Certified Mail

Grabbing the Throttle; Tool Time; Attachment Security; and more

• By MCP Magazine Readers
• 03/01/2004

Grab the Throttle
I must say that Keith Ward’s editorial in the January issue, “Grab the Throttle,” hits home with me. I was always told that if you want something, you have to go get it, because no one is going to give you anything! Here’s an example: Working as a heavy equipment operator for over 20 years, I wanted to do something different and provide a better living for my family. I started taking night classes to get an MCSE in Windows NT 4.0. Many of the other students were head and shoulders better than I was at this stuff. I decided that if I wanted to get better at computers, I needed to be doing it eight hours a day and not just eight hours a week. I took an almost-$5 per hour paycut and started working as a support tech. After a year, the company saw my commitment, and I was offered a training position and a chance to launch Windows XP. I’m currently an MCSE and MCSA in Windows 2000 and working at a help desk. I still have dreams of being a network administrator. If you aren’t qualified, how do you get qualified? You have to be willing to grab the throttle!
—Jeff Wallen, via online
Arizona

I have a private pilot’s license, too. Nothing is better than buzzing the “padi fields” and coconut trees! My initial PPL was on a Cessna 172, and I loved every minute of it. Anyway, I think this new “Take Control” technique in the magazine is to help one improve, be more responsible, more alert, look at all options and always choose the best one. Everybody wants to move up, and here we’re being shown how. We all start as tech support or on a help desk and want to move to administrator, engineer or architect/consultant. So this new concept—and the articles—might help. Of course, there’s a lot of other stuff one needs to do before taking the big leap (such as specializing in a specific field, like security).
—Gill, via online
Singapore, Southeast Asia

Tool Time
I’m just beginning to look into auditing and policy management tools. I’ve heard of FAZAM, but are there other tools I should look at?
—Amy Bremer
Newton, Massachusetts

We’ve done a lot of work with both policy and auditing tools. In fact, we recently wrote a review of multiple policy and auditing tools, “12 Mighty Labors of Active Directory Management,” in the September 2003 issue. We also describe in-depth how you can perform these 12 mighty labors without commercial tools (online at: http://mcpmag.com/Features/article.asp?EditorialsID=361). Both articles will give you a better idea of what you need to do to manage an Active Directory.

As far as Fazam is concerned, it’s now integrated with NetIQ’s Security Administration Suite, which provides much more functionality than Fazam alone. You can also start by using the Microsoft Group Policy Management Console. The GPMC is free at www.microsoft. com/downloads and provides great support for Group Policy Management in AD.

Active Administrator from Small Wonders Software/ScriptLogic is also a useful tool in the arena of audit and policy management. It wasn’t included in our original review, but we think it bears a closer look if you want a commercial tool, because it seems to address both of your areas of concern.

It depends on the size of your network or the number of users and systems you need to manage, but our advice is this: Take a look at the GPMC first. It’s free and may well do most of what you need. If that doesn’t do it, move on to Active Administrator and/or Fazam.
—Nelson and Danielle Ruest

Attachment Security
If someone sends an e-mail attachment such as a text file using Yahoo e-mail, what are the security risks? Where is encryption initiated? If the file had been initiated from and received by machines with Windows XP, Outlook 2000 or later, and Internet Explorer 6.0 with all the latest service packs, does the attachment get encrypted? What is a good operating procedure for security of e-mail attachments?
—Wayne Henegar, MCP
Mt. Carmel, Illinois

By default, attachments aren’t ever encrypted, and most free e-mail Services, like Yahoo, don’t handle S/MIME, which is required for encryption. At best, you could ZIP and encrypt a file at the sender, in which case, it would remain encrypted until decrypted on the destination machine. But, you’re not sending a text file attachment at that point.

If you’re using Yahoo, the only way to ensure nobody can eavesdrop is to encrypt the file—using something like WinZIP or Windows XP’s own built-in compressed folders feature—on the sending machine, and then have the recipient decrypt it. You’ll need to provide the recipient with the ZIP file’s password to do so. Then everything in the ZIP will be encrypted through the entire process, even when sitting in Yahoo.

At best, what Yahoo does is employ SSL/TLS to encrypt the connection between your browser and the Yahoo servers. That means the data is encrypted while physically in transit, but not encrypted while sitting on Yahoo’s servers. Using something like WinZIP can offer a workaround.
—Don Jones

Taking Control
In reference to the January 2004 feature, “Taking Control of Your Users,” by Mark Wingard: very good article. I know because I can speak from experience. Our help desk calls have dropped significantly because we use a single image for computers and have also implemented a common operating environment. Using Windows XP with Group Policy Objects, we give users the tools needed to do their job, yet prevent them from shooting themselves in the foot. Standardization is the key to a smooth-running company and IT department.
—Houston Admin, via online
Houston, Texas

Wireless Tips
Thanks for the informative article in your January “Tips & Tricks” column, “Little-Known Wireless Facts.” You seem to be just the person to clarify a few questions my organization has concerning wireless.

I work on the Tech Support Team at The Summit Country Day School in Cincinnati. We have approximately 1000 students, faculty and staff of about 200 and around 700 computers. Of the 700 computers, we have 15 laptop carts of 16 to 20 machines and a laptop for each faculty member. The carts each have an access point and are wireless running 802.11b. We have about 10 other access points on campus (802.11b). Due to some major construction, several of our desktop labs are temporarily running on the wireless network, also.

Our problem and, I guess my question, concerns the use of 802.11g access points and the potential for improved throughput in real world usage. Currently we’re having fairly good success with wireless when users are just using the computers to read e-mail or surf (research). However, we’ve had some serious bottlenecks during times when many users are logging on for the first few times (getting new profiles) or when an entire class pushes print in order to submit a paper to a teacher just as class ends. When 16 users are all logging on at once, we have issues where the users’ mapped drives, and so on don’t always load properly, and the actual boot time is very long due to the battle for bandwidth the machines are waging. Similar problems occur when a lot of users print or try to access bandwidth intensive Web sites.

Would upgrading the laptop cart access points to 802.11g help to alleviate the bottleneck from the machines to the access point during the peak though put times? We really don’t have a problem with the network once the data gets past the access point. I understand that some APs slow down to 802.11 when used with the 802.11b cards. If this is correct, can they still handle the wireless data coming though the air at the wider bandwidth?
—Kevin Ross, MCSE, A+
Cincinnati, Ohio

802.11g would definitely help. All of the users are sharing one wireless “pipe.” By making that pipe bigger, they’ll be able to work more quickly.
The trick is that if there are any 802.11b clients within range of the 802.11g AP, then all 802.11g devices will operate at a slower, “mixed-mode” speed. It’s faster than b, but much slower than full g. The only way around that is to eliminate all b clients within range of the AP.
Glad you enjoyed the article!
—Don Jones

NTFS and Encryption
Thanks for pointing out the presence of the CvtArea option in Chris Brooke’s January’s “Scripting for MCSEs” column, “Build a Better NTFS Converter. I was unaware of that.

A minor nitpick, though... Without specifically enabling encryption for files, they won’t be more secure than on FAT32. ACLs are enforced by Windows, not the file system. With an NTFS-aware boot disk or a Linux boot disk, the file system is bare, and all security—except encryption—ineffective. If physical access to the drive is possible (like a stolen laptop) and you’re not using encryption, don’t depend on NTFS security features to protect that data. This goes for any unencrypted file system.

Encrypt those documents and spreadsheets if you want them secure—this is very important. If you’re not familiar with this, give it a try. Download that NTFS boot disk (not the Windows XP install disk; it enforces those permissions). You won’t need the admin password to mount the volume and you can read any file on the system. Any modern Linux CD should be able to do this, too.
—Phil, via online
Columbia, Missouri

Thanks, Phil. Actually, I did mention encryption in the column, but it was sort-of "in passing." Indeed, you’re correct: EFS is the only effective way to protect files in the event that someone gains physical access to the computer. Oh sure, you could enforce BIOS passwords and configure your BIOS to disable the floppy and CD-ROM. Of course, then all they need is a small screwdriver to remove the drive and place it in an external enclosure and they would once again have access. Thanks for pushing us to give EFS its due!
—Chris Brooke