12/16/2004

Cisco::Network


Cisco CCNA Preparation
Cisco has made a wonderful site available for those preparing to take the CCNA exam. It could also be very useful to read up on topics there even if you don't plan on getting certified.

http://www.cisco.com/go/prepcenter

You will need to be registered with a Cisco profile, such as you would already have to submit support incidents via web.

12/07/2004

VOIP::Security


Security concerns with VOIP & SIP are discussed at:
http://www.eweek.com/article2/0,1759,1734367,00.asp

Response from a Cisco CCIE security engineer:
My opinion is that in the enterprise, voice spam will be no worse or better than
data spam. With our solution, all spam (either voice or traditional email) will be
filtered or stored based on administrative storage policies on the email message
stores. I think the bigger problem will be with SIP phones and Internet Telephony
to the home, where there are NO corporate policies in place to control the amount
or type of email that gets sent to the home email user.

In regards to the other issues, in particular the DDoS attacks and other network
attacks, Cisco addresses those with our defense in depth approach to securing the
entire network infrastructure. The specific attack mitigation strategies and
deployment guidelines are detailed in the SAFE Whitepaper, SAFE: IP Telephony
Security in Depth. This whitepaper can be located at:
http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safip_wp.pdf

I'd also like to mention the Network World article regarding the voice security
testing of a Cisco IP Telephony infrastructure. By building a secured
network infrastructure, Cisco IP Telephony was the only IP Telephony system
to be rated "Secure" by Miercom, which provided the testing for the Network
World article. Details of the test can be located at:
http://www.nwfusion.com/reviews/2004/0524voipsecurity.html


10/22/2004

HTML::Redirect



<html>
<head>
<meta HTTP-EQUIV="REFRESH" content="0;url=http://www.mypage.com/ccmuser">
</head>
<body>
If you are not redirected to the logon page, click below:

<a href="http://www.mypage.com/ccmuser">http://www.mypage.com/ccmuser</a>
</body>
</html>

10/21/2004

Windows::XP::Wireless::Network::User Profile


I can't connect to my wireless network if I log on to my computer as administrator.
Wireless configuration settings are stored in the user profile folder:
c:\documents and settings\[userid]

They are stored in the hidden system folder named WLANProfiles.
Copying this folder to the other user profiles allows those users to connect to the wireless LAN with the same configuration settings, such as WEP keys and preferred networks.

10/01/2004

9/23/2004

Regular Expressions


I want to create a regex that finds everything before the first period in a string (for example, matching the "www" in "www.google.com"). The problem is that
^.*\.
won't stop at the first occurrence; because .* is greedy, it matches "www.google." instead.
To do this the regex is:
^[^.]*\.

That means: match zero or more of any character that is NOT a period, followed by the period itself.
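The greedy and negated-class patterns side by side, as an added example that is not part of the post; it also covers the cases the post does not mention (a leading period, no period at all) and the lazy-quantifier alternative.

```python
import re

# The greedy pattern from the post: ".*" grabs as much as it can and only
# backs off to the LAST period, so it matches "www.google." in "www.google.com".
GREEDY = re.compile(r"^.*\.")

# The negated character class cannot cross a period, so it stops at the FIRST one.
FIRST_LABEL = re.compile(r"^[^.]*\.")


def greedy_prefix(s):
    """What the naive pattern matches (None when the string has no period)."""
    m = GREEDY.match(s)
    return m.group(0) if m else None


def before_first_period(s):
    """Text before the first period, using the negated-class pattern.
    Returns None when there is no period at all (the pattern requires one)."""
    m = FIRST_LABEL.match(s)
    return m.group(0)[:-1] if m else None


def before_first_period_lazy(s):
    """Same result with a lazy quantifier (.*?): the engine grows the match one
    character at a time, so it also stops at the first period."""
    m = re.match(r"^(.*?)\.", s)
    return m.group(1) if m else None


if __name__ == "__main__":
    for sample in ("www.google.com", ".hidden", "nodots"):
        print(sample, greedy_prefix(sample), before_first_period(sample),
              before_first_period_lazy(sample))
```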

9/20/2004

Change Management

9/16/2004

Update Recipient Policy-NOT


How can you find a list of the users for which you have unchecked the box "Automatically update e-mail addresses based on recipient policy"?

ldifde -f USERS.TXT -r "(objectClass=user)" -l msExchPoliciesExcluded
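A parser for the LDIF file the ldifde command above writes, added here as an example and not part of the post. Every user object is exported, but only the users with the box unchecked carry the msExchPoliciesExcluded attribute, so listing the entries that have it answers the question. The sample file is constructed, and the policy GUIDs in it are placeholders.

```python
import base64

# Constructed sample of ldifde output (placeholder GUIDs, made-up users). It
# includes the two LDIF features a naive line-by-line grep gets wrong: a folded
# line (continuation starts with a space) and a base64 value (double colon).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=com
changetype: add
msExchPoliciesExcluded: {00000000-1111-2222-3333-444444444444}

dn: CN=Bob Example,OU=Users,DC=example,DC=com
changetype: add

dn: CN=Carol Example,OU=Long Name Organizational Unit,DC=example,DC=c
 om
changetype: add
msExchPoliciesExcluded: {00000000-1111-2222-3333-444444444444}
msExchPoliciesExcluded: {55555555-6666-7777-8888-999999999999}

dn:: Q049RGF2ZSBFeGFtcGxlLE9VPVVzZXJzLERDPWV4YW1wbGUsREM9Y29t
changetype: add
msExchPoliciesExcluded: {00000000-1111-2222-3333-444444444444}
"""


def _unfold(text):
    """Join LDIF continuation lines: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.
    'attr:: value' means the value is base64-encoded."""
    entries, current = [], {}
    for line in _unfold(text):
        if not line.strip():            # a blank line ends the entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _sep, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def users_excluded_from_policy(text):
    """DNs of exported users that have msExchPoliciesExcluded set, i.e. the
    'Automatically update e-mail addresses' box was unchecked for them."""
    return [e["dn"][0] for e in parse_ldif(text) if "msExchPoliciesExcluded" in e]


if __name__ == "__main__":
    for dn in users_excluded_from_policy(SAMPLE_LDIF):
        print(dn)
```

Run it against the real export with `users_excluded_from_policy(open("USERS.TXT").read())`.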

8/13/2004

Spyware


Spyware are the children of S A T A N.

This is a very good site for all of us fighting Spyware.


Spyware Warrior

7/30/2004

::Spyware::


Spy Blaster at www.spyblaster.com is actually a rogue spyware tool that makes these problems worse. There are now a multitude of untrustworthy "spyware" products out there. These can be trusted:
Ad-aware, Pest Patrol, Spybot Search & Destroy, and Webroot Spy Sweeper
Spybot and Ad-aware have free versions.
Be sure to run Ad-aware engine 6.181 and update to the latest "pattern" file every time.
Run Spybot 1.3 with the latest updates.
Often "cleaning" doesn't even work unless you turn off WinXP System Restore and run the removal in Safe Mode.
HijackThis.exe is good for finding browser helper objects.
Also, see my prior posting about using ActiveX filters.
Once you are really messed up with spyware it is often easier (and faster) to just wipe out your machine and start fresh.

7/27/2004

AD::Exchange::LDP


Using ldp.exe to look up a user in Active Directory
Great tip about using LDP.EXE to look up which user has a particular mail nickname. My more brute-force standby method would have been to use LDIFDE to export them all and then search the entire list: http://datacomguy.tripod.com/blog/2003/08/exchange-2000export-e-mail-aliases.html

Using LDP to lookup user object:
1. Start ldp.exe
2. Connection | Connect and choose your DC
3. Connect | Bind and authenticate
4. View | Tree and browse to the top-level OU from which you want to search
5. Connect | New to clear the right pane
6. Right click on that OU and choose Search
7. To search on the alias, use: "(&(objectclass=*)(mailnickname=aliasnamehere))"

Further information: http://support.microsoft.com/?kbid=224543
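Building the search filter from step 7 with the alias escaped per RFC 4515, as an added example that is not from the post or from LDP. If the alias comes from user input, an unescaped "*" or ")" changes what the filter matches; the small evaluator below runs only the mailnickname clause against constructed entries (not real accounts) so the difference is visible without a domain controller.

```python
import re

# RFC 4515 escaping for a value embedded in an LDAP search filter. Without it a
# supplied alias such as "*" or "x)(objectClass=*" changes the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def alias_filter(alias):
    """The filter from the post, with the alias escaped into the mailnickname clause."""
    return "(&(objectclass=*)(mailnickname=%s))" % escape_filter_value(alias)


def assertion_to_regex(assertion):
    """Translate an LDAP assertion value to a regex: an unescaped '*' is a
    wildcard, '\\xx' is a hex-escaped literal character, everything else is
    literal. Matching is case-insensitive, as mailNickname is in Active Directory."""
    parts, i = [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "*":
            parts.append(".*")
            i += 1
        elif ch == "\\" and i + 2 < len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        else:
            parts.append(re.escape(ch))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def find_by_alias(entries, alias, escape=True):
    """Evaluate the (mailnickname=...) clause against a list of entries;
    objectclass=* is a presence test that every entry passes anyway."""
    assertion = escape_filter_value(alias) if escape else alias
    rx = assertion_to_regex(assertion)
    return [e["dn"] for e in entries if rx.match(e.get("mailNickname", ""))]


# Constructed directory entries (not real accounts).
ENTRIES = [
    {"dn": "CN=John Smith,OU=Users,DC=example,DC=com", "mailNickname": "jsmith"},
    {"dn": "CN=Jane Smith,OU=Users,DC=example,DC=com", "mailNickname": "jsmith2"},
    {"dn": "CN=Admin,OU=Users,DC=example,DC=com", "mailNickname": "admin"},
]

if __name__ == "__main__":
    print(alias_filter("jsmith"))
    print(find_by_alias(ENTRIES, "jsmith"))
    print(find_by_alias(ENTRIES, "jsmith*", escape=False))  # raw wildcard: two hits
    print(find_by_alias(ENTRIES, "jsmith*"))                # escaped: no hits
```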

7/22/2004

SMTP::Headers::Manual testing


I was trying to explain how to do this to somebody today and decided to look for a reference about it rather than try to write my own.
Lo and behold:

http://support.microsoft.com/default.aspx?kbid=153119&product=exch2k

Windows::Time


Set time to Naval Observatory
http://support.microsoft.com/default.aspx?scid=kb;EN-US;314054
Windows includes W32Time, the Time Service tool that is required by the Kerberos authentication protocol. The purpose of the Time Service is to ensure that all computers that are running Microsoft Windows 2000 or later in an organization use a common time.

To ensure appropriate common time usage, the Time Service uses a hierarchical relationship that controls authority, and the Time Service does not permit loops. By default, Windows-based computers use the following hierarchy:
All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
All member servers follow the same process that client desktop computers follow.
All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. It is recommended that you configure the PDC operations master to gather the time from an external source. This event is logged in the System event log on the computer as event ID 62.

Administrators can configure the Time Service on the PDC operations master at the root of the forest to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative. Use the following net time command:
net time /setsntp:server_list

The United States Naval Observatory runs several SNTP time servers that are satisfactory for this function, for example, ntp2.usno.navy.mil (at 192.5.41.209) and tock.usno.navy.mil (at 192.5.41.41).

After you set the SNTP time server as authoritative, run the following command on computers other than the domain controller to reset the local computer's time against the authoritative time server:
net time /set

Cisco::Switch::Inline Power


Worth noting:  the "old" inline power modules from Cisco provide "Cisco proprietary" inline power to Cisco devices.  The new "AF" standard modules provide the "new" standard POE power.
And the 4506 switches can have a limited power capacity that must be planned for.   There is a calculator at:
http://tools.cisco.com/cpc/launch.jsp
I can't fill up my 4506 chassis with inline power modules and provide power to all the modules and still have redundancy for the 2800W power supply. 

This link contains more details about power supplies and providing inline power with 4500 series switches:
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_data_sheet09186a00801f3dd9.html
It is possible to add an external power source using a "shelf" and installing power supplies in it to provide for power supply redundancy:

WS-P4502-1PSU
Catalyst 4500 Aux. Power Shelf (2 slot), incl. one PWR-4502

PWR-4502
Catalyst 4500 Aux. Power Shelf Redundant Power Supply

To get one each of the above would be about $6K




7/16/2004

Exchange Technical Information


While googling it is sometimes easy to forget to check the obvious. The excellent technical information provided by Microsoft is not to be ignored:
Microsoft Exchange Server: Outlook Information

Check out this great PDF from the top of the list above:

Client Network Traffic with Exchange 2000

Outlook/Exchange Network Traffic


This is an excellent article:
Control Client Network Traffic

It contains an interesting discussion of the Exchange Provider binding order contained in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Exchange Provider\Rpc_Binding_Order
The article defines them as follows:
Network Protocols for MAPI Clients

Registry protocol   Meaning
ncalrpc             Local RPC calls (client and server on the same system).
ncacn_ip_tcp        TCP/IP transmitted over Winsock. The client locates the server using DNS, a local hosts file, or a raw IP address, but not NetBIOS.
ncacn_spx           Novell SPX using the NetWare Bindery to locate the server. NetBIOS is not used.
ncacn_np            Named pipes. The client locates the server using a NetBIOS computer name, WINS, or LMHOSTS.
netbios             The default NetBIOS protocol.
ncacn_vns_spp       Banyan VINES.

The article recommends removing the bindings that you do not use, e.g. VINES, Novell SPX, and so on.


7/13/2004

SpyWare


Kill ActiveX spyware before it loads
Download a reg file to merge to set the "kill bit" on bad ActiveX spyware to prevent them from loading.
http://www.spywareguide.com/blockfile.php

See info at:
http://support.microsoft.com/support/kb/articles/q240/7/97.asp

VOIP::Video Conferencing::ISDN



AT&T IP Gateway Services is an interesting solution to provide bridging and gateway services to an IP video conferencing endpoint without being required to provide ISDN BRI service to the endpoint location. If you already have excess capacity on an AT&T internet T1/T3 connection you can use that to make the connection to the service. And there are no monthly recurring charges, only usage charges. Details: http://www.business.att.com/products/productdetails.jsp?productid=vgs

I plan to use an ISDN backup to this solution which could also provide add'l capacity to make one more call if we ever need it. This ISDN switcher can be used to share this between up to 4 endpoints (one at a time.) http://www.covid.com/VConferencing/CVD5316.html

7/10/2004

More DNS



From: MyITForum

Have you pinged a machine before by name, got a reply, but when you attempt to connect to it, you connect to a different machine name or cannot connect at all? If you shook your head in agreement, nodded, mumbled something about this happening to you, then this article may shed some light.

Windows 2003::DNS


Interesting contribution to MyITForum:

FEATURED ARTICLE:
---------------------------------------------------------------------
Windows Server 2003: The EDNS0 enigma
by Marcus Oh, Contributor myITforum.com

During a migration to Windows Server 2003, we upgraded our root
domain name server (DNS). Although everything appeared fine, we
started receiving complaints about getting to certain sites. Areas of
Yahoo, such as mail.yahoo.com and finance.yahoo.com, seemed to be the
biggest issue. At first, it looked like Yahoo was unresponsive to
queries. However, we found host records to other sites were resolving
properly, but their MX records were not. This meant that e-mail was
not routing!

As a means of troubleshooting, we double-checked all our DNS
configurations. Everything looked fine. As a second step, we gathered
network traces to find out what was going on. The traces showed
packets leaving the root DNS server, destined for Yahoo, but showed
no replies returning.

The problem here is that Windows 2003 enables Extension Mechanisms
for DNS (EDNS0 as defined in RFC 2671), a standard introduced in
1999, by default. EDNS0 allows requestors to advertise their EDNS0
capabilities, hence receiving UDP packets larger than 512 bytes.

While this in itself is not problematic, some firewalls do not allow
UDP packets larger than 512 bytes. This explains why the network
traces showed nothing returning! Our DNS servers were sending out
packets advertising themselves as capable of EDNS0, and our firewalls
were dropping the responses. Turning off EDNS0 support allowed all
queries to work as expected.

If you're experiencing the same issue or planning an upgrade of your
own, this command will disable this enabled-by-default feature:

dnscmd ServerName /Config /EnableEDnsProbes 0


Good to know!
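What "advertising EDNS0" means on the wire, as an added example that is not part of the article: a query with the RFC 2671 OPT pseudo-RR carries the requestor's UDP payload size in the OPT record's CLASS field, and a firewall that caps DNS/UDP at 512 bytes then drops the larger replies the server is allowed to send. The packet builder, the parser and the firewall model are all constructed here; the yahoo.com MX query mirrors the article's symptom.

```python
import struct

TYPE_MX, TYPE_OPT = 15, 41
CLASSIC_UDP_LIMIT = 512   # RFC 1035: DNS over UDP is limited to 512 bytes unless EDNS0 says otherwise


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txn_id=0x1234, edns_udp_size=None):
    """Build a DNS query. With edns_udp_size set, append the OPT pseudo-RR in
    the additional section; its CLASS field carries the UDP payload size the
    requestor is willing to receive (that is what "advertising EDNS0" means)."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, arcount)  # RD bit set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)         # class IN
    pkt = header + question
    if edns_udp_size:
        # OPT RR: root name (0x00), TYPE=41, CLASS=UDP size, TTL=ext-RCODE/version/flags, RDLEN=0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return pkt


def _skip_name(pkt, off):
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer, two bytes
            return off + 2
        off += 1 + length


def advertised_udp_size(pkt):
    """Walk the message and return the UDP payload size from its OPT RR, or the
    classic 512-byte limit if the message carries no EDNS0 OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def udp_reply_delivered(query, full_answer_len, firewall_udp_limit=CLASSIC_UDP_LIMIT):
    """Model of the article's failure. The server sends at most the size the
    query advertised (truncating beyond it, which makes the client retry over
    TCP). A firewall that drops DNS/UDP above firewall_udp_limit then decides
    whether that reply ever arrives."""
    reply_len = min(full_answer_len, advertised_udp_size(query))
    return reply_len <= firewall_udp_limit


if __name__ == "__main__":
    q = build_query("yahoo.com", TYPE_MX, edns_udp_size=4096)
    print("advertised:", advertised_udp_size(q), "900-byte reply passes:", udp_reply_delivered(q, 900))
```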

7/08/2004

WAN::Internet::Redundancy



Interesting load balancing product at http://www.firewalls.com/pc/viewPrd.asp?idcategory=42&idproduct=129

Cisco::Firewall::Redundancy



This poor guy at http://www.dslreports.com/forum/remark,10404384~mode=flat has my same problem.

I get no help from their recommendations. I've been down that thought process before and I still don't think I can NAT two separate IP subnets through PIX and get them routed out the correct default route that way.

Cisco::Firewall



For troubleshooting PIX to PIX vpn:

show crypto isakmp sa


This has acted kind of squirrely lately.

Cisco::Router::Firewall::Routing Based on Source Address


With a hint from http://puck.nether.net/lists/cisco-nsp/9020.html
The setup for policy based routing to accomplish this is something like:

access-list 1 permit 1.2.3.192 0.0.0.63
! wildcard mask 0.0.0.63 covers the source block 1.2.3.192-1.2.3.255 (/26)
!
interface ethernet0/0
ip policy route-map policy-map
!
route-map policy-map
match ip address 1
set ip next-hop 1.2.3.193


The Cisco docs are at: http://www.cisco.com/univercd/cc/td/doc/product/software/ios112/112cg_cr/5rbook/5riprout.htm#xtocid2198498
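A model of how the router evaluates that configuration, added here as an example (not Cisco's code or the post's): which source addresses ACL 1 matches under Cisco wildcard-mask semantics, and which next hop the route-map sets. It also shows how a mistyped wildcard such as 64.0.0.0 instead of 0.0.0.63 silently matches the wrong hosts. The route-map table mirrors the post's placeholder addresses.

```python
import ipaddress

# Constructed route-map table mirroring the post's config: ACL 1 permits the
# 1.2.3.192 block (wildcard 0.0.0.63 = /26); matching sources go to 1.2.3.193.
POLICY_MAP = [
    {"acl": [("permit", "1.2.3.192", "0.0.0.63")], "next_hop": "1.2.3.193"},
]


def _u32(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(addr, acl_addr, wildcard):
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care'.
    Only the bits where the wildcard is 0 must equal the ACL address."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(acl_addr) & care)


def wildcard_to_cidr(acl_addr, wildcard):
    """For a contiguous wildcard (e.g. 0.0.0.63) give the equivalent prefix.
    A non-contiguous wildcard such as 64.0.0.0 has no CIDR equivalent -> None."""
    w = _u32(wildcard)
    if (w + 1) & w:                       # not of the form 2**n - 1
        return None
    prefix = 32 - w.bit_length()
    return str(ipaddress.ip_network("%s/%d" % (acl_addr, prefix), strict=False))


def acl_permits(acl, src):
    """Standard ACL: first matching entry wins; the implicit deny ends the list."""
    for action, acl_addr, wildcard in acl:
        if wildcard_matches(src, acl_addr, wildcard):
            return action == "permit"
    return False


def policy_next_hop(src, policy_map=POLICY_MAP):
    """Next hop the route-map sets for a source address, or None when no entry
    matches and the packet falls back to the normal routing table."""
    for entry in policy_map:
        if acl_permits(entry["acl"], src):
            return entry["next_hop"]
    return None


if __name__ == "__main__":
    print(wildcard_to_cidr("1.2.3.192", "0.0.0.63"), policy_next_hop("1.2.3.200"))
    # the typo: 64.0.0.0 ignores one bit of the FIRST octet, not the last 6 bits
    print(wildcard_matches("1.2.3.200", "1.2.3.192", "64.0.0.0"),
          wildcard_matches("65.2.3.192", "1.2.3.192", "64.0.0.0"))
```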

But this doesn't seem to work on PIX firewall.....

7/07/2004

Enterprise Instant Messaging


Client user demands "chat" features for our extranet for yet another ball and chain on their attorneys. I'm philosophically opposed. I spent some time researching security/etc.
MEMORANDUM
To: My Boss
From: DataComGuy
Re: Instant Messaging for Extranets

Public Instant Messaging Inadvisable
There are public instant messaging (“IM”) systems, such as ICQ, MSN, Yahoo Messenger, and AOL Instant Messenger (AIM). These services provide a freeware client to users and integrate them using a public directory service to authenticate users and public chat servers to connect them. The use of public instant messaging systems from the corporate network presents many security concerns.
  • Privacy:
    Communications take place in clear text, unencrypted, over the internet. In many cases, even a chat session between two people inside the same corporate network at adjacent desks will pass outside the organization over the internet through a public server and back in.

  • Network Security:
    For public IM services to operate within a corporate network environment, best practices for firewall configuration would need to be ignored in order to allow network traffic to pass to and from the workstations running the IM client software. Many of these changes would impact the security of all the servers and users connected to the network. The few security features that are available with public IM systems rely on the users installing additional security software or making configuration changes to the IM client. This reduces network security to its weakest link: if a single person fails to follow security guidelines, the entire network is vulnerable.

  • Authentication:
    Public IM systems allow anyone to join their directory service. As a result there is no way to know for certain who you are communicating with. When directory security is breached there is also a great possibility of an increase in unsolicited commercial e-mail (SPAM). The IM client itself is another channel spammers use to pass unsolicited messages. Although public services may take precautions, methods have been found to broadcast unsolicited commercial messages or other objectionable content. In addition, the directory service itself can be compromised to obtain lists of e-mail addresses for sending “traditional” SPAM.

  • Virus Infection:
    Most public IM services allow the exchange of files, bypassing network-based virus protection. This substantially increases the risk of virus infection. In addition, it is likely that viruses will be developed that exploit instant messaging clients to propagate themselves and/or execute. Often IM client software includes scripting features which would facilitate the creation of malicious message content. Already many IM script worms have been identified, such as W32Aimven.worm, W32Aplore@mm, and W32Holar.A@mm.

  • Policy Enforcement:
    When IM is used, there is no way to enforce corporate policies about file downloads, virus scanning, or security settings for the entire organization. Chats cannot be monitored and logged to enforce policies regarding communications.


  • Enterprise Instant Messaging
    There are several products on the market in the category of Enterprise Instant Messaging. Many of these products have simply taken the same insecure public class products above and moved them inside a firewall. While this addresses network security concerns it also prevents communication with users outside the network.

    Other products are gateways that encrypt traffic to and from public services. Some might proxy these sessions to insulate user machines from direct communication with the internet and may prevent inbound chat attempts from all but approved senders. Some of these products may provide policy enforcement options to require users’ IM clients to have their security features configured properly. This class of products doesn’t address privacy concerns with the public directory service and trusts the outside directory service to authenticate users. Most of these products still present network security concerns because the users on the inside of the network are still connecting at a packet level with users outside the network.

    The most secure products in this category have directory service and other servers installed in a DMZ network that can be protected from the internet and require no direct communication between internet machines and machines on the inside network. IBM Lotus Quickplace is an example of a product that creates this type of DMZ environment. The best products also provide administrative control to enforce corporate policies by such things as preventing file transfers, logging communications, encrypting communications, and so on.

    IBM Lotus Sametime server is a good choice for enterprise instant messaging. Sametime integrates with our IBM Lotus Quickplace extranet servers which could allow chat features to be added to the meeting rooms in addition to other IM features.

    Instant Messaging


    Does anybody use Enterprise IM? How do you handle security, viruses, etc? Does it integrate with AD or do you have to administer yet another directory?

    Here's a product I ran across and don't have time to look at right now.
    OmniPod

    6/30/2004

    Research::VOIP::Cisco IP Phone User Training

    Useful hits in my search on this topic -

    http://www.voiptrainer.com/ Video/DVD (pay) - wouldn't be customized.
    http://www.ciptug.org/ User group (pay)
    http://voip.concordia.ca/help/refmaterials/ A university's project site.
    http://www.cisco.com/warp/public/779/largeent/avvid/products/7960/index_1020.htm Pretty cool demo/tutorial free at Cisco.
    http://www.cisco.com/warp/public/cc/pd/unco/un/vodpr/ Cisco video on demand for Unity - too bad they don't have these for Call Manager for an admin audience and IP phones for a user audience.

    6/16/2004

    Video Conferencing: IP gateway services



    An excellent old article at nwfusion provided me a good starting point in researching alternatives to purchasing a video conferencing gateway/bridge.

    I found the following promising services:
    VC Gateway Services
    http://www.business.att.com/products/productdetails.jsp?productId=vgs


    http://www.enlightentech.net/new/prod_esdn.html


    http://www.glowpoint.com/Services/GlowpointUnlimited.html

    http://www.masergy.com/internet/products/html/incontrolvideo.jsp

    6/14/2004

    Symantec NAVCE Password Reset



    Interesting item from: Kevin

    ----------------------------------------------------------------------------
    Try to change this key in registry
    HKLM\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\ConsolePassword
    to value 1084A085DC6BD2D755D4D6A7726

    The new password is now symantec
    ----------------------------------------------------------------------------


    6/09/2004

    Electrical Receptacles & Plugs



    http://www.nema.org/DocUploads/A609D971-5F91-4D4C-A45AB58C4736B176/Plug_Receptacle.pdf
    contains a very useful reference with pictures to all the different plug and outlet types.

    e-mail disclaimers


    This article at: http://www.theregister.co.uk/2001/05/18/the_2001_daftas_most_incomprehensible/
    makes light of this e-mail disclaimer, but I think they are forgetting that hardly anyone using internet mail understands the basic issues outlined in it.

    I got an e-mail from helpdesk one day that a particular user complained e-mail was unbearably slow and it needs fixed. Calling the user I learned that someone had e-mailed him a power point presentation at 6:56 that he needed for a conference call at 7:00 and he didn't receive it until 7:03. This "unacceptable delay" was hindering the completion of his vitally important business.

    I'd say that rather than laughing and pointing, some version of that disclaimer needs to be below the send button of every internet mail client.

    5/14/2004

    MS Word::DocsOpen


    DocsOpen & MSWord weirdness
    When using "embedded smart tags" or "disable feature introduced after" options in DOCSOpen we get "invalid document path not found" errors. If somebody takes this document home and has the above options enabled it "infects" the document by setting the options to match and then craps out when imported into document mgmt.

    This MicroSystems document has a lot of great info about Word conversion issues.

    5/13/2004

    Strategic Management



    Strategic Management
    Strategic Management: Text and Tools for Business Policy, Second Edition
    Online textbook from University of Rhode Island professors.

    5/12/2004

    Avoiding TRIPOD.COM Sidebar

    Geeeez, tripod.com sticks a banner at the top of my site - isn't it enough that my site is advertising matchmaker services for tripod and heaven knows what else?

    Now they started sticking that stupid side bar search that brings up "other similar tripod sites."  But I haven't seen one that I want to be called similar to. 

    Am I complaining too much about stuff I get for free?  (But look at the Google search engine and Blogger, they are free but they aren't blatantly lame…)

    Hopefully you weren't turned away by this BS before you read this post.  To stop this insanity, I have a suggestion:

    If you are using Internet Explorer, set up http://*.tripod.com on the list of restricted sites. This will disable Java and prevent that crap from coming up every time you open one of my pages.


    5/11/2004

    Perl::Compiler::PAR


    I've mentioned PAR in the past. It's been a while since I used it and I recently had to set it up fresh on my machine. I've found my documentation on this process lacking and had a bit of trouble. For future reference, here is some more info.
    http://par.perl.org is the official site with the info to get setup.
    Check out the FAQ for installing on Windows. PPM is the best method. The Windows files/binary are available here too.

    5/06/2004

    Outlook::Calendar


    Outlook Team Calendar
    This looks promising:
    OLTeamCalendar

    But it tells me I need to download and install CDO and the url it refers me to says it's no longer available for download:
    http://www.microsoft.com/exchange/downloads/CDO.HTML

    5/05/2004

    Link::Freeware::Programming


    Jans Freeware Collection
    A great collection of freeware, articles, and information about various programming topics.
    Some interesting looking tools.

    4/27/2004

    DOCSOpen Outlook Integration


    One of many idiotic problems with this buggy integration -
    SD010943

    DOCS Open - Outlook Integration - Attaching Documents to Outlook XP Plain Text Format E-mail Messages

    In DOCS Open 3.9.5, using Outlook Integration Build 20, and in DOCS Open 3.9.6, using Microsoft Outlook XP, when you attempt to attach a document to an e-mail message in Plain Text format, instead of attaching the document, the View menu in Outlook expands and no document is attached.
    Steps to reproduce:
    1. Start DOCS Open.
    2. Start Microsoft Outlook XP.
    3. Open an existing e-mail message in Plain Text format.
    4. Click the Reply or Forward button.
    5. Select Insert>From DOCS Open (or click the toolbar button); a Quick Retrieve window appears.
    6. Select a document and click OK; the Insert Type window appears.
    7. Click Attach.
    8. Instead of attaching the document, the View menu in Outlook expands, and no document is attached.

    If you then open an e-mail message in HTML or Rich Text format and repeat the steps to reproduce as listed above, then two documents are attached (the document previously selected during the Plain Text e-mail and the current attachment). Once a document is successfully attached to an e-mail message, it is then possible to attach documents to Plain Text format e-mail messages.
    Resolution:
    This issue is resolved in DOCS Open 3.9.6 Outlook Integration Patch 1 (Build 24)

    4/23/2004

    Windows::Policy Restrictions


    "Add/Remove Programs has been restricted."
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall]
    "NoAddRemovePrograms"=dword:00000000
    "NoWindowsSetupPage"=dword:00000000

    4/20/2004

    MRTG::Server Monitoring::Windows 2000


    This http://www.wtcs.org/snmp4tpc/redirect.htm is an excellent source for CFG examples using MRTG to poll SNMP stuff off Windows servers.

    4/07/2004

    LAN Cabling::Tutorial


    This is a good tutorial covering several topics understandably:
    http://www.lanshack.com/cat5e-tutorial.asp

    4/02/2004

    Windows::Registry::Internet Explorer::Security Settings



    From: JSI


    5130 » How can I manage Internet Explorer Security Zones via the registry?

    The security zone settings for Internet Explorer are located at:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings


    AND


    HKEY_Local_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings


    The values that are located in both keys are additive. If a Web site is added to both keys, only the HKCU sites can be seen in the GUI, but both settings are enforced.

    If you only want machine based settings to be enforced, copy and paste the following to a HKLM_Only.reg file and Merge it with the computers registry:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "Security_HKLM_only"=dword:00000001


    The sub-keys of the Internet Settings key, for both HKLM and HKCU paths, are:

    TemplatePolicies
    ZoneMap
    Zones

    The Zones sub-key contains a sub-key for each zone defined. The defaults are:

    Key Meaning
    0 My Computer, NOT available in the Zone box of the Security tab.
    1 Local Intranet Zone.
    2 Trusted sites Zone.
    3 Internet Zone.
    4 Restricted Sites Zone


    These sub-keys contain the following Value Names:

    Value Name Data Type Meaning
    Description REG_SZ Displayed when you select a Zone in the Zone box of the GUI.
    DisplayName REG_SZ Displayed when you select a Zone in the Zone box of the GUI.
    Icon REG_SZ The icon that is displayed.
    CurrentLevel REG_DWORD The current Security setting.
    MinLevel REG_DWORD The lowest Security level allowed before a warning is issued.
    RecommendedLevel REG_DWORD The recommended Security level.
    Flags REG_DWORD Controls the users ability to modify the Security settings.


    The data values for the CurrentLevel, MinLevel, and RecommendedLevel Value Names are:

    Data value Meaning
    0x00010000 Low Security.
    0x00011000 Medium Security.
    0x00012000 High Security.


    The data values for the Flags value Name are additive:

    Data value Meaning
    1 Allow changes to custom settings.
    2 Allow users to add Web sites to this zone.
    4 Require HTTPS Web sites.
    8 Include Web sites that bypass the proxy server.
    16 Include Web sites not listed in other zones.
    32 Do NOT show security zone in Internet Properties.
    64 Show the Requires Server Verification dialog.
    128 UNCs are treated as Intranet connections.


    NOTE: The My Computer zone does NOT contain the CurrentLevel, MinLevel, and RecommendedLevel Value Names.

    The following Value Names are all REG_DWORD data types. Their data values are:

    Data value Meaning
    0 This action is allowed.
    1 This action will generate a prompt.
    3 This action is prohibited.


    Value Name Setting
    1001 Download signed ActiveX controls
    1004 Download unsigned ActiveX controls
    1200 Run ActiveX controls and plug-ins
    1201 Initialize and run ActiveX controls and plug-ins not marked as safe
    1400 Active scripting
    1402 Scripting of Java programs
    1405 Script ActiveX controls marked as safe for scripting
    1406 Access data sources across domains
    1407 Allow paste operations via script
    1601 Submit non-encrypted form data
    1604 Font download
    1605 Unknown
    1606 User Data persistence
    1607 Navigate sub-frames across different domains
    1800 Installation of desktop items
    1802 Drag and drop or copy and paste of files
    1803 File Download. No prompt setting as download is either allowed or NOT allowed.
    1804 Load applications and files in an IFRAME
    1805 Unknown
    1806 Launching applications and unsafe files
    1A02 Allow cookies that are stored on your computer
    1A03 Allow per-session cookies (not stored)

    The 1A00 Value Name, a REG_DWORD data type, has the following possible data values:
    Decimal Data value Meaning
    0 Automatically logon with current username and password.
    65536 Prompt for user name and password.
    131072 Automatic logon only in the Intranet zone.
    196608 Anonymous logon.


    The 1C00 Value Name, a REG_DWORD data type, has the following possible JAVA data values:

    Decimal Data value Meaning
    0 Disable Java.
    65536 High safety.
    131072 Medium safety.
    196608 Low safety.
    8388608 Custom.


    The 1E05 Value Name, a REG_DWORD data type, specifies software channel permissions.

    The TemplatePolicies sub-key of the Internet Settings key has the default security zone settings. The Low, Medium, and High sub-keys contain Value Names that represent the Zones' default values.

    The ZoneMap sub-key of the Internet Settings key has the following sub-keys:

    Domains - Contains domains and protocols that have been added. Each added domain is a sub-key of Domains. Sub-domains are sub-keys of the domain that they belong to. Each domain has a protocol Value Name (ftp, http, https, etc.) whose data value is the numerical value of the security zone (0x00012000 is High Security) to which it is added.

    The ProtocolDefaults sub-key of the Internet Settings key defines the default security zone for a given protocol, by adding a Value Name (file, ftp, http, https, etc.), with NO colons (:) or slashes (/). These REG_DWORD data types have the following possible data values:

    Key Meaning
    0 My Computer, NOT available in the Zone box of the Security tab.
    1 Local Intranet Zone.
    2 Trusted sites Zone.
    3 Internet Zone.
    4 Restricted Sites Zone.


    The Ranges sub-key of the Internet Settings key contains arbitrary sub-keys that define ranges of TCP/IP addresses. The :Ranges Value Name of these arbitrary sub-keys, a REG_SZ data type, contains the range affected (192.168.0.*). A * Value Name, a REG_DWORD data type, contains the security zone that the range falls within (0x1 is Local Intranet).
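    As an added example (not from the original post), the following Python decodes an exported .reg file of the Internet Settings key using the 1A00 and ProtocolDefaults tables above, rebuilds hostnames from the ZoneMap Domains sub-keys, and flags zones outside the intranet that forward the current user's credentials without prompting. The sample export is constructed, and the per-user Internet Settings key path is an assumption (the post does not spell it out).

```python
BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
LOGON = {0: "Automatically log on with current username and password",
         65536: "Prompt for user name and password",
         131072: "Automatic logon only in the Intranet zone",
         196608: "Anonymous logon"}
ZONES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}
# Constructed sample export (not from a real machine): both the Local Intranet
# and Internet zones use automatic logon, and one ZoneMap domain is present.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{BASE}\\Zones\\1]
"1A00"=dword:00000000

[{BASE}\\Zones\\3]
"1A00"=dword:00000000

[{BASE}\\ZoneMap\\Domains\\westlaw.com\\www]
"https"=dword:00000002
"""

def parse_reg(text):
    """Return {key_path: {value_name: data}}; dword data is converted to int."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"')] = (int(data[6:], 16) if data.startswith("dword:")
                                        else data.strip('"'))
    return keys

def logon_report(keys):
    """Decode 1A00 per zone; flag non-intranet zones (2+) that send credentials silently."""
    report = {}
    for z, zname in ZONES.items():
        vals = keys.get(f"{BASE}\\Zones\\{z}")
        if vals is not None:
            logon = vals.get("1A00")
            report[zname] = {"logon": LOGON.get(logon, f"unknown ({logon})"),
                             "risky": z >= 2 and logon == 0}
    return report

def domain_zones(keys):
    """Hostnames from ZoneMap Domains sub-keys (sub-keys are sub-domains) -> {proto: zone}."""
    prefix, out = f"{BASE}\\ZoneMap\\Domains\\", {}
    for path, vals in keys.items():
        if path.startswith(prefix):
            host = ".".join(reversed(path[len(prefix):].split("\\")))
            out[host] = {proto: ZONES.get(z, z) for proto, z in vals.items()}
    return out
```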



    3/25/2004

    Electrical Plugs


    NEMA Numbers
    L = Indicates a locking plug
    5 = Indicates voltage, where:
        1 = 125V, 2-pole, 2-wire
        2 = 250V, 2-pole, 2-wire
        5 = 125V, 2-pole, 3-wire (Grounded)
        6 = 250V, 2-pole, 3-wire (Grounded)
        7 = 277V, 2-pole, 3-wire (Grounded)
        10 = 125V/250V, 3-pole, 3-wire
        11 = 250V, 3-phase, 3-pole, 3-wire
        14 = 125V/250V, 3-pole, 4-wire (Grounded)
        15 = 250V, 3-phase, 3-pole, 4-wire (Grounded)
        18 = 120V/208V, 4-pole, 4-wire (Grounded)
    20 = Amperage rating, in this case 20 Amps
    R = Mounting configuration, where:
        P = Plug (for line cords)
        R = Box-mounted receptacle or outlet
        C = Connector (for line cords)

    2/26/2004

    Windows::DHCP Server


    http://www.comptechdoc.org/os/windows/win2k/win2kdhcp.html contains a great summary of DHCP information, installation, configuration.

    2/25/2004

    Telecom::VoIP::FXS and FXO Interfaces



    What is an FXS interface vs FXO interface?

    FXS = Foreign Exchange Subscriber = "client" - controls "off hook"

    FXO = Foreign Exchange Office = "server" - provides power, controls everything else.

    When making a connection from a telephone system to another device this distinction is important.

    http://www.patton.com/technotes/fxs_fxo.pdf has a very good discussion about this.

    It boils down to the same thing as other interface and pinout discussions: consider null-modem cables and crossover Ethernet cables.
    This category of topic came up way back when I wanted to set up my "normal" PC devices to print to the DEC laser printers that I used with the PDP-11. (Until "progress" required we replace it with the slow, piddly LaserJet III...) I had to have a serial cable custom built so that all the right pins on one side would talk to all the right pins on the other.

    Cisco Firewall::FILTERing URL's::Long URL's


    Also had some curious issues with AOL mail logon.
    Alleviated when I added the following to the end of the filter url line:
    longurl-truncate cgi-truncate

    2/20/2004

    Cisco Firewall::FILTERing URL's::Westlaw

    Updated
    Using either an N2H2 or Websense content filtering server with the Cisco firewall (v6.3.3) url-server and filter url commands is a great way to employ URL filtering against objectionable sites. However, we experienced a strange issue with Westlaw's research site. At www.westlaw.com users log on, do legal research and choose to print. Interestingly, the printing happens on Westlaw-provided printers that are "attached" to the Westlaw service network via modems. Even though this printing is "internal" to Westlaw, some print jobs fail for some reason when using url filtering on the firewall. It must create some really odd URL to launch the print job, and some of these URLs must be crapping out at the firewall and/or the content filtering server.
    A while back, in an attempt to implement this filtering, a problem arose with long URLs. According to the vendors the solution to this issue was to upgrade to the latest firewall code. That has been done, and those URLs that brought the previous issue to light now work fine. (Logon to hotmail.com and transactions at airline reservation sites resulted in some wild and long URLs.) But now we have this Westlaw thing.
    The workaround to the immediate issue is to make an exception to the filter url statement for the following networks at Westlaw:
    163.231.237.0/24
    167.68.6.0/23
    and 167.231.253.0/24

    But I fear a deeper issue is lurking in there, waiting to arise in some situation that doesn't have a clear and simple workaround.

    Exchange 2000::Windows 2000::Account Expiration


    Had an odd problem recently getting into an Exchange mailbox. A user's AD account was set up to expire at a certain date and time. When that time came she was logged on and working in her mailbox. Kaboom: she's kicked out at the appointed time. She tries to log back on and can't. All working as designed. If only the admin had set up the proper account to expire instead of this person who is now locked out. No biggy: just re-enable the account in ADUC. Okay, fine, now she can log on, but--holy crap!--she can't get into Exchange.

    Nor can anyone with full rights assigned to her mailbox get into it. Attempting to send an e-mail to that mailbox -> bounced message.

    To get this to work I had to delete the Exchange account (we have it set up so the mailbox is not really deleted for 30 days) and then relink the Exchange account to the AD user.

    Conclusion: Expiring accounts is a baaaaaad thing.

    2/11/2004

    DocsOpen UN-Integration::MSWord::Windows Registry


    For MSWord and other applications using ODMA integration to DocsOpen (or other ODMA compliant DMS, if any...) ODMA is "activated" in the registry under:
    [HKEY_CLASSES_ROOT\ODMA32]

    If you remove that key and all its subkeys then DMS is unintegrated.
    This can be done by manually merging a registry file that looks like:
    Windows Registry Editor Version 5.00

    [-HKEY_CLASSES_ROOT\ODMA32]

    Merging that file can be done in a BAT file with the line:
    regedit /s [filename].REG


    Webview::Windows XP::AD Logon


    Continuing saga from previous posting....
    When you use Webview interface to Elite time entry and passthrough authentication -
    "Pre-Windows 2000" account must exactly match the Elite userid - also case sensitive
    and
    The case with which the user logs on does not matter (like it does for Elite.)

    Elite::Windows XP::AD Logon


    When security passes through the XP/AD logon to Elite it is case sensitive and will fail if the user doesn't capitalize properly.
    If the Elite userid is all lower case, then the user's "Pre-Windows 2000" account must be all lower case AND the user must key in all lower case when they log on.
    Of course, if you have multiple "pass through" security applications that have this issue, then you will have to change either the Elite userid or the userid in the other application to match, and then match that to the "Pre-Windows 2000" account.

    Ain't ya glad you use directory services... Don't ya wish everybody did?

    1/02/2004

    MSWord::DocsOpen


    DOCS Open - Word - "Microsoft Visual Basic: Ambiguous name detected: TMPDDE"
    In DOCS Open, when you start Microsoft Word, the following error message may appear:

    "Microsoft Visual Basic: Ambiguous name detected: TMPDDE."

    This issue also occurs when you attempt to open documents from the Quick Retrieve window or when you save Word documents.

    OtherKeywords: temp dde, MS, launching, launch, 97, 2000, 2002, XP



    --------------------------------------------------------------------------------
    Resolution:
    A temporary macro file is created upon opening Word and is then automatically deleted. Occasionally when Word is opened, this file is not deleted. The error message appears when Word attempts to write a new temporary macro file, and one already exists.

    Steps to eliminate the error:

    1. Open Word.
    2. Select Tools>Macro>Macros.
    3. Browse through the list of macros and delete any .TMPDDE macros.
    4. Close and then reopen Word.

    The error message should not appear. (If you are still receiving the error message, check for viruses on all Microsoft Word files being used. An infected file could corrupt the NORMAL.DOT template file and the TMPDDE file.)

    NOTE: If you do not locate any TMPDDE macros (the TMPDDE macro may not be visible through Tools>Macro on the Word toolbar), one of the following options will resolve this issue:

    Delete the TMPDDE macro from the MS Word Global Template (NORMAL.DOT) file; this will require you to open the NORMAL.DOT macro template file in Visual Basic within Word and modify it to remove the TMPDDE macro section.

    OR

    Rename the MS Word Global Template (NORMAL.DOT) file; note that Word must be closed before you can perform this action.

    For more information about this issue, please consult the following article on Microsoft's Web site: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q174966