Windows 10 Memory Compression's Impact on VMware VDI

Windows 10 now includes the memory compression feature.  This changes the I/O and RAM utilization profile of Windows when used as a virtual machine.  While this feature stands to bring an overall performance gain for Windows 10 machines, it should be given extra consideration when used in a VMware Horizon View environment.

In order to better understand the implications of Windows 10's memory compression, it's important to understand why it's being used in the first place.  There are two different benefits to this technology.  The first is mobility.  As users move more and more to laptops, tablets, and 2-in-1 devices, there is increased pressure to extend battery life and lessen device form factors.  This can be achieved by making the operating system more energy efficient.  Memory compression acts as a buffer between regular active RAM and the page file.  I/O typically consumes more power than using existing RAM.  More efficient use of RAM can allow a device to use less of it, requiring less power for normal operation.  The other side to this technology is enabling users to multitask better, allowing more programs to remain open at any given time.  Users typically only actively use a small number of programs or files at any given time, but having others open and at their fingertips can lead to improved user productivity and response time.  These benefits can be applied to virtualized OSEs as well as their hardware-based

This adds some considerations to planning VDI pool images.  It may be possible to achieve similar VM performance using somewhat less RAM, or to provide a buffer for power users with more inconsistent workloads.  When profiling RAM utilization for users during image design, it's important to observe RAM utilization over the course of the day, not just during initial program launch.  Since memory compression kicks in over time, it's particularly important to note that it does not help compensate for boot storms and initial program launches.  Of course, each environment and set of users is unique, so gains will vary from environment to environment.  The goal is to set the RAM on VMs small enough to cause enough pressure to realize gains from compression, but yet leave enough available to avoid guest OS swapping or performance degradation.

On the VMware side, it is worth noting that utilization of memory compression will typically lead to more efficient memory usage.  This can be observed as an overall higher percentage of active RAM within a guest VM.  Because of this, the percentage of active RAM is a less viable KPI when determining proper RAM size.  Host RAM utilization is also impacted.  Memory compression results in somewhat fewer per-VM unique pages for a host to compress.  However, with as much shared information in RAM as VDI VMs have, especially with linked clones, there remains ample memory for a host to deduplicate.

Taking in the factors above can help plan for memory compression in VMware Horizon View environments running Windows 10.  Properly leveraging this technology can lead to better performing, more efficient VDI, and even increase VM density in some environments.

 

Microsoft Intune Blocks Windows Insider App

Symptom:

When installing the Windows Insider app on Windows 10 Insider Preview, the Optional Features menu returns the message, "No features to install."

 

Cause:

The updating mechanism in Windows Intune prevents Windows from checking for optional features properly.

Workaround: 

Uninstall Microsoft Intune.

Microsoft Outlook for iPad Poses Security Risk

Recently, I tried out the Microsoft Outlook for iPad app.  One of the first things I noticed was that remote images are automatically displayed.  There is no way to turn this off.  While most people wouldn't notice this, the impact is that spammers will have the ability to determine if/when you've opened the email, as well as perform other analytics.  Spear phishers have the opportunity to inject malicious images into email messages.

Overall, while the risk posed isn't very high, this does have the potential to cause an increase in spam.  Because of this, security-conscious companies should consider blocking this app from their environments.
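
How a mail gateway or client could find and neutralise the remote images described above, as an added example that is not part of the original post. It handles `<img>` tags only; the sample message and all class and function names are constructed for illustration.

```python
"""Report and neutralise remote <img> loads in an HTML e-mail body."""
import html
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message for this example (not from the original post).
SAMPLE_EML = """\
From: newsletter@example.com
To: user@example.org
Subject: Spring sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Spring sale starts today &amp; ends Friday.</p>
<img src="cid:logo123" alt="logo" width="200" height="60">
<img src="https://img.example.com/banner.png" alt="Sale" width="600" height="120">
<img src="https://track.example.com/o.gif?uid=8841&amp;msg=77" width="1" height="1">
<img src="//cdn.example.net/p.png" style="display: none" />
</body></html>
"""


def beacon_hints(attrs, parts):
    """Return the traits that make a remote image look like an open-tracking pixel."""
    hints = []
    if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
        hints.append("tiny")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        hints.append("hidden")
    if parts.query:
        hints.append("query-string")
    return hints


class RemoteImageBlocker(HTMLParser):
    """Copy HTML through unchanged, except <img> tags that need a network fetch."""

    def __init__(self):
        # convert_charrefs=False keeps entities such as &amp; intact in the output.
        super().__init__(convert_charrefs=False)
        self.out = []       # pieces of the rewritten document
        self.blocked = []   # one record per neutralised image

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            self.out.append(self.get_starttag_text())
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        try:
            parts = urlsplit(src)
            # cid: (attached) and data: (inline) images come from the message itself.
            remote = parts.scheme in ("http", "https") or src.startswith("//")
        except ValueError:
            parts, remote = urlsplit(""), True   # unparsable URL: fail closed
        if not remote:
            self.out.append(self.get_starttag_text())
            return
        self.blocked.append({"url": src, "host": parts.netloc,
                             "hints": beacon_hints(a, parts)})
        alt = html.escape(a.get("alt") or "", quote=True)
        host = html.escape(parts.netloc, quote=True)
        self.out.append(f'<img alt="{alt}" data-blocked-host="{host}">')

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # the raw tag text already ends in "/>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def html_body(raw_message):
    """Return the decoded text/html part of a raw RFC 5322 message, or ''."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def block_remote_images(raw_message):
    """Return (rewritten_html, blocked) where blocked lists each remote image."""
    blocker = RemoteImageBlocker()
    blocker.feed(html_body(raw_message))
    blocker.close()
    return "".join(blocker.out), blocker.blocked
```

The `hints` list separates ordinary remote artwork from images that are tiny, hidden or carry a query string, which is the pattern used to record when a message was opened.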

Domain Controller Shows "Unidentified Network"

Issue:
In some cases, a Windows Domain Controller may show a network connection as "Unidentified Network", even on systems with a single network connection. 

Resolution:
While there may be other factors that lead to this, I've found that it's often caused by a missing or incorrect DNS suffix on the connection.  Ensure that in the Advanced TCP/IP properties window, the "DNS Suffix for this connection:" box is filled in with the proper DNS suffix for your domain.

Applies to:
Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2

 

Jawa Appearance Revealed

In a rather off-topic post for this blog, the long-awaited answer to what a Jawa actually looks like can finally be given.  In the iTunes version of Star Wars Episode IV, the Cantina Rough Cut deleted scene shows a regular Jawa with a partially-unhooded Jawa at about 1:02 into the scene.

After seeing this, I can't help but wonder if we'll be seeing more Jawas.  They're much cooler-looking than I'd imagined.  Have you seen this scene yet?  What do you think?

Google Acquires Softcard, App is Discontinued

Late last month, Google acquired the mobile payments provider Softcard.  While this is great news for folks with the Android operating system, it also deals a heavy blow to Windows Phone users.  Effective March 31, the Softcard app for Windows Phone will be discontinued.  Softcard was the primary method for users of Windows Phone to pay with their phones using tap-to-pay.  At the time of writing, there is no successor available to replace Softcard.  With Windows 10 phone edition currently in a technical preview, this would be a welcome time to bake in this functionality in the OS. 

Alternatively, this may be a good opportunity for an app developer to make use of Windows 10's Continuum feature to create a payment platform that has not only the mobile payment features, but also hooks into the desktop OS to function as a payment provider for other apps.  At this point, only time will tell. 

Are you a Windows Phone Softcard user?  What are your thoughts on the subject?

vSphere Client Pauses When Selecting Hosts

Issue: When clicking on an ESXi host in the vSphere client, the interface hangs for 5 to 10 seconds.  This behavior occurs in both the traditional and web vSphere client editions. 

Cause: ESX host DNS settings are incorrect.  

Solution: Point host DNS settings on affected hosts to valid DNS servers. For environments without DNS, remove host DNS settings.  

vCenter 5.5 Web Console Fingerprint Mismatch

Issue:

When trying to open a virtual machine's console via the vSphere web client, I was receiving a fingerprint mismatch. 

Cause: There was an existing DNS entry with the same name as the vCenter appliance.

Solution:

The vSphere web console uses DNS to connect back to vCenter.  Ensure there is a DNS entry for your vCenter that matches the hostname of the vCenter server. 

Note: This will be more common with the vCenter appliance, but may also impact vCenter installable.

Is Zetta Faster Than Backing up to Disk?

A while ago, a representative from Zetta made the claim that Zetta can back up systems faster than backing up to disk.  The conversation can be found at:

http://community.spiceworks.com/topic/352281-we-can-back-up-to-the-cloud-faster-than-to-disk

 

The Challenge

 

The goal of this test is to compare backup performance between Zetta and another backup-to-disk solution in a controlled environment.  To test this out, I built out a test environment in my AWS lab.  It consists of 3 identical instances.  The stats are:

  1. AWS EC2 Medium Instance (single-core CPU, 2 ECU, 3.7GB RAM)

  2. 45GB Hard Drive

  3. Windows Server 2012, fully patched, same WSUS server

  4. Same Subnet, same domain, same domain controller, same availability zone

  5. Gigabit networking including local and Internet

  6. Standard IOPS and networking profiles

  7. No antivirus/antimalware software to interfere, as this is a disposable test environment.

The backup payload consists of a single 74.7MB assets file from the video game RIFT.  I chose the file due to its slightly larger than normal yet manageable size and unusual file type.  This should prevent the backup software from running any file/type specific compression or transmission algorithms.  The file should provide a large enough transmission window to be able to time the difference between systems.  In addition to Zetta, the baseline backup solution is CrashPlan PROe, with the destination server on the same subnet using the third AWS instance.

The Test

For each backup client instance, I created a folder at c:\tobackup and set up the backup set to only back up that one folder.  I performed a backup, rebooted the server, and allowed the server to settle after booting.  From there I copied the test file into the backup folder and kicked off a backup.

The Results

The results of the test had Zetta at 1 minute, 4 seconds.  CrashPlan took 14 seconds.    That's 78% quicker.  Most of the speed came from the very quick backup job start and completion compared to Zetta, which took a bit to gain its momentum.  In prepping the test, the file copy to each test server took less than 2 seconds to complete; this is the speed one would expect to see from Robocopy or other straight-up copy to disk tools.  Sorry Zetta, you weren't faster.

Closing Comments and Observations

After the test, I ran some larger data scenarios in order to get a better feel for the performance characteristics of how each engine runs.  What I saw was Zetta grabbing the files and tossing them upstream as fast as it possibly could.  At times, I was seeing upload speeds around 43Mbps, which may have been able to spike higher, except that CPU utilization was the bottleneck.  CrashPlan analyzes and compresses/encodes the files prior to transmission through the use of temporary files.  The end result is that it uses less bandwidth, but consumes extra I/O operations in the process.  I was seeing transfer speeds upwards of 20Mbps at times, but disk I/O was a noticeable bottleneck.  In short, consider the pros and cons of each system and how they would fit into your environment.

Using Siri and Things as a GTD Capture Point

One of my biggest GTD challenges has been capturing my thoughts when I’m in less-than-ideal situations, such as when I’m driving or when I don’t have the ability to jot something down quickly.  Sure, I could have had a tape recorder or such, then transcribe the recordings when I get home, but that adds a certain layer of complexity that is prohibitive at best.  I need something easy that I don’t have to think about using.  Cultured Code’s Things now imports items from the iOS Reminders app, and this provides the perfect setup for me.

Prior to this point, Siri allows me to create reminders quickly, such as, “Remember to insert 3 more slides into the deck.”  It then creates the item in the Reminders app.  The problem had been getting the reminder into a more usable format.  The Reminders app gives some base functionality, but not quite what I need overall.  I have my reminders going to Exchange by default, but still, I need to get the items out of Outlook/Mail.app and into Things, which I use for GTD.  

Recently, Cultured Code integrated Reminders into Things as an option (not on by default).  It hooks into the Reminders, and lists them all in Things’ Inbox.  From there, it’s a single click, and the item’s imported into Things’ inbox and removed from Reminders.  Now, when I randomly create a reminder using Siri, it’s available for import the next time I go into Things.  Because of this, I can now easily collect ideas wherever I am.

Afterthought:  This also allows for some other ease of use scenarios.  For example, I can create a task from my CRM, and have it save it in Outlook’s tasks, thereby importing it into Things.  The possibilities are endless.  Do you use the Reminders integration as well?  How do you use it with your system?

Using Office 365 as a Disaster Recovery Tool

When a company’s faced with a disaster, communicating with customers, as well as coordinating the restoration efforts, are both high on the priority list.  Some of the first steps include contacting customers to alert them of the situation, contacting vendors and contractors to pull in the needed materials and services, and tracking a list of action items to ensure the other needed steps actually get done.  Office 365 enables companies to do this, and can be set up quickly and without any upfront cost.

In the case of a complete site failure, such as flood, fire, structural collapse, etc., key personnel need to be able to communicate with each other and with 3rd parties.  Chances are that they’re at remote sites, working from home, or even from a coffee shop.  Walking down the hall and having a chat isn’t an option.  They also need to share, store, and edit documents in an efficient manner.  Setting up an Office 365 trial account, configuring the users, and redirecting mail flow takes less than an hour.  Users will be able to instant message, share screens, audio chat, and video chat with Lync.  They can share and store documents, as well as manage project tasks, in SharePoint.  They’ll be able to email each other and their outside contacts with Exchange.  The trial’s good for 30 days for up to 25 users, which gives the business time to either rebuild their IT infrastructure or just stay on Office 365.

Another case where Office 365 is useful as a DR tool is when a company’s only email server crashes/dies.  Rather than taking many hours to recover the information store(s), just set up an Office 365 trial account and hook the users up to that.  If all the computers were running Outlook in cached mode, exporting their old mail to PST, then importing to Office 365 is a simple task.  The only things that would need to be recovered off the old server are the public folders, if they’re even being used at all.  The 30 day trial period would give the company time to recover their original server, build a new one, or stay on Office 365.

Having the ability to quickly and easily set up a communications platform in Office 365 makes it a great option for disaster recovery.  Businesses may want to consider incorporating this as part of their Business Continuity Plans.

Deploying LogMeIn Via Group Policy

LogMeIn, in its free and Pro2 forms, can be deployed via Group Policy/GPO.  In order to do this, you'll need to subscribe to LogMeIn Central.  Once subscribed, you will find a Deployment section, in which an MSI file can be created.  This installer package can not only automatically install LogMeIn, but also assign it to a subscription (Pro or Free) and place it in the computer group of your choosing.  Once the package has been created, place it in a readily accessible file share and create a Group Policy Object to install it.  Alternatively, this same MSI file can be deployed with other deployment solutions, such as SCCM.

Take Back Your Inbox: How to Manage Your Email

With an ever-increasing amount of email, employees are spending more time not only reading and replying to messages, but managing them as well.  As the now common standard for intra-business and inter-business communication, email now needs to be organized, referred to, and often times kept for various business purposes.  These new requirements require a new system to manage email.  While the examples given can 

Types of Email

Before we can manage email, we need to understand the different types of email there are.  Most people classify email automatically without even thinking about it.  The different types of email are: 

  1. Junk
  2. Action Required
  3. Feedback Required
  4. Informational


 Junk is just that - email that we don't need to act on, forward off, or keep for later.  This can be some random newsletter from some company no one ever heard of before, the daily updates from online communities and forums, and the usual dating/pharma/fast cash spam.  Action Required email can encompass items such as requests from one's supervisor to perform a certain task, some fire that needs to be put out, or action items that need to be handled.  Feedback Required items are messages that require a basic answer, such as lunch orders, status requests from a supervisor, and the "What do you think of..." emails.  Informational emails are generally ones worth reading and are typically worth keeping around for future reference.

Common Email Management Techniques

Over the last 10 years of managing email for different companies, I've worked with over 500 users. Some trends develop in users' email habits over time, regardless of the company or the user's computer skill level.  The next section will discuss some of the more common ways people handle their email, as well as note their strengths and weaknesses.

The Monolithic Inbox: This is where almost all of us have started, and many of us still are.  Emails come in, are handled, and then left in the inbox.  The major positive side to this method is that it's the most simplistic method of handling mail, and can trace its roots back to the original mail servers of the early 1990's and prior.  It's a starting point for any other email management type.  The challenge with this system is that items that need to be addressed are inter-mingled with ones that have been addressed, as well as the items that are being kept for later.  It's easy to lose track of a message with this method of email management.

Mark it as Read: At some point, a smaller group of users realizes that there's a need to differentiate messages that need to be addressed (whether it's read, replied to, or some other sort of task).  They then mark as unread the messages that they need to address at a later time.  This has the distinct advantage of identifying what needs to get done as opposed to that which doesn't.  Its disadvantages are re-reading messages that had been read but later marked as unread, as well as possibly skipping over new messages (that come in as unread), thinking that they have already been read and marked as unread.

Caution! Flagger Ahead: This is perhaps the best-intentioned email management technique that rarely works as desired.  Some email systems give the user an option to 'flag' or set due dates on messages.  Users realize a need to note messages that need to be acted on and also tracked separately from new messages.  With this in mind, they flag items that need handling, and set due dates to have reminders pop up to review the item.  For the occasional message, it can be quite useful.  However, as the number of flags and due dates add up, the efficiency of the system decreases.  I can recall a few users that upon opening Outlook, were greeted by over 100 reminders.

Folders-'R-Us.. You Sort 'em, we Store 'em:  Almost every email system on the market today, software-based or web-based, has the ability to separate messages into folders.  This allows us to file messages according to our own filing/categorization methods.  Keeping a finite number of folders is perhaps the most effective way to handle messages in general.  The key with folders is to be careful to limit the number of folders.  Having too many folders can turn an email system into a "folder-fest", a heaping pile of folders that takes more time to find messages in than it does to actually do anything with them(as is often the case with customer-facing employees such as sales).

Making it Happen

Now that we've covered the types of email and some of the ups and downs of other email management techniques, let's set up a system that's easy to implement, simple to use, and requires minimal upkeep.  It uses only 6 folders, and is based on a variation of the Getting Things Done(GTD) system by David Allen.  Let's get it set up!

  1. Create the following email folders:
    1. Next
    2. Waiting On
    3. Someday
    4. Completed
  2. If your email program has a Favorites section or something similar, add those folders to it for easy access.
  3. Go into your Deleted Items/Trash.
    1. Are there any items in there that need to be kept for future reference?
      1. If so, move them to Completed.
    2. Empty your Deleted Items/Trash.

How it Works

The way this works is to Do it, Defer it, Delegate it, or Delete it.  Look at an item in your Inbox.  Is it actionable?  If it is, and will take less than 2 minutes or so, just do it.  When it's done, move it to Completed.  If it will take more than 2 minutes and needs to get done, move it to Next, as it's a next action.  If it will take more than 2 minutes and needs to get done at some point later in time (not right away), move it to Someday.  If it's actionable, but you aren't the appropriate person to do it, forward it to the proper person and move it to Waiting On.  If it's not actionable but needs to be kept for reference, move it to Completed, otherwise delete it.  Confusing? It isn't, though it may sound that way.  Here are a few examples:

From: Fast Freddie's Office Supplies - Subject: Cheap paper
This is Junk.  It's not actionable, and there's no reason to keep it for reference.  Delete it. 

From: Your supervisor - Subject: Charge Flux Capacitor
This is an action required email.  Is it actionable? Yes.  Will it take less than 2 minutes? Probably not, unless someone has 1.21 gigawatts of power ready to go.  Move it to Next.

From: HR - Subject: New Mental Health Plan
This is an informational email.  Is it actionable? No, but it might be a good idea to keep it for reference.  Move it to Completed.

From: Your supervisor - Subject: Is the sky green?
This is a Feedback Required email.  Is it actionable? Yes.  Send the reply, then move the message to Completed.  Recommend supervisor to read HR's email. 

From: Operations - Subject: New Assembly Line
Bob's in charge of that project.  Forward the message to Bob, then move it to Waiting On. 

Results

At this point, your Inbox should now be empty (yes, EMPTY!).  The things that you need to do are all located in Next, things that you should do someday are in Someday, and everything you've delegated is in Waiting On.  Congratulations!  You've taken back your Inbox and are once again in control of your email destiny.

Keeping it Running

As I mentioned earlier, this system requires minimal upkeep.  Using these 5 main steps, your system will continue running smoothly long-term, and you'll be able to go home with an empty Inbox:

  1. Daily/Ongoing
    1. Process the entire Inbox at least twice a day(I've found that first thing in the morning, before lunch, and the end of the day work best for me).
    2. Move items from Next to Completed as they are finished.
  2. Twice per week - Go through Waiting On for items that need to be followed up on. (Tuesdays and Thursdays tend to work well.)
  3. Weekly (I find Mondays to be good for this.)
    1. Move items from Someday to Next when they're ready to be worked on. 
    2. Empty Deleted Items/Trash

The exact schedule for the above items isn't set in stone or anything, but those items do need to get done at some point to keep things running smoothly.

Q&A

Q: I have over 3000 items in my Inbox.  Do I have to process them all at once?

A: While going through your entire inbox at once for the first time is the most effective overall, processing more items than were received that day will eventually get you there.

Q: Won't everything eventually end up in the Completed folder?  How do I find things?

A: Your email should have some type of search function.  Use that to find the info you need.  If you properly word the items you send, you'll have better luck finding them later.

Q: How does this compare to the typical GTD system?

A: Certain features, such as Projects and Scheduled/Tickler have been removed in the interest of streamlining it for email-only use.  This system could be converted to fully use GTD with only a few slight modifications.

 

Disclaimer: This is a personal interpretation derived from over 10 years of email management for myself and for others, as well as application of some of the basic GTD techniques.  For more information about Getting Things Done, please visit http://www.davidco.com

Steps for a Reduced-Paper Workplace

There's much buzz about having a "paperless office".  Many companies look at the vast amount of paper that they create and think that it would be a worthwhile goal, but feel that it would not be a practical achievement.  Rather than trying to eliminate paper, focus on reducing it.  Enter the concept of a reduced-paper workplace.  The goal of the program is to streamline business processes to not only reduce paper usage, but to increase productivity and technology ROI.  This is accomplished by re-tooling existing processes and procedures, meeting employees' needs, and adapting corporate culture.

In most cases, once a procedure or policy is set up and working in a company, it has a tendency to morph itself into a set-in-stone law, rather than a guideline for normal operations.  Often when an employee is asked why they're performing a task a certain way, the response is along the lines of, "That's what the procedure is."  Policies and procedures by nature can be amended and otherwise changed to fit the company's needs as long as they meet the requirements of applicable governing bodies' standards (ISO, FDA, SEC, etc.).  With that in mind, look at a process that generates paper and see how the printing is involved with the procedure.  Does the procedure specify to print a copy of a document for retention, or is it just used in an intermediate step and later scrapped?  Most archival printing output can be captured and turned into PDF files without ever being printed in the first place.  The files can be stored on a server and get backed up for disaster recovery purposes.  Most intermediate printouts are either used for copy typing or transportation purposes.

Copy typing is one of the ways that paper is generated for intermediate or otherwise short-term uses.  Typing courses have for many years primarily taught typing skills by having students look at typed or handwritten letters and type them using their keyboards.  This results in workers gaining a natural comfort with transcribing data from a written source by typing.  How can this be focused towards using non-paper techniques?  If a user is used to copy-typing, having a second monitor to read and copy-type from can reduce the number of printouts generated for that purpose.  Yes, a second monitor may consume additional desk space, but that will be offset by the reduced need for paper to clutter the real estate of the employee's desk.  Another short-term printout type is the printing of a (sometimes large) report for the ending summary or group total information.  Printing the report to a PDF file will gain the visibility without the paper.  Exporting the report to Excel or other analysis software will allow the user to manipulate the data real-time as they see fit, again without generating paper.

One of the biggest challenges in a reduced-paper implementation is the necessary change in culture to facilitate the implementation.  This is at the employee, management, and even overall corporate level.  Most companies have the tools in place to run with reduced paper, but need to start thinking about paper conservation and how to boost productivity rather than continue on with "business as usual".  At times, users may need an occasional nudge to start the process.  For example, consolidating smaller individual printers into larger workgroup ones will start to encourage smaller copy and paste operations rather than printing smaller jobs because of the physical trip to the printer that would be required.  Once the idea has been seeded, the progression will gradually spread to larger items and other areas.  A similar technique can be applied to encourage employees to email PDF attachments rather than fax printed documents.

The question has been posed about what to do with existing printouts in the organization.  That varies from company to company.  The easiest solution would be to wait it out.  The documents will eventually pass their retention period and be recycled.  Digitizing the existing documents would make them easier to manage and retrieve, though does have a cost associated with it.  Companies that pay for document storage or are limited on space would be more likely to do the latter than other companies.

Guide for Home PC Security

At least once a week, I'm asked by someone about how to keep their home computer or network secure.  I do my best to explain it as simply as possible, but it's quite a bit of info to take in all at once.  Because of that, I decided to write it down for reference.

Security is a group of things working together, as well as how we approach our computer activities in general.  Adding each layer of security together adds up to a more secure computer and network.  This layered approach is known as "Defense in Depth".  Please note that no system, no matter how complex, is ever 100% secure against every possible threat.

Security starts with you, the computer user.  By being observant and questioning what you see, most security issues can be headed off before they become problems.  Phishing (pronounced the same as fishing) is a technique that crooks have been using for many years to gain information from people and companies.  They get people to give out information that they normally wouldn't give a stranger.  This isn't just limited to computers; questionable companies and crooks have been phishing by postal mail for years.  One example of many that I've seen is the mail from random companies trying to get you to renew your factory warranty on your vehicle.  It looks professional and genuine, but really isn't the real deal (anecdotally, one time, they tried to get me to renew the warranty on a 13-year old car that I was the 4th owner of).  The same can be applied to email and web pages.  If you get a message from Facebook, Twitter, etc. saying you have a new message or friend, it might actually not be from Facebook.  It could be a crook sending a real-looking message in an attempt to get your account info.  The safest thing to do is to go directly to facebook.com, twitter.com, etc. and log in that way.  The same applies to eBay, PayPal, and other accounts.

Sharing computers can be a security risk.  You might feel willing to let a friend use your computer, but are you certain that they know how to use it safely?  They could inadvertently browse an infected web page or accidentally install some malware that came in their Hotmail/Gmail/Yahoo Mail.  On the flip side, using someone else's computer can be just as hazardous.  If you use someone else's infected computer, there is a chance that any account you log into or any information you give out while on that computer might be intercepted by a third party.  Treat computers like a toothbrush; do you let other people use your toothbrush, and do you use other people's?

Use different passwords for different things.  The usual response that I get to this is that it's hard to remember all the different passwords.  Yes, it's a challenge.  However, it helps a great deal.  Let's think of this example: Bob uses the same password for his email and Twitter.  His twitter account gets hacked, and the thieves find his email address.  Using the email address and the password from Twitter, the attacker get into Bob's email.  Taking a peek through Bob's email, they see his bank's monthly newsletter.  From there, they log into Bob's bank account and siphon off his money.  Was keeping his passwords the same and easy to remember worth his savings?  Most likely not.  Try to make passwords complex.  In many cases, you can use phrases instead of words.  For example, "I don't like having to use complex passwords!" is more secure than "Newpassword123".  Your email password is the most important to keep safe, as most accounts use the contact email to send password reset requests to.

Let's take a look at the network side of computer security, starting from the outside.  Think of your network as a house, as many security basics apply to a network as well as a house.  Your hardware-based firewall (often your router) is like a front door.  It allows our data out when we need it to, and only allows traffic in that we want to have come in.  Without this, we might as well just leave our computer on the front lawn overnight and see what happens.  Not sure if you have a hardware firewall?  If you have more than one computer accessing the Internet at the same time, you more than likely have one.  In addition to the hardware firewall, a software-based firewall is greatly recommended.  All current versions of Windows come with the Windows Firewall, which is turned on by default.  Why do we need another firewall?  We need them for two reasons: 1) There's always a chance that something could get past the first firewall and 2) If an attacker or infected computer is on the home network, they're on our side of the front door.

Many home networks use wireless networking.  It's important to secure it by using a wireless key on it; if there isn't one, someone can access your network and potentially your computers.  Think of it as a lock on the door.  People with the correct key can get in; others can't.  There are a few different types of ways to secure (encrypt) your wireless network.  WPA2 is the current best encryption method.  Other methods, such as WPA and WEP, are less secure.  In fact, WEP's about as useful as an old-fashioned skeleton key.

Anti-malware (including antivirus) is an important part of computer security.  Traditionally, antivirus was enough to secure a computer, but in today's environment, threats come about much more quickly, and in smaller numbers.  It's important for a computer to have not only antivirus for existing threats, but anti-malware that can observe what programs are doing on a computer and identify unwanted behavior.  There are several products on the market, all of which have their strong and weak points.  Of the paid products, I've had incredible luck with Webroot.  It gives solid protection for computers, as well as takes up very little resources when running.  There are free alternatives as well.  Microsoft puts out Microsoft Security Essentials, which is a blend of Windows Defender, Windows Firewall, and antivirus.  This is included in Windows 8.1 and later.  Panda Cloud Antivirus, when coupled with Windows Defender, provides balanced protection against both new and existing threats, as well as behavioral detection.

Updates are your friend.  Most major products (Windows, Adobe Reader, Firefox, Chrome, etc.) put out updates on a regular basis, usually to patch security holes.  Keeping all the software up to date on your computer reduces the risk of your computer being compromised by a software vulnerability.  Most software manufacturers update to a new version of software within 3-4 years.  After a new version comes out, updates to the older versions are often few and far between.  With that in mind, expect to update software that you purchase every 3 or 4 years.

Don't use your computer as an administrator.  Out of the box, Windows sets up the default user as an administrator, able to make major system changes.  This is useful for setting up software and such, but isn't good overall for keeping security.  Change the default user's password and create a standard user for normal computer use.  That way, if the normal user gets infected, it's less likely that the entire computer will get infected as well, resulting in much easier cleanup.

Lastly, it's up to you to notice problems when they happen.  If your computer's acting strangely, there's probably a reason why.  Most of the modern malware is designed to not be noticed, but there is sometimes a general slowing of the computer.  Other ones pop up messages trying to get you to pay money to 'disinfect' your computer, when really it's the virus that's telling you you're infected.  To put it simply, anything out of the ordinary might in fact be something else.

Takeaway: Using a multi-layered approach to security, along with awareness, goes a long way.  Do you have any useful tips or habits not mentioned here?  Leave some feedback and discuss.

(Updated 2015-01-01 for relevancy)

Review: Spiceworks

Three years ago, if someone told me there was a piece of software that could set up an email and web-enabled helpdesk, manage my computer inventory, track vendor contracts, manage a purchasing list, proactively alert me to potential issues, and map my network, I would have said they were crazy.  If they mentioned that it was free, I would have recommended they seek professional help.

Well, two years ago, I found Spiceworks.  At the time, I was looking for an email-enabled helpdesk system.  I was doing consulting and didn't have an easy way to centrally manage and track user requests and other issues.  Did I miss a client issue in between system notifications?  Was Bob's request complete, or still sitting in my inbox?  Spiceworks allowed me to set up an email-based helpdesk system that generated tickets for new requests, tracked existing ones, and also keep the user informed each step of the way.  No more emailing me and wondering if I'm working on the issue.  The system notified the users that the ticket was received, when I took ownership of it, and organized the replies in a clear and structured way.  I couldn't have been happier.

In 2009, I went back to an employee basis at a company with around 200 computers, as well as a multitude of other devices.  They were using LANDesk to manage the network.  It has good patch management and remote control capabilities, but the inventory and alerting portions just weren't entirely too intuitive.  User requests were rolling in via phone, walk-by, email, sticky-notes, and even written-on napkins on my keyboard.  Computers I didn't know existed were breaking down, and I didn't have a good picture of the network in general.

After getting the green light from the IT Director, I installed Spiceworks.  The first hurdle was setting up and using the helpdesk system.  I set up the helpdesk in less than an hour.  From there, I set up a company policy that all IT issues where the user is able to send email get submitted to the helpdesk.  The tickets started to roll in almost immediately.  Using Spiceworks' Helpdesk, I was able to visualize the open issues and tackle the ones that had the biggest business impact first.  As I started going through the issues, I was able to review the existing open tickets and perform followups on them.  The users were thrilled because their concerns were not only being addressed, they were being confirmed as up and running.  Spending less time managing tickets meant spending more time resolving the issues, and ultimately led to a quicker turn-around time on most IT issues.  In the first year, the helpdesk enabled me to move over 1000 tickets.

The second major hurdle that Spiceworks was able to clear without effort was a network inventory.  I created a Domain Administrator account for the scan, and within 20 minutes, had initiated the first network scan.  The details I started to get back were astounding.  I could see not only the computer name and IP address, but also important info such as OS type, RAM, disk space, installed software packages, and much more.  I decided to try setting up a monitor.  I turned on two monitors.  One was for any drives that are less than 10% free to generate an alert, and one for any server drives that are less than 10% free.  Within moments, 15 alerts were generated and 3 emails were in my inbox.  It gave me the ability to remedy the issue proactively, rather than wait for the call to come in that either a user's computer is full or that the email's down because there's no disk space.  

The software has so many more features and options that I'm always discovering some new way to improve and automate IT at my company.  Whether it's visibility into router interface stats, ESXi server health, or a network map, Spiceworks always manages to impress.

Ok, so what's the downside?  Spiceworks is ad-supported.  Before thinking that it's hokey, the ads are sponsored by good, real companies such as CDW, Intermedia, Symantec, and many other IT brand headliners.  Many of the 'ads' aren't even ads and are actually white papers published by various vendors and service providers.  The ads are placed in unobtrusive locations such that an end-user is aware of them, but they don't hinder the operation of the software in the least.  The only other downside to the software is that the inventory side of Spiceworks doesn't handle networks with over 1000 devices all that well.  However, the helpdesk module can still be implemented in a larger organization.

Overall, I couldn't be happier with Spiceworks.  It's professional grade, constantly updated, and free.

Source: http://www.spiceworks.com

Phishing and Non-Native Speaking Users

Events over my past week brought to light a notion that phishing has a greater likelihood of being more successful against someone who isn't a native speaker of the language the phishing attempt is written in.  Late last week, I had a user come to me and ask me why a video wasn't playing.  I went to the user's desk while he explained to me that this guy he knows sent him a video that he 'needed to see'.  It turned out to be a link from a 'so-and-so made $x in 3 months while not doing any work' type scam.  The video pretended to play, but really wanted him to buy into the scam to find out more.  The user himself is highly intelligent, but his English skills are a bit sub-par (English is his third language).  Unfortunately, he wasn't able to discern the contents of the email for what they were, and considered it to be a business-related message.  Looking back, this wasn't the first time I've seen a language barrier run up against spam.

This got me to wondering that if language skills can present a barrier in interpreting spam, what is the case with phishing?  Most modern phishing attempts at first look appear to be genuine.  Some, but not all, have small wording or grammar differences.  Someone who has less-than-average skills with a language should be generally less able to notice the differences that would set off a red flag from a native speaker.  In 2009, an article was published analyzing data from a list of thousands of accounts and passwords that were presumably phished.  It's been speculated that the phish was targeted towards an Hispanic demographic.  I'm challenging the notion such that it might have been the users with less acute English skills that fell for the phish in the first place.

Don't get me wrong - This isn't just for English phishing.  On a more personal note, I'm in the process of studying German.  I subscribe to a couple German TV stations.  If I got a related phish, it would be difficult for me to determine the legitimacy of the message by wording alone.  Verifying the original sender and the true destination of links and sources of downloaded images/files is something that I'd look at, but most users would not be aware of or know how to do so.  

I welcome comments and an open discussion.  If someone has an additional case study, it would be most welcome.

Common Update Security System

Here's an idea for Microsoft and other companies to streamline and centralize product updates, the Common Update Security System (CUSS). As a framework of sorts, it would check for 3rd party product updates in a single, controlled environment. Here's how it might work:

Using Adobe Reader as an example, when it's installed, it will create a registry key under CUSS with a GUID for that product.  When CUSS runs, it will look for those keys, and pull the patch info from the Microsoft Update server. After scanning, it will download necessary patches from Adobe's server instead of Microsoft. The patch is then applied, and life is good. No more chasing down patches!

iPhone ActiveSync on an Alternate Port

Since iPhone OS 2.0, many companies have been introducing the iPhone to their mobile Exchange client list.  However, not all companies run their Outlook Web Access (OWA) server on port 443.  In these cases, an iPhone can in fact use ActiveSync on an alternate port.  Here's how:

1. Set your Exchange settings on the iPhone as normal.

2. Put a colon with the port number after the server name.  It should look something like mailserver.company.com:4645

3. Enjoy your email.

(Updated 2015-01-01 to include screenshot)