2010
03.04

10. Disk Space Monitor

http://www.tinyurl.com/Rzrvm77

9. Bulk Password Reset

http://www.tinyurl.com/Lgntax2

8. Windows Service Monitor

http://www.tinyurl.com/Qzh9fog

7. VMware Change Reporter

http://www.tinyurl.com/Kzpc4s3

6. Active Directory Object Restore Wizard

http://www.tinyurl.com/BRces62

5. File Server Change Reporter

http://www.tinyurl.com/ih55n2d

4. Inactive Users Tracker

http://www.tinyurl.com/N56p4n5

3. Password Expiration Notifier

http://www.tinyurl.com/TYe7ak

2. USB Blocker

http://www.tinyurl.com/Zh5a8w8

1. Active Directory Change Reporter

http://www.tinyurl.com/Kf9kn3s

2010
03.03

Installation guide for installing the Citrix ICA client under Ubuntu Linux

Prerequisites:

1. Download the latest Linux client from www.citrix.com

2. Install Openmotif onto your machine

  • sudo apt-get install motif-clients
  • sudo apt-get install libmotif-dev

Installation:

1. Install the 32-bit Citrix client.

  1. Download the linux client tarball (currently here) to some temp dir, e.g. /tmp/citrix
  2. Extract the tarball, e.g. (change parameters as necessary)
DOWNLOAD_DIR="/tmp/citrix"
TARBALL_FN="linuxx86-11.0.140395.tar.gz"
pushd ${DOWNLOAD_DIR}
tar xfz ${TARBALL_FN} # add '> /dev/null' for quiet
  3. From the download directory, run the text-mode installer
sudo ./setupwfc
  • Take the option to “Install Citrix Receiver”, install to /usr/lib/ICAClient, choose additional options as needed, and quit the installer.
  • Check to see that the installer created
    • the executable /usr/lib/ICAClient/wfcmgr
    • a launcher like Applications>Internet>Citrix Receiver or Internet>Citrix Receiver
  • Check that /usr/lib/ICAClient/wfcmgr has needed libraries, e.g.
CLIENT_EXEC="/usr/lib/ICAClient/wfcmgr"
ldd ${CLIENT_EXEC}
  • You will probably get results like
linux-gate.so.1 => (0xf77a3000)
libXm.so.4 => not found
libXp.so.6 => /usr/lib32/libXp.so.6 (0xf777f000)
libXpm.so.4 => /usr/lib32/libXpm.so.4 (0xf776c000)
libSM.so.6 => /usr/lib32/libSM.so.6 (0xf7763000)
libICE.so.6 => /usr/lib32/libICE.so.6 (0xf7748000)
libXmu.so.6 => /usr/lib32/libXmu.so.6 (0xf772f000)
libdl.so.2 => /lib32/libdl.so.2 (0xf772b000)
libpthread.so.0 => /lib32/libpthread.so.0 (0xf7712000)
libc.so.6 => /lib32/libc.so.6 (0xf75cd000)
libXt.so.6 => /usr/lib32/libXt.so.6 (0xf757a000)
libX11.so.6 => /usr/lib32/libX11.so.6 (0xf744b000)
libXext.so.6 => /usr/lib32/libXext.so.6 (0xf743b000)
libXau.so.6 => /usr/lib32/libXau.so.6 (0xf7437000)
libuuid.so.1 => /lib32/libuuid.so.1 (0xf7431000)
/lib/ld-linux.so.2 (0xf77a4000)
libxcb.so.1 => /usr/lib32/libxcb.so.1 (0xf7413000)
libXdmcp.so.6 => /usr/lib32/libXdmcp.so.6 (0xf740e000)
  • Note the not found above. If you don’t get one of those, try just running /usr/lib/ICAClient/wfcmgr: if that launches the Citrix Receiver, you’re done, and you can probably exit these instructions. If not, proceed to next step.

2. Download and setup all needed 32-bit libraries.

  • If you are missing libXm.so.4
    • Install motif and create a symlink to the latest similar library
sudo aptitude install libmotif3
ls -al /usr/lib/libXm.so*
# if the latest version is libXm.so.3.0.2, then
sudo ln -s /usr/lib/libXm.so.3.0.2 /usr/lib/libXm.so.4

Repeat running ldd until all libraries are found. I.e.

CLIENT_EXEC="/usr/lib/ICAClient/wfcmgr"
ERROR_STRING='not found'
ldd ${CLIENT_EXEC} | fgrep -e "${ERROR_STRING}"

should produce no output.

3. Run the native client from a terminal, e.g.

${CLIENT_EXEC}
  • The Citrix Receiver should launch with no errors. Choose Connections>Exit to quit the native client. If you see errors in the terminal, use the terminal messages to guide your efforts. You may need to repeat steps above.

4. Run the client from the launcher noted above.

Last Step – copy all of the Mozilla trusted certificate authorities to your Citrix client directory

sudo cp /usr/share/ca-certificates/mozilla/* /usr/lib/ICAClient/keystore/cacerts/

2010
02.28

http://www.gns3-labs.com/2010/02/28/gns3-announcement-official-release-of-gns3-07-stable/

GNS3 0.7 is now released; it includes a lot of bug fixes and improvements as well as some new features:

  • Support & debugging on Windows 7.
  • Qemuwrapper improvements & Windows compatibility.
  • Integration of Cisco IDS/IPS, including a new symbol.
  • Qemu 0.11.0 patched and Putty have been added in the Windows all-in-one package.
  • An option to show the z coordinate of any object on the scene (View -> Show layers).
  • Interface labels follow their moving parent nodes.
  • Modified interface labels are saved in .net files.
  • Option to slow start nodes (wait x seconds between each start).
  • Links connected to Qemu based nodes are now removable (nodes have to be shutdown to do so).
  • Possibility to set a hypervisor for Ethernet switches, ATM switches, ATM bridges and Frame Relay switches.
  • New symbols for voice labs (Call manager, SIP server, IP phone, voice router, voice access server and PBX).
  • New dialog window to browse and change a router startup-config.
  • Undo/redo of actions is now supported.
  • Qemu & qemu-img paths are saved in .net files if needed.
  • Slight improvements for the snapshot system, including a new dialog window to manage it.
  • WICs description in tooltips.
  • WICs restoration from .net files.
  • Support of relative paths in .net files (if the base path is the same as the .net file).
  • Test button to validate you can launch Qemuwrapper, Qemu and qemu-img.
  • New translation in Czech (thanks to Ondrej Filip).
  • Lots of various small bug fixes and improvements.
  • “versions” command to display Qt, PyQt and SIP versions

This version has been tested on the following OS:

  • Windows 7 Professional x86 (Qt 4.5.3, PyQt 4.6.2, SIP 4.9.3)
  • Windows XP SP3 x86 (Qt 4.5.3, PyQt 4.6.2, SIP 4.9.3)
  • Ubuntu 9.10 (Qt 4.5.2, PyQt 4.6.1, SIP 4.9.1)
  • Mac OS X Snow Leopard (Qt 4.5.3, PyQt 4.6.2, SIP 4.9.3)

Note that GNS3 doesn’t work properly with Qt 4.6.1 and 4.6.2 (graphical bugs)

Help us to improve GNS3, please post your bug reports on the forum, under Development -> Bug reports

An emulated host based on a very small Linux (likely to be Linux microcore) is under development and will be distributed with the next releases as well as in standalone. The documentation and translations will be updated in the next weeks.

2010
02.26

You should know four things before you start:

  1. I am writing this primarily for myself as a cookbook for future Exchange installations.  It is provided WITHOUT WARRANTY OR GUARANTY OF ANY SORT.  USE AT YOUR OWN RISK!
  2. It will take longer than two hours to complete because of the delays waiting for your Certificate.  However, the actual work can be completed in the stated time.
  3. You need to have a basic knowledge of Windows, Active Directory, and mail servers to get through this.

The idea is to create down and dirty, point form instructions on how to get Exchange 2007 FULLY operational with just two hours of work.  To make this more difficult, I did my install on a Windows Server 2008 64 bit platform but I believe these instructions will function on Vista 64 bit or Server 2003 64 bit.  Yes, 64 Bit is required for Exchange 2007 in production.  The 32 bit version is for test labs only and is NOT supported by Microsoft.

The other thing I did to make this more realistic, is to name the internal domain something completely different from the email domain (i.e. CORPDOMAIN.LOCAL vs ABCDEDOMAIN.COM).

Let’s get to it.

A – PREWORK:

  1. Install Windows 2008 64 Bit on a new box and run Microsoft Update to patch it to whatever is current.
  2. Make sure IPv6 is DISABLED PRIOR to the install of Exchange.  NOTE: Unchecking the IPv6 check-box on the network card will not cut it.  See THIS and THIS and THIS for details.
  3. If the server is not already a Domain Controller, you need to run DCPROMO to make it so.  Exchange 2007 must be on a network with Active Directory.  DCPROMO will install required DNS for most config’s.
  4. There are 4 DNS changes you should make:
    • Create your EXTERNAL DNS’ MX records for the email domains in question to point to this new Exchange Server’s IP Address
    • Create an A Record in DNS for AUTODISCOVER.YOURMAILDOMAIN.COM for your server’s IP
    • Create a REVERSE LOOKUP (RDNS) entry for your Exchange server’s IP
    • Create a Sender Policy Framework (SPF) entry for your Exchange server’s IP

    Note that only the MX record is required to get Exchange to function.  The last three are NOT required but you will likely want them so why not do it now?  Also you will have to wait for those settings to replicate throughout the internet (usually 12 hours).

    • For example, if your internal domain is CORPDOMAIN.LOCAL and your email domain is ABCDEDOMAIN.COM, you need to make sure that whoever is hosting the “authoritative DNS” for ABCDEDOMAIN.COM has an MX (i.e. Mail Exchanger) record as well as an “A” record for AUTODISCOVER.ABCDEDOMAIN.COM, pointed to your new Exchange server’s IP address.
  5. I ran my Server 08 live on the internet, relying solely on its integrated firewall.  This is great for testing because when you install Exchange, it will automatically open the required holes in the firewall.  If you have an external/hardware/real firewall you will need to poke your own holes in it!

B – EXCHANGE INSTALL:

  1. Install “Exchange Service Pack 1″
    • This is largely a “click next” affair but it will perform a pile of “pre-installation checks” to make sure you have the prerequisites; you won’t.  So just do exactly what it tells you.  For example it will tell you to install IIS and IIS 6 MANAGEMENT CONSOLE, so do that.  Below are screen shots of my test server’s ROLES and also a shot of IIS7 FEATURES.
      • The one additional FEATURE beyond what Exchange tells you to install is RPC OVER HTTP.  I will mention it later, so if you don’t install it now, don’t worry about it
      • Server 2008 Features Required to Run Exchange 2007 SP1
      • Server 2008 Features List Required to Run Exchange 2007  SP1
    • Ignore the following error: (as per Microsoft article 556055)
      “Warning: Setup cannot detect an SMTP or Send connector with an address space of ‘*’.
      Mail flow to the Internet may not work properly.”
    • Service Pack 1 for Exchange is the FULL version of Exchange, not a bunch of new hot fix binary bits and so you can install it directly.  You do not need to install Exchange 07 and then patch it.  If that isn’t clear enough know that Windows Server 08 will not let you install the original RTM version of Exchange 2007.
    • This process will require at least one reboot after installing pre-req’s.
  2. Run Microsoft Update and make sure it includes Roll Up 1 for SP1 and then reboot.
  3. Users created in ACTIVE DIRECTORY USERS AND COMPUTERS do not have email accounts automatically created for them.  As such you may want to create new users via RECIPIENT CONFIGURATION, NEW MAILBOX.
    Exchange 2007 New User
  4. From the server surf to https://127.0.0.1/owa/ (this is the Outlook Web Access page) and sign in as ADMINISTRATOR (or the account you created in step 3) to make sure the core is functional then log out.  From a different PC surf to https://mail.yourdomain.com/owa .
    • At this point you won’t be able to do much other than see that your Exchange is installed properly.
  5. Go to ORGANIZATION CONFIGURATION, HUB TRANSPORT, ACCEPTED DOMAINS, and set the default.
  6. Go to ORGANIZATION CONFIGURATION, HUB TRANSPORT, EMAIL ADDRESS POLICIES and create an entry for your primary domain.
  7. Create a wild card (*) SEND CONNECTOR (As per Microsoft article 556055)
  8. Exchange Server 2007 Hub Transport, by default, allows only secure authenticated connections.  If you don’t have an Edge server in front of the Hub Transport server (i.e. you are setting up Exchange to function completely from a single server, like we are in this article), you will need to tell Exchange to accept anonymous connections from other mail servers and clients on the web.  You cannot set this change through the GUI (only when creating new connectors), so you’ll need to open the Exchange Management Shell and enter the following (just copy and paste this text, then go back and edit the <Servername>):
    Set-ReceiveConnector "Default <Servername>" -PermissionGroups:"ExchangeUsers,ExchangeServers,ExchangeLegacyServers,AnonymousUsers"
  9. Surf to the OWA site (i.e. https://127.0.0.1/owa) and send an email to a remote address then reply to that message and make sure you receive it back

C – OUTLOOK ANYWHERE:

Outlook Anywhere, which was named RPC OVER HTTP in Exchange 2003 SP2, is the system that lets you connect Outlook clients to your in-house Exchange server without first requiring a VPN.  This will be important for your mobile workers.

  1. If you did not already install RPC OVER HTTP as mentioned in step 1 in the section above, now is the time.   Simply launch Server 2008 Server Manager, click on FEATURES then ADD FEATURE.  When you are done your FEATURES should look like.

    • Server 2008 Features Required to Run Exchange 2007 SP1
  2. SERVER CONFIGURATION, CLIENT ACCESS, OUTLOOK ANYWHERE WIZARD, in the Action Pane on the FAR RIGHT and choose BASIC AUTHENTICATION.  (This is safe because we will encrypt your communications later on in the process.)

    • How to setup Outlook  Anywhere (RPC over HTTP) in Exchange 2007
  3. The following is the hardest part of this whole adventure; buying the certificate!  You need a real cert to allow Outlook clients to connect.  Exchange 2007 uses a new type of cert alternately called a Universal Communications Certificate (UCC) or Subject Alternative Name (SAN) certificate.   All this means is that you can bundle more than one domain name into a single cert.
    • If you don’t know what you are doing with certificates or Exchange 2007, read this excellent explanation but do NOT carry out the instructions because they skip over the installation of an “Intermediate Certificate” which will be required by most of us.
    • From my experience, blog reading and conversations with Microsoft support staff, I suggest you buy your cert from GoDaddy.com .  I found GoDaddy’s process and seriously cluttered webpages to be quite difficult to follow, but they have three things going for them: they are the second cheapest I can find; they have free dedicated, qualified, SSL PHONE support (480-505-8852); and as an added bonus their certs actually work!
      GoDaddy's Exchange 2007 UCC Cerficate Request Page
      The biggest question is: What names do you put into this multi-name cert, and here is the answer:

      Description             Example
      Mx record               mail.commodore.ca
      Root domain name        commodore.ca
      Autodiscover record     autodiscover.commodore.ca
      Local server FQDN       svr08box.insidecorpdomain.local
      Server Host Name        svr08box
  • The next question is: How do I create the Certificate Request (CSR)?  I was going to type the command directly into the Exchange Power Shell (as per the help files) but an MS Exchange Support tech, suggested I use this site to create the command line for me:
    DigiCert's Exchange 2007 UCC  CSR Generator
  • As per the DigiCert instructions, just “Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell. Paste the New-ExchangeCertificate command from this page into the Exchange Management Shell window and press Enter. Your CSR file should now be in C:\ on your server (as named by the -Path option in the command itself.)”
  • Go to GoDaddy.com and spend an hour trying to figure out their pages and processes to submit the CSR and receive the cert.  Note that at the end of their process it says that they have just sent you an email which you are required to open and respond to in order to receive your cert… ya, they haven’t.  After three phone calls and 9 hours, my email showed up.
    • NOTE: When you are submitting the CSR to GoDaddy, you will be prompted (at the bottom right of the page) to select the type of server this cert will be used on.  Even though Exchange CSR’s are not generated using IIS, you must select IIS.
  • If you used GoDaddy you will have to install an “Intermediate Certificate” (also called a “Chained Certificate”).  This is an additional step, not covered in most explanations/blogs/help files.  Fortunately it is quite easy to complete:
  • GoDaddy's Intermediate Certificate Installation  Instructions for Exchange 2007 SP1
  • Import Intermediate Certificates into Host Machine
  • DO NOT follow the UCC CERTIFICATE INSTALLATION instructions at the end of this screen shot. Just see the next bullet for an easier way.  The text instructions are here and GoDaddy updated their Exchange cert instructions in Sept 2009 and they are also now “correct”.
  • After you get your cert, launch the Exchange Power Shell and type the following to install and enable the cert, in one fell swoop:
    Import-ExchangeCertificate -Path c:\<MYCERT>.p7b | Enable-ExchangeCertificate -Services "SMTP, IMAP, IIS, POP"
    When this is complete run:
    Get-ExchangeCertificate | FL

    and make sure everything looks as you expect
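
An added check for this step (not from the original article, GoDaddy or DigiCert): given the text that `openssl x509 -noout -text` prints for the issued certificate, these shell functions report which of the five names listed above are missing from its Subject Alternative Name list. It runs on any workstation with a POSIX shell; the function names, the cert.pem path and the embedded certificate text are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original article.
# Input on stdin: the output of `openssl x509 -noout -text` for the certificate.

# Print the DNS entries of the Subject Alternative Name extension, one per line.
san_names() {
    awk '
        /X509v3 Subject Alternative Name/ {
            getline                         # the names are on the following line
            gsub(/^[ \t]+|[ \t\r]+$/, "")   # trim indentation and trailing space
            n = split($0, entry, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (entry[i] ~ /^DNS:/) print tolower(substr(entry[i], 5))
            exit
        }'
}

# missing_sans NAME...: print every required NAME the certificate does not list.
# Matching is exact and case-insensitive; wildcard entries are not expanded.
missing_sans() {
    listed=$(san_names)
    for want in "$@"; do
        lower=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$listed" | grep -qxF -- "$lower" || printf '%s\n' "$want"
    done
}

# Constructed sample: a certificate that was requested without the two
# internal names (local server FQDN and short host name).
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:mail.commodore.ca, DNS:commodore.ca, DNS:autodiscover.commodore.ca
EOF
}

# The five example names from the article.
REQUIRED="mail.commodore.ca commodore.ca autodiscover.commodore.ca svr08box.insidecorpdomain.local svr08box"

# Demo on the constructed sample: prints the two internal names.
# shellcheck disable=SC2086
sample_cert_text | missing_sans $REQUIRED

# Real use (cert.pem is a placeholder path):
#   openssl x509 -in cert.pem -noout -text | missing_sans $REQUIRED
```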

  1. After your UCC Certificate (and any required Intermediate Certificates) are installed, you can try surfing to your Outlook Web Access site https://mail.yourdomain.com/owa and confirm that the UCC  certificate is operational.

Exchange 2007 OWA is using a certificate

  1. You can also easily check your connectivity using www.testexchangeconnectivity.com .
  2. Next you need to configure your Outlook clients.  I used Outlook 2007 exclusively but the process is apparently the same for Outlook 2007 if it has SP2. Start a new Outlook profile and start a NEW ACCOUNT.  Then there are two ways to finish:
    • MANUAL: Choose to manually configure my settings. Select EXCHANGE, type in the external name of your mail server (i.e. mail.commodore.ca ) and your username (i.e. fwillis), click MORE SETTINGS set the PROXY settings to what you see in the screen shot below (obviously adjusting the name for your domain).
    • Outlook 2007 Configuration with Exchange 2007 using a  Proxy
      The odd setting is ONLY CONNECT TO SERVERS WITH THE PRINCIPAL NAME… and using a setting beginning with msstd://mail.abcdedomaincom  .  On the off chance you care, MSSTD is an acronym for Microsoft Standard Form.

      When you click OK and close the dialog boxes, you will be prompted to sign in and your servername will become underscored.

    • AUTODISCOVER:  If you just let Outlook 2007 try to perform an autoconfig, it should create all of the above settings for you (yes, including the proxy).  If your autoconfig is not working, make sure you have a DNS A Record for AUTODISCOVER.YOURMAILDOMAIN.COM.

That’s all folks!  Wasn’t that easy and fun for the whole family?

D – EXCHANGE ANTISPAM:

  1. Start Exchange Power Shell, change into the file location where Exchange was installed and then into the SCRIPTS folder.  Then run:
    Install-AntispamAgents.ps1
    and restart the MICROSOFT EXCHANGE TRANSPORT SERVICE.  See this and this for more details if you need them.
  2. Go to the ORGANIZATION CONFIGURATION and then HUB TRANSPORT and find the ANTISPAM tab and double click on IP BLOCK LIST PROVIDERS (a.k.a. RBL, Real-Time Blackhole Lists, DNSRBL, Real-Time Block Lists) and add a few such as:
    Exchange  2007 RBL, DNSRBBL, Blacklists, IP Block List
    I suggest you also read up on each RBL (like SpamHaus’ ZEN server) to make sure you understand what it is blocking.
  3. A few hours later (or the next day) you should check to see if the blocking is doing anything by starting the Exchange Power Shell, change into the file location where Exchange was installed and then into the SCRIPTS folder and running:
    get-AntispamTopRBLProviders.ps1 and then  get-AntispamTopRecipients.ps1
    Exchange 2007 AntiSpam Statistics
    You can see from my example that NJABL did not stop a single message after two days of use so I removed it from the IP BLOCK LIST PROVIDERS .  Note that there are many excellent AntiSpam scripts in this folder and you should play with them all.
  4. You should also review the ORGANIZATION CONFIGURATION, HUB TRANSPORT, ANTISPAM, SENDER CONFIDENCE item.  I made no changes to mine and all seems well, but you should understand what it does.
  5. Run Microsoft/Windows Update and notice that there is an EXCHANGE SERVER SPAM DEF’N patch that comes out apparently every day.  I have installed this update on my server several times now without incident.
  6. If you have more questions about MS’ AntiSpam, this is the official guide.

I like Greylisting to handle spam but I do not use it on Exchange because Exchange 07 does not natively support it and much to my surprise and to Microsoft’s credit, I just don’t need it!  If you want Greylisting you need an add-on product and two free ones are recommended (by associates of mine):

  1. JEPs which looks pretty damn good to me
  2. ASSP which I understand to be more complex and requires PERL, but does a good job.

If you like to buy your antispam, this page provides a nice grid of AntiSpam software options and costs.

E – POP3:

On the off chance you care about POP3, follow these three simple steps:

  1. Start the MICROSOFT EXCHANGE POP3 Service on the Server
    Start POP3 Service
  2. If you want to block POP3 users from using “Exchange mail” disable MAPI.  This step is only required if you want to use the Outlook 2007 AUTOCONFIGURE feature (or you just don’t want POP users burning up storage on your server)
    Disable MAPI on Exchange 2007
  3. If you followed step 2 then when you create a new mail account in Outlook, the autoconfigure will take care of the rest.  If you did not follow step 2, then you will setup the POP account like any other and then go into your Advanced Account Settings and turn on MY OUTGOING SERVER REQUIRES AUTHENTICATION and THIS SERVER REQUIRES ENCRYPTED SSL CONNECTION
    SMTP requires password for POP in Exchange 2007 Encrypted SSL Connection Required for POP3 Connection on  Outlook Client for Exchange 2007

F – VERIFICATION:

After you have everything running to your satisfaction you should run a couple of simple and fast system checks:

  1. In the Exchange Management Console, click TOOLBOX, BEST PRACTICES ANALYZER, approve any updates and checks that it wants to do and then click GO TO WELCOME SCREEN.  Then start a HEALTH CHECK as per the obvious screen shots below.  Be sure to read the results and make whatever changes it suggests.
    Best Practices Analyszer for Exchange 2007 SP1 &  SP2 Start New Scan Best Practices Analyzer Exchange 2007
  2. In the Exchange Management Shell, you should run:
    get-OrganizationConfig
    and then you should run:
    Test-SystemHealth

    and make sure everything looks as you expect it should.

G – LINKS:

Although many links are embedded in this page, I thought it might be useful to list a bunch of them discretely:

http://www.petri.co.il/configure_rpc_over_https_on_a_single_server.htm

http://support.microsoft.com/kb/556055

http://forums.msexchange.org/m_1800412705/mpage_1/key_/tm.htm

http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=703467&SiteID=17

http://msexchangeteam.com/archive/2007/07/02/445698.aspx

https://www.digicert.com/easy-csr/exchange2007.htm

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1144&ratingconfirm=1

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23163272.html

http://technet.microsoft.com/en-us/library/aa996604(EXCHG.80).aspx

2010
02.26

http://www.blackberrycool.com/2009/10/18/blackberry-os-5-download-for-the-bold-8900-tour-8520-and-storm/

I have tested and it really helps with the battery life.

Instructions to install on ANY supported device from ANY CARRIER.

1. Download the above OS file to the PC then install it to the PC by running (double clicking) the file you downloaded.
2. Go to c:\program files\common files\research in motion\apploader and delete the file named “vendor.xml.”
3. Plug in BB and double click on “Loader.exe.” It’s located in the same place as the above vendor.xml file.

The process takes about 45 minutes to an hour depending on how much data you have to backup and restore during the process. Once it’s done loading the new OS it will reboot (it may do this twice during the entire process.) You will see a white screen with an hourglass for up to 20 minutes at a time while the DM says “waiting for initialization.”
If, for some reason, you end up with a white screen with small icons and the number 507, simply connect to the PC again and run Loader.exe again and it should load the OS to the device.

2010
02.23

Introduction

I had this posted on an old Gentoo Linux site that was torn down, so I figured I would post it on my site.  Enjoy!

This is the Legacy BackupExec Remote Agent. There is no RALUS License needed for Backup Exec to recognise the Legacy remote agent. The Legacy Symantec Backup Exec Remote Agent for Linux and Unix Servers enables Windows Server network administrators to perform backup and restore operations on Linux, Unix and Solaris hosts that are connected to the network.

Location of the Legacy Agent

This agent can be found under the installation directory of the Veritas (Symantec) Backup Exec Program.

\\BackupServer\C$\Program Files\VERITAS\Backup Exec\NT\Agents\Legacy Unix Agent\be_agnt.tar

Or you can download the latest version here.

http://seer.entsupport.symantec.com/docs/262592.htm

I will be using the one from my Veritas installation folder in this tutorial.

Copy the be_agnt.tar

Copy the be_agnt.tar to your Linux/Gentoo server. I used the WinSCP program to transfer the tar to my /tmp/be_agnt folder.

I created a folder under /tmp/be_agnt and then extracted the tar.

# mkdir /tmp/be_agnt

You will need to manually create these directories – for some reason these do not get created.

# mkdir /etc/rc.d
# mkdir /etc/rc.d/rc2.d

For Backup Exec version 8.5, also create these directories.

# mkdir /etc/rc.d/init.d
# mkdir /etc/rc.d/rc3.d
# mkdir /etc/rc.d/rc5.d

Move the be_agnt.tar to the /tmp/be_agnt directory using WinSCP

# cd /tmp/be_agnt
# tar -xvf be_agnt.tar
# ./INSTALL

The Install

File: Step by Step Installation
Backup Exec Unix Agent Language Selection v4.3

Backup Exec UNIX Agent Install v3.7
Copyright 2001 VERITAS Software Corporation.  All Rights Reserved.

Operating systems supported:
 1. Solaris Sparc 2.6, 2.7, 8, 9
 2. Solaris Intel x86 2.6, 7, 8
 3. HP UX 10.20, 11.x
 4. IBM AIX 4.3.x, 5.x
 5. Linux 2.4 (RedHat7.1+, SuSE7.1+, Caldera3.1+, Turbo7.0+, Mandrake8.0+)
 6. Linux 2.2, 2.0 (RedHat7.0-, SuSE7.1-, Caldera2.4-, Turbo6.5-, Mandrake7.2-)
 7. SCO UnixWare 7.x

Operating system detected:
Linux 2.2, 2.0 (RedHat7.0-, SuSE7.1-, Caldera2.4-, Turbo6.5-, Mandrake7.2-)

Is this correct? (y/n) y

Operating system selected:
Linux 2.2, 2.0 (RedHat7.0-, SuSE7.1-, Caldera2.4-, Turbo6.5-, Mandrake7.2-)

Installing the Backup Exec UNIX Agent for system type: linux

Please enter the full directory path where the Backup Exec Agent should
be installed: [/etc/bkupexec] HIT ENTER HERE

Your system's initialization procedure has been modified to
automatically start the Agent the next time your system is started.

All necessary Backup Exec Agent files have been copied to: /etc/bkupexec

Adding the following line to /etc/services:
grfs            6101/tcp        # Backup Exec Agent

The configuration for the Backup Exec Agent is stored in
/etc/bkupexec/agent.cfg.  You may edit this file at any time to
change the configuration for the Agent.

You will now be prompted to enter the initial values for the
Agent configuration.

Press Enter to continue

0+1 records in
0+1 records out
31 bytes (31 B) copied, 7.3794e-05 s, 420 kB/s

Please enter the name for this workstation [WORKSTATIONNAME.DOMAIN.COM]:

Do you require a password for this workstation? (y/n) y

Please enter the password for this workstation: YOURPASSWORD

Does this workstation have 2 or more network interfaces? (y/n) n

Please enter a directory path you want to export as a published path: /var

Please enter a unique resource name for this published path: [var]

Do you want to allow files to be restored to this published path? (y/n) y

Do you require a password for this published path? (y/n) n

Do you want to publish another directory path? (y/n) n

You must enter the names of the Backup Exec media servers which will
access this workstation.  The media server's internet addresses must be
defined in the /etc/hosts file or accessible via a naming service.

Please enter a media server name: YOURBACKUPSERVER

Locating eabackup....located and added to media server list.

Do you want to add another media server? (y/n) n

The Backup Exec Agent must periodically send advertisement messages
to the media servers to inform them that this workstation is
accessible.  Please enter the frequency (in seconds) that these
advertisements should be sent: [30] HIT ENTER HERE

Symbolic links to directories may be backed up in one of two ways.

Method 1:  The symbolically linked directory is handled as a special file
           and only the information required to recreate the symbolic
           link is backed up.

Method 2:  The symbolically linked directory is backed up as a normal
           directory.  All files and subdirectories within the
           symbolically linked directory are also backed up.

Method 1 is preferred because it minimizes the amount of data which must
be backed up.

Which method do you want to use? (1 or 2) [1] 2

Backup Exec Agent configuration complete.

Note: You may edit the file /etc/bkupexec/agent.cfg to change your Backup
        Exec Agent configuration at any time.  Configuration changes for the
        Backup Exec Agent will take effect after the host is restarted.
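
The answers given to the installer above are written to /etc/bkupexec/agent.cfg as plain-text directives, passwords included. The following shell function is an added example (not part of the original post or of Backup Exec) that audits such a file for a missing workstation password, exports that allow restores or have no per-path password, and a world-readable file mode. The directive names are the ones listed in the file's own header comments; the function names, the finding wording and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post or of Backup Exec.
# Uses only directives documented in agent.cfg itself:
#   name, password, export <dir> as <resource> [options], tell

# Write a constructed sample that mirrors the installer answers shown above.
write_sample_cfg() {
    cat > "$1" <<'EOF'
# constructed sample, values are placeholders
name WORKSTATIONNAME.DOMAIN.COM
password YOURPASSWORD
export /var as var
tell YOURBACKUPSERVER
tell_interval 30
EOF
}

# Print one finding per line. Returns 1 if any WARN was raised, 2 on error.
audit_agent_cfg() {
    cfg=$1
    rc=0
    [ -r "$cfg" ] || { echo "ERROR: cannot read $cfg" >&2; return 2; }

    # Passwords are stored in clear text, so "other" should have no read bit.
    if [ -n "$(find "$cfg" -prune -perm -004 2>/dev/null)" ]; then
        echo "WARN file: world-readable, but it stores passwords in clear text"
        rc=1
    fi

    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        $1 == "password" && NF >= 2 { have_pw = 1; next }
        $1 == "tell" && NF >= 2     { tells++; next }
        $1 == "export" {
            if (NF < 4 || $3 != "as") {
                printf "WARN line %d: malformed export directive\n", NR
                warn++; next
            }
            wp = pw = remote = 0
            for (i = 5; i <= NF; i++) {
                if ($i == "write_protected")     wp = 1
                else if ($i == "include_remote") remote = 1
                else if ($i == "password" && i < NF) { pw = 1; i++ }  # skip value
            }
            if (!wp) {
                printf "WARN line %d: %s (%s) can be restored to; add write_protected if it is backup-only\n", NR, $2, $4
                warn++
            }
            if (!pw)
                printf "INFO line %d: %s (%s) has no per-path password\n", NR, $2, $4
            if (remote)
                printf "INFO line %d: %s (%s) also exposes remote mounts beneath it\n", NR, $2, $4
        }
        END {
            if (!have_pw) {
                print "WARN global: no workstation password, so [ENTER] is accepted"
                warn++
            }
            if (!tells)
                print "INFO global: no tell directive, no media server is advertised to"
            exit (warn > 0)
        }
    ' "$cfg" || rc=1
    return "$rc"
}

# Demo on the constructed sample (mktemp creates the file with mode 0600).
demo_cfg=$(mktemp)
write_sample_cfg "$demo_cfg"
audit_agent_cfg "$demo_cfg" || echo "review the WARN lines above"
rm -f "$demo_cfg"
```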

Check Your Configuration

#nano -w /etc/bkupexec/agent.cfg
File: /etc/bkupexec/agent.cfg
#
# This is the config file for the Backup Exec Unix Agent.  It specifies what
# directories are published, the access privileges, and which media server
# machines should receive the advertisements for these resources.
#
# The "-c <filename>" command line option for the Agent program can be
# used to specify an agent config file for the Agent to use.  Otherwise, the
# Agent will use the agent.cfg file in the current directory.
#
# The format for this file is line oriented.  Each line contains a keyword
# which corresponds to a specific configuration command.  Some configuration
# commands require additional parameters which are entered on the line with
# the command.  Blank lines or lines beginning with a '#' are ignored.
#
# Parameters enclosed in the symbols <> are required fields.  The
# user MUST supply values for these parameters.
#
# Parameters enclosed in the symbols [] are optional fields.  The
# user is not required to specify these parameters.
#
# The allowable commands are:
#
#     name <workstation name>
#     password <passwd>
#     export <directory> as <resourcename> [write_protected] [password <passwd>] [include_remote] [no_nfs_locking]
#     tell <machine name>
#     tell_interval <number of seconds>
#     follow_symdirs
#     exclude_file <filename>
#     exclude_dir <directory name>
#
# The commands are described below:
#
# name <workstation name>
#   - This command is used to define the name which the agent program will
#     advertise to media servers and clients. The workstation name is limited to upper-case
#     alphabet characters (A-Z), the digits (0-9), and the underscore (_) character.
#     The agent program will automatically modify the workstation name if it reads
#     the configuration file and detects illegal characters in the workstation name.
#     The agent program will uppercase lowercase characters, and it will replace all
#     other illegal characters with the underscore (_) character.  After the agent has
#     read its configuration file, it will display the workstation name as it will
#     appear in Backup Exec client source selection screens.
#
# password <passwd>
#   - In order to access this workstation from the Backup Exec Client,
#     the user must enter the password, "passwd".  This command is
#     optional and if it is not present, then the password for the
#     workstation is simply the [ENTER] key.
#
# export <directory> as <resourcename> [write_protected] [password <passwd>] [include_remote] [no_nfs_locking]
#   - export is used to specify a directory tree to publish
#     so that it may be accessed by the Backup Exec Client.
#     "resourcename" will appear in the Backup Exec Client's sub-device
#     selection screens.
#     If "write_protected" is specified, the directory can be accessed
#     for backup operations but not for restore operations.
#     If "password <passwd>" is specified the user will be required to
#     enter the password, <passwd> before accessing the directory.
#     If "include_remote" is specified, any remotely mounted file systems with
#     mount points within the directory tree will also be accessible for
#     backup and restore operations.
#     If "no_nfs_locking" is specified, files will not be locked during
#     backup operations if they are located in remotely mounted file systems
#     with mount points within the directory tree.
#
#   Examples:
#     export / as ROOT write_protected
#     export /usr as USR password SARAFINA
#
# tell <machine name>
#   - The TELL command takes a machine name as an argument.  This
#     machine will be added to the list of machines that advertisements
#     will be sent to.  This machine name MUST be found in the /etc/hosts
#     file.
#
# tell_interval <number_of_seconds>
#   - This command specifies the delay time between advertisements.
#     This number shouldn't be too large (more than several minutes)
#     or it will take a long time before the backup application learns
#     about it, it should also not be too small or there will be excessive
#     network traffic.  Each advertisement transaction requires 8 network
#     packets.
#
# follow_symdirs
#   - By default symbolically linked directories are not backed up.  Only
#     the "link" itself is backed up.  If "follow_symdirs" is specified,
#     then the "link" is not backed up, instead the entire linked directory
#     tree is backed up.  This option is not available with the SCO agent.
#
# exclude_file <filename>
#   - This command prevents the named file from being accessible for backup.  The
#     filename must use a fully specified path.
#
# exclude_dir <directory name>
#   - This command prevents the named directory from being accessible for backup.
#     The directory name must use a fully specified path.
#
# preserve_ctime
#   - This option forces the agent to ignore the message which sets object's (files,
#     directorys) attributes when a backup occurs.  Normally during a backup, the
#     backup engine preserves an object's last access timestamp by resetting the
#     last access timestamp to the value before the backup occurred.  When the
#     agent modifies the object's last access timestamp, the OS internally updates
#     the object's "ctime". An object's "ctime" is the time when an object's
#     attributes (permissions, timestamps, etc) have been modified.  By not
#     attempting to reset the attributes after a backup, the object's ctime is
#     not updated.  This option does not effect setting object attributes during
#     restore operations.
#
# force_address <IP address>
#   - When a system has 2 or more network interfaces, this option can be used
#     to specify which interface will be used by the agent.
#
File: /etc/bkupexec/agent.cfg
name COMPUTERNAME.DOMAIN.COM
password YOURPASSWORD
export / as root
export /var as VAR
force_address THE IP OF THE COMPUTER THE REMOTE AGENT IS INSTALLED ON
tell YOURBACKUPSERVER OR THE IP OF THE BACKUPSERVER
tell_interval 30
follow_symdirs
exclude_dir /dev
exclude_dir /proc
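
The options documented in the file's comments can be checked mechanically. The following is an added example, not part of the original post or of Backup Exec: a small linter that parses the agent.cfg format and reports the settings those comments describe as less restrictive. The sample config, host name and password in it are constructed.

```python
import re

EXPORT_FLAGS = {"write_protected", "include_remote", "no_nfs_locking"}
# Constructed sample in the page's agent.cfg format (names and passwords are made up).
SAMPLE_CFG = """\
# Backup Exec Unix Agent config
name fileserver-01.example.com
export / as root
export /var as VAR write_protected password EXAMPLEPW
exclude_dir /dev
exclude_dir proc
"""

def normalize_name(name):
    """Rule from the file's comments: uppercase, other illegal characters become '_'."""
    return re.sub(r"[^A-Z0-9_]", "_", name.upper())

def parse_agent_cfg(text):
    """Parse keyword-first lines; blank lines and lines starting with '#' are skipped."""
    cfg = {"name": None, "password": None, "exports": [], "excludes": []}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key, args = tokens[0], tokens[1:]
        if key == "export":  # export <directory> as <resourcename> [options]
            if len(args) < 3 or args[1] != "as":
                raise ValueError(f"malformed export line: {line!r}")
            exp = {"dir": args[0], "resource": args[2], "password": None, "flags": set()}
            opts = iter(args[3:])
            for opt in opts:
                if opt == "password":
                    exp["password"] = next(opts, None)
                elif opt in EXPORT_FLAGS:
                    exp["flags"].add(opt)
                else:
                    raise ValueError(f"unknown export option {opt!r}")
            cfg["exports"].append(exp)
        elif key in ("name", "password") and args:
            cfg[key] = args[0]
        elif key in ("exclude_dir", "exclude_file") and args:
            cfg["excludes"].append(args[0])
    return cfg

def lint(cfg):
    """Return findings for settings the file's own comments describe as less restrictive."""
    findings = []
    if cfg["name"] and cfg["name"] != normalize_name(cfg["name"]):
        findings.append(f"name will be advertised as {normalize_name(cfg['name'])}")
    if not cfg["password"]:
        findings.append("no workstation password: access needs only the [ENTER] key")
    for exp in cfg["exports"]:
        if "write_protected" not in exp["flags"]:
            findings.append(f"{exp['resource']}: restore (write) access allowed to {exp['dir']}")
        if not exp["password"] and not cfg["password"]:
            findings.append(f"{exp['resource']}: {exp['dir']} published with no password")
    for path in cfg["excludes"]:
        if not path.startswith("/"):
            findings.append(f"exclude path {path!r} is not fully specified")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_agent_cfg(SAMPLE_CFG)):
        print("WARN", finding)
```

Because agent.cfg holds its passwords in clear text, the file itself should be readable only by root.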

The Startup

Add the script to your local.start

File: nano /etc/conf.d/local.start
/etc/rc.d/agent.init start

Add the script to your local.stop

File: nano /etc/conf.d/local.stop
/etc/rc.d/agent.init stop

For Backup Exec version 8.5, use the path /etc/rc.d/init.d/agent.init

Restart local.start

#/etc/init.d/local restart

Firewall

If there is a firewall involved, be sure to open port 6101.

If I missed anything please add. Everything seems to be working for me with this setup.

Enjoy!

2009
10.25

Download Trinity Rescue Kit at http://trinityhome.org/Home/index.php?wpid=1&front_id=12

Caution! It’s illegal (under most countries’ cyber laws, I think) to crack or reset a Windows logon account password that is not yours.  So use this at your own risk.  I will not be held responsible if you break any laws.

Burn the ISO and insert into your computer.

Boot up to the ISO, you may need to hit F12, F2, or del depending on your motherboard.

Once Trinity has finished booting up follow this procedure.

Find local users/Administrators

At # type:

winpass -l

Trinity will try to mount the hard drive and you will receive the message below.

The winpass command will then display messages that resemble these:

Searching and mounting all file system on local machine
Windows NT/2K/XP installation(s) found in:
1: /hda1/Windows
Make your choice or ‘q’ to quit [1]:

In this case, type 1 and press ENTER or just hit ENTER key to accept the default value, i.e. [1].

1

You should see all the local users/Administrators listed.

Now type:

winpass -u Administrator

Next, it’s time to reset the password of the specified Windows Vista account. The Trinity Rescue Kit suggests resetting it to a blank password, which might work better than setting a new password! So, just type * (asterisk key) and hit the ENTER key to set a blank or empty password for the specified Windows account.

Then, type Y and press ENTER key at the “Do you really wish to change it?” message prompt.

Now, to restart the machine, type the following (make sure you remove the Trinity CD on reboot):

shutdown -r now

This time, your Windows Vista should automatically log on with the Administrator account without asking for a forgotten password!

2009
08.28

Encourage your users to follow best practices for password protection.

  • Always use strong passwords.
  • If passwords must be written down on a piece of paper, store the paper in a secure place and destroy it when it is no longer needed. (Don’t stick it to your monitor)
  • Never share passwords with anyone.
  • Use different passwords for all user accounts.
  • Change passwords immediately if they may have been compromised.
  • Be careful about where passwords are saved on computers. Some dialog boxes, such as those for remote access and other telephone connections, present an option to save or remember a password. Selecting this option poses a potential security threat.  If you must save your password on your computer use something like Password Safe.
  • Administrator and Domain Administrator accounts should not be used for day-to-day work.  You should always run your machine under a non-privileged user account and use runas administrator for administrative needs. Windows 7 UAC has really improved since Vista in helping with running administrative tasks.

Define password policy so that all user accounts are protected with strong passwords.

  • Define the Enforce password history policy setting so that several previous passwords are remembered. With this policy setting, users cannot use the same password when their password expires.
    • Recommended last 10 passwords
  • Define the Maximum password age policy setting so that passwords expire as often as necessary for your environment, typically, every 30 to 90 days. With this policy setting, if an attacker cracks a password, the attacker only has access to the network until the password expires.
  • Define the Minimum password age policy setting so that passwords cannot be changed until they are more than a certain number of days old. This policy setting works in combination with the Enforce password history policy setting. If a minimum password age is defined, users cannot repeatedly change their passwords to get around the Enforce password history policy setting and then use their original password. Users must wait the specified number of days to change their passwords.
  • Define a Minimum password length policy setting so that passwords must consist of at least a specified number of characters. Long passwords–seven or more characters–are usually stronger than short ones. With this policy setting, users cannot use blank passwords, and they have to create passwords that are a certain number of characters long.  Suggested 8 Characters.
  • Enable the Password must meet complexity requirements policy setting. This policy setting checks all new passwords to ensure that they meet basic strong password requirements.
    • Upper and Lower Case, Numeric, Symbols
    • Not a word found in the dictionary, language, slang, etc
    • Not based on personal info, like your last name
    • Force changed every quarter, 45 – 90 days

Be cautious when defining account lockout policy.

  • Account lockout policy should not be applied haphazardly. While you increase the probability of thwarting an unauthorized attack on your organization with account lockout policy, you can also unintentionally lock out authorized users, which can be quite costly for your organization.
  • If you decide to apply account lockout policy, set the Account lockout threshold policy setting to a high enough number that authorized users are not locked out of their user accounts simply because they mistype a password.
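
To check a machine against the values recommended above, the effective policy can be exported with `secedit /export /cfg policy.inf` and audited. The following is an added example, not part of the original post: it reads the [System Access] section of such an export and reports each setting that falls short, including the case where a minimum password age of 0 lets users cycle straight through the password history. The sample export is constructed, and the lockout floor of 5 attempts is an assumption, since the post only says "high enough".

```python
import configparser

# Thresholds taken from the page; LOCKOUT_FLOOR is an assumption (the page says "high enough").
MIN_HISTORY, MAX_AGE_DAYS, MIN_LENGTH, LOCKOUT_FLOOR = 10, 90, 8, 5
KEYS = ("MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
        "PasswordComplexity", "PasswordHistorySize", "LockoutBadCount")

# Constructed sample of a `secedit /export /cfg policy.inf` file (real exports are
# usually UTF-16, so open them with encoding="utf-16" before passing the text in).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 10
LockoutBadCount = 3
"""


def load_policy(inf_text):
    """Read the [System Access] section into a dict of integers."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(inf_text)
    section = parser["System Access"]
    return {key: section.getint(key) for key in KEYS}


def days_to_reuse(policy):
    """Rough lower bound on days before an old password can be used again:
    one change allowed per minimum-age period, one change per remembered password."""
    return policy["PasswordHistorySize"] * policy["MinimumPasswordAge"]


def audit(policy):
    """Compare the exported policy with the page's recommendations."""
    findings = []
    if policy["PasswordHistorySize"] < MIN_HISTORY:
        findings.append("history: fewer than 10 previous passwords remembered")
    if policy["MinimumPasswordAge"] == 0 and policy["PasswordHistorySize"] > 0:
        findings.append("min age 0: users can cycle through the history in one sitting")
    if not 0 < policy["MaximumPasswordAge"] <= MAX_AGE_DAYS:
        findings.append("max age: passwords never expire or live longer than 90 days")
    if policy["MinimumPasswordLength"] < MIN_LENGTH:
        findings.append("min length: shorter than the suggested 8 characters")
    if policy["PasswordComplexity"] != 1:
        findings.append("complexity: requirements not enabled")
    if 0 < policy["LockoutBadCount"] < LOCKOUT_FLOOR:
        findings.append("lockout: threshold low enough to lock out users who mistype")
    return findings


if __name__ == "__main__":
    policy = load_policy(SAMPLE_INF)
    print("days before a password can be reused:", days_to_reuse(policy))
    for finding in audit(policy):
        print("WARN", finding)
```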

Service Accounts:

This is the feature I see overlooked the most, but it is very important. Since service accounts are designed to support services running on only a limited number of computers, it makes sense to limit the scope of where the service account can log on. This reduces the overall attack surface: if the service account itself is used in an attack, the attack is limited to just the computers where that account is allowed to log on.

The setting that restricts the workstations where the service account can log on is located where the user is configured: Active Directory Users and Computers. When you find the service account, right-click it and select Properties. Then go to the Account tab. From there, select the Log On To button, which displays the Logon Workstations dialog box.

Domain Administrator Accounts:

You should create two accounts for yourself: one restricted account that you use for day-to-day tasks (work, checking email, etc.) and one Domain Admin account for running administrative tasks.  There is no reason to run day-to-day tasks with a domain admin account. You should also remove your restricted account from the local administrators group.  It’s a pain, but it’s much more secure, and Windows 7 makes it a little easier with the new, improved UAC.

2009
08.03

I am writing this article to help users who are not so tech savvy.  I am going to make this as clear and simple as I can. I have targeted this article at the operating systems Windows 2000/XP/Vista/Windows 7.

Let us take a family of four: Lyn and Melinda and their two kids.  They bought a computer about two years ago with Windows XP Home Edition and set it up in their living room.  Lyn uses the computer to edit sensitive work documents with Microsoft Office, manage some private finances with QuickBooks, and keep client data in Microsoft Outlook.  Melinda uses the computer to run her home business, where she also keeps track of the business finances with QuickBooks.  The two children use it mainly for browsing the internet, posting their status on Myspace and Facebook, and using various instant messaging utilities. The kids also keep a huge collection of music that they downloaded from Limewire.

So when they first bought the computer, they brought it into their living room, simply plugged it in with all the color-coded cables, and turned it on.  On first boot, right out of the box, it asks them to create user accounts.  They create their user accounts using the Windows default settings, unwittingly giving all four users full ADMINISTRATIVE privileges.  Granting these privileges is a HUGE security risk: it allows every user to install things and change any aspect of the operating system.

Over time, everyone gets annoyed with the computer: it is slow and unreliable, pop-ups appear, and miscellaneous computer errors show up.  One of their anti-virus programs (they have several different ones) has been disabled. Another keeps popping up warnings that a virus and malware have been found, and nothing happens when you try to clean it. The family cannot seem to figure out what is causing all of the ruckus. In addition, some unusual transactions start appearing on Melinda’s bank account.  Melinda’s bank calls her to tell her they have frozen her debit card due to 80-plus transactions that happened in just a few minutes.

Anyone who knows computer security can immediately spot major mistakes in how this computer was set up and managed.  Giving all of the users administrative privileges is a BIG NO NO! Giving children those privileges is an even bigger NO NO!  As any parent will testify, children love playing computer games.  After school, they will come home and download and install any game they find while browsing the internet, just so they can compete with their friends online.  Very rarely will a child think about running an anti-virus or malware scanner on the downloaded game before installing it.   If the game has a “free” label, remember the saying, “nothing is for free.” Most of the time “free” games come with malware. Installing it as an administrator gives the malware full administrative privileges to everything on the system.  I hope I am scaring you a bit.  People tell me, “Well, it’s okay, I have a firewall protecting me.”  In this case not even 1000 firewalls will help you.  The damage has been done.  The malware has already gotten past the firewall by being downloaded and installed by the child.

So giving administrative privileges to any account that is used regularly is not recommended.  For general use, the best practice, in my personal opinion, is to make every user on the computer a restricted user who can ONLY make changes to their own documents, and to have a SINGLE administrative account that is controlled, password protected, and used only for system maintenance and for installing “well known and trusted applications”. This is similar to the practice used on Linux machines.

Although this practice will not defeat all forms of malware, it will make it MUCH harder for a malicious application to take control of your system.  This means that malware arriving and installing under the child’s account will only be able to manipulate the data in the child’s profile or documents folder. Remember that when an application is run, it is subject to the same privileges and restrictions as the user who started it; therefore an application running under a restricted user account should not be able to make changes to the operating system or access any other user’s files.

Now I am going to try to explain the best way I know possible to secure your Windows 2000/XP/Vista machine.  I know that all operating systems are somewhat different on the installation so this will be a generic tutorial.  I will break it down in steps.

  1. Backup your data and wipe the hard drive.  There is no better way than starting fresh and clean.
  2. NTFS or FAT?  What did you just call me? No actually, these are hard drive formats.  Have you ever installed Windows and it asks you what format would you like? Well I am not going to go into much detail about what each one does, but the format you want is NTFS.  Why NTFS? Well it is secure and it locks down user access and control of your folders and files.  Simple enough huh?
  3. Create ONE administrator account.  For example, call it “SuperUser”, and make all other user accounts restricted accounts.
  4. Create a complex password for “SuperUser”.  Creating a complex password is actually really easy.  I am going to show you how to create a very strong, complex password that is easy to remember.  Take a favorite word that you know well but that does not reference anything someone may know about you.  For example, I am going to use the word “Transformers”.  Take the word, replace some letters with special characters, and add two digits at the end: “Tr@nsf0rm3r501”. So I replaced the “a” with “@”, “o” with “0”, “e” with “3” (E backwards), “s” with “5” and tagged 01 at the end.  It is the easiest kind of password to remember: just substitute letters with special characters that resemble them.
  5. Logon as “SuperUser” and install all of those Microsoft Critical updates.
    1. Click Start > Run, type sysdm.cpl, and press Enter.  Click the Automatic Updates tab.  Make sure the Automatic (recommended) Automatically download recommended updates for my computer and install them option is checked.
    2. Make sure the Microsoft Firewall is turned on. Go to My Computer > Right click “Internet Connection” > Select “Properties” > Click the “Advanced” tab > check the box and click “Apply”.
    3. Create user accounts for the rest of the family members.  Control Panel > User Accounts.  Create an account for yourself and the wife and kids and make sure they are all set to “restricted” including yourself. Additionally turn off “Fast User switching” by going to Control Panel > User Accounts > “Change how users log on and off”.  This will reduce the chance of a malicious application running under a restricted user account managing to “jump” over to the “SuperUser” account if both are logged on at the same time.
    4. Anti-virus!  No need to buy expensive anti-virus software.  There are two really GREAT anti-virus programs out there that are free and probably better than the leading anti-virus software on the market: Free AVG and AVAST Anti-virus.  http://free.avg.com/ and http://www.avast.com/
    5. Testing!  Log on as a restricted user and try to install something.  You should get the error message “Access denied – User has no administrative Privileges”.

Part 2 will be continued…

2009
08.03

After disappointing the many fans that expected Microsoft to announce Windows 7 RTM on July 13th, the Redmond company has yet to announce a date for the RTM. The good news is that they have just announced when some of us can expect to see the RTM ready for download:

  • Independent Software Vendors and Independent Hardware Vendors : Via Microsoft Connect or MSDN on August 6th
  • Microsoft Partner Program Gold/Certified Members: Via Microsoft Partner Network (MPN) Portal on August 16th. Remaining languages will be available by October 1st.
  • Microsoft Action Pack Subscribers: Available to download starting August 23rd. Remaining languages will be available by October 1st.
  • OEMs: Approximately two days after Microsoft officially RTM
  • Volume License with Software Assurance: via the Volume License Service Center (VLSC) starting August 7th.
  • Technet and MSDN: August 6th

Microsoft previously said that Windows 7 will RTM during the second half of July, and that its MSDN and Technet subscribers would be able to download it a few weeks after. Current rumors are pointing the Windows 7 RTM date at July 24th.

Windows 7 will be available to customers worldwide on October 22nd.