WindowsNetworking.com Monthly Newsletter of May 2011 Sponsored by: ManageEngine

Welcome to the WindowsNetworking.com newsletter by Debra Littlejohn Shinder, MVP. Each month we will bring you interesting and helpful information on the world of Windows Networking. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: dshinder@windowsnetworking.com

1. Having Fun with Home Remote Access

I had the chance to work with some friends last weekend and they had a few Windows Server 2008 R2 licenses to play around with. They asked me for some advice on using Windows Server 2008 R2 to create some kind of remote access solution to their homes. I said "you bet! - There are a lot of things you can do with Windows Server 2008 R2 to enable remote access to your home networks."

Now I need to tell you that these guys don't have "your little sister's home network," where there is a NAT device on the edge that also acts as a WAP. These folks actually work at home so it's both a home network and a work network. They have CAT6E cabled networks with drops to each room that terminate at a patch panel in their server rooms. These guys do lots of experimentation and so there are years' worth of accumulated old hardware in their server rooms, and they have multiple network segments mapped out because they've tested things with a variety of DMZ configurations and internal segmentation schemes.

All of which is to say that these guys are pretty smart and they wanted do to something useful and it didn't have to be simple. So I thought about the options and figured we could do one or more of the following:

• Set up a Remote Desktop Services server together with a Remote Desktop Gateway. The Remote Desktop Gateway would allow them to tunnel RDP connections over an SSL tunnel, so even if they were located behind a firewall that blocked outbound RDP, they could still sneak through the "universal firewall port" of TCP port 443
• Install a VPN server behind the NAT device they're already using. We thought about putting the Windows Server 2008 R2 RRAS on the edge, but they are using DHCP for their public address, and sometimes the NAT devices provided by the telco are tweaked to receive the public addresses and problems can occur if you introduce your own gear on the edge. No problem - we'll just put a VPN server behind the NAT device.
• Regarding the VPN server, we had to think about which VPN protocols to use. Of course, they were already using Windows 7 clients and loving the OS, and the same was true for their family members. Given that Windows 7 was the client of choice, we decided SSTP should be the VPN protocol of choice. SSTP will allow them to VPN to their home network without having to worry about firewalls, because SSTP tunnels the VPN connection inside an SSL tunnel, which again allows it through firewalls that enable the "universal firewall port" of TCP port 443.
  

Anything else other than RDP/RDG and VPN? There are some web services that we could publish, but since they only had a single public IP address, that would get tricky without a web proxy server.

What do you think? What else could these guys do with a basic Windows Server 2008 R2 to make for a high performance, high fidelity end-user experience so that they can get what they need at home? What have you done on your home/home office network to give it all the functionality of an enterprise setup? If you use Windows Server 2008 R2 at home, let me know!

Let me know! Send me a note at dshinder@windowsnetworking.com and I'll share your comments.

See you next month! - Deb.

By Debra Littlejohn Shinder, MVP
dshinder@windowsnetworking.com

2. ISA Server 2006 Migration Guide - Order Today!

3. WindowsNetworking.com Articles of Interest

• SteadyState Alternatives for Windows 7
• Community Test Lab Guide - Demonstrate Windows Server 2008 R2 VPN Reconnect
• 7 Steps To Successfully Troubleshoot A Windows Network
• Diagnostic and Recovery Toolset (Part 4)
• Configuring the Active Directory Lightweight Directory Services (Part 6)
• Barracuda Spam & Virus Firewall - Voted WindowsNetworking.com Readers' Choice Award Winner -
  Anti Spam Hardware
• Using Third-Party 802 1X Clients in Windows
• Cloud Security - Five Things that Should Never Go Into the Cloud (Part 1)
  

4. Administrator KB Tip of the Month

Identify a Failing Laptop Battery using Powercfg

Here's a tip on how you can use the Powercfg command in Windows 7 to identify a laptop battery that might be failing. Simply run the following command in a command prompt window:

powercfg -energy

Doing this will generate a report that can help you identify any issues with regard to your computer's power management settings. Typical output will include a Battery section that might look something like this:

Battery: Battery Information
Battery ID 00860 2009/02/13Hewlett-PackardPrimary
Manufacturer Hewlett-Packard
Serial Number 00860 2009/02/13
Chemistry LIon
Long Term 1
Design Capacity 73440
Last Full Charge 53480

Look at the last two lines of this section of the command output. If the Last Full Charge value is significantly less than the Design Capacity value, then that's an indication that your battery isn't holding enough of a charge anymore and may be starting to fail.

For more administrator tips, go to WindowsNetworking.com/WindowsTips

5. Windows Networking Tip of the Month

A Dynamic Host Configuration Protocol (DHCP) split-scope configuration using multiple DHCP servers allows for increased fault tolerance and redundancy over using only one DHCP server. The new Split-scope Wizard in Windows Server Ž 2008 R2 replaces the more error prone manual split-scope configuration method used in earlier versions of Windows Server. Check out this great step by step guide on how to test the new split scope wizard here.

6. Windows Networking Links of the Month

• Legislation seeks death penalty for web sites accused of piracy
• Adobe Flash update makes it easier to clear Flash cookies
• Disabling WebGL
• Can a ban on consumer devices make your organization less secure?
• Google Chrome PWNed
• Microsoft Security Essentials
• Critical update for Windows Server coming next week
• Sysinternals tools get better
• Fraudulent Digital Certificates Fix
• Cyber Europe 2010

7. Ask Sgt. Deb

QUESTION:

Hey Deb,

If I had the theoretical "ten dollars" to spend on security, how should I spend it? Should I spend most of it on network centric security devices or should I spend it on security operating systems or should I spend it on creating processes and procedures and systems of measurement and accountability?

Thanks! - Randy.

ANSWER:

Hi Randy,

Your question is really topical because a lot of firms are looking at the same problem. Historically, admins were faced with either buying a nice new shiny piece of network hardware or maybe upgrading their operating systems in order to feel as if they've made a significant impact on network and computer security. It certainly made the sales guys happy! However, as our industry has matured, it's clear that it's often not what type of network gear you have or what operating system you're running that matters most; it's the processes and procedures that you have in place and how seriously you take the task of enforcing them. Focusing on processes and procedures makes it clear that the security issue is never "solved," rather it's a journey. I'd say you should spend $1 on new network hardware, $4 on upgrading your operating systems, and $5 on ITIL or MOF training. Put most of it into procedures and processes and you'll be a lot more secure.

TechGenix Sites