Archive for the ‘Solutions’ Category

Too much protection?

July 24, 2017

So, I had someone make a comment the other day:

“My IT staff are all over us about security and viruses. They keep upgrading our security, and it feels like I really have to work to get anything done anymore. Do we have too much protection?”

There are many ways to look at security. I happen to be a believer in a layered approach. Each layer has a function and purpose. Sometimes those layers seem to replicate each other, but if implemented correctly they will not adversely affect the person sitting at their desk just trying to do their job.

Take anti-virus for example. This is a security feature every computer should have, and it should ALWAYS be up to date. In a business environment, you will likely have this feature built into your firewall or another device that protects your network from the dangers on the internet. Does this mean that you don’t need a good anti-virus solution on each desktop computer in the company? NO! You need the protection on the computers themselves for the times a coworker or client (we’ll call him Bob) brings in a flash drive with a file they worked on at home. The anti-virus in your network firewall does not protect you from malware that could be on that flash drive. If Bob doesn’t have adequate protection on his home or office computer, then you would potentially be introducing a virus or other malware into your office computer and possibly the entire office network. With anti-virus on your office computer, however, it would alert you if there was something bad on the flash drive.

You can have “too much” anti-virus if you have more than one anti-virus program installed on your computer. The programs are known to occasionally see each other as a threat and then cause problems. They also all use some of the same “hooks” in the operating system to provide their security. If two or more try to use the same hook at the same time, then you have a major conflict. This has been known to cause crashes, and at the very least extremely poor performance on the computer.

“What about add-on applications that look for other threats, not just viruses and malware?” you ask. I’ll give you my approach. It may not be the best for you and your situation, but as a consultant who goes to multiple business locations every day, sometimes locations that are known to have an active infection (the reason they called me), it is proven and works great for me.

Personally, I use a stand-alone anti-virus product, not a suite. I have found the suites to be…how to put it nicely…a little heavy-handed and sometimes extremely resource intensive. There are many good anti-virus products out there. Over the years I have used Avast!, Symantec Endpoint Protection, BitDefender and a few others. My current weapon of choice is BitDefender. It gets frequent updates, is reasonably lightweight (meaning not resource intensive) and I have yet to see anything sneak past it, even in environments that are known to be actively infected.

To round out my personal protection, I have a subscription to Malwarebytes. This program does not look for viruses in the way a traditional anti-virus does. It targets active malware. When I go into a client situation where I know they are actively infected and I need to clean them up, Malwarebytes is able to detect an incoming request from the source computer and actively block the activity, even before my anti-virus needs to get into the loop. This means my computer does not have to work as hard to protect itself (since the infections never reach the computer at all), and it sometimes makes it easier to identify the source computer on the network.

Additionally, I make sure I have a firewall on my laptop that keeps out connections I have not specifically authorized. A firewall on each computer in a business is not always a feasible approach. It can complicate the administration of the network in many ways. If you decide to check your firewall and see that it is not on, don’t panic! Call or email your network administrator and ask if this is by design. Most of the time you will hear yes. Here is where I may get a little flak… I use third party software for all of my protections…except the firewall. Here I simply use the Windows firewall. My experience shows that this is adequate protection. In a business environment, it is also easy for your network administrator to manage and maintain policies on. I have never been a fan of the built-in anti-virus protection, but as things stand right now I am comfortable with the Windows firewall.

The answer to the original question “do we have too much protection?” is a combination of yes and no. You really can’t ever have enough, if it is done right. You can have poorly configured, poorly managed, and poorly implemented solutions. You can have too many protection programs installed. But overall, if implemented in a layered fashion where each piece does not trample on the other, you can never have “too much” protection.

As a side note: I DO NOT recommend that you test your personal computer protection by connecting to networks that you know have problems. Sometimes there are threats that can get past even the best defenses. I do this because it is part of my job. I have many years of experience and the knowledge to deal with the threats, which is why I am a consultant with many happy clients.

Categories: Security, Solutions, Technology

DISM upgrade from Server 2008 Standard to Enterprise Caused Havoc

December 13, 2012

Don’t want to read the story? Jump to the Solution!

So, I had a client that needed to increase the amount of RAM beyond 32GB on a SQL Server. I started researching ways to make that migration and ran across the Microsoft endorsed method of using DISM to do an in-place upgrade from Standard to Enterprise or Datacenter. Well, my client is licensed for Standard and Enterprise, so this method sounded like a great way to resolve the RAM limitations of Standard edition.

It’s a fairly straightforward process. The instructions can be found here, and directly from Microsoft here. I will mention a small caveat… If you have volume licenses, then you need to use the Microsoft public KMS key to change editions. After the upgrade, you put your own key back in. The other qualifier is that the target server CANNOT be a DC.

On with the story. All went well with the upgrade, including the insertion of the proper key and subsequent activation of Server 2008 R2 Enterprise using the client’s key. Everything looked fine and seemed to be running properly. No errors in the event log, and the areas I checked out looked good.

The next morning, I get a call from my client telling me they cannot print from remote sessions (this is also an RDS server). I connect to the server and get the exact same results: an error message that ends with “Could not create print job”. A few minutes later I get a call from their controller, who is trying to do payroll and cannot get the application to open properly. I suggest they start by contacting the vendor of the app and we’ll go from there. I continue troubleshooting the printing issue, and discover that Print Management cannot open its MMC snap-in.

Then I get a call from the accounting vendor. We troubleshoot his app for a bit and find that it accesses some of its components via IIS, which looks to be running but is not serving data. We decide to reboot. As soon as that reboot is complete, we no longer have even the basic RDS services. I’m down to using an alternate method to connect to and administer the server. I check all the basics. Firewall is off. UAC is disabled. IP address and network settings have not changed. No events in Event Viewer. The server appears to be alive and completely healthy.

We troubleshoot a bit longer and determine that there must be some sort of connectivity or communication issue internal to the OS. I decide to work at it a bit more, but ultimately decide to engage MS Support. I also decide to work on this from the comfort of home, as it would likely be a long night.

I create the MS Support request once I get home. I know I have a while to wait (supposedly no more than two hours), so I decide to find some dinner and let my brain veg out on some TV. Two hours pass and no phone call, but I start thinking of other things to look for. A brain break will do the IT guy good sometimes.

I remember from searches earlier in the day that there was at least one person that gave up and reloaded his server from scratch. For me, that is not an option. I start making simpler queries. These lead me down the path of discovery. I see several people with this issue that found temporary fixes, as well as some apparently untested suggestions. I start researching each of these and find more useful information. With each of these threads, strings and nuggets of information, I started to formulate a solution.

It turns out that the component that was broken was licensing. Windows was reporting that it was “Genuine” and activated, but in reality the license management module thought it had an invalid key and had told all the vital components to cease their function until they were licensed again.

I want to save others from hours of time and turmoil (not to mention a hefty MS Support bill) and make sure that the complete solution gets out to those that may need it. Here it is, as concise as possible.


First I removed any and all traces of the license keys, using the slmgr.vbs licensing script from an elevated command prompt:

slmgr.vbs /ckms (This clears any KMS entries)

slmgr.vbs /upk (This removes installed product keys)

After running these the desktop will go to BLACK and tell you that your version of Windows might not be genuine. DO NOT REBOOT YET!

Next, navigate to the Microsoft Windows Validation site. This process will reinstall/repair your damaged licensing components. For me, it reinserted a generic key and validated my Windows Server 2008 R2 as Genuine.

Reboot!

After the reboot, if you look at system properties, you will likely see that Windows only has 4GB available of however much you have installed. In my case, I had 4GB of 28GB available. At this point, I clicked “Change Product Key” on the properties page and pasted in my proper key for Server 2008 R2 Enterprise.

This completed, activated, and told me to reboot to enable all the features.

After the reboot, all components, applications and sub-systems were working exactly as they should.
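As an added example, not from the original post: a PowerShell check that verifies the state the steps above should leave the server in (reported edition, license status, the Software Protection service, and visible versus installed RAM). It assumes Windows Server 2008 R2 and an elevated prompt; the SKU and LicenseStatus numbers and the Windows ApplicationId GUID are the standard WMI values.

```powershell
# Added example, not part of the original post: verify the state the repair
# steps should leave a Server 2008 R2 host in. Assumes an elevated prompt.
# Get-WmiObject is used so the script also runs on PowerShell 2.0.

$os = Get-WmiObject -Class Win32_OperatingSystem

# 1. Which edition the OS now believes it is (Win32_OperatingSystem.OperatingSystemSKU)
$skuNames = @{ 7 = 'Standard'; 8 = 'Datacenter'; 10 = 'Enterprise' }
$skuId = [int]$os.OperatingSystemSKU
$edition = if ($skuNames.ContainsKey($skuId)) { $skuNames[$skuId] } else { "unknown SKU $skuId" }
Write-Output "Edition            : $($os.Caption) ($edition)"

# 2. License status of the installed Windows key. The ApplicationId below is the
#    well-known Windows product GUID; PartialProductKey IS NOT NULL selects the
#    channel that actually has a key installed.
$statusNames = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace';
                  4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
$lic = Get-WmiObject -Class SoftwareLicensingProduct -Filter `
    "ApplicationId='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL"
if ($lic -eq $null) {
    Write-Output "License status     : no product key installed (run slmgr.vbs /ipk <key> first)"
} else {
    $lic | ForEach-Object {
        $code  = [int]$_.LicenseStatus
        $state = if ($statusNames.ContainsKey($code)) { $statusNames[$code] } else { "code $code" }
        Write-Output "License status     : $($_.Name) -> $state (key ending $($_.PartialProductKey))"
    }
}

# 3. The Software Protection service must be running; RDS, the Print Spooler and
#    IIS all consult it and stop working when it reports the key as invalid.
$spp = Get-Service -Name sppsvc -ErrorAction SilentlyContinue
Write-Output "Software Protection: $(if ($spp) { $spp.Status } else { 'service not found' })"

# 4. RAM visible to Windows versus RAM physically installed. A large gap is the
#    symptom described in the post (4 GB visible of 28 GB installed).
$visibleGB   = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # WMI reports KB
$installedGB = [math]::Round((Get-WmiObject -Class Win32_PhysicalMemory |
                              Measure-Object -Property Capacity -Sum).Sum / 1GB, 1)
Write-Output "Memory             : $visibleGB GB visible of $installedGB GB installed"
if (($installedGB - $visibleGB) -gt 1) {
    Write-Warning "Windows sees far less RAM than is installed; re-check the key (slmgr.vbs /dlv) and reboot."
}
```

Run it once before the repair and once after the final reboot; a healthy server reports the Enterprise SKU, LicenseStatus Licensed, sppsvc Running, and no memory gap.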


At that moment, I finally received my phone call from MS Support, 3.5 hours after opening the support request with the promise of a call within two hours. I thanked them for the call, and informed them that the problem was already resolved without their assistance.

I don’t believe Microsoft would have come up with a solution to this problem. This took too much research and was such an odd problem that I believe they would have eventually told me to format and reload my server. I found instances of others that faced this problem, and ultimately did completely reload their servers. Hopefully I can save someone that fate with this information.