIX, OS/400, Windows 9x/NT/2k (etc.) and now Vista (bleh), and so on, you’ll understand that every OS has features where it excels, and every other OS has features that leave it in the dust.
The key to success here is to identify where the use of one OS will benefit you more than the use of another. (read more…)
Windows is better than Unix/Linux. Now that I’ve incited volumes of hatred from my Unix/Linux brethren, let me clarify my stance. I work with massively heterogeneous environments. For the past 10 years, every company I’ve supported has used at least 3 different operating system platforms, including multiple versions and flavors of Linux, Unix, and Windows, with some midrange (AS/400) and Novell thrown in for good measure. The experience has taught me to choose the best tool for the job rather than get religious about a platform. There are many functions that Windows performs better than *nix, and the *nix community should embrace them.
I hire a lot of Unix/Linux sys admins. One of my favorite interview questions for them is: “Name 5 ways Windows is better than Unix/Linux.” This is a great stress question, because most *nix guys think Microsoft is the devil. But Microsoft remains the most successful software company in the world. If you cannot recognize the areas where Microsoft excels, you are artificially narrowing your view of the world, which means you aren’t making the best technology decisions for your company, which means you can’t work for me (To be fair, I also ask Windows guys to name ways Unix/Linux is better than Windows). As a public service to *nix admins everywhere, I offer this list of 5 ways Windows is better than *nix. There are many others, but I don’t want to overwhelm you with too much info at once. It might overload your system, and cause a kernel panic. 😉
Windows XP is the best productivity desktop
Windows 2003 Active Directory Service is the best directory service
Windows DNS is the best internal DNS server
Exchange 2007 is the best groupware application platform
Windows has better hardware support with vendor-supported drivers
Let the flame wars begin! Seriously though, I stand by each of those pronouncements. For those of you who haven’t run screaming from the room, my reasoning is below: (read more…)
I’ve spent the past few days trying to develop a simple mathematical model to predict the expected availability of complex systems. In IT, we are often asked to develop and commit to service level agreements (SLAs). If the points of failure of the system are not analyzed, and the system availability then calculated from them, the SLA is flawed from the beginning. To complicate matters further, different people have different definitions of availability. For instance, does scheduled downtime for maintenance count against your system availability calculation?
Common Availability Definitions:
Availability = MTBF/(MTTR+MTBF) (Mean Time Between Failures, Mean Time To Recover). This is the classic definition of availability and is the one hardware manufacturers usually use when they publish an availability metric for a given server.
Availability = (Uptime + Scheduled Maintenance)/(Unscheduled Downtime + Uptime + Scheduled Maintenance). This is an IT-centric metric for businesses that can tolerate scheduled downtime after hours: scheduled maintenance counts as up time, so only unplanned outages hurt the number. It works for some systems, such as a file server that isn’t needed at night, but it flatters a website whose users are just as affected by a planned outage as by a crash, even though many web companies still use it in their SLAs.
Availability = Uptime/(Uptime + Downtime). This metric best applies to systems that are needed 24×7 such as e-commerce sites.
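To turn these definitions into the model the post is after, the per-component figures have to be combined according to where the single points of failure are. The script below is an added example, not the post's model: it computes the classic MTBF/MTTR availability, composes components in series (every one must be up) and in parallel (redundant members, down only when all are down, assuming independent failures), and converts the result into unplanned minutes per year. The MTBF/MTTR figures for the load balancers, application server and database are constructed for illustration, not vendor data.

```powershell
# Added example (not from the post): availability of a multi-component system
# from the classic definition A = MTBF / (MTBF + MTTR). All component figures
# below are constructed for illustration. Windows PowerShell 3.0+.
function Get-Availability {
    # Classic hardware definition; MTBF and MTTR must be in the same unit (hours here).
    param([double]$MtbfHours, [double]$MttrHours)
    return $MtbfHours / ($MtbfHours + $MttrHours)
}

function Get-SeriesAvailability {
    # Components in a chain (each a single point of failure): A = A1 * A2 * ... * An
    param([double[]]$Components)
    $a = 1.0
    foreach ($c in $Components) { $a *= $c }
    return $a
}

function Get-ParallelAvailability {
    # Redundant members, any one of which can carry the load: A = 1 - (1-A1)(1-A2)...(1-An)
    # Assumes independent failures; a shared power feed, switch or SAN breaks that assumption.
    param([double[]]$Components)
    $allDown = 1.0
    foreach ($c in $Components) { $allDown *= (1.0 - $c) }
    return 1.0 - $allDown
}

function Get-DowntimeMinutesPerYear {
    # What an availability figure buys you as an outage budget over a 365-day year.
    param([double]$Availability)
    return [math]::Round((1.0 - $Availability) * 365 * 24 * 60, 1)
}

# Constructed web tier: two load balancers (either can carry the load), then one
# application server and one database, each of which is a single point of failure.
$lb  = Get-Availability -MtbfHours 8760 -MttrHours 4    # one year MTBF, 4 h to swap
$app = Get-Availability -MtbfHours 4380 -MttrHours 8    # fails twice a year, 8 h rebuild
$db  = Get-Availability -MtbfHours 8760 -MttrHours 24   # restore from backup takes a day

$lbPair = Get-ParallelAvailability -Components @($lb, $lb)
$system = Get-SeriesAvailability   -Components @($lbPair, $app, $db)

$rows = @(
    @{ Name = 'LB (single)';  A = $lb },
    @{ Name = 'LB pair';      A = $lbPair },
    @{ Name = 'App server';   A = $app },
    @{ Name = 'Database';     A = $db },
    @{ Name = 'Whole system'; A = $system }
)
foreach ($row in $rows) {
    '{0,-13} {1,10:P4} {2,8} min/yr unplanned' -f $row.Name, $row.A, (Get-DowntimeMinutesPerYear $row.A)
}
```

The point the table makes is the one the post is driving at: the redundant pair contributes almost nothing to the downtime budget, while the two single points of failure in series drag the whole system down to roughly 99.5%, far below the "four nines" either of them might be quoted at in isolation. An SLA signed without running this arithmetic over every point of failure is a guess.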
Availability is most often expressed as a percentage. Sometimes, people will refer to “four nines” (99.99%) or “five nines” (99.999%). To simplify things, the following table shows the minutes of downtime allowed per year for a given availability level:
Now that DST 2007 is over, we are going to start a series of articles on securing systems and networks. I have built a lot of systems for various companies over the years. The challenge is to create repeatable processes that work in a variety of operating environments. Having a strong scripting toolkit can make all the difference, especially when you are under deadline.
The first script in the series is a Windows Services lockdown script for Windows XP & 2003. Disabling unnecessary services is generally a good idea: it reduces the attack surface of your computer (a service that is not running cannot be exploited or abused), and it improves performance. Every security guide out there tells you to disable unnecessary services. A few of them also give some guidance as to which services are unnecessary. Few of them tell you how to disable them consistently.
There are three ways to disable services: 1) Use the Services MMC GUI. This is time consuming and prone to mistakes, and it leaves no record of what was changed. 2) Use Group Policy. This works well for environments that use Group Policy, but is harder to apply to stand-alone servers, such as web servers. 3) Use the sc.exe command line utility, which scripts well and works the same on stand-alone and domain-joined machines.
If you do not know the sc command, learn it! sc is a powerful utility for controlling services on local or remote hosts. sc will let you configure how services start, change the user account and password they run under, and start/stop/pause the services. The basic syntax of sc is:
We are going to use two different sc commands in our service lockdown script: config and stop. These should be self-explanatory, but config will let us set the service's start type to disabled, and stop will stop the running service. To make this work, we need three files: 1) the script batch file; 2) a list of servers by name called hosts.txt; 3) a list of services we want to disable called services.txt. The two text files must be in the same directory as the batch file. The code is fairly simple: (read more…)
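Both lockdown posts on this page (the XP/2003 script above and the Windows 7 version at the top) do the same two things, disable and then stop. The script below is an added PowerShell example, not either post's batch file: it reads the same services.txt, runs locally when there is no hosts.txt and over WinRM against each host in hosts.txt when there is, and handles the two things the batch loops cannot: services that are not installed on a given box, and services with running dependents, which a plain stop refuses. It also reads the state back afterwards rather than trusting the call. The file names, the use of Invoke-Command for the remote case, and Windows PowerShell 3.0 or later are assumptions of this example; run it from an elevated prompt.

```powershell
# Added example (not the post's batch script): disable and stop every service named
# in services.txt, locally or on each host in hosts.txt via WinRM (Invoke-Command).
# Assumes Windows PowerShell 3.0+, an elevated prompt, and WinRM on remote targets.
param(
    [string]$ServiceList = "$PSScriptRoot\services.txt",   # one service short name per line
    [string]$HostList    = "$PSScriptRoot\hosts.txt",      # optional: one computer name per line
    [switch]$DryRun                                         # report what would change, touch nothing
)

$lockdown = {
    param([string[]]$Names, [bool]$Preview)
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Warning "$env:COMPUTERNAME : service '$name' is not installed, skipping"
            continue
        }
        # A plain stop fails when other running services depend on this one (the same
        # condition that makes "sc stop" return error 1051), so name them before acting.
        $dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
        if ($dependents.Count -gt 0) {
            $list = ($dependents | ForEach-Object { $_.Name }) -join ', '
            Write-Warning "$env:COMPUTERNAME : '$name' has running dependents that will stop too: $list"
        }
        if ($Preview) {
            Write-Output "$env:COMPUTERNAME : would disable and stop '$name'"
            continue
        }
        # The Disabled start type is what survives a reboot; stopping alone does not.
        Set-Service -Name $name -StartupType Disabled
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force    # -Force also stops the dependents listed above
        }
        # Verify by reading the state and start mode back from the service database.
        $after = Get-WmiObject Win32_Service -Filter "Name='$name'"
        Write-Output "$env:COMPUTERNAME : '$name' is $($after.State), start mode $($after.StartMode)"
    }
}

# Blank lines and '#' comments in services.txt are ignored; names are the short
# service names sc uses (e.g. RemoteRegistry), not display names.
$names = @(Get-Content $ServiceList | ForEach-Object { $_.Trim() } | Where-Object { $_ -and -not $_.StartsWith('#') })
$targets = @()
if (Test-Path $HostList) {
    $targets = @(Get-Content $HostList | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

if ($targets.Count -eq 0) {
    & $lockdown $names $DryRun.IsPresent
} else {
    Invoke-Command -ComputerName $targets -ScriptBlock $lockdown -ArgumentList $names, $DryRun.IsPresent
}
```

Run it once with -DryRun and read the dependent-service warnings before the real pass: a dependency you did not expect (anything hanging off RpcSs or the Workstation service, for instance) is exactly the kind of thing that turns a lockdown into an outage.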
As discussed here, the Daylight Saving Time change for 2007 is going to cause problems for unpatched technologies. Most vendors, including Microsoft, have released patches. One big area that is lacking is Windows Mobile smartphones & PDAs. Microsoft released a registry fix and instructed the carriers to push out a patch. Most of the carriers, in their infinite wisdom, have neglected to do so. If you rely on your Windows smartphone, you need this fix. Microsoft published the registry fix here. This fix requires you to build a CAB file and then install it. To save you the trouble, I have bundled the CAB file for you: