Windows 2000::Security Policy

secedit can be run with switches to force the application of policies from AD.
SECEDIT /refreshpolicy machine_policy [or user_policy] /enforce


IP Accelerator

interesting product:

Citrix Performance Counter Recommendations

Reference from:
Formatted into a table. Most of it is basic common sense and goes for any Windows server.
Counter                     Recommendation
processor utilization       less than 90%
processor interrupts        average 100 per second
context switches            less than 500 per second
memory-available bytes      greater than 32 MB + 4-14 MB per user + 1 MB per idle session
memory-pages per second     less than 5
percentage of disk time     greater than baseline
disk queue length           1.5 to 2.0, >2 may mean disk hardware incompatibility or failure
NIC Bytes Total / second    less than network transfer rates


Citrix::Outlook::Execute PRF on first run

I haven't tried this but it sounds promising. It might trigger some ideas some day.
From a newsgroup:

Configure the registry to trigger Outlook to import the PRF file when Outlook starts up. You can use the Add/Remove Registry Entries page in Custom Installation Wizard or the Custom Maintenance Wizard to deploy these registry key options to your users. You can also use the wizards to distribute the PRF file to users by using the Add/Remove Files page.
Delete the following registry key value: HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Setup\First-Run.
In the HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Setup subkey, set the value of ImportPRF to a string value that specifies the name and path of the PRF file. For example, set ImportPRF to \\server1\share\outlook.prf.

Perl::Script::Rename Files

Below is a sample script depicting file directory operations. This was a fast and dirty script to rename files into a different name format. It doesn't deal with name collisions when users have the same last name. I only had a handful of them to deal with:

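use strict;
use warnings;

my $indir  = 'c:\\dev\\picname\\input';
my $outdir = 'c:\\dev\\picname\\output';

# read the whole directory listing up front, then close the handle
opendir(my $dh, $indir) or die "Cannot open $indir: $!";
my @files = readdir($dh);
closedir($dh);

foreach my $file (@files) {
    # skip the directory's own "." and ".." entries
    next if $file eq '.' or $file eq '..';

    # input filename
    my $infile = "$indir\\$file";

    # output filename: keep only the text before the first comma or space
    my @temp = split(/(?:,\s|\s)/, $file);
    my $newfile = "$outdir\\P-$temp[0].jpg";

    print "$infile --> $newfile\n";

    # no collision handling: two inputs with the same first token
    # map to the same output name
    rename($infile, $newfile) or warn "Could not rename $infile: $!";
} # end foreach $file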


Citrix/NT Terminal Server Optimization



Terminal Server and Citrix Metaframe

Microsoft Terminal Server is a totally different beast than your standard NT, and although most of the tips mentioned elsewhere apply, there are a number of special considerations that need to be looked at.


In Control Panel / Network / Services / Server / Properties, set the option to Maximize Throughput for Network Applications. The system default is Minimize Memory and it was originally thought that Maximize Throughput for File Sharing was the best setting, but testing has disproved this.


Go to Control Panel / System / Performance and make sure the Best Foreground Application Response is set to maximum.


In Control Panel / System / Performance / Change, set the Registry Size to at least 50MB. Many people say that it should be set to at least 4 times the default setting to allow for growth, but we believe that for many people this is too large. Our advice would be to monitor the growth of your registry and set it accordingly; 50MB will be adequate for most people.


In Control Panel / System / Performance / Change make the Paging File 2.5 times the size of the system memory.


Do not give anyone access to screensavers. This can be done through system policies but we also recommend, once all the applications are loaded onto the system, doing a search for all files ending with a .scr and deleting them.


Stop people changing their desktop wallpaper. Again this is a system policy option, but for Metaframe users why not go to Citrix Connection Configuration / Advanced and tick the Disable Wallpaper Option?


In some cases, the logon process may be very slow due to an application searching for fonts. Applications such as Lotus CC:Mail and NWScript can cause this problem. To overcome this issue, at Control Panel / System / Environment go to the System Variables section and click on the variable named Path. To the end of this string add ;%SystemRoot%\Fonts and click Set.


If you do not use audio in your thin client setup then disable this both on the client and the server. If you use Metaframe this can be done in Citrix Connection Configuration / Client, tick the Client Audio Mapping. However this only works for ICA clients not RDP and the sound is still played on the server even though the client can’t hear it. To disable this entirely go to Control Panel / Sounds and make the scheme No Sounds.


Supercache is the new caching technique introduced by Citrix in hotfix ME180021.EXE for Metaframe 1.8, in ME100044.exe for Metaframe 1.0 and in hotfix SE17B099.EXE for Winframe 1.7.

SuperCache is a new caching technique that can result in a large improvement in usability and performance over a slow connection, or for applications that tend to redisplay a large area of the screen in response to small localized changes. Example applications that will show a large caching improvement over a slow connection are Microsoft Internet Explorer (IE) and Visual FoxPro.

Once the hotfix is installed SuperCache is still disabled and needs to be enabled to work. You do this by going to the Command Prompt and typing:

Keysync ICAThinwireFlags /Enable:2

To disable type:

Keysync ICAThinwireFlags /Disable:2

You will need to reboot in order for these settings to come into effect.

When SuperCache is enabled, large bitmaps are displayed in a number of columns in left to right order, instead of top to bottom order. This is readily apparent when running a client over a slow line.

CITRIX::Slow/lag in keystrokes

Sometimes when typing a document or e-mail in a Citrix session the server stops accepting keystrokes and my typing gets "buffered" then eventually catches up.
A couple of newsgroup articles warn that if latency gets up to 650ms to 700ms Citrix sessions start to die.
A continuous ping from an affected workstation to the server shows response times of 20-30ms for 99% of the time with occasional responses over 400ms to maybe 550ms max.
On the client I am trying setting "latency reduction" to ON and checking the "local text echo" box.
This can be set up automatically by changing lines in the APPSRV.INI:

This needs to be changed in the copy of this file in the user profile directory of the client machine:
C:\Documents and Settings\[USERID]\Application Data\ICAClient

(there is also a copy in the program directory - a bit confusing.)

Network Troubleshooting Tools

Hot Tools presentation, Laura Chappell

- NetScan Tools Pro: $199
Many features, excellent help file including RFC references and detailed information.

- Ethereal: Free!
Excellent free traffic capture and analysis. !Can sort the tracefile by column!

- Sam Spade: Free!
A smaller multifeatured program like NetScan Tools. Their tools can also be run from their website for testing outside firewalls/etc.

- Snort + IDSCenter: Free!
Free Intrusion Detection utility. IDSCenter -> graphical interface into Snort.

- Nmap: Free!
Port/Ping Scanning & OS fingerprinting
Version available for NT

- Ettercap: Free!
Attack tool - use only for testing and with extreme caution.
"Man in the middle" tool to inject characters into datastream or kill connections.

- GRC Tools: Free tools from Jim Gibson
e.g. ID Serve - OS fingerprinting tool

- DSniff: various tools
e.g. passive tools such as MailSnarf - passive packet analysis tool for smtp & active attack tools: Arpspoof, DNSspoof
Macof - attacks a switch attempting to force it into "failover mode" making it "a hub"

- Specter Honeypot: $899 ($599 "Specter Light")
Specter Light - only pretends to be a Windows version.
runs on Win2K.

- White Glove: $99
White Glove = CDROM bootable Linux (separate)
Deception Toolkit = honey pot that runs well under White Glove

- AirMagnet: ?buy through reseller?
Can run on IPaq!
Wireless analyzer to find 802.11a&b traffic on what channels.
Passive listener - doesn't actively probe for access.

- GPS + Antennas
Interface to wireless device to record locations.
amps & antennas - need in depth consulting help to select amp & antennas that go together and suit your needs.

- L0phtCrack - now LC4: $99 - "John the Ripper" <-Linux only
Password auditor/cracking
Has 15 day trial download available - brute force attack not available.

- LANGuard
?free for noncommercial use?
vulnerability scanner - various scans/probes, OS fingerprinting, and various recon: http banner page, file shares, possible vulnerabilities.
GFI has various tools available. Some are freeware: network security scanner and security alerts

- NetStumbler/MiniStumbler (PocketPC): Free
actively polls wireless channels - can be averted by disabling poll responses on access points.
Can be interfaced into GPS to log coordinates with access point info - to map active access points.

- Invisible Secrets: $39.95
LSB steganography tool - Least Significant Bit Steganography
2 types = Data injection, Data replacement
steals 1 or more bits from each byte to hide another image inside the carrier image.

- HexWorkshop: $49.95
Hex Editor

- Etherpeek: $995 - standard version
protocol analyzer with Expert assistance built-in (in NX version: $3495)

- Sniffer: $$$thru reseller
protocol analyzer. Strength = its excellent decode capability.
I use it and I really like its "scope" view. Its well integrated tools make it easy to use and fairly intuitive (for this category of product.)

- Iris: $
was "capturenet" and "peepnet"
traffic analyzer - useful to reconstruct HTTP web browsing sessions.

- Brutus: Free!
Password cracking tool using your own password file.

- CameraShy: Free!
A Cult of the Dead Cow browser created to communicate with Chinese dissidents.
Identifies images with possible steganography altered files. = a test page.
Product "6/4" was also created for peer to peer file sharing and firewall tunnelling.

- PingPlotter: $24.95

- KeyGhost: $99 - $199 depending on memory
Hardware Keylogger - keystrokes stored in the hardware device. Can be viewed from the machine with the password/etc.

- SpyCop: $69.95
Software to check computer for spyware or malware.


Digital Prints Online

I love my digital camera. I use SnapFish to print my digital pictures. When I order 100 or more they are $0.25 per print.
Others available:
and "as low as $0.22 per print" - when you prepay for 500 prints.


Windows 2000 SP4 Issues

Compiled at:

- Includes Citrix logon issues.


Spam::Avoiding address harvesting from your website

I loathe people who use robots to walk through websites gleaning e-mail addresses. To help prevent it, some say, you can hide the e-mail address itself and instead call a script to redirect mailto links. However, how soon until the spammers read these articles and rewrite their code to guess at e-mail link redirector parameters (or recognize implementations copied from, or very close to, the examples provided by the helpful people who gave us the information)?

I like the above ideas best, however there are some other possibilities.

Many say you should "munge" your address by writing it something like:
datacomguy -at- bigfoot -dot- com

I see this all over the place, but let's face it: most people out there are barely able to deal with such complex ideas as "click that little address and it will send me an e-mail." Expecting people to read your instructions, understand what to do, and use their keyboard and fingers to type your e-mail address into their e-mail software will be excluding 90% of the civilized computer using world who are either too thick or just too lazy to do it.
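An added example, not part of the original post: a Python check to run over your own pages and see which addresses are still recoverable from mailto links, HTML entity encoding or "-at- / -dot-" munging. The sample page, the example.com addresses and the function name audit_page are constructed for illustration.

```python
import html
import re

# Plain address, as it appears in page text or inside a mailto: link.
PLAIN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
MAILTO = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.IGNORECASE)
# Munged separators: -at- / (at) / [at] and -dot- / (dot) / [dot].
AT = r"\s*[(\[-]\s*at\s*[)\]-]\s*"
DOT = r"\s*[(\[-]\s*dot\s*[)\]-]\s*"
MUNGED = re.compile(
    r"([A-Za-z0-9._%+-]+)" + AT + r"([A-Za-z0-9-]+(?:" + DOT + r"[A-Za-z0-9-]+)+)",
    re.IGNORECASE,
)
DOT_RE = re.compile(DOT, re.IGNORECASE)

# Constructed sample page: one address per hiding technique, plus a form link.
SAMPLE_PAGE = """
<p>Sales: <a href="mailto:sales@example.com">write to us</a></p>
<p>Webmaster: webmaster -at- example -dot- com</p>
<p>Support: support&#64;example&#46;com</p>
<p>Contact: <a href="/contact.cgi?to=3">use the form</a></p>
"""

def audit_page(markup):
    """Return {address: sorted exposure kinds} for one page of HTML."""
    findings = {}
    # Entity-encoded characters (&#64; for @) decode to plain text here.
    text = html.unescape(markup)

    def note(addr, kind):
        findings.setdefault(addr.lower(), set()).add(kind)

    for m in MAILTO.finditer(text):
        note(m.group(1), "mailto")
    for m in PLAIN.finditer(text):
        # Visible only after decoding means it was entity-encoded in the source.
        note(m.group(0), "plain" if m.group(0) in markup else "entity-encoded")
    for m in MUNGED.finditer(text):
        note(m.group(1) + "@" + DOT_RE.sub(".", m.group(2)), "munged")
    return {addr: sorted(kinds) for addr, kinds in findings.items()}

if __name__ == "__main__":
    for addr, kinds in sorted(audit_page(SAMPLE_PAGE).items()):
        print(addr, "exposed via", ", ".join(kinds))
```

Only the form link, which keeps the address on the server, produces no finding.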

I've also seen some who turn *all* e-mail address links into graphics and link each of them to their own custom response form. This is going a bit far and is a bit more labor intensive. This method does have the advantage of being able to *totally* hide your e-mail address. Senders will have a much less "feature rich" experience sending you e-mail using a form. Making a paragraph break or a bulleted list will be difficult or impossible. And they are likely to hit the send button impatiently one or several times more while the next page is rendering. Or they might wonder if "it went through" and send you the same message again.