Some more about sIDHistory

This content is 20 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A few weeks back I was looking at migrating users between forests using ADMT when the source and target domain names are similar. It worked in my virtual environment but when we went to put it into practice there were some issues caused by different people’s perception of what the sIDHistory attribute will do.

sIDHistory will not avoid the need to enter the correct password to access resources in the original domain.

If there is a trust in place, then the trusting domain will trust users in the trusted domain.

If there is no longer a trust (or, as in my client’s case, where there was no direct trust but a sequence of non-transitive external trusts) then sIDHistory will allow migrated users’ security credentials to be compared with the access control entries (ACEs) in the access control list (ACL) for a resource and, if there is a match, they will be authorised; however, they still need to be authenticated.

If the passwords are the same in the new and the old domains, then there will be no password prompt (as the hashes will match and the user will authenticate transparently); however if there are different passwords in use, then the correct password for the user’s old account in the resource domain will still need to be supplied.
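To make the authorisation/authentication split concrete, here is an added model (not code from the original post, ADMT or Windows) in which the token carries the primary SID plus sIDHistory, the ACL names only the old SID, and the resource domain checks the password against the old account; all SIDs, accounts and the password verifier are constructed sample values.

```python
"""Model of the point above: sIDHistory lets a migrated user's token match old
ACEs (authorisation), but the resource domain still has to authenticate the user,
so the old account's password matters unless both passwords agree.
Added illustration; SIDs, accounts and the verifier are constructed values."""
import hashlib
import hmac
from dataclasses import dataclass, field

OLD_USER_SID = "S-1-5-21-1111-2222-3333-1105"   # account in the source (resource) domain
NEW_USER_SID = "S-1-5-21-4444-5555-6666-2210"   # migrated account in the target domain

def verifier(password: str) -> str:
    """Stand-in for a stored password verifier (SHA-256 here; constructed, not NTLM)."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

@dataclass
class Account:
    sid: str
    verifier: str
    sid_history: list = field(default_factory=list)

@dataclass
class Ace:
    sid: str
    allow: bool

def authenticate(resource_domain: dict, token_sids: set, password: str) -> bool:
    """No trust in place: the resource domain checks the password against the account
    *it* holds, located via a SID the token carries (primary or history)."""
    for sid in token_sids:
        account = resource_domain.get(sid)
        if account is not None:
            return hmac.compare_digest(account.verifier, verifier(password))
    return False

def authorise(token_sids: set, acl: list) -> bool:
    """Simplified DACL walk: the first ACE naming a SID in the token decides; no match = deny."""
    for ace in acl:
        if ace.sid in token_sids:
            return ace.allow
    return False

def access_resource(user: Account, password: str, resource_domain: dict, acl: list) -> str:
    """Order matters: authentication first, then the ACL check against the token."""
    token_sids = {user.sid, *user.sid_history}
    if not authenticate(resource_domain, token_sids, password):
        return "denied:authentication"      # this is where the user sees a password prompt
    if not authorise(token_sids, acl):
        return "denied:authorisation"
    return "granted"

# Constructed scenario: the share's ACL still names the old SID only.
RESOURCE_DOMAIN = {OLD_USER_SID: Account(OLD_USER_SID, verifier("OldPa55word"))}
SHARE_ACL = [Ace(OLD_USER_SID, allow=True)]
OTHER_ACL = [Ace("S-1-5-21-1111-2222-3333-1199", allow=True)]   # names somebody else
MIGRATED = Account(NEW_USER_SID, verifier("NewPa55word"), [OLD_USER_SID])  # password changed
SAME_PASSWORD = Account(NEW_USER_SID, verifier("OldPa55word"), [OLD_USER_SID])

if __name__ == "__main__":
    print(access_resource(MIGRATED, "NewPa55word", RESOURCE_DOMAIN, SHARE_ACL))      # denied:authentication
    print(access_resource(MIGRATED, "OldPa55word", RESOURCE_DOMAIN, SHARE_ACL))      # granted
    print(access_resource(SAME_PASSWORD, "OldPa55word", RESOURCE_DOMAIN, SHARE_ACL)) # granted
```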

Further reading

Unable to browse users in trusted domain (Microsoft knowledge base article 263956).
How to use Active Directory Migration Tool version 2 to migrate from Windows 2000 to Windows Server 2003 (Microsoft knowledge base article 326480).
How to Troubleshoot Inter-Forest sIDHistory Migration with ADMTv2 (Microsoft knowledge base article 322970).

Use drag and drop to quickly open files in Notepad

I use Windows Notepad a lot and, a few months back, I posted a tip for Send to… Notepad to help people open text files from a context-sensitive right click. Whilst watching me struggle to edit a load of text files with strange file extensions (as he taught me how to use PHP yesterday), Alex came up with another suggestion. It’s probably well known, but if you create a link to Notepad on the Windows quick launch bar (just drag and drop from the start menu), you can drag and drop files onto it and they will open in Notepad. Simple, but very, very useful!

Can you help to make poverty history?

Yesterday’s Live 8 concerts were a fantastic spectacle. I know that many critics doubt the effect that the Live 8 campaign can have; and as this is a technology blog I will put aside the politics, but one thing the Live 8 event has done is to grab the attention of the media (I guess bloggers are a small part of that group) and the general public (I definitely fit there) and focus it on the G8 summit, something which most of us would normally ignore.

I watched a big chunk of the UK coverage on television (but didn’t stay up to 4am to see the end of the US concert) and for me the favourites had to be the original Pink Floyd (reunited after 24 years – as one banner said “pigs have flown: Pink Floyd reunited”), The Who? and Faithless (we saw a short clip from the concert in Berlin). The great thing about these events is that you also hear acts that you wouldn’t normally pay any attention to – I thought Joss Stone was great; caught the end of the Snow Patrol set; and was pleasantly surprised to enjoy what I saw of Craig David’s acoustic set in Paris. I missed the Madonna set (which was reported to be fantastic), and was underwhelmed by the much-hyped Paul McCartney and U2 version of Sergeant Pepper’s Lonely Hearts Club Band but the McCartney performance of All along the Watchtower was great – it would have been cool if he’d played that with U2 (as they have both recorded it)…

Take part in the Make Poverty History campaign by adding your name to the list.

Links

Live 8 Live
Make Poverty History
White Band

Reminiscing about my first computers

Alex’s post about his first home computer got me reminiscing about mine – a Sinclair ZX Spectrum+. Then I remembered having an emulator for one a few years ago but couldn’t find it anywhere until I stumbled across World of Spectrum, which features Spectrum emulators for a variety of platforms along with a stack of games and other resources. I downloaded SPIN, which seems great, and a few games that I haven’t seen for years like Manic Miner, Horace Goes Skiing and Jet Set Willy (unfortunately the copyright owners have denied distribution for my old favourite – JetPac). There are other emulators around on the ‘net (e.g. Speculator), but SPIN was free and seems pretty good to me.

I know exactly what Alex meant when he talked about playing on his Texas Instruments TI99/4A emulator “Whilst grinning like an idiot. And chuckling. Out loud. On my own”.

There are also emulators for the Spectrum which run on Windows CE and Symbian Series 60, so I could soon be having 1980s fun on my mobile devices too!

The Spectrum+ wasn’t my first computer though. We had Acorn/BBC Bs, a Commodore PET, Sinclair ZX81s and ZX Spectrums at my middle school and then I did most of my GCSE/A Level stuff (and early hacking) on Research Machines Nimbus PCs (the only PCs I’ve ever come across that used the Intel 80186 CPU rather than the 8086 or 80286 of the time).

As for my first laptop – I still have an Amstrad PPC 640 in the attic!

Oh, those were the days…

One last patch for Windows 2000

Windows 2000 mainstream support is due to end today and a couple of days back, as expected, Microsoft released update rollup 1 for Windows 2000 service pack 4. Full details of this update (including why it is not called Windows 2000 service pack 5) are included in Microsoft knowledge base article 891861 and the problems which it resolves are listed in Microsoft knowledge base article 900345.

I’ve been working with Windows 2000 since the late 90s, when it was NT 5.0 beta 2, and I guess I’ll still be using it for a while yet (as will many of my clients) but for a view on why 48% of corporates are still using Windows 2000, see my decision time for Windows 2000 users post from a few days back.

Chaining proxy servers

I spent some time yesterday chaining two ISA Server 2000 proxy arrays. As there doesn’t seem to be a lot of information about on the subject, I thought I’d provide some here (most of what can be found easily is about using proxy chaining for anonymity, and mostly reads as if it’s intended for nefarious purposes).

Both Microsoft Proxy Server and Microsoft Internet Security and Acceleration (ISA) Server can be configured in a chain to distribute the web cache, forming hierarchical configurations with other proxy servers. One example of where this might be useful is for networks with geographically separated segments, such as branch offices. The proxy chain allows servers to query an upstream server’s cache before accessing resources on the Internet. Using this type of configuration, the clients in the branch office benefit from a local cache as well as the cache at the main office.

Proxy chaining is also known as proxy cascading or hierarchical caching and it is primarily used to improve cache performance and balance the caching load by placing information closer to proxy clients (note that only client requests for the web proxy service can be routed upstream because only the web proxy service uses caching).

My client’s scenario was slightly different. They have two proxy arrays – one for the Americas and another for Europe, the Middle East and Africa (EMEA) but they also need to access resources in their parent company using that company’s proxy server (accessed across the private network). Using this configuration, any requests that are not cached in the local proxy will require Internet access, unless the domain name matches the internal domain name for the parent company in which case they need to be forwarded to the parent company’s proxy servers.

This is fairly straightforward to configure but it is important to check first that the proxy server(s) can perform a DNS lookup for the upstream proxy server(s) and access the appropriate network. When I originally configured the proxy array, I had secured the network interfaces and added a static route to the organisation’s internal network using the route -p add networkaddress mask subnetmask gatewayaddress command but I also had to add a route to the parent company’s network, otherwise all requests that didn’t match the internal network were routed via the external (Internet-facing) default gateway. Once I could both resolve the upstream proxy server names in DNS and ping them I was ready to configure the routes in ISA Server.

I already had a destination set for the internal domain, based on the IP address range for the internal network (10.0.0.0-10.255.255.255), so I added another one for the parent company’s internal DNS domain name (*.companyname.countrycode). Once this was complete, I could establish a new routing rule in the ISA Server network configuration. Leaving the default rule in place as the last to be applied (routing all destinations directly to the specified destination), I added another rule with a higher rank order which applied to my new destination set and routed them to a specified upstream server (i.e. the parent company’s proxy server), with no caching in this case. Verifying the configuration was as simple as accessing the sites from a browser and reviewing the access logs, where access requests for the parent company’s internal sites were shown with an s-object-source of “upstream”.
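The routing decision just described, as an added model (not ISA Server code or an exported configuration): destination sets matched by IP range or wildcard DNS name, rules applied in rank order with the default rule last, and the post’s caveat that the upstream proxy must resolve before a rule pointing at it is any use. Host names, addresses and the upstream proxy name are constructed placeholders.

```python
"""Model of ISA Server-style routing rules over destination sets.
Added illustration; the resolver table and all names/addresses are constructed."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for DNS: the proxy must be able to resolve these itself.
HOSTS = {
    "intranet.example.internal": "10.20.30.40",
    "portal.companyname.countrycode": "172.16.5.9",
    "proxy.companyname.countrycode": "172.16.0.8",
    "www.example.org": "203.0.113.7",
}

@dataclass(frozen=True)
class DestinationSet:
    name: str
    ip_ranges: tuple = ()        # ((low, high), ...) inclusive address ranges
    name_patterns: tuple = ()    # shell-style patterns such as "*.companyname.countrycode"

    def matches(self, host: str, address: Optional[str]) -> bool:
        if any(fnmatch.fnmatchcase(host.lower(), p.lower()) for p in self.name_patterns):
            return True
        if address is None:      # an unresolvable name cannot match an IP range
            return False
        ip = ipaddress.ip_address(address)
        return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                   for lo, hi in self.ip_ranges)

@dataclass(frozen=True)
class RoutingRule:
    rank: int
    destination: Optional[DestinationSet]   # None = all destinations (the default rule)
    action: str                             # "direct" or "upstream"
    upstream: Optional[str] = None
    cache: bool = True

def route(host: str, rules: list, resolver: dict = HOSTS) -> dict:
    """Apply rules in rank order; the first rule whose destination set matches decides."""
    address = resolver.get(host)
    for rule in sorted(rules, key=lambda r: r.rank):
        if rule.destination is not None and not rule.destination.matches(host, address):
            continue
        if rule.action == "upstream" and rule.upstream not in resolver:
            # The post's pre-check: DNS and a route to the upstream proxy must work first.
            raise LookupError(f"upstream proxy {rule.upstream} does not resolve; fix DNS/routes")
        return {"host": host, "route": rule.action, "via": rule.upstream, "cache": rule.cache}
    raise LookupError("no rule matched; the default rule should always be present and last")

INTERNAL = DestinationSet("Internal network", ip_ranges=(("10.0.0.0", "10.255.255.255"),))
PARENT = DestinationSet("Parent company", name_patterns=("*.companyname.countrycode",))
RULES = [
    RoutingRule(1, INTERNAL, "direct"),
    RoutingRule(2, PARENT, "upstream", upstream="proxy.companyname.countrycode", cache=False),
    RoutingRule(99, None, "direct"),   # default rule: everything else goes straight out
]

if __name__ == "__main__":
    for name in ("portal.companyname.countrycode", "intranet.example.internal", "www.example.org"):
        print(route(name, RULES))
```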

Watch out for cookies when using the Microsoft AntiSpyware beta

Last year I blogged about Microsoft’s acquisition of Giant Software and I’ve been using their AntiSpyware Beta since it was made available in January; but last week I was looking at the inordinate amount of spam my Dad receives and that got me thinking about the overall security on his PC (which has my e-mail addresses in the address book!). After installing Lavasoft Ad-Aware SE Personal, I found that the Microsoft AntiSpyware Beta product he had been using was doing a pretty good job, but there were a load of tracking cookies which it had not identified. Today, I ran the same tests on two of my PCs and found the same.

As the Microsoft product is based on Giant’s well-regarded software I decided to look a bit deeper…

It turns out that although the Giant version of the product scans for cookies, the Microsoft version does not as they are not regarded as a threat (despite Ad-Aware classifying them as critical objects). In their information for Giant AntiSpyware users who have active subscriptions, Microsoft says:

“Giant AntiSpyware detects and removes cookies from your computer. Because many Web sites require the use of cookies to enable a great user experience, Windows AntiSpyware (Beta) does not remove cookies.”

So are cookies a threat? The answer is both “Yes” and “No”. Quoting from an HP article on where spyware hides:

“Cookies can help users streamline online transactions, remember browsing preferences and user profiles, and personalize pages. Many users don’t realize that cookies can be used to compile data so companies can construct a profile about the websites they visit and the web banner advertisements they click through. This information is mined so companies can deliver targeted ads.

Some websites respectfully use temporary cookies (session cookies) that disappear when you close the browser. Many more websites use persistent cookies that remain on your hard drive indefinitely. Microsoft Internet Explorer and Netscape Navigator, the two most popular browsers, still send out existing cookies even if you’ve disabled cookies in your browser settings. This means you must delete cookie files manually to keep from being tracked by third-party ad networks and spyware providers.”

And from the privacy.net cookie demo:

“Some common uses for Internet cookies are:

  • An anonymous code given to you so the web site operator can see how many users return at a later time. These cookies are configured to stay on your system for months or years and are called “persistent” cookies.
  • A code identifying you. This usually occurs after a registration. The site could keep a detailed account of pages visited, items purchased, etc. and even combine the information with information from other sources once they know who you are.
  • A list of items you purchased. This is often used in “shopping cart” web sites to keep track of your order. Often cookies of this type ‘expire’ as soon as you log out or after a short time. These are called “session” cookies.
  • Personal preferences. This can be anonymous or linked to personal information provided during a registration.

Cookies are supposed to be only accessible from the site that placed them there. However, in some cases cookies from other sites show up in the log files so it is not a secure way to authenticate a user.”

So you can see that session cookies are fine. So are some persistent cookies (e.g. the one which tells the BBC website where I live so it can give me localised information); but most of the ones I found were tracking cookies for advertising sites. These are not good and I urge Microsoft to include cookie detection in the release version of Microsoft AntiSpyware (perhaps using the SpyNet AntiSpyware community to distinguish between good and bad cookies?).
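To make the session/persistent and first-party/third-party distinctions above concrete, here is an added classifier over constructed Set-Cookie headers; it is not code from Microsoft AntiSpyware, Giant or Ad-Aware, and its registrable-domain check is a last-two-labels simplification rather than a public suffix list lookup.

```python
"""Classify Set-Cookie headers: session vs persistent, first vs third party,
and flag the persistent third-party case as a tracking candidate.
Added illustration; all headers and host names are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str          # effective domain: Domain attribute, else the responding host
    persistent: bool
    third_party: bool

    @property
    def tracking_candidate(self) -> bool:
        # Heuristic from the post: it outlives the session and was set by another site.
        return self.persistent and self.third_party

def registrable(host: str) -> str:
    """Last two labels only (simplification; a real check needs the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def parse_set_cookie(header: str, response_host: str, page_host: str) -> Cookie:
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.lower()] = val
    # Session cookie: no Expires and no positive Max-Age (Max-Age=0 deletes the cookie).
    persistent = "expires" in attrs or ("max-age" in attrs and int(attrs["max-age"]) > 0)
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    third_party = registrable(domain) != registrable(page_host)
    return Cookie(name.strip(), value, domain, persistent, third_party)

# Constructed responses seen while loading one page on www.example-news.org:
# (responding host, page host, Set-Cookie header)
SAMPLE = [
    ("www.example-news.org", "www.example-news.org", "sessionid=abc123; Path=/; HttpOnly"),
    ("www.example-news.org", "www.example-news.org", "region=london; Max-Age=31536000; Path=/"),
    ("ads.example-adnet.com", "www.example-news.org",
     "uid=7f3a; Domain=.example-adnet.com; Expires=Fri, 31 Dec 2027 23:59:59 GMT"),
    ("www.example-news.org", "www.example-news.org", "old=1; Max-Age=0"),
]

def tracking_cookies(samples=SAMPLE) -> list:
    """Names of cookies that look like third-party trackers (the kind Ad-Aware flagged)."""
    return [c.name for c in (parse_set_cookie(h, r, p) for r, p, h in samples)
            if c.tracking_candidate]

if __name__ == "__main__":
    for r, p, h in SAMPLE:
        print(parse_set_cookie(h, r, p))
    print(tracking_cookies())   # ['uid']
```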

Finally, for anyone worrying about what happens when their version of the Microsoft AntiSpyware Beta expires at the end of July, Microsoft has started to push updates and one of my PCs upgraded itself to version 1.0.614 today, which expires at the end of December. The others are still on 10.0.501 but I expect to see them do the same over the next few weeks.

Further reading

Adware/Spyware thread (pcreview.co.uk)
Cookie demonstration (privacy.net)
Microsoft AntiSpyware: Torn Apart

Jack Kilby, who invented the integrated circuit, passes away

I just read that Jack St.Clair Kilby died last week. The sad thing is that I’d never heard of Jack until I read his obituary even though his invention – the integrated circuit (IC) – undoubtedly paved the way for the computerised world in which we live today. His former employer, Texas Instruments, have a tribute site. What I find interesting is that had he not been a new employee (hence with no accrued annual leave), he wouldn’t have had the opportunity to carry out his early experiments whilst the rest of the company were on vacation!

Decision time for Windows 2000 users – what I really think

Last week, I was fortunate enough to be quoted on the front page of IT Week by Martin Veitch, in his article “Decision Time for Win2000 Users”. Of course, as my wife is a Public Relations Consultant, I understand (and even expect) only a partial quote when a journalist asks for comment, so I’m using my blog to put this into context, as the soundbite which Martin used seems to have surprised some people, including one of Microsoft UK’s Enterprise Strategy Consultants.

Yes, Windows 2000 is still popular. The AssetMetrix Research Labs report, on which Martin’s article is based, notes that between the last quarter of 2003 and the first quarter of 2005 the popularity of Windows 2000 only fell by 4%. However, the real news here is not that clients are sticking with Windows 2000 but that people are finally junking Windows 9x/ME/NT and moving to XP. Windows 9x system usage fell over the same period from 28% to 5%, Windows NT was down slightly (down from 13.5% to 10%) whilst Windows XP usage increased from less than 7% to 38%.

My colleagues and I have worked with many organisations to migrate from Windows 9x and NT to XP; but the reason that Windows 2000 is still in use by 48% of corporate IT environments is that (when patched), it is a stable and reliable platform. Microsoft may have ended support for NT last year, and 2000 is about to go onto extended support but firms are willing to tolerate the risk of not moving, whilst they recoup the investment that they have made. The heady days of the late 1990s “millennium date bug” upgrades are gone and business users are demanding value for money from their IT assets. Many of my clients have moved away from a 3 year write down of desktop PCs to 5 years, or even 7 years in one case (mind you, I’m helping them to move their retail estate from NT 3.51 to XP!). That means that those who took a big leap to implement Active Directory and adopt Windows 2000 are contemplating skipping a release, before they move directly to the next version of Windows (codenamed Longhorn). What I do expect to see over the next year or so is a lack of Windows 2000 device drivers and the consequential hardware issues driving a move to Windows XP and Server 2003 where perhaps corporates are downgrading Windows XP licenses on new PCs to match their Windows 2000 standard operating environments (SOEs).

As for Linux or the new low-cost Mac, well, at the risk of being flamed (or even accused of being sponsored by Microsoft – which incidentally I’m not!), I don’t see any of my customers moving from Windows on the desktop (yet). The education sector may be being forced down an open source route to save money (false economy I say – we should be teaching our children using the software that they will later encounter in the workplace), and consumers/hobbyists will be looking at the best technology, but in the commercial world, the reality is that organisations are not usually interested in the best technology, or even the lowest total cost of ownership (TCO) – a much overused term which is always open to dispute – but are more concerned with deploying software that the majority of users can use with the least retraining whilst minimising licensing costs through volume licensing agreements – by and large that will mean using the Windows platform and the software vendor will be Microsoft!

So what is my real advice for Windows 2000 users?

  1. Build on your Windows 2000 investment and take advantage of new security features by moving to Windows XP (with SP2) and Windows Server 2003 (with SP1) now.
  2. Windows 9x/NT to 2000 was a step change but the move to XP/2003 is less so (and the licensing costs should be minimal for those organisations that already have software assurance).
  3. Don’t wait until Windows Longhorn. This will be another major release, which is not expected until 2006 (client, with the server version following in 2007), after which many organisations will still wait for the first service pack before deploying.
  4. Finally, new technologies (such as Internet Explorer 7.0), with new features and security enhancements will only be available for recent platforms (i.e. those that are still supported by Microsoft).

Supplying logon credentials within a URL

Alex e-mailed me earlier and told me that the RSS feed on my family blog was broken. Actually, I’d password protected the site, and forgotten to update the details in Feedburner (which translates Blogger’s Atom output to RSS for me). I couldn’t find any fields in the feed service settings to supply username and password credentials until an unusually helpful error message suggested that I should enter the URL as http://username:password@domainname/document.extension.

I knew that particular syntax worked for FTP, but not for HTTP too! Of course, if I was really that bothered about security I should secure the site using HTTPS, but in this case, the username and password are only a deterrent and there’s not really anything there that needs SSL security.
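Handling the user:password@host form from the post, as an added example (not Feedburner or Blogger code): split the credentials out of the URL so they can be sent as a normal Basic authentication header, redact them before the URL is logged, and flag the plain-http case where they cross the wire readable. The URL is a constructed placeholder in the shape the post gives.

```python
"""Separate, redact and assess credentials embedded in a URL's userinfo part.
Added illustration; the URLs used are constructed placeholders."""
import base64
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit, unquote

def split_credentials(url: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (url without userinfo, username, password).
    Percent-encoding in the userinfo is decoded, because ':' or '@' inside a
    password has to be encoded there to survive parsing."""
    parts = urlsplit(url)
    user = unquote(parts.username) if parts.username is not None else None
    pwd = unquote(parts.password) if parts.password is not None else None
    host = parts.hostname or ""          # note: IPv6 literals would need re-bracketing
    if parts.port:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, user, pwd

def basic_auth_header(user: str, pwd: str) -> str:
    """What an HTTP client sends instead of leaving the credentials in the URL."""
    token = base64.b64encode(f"{user}:{pwd}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def redact(url: str) -> str:
    """Replace the userinfo with a marker; the result is safe to write to a log."""
    clean, user, _ = split_credentials(url)
    if user is None:
        return clean
    parts = urlsplit(clean)
    return urlunsplit((parts.scheme, "***:***@" + parts.netloc, parts.path,
                       parts.query, parts.fragment))

def sent_in_clear(url: str) -> bool:
    """Basic auth is only base64, so over plain http the password is readable on the wire."""
    return urlsplit(url).scheme.lower() == "http"

if __name__ == "__main__":
    feed = "http://alice:s3cret%40word@blog.example.net/atom.xml"   # constructed
    clean, user, pwd = split_credentials(feed)
    print(clean, user, pwd)
    print(basic_auth_header(user, pwd))
    print(redact(feed), "plaintext:", sent_in_clear(feed))
```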