I'll come out in the open first and say that I'm a long term windows admin, I've spent the last 8 years running windows networks, and 5 years before that building, configuring and troubleshooting windows PCs.
Managing a windows network is second nature to me, but until today I didn't think that half the things I can do in windows were even possible with Linux.
Now I know some of it can be done, I'm wondering just how much of this is ready now. Googling has never turned up anything before, but it's now looking like it's a terminology problem as much as anything else - without knowing the Linux tech, I didn't know what to search for to find my answers.
So, with that said, can anybody tell me if there's a Linux equivalent for:
**WSUS server** I can download patches from Microsoft for 90% of our software, can test those patches on a small set of machines, and roll them out at will to our entire organization, with reports telling me of any problem machines. I appreciate I can run my own repository, but I want to enforce the installation of updates, I don't want users choosing to install them, is this possible?
**Group Policy Software Deployment** Rolling out new software is just a case of adding a new group policy object and asking users to reboot. Software is deployed based on the department the machine is assigned to in Active Directory. Is there any simple way to install new software, or software updates, on Linux machines? Also, removing software is just a case of removing the policy, is there any equivalent to that?
**Securing the Web Browser** I'm probably going to get shot for saying this, but right now, Internet Explorer is more secure than Firefox for us. Using Group Policy we've enforced security zones, so IT get to say which sites can and can't run scripts, and users have no way of changing that. We've looked into Firefox, but on windows there's no way to centrally manage or update it, nor is there any way to enforce which add-ons are installed. So we could roll out firefox with NoScript, but unless we can stop users removing NoScript we're stuck. NoScript does have corporate configuration options; it's Firefox we're stuck with.
**Roaming Home Folders** It sounds like this is possible, but can anybody point me to a basic guide as to how to do this? Also, how big do these get? In Windows you can configure Roaming Profiles which get copied to the client computer at logon, but can also direct things like application settings and users home folders to a central server, so the profile itself is never too large. Can I do something similar with Linux?
**Offline access for laptops** We use Offline Folders so windows always keeps a cached copy of documents users open, as well as everything on their desktop, or in their document folders. Is there any equivalent of this for Linux?
**Preventing access to Executables** In Windows, we block executables at the firewall, email server, and on the desktop, but it's still pretty easy for users to get around this. It sounds like removing the execute flag on linux desktops is a much better approach, but I can't find a simple guide as to how to configure this. Can anybody point me at some documentation for this, so I can configure it without worrying about missing something vital?
**Remote Support** In Windows, we use Dameware Mini Remote Control to get remote access to any users desktop quickly and easily. I know we can use VNC, but it's always seemed slow and clunky. What are the best options for remote support of Linux desktops?
**Central Installations** I hear all this talk of configuring a standard linux desktop and rolling it out. How exactly is this done? In Windows you just run a RIS (or now WDS) server, and roll out desktops with all the patches, drivers, etc that you need.
**Partitioning** Linux partitions confuse the hell out of me. Do you really need separate partitions for all these things?
**Screen Saver policies** We enforce locked screensaver
The stuff you put in bold? Absolutely, 100% agree with you. I don't want *any* application fiddling with other programs unless I specifically allow it.
Years ago I suggested to Microsoft that they implement application signing to restrict exactly this. Have applications signed by the creators, and you can easily restrict applications so that while they can modify themselves, and work with suites of software from the same company, each program is protected from others. You can also add extra layers of security, restricting what applications are allowed to do, and which types of file they can modify, all of which is under the user's control.
It would stop most viruses in their tracks:
- Modifying startup settings wouldn't be allowed
- Modifying files they don't own is not possible (no cross infection)
- You can't even damage documents that you've not been granted access to.
And even when a virus tries to spread by a vulnerability in word, acrobat, etc, it's not going to go far. That program isn't allowed to write .exe files, so that's out. It can't modify your system startup settings, and it can't modify any documents other than .DOC or .PDF files.
And you can do all of it with just signatures for files and processes, and a bit of enhancement to process and file security.
It gives you two checks each time a program tries to do something:
- Does the user have permission to do this?
- Does *this program* have permission to do this?
While it'll cause problems for some software, the majority of programs will be fine with it, and it would have a massive effect on security. Far more than UAC on its own imho.
Go google Winternals Protection Manager sometime. That *was* UAC (and then some) for Windows XP.
Strangely enough, a couple of months after it launched, Microsoft bought the company producing it, and promptly buried the product. After all, you can't have good security getting in the way of Vista sales.
That's yet another example of Microsoft making my life harder, and putting marketing ahead of good tech. I might be a Windows admin, and I've been running, supporting and recommending Microsoft products for a while, but I am *not* impressed with Microsoft these days.
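The two-check model in the comment above, sketched as an added example (this is not the commenter's design, and it is not how Winternals Protection Manager, UAC or any Windows component is implemented): a write is allowed only if the ordinary user permission passes and the signed program's own permission passes. The signer names, file paths, ACLs and the policy table are constructed for illustration.

```python
"""Toy model of 'user may?' AND 'this program may?' authorisation.

Added example, not code from the original page. Signers, paths and
policy entries are constructed; a real system would derive the signer
from a verified code signature rather than a plain string.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Program:
    name: str
    signer: Optional[str]        # None models an unsigned binary


@dataclass(frozen=True)
class FileObj:
    path: str
    owner_signer: Optional[str]  # signer of the program that created the file
    user_acl: FrozenSet[str]     # users the ordinary ACL lets write


@dataclass
class Policy:
    # per signer: extensions its programs may write outside their own files
    writable_types: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    # signers whose programs may change startup settings at all
    may_edit_startup: FrozenSet[str] = frozenset()


def extension(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def user_may_write(user: str, f: FileObj) -> bool:
    """Check 1: does the user have permission? (the classic ACL check)"""
    return user in f.user_acl


def program_may_write(program: Program, f: FileObj, policy: Policy) -> bool:
    """Check 2: does *this program* have permission? (derived from its signer)"""
    if program.signer is None:
        return False                      # unsigned code gets no write rights
    if f.owner_signer == program.signer:
        return True                       # its own files, or its suite's files
    allowed = policy.writable_types.get(program.signer, frozenset())
    return extension(f.path) in allowed   # otherwise only whitelisted types


def may_write(user: str, program: Program, f: FileObj, policy: Policy) -> bool:
    """Both checks must pass; a compromised program cannot exceed its signer's rights."""
    return user_may_write(user, f) and program_may_write(program, f, policy)


def may_edit_startup(program: Program, policy: Policy) -> bool:
    return program.signer is not None and program.signer in policy.may_edit_startup


def evaluate_requests() -> Dict[str, bool]:
    """Constructed scenario: an office suite program driven by hostile input."""
    policy = Policy(
        writable_types={"OfficeCo": frozenset({"doc", "pdf"}),
                        "DevCo": frozenset({"exe", "dll"})},
        may_edit_startup=frozenset({"OSVendor"}),
    )
    wordproc = Program("wordproc.exe", "OfficeCo")
    sheet = Program("spreadsheet.exe", "OfficeCo")          # same suite
    payload = FileObj("C:/Users/alice/payload.exe", None, frozenset({"alice"}))
    report = FileObj("C:/Users/alice/report.doc", "OfficeCo", frozenset({"alice"}))
    bobs = FileObj("C:/Users/bob/secret.doc", "OfficeCo", frozenset({"bob"}))
    notes = FileObj("C:/Users/alice/notes.txt", "EditorCo", frozenset({"alice"}))
    return {
        "drop_exe": may_write("alice", wordproc, payload, policy),   # program check fails
        "edit_own_doc": may_write("alice", wordproc, report, policy),
        "suite_mate": may_write("alice", sheet, report, policy),     # same signer
        "others_doc": may_write("alice", wordproc, bobs, policy),    # user check fails
        "foreign_type": may_write("alice", wordproc, notes, policy), # not a .doc/.pdf
        "startup": may_edit_startup(wordproc, policy),
    }


if __name__ == "__main__":
    for request, allowed in evaluate_requests().items():
        print(f"{request:>13}: {'allow' if allowed else 'deny'}")
```

The interesting rows are `drop_exe`, `foreign_type` and `startup`: the user alice legitimately owns those locations, so a plain ACL would allow all three, and only the second, per-program check blocks them.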
Yup, Microsoft have a real fight on their hands retiring XP. I think Windows 7 is a huge improvement over Vista, I really like the thought that's gone into the new task bar (and can name probably a dozen users at our company who will benefit as they never did grasp the difference between a button to launch a program, and one to switch to the existing copy).
The new drive encryption stuff sounds promising too, as does AppLocker (provided you don't look too hard at it...).
But then I found that we don't get drive encryption without the full blown enterprise product, and associated subscription costs. AppLocker sounds painfully hard to implement, and while the task bar is nice, it's not really £50+ per user nice. So even though I think they're finally getting things right with Windows 7, I still can't see any good reason for us to upgrade. So far there's absolutely nothing that we can't achieve with XP.
And that's the crux of the problem: This is a business decision, it's straightforward cost/benefit analysis. Right now I can't see any benefit that even comes close to justifying the cost of the upgrade.
The biggest concern I'd have with single disks is that disk fail. Regularly.
I can see the point of wanting to store to disk - plenty of space, easy to use, and fast. But I'd really want some kind of redundancy. Have you thought about buying an external raid array? Possibly the easiest to use is the Drobo - just fill it with as many disks as you want, and it'll ensure your data is protected:
http://www.drobo.com/
They're more expensive than just buying disks (£300 empty), but that's well worth it if you'd like your data to still be accessible when you come back to use it.
Authoritative comments, on Slashdot? Are you sure you're on the right site?
Here's the point - if they're offering to buy you, they may well be doing you a favour. They could almost certainly do this on their own, and out-compete you.
You can tell by this move that they're interested in what you're doing, and if they have the kind of money you're implying to set up a team working on this, that money is there whether you guys come on board or not. So, much as you like being independent, can your little startup compete against a well funded competitor with a big name behind it?
Have a long hard think about that question, and try not to get emotionally attached to your company as you answer it.
As much as you like being independent, it may be better to take this opportunity, and move onto other things if you find it doesn't work out.
What I would suggest is to make a list of the things you really enjoy about being independent, and speak to this company about them. See if they are amenable to you guys having autonomy and control over this project. Find out what their long term goals are for it, and whether they align with your own. Get them to put in writing their commitment to the project and their goals, and to having you guys in charge - that way you should at least have a few years whereby you know where you stand, and can be confident of running the project the way you want, in the direction you want.
If that can work out, see this as a huge opportunity. Firstly you get the money and a bigger team to drive your project forward faster than you could have done before. You'll also get to make some good contacts, and probably learn a lot about how to run things like this, oh, and you get the cash too (depending on how big you think this will be, it might be worth insisting that your deal is partly profit related)
Then, if it does go titsup in a few years, and you don't like the way things are going, you're all in a good position to leave the company and startup on your own with a new project.
Exactly, Microsoft's behaviour killed the market, removing a damn good product from us customers. Sure, Stac made some money out of it, but we'll never know what we lost as a result.
I used to use Stacker regularly after finding that it coped with disk errors better than Microsoft's FAT filesystem, or Microsoft's Doublespace. Errors that would routinely lose entire disks with Microsoft's code were quietly fixed with Stacker, allowing me to move data to new disks. I was even able to recycle known bad disks since Stacker could handle the bad sectors just fine.
In contrast, Microsoft's Doublespace could lose data on good drives, it was truly, truly awful.
Microsoft's behaviour effectively removed one of my favourite software tools from the market, and they've done it many, many times since to other programs. I may be a Windows network admin, but I am definitely not a fan of their business practices or their software.
Yup, damned impressive worm, if you read some of the detailed writeups it really highlights just how professional these things are now.
It's doing us the world of good here - we've got pretty good security already, and getting budget for the next set of steps I want to take should be a whole lot easier now. All I'm having to do is point out just how widely Conficker spread, show some of the big names it hit, and then point out just how long it took them to clean their networks after the fact.
All of a sudden a few pounds spent protecting the network look like a good idea :)
If you don't have the budget to be buying rugged systems, you might want to look into IP rated enclosures (http://en.wikipedia.org/wiki/IP_Code).
IP56 or IP67 would probably work for you; you can buy IP rated industrial computers, but you might even be able to just buy a big cabinet and stick regular computers inside it.
The only problem then is cabling into it, but it's definitely possible to get IP rated cable glands:
http://www.industrial-enclosures.com/html/cable-glands.htm
Your biggest problem may be heat. You'll almost certainly need either active cooling inside the cabinet, or a decent size heatsink as part of it.
So how did that happen exactly? No DRM I can understand. No control over who connects to your servers is just dumb.
It's not exactly difficult to have a serial number inside each copy of the game, and register that to the user account. It's even possible to build that mechanism in a way that allows resales.
Voila! No DRM, and no pirates on your servers either.
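The account-bound serial scheme the comment describes, as an added example (not the poster's code and not any publisher's system): each copy carries a serial the server can recognise, a serial is registered to exactly one account, the server checks that binding on every connection, and a resale transfers the binding so the previous owner loses access. The key, serial format and in-memory registry are constructed for illustration.

```python
"""Per-copy serial bound to a user account, checked server-side on connect.

Added example, not code from the original page. SERVER_KEY and the
serial layout are constructed; a real deployment would keep the key
secret and persist the registry in a database.
"""
import hashlib
import hmac
from typing import Dict, Optional

SERVER_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 12   # hex chars of the MAC kept in the serial


def _tag(copy_id: int) -> str:
    return hmac.new(SERVER_KEY, str(copy_id).encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def issue_serial(copy_id: int) -> str:
    """Serial = zero-padded copy id + truncated HMAC, so made-up serials fail the check."""
    return f"{copy_id:08d}-{_tag(copy_id)}"


def serial_is_valid(serial: str) -> bool:
    parts = serial.split("-")
    if len(parts) != 2 or not parts[0].isdigit():
        return False
    return hmac.compare_digest(parts[1], _tag(int(parts[0])))


class Registry:
    """Maps each serial to the single account allowed to use it online."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}

    def register(self, serial: str, account: str) -> str:
        if not serial_is_valid(serial):
            return "invalid"                       # forged or mistyped serial
        current: Optional[str] = self.owner.get(serial)
        if current is not None and current != account:
            return "already-registered"            # one copy, one account
        self.owner[serial] = account
        return "ok"

    def transfer(self, serial: str, from_account: str, to_account: str) -> str:
        """Resale: only the current owner can hand the copy on; they lose access."""
        if self.owner.get(serial) != from_account:
            return "not-owner"
        self.owner[serial] = to_account
        return "ok"

    def may_connect(self, serial: str, account: str) -> bool:
        """The only check the game servers need on login."""
        return self.owner.get(serial) == account


def run_scenario() -> Dict[str, object]:
    reg = Registry()
    s = issue_serial(42)
    return {
        "register": reg.register(s, "alice"),
        "alice_connects": reg.may_connect(s, "alice"),
        "second_account": reg.register(s, "mallory"),
        "forged": reg.register("00000043-000000000000", "mallory"),
        "garbage": reg.register("not-a-serial-at-all", "mallory"),
        "stranger_connects": reg.may_connect(s, "mallory"),
        "bad_transfer": reg.transfer(s, "mallory", "bob"),
        "resale": reg.transfer(s, "alice", "bob"),
        "alice_after_sale": reg.may_connect(s, "alice"),
        "bob_after_sale": reg.may_connect(s, "bob"),
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:>18}: {result}")
```

Nothing here restricts what the user does with the installed files, which is the point of the comment: the control sits at the server, where it is cheap to enforce and where the operator already has to authenticate accounts anyway.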
Perhaps because they've done the studies that show calorie intake is actually wildly different according to the bacteria present, regardless of the food eaten. Seriously, go read the articles attached to the original slashdot story, they're fascinating reading.
I for one am watching this with interest since it's the first research I've seen that adequately explains why somebody like myself can eat without putting weight on, while others have to carefully monitor their intake.
I eat absolute garbage, in quantity, and do little exercise, yet haven't put on more than a stone in the last 15 years. For the best part of a year I bought lunch from the chip shop 5 days a week, and ate that on top of regular snacks (2-3 bags of crisps, chocolate bars & fizzy drinks), plus a full breakfast and dinner every day, without putting on any weight at all. I eat more than double the amount of food my boss consumes, yet he's a good 3-4 stone heavier than me, goes to the gym every morning, and still struggles to keep weight off.
You're on the right lines, but when it comes to Microsoft, you're probably closer with:
"That's no puppy, it's a sodding crocodile, look, it just tore your arm off!"
Microsoft fans remind me of Monty Python's Black Knight: "It's just a scratch..."
Yeah, right. You might want to update your knowledge on 3 wheelers a little:
http://www.youtube.com/watch?v=38TFetQAe2o
Yup, and I'd love to see how it manages an emergency stop!
A far better design would be two electric drive wheels at the front and a simple free steering wheel at the back. You've got all the advantages of this when it comes to size & simplicity (no complex steering rack), but you then don't need all that complex balancing software, it's more stable both at rest and in motion, it uses less power, and has far better emergency brakes.
Oh, and it doesn't fall on its arse when the battery runs flat.
If you look though, I don't think there are many screws in that design, both the power supply and the hard drives seem to use a velcro-fixed strap, which looks to be an inspired idea. And I've heard before that Google don't service servers in place, if one goes bad, they simply pull it out, fit a replacement, and send the bad one off to a dedicated repair desk.
Interesting. SCSI CD by any chance? I've tried every trick I know to get things responding better with both ATA and SATA drives, nothing has ever worked.
Tell me about it. You burn a CD and watch your entire system grind to a halt while it happens. Until last year I actually thought that was a limitation of the hardware, I just couldn't believe they'd make us live with something that bad if it was fixable in software. It's so bad we actually had to buy an extra computer at work for doing our DVD archiving.
And then I installed Linux. My god. I can burn a CD without even noticing it's going on.
Linux may have started as a hobby, but in many, many ways it makes Windows look amateurish.
Why even buy a computer? Upgrade your machine to 4GB or so and download VirtualBox. It runs on pretty much every OS out there, and it'll run almost anything as a virtual machine too.
If you find it's a bit slow, buy yourself a faster machine, or add more memory. That's pretty much all you need.
I wouldn't trust any manual clean these days, not after finding a virus a year ago that still ran in safe mode. Sure, you might clean up one or two, but can you guarantee they haven't installed any others, that you might not have found?
I've been manually removing viruses for years. Wouldn't even attempt it now.
Well, I don't know a lot about Linux virtualisation, but I'm starting to think the same. Everywhere I look, companies are moving to KVM. Red Hat just announced their new virtualisation stuff, yet if you speak to them you'll find that they're already looking at migrating to KVM.
And the whole KVM approach seems tons better - make use of the standard Linux kernel, and take advantage of all the development that's going on there, leaving the virtualisation developers to focus on just that. Sounds like a win/win approach to me, I'd be surprised if it doesn't overtake VMware in the long term.
Well, I was just about to whinge that this still doesn't help those of us stuck on version 8, but I see that today Adobe have finally fixed the 9 month old bug that stopped us upgrading: http://kb.adobe.com/selfservice/viewContent.do?externalId=kb404597&sliceId=1
Unfortunately for them, today was the day we migrated every single computer over to PDF-XChange. Barring any major problem, I can't see us using Adobe products for a long while. I'm not interested in sticking with any vendor that takes 9 months to fix a show stopping bug like that.
>> **Roaming Home Folders**
> I imagine you're going to get lots of replies here saying "just use nfs!", and I'd be inclined to go with that myself. The usual way this is handled in my experience is to have the home directories on a remote server and that auto mounted with nfs when you log on to a machine. This sounds like what you describe apart from the part with a profile being copied to the local machine. I'm not sure I understand the benefit of that, could you clarify?
Yeah, I think NFS will probably do it. The local copy of the profile is I suspect more a limitation of the Windows way of doing things than anything else - part of the profile is the user's registry settings, so that always gets copied locally as you log in.
However, one benefit to copying it locally is that it means laptop users can just take their machines away with them and retain their settings - we've configured windows to cache the last 5 logons, so even while off the network the staff (and generally network admins too) can log in and work as normal. It works hand in hand with the Windows Offline Files feature too, I'm not sure how you can achieve all that when users have NFS home folders.
>> **Remote Support**
> Agreed, VNC is a bit clunky. I use nomachine nx for remote access and it's the bees knees. This doesn't let you connect to an existing user session if that's what you mean by "remote access to any users desktop" though.
Yes, I do want access to the desktops. If I have to, I'll try VNC, but my experience of it has been that it's horribly slow to use, even over 100Mb. I can use Dameware to control machines of users that have dialed in from home, and it's still more than quick enough. It also has nice features like auto-reconnect that'll keep pinging a rebooting machine and automatically connect back up to it as soon as it's available.
Yeah, that's kind of my feeling to some of this too. It's great that I can do this in Linux, but a lot of the application management tools look like some kind of programming language, and I just don't have the time to learn to use that well, nor to maintain my skills. And I dread the thought of having to debug an error in an application deployment script that I just rolled out to 100+ machines.
A simple management GUI has a lot going for it, not least of which are the rapid learning curve, and the simplicity which reduces mistakes. While I accept that we've got a relatively complex network here, and that I know windows well, I don't think I could comfortably manage 130+ applications for 120 users this easily on Linux, even if I did know the tools.
It's not stopping me trying though; in the long term we're definitely favouring Linux over Windows 7, and only time will tell if that actually becomes a feasible change.
I'll come out in the open first and say that I'm a long term windows admin, I've spent that last 8 years running windows networks, and 5 years before that building, configuring and troubleshooting windows PC's.
Managing a windows network is second nature to me, but until today I didn't think that half the things I can do in windows was even possible with Linux.
Now I know some of it can be done, I'm wondering just how much of this is ready now. Googling has never turned up anything before, but it's now looking like it's a terminology problem as much as anything else - without knowing the Linux tech, I didn't know what to search for to find my answers.
So, with that said, can anybody tell me if there's a Linux equivalent for:
**WSUS server**
I can download patches from Microsoft for 90% of our software, can test those patches on a small set of machines, and roll them out at will to our entire organization, with reports telling me of any problem machines. I appreciate I can run my own repository, but I want to enforce the installation of updates; I don't want users choosing to install them. Is this possible?
**Group Policy Software Deployment**
Rolling out new software is just a case of adding a new group policy object and asking users to reboot. Software is deployed based on the department the machine is assigned to in Active Directory. Is there any simple way to install new software, or software updates, on Linux machines? Also, removing software is just a case of removing the policy; is there any equivalent to that?
**Securing the Web Browser**
I'm probably going to get shot for saying this, but right now, Internet Explorer is more secure than Firefox for us. Using Group Policy we've enforced security zones, so IT gets to say which sites can and can't run scripts, and users have no way of changing that. We've looked into Firefox, but on Windows there's no way to centrally manage or update it, nor is there any way to enforce which add-ons are installed. So we could roll out Firefox with NoScript, but unless we can stop users removing NoScript we're stuck. NoScript does have corporate configuration options; it's Firefox we're stuck with.
**Roaming Home Folders**
It sounds like this is possible, but can anybody point me to a basic guide as to how to do this? Also, how big do these get? In Windows you can configure Roaming Profiles, which get copied to the client computer at logon, but you can also direct things like application settings and users' home folders to a central server, so the profile itself is never too large. Can I do something similar with Linux?
**Offline access for laptops**
We use Offline Folders so windows always keeps a cached copy of documents users open, as well as everything on their desktop, or in their document folders. Is there any equivalent of this for Linux?
**Preventing access to Executables**
In Windows, we block executables at the firewall, email server, and on the desktop, but it's still pretty easy for users to get around this. It sounds like removing the execute flag on Linux desktops is a much better approach, but I can't find a simple guide as to how to configure this. Can anybody point me at some documentation for this, so I can configure it without worrying about missing something vital?
**Remote Support**
In Windows, we use Dameware Mini Remote Control to get remote access to any user's desktop quickly and easily. I know we can use VNC, but it's always seemed slow and clunky. What are the best options for remote support of Linux desktops?
**Central Installations**
I hear all this talk of configuring a standard linux desktop and rolling it out. How exactly is this done? In Windows you just run a RIS (or now WDS) server, and roll out desktops with all the patches, drivers, etc that you need.
**Partitioning**
Linux partitions confuse the hell out of me. Do you really need separate partitions for all these things?
**Screen Saver policies**
We enforce locked screensaver
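The "Preventing access to Executables" question above asks what dropping the execute flag actually buys on a Linux desktop. The following is an added example, not code from the original thread or any answer to it: it audits a constructed fstab fragment for user-writable filesystems mounted without `noexec`, then shows the caveat a practitioner would want, namely that a file with no execute bit cannot be launched directly (the kernel refuses `execve`, even for root), but an interpreter such as `sh` will still happily run it. The UUIDs, mountpoints and file names are invented for illustration.

```python
"""Added example (not from the original thread): what dropping the execute bit
and mounting user-writable filesystems noexec do, and do not, stop on Linux."""
import os
import stat
import subprocess
import tempfile

# Constructed fstab fragment for illustration; UUIDs and mountpoints are made up.
SAMPLE_FSTAB = """\
UUID=0000-root  /      ext4  defaults                     0 1
UUID=0000-home  /home  ext4  defaults,nodev,nosuid,noexec 0 2
tmpfs           /tmp   tmpfs defaults,nodev,nosuid,noexec 0 0
UUID=0000-data  /data  ext4  defaults                     0 2
"""


def mounts_missing_noexec(fstab_text, user_writable):
    """Return the mountpoints in `user_writable` whose fstab entry lacks noexec."""
    opts_by_mp = {}
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue                      # blank line, comment or malformed entry
        opts_by_mp[fields[1]] = set(fields[3].split(","))
    return [mp for mp in user_writable if "noexec" not in opts_by_mp.get(mp, set())]


def exec_bit_demo():
    """Create a script with no execute bit and try to run it two ways.

    Returns (direct_exec_blocked, runs_via_interpreter). Expect (True, True):
    chmod -x and noexec only close the execve path, not `sh script`."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payload.sh")
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho ran\n")
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # rw-------, no x bits at all
        try:
            subprocess.run([path], check=True, capture_output=True)
            direct_blocked = False
        except PermissionError:                     # execve failed with EACCES
            direct_blocked = True
        out = subprocess.run(["sh", path], capture_output=True, text=True).stdout
        return direct_blocked, out.strip() == "ran"


if __name__ == "__main__":
    print("mounts missing noexec:",
          mounts_missing_noexec(SAMPLE_FSTAB, ["/home", "/tmp", "/data"]))
    print("direct exec blocked, runs via sh:", exec_bit_demo())
```

The second result is the reason "remove the execute flag" is only a partial answer to the question: it stops a double-clicked attachment from running as a native program, but it does nothing against `sh payload`, `python payload` or a macro inside an application that is itself allowed to run, so it belongs alongside, not instead of, the mail and proxy filtering already in place.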
The stuff you put in bold? Absolutely, 100% agree with you. I don't want *any* application fiddling with other programs unless I specifically allow it.
Years ago I suggested to Microsoft that they implement application signing to restrict exactly this. Have applications signed by their creators, and you can easily restrict applications so that while they can modify themselves, and work with suites of software from the same company, each program is protected from the others. You can also add extra layers of security, restricting what applications are allowed to do, and which types of file they can modify, all of which is under the user's control.
It would stop most viruses in their tracks:
- Modifying startup settings wouldn't be allowed
- Modifying files they don't own is not possible (no cross infection)
- You can't even damage documents that you've not been granted access to.
And even when a virus tries to spread by a vulnerability in Word, Acrobat, etc., it's not going to go far. That program isn't allowed to write .exe files, so that's out. It can't modify your system startup settings, and it can't modify any documents other than .DOC or .PDF files.
And you can do all of it with just signatures for files and processes, and a bit of enhancement to process and file security.
It gives you two checks each time a program tries to do something:
- Does the user have permission to do this?
- Does *this program* have permission to do this?
While it'll cause problems for some software, the majority of programs will be fine with it, and it would have a massive effect on security. Far more than UAC on its own imho.
Go google Winternals Protection Manager sometime. That *was* UAC (and then some) for Windows XP.
Strangely enough, a couple of months after it launched, Microsoft bought the company producing it, and promptly buried the product. After all, you can't have good security getting in the way of Vista sales.
That's yet another example of Microsoft making my life harder, and putting marketing ahead of good tech. I might be a Windows admin, and I've been running, supporting and recommending Microsoft products for a while, but I am *not* impressed with Microsoft these days.
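The two-check scheme sketched above ("Does the user have permission?" and "Does *this program* have permission?") is easy to get wrong in the details, so here is an added toy model of it in Python. It is not code from the original thread, from Microsoft or from Winternals; the signer names, file paths and policy table are invented for illustration. A request is granted only if the conventional per-user check passes AND the policy attached to the calling program's code signature allows the action. Programs may only write documents of the types they are registered for, may never touch files created by another vendor's software, and need an explicit grant to edit startup settings; an unsigned process gets no write access at all.

```python
"""Added example, not from the original thread: a toy model of the two-check
scheme where a request succeeds only if the *user* may do it AND the *signed
program* making the request may do it. Signer names, file names and the policy
table are invented for illustration."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class File:
    path: str
    owner_user: str                 # classic per-user ownership
    owner_signer: Optional[str]     # signer of the program that created it, if known


@dataclass
class ProgramPolicy:
    signer: str                                 # identity from the code signature
    may_write_globs: Tuple[str, ...] = ()       # document types the program may modify
    may_edit_startup: bool = False


@dataclass
class Request:
    user: str
    signer: Optional[str]           # None = unsigned process
    action: str                     # "read", "write" or "startup"
    target: Optional[File] = None   # not used for "startup"


def user_may(req: Request) -> bool:
    """Check 1: does the user have permission? (owner-only stand-in for ACLs)"""
    if req.action == "startup":
        return True                 # users may normally edit their own startup items
    return req.target.owner_user == req.user


def program_may(req: Request, policies: Dict[str, ProgramPolicy]) -> bool:
    """Check 2: does *this program* have permission, regardless of the user?"""
    pol = policies.get(req.signer) if req.signer else None
    if req.action == "read":
        return True                 # reading is governed by the user check alone
    if pol is None:
        return False                # unsigned or unknown program: no writes at all
    if req.action == "startup":
        return pol.may_edit_startup
    t = req.target
    if t.owner_signer not in (None, pol.signer):
        return False                # another vendor's files: never (no cross-infection)
    return any(fnmatch.fnmatch(t.path.lower(), g) for g in pol.may_write_globs)


def allowed(req: Request, policies: Dict[str, ProgramPolicy]) -> bool:
    """Both checks must pass; neither one alone is enough."""
    return user_may(req) and program_may(req, policies)


# Invented policy table: a word processor and a PDF reader from different vendors.
POLICIES = {
    "acme-office": ProgramPolicy("acme-office", ("*.doc", "*.docx")),
    "other-pdf":   ProgramPolicy("other-pdf", ("*.pdf",)),
}

# Invented files on disk.
REPORT   = File("/home/alice/report.doc", "alice", "acme-office")
BOBS_DOC = File("/home/bob/salaries.doc", "bob", "acme-office")
DROPPER  = File("/home/alice/update.exe", "alice", None)
PDF_LIB  = File("/opt/other-pdf/render.so", "root", "other-pdf")


def scenarios() -> Dict[str, bool]:
    """Run the cases from the discussion; True means the request is allowed."""
    return {
        "word edits alice's own .doc":        allowed(Request("alice", "acme-office", "write", REPORT), POLICIES),
        "word writes an .exe":                allowed(Request("alice", "acme-office", "write", DROPPER), POLICIES),
        "word adds a startup entry":          allowed(Request("alice", "acme-office", "startup"), POLICIES),
        "word patches the PDF reader":        allowed(Request("root", "acme-office", "write", PDF_LIB), POLICIES),
        "pdf reader rewrites a .doc":         allowed(Request("alice", "other-pdf", "write", REPORT), POLICIES),
        "alice's word reads bob's .doc":      allowed(Request("alice", "acme-office", "read", BOBS_DOC), POLICIES),
        "unsigned macro payload writes .doc": allowed(Request("alice", None, "write", REPORT), POLICIES),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}")
```

Only the first scenario is granted. The "word patches the PDF reader" case is the one that matters most: the user check passes (root owns the library), so a UAC-style prompt alone would let an exploited word processor overwrite it, and it is the program check that says no.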
Yup, Microsoft have a real fight on their hands retiring XP. I think Windows 7 is a huge improvement over Vista, I really like the thought that's gone into the new task bar (and can name probably a dozen users at our company who will benefit as they never did grasp the difference between a button to launch a program, and one to switch to the existing copy).
The new drive encryption stuff sounds promising too, as does AppLocker (provided you don't look too hard at it...).
But then I found that we don't get drive encryption without the full blown enterprise product, and associated subscription costs. AppLocker sounds painfully hard to implement, and while the task bar is nice, it's not really £50+ per user nice. So even though I think they're finally getting things right with Windows 7, I still can't see any good reason for us to upgrade. So far there's absolutely nothing that we can't achieve with XP.
And that's the crux of the problem: This is a business decision, it's straightforward cost/benefit analysis. Right now I can't see any benefit that even comes close to justifying the cost of the upgrade.
Christ knows why this got -1, I'd mod you up if I got the chance.
If this turns out to be even part of the reason why so many foreign workers are being employed, heads need to roll.