Evolution of my IT workspace

I’ve just reached my 6th year of working as an independent consultant and having just bought myself a new Microsoft Surface Pro 3, I find myself thinking about what has changed in the way I work, and what changes may be to come.

In my day-to-day work I find myself split between working from my home office and working onsite with clients. Sometimes that’s in an office and sometimes that’s sitting cross-legged on a datacentre floor.

Working as an IT consultant gives me a very good excuse to have as many gizmos as possible and this means the tools I use day-to-day have changed quite a lot.

The Laptop phase

When I left my previous company, I was used to working on a high-spec laptop. This worked well for me, so I immediately invested in a top-spec 15” Dell laptop, docking station and used it with my existing Dell UltraSharp 24” monitor. This allowed me to carry everything I needed with me, and meant I had all the tools I could possibly need wherever I was.

As time went by I realised that having a monstrous laptop was a pain. It got hot, had terrible battery life (even though it had the chunky battery that stuck out the back) and was very heavy and seemed quite easy to damage. It also had a frustrating firmware bug that meant the motherboard would throttle down the CPU to an unusably slow speed whenever it got warm!

After a couple of years, I thought it was time for a change. I wanted something smaller and better built.

As an aside, I occasionally DJ and fancied making the shift from CDs and vinyl to digital DJing (I was hooked on Native Instruments Traktor Scratch Pro and later the Kontrol S4).

The small laptop and desktop phase

Having had an iPhone for a while I decided to jump ship to a Mac. Many thought it strange for someone who fundamentally works with Microsoft software to turn up with a Mac! BUT Macs can run Windows very nicely :)

I bought a 13” MacBook Pro, the aluminium ‘Unibody’ type. I just love the design and build of these machines. They were absolutely fantastic. The main benefit was VMware Fusion. This allowed me to run Windows as a Virtual Machine. I had a clean Mac environment, used for music, Traktor DJ software, photos and syncing my iPhone; and I had Windows running everything I needed for work. At the time it was still really important to have things like a DVD drive!

It went through several upgrades – RAM and hard disks, culminating in a ridiculously expensive 512GB SSD. I’ll never forget that first switch to an SSD – what a phenomenal difference, I would never go back!

In the office I had also built a custom PC. Having always had many spare PC parts around, it was easy to knock something together. It was a nice Intel i7 machine that I ran on the 24” monitor. I also purchased a 2nd 24” monitor. This was a dream setup for productivity in the office. I was doing a lot of work from the office, so it was great to have a decent setup.

So what was I doing with my data at this time? Previously, having just one laptop meant I always had everything with me. But I now had two machines. This was a bit awkward, but I had set up a SharePoint 2010 server, which is where I kept my critical data. I still had some things I could only get to from the office – like payroll and other irritating stuff like that.

My desktop PC lasted me for over 5 years without modification, and I had my MacBook Pro for 3 years – it was brilliant. I even sold it for 60% of what I paid for it new! Try that with a PC laptop!

My work patterns had shifted and I was doing a lot more work onsite. This meant doing a lot of work from my laptop.

The larger laptop and desktop phase

Apple had just released the new retina MacBook Pro range and I couldn’t resist. I sacrificed the DVD drive – but by now I never used it. It was thinner, still had the amazing build quality and was a properly powerful machine. The 15” screen was also much better for long days working on it.

I forgot to mention that I have also always had an iPad since they first came out.

The iPad has built in 3G, so is always connected, it’s also on the network Three (cheap!), and my iPhone is on a different network – giving me a bit of redundancy in connectivity in emergency remote situations. My laptop allows me to do everything I could need to, but I often wouldn’t want to take something that large. I can get by really well with an iPad, for times when I am travelling, but only going to a meeting for example. I can email, and can even do remote desktop connections for emergency system fixes, but it’s certainly not something you can work on all day. So I always had that dilemma – particularly when going on holiday – can I just take my iPad, or should I take the laptop too, just in case?

About 3 months ago I took the plunge and migrated my email on to Office365. It was an emotional moment, having tried to ignore its existence for so long – thinking to myself ‘I run my hosted services a lot better, I want it in my control’, but then realising that it would be a lot simpler and one less thing to worry about. Getting it effectively free also helped (I have a Microsoft Action Pack subscription to give me internal and test licenses and you get 5 Office365 E3 licenses with it).

So I moved my email, and also the data in my old SharePoint server. With 1TB of storage in OneDrive For Business (what a stupid name for a product!), I also threw all my static files in there and just let it sync up. It made sharing data with customers really easy too. Plus it has benefits like Rights Management, which means I can securely protect documents with sensitive data, and still share them with my colleagues too. Even my payroll software (12Pay) data file now resides in there, so I can access it from my laptop and desktop, wherever they are.

The revolution?

So after a long and wordy resume of the toys I’ve been buying over the years, where are we now?

I used the excuse that ‘I need to understand how tablets can work in a managed corporate environment’, to buy myself a new Microsoft Surface Pro 3 tablet. Microsoft claim this is the tablet that can replace your laptop (and desktop).

Now it’s very early days, having only had it for a weekend, but I am really beginning to think that this could be true.

It does have all the power and storage you need (mine has an i7, 8GB RAM and 512GB of SSD storage), and it genuinely is a real tablet. On my weekly trip to Bath, where I work with Gradwell Communications, I will now only have to take this tiny device with me. I have ordered a docking station, so I can instantly connect it up to a monitor and keyboard, plus I won’t need to take a power supply with me. Thinking back to my argument for buying an expensive 15” MacBook Pro – it now seems a little silly – there isn’t an office you go to that doesn’t have a monitor, keyboard and mouse you can borrow – plus being hunched over a laptop all day isn’t exactly comfortable.

I am currently on a train (returning from a holiday, where yes, I wouldn’t have wanted to take my laptop), using the full version of Word, with a decent keyboard and trackpad too. If any emergency had occurred I would have been able to cope. The only downside being that it doesn’t have separate 3G, so I tether via my phone, which is fine, and will save me £15/month on the Three contract. I even have a USB (yes it has a USB port!) Ethernet adapter, so I can connect to a wired network if necessary.

I’ll need to see how I settle in with it, but I can certainly think of many types of jobs where a Surface Pro 3 is all I would need, particularly with a docking station in the office and the power supply left at home!

So what now for the 15” MacBook Pro and the new 6-core Mac Pro in the office? Well, I still need something to DJ on (although I am thinking of trying Traktor on the Surface Pro!), and this tablet won’t drive my two Dell 24” 4K monitors on my desk! I’ll allow myself that luxury and be keeping them both for now!

The Recommendations

So what would my recommendations be for anyone that has bothered to read this far? Firstly, I am an IT geek and can happily manage setups that wouldn’t be suitable for most! For someone that works independently I could see that a Surface Pro, coupled with some Cloud storage system (quick plug for Gradwell Cloud, www.gradwellcloud.com), would work wonderfully!

Also, being a Microsoft product, and a full version of Windows, it will integrate perfectly into a larger corporate Windows network. I have many customers where I have deployed systems like Microsoft System Center Configuration Manager to manage and maintain all their IT assets. Just make sure that (it being an ultra-mobile device) you have very good remote access systems set up – I cannot recommend Microsoft DirectAccess enough (ask me if you need help with this one!), it’s the (near) perfect remote access solution.

The small business still has a slightly trickier time. This is not a Surface-specific issue, but now that the server in the corner (aka Microsoft Small Business Server) is well and truly dead (or should be if you haven’t already got rid of it!) there is a gap in the workstation management aspect of small IT networks. Savvy businesses will have moved their email to Hosted Exchange and their data into some form of Cloud Storage (e.g. Office365, OneDrive For Business, second shameless www.gradwellcloud.com plug), but there is still a lack of workstation management, like you used to be able to get with Active Directory and Group Policy that was part of Small Business Server. There is Windows Intune, which does allow you to have some control over your IT assets. But without having any central servers of your own, you still can’t easily control logins to machines that are not part of an Active Directory Domain (this is the central user database that everything used to authenticate to – disable a user there and they are locked out of everything: email, file servers, workstation login etc. – not so easy now!). I hope Microsoft will bring out a version of Azure Directory Services that will allow machines to join the domain and be managed by Group Policy (without having your own local AD). In the meantime just make sure your workstations and laptops are well managed and are as secure as possible! That could be the next blog post!

We do really need to think about security. Properly.

I have just returned from an IT directors forum (conveniently held on a cruise ship) where I had the pleasure of meeting many IT security experts and sharing their thoughts and experience.

The frequency, complexity and skills involved in cyber attacks are increasing exponentially. And these attacks are becoming more and more targeted, i.e. criminals are specifically choosing you, learning about you, then crafting specific methods to steal your data.

You need to think carefully about this. The people I spoke to over the last few days talk ‘when’, not ‘if’. Their opinion is that it will, without doubt, happen to you.

So what can be done about this? Some people say ‘nothing’ – if a determined hacker wants you, they will get you. Obviously they are not suggesting you don’t do anything, but you have to consider this when designing your systems and processes.

The first stage is that you need to understand the information you have and how important it is. What is the impact if someone does steal it? The best principle is to put your assets in bubbles of criticality, allowing you to better protect the parts which really matter. Then work out how that information enters and leaves each bubble. You may have one bubble inside another.

Protecting just at the perimeter is not the solution. You are far more likely to have a data breach from an insider, than an external attacker.

I feel that all the talks I have been to are mostly intended for larger businesses. However, SMEs now really have to start thinking about this too. It can be difficult to set aside the time to think about this, and even harder to start implementing changes.

There was once a day when people thought their system was secure because they enabled password expiry every 90 days. Even this seemed painful to users.

There are no simple answers unfortunately, and you have to think through your entire plan top to bottom. However, here are some pointers to think about:

  1. Patch your servers. Regularly. Always.
  2. Segment your network. Does your HR database need to be on the same LAN as all your users? So isolate it, along with the people that need access to it.
  3. Think about your access permissions to your files. It may be easy to give access for everyone to everything, but they don’t need it. A malicious piece of code assuming the identity of a compromised account will gladly take everything it can.
  4. Take away all those Administrator rights. If you need admin rights, set up a different account and use it only when you need to.
  5. Take away those admin rights from services too. Use dedicated service accounts for everything. Too many times I see a SQL server running as the domain administrator. It doesn’t need it. Everything should have separate accounts.
  6. Vet your staff. And make sure they are happy.
  7. Don’t leave easy workarounds in important processes. If staff circumvent it, an attacker certainly will.
  8. Take the quick wins – e.g. disk encryption (BitLocker is great!), but think about removable media too (again, BitLocker can really help here).
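Pointers 4, 5 and 8 are the ones you can check on a machine today. The script below is an added example, not something from the original post: a read-only audit that lists services running under privileged accounts, the members of the local Administrators group, and volumes BitLocker is not protecting. It assumes an elevated Windows PowerShell 5.1 session on a domain-joined Windows machine, and the privileged-account names it looks for are a constructed starting list you would extend with your own.

```powershell
# Added example (not from the original post): read-only audit for pointers 4, 5 and 8.
# Assumptions: elevated Windows PowerShell 5.1 on a domain-joined machine; the
# $PrivilegedLogons list is constructed and should be extended with your own groups.
$PrivilegedLogons = @('Administrator', 'Domain Admins', 'Enterprise Admins')

function Get-PrivilegedServices {
    # Pointer 5: services whose logon account is a privileged user, e.g. SQL Server
    # running as the domain administrator. Services with no logon account are skipped.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $logon = $_.StartName
            if (-not $logon) { return $false }
            foreach ($name in $PrivilegedLogons) {
                # Match DOMAIN\name, name@domain and bare name forms.
                if ($logon -eq $name -or $logon -like "*\$name" -or $logon -like "$name@*") { return $true }
            }
            $false
        } |
        Select-Object Name, DisplayName, StartName, State
}

function Get-LocalAdminMembers {
    # Pointer 4: everyone who logs on here with admin rights. Each human entry is a
    # candidate for a separate admin-only account used just when it is needed.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-UnprotectedVolumes {
    # Pointer 8: fixed and removable volumes that BitLocker is not currently protecting.
    Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionPercentage
}

# Run the three checks and print each section, saying so when a section is empty.
$sections = [ordered]@{
    'Services running under privileged accounts' = Get-PrivilegedServices
    'Members of the local Administrators group'  = Get-LocalAdminMembers
    'Volumes not protected by BitLocker'         = Get-UnprotectedVolumes
}
foreach ($title in $sections.Keys) {
    "== $title =="
    $items = @($sections[$title])
    if ($items.Count -eq 0) { '  (nothing found)' } else { $items | Format-Table -AutoSize | Out-String }
}
```

Nothing here changes any setting; the point is to get a list you can act on (move each service to a dedicated account, give each admin a second account, turn BitLocker on). Run it across your estate with `Invoke-Command` if the machines already allow PowerShell remoting.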

The next interesting thing I learnt about is crisis management. Hell, if they say your data will get stolen, you may as well prepare to deal with the crisis when it happens (assuming you know you’ve been breached, it’s more than likely you won’t even know).

Some things I took away from it were:

  1. Train your staff. Make sure a consistent message is portrayed to customers (or journalists).
  2. This will no longer be IT’s problem; they won’t be able to fix this for you.
  3. Respond fast – really fast. Seconds matter now. Social networking allows people to talk about you very effectively, a message will travel so fast, make sure it’s the right message. Oh and be humble and concise too.

Getting all this right takes time. Many people I know are looking to ISO27001, which is a good thing. But it’s tricky to do, time consuming and can be expensive. However, what I am also finding is that customers are now expecting it and requiring it. Especially if you are collaborating with someone else who is certified, customers will expect the whole chain to be certified.

So start thinking about IT security now and start making changes. This will forever be an evolving landscape – you won’t be able to fix it, it’s a constant battle you need to fight and be ready for every day.

Some other points that were brought up in the event, some I found amusing, but actually valid and thought provoking:

  1. Bugs – they can be bought really cheaply now. What’s inside that new plant pot that you received from a random person? What have you been discussing near it recently?
  2. ‘I only manufacture toilet rolls, why would anyone be bothered with me?’ I presume you have competitors? What if they knew all your cost prices and the supply details you have with your customers? Wondering why you’re losing out on a load of deals? Maybe they know what you are offering. What if your complete accounts were published online?
  3. Would your staff be pleased if all their personal details and salaries were published on a website – it’s all inside that simple old payroll system!

DirectAccess 2012 with RSA deployment experience

I have just completed a large deployment of DirectAccess for a UK business. They were migrating from UAG and also wanted to implement RSA authentication.

The solution involved two separate load balanced arrays in different sites, RSA OTP authentication, Network Policy Health checks (NAP/HRA), Windows 7 client roaming between sites and ManageOut.

The deployment could have been a smooth experience, but I came across numerous issues, and errors in the Microsoft documentation – particularly when it came to multi-site setup and load balancing.

Microsoft have produced some nice lab guides and walk-throughs, but these are littered with errors, and there appears to be no official ‘meaty’ documentation on the setup, which I found unusual and frustrating. It feels like they had a great idea with 2012 DA, but rushed it out the door, lacking large amounts of testing and detail.

I am pleased to say that the solution works well however!

Some issues I encountered were:

  • Amount of hacking required with PowerShell to make Win7 client roaming work
  • Changing the IP-HTTPS encryption certificate in the GUI resets some of that customisation, requiring rerunning of some scripts to ‘fix’ it after the change (Set-NetIPHTTPSConfiguration -PolicyStore PersistentStore -ServerURL "https://+:443/IPHTTPS")
  • Adding a node to NLB sometimes gets the subnet mask wrong on the dedicated IP. In this case the subnet mask got set to 255.255.255.15 instead of 255.255.255.240. This caused a ‘misconfigured’ error.
  • Detail on a unified IPv6 address for DNS64 across the load balanced servers and sites was lacking. It feels like a very dirty hack to add a common IPv6 address across all nodes. See 2.1.3.2 here http://technet.microsoft.com/en-us/library/jj735306.aspx
  • I found this custom IPv6 address seemed to ‘disappear’ often
  • Once you set up this custom DNS64 address you can’t use the GUI to add new DNS suffixes. It insists on an IPv4 address. You have to use PowerShell to add new ones: Add-DAClientDnsConfiguration -DnsSuffix '.domainname.com' -DnsIPAddress @('customipv6DNS64address') -Verbose -ComputerName 'daservername'
  • I also found the Windows 7 IP-HTTPS client sometimes got stuck in an error ‘No Usable Certificate(s) 0x103’. None of the MS blogs contained a solution. Restarting the IP Helper service resolves it – or just booting the laptop with no network connection. It seems to appear if it automatically connects to an 802.1X WPA Enterprise WLAN on startup.
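Three of the issues above (the IP-HTTPS URL being reset by a certificate change, the wrong NLB subnet mask, and the custom DNS64 address disappearing) are the kind of silent drift you only notice when clients stop connecting. The script below is an added example, not part of the original post or of Microsoft’s documentation: a read-only check to run on each DirectAccess server after a certificate change or NLB node addition. It assumes Windows Server 2012 with the RemoteAccess and NetTCPIP modules present, and the three expected values plus the interface alias are placeholders to replace with your deployment’s own.

```powershell
# Added example (not from the original post): post-change drift check for a
# DirectAccess 2012 server. Assumptions: RemoteAccess and NetTCPIP modules are
# available; the four values below are placeholders for your own deployment.
$ExpectedIpHttpsUrl   = 'https://+:443/IPHTTPS'   # what the post's Set-NetIPHTTPSConfiguration line sets
$ExpectedPrefixLength = 28                        # /28 = 255.255.255.240, the correct NLB mask in the post
$ExpectedDns64Address = 'fd00:db8::1'             # constructed placeholder for the common DNS64 address
$NlbInterfaceAlias    = 'Internal'                # constructed placeholder for the NLB-facing NIC

function Test-IpHttpsUrl {
    # A GUI certificate change can reset the ServerURL; flag it when it no longer matches.
    $urls = @(Get-NetIPHTTPSConfiguration -ErrorAction Stop | Select-Object -ExpandProperty ServerURL)
    [pscustomobject]@{
        Check    = 'IP-HTTPS ServerURL'
        Expected = $ExpectedIpHttpsUrl
        Actual   = ($urls -join '; ')
        Ok       = ($urls -contains $ExpectedIpHttpsUrl)
    }
}

function Test-NlbPrefixLength {
    # Adding an NLB node sometimes writes a bad mask (255.255.255.15) on the dedicated IP;
    # every IPv4 address on the NLB interface should carry the expected prefix length.
    Get-NetIPAddress -InterfaceAlias $NlbInterfaceAlias -AddressFamily IPv4 -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Check    = "Prefix length on $($_.IPAddress)"
                Expected = $ExpectedPrefixLength
                Actual   = $_.PrefixLength
                Ok       = ($_.PrefixLength -eq $ExpectedPrefixLength)
            }
        }
}

function Test-Dns64Address {
    # The common DNS64 IPv6 address must still be bound locally and still be the address
    # the client NRPT rules point at, or name resolution over DA breaks.
    $bound  = [bool](Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
                     Where-Object { $_.IPAddress -eq $ExpectedDns64Address })
    $inNrpt = [bool](Get-DAClientDnsConfiguration -ErrorAction SilentlyContinue |
                     Where-Object { $_.DnsIPAddress -contains $ExpectedDns64Address })
    [pscustomobject]@{ Check = 'DNS64 address bound on server'; Expected = $true; Actual = $bound;  Ok = $bound }
    [pscustomobject]@{ Check = 'DNS64 address in client NRPT';  Expected = $true; Actual = $inNrpt; Ok = $inNrpt }
}

$results = @(Test-IpHttpsUrl) + @(Test-NlbPrefixLength) + @(Test-Dns64Address)
$results | Format-Table Check, Expected, Actual, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'DirectAccess settings have drifted; re-run the fix-up scripts before clients notice.'
}
```

Run it on every node of both arrays, since the NLB mask problem hits one node at a time and the DNS64 address has to be present on all of them.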

What is digitally signed email, and why do I sign my emails?

I may be being slightly evangelical here, but I believe there are huge benefits to be had by making use of digital signatures and secure email. I would like to explain what it is all about, how it works (basically) and why you may want to do the same.

So what is digitally signed email?

Using digital signatures allows you to confirm, without doubt, that an email came from the person that sent it and that it has not been altered by anyone else while en route to you. It can also secure the email to ensure only the intended person can read it.

How does it work?

To send secure or signed email you first need a Digital Certificate. Digital Certificates are based on the common cryptography technique known as public/private key encryption. I am not going to go in to how this works here, but it is the same system that is used in secure websites and SSL (that padlock you see in your web browser).

To obtain a certificate you have two options. You can either generate your own (which is not recommended, as I’ll explain later) or go to a certification authority who will sell you one. They will perform security checks on you to ensure you are who you say you are. This is a critical process, as you need to be able to trust the certificate when it says it’s valid. Once this is complete you will be able to download and install your certificate. All computers have a built-in list of trusted certification authorities. Any certificate generated by one of these companies will automatically be trusted and shown as valid by your computer. If you generate your own certificate, the recipient will get a warning that they do not trust it, which partially defeats the point.

Your certificate consists of two parts, the ‘public’ and ‘private’ keys. The private key is very important and must be kept safe and secret. You should never give anyone a copy of your private key. Some certification authorities will allow you to download another copy of your private key, should you lose it. Please don’t worry or think to yourself ‘this sounds complicated’; these are things you don’t have to worry about since it’s all part of the operating system and it all just works in the background.

Once you have your certificate installed and configured, when you send an email you can choose to ‘Apply a digital signature’. This means that when you click send, the email client will look at the contents of your email, open your private key from your digital certificate and generate a signature. It then attaches this signature and the public part of your certificate to the email. When the recipient opens your email, the email client should notice that there is a signature attached. Using this signature it can then verify that your email has not been altered. It will then go off and check with the certification authority that you purchased your certificate from that you are valid and trusted. After all this, your recipient should just see a red rosette on the email showing everything is good and trusted.

The real benefits come in when both parties have digital certificates. Once I have sent someone my public key (which is done every time I send a signed email), if they too have a certificate their email client can use the combination of theirs and my certificate to encrypt the email to me so only I can read it. When I receive that email (which will appear as garbage to anyone else), I then use my secret private key to decrypt and display the message. Again this all happens transparently in the background by my email client, so all I see is the email (exactly as they sent it, guaranteed to be unaltered) and a small blue rosette to show it was encrypted.

There are other methods of sending secure email, typically involving 3rd party products, but I really like this way as it is the ‘purist’ way of doing it. It is the most widely accepted and secure method – mainly because nearly all email clients support it out of the box (and it’s not just a Microsoft thing either), it is a common internet standard (known as ‘S/MIME’).
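The sign, verify, encrypt and decrypt steps described above can be seen in isolation, without a mail client in the way. The script below is an added example and is not from the original post or any mail product: it uses the CMS (PKCS#7) classes that S/MIME is built on, available to Windows PowerShell 5.1 through .NET. It creates a throwaway self-signed certificate for a constructed sender address, which is exactly the case the post says a recipient will not trust, so the certificate-chain check that a real mail client performs is deliberately skipped and labelled as such in the code.

```powershell
# Added example (not from the original post): S/MIME building blocks via .NET CMS classes.
# Assumptions: Windows PowerShell 5.1; a self-signed demo certificate is created and
# removed again; the message text and subject name are constructed for the demo.
Add-Type -AssemblyName System.Security

function New-DetachedSignature {
    # What "Apply a digital signature" does: hash the body, sign the hash with the private
    # key, and package signature plus public certificate (the smime.p7s attachment).
    param([byte[]]$Body, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Signer)
    $content = [System.Security.Cryptography.Pkcs.ContentInfo]::new($Body)
    $cms     = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)   # $true = detached
    $cms.ComputeSignature([System.Security.Cryptography.Pkcs.CmsSigner]::new($Signer))
    return ,$cms.Encode()
}

function Test-DetachedSignature {
    # What the recipient's client does first: check the signature against the body it received.
    param([byte[]]$Body, [byte[]]$Signature)
    $content = [System.Security.Cryptography.Pkcs.ContentInfo]::new($Body)
    $cms     = [System.Security.Cryptography.Pkcs.SignedCms]::new($content, $true)
    $cms.Decode($Signature)
    try {
        # $true = verify the signature only. A real client passes $false so the embedded
        # certificate is also chained to a trusted CA (the "red rosette" step); that would
        # fail here because the demo certificate is self-signed.
        $cms.CheckSignature($true)
        return $true
    } catch {
        return $false
    }
}

function Protect-ForRecipient {
    # Encrypt to the recipient's public key, which a signed email from them already gave us.
    param([byte[]]$Body, [System.Security.Cryptography.X509Certificates.X509Certificate2]$RecipientCert)
    $content  = [System.Security.Cryptography.Pkcs.ContentInfo]::new($Body)
    $envelope = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new($content)
    $envelope.Encrypt([System.Security.Cryptography.Pkcs.CmsRecipient]::new($RecipientCert))
    return ,$envelope.Encode()
}

function Unprotect-WithPrivateKey {
    # Only the holder of the matching private key can turn the "garbage" back into the message.
    param([byte[]]$Envelope, [System.Security.Cryptography.X509Certificates.X509Certificate2]$MyCert)
    $envelope = [System.Security.Cryptography.Pkcs.EnvelopedCms]::new()
    $envelope.Decode($Envelope)
    $envelope.Decrypt([System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new($MyCert))
    return ,$envelope.ContentInfo.Content
}

# Throwaway certificate (CAPI provider with a key-exchange key so it can both sign and decrypt).
$cert = New-SelfSignedCertificate -Subject 'CN=demo-sender@example.com' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeySpec KeyExchange `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -NotAfter (Get-Date).AddDays(1)
try {
    $body = [System.Text.Encoding]::UTF8.GetBytes('Invoice total is GBP 1,200.')   # constructed message
    $sig  = New-DetachedSignature -Body $body -Signer $cert
    "Signature valid on the original body: $(Test-DetachedSignature -Body $body -Signature $sig)"

    # Change one digit in transit: the same signature must no longer verify.
    $tampered = [System.Text.Encoding]::UTF8.GetBytes('Invoice total is GBP 9,200.')
    "Signature valid on the altered body:  $(Test-DetachedSignature -Body $tampered -Signature $sig)"

    $cipher = Protect-ForRecipient -Body $body -RecipientCert $cert
    $plain  = [System.Text.Encoding]::UTF8.GetString((Unprotect-WithPrivateKey -Envelope $cipher -MyCert $cert))
    "Decrypted with the private key: $plain"
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey   # discard the demo certificate
}
```

The two `CheckSignature` modes are the whole story of why a CA-issued certificate matters: the signature maths is identical for a self-signed certificate, but without a chain to a trusted authority the recipient has no reason to believe the public key belongs to you.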

So why do I sign my emails?

Well basically, I sign all my emails in an attempt to spread the word, to get people to read this article and hopefully go and get themselves a digital certificate for email. In an ideal world everyone that I do business with would have a digital certificate. That way I can send sensitive information as easily as sending an email (simply because I AM just sending an email), and I can be confident that only they can read the email.

If you are interested in sending secure and trustworthy email, then please drop me a line via the contact page on my website. I can point you in the right direction and help you get set up.

Ben Nichols
Director

BN Information Security Limited
w: http://www.bn-is.com

Installing Windows 7 RC x64 with NVidia graphics card

Over the last few days I have been testing Windows 7 RC (build 7100). I have to say that I think it is a fantastic operating system and I am really looking forward to the final version.

I’ve been installing it on several machines, including my laptop, workstation and as of yesterday, my Media PC. I hit a fairly major snag with the last install. After the initial setup screen the setup process started to ‘Blue Screen’ showing an error with NVLDDMKM.dll. This prevents the setup from completing and the system just loops round continuously blue screening.

The system is an MSI Media Live machine. It has an AMD dual core Opteron and on-board NVidia graphics. The problem is caused by the pre-release NVidia driver that is included with this build of Windows 7. I’ve noticed previously on other machines that after installing Windows 7, one of the first updates it installs is a new NVidia graphics driver.

I thought I may be stuck – or have to try and fudge in a new driver, or just revert to the 32-bit version of Windows 7. The solution was actually much simpler. The system was still connected to my Plasma TV over an HDMI connection. When I moved the machine and connected it to a standard VGA monitor, the system stopped blue screening and setup completed fine! The system then installed the new NVidia drivers, I reconnected it to my Plasma over HDMI, and it works fine!

Strange issue, which I’m sure will be fixed when newer drivers are bundled with Windows 7. I hope this saves someone else some hassle!

Ben Nichols
BN Information Security Limited

HP Color LaserJet DHCP option 119 bug

A little while ago I was testing a Polycom CX700 phone for Microsoft Office Communications Server. This is a very clever phone that runs Windows CE and the Office Communicator Phone edition. The phone configures itself entirely from the network (DHCP and DNS). So in order for it to work correctly I was changing several DHCP settings.

Shortly after getting my new phone working I noticed that my HP Color LaserJet CP3505dn stopped working correctly. It would only appear to print one page, immediately after turning it on. I was finding myself having to turn it off and on repeatedly just to get a few pages out of it. Strangely the LCD menu seemed to also grind to a halt after about 30 seconds of being switched on, the buttons would take increasingly longer to respond until it stopped altogether.

I started to dig deeper and noticed that it would come back to life if I unplugged the network cable, but stopped responding 30 seconds or so after plugging it in again (it would also print out about 1 page if there was something in the queue on the print server). I then looked at its internal web page and I noticed the majority of the links and settings were missing:

I thought back to any changes I may have made recently and I remembered my DHCP settings. I went through and removed all the custom settings I had added for the Polycom CX700 (a.k.a. ‘Tanjay’) and to my surprise the printer fixed itself! Everything on the printer was working again correctly, including the web admin page, which had all its settings and links returned:

I narrowed the problem down to a DHCP option ‘119 – Domain Suffix Search’. If anything was set in this DHCP option, the printer would stop working.

So be warned, network admins that have any HP LaserJets that get their IP address from DHCP! Setting option 119 might cause your printers to stop working.
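If your DHCP server is Windows-based, the first thing to know is where option 119 is actually being handed out. The script below is an added example, not from the original post: it reports every server-level and scope-level assignment of option 119 so that scopes which also serve HP LaserJets can be reviewed before a printer goes quiet. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later), and the server name is a constructed placeholder.

```powershell
# Added example (not from the original post): find where a Windows DHCP server hands out
# option 119 (Domain Search). Assumptions: DhcpServer module (Server 2012+); the server
# name is a constructed placeholder.
$DhcpServer = 'dhcp01.example.internal'
$OptionId   = 119

function Get-Option119Assignments {
    param([string]$ComputerName)
    $found = @()

    # Server-level value: inherited by every scope that does not override it.
    $serverValue = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -OptionId $OptionId -ErrorAction SilentlyContinue
    if ($serverValue) {
        $found += [pscustomobject]@{ Level = 'Server'; ScopeId = '(all scopes)'; Value = ($serverValue.Value -join ', ') }
    }

    # Scope-level values: only the scopes that set the option themselves.
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $ComputerName) {
        $scopeValue = Get-DhcpServerv4OptionValue -ComputerName $ComputerName -ScopeId $scope.ScopeId -OptionId $OptionId -ErrorAction SilentlyContinue
        if ($scopeValue) {
            $found += [pscustomobject]@{ Level = 'Scope'; ScopeId = $scope.ScopeId; Value = ($scopeValue.Value -join ', ') }
        }
    }
    return ,$found
}

$assignments = Get-Option119Assignments -ComputerName $DhcpServer
if ($assignments.Count -eq 0) {
    "Option $OptionId is not set anywhere on $DhcpServer."
} else {
    $assignments | Format-Table -AutoSize
    # To stop sending it to a scope that contains printers, uncomment and set the scope:
    # Remove-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId 192.0.2.0 -OptionId $OptionId
}
```

A server-level assignment is the one to watch: it reaches every scope, including the one the printers sit in, even though the printer scope itself shows nothing.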

The main reason I am sharing this is because I first tried to tell HP about this. I thought that since I had clearly discovered a bug in their firmware, they would want to know about it. After opening a support case with them, and receiving the usual ‘have you tried turning it off and on again’ reply, they went silent. I tried to follow it up, but every single one of my emails went unanswered. Since I usually Google for answers to problems like this – and not finding any this time – I thought I should share this, so someone else might find this solution and save themselves some time!

Ben Nichols
BN Information Security Limited

This is the start of my Blog

Hello and thank you for visiting my blog. This is the start of my blogging career and I am quite looking forward to it.

I hope to share with you useful information that I discover through my day to day activities as an IT consultant. I frequently use internet searches to find solutions to tricky problems and find it an invaluable resource. Therefore I would like to contribute my experiences and expertise where I can, through this blog.

A little about myself:
I am currently based in the centre of Bristol, UK. I have been here for over 10 years now. I first moved to Bristol in 1998 when I started my Masters degree in Electrical & Electronic Engineering at the University of Bristol. Towards the end of my university career I started to work closely with a friend of mine, Chris Falconer, doing small development projects in classic ASP and ASP.NET as soon as it was launched. When we both graduated in 2002, we formed a company called Size13 Solutions.

In 2004 Size13 Solutions merged with another Bristol based company called SpiderYarn and SpiderGroup was formed.

In September 2008 I parted ways with the 3 other directors of SpiderGroup and formed my own company, BN Information Security. I now focus on IT Consultancy, specialising in Microsoft solutions. Please visit my new company website http://www.bn-is.com/. A good friend of mine has been working on this site for me. Many thanks to Derek Marshall of Threetrees.

I hope you will keep an eye out for future blog posts and make any comments you feel appropriate. I appreciate all and any feedback.

Best Regards,

Ben Nichols