
Thursday, 24 Jul 2008

With the rising cost of fuel impacting everyone's bottom lines and the increasingly good PR to be had, one of my clients asked me to come up with a centrally controlled power management solution for their Windows XP estate of around 3500 machines.

According to a report prepared for the US Environmental Protection Agency, "An organization can save $10 to $50 per computer annually by enabling power management features that place a computer monitor into a low-power 'sleep' mode during periods of inactivity". In 2008 the US pays an average of 5p per kilowatt-hour; we pay almost double that at 9.5p (source: www.eia.doe.gov and www.uswitch.com), making the savings between £10 and £50 per monitor, per year, give or take exchange rate fluctuations.

Based on those figures, this represented savings of between £35,000 and £174,000 EVERY YEAR, just in power, just in monitors - not forgetting that those figures do not include the machines themselves and the savings in air-conditioning. Indeed, many businesses only require air conditioning to counter the heat created by all those machines and monitors being left fully powered up.

The big reason why Microsoft never implemented Power Management control via GPO for XP is that Group Policy administrative templates deliver registry integer and string values (REG_DWORD and REG_SZ), while XP's Power Management settings are stored as binary (REG_BINARY) blobs. This has meant that the only solution to date is a specialist application (and custom GPO template) that performs the translation between the GPO-delivered integer and string values and the operating system's binary format. It's a messy solution at best.

There is an application out there that does GPO-based Power Management, but it requires the application to be installed on every machine and a poorly designed Group Policy template; after testing it for my client I wasn't happy with the functionality or quality, or with the number of times I had to reboot my machine after yet another terminal Dr Watson failure. The only other solution I found is poorly written and requires a software deployment mechanism to get it beyond a limited pilot.

So, I designed and created a new solution.

The new solution is completely (and easily) centrally controllable by group membership and allows you to set as many different combinations of Power Management settings across your IT estate as you like (vastly more flexible than GPOs). The new solution allows you to centrally control Power Management on machines that are not logged on and for users after they log on. The new solution uses the built-in Windows XP APIs and applications to guarantee compatibility across all Windows XP Service Pack levels with no crashes or any unexpected behaviour. The new solution integrates totally into Active Directory on Windows 2000, 2003 and 2008 and is completely transparent to users. A version that can handle Windows 2000 and Windows Vista will be available shortly.
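Nothing on this page shows how the product itself is built, so here is an added example of mine (not the author's code) illustrating the approach the entry describes: the built-in XP tooling driven by Active Directory group membership, with no GPO template in the loop. The script looks up the computer's group membership with ADSI and applies a matching scheme through the powercfg.exe that ships with Windows XP. The group names (PM-Standard, PM-Aggressive, PM-NeverSleep), the scheme names, the timeouts and the precedence order are assumptions for the example; the XP-era powercfg switches (/create, /change, /setactive) are real.

```powershell
# Added example, not the author's product. Assumes Windows XP powercfg.exe
# syntax, PowerShell 2.0 or later, a domain-joined machine and the (assumed)
# AD groups below. On XP, powercfg changes the settings of the account running
# it, so run this once as a computer startup script (as SYSTEM, covering the
# logged-off state) and again as a user logon script for the user's own settings.

# Assumed group -> scheme map. Values are minutes; 0 means "Never".
# When a machine is in more than one group, the later entry wins.
$Schemes = @(
    @{ Group = 'PM-Standard';   Name = 'Corp Standard';   Monitor = 15; Disk = 30; Standby = 60; Hibernate = 0 },
    @{ Group = 'PM-Aggressive'; Name = 'Corp Aggressive'; Monitor = 5;  Disk = 10; Standby = 20; Hibernate = 0 },
    @{ Group = 'PM-NeverSleep'; Name = 'Corp Always On';  Monitor = 15; Disk = 0;  Standby = 0;  Hibernate = 0 }
)

function Get-ComputerGroupNames {
    # Direct (not nested) group memberships of this computer object, searched
    # from the default naming context of the domain the machine is joined to.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $result = $searcher.FindOne()
    if ($result -eq $null) { return @() }
    foreach ($dn in $result.Properties['memberof']) {
        # "CN=PM-Standard,OU=Groups,DC=example,DC=com" -> "PM-Standard"
        ($dn -split ',')[0] -replace '^CN=', ''
    }
}

function Select-Scheme([string[]]$GroupNames) {
    $chosen = $null
    foreach ($s in $Schemes) {
        if ($GroupNames -contains $s.Group) { $chosen = $s }   # later entries override earlier ones
    }
    return $chosen
}

function Set-Scheme($s) {
    # /create fails harmlessly if the scheme already exists; /change then (re)writes the timeouts.
    & powercfg.exe /create $s.Name 2>$null | Out-Null
    & powercfg.exe /change $s.Name `
        /monitor-timeout-ac   $s.Monitor   /monitor-timeout-dc   $s.Monitor `
        /disk-timeout-ac      $s.Disk      /disk-timeout-dc      $s.Disk `
        /standby-timeout-ac   $s.Standby   /standby-timeout-dc   $s.Standby `
        /hibernate-timeout-ac $s.Hibernate /hibernate-timeout-dc $s.Hibernate | Out-Null
    & powercfg.exe /setactive $s.Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "powercfg /setactive '$($s.Name)' failed with exit code $LASTEXITCODE" }
}

$groups = @(Get-ComputerGroupNames)
$scheme = Select-Scheme $groups
if ($scheme -eq $null) {
    Write-Host "$env:COMPUTERNAME is in no PM-* group; leaving power settings alone"
} else {
    Set-Scheme $scheme
    Write-Host "$env:COMPUTERNAME -> '$($scheme.Name)' (from group $($scheme.Group))"
}
```

Because the script reads the memberOf attribute it only sees direct group membership; if you nest groups, read the tokenGroups attribute instead. Assign the script through a GPO's Startup and Logon script settings and the "control by group membership" the entry describes falls out of AD, with nothing installed on the client.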

How much is it?
. A one-off consultancy fee to attend your site, install and configure it, and train your administrators. Two days is usually sufficient; more might be warranted in large enterprises with complex environments. The rate for this service is £750 plus VAT per day, and expenses at cost.
. A subscription fee of £4.85 per seat, per year. Significant discounts are available for multi-year subscriptions and large numbers of users.

Using the lowest savings figures, and assuming only monitors were powered down to standby mode, the following represents your investment and return:
If you have 500 machines and took 2 days of consultancy (total cost of £3,925 in the first year), the new solution will return your Year 1 investment in less than 10 months and Year 2 onwards in less than 6 months (based on yearly savings of only £10 per machine). Far greater savings are possible by putting the machines themselves into standby as well as the monitors. Wake-on-LAN can even be configured to allow machines on standby to wake up and carry out anti-virus, patching or software installation activities.

Please contact me at www.leafgrove.com or using the email link on this entry for more information and discounted pricing.

Friday, 18 Jul 2008

Is it me or is there a deafening silence, where there should have been celebration?

The long-standing bug in DNS that allowed cache poisoning, and effectively allowed an attacker to hijack a legitimate website for their own needs, has existed since the start of DNS. The bug is well known and is the result of a less-than-perfect design of the protocol itself; interestingly, it is not really the fault of the vendors writing DNS server applications.

OK, so the bug has now been addressed by the major and most of the minor vendors. The celebration point is that dozens of vendors (many in direct competition) all got together and released a fix for the same bug AT THE SAME TIME. Think about that for a second: that single fact is nothing short of miraculous. I have to wonder whether this example of large-scale global collaboration by vendors is a statistical blip or the sign of things to come.

Friday, 11 Jul 2008

While driving home the other day, I saw in the distance, running towards me a naked girl. As I drove closer, the girl continued to be naked and what's more she was being ignored by everyone passing her. As I passed her, I realised that she was fully clothed in a flesh coloured, skin tight lycra running unitard.

I wasn't sure if I should be relieved or disappointed.

Friday, 20 Jun 2008

The Government is missing out on hiring the skills of some of the top people in the industry, and as a result is being forced to pay up to 5x over the odds for sub-par skills recruited through the mess of inter-related Office of Government Commerce (OGC)/Catalist suppliers.

Why?

In order to work on most Government and related projects you must have a security clearance. There are various types of clearance, but the most common requirement is SC, which we are told takes up to 6 weeks to obtain (it's actually supposed to be 30 days). You cannot get a clearance unless you already have a job requiring clearance, and it's impossible to get the job without the clearance first.

The large OGC suppliers have all worked on Government projects and therefore have a large pool of security-cleared staff. Never mind that these staff are not necessarily the best for the particular job requirement; they are almost always the only staff that will be recruited (at exorbitant markups), because no one else has security clearance.

It's more than a year since the cabinet office issued this memo stating that advance clearance was only to be required in cases where the requirement is urgent and the term of the requirement is short. The memo also states that these circumstances should be rare.

I can't tell you who the wrongdoers are. After all, the agencies will claim to be acting on the instructions of their client (usually another agency or OGC supplier). However, I can tell you that the practice is not only widespread, it is the rule rather than the exception. Here is an example of yet another agency (in this case Spring, but I have many more) demanding advance clearance before even considering a candidate, clearly in breach of the guidelines issued last year.

Friday, 9 May 2008

I have written previously on how to quickly create a free, secure and fast VPN solution on Windows Server 2003. Having just migrated my own VPN to Windows Server 2008, I thought I should do a new article for the more recent operating system. This version of the install requires only one network interface and therefore does not require configuration as a router, which simplifies the solution and makes it far easier to implement in today's subnetted networks.

This solution gives you two-factor authentication in the sense that a client needs both the IPsec pre-shared key and a valid set of domain credentials, which makes it plenty secure enough for its intended use: a quick and secure way to provide remote access to your network while the comms team sets up their enterprise-class VPN solution. The solution is not perfect, primarily in its requirement to manage the pre-shared key by hand, which is unworkable for more than a *very* small number of users. Bear in mind too that the key is the same for every client, so it is a group secret rather than a per-user factor, and it has to be changed whenever someone who knows it leaves.

I built this solution using a VM and total configuration and testing time is comfortably under an hour.

First, deploy yourself a fresh Windows Server 2008 VM; not forgetting to sysprep it (thus making sure you have a nice fresh SID!) if necessary and then join it to the domain, so it can authenticate users on the domain.

After logging on as an administrator for the first time, the server manager should open up and allow you to install additional roles. The roles wizard is excellent, but a little mickey mouse for those of us that know what we're about.

If you are using a VM and have the capability, you might want to take a snapshot of the machine at this point in case you want to start again.

Install the Role
Open Server Manager (right-click on Computer and select Manage).
Start the roles wizard by expanding the left-hand menu, selecting Roles and clicking the Add Roles button.
Select the Network Policy and Access Services check box and click Next through to the Role Services dialog.
Select only the Remote Access Service and click through to install.

Configure RRAS
Once complete, close the roles wizard and, from the Administrative Tools menu, open Routing and Remote Access.

Verify that the machine name in the snap-in is correct, then right-click on it and select Configure and Enable Routing and Remote Access to start the wizard. It's worth noting that if you want to fry the config and start again, you can right-click on the server name and select Disable Routing and Remote Access to completely clear the RRAS config.

Unless specified, from now on leave all the default settings and only change what is described below:

Select Custom Configuration
Check VPN Access Only
Finish and start the service

Right-click on the server and select properties:
Server Properties
General Tab: Enable this computer as a: (IPv4) Remote Access Server, uncheck everything else

Security Tab: Authentication Provider: Windows Authentication
Allow custom IPsec policy for L2TP connection (enter a long passphrase to act as the shared key; save it for entry into the client setup)

IPv4 Tab: Enable IP forwarding
This server can assign addresses by using DHCP
Enable broadcast name resolution

PPP Tab: Check all

Logging Tab: Log all events

Ports Properties
Uncheck all connection boxes for everything other than L2TP and, where required, set maximum ports to 1 or 0
L2TP: Remote access connections (inbound only)
Uncheck everything else
Maximum ports: 10 (or whatever you think you'll need)

IPv4 Properties
Routing: Only General and Static Routes, remove everything else
General Properties
Logging Tab: Log errors and warnings

Remote Access Logging and Policies
New Network Policy
Policy Name: "Permit Windows VPN Access"
Policy Condition: Tunnel-Type matches "Layer Two Tunneling Protocol (L2TP)"
Policy Condition: Tunnel-Type matches "Point to Point Tunneling Protocol (PPTP)" (only if you require it)
Access is determined by user dial-in properties (IE set on the Dial-In tab of the user account)
Configure Authentication Methods
Check: Microsoft Encrypted Authentication v2 (MS-CHAP v2) (and the user-can-change-password feature)
Check: Microsoft Encrypted Authentication (MS-CHAP) (and the user-can-change-password feature) only if you have clients that cannot do v2; v1 is the weaker of the two, so leave it unchecked if you can
Uncheck everything else on authentication methods
Default remaining settings

Don't forget to remove any snapshots you created as they are no longer required.

Once the setup is complete you will need to open the firewall and configure a public-facing IP and preferably a public DNS entry too. If this is your home connection and you have no fixed public IP or public DNS, set your firewall to accept the connections and static-map the ports straight through to your new VPN server. Note that when the server sits behind NAT like this, Windows clients refuse L2TP/IPsec by default: each client needs the REG_DWORD AssumeUDPEncapsulationContextOnSendRule set to 2 under HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent (on Vista; XP SP2 uses the IPSec service key instead), followed by a reboot.

Firewall Configuration Settings
L2TP Inbound Requirements: ESP (IP protocol 50), IPsec NAT-T UDP 4500, IKE UDP 500
PPTP Inbound Requirements (only if you enabled PPTP ports above): GRE (IP protocol 47), PPTP TCP 1723
Configure the firewall to allow any source to reach the firewall on the above ports and protocols, and map them to the internal IP of the VPN server. Leave the PPTP pair closed if PPTP is disabled on the server.

To configure the Windows VPN Client
New Connection Wizard
Connect to the network at my workplace
Virtual Private Network Connection
Set the connection Name "My VPN"
Decide if a dial-up connection is required first
Enter the IP address/DNS Name of the VPN Server

Connection Properties
Options Tab: Check all Dialling Options
Security Tab: IPSec Settings
Use pre-shared key for authentication
(enter text to act as shared key, same as that entered above)
Security Tab: Everything else, leave as default
Networking Tab: Type of VPN L2TP IPSec VPN or PPTP if you configured it above
Networking Tab: Everything else, leave as default

There, all done. I've used this in a few places and because the setup is so quick and easy, on the very rare occasions when it goes wrong, it's actually quicker to fry the config and start again than to try and diagnose what went wrong.
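As an added example of mine (not part of the original article) to go with the server side of the procedure above: a PowerShell script for the Server 2008 box that generates a pre-shared key worth the name, adds Windows Firewall rules for exactly the L2TP/IPsec traffic listed in the firewall section, and checks that RRAS is actually listening before you start blaming the perimeter firewall. It assumes Windows Server 2008 with netsh advfirewall and an elevated PowerShell 2.0 or later prompt; the rule names are my own.

```powershell
# Added example, not the author's. Server-side helpers for the L2TP/IPsec
# setup above. Assumes Windows Server 2008 (netsh advfirewall present) and an
# elevated PowerShell 2.0+ prompt. Rule names are assumptions for the example.

function New-PreSharedKey([int]$Bytes = 32) {
    # 32 random bytes -> 44 base64 characters: long enough that the shared
    # secret, not a user's password, is the strongest thing in the exchange.
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

function Add-L2tpFirewallRules {
    # Only what L2TP/IPsec needs: IKE (UDP 500), NAT-T (UDP 4500), ESP (IP protocol 50).
    # No PPTP (GRE / TCP 1723) unless you actually enabled it in the Ports dialog.
    $rules = @(
        @{ Name = 'VPN L2TP IKE';   Protocol = 'udp'; Port = 500  },
        @{ Name = 'VPN L2TP NAT-T'; Protocol = 'udp'; Port = 4500 },
        @{ Name = 'VPN L2TP ESP';   Protocol = '50';  Port = $null }
    )
    foreach ($r in $rules) {
        $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                       "name=$($r.Name)", 'dir=in', 'action=allow', "protocol=$($r.Protocol)")
        if ($r.Port) { $netshArgs += "localport=$($r.Port)" }   # localport is only valid for TCP/UDP
        & netsh.exe @netshArgs | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed adding rule '$($r.Name)'" }
    }
}

function Test-L2tpListeners {
    # True when the RRAS service is running and the IKE and NAT-T sockets are bound.
    $svc = Get-Service RemoteAccess -ErrorAction SilentlyContinue
    if ($svc -eq $null -or $svc.Status -ne 'Running') { return $false }
    $udp  = & netstat.exe -an -p udp
    $ike  = $udp | Where-Object { $_ -match ':500\s' }     # ':500\s' does not match :4500 or :5000
    $natt = $udp | Where-Object { $_ -match ':4500\s' }
    return ($ike -ne $null) -and ($natt -ne $null)
}

# Usage: paste the key into the Security tab on the server and into each client.
$psk = New-PreSharedKey
Write-Host "Pre-shared key (store it somewhere sensible): $psk"
Add-L2tpFirewallRules
if (Test-L2tpListeners) { Write-Host 'RRAS is up and listening on UDP 500/4500' }
else { Write-Host 'RRAS is not listening; re-check the Ports dialog and that the service started' }
```

The firewall rules here are for the Windows Firewall on the VPN server itself; the perimeter device still needs the matching port-forward or allow rules from the section above.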

Sunday, 4 May 2008

Having migrated this blog to Windows Server 2008 I was checking the logs and noticed that the mail.asp page was being abused in attempts to send me spam email.

This has been going on for a while, but my mailserver knows the difference between legit comment and muppets posting porn site links and I never received the duff email. However, I felt that I should be doing something to stop this behaviour.

To this end I've modded the email response page to break the typical attempts and stop it from working. If you also run BlogX and want to know how this was done, please drop me a line.

Of course, there are a variety of methods of doing this, so I will have to see how successful my first try was. It's likely I'll have to brush off more of my rusty ASP to solve it permanently.

Update: My first try was not that successful and about 80% of the bot-based spammers were able to get through. However, my second attempt makes use of the server itself to detect the source of the request and block anyone not using the page for legitimate comment.

I have emailed the author of the blog software who will be implementing a verification methodology where users are required to confirm over email - thus neatly removing any false/spoofed addresses and their messages. This will be available once Matthew1471 has finished his finals!

Saturday, 3 May 2008

The fact that you're able to read this at all can be considered something of a success as I've just finished migrating my various web applications to new webservers running Windows Server 2008. IIS 7 is a whole new ball game, and I don't just mean the incomprehensible admin interface!

The first problem was working out what needed to be installed; in fact, I installed and uninstalled IIS so many times (OK, only 3) that eventually the web service refused to serve even HTML pages and I had to rebuild the server from scratch. Twice. Thank the Lord for unattended installations and VMware ESX 3.5, or I would have gone a little more insane.

So, one working webserver later, I migrated the first of the apps, a basic HTML only site with authentication. So far so good on a few more apps - until I got to my main website www.leafgrove.com, where I "discovered" that CDONTS no longer works and the email contact page was broken as a result. Actually, I discovered this years ago when I moved this app to Windows 2003 Server, but back then all you had to do was find a copy of CDONTS.DLL on Windows 2000 Server SP4+, copy it over and register it. The new solution is CDOSYS and I felt better using that rather than the now very old code from W2K.

A couple of hours (I know, but my ASP is rusty) with my favourite scripting tool (Sapien PrimalScript 2007) and I had written a spanking new email processor and even improved the old processor's functionality. Some testing followed, and we were finally up and away on that site too.

A couple of other sites making use of HTTP redirects had to be tweaked and I was left with the blog.

The blog was fine until you tried to edit or create entries, whereupon you got one of those useless HTTP 500 errors. HTTP 500 is the generic message the server returns when it's sure something's broken but is not prepared to tell you what. To get any sense out of it you have to switch off friendly error messages in the browser and enable the ASP "Send Errors To Browser" setting on the server (not forgetting to switch it off again afterwards, since it hands script paths and internals to anyone who can trigger an error). The problem turned out to be parent paths, exactly the same problem as when I migrated this blog to Windows Server 2003 a couple of years ago. Microsoft disabled parent paths as a security measure, because an include that climbs with ".." can reach files outside the application root, and the correct fix is to change the code so the includes use proper paths. However, the original issue no longer exists, this isn't my code, and I don't fancy editing 30-odd ASP files looking for duff includes, so I chose the lazy route.

No worries there then, a click or two later to enable parent paths and all was operational.
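Since the lazy route re-enables parent paths for the whole application, here is an added example of mine (not the author's code) that does the tedious part for you: it lists every ".." include across the ASP files so you can see how many there really are before deciding between fixing them and turning the setting on. It assumes PowerShell 2.0 or later; the site path and the "Default Web Site/blog" application name are assumptions, while the appcmd switch (/section:asp /enableParentPaths:true) is the real IIS 7 setting behind the click.

```powershell
# Added example, not the author's. Finds the ".." includes that parent paths
# exist to serve, so you can decide whether to fix them instead of re-enabling
# the setting site-wide. Assumes PowerShell 2.0+; the paths are examples.

function Find-ParentPathIncludes([string]$Root) {
    # Matches <!--#include file="..\x.asp"--> and virtual="../x.asp" forms.
    $pattern = '#include\s+(file|virtual)\s*=\s*"[^"]*\.\.[\\/]'
    Get-ChildItem -Path $Root -Recurse -Include *.asp, *.inc |
        Select-String -Pattern $pattern |
        ForEach-Object {
            New-Object PSObject -Property @{
                File = $_.Path; Line = $_.LineNumber; Text = $_.Line.Trim()
            }
        }
}

$hits = @(Find-ParentPathIncludes -Root 'C:\inetpub\wwwroot\blog')   # assumed site path
if ($hits.Count -eq 0) {
    Write-Host 'No parent-path includes found; leave enableParentPaths off.'
} else {
    $hits | Format-Table File, Line, Text -AutoSize
    Write-Host "$($hits.Count) include(s) use '..': either rewrite them as virtual paths from"
    Write-Host 'the site root, or enable parent paths for this one application only:'
    Write-Host '  %windir%\system32\inetsrv\appcmd set config "Default Web Site/blog" /section:asp /enableParentPaths:true'
}
```

Scoping the appcmd command to the application path rather than running it against the server keeps the other sites on the box on the secure default.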

Being as this is all new, I would appreciate feedback from those that notice any difference. If your feedback is particularly helpful, I might even come up with a prize or something for your efforts! Just click the email button below or drop me a line at the usual place.

Tuesday, 29 Apr 2008

Recently my Lacie Ethernet Disk (perhaps the cheapest server-based storage money can buy) has been shutting down spontaneously. There was no fixed time or set of circumstances, and nothing in the logs other than the usual "the shutdown at blah was unexpected" messages in the event logs. Sometimes it would stay up for a week, sometimes not even 20 minutes.

The problem turned out to be the weather and was solved by moving it from the top of the rack to the middle.
Confused? Here goes...

The Lacie is not a particularly robust bit of kit internally, and the large disks generate a fair bit of heat. This is probably why the casing is metal as aluminium is an excellent conductor of heat, where plastic isn't. Overly high internal temperatures in the Lacie cause it to power off. My Lacie was sat in the top of my rack, the rest of the space being taken up by servers and the like.

My server room used to get very hot in summer, but last year I put in air-con and things have much improved. The unit is only 7 kW capable, though, and the heat is not entirely dissipated from the rear of the rack due to lousy air circulation. The big servers are full of fans and cope fine, but the Lacie is a little more sensitive.

So it turns out that when we have a bit of sun, as recently, the rack gets just hot enough internally to cause the Lacie to shut down. I moved the Lacie to the middle of the rack, where there is less heat and the ambient room temperature is lower, and voilà: it's been up for a while now with no issues.

Sunday, 20 Apr 2008

Bulimia is not funny, but it was nevertheless entertaining watching BBC News this morning where John Prescott's bulimia was reported. Not even the usually straight-faced early morning presenters were able to keep the smile out of their faces and voices at the thought of the ex-deputy prime minister barfing his Chinese dinner into Westminster's porcelain chariots.

Monday, 7 Apr 2008

Desktop Virtualisation is the replacement of the traditional desktop hardware with a thin or zero client device that presents only an interface to a Virtual Machine running on VMware ESX/VI3/Virtual Server, Microsoft Virtual Server or some other virtualisation platform (seriously, there are others). You can do this with a PC and a software application, but although that is useful in a number of situations, it's not what's got me interested.

My experience is currently limited to the Pano Logic Pano Device and Pano Desktop Manager Software v1.1 and later, but I'm voraciously reading whatever I can find about their competitors. Pano is not the only way to skin this particular cat and the industry hasn't yet sorted out the winners and losers in the marketplace.

The Pano device itself is basically an X-Windows terminal that connects to the X Server running on the Pano Desktop Manager (DM). The DM runs CentOS and some clever software that allows the Pano devices to be attributed to a pool of Virtual Machines hosted on (in this case) a VMware Virtual Infrastructure running ESX v3.5. The Pano device is able to find the DM via one of a number of methods, but my favourite is by configuring a special option on the DHCP servers. Once found, the DM registers the device and allows you to 'manage' it from a web application.

When a user powers on the Pano device, they are presented (almost instantly) with a customisable X-Windows logon, which accepts their Active Directory domain credentials. The DM then proxies these credentials to a "vacant" Desktop Virtual Machine (DVM) and logs them in over the Terminal Services connection provided with Windows 2000 Server, XP, 2003, Vista and 2008. All the standard applications that were installed when the VM was built or cloned are available, and the user notices nothing different from then on. There is some necessary configuration to do in Active Directory in terms of GPOs, redirected folders and the like to ensure a smooth and integrated user experience, but essentially that's your lot.

So simple, it's a wonder we weren't doing it years ago.