PS – The new theme for jaredheinrichs.com should be up within the next two weeks.
Archives for September 2010
Internet Explorer 9 Beta Download
I just wanted to send out a quick post on where one can download it!
Hope this helps!
http://windows.microsoft.com/en-US/internet-explorer/download/ie-9/worldwide
How to give a tune-up to your Active Directory Database
This post will go over tuning up your Active Directory Database. I will specifically be going over Active Directory in a Windows Server 2008 environment.
Why would you want to do this?
- Running regular maintenance on the Active Directory Database recaptures disk space, makes the database file more efficient (faster) and checks for any weirdness.
- When stuff gets deleted out of your Active Directory database, the file does not get any smaller.
*NOTE* – These items will be done using "NTDSUTIL" under the "Files" context. The three items this post will go over are "Compact", "Integrity" and "Semantic Database Analysis".
Getting ready to type the commands
Go and open a command prompt.
- Type "ntdsutil".
- Type "Activate Instance NTDS".
How to Defrag / Compact the Active Directory Database
* NOTE * You can't compact the actual Active Directory Database in place! You have to compact it to another location and then manually copy the new file over the old version. This is the #1 concept issue I see people have. Most of the time they think that just by running the command the database is defragged. Unfortunately this is not the case.
- You need to "STOP" the "NTDS Service" before binding to the Active Directory database.
- Go to "Administrative Tools" and select "Services".
- Right click "Active Directory Domain Services" and tell it to "Stop". Windows will prompt you to tell you there are other services that will be stopped as well.
- Go back to the command prompt that you opened at the beginning of this how-to. You might get an error about not being able to stop it. This is because replication is going on. You will just have to try stopping it again in a few seconds until it stops.
- Type "Files". If you didn't stop the NTDS Service in step 3 you will be alerted here with an error.
- Type "compact to C:\" or wherever you want to create a copy of the compacted Active Directory Database.
- Verify that a copy of the Active Directory Database file has been created at "C:\ntds.dit".
- Type "Quit" and "Quit". This will get you back to the command prompt.
- Type: copy "C:\ntds.dit" "C:\Windows\NTDS\ntds.dit"
- Type: del "C:\Windows\NTDS\*.log"
How to Check the Active Directory Database Integrity
* NOTE * – After compacting the database you should always check the integrity of the database. If you no longer have the command prompt window, go back to the "Getting ready to type the commands" section.
- Type "Files"
- Type "Integrity"
- This will make sure there are no issues with the compacted Active Directory Database.
- Once this command completes there will be a message recommending that you run the "Semantic database consistency" check as well.
How to run the Semantic Database Consistency util
Still in ntdsutil, run:
- Type "quit" to go up one level in the ntdsutil context structure.
- Type "semantic database analysis"
- Type "Verbose on"
- Type "Go Fixup"
Remember to restart "Active Directory Domain Services". All those services that were also stopped during the process of stopping the service will also be started.
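The whole compact / integrity / semantic-analysis sequence above, scripted so it runs unattended with the checks a practitioner would want (the original post does not include this script; it is an added example). It assumes the post's database path C:\Windows\NTDS\ntds.dit, an elevated PowerShell window on the domain controller, and a scratch folder (the placeholder C:\ntds-compact) with at least as much free space as the current ntds.dit. Take a system state backup before running it.

```powershell
#Requires -RunAsAdministrator
# Paths: the post's database location, plus a scratch folder (placeholder name).
$DbPath  = 'C:\Windows\NTDS\ntds.dit'
$LogDir  = 'C:\Windows\NTDS'
$WorkDir = 'C:\ntds-compact'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Stop AD DS (the post's "Stop" in Services). -Force takes the dependent services
# with it; the retry loop covers the "replication in progress" error the post mentions.
foreach ($try in 1..6) {
    Stop-Service -Name NTDS -Force -ErrorAction SilentlyContinue
    if ((Get-Service -Name NTDS).Status -eq 'Stopped') { break }
    Start-Sleep -Seconds 10
}
if ((Get-Service -Name NTDS).Status -ne 'Stopped') { throw 'NTDS service did not stop' }
$dependents = (Get-Service -Name NTDS).DependentServices   # restarted at the end

# Offline defrag writes a NEW ntds.dit into $WorkDir; the live file is not touched.
& ntdsutil.exe 'activate instance ntds' files "compact to $WorkDir" quit quit |
    Tee-Object -FilePath "$WorkDir\compact.log"
if (-not (Test-Path -Path "$WorkDir\ntds.dit")) {
    Start-Service -Name NTDS
    throw 'No compacted ntds.dit was produced; original database left in place'
}
$before = (Get-Item -Path $DbPath).Length
$after  = (Get-Item -Path "$WorkDir\ntds.dit").Length

# Keep the old database as a rollback copy, swap in the compacted file, and drop
# the log files that belong to the old copy (the post's copy and del steps).
Copy-Item -Path $DbPath -Destination "$WorkDir\ntds.dit.before-compact" -Force
Copy-Item -Path "$WorkDir\ntds.dit" -Destination $DbPath -Force
Remove-Item -Path "$LogDir\*.log" -Force

# Integrity check on the swapped-in file; roll back if it does not report success.
# ("Integrity check successful" is the string esentutl prints; adjust if yours differs.)
$integrity = & ntdsutil.exe 'activate instance ntds' files integrity quit quit 2>&1
$integrity | Out-File -FilePath "$WorkDir\integrity.log"
if (-not ($integrity -match 'Integrity check successful')) {
    Copy-Item -Path "$WorkDir\ntds.dit.before-compact" -Destination $DbPath -Force
    throw 'Integrity check did not report success; old database restored, NTDS left stopped'
}
# Semantic database analysis with fixup, then bring AD DS and its dependents back.
& ntdsutil.exe 'activate instance ntds' 'semantic database analysis' 'verbose on' 'go fixup' quit quit |
    Out-File -FilePath "$WorkDir\semantic.log"
Start-Service -Name NTDS
$dependents | Start-Service -ErrorAction SilentlyContinue
'ntds.dit: {0:N0} bytes before, {1:N0} bytes after compaction' -f $before, $after
```

The three ntdsutil logs in the scratch folder are what you read afterwards; the script only swaps the file in after the compacted copy actually exists, and only leaves it there after the integrity check reports success.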
How to setup Active Directory auditing
There are many reasons to set up Active Directory auditing. The most common reason is to track changes to user/computer accounts in Active Directory. There are two things you have to do in order to set up Active Directory auditing.
- You have to enable the audit policy (specifically Audit Directory Service) on either the Domain Controller Policy or the Default Domain Policy. I recommend the Domain Controller Policy.
- You have to turn on the auditing component on the object(s) you want to audit.
How to setup/Enable Audit Directory Service
Here are the steps to enable the Audit Directory Service.
- Right click the Domain Controller Policy. Select "Edit..."
- Go to "Computer Configuration" → "Windows Settings" → "Security Settings" → "Local Policies" → "Audit Policy"
- Double click "Audit Directory Service Access"
- All the boxes should be selected, i.e. "Define these policy settings" and Audit these attempts: "Success" & "Failure".
How to turn on Auditing on specific Active Directory Objects
Here are the steps to turn on auditing on AD objects:
- Open Active Directory Users and Computers
- Go to View and make sure "Show advanced features" is enabled.
- Right click the "Base OU" you want to audit and hit Properties.
- Click on the "Security" tab. (If you don't see this, go back to step #2)
- Click the "Advanced" button near the bottom of the window.
- Click on the "Auditing" tab in the new window.
- Click on the "Add..." button
- Select the "Authenticated Users" group
- Check off Successful and Failed for "Write all Properties". Make sure that "This object and all descendant objects" is selected.
- Click "OK"
- Click "OK"
How to View Active Directory Auditing Logs
Now that you've set this up you might be wondering "Where do I go to see all this auditing now?" If you did, you would have asked a really good question.
To view the Active Directory auditing logs you need to open "Server Manager" → "Diagnostics" → "Windows Logs" → "Security"
- 4726 Message – This code is for deleting a user account. The user who did it will also be logged.
- 4720 Message – This code is for creating a user account. The user who did it will also be logged.
You might want to try and filter the events based on these messages.
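One way to do that filtering from PowerShell instead of the Event Viewer, as an added example that is not part of the original post. It first confirms the effective audit settings on the DC (the post's "Directory Service Access" subcategory, plus "User Account Management", which is the subcategory that actually produces events 4720 and 4726), then pulls those two events and shows which account was created or deleted and by whom. It assumes an elevated PowerShell window on the domain controller.

```powershell
function Get-AuditSubcategoryState {
    param([string[]]$Subcategory = @('Directory Service Access', 'User Account Management'))
    # auditpol prints one "  <subcategory>   <setting>" line per subcategory; pick ours out.
    foreach ($name in $Subcategory) {
        $setting = 'not found'
        $pattern = '^\s*' + [regex]::Escape($name) + '\s+(.+?)\s*$'
        foreach ($line in (auditpol.exe /get /subcategory:"$name")) {
            if ($line -match $pattern) { $setting = $Matches[1] }
        }
        [pscustomobject]@{ Subcategory = $name; Setting = $setting }
    }
}

function Get-AccountLifecycleEvents {
    param([int]$Hours = 24)
    # Server-side filter: Security log, only the two event IDs the post describes.
    $filter = @{ LogName = 'Security'; Id = 4720, 4726; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The account names live in the event's XML <EventData>, not in the message text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $action = if ($_.Id -eq 4720) { 'user account created' } else { 'user account deleted' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Action  = $action
            Target  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Actor   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

Get-AuditSubcategoryState | Format-Table -AutoSize
Get-AccountLifecycleEvents -Hours 168 | Sort-Object Time | Format-Table -AutoSize
```

If the Setting column shows "No Auditing" for User Account Management, the GPO change has not reached this DC yet and no 4720/4726 events will be written, regardless of the SACL on the OU.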
Ford first with Assembly line Wi-Fi capability for delivery of software to vehicles via sync
After hearing about this news I was really excited and worried about the technology. I knew that if they didn't do it correctly there would be all sorts of issues. I was able to ask several interview type questions and post them here on my blog. I've included some links for more information at the bottom of the page.
What steps has Ford taken to prevent drive-by hackers from uploading further software on the road?
There are multiple measures in place to prevent any type of hacking:
- Only Ford approved (signed through encryption) software can be installed at any point using this process.
- This functionality is disabled once the vehicle leaves the factory.
- A physical controller area network (CAN) connection or user initiated button press starts the process in the factory. It cannot be initiated remotely and no WiFi connection is formed until the process is started locally.
- Standard Wireless security mechanisms are in use (e.g. WPA2) even in the factory.
- A network firewall is in place to prevent outside connections.
Here are the protections when the vehicle is out on the road:
- There are two firewalls present on SYNC.
- A network firewall similar to your home WiFi router that limits inbound network connection attempts from public networks.
- A separate vehicle CPU that prevents unauthorized messages from being sent to other modules within the vehicle.
- All software on SYNC requires a Ford digital signature to be installed
Specific controls around the WiFi "Hot Spot" Feature (where we share out a USB Broadband or other connection)
- WPA2 WiFi security mode
- a unique SSID
- secure passphrase of 10-15 characters
- Consumer can override and degrade these settings, but can never completely disable security.
- Uses the network firewall mentioned above to limit connections inbound
How does Ford install the SYNC software for the vehicles? Is it through PXE?
- We have a basic http download of signed installation components. The components are very similar to what the consumer or dealer would install via USB today. We don’t use PXE.
If they used a technology like PXE to install software and Ford were to disable PXE before the car gets sold to the consumer, could a mechanic turn it on without a driver's knowledge? If so, is there something a person could do to check to see if they are susceptible to this kind of attack? If not, are there any plans to allow security conscious consumers to check for this kind of thing?
- See answer above. The ability to modify the car's software is disabled once it leaves the factory. But, just as we have on the current generation of SYNC, we have the ability to add new features through USB download.
Are there any plans for making SYNC a SaS (Software as a Service) type model? For example, if SYNC gets updates would it be possible to upgrade to the newest version of the software to older vehicles because they have been paying the service fee?
- No. The software between SYNC generation 1 and generation 2 (MyFord Touch) are not compatible.
Does each car have a static IP address? Could this ever be traced by a rogue Ford employee? For example, if each car has a static IP address, could that IP address be tied to a car/person and then tied to their personal information?
- No,
Any plans for SYNC to have a wireless capability to have an onboard internet connection or to use a tethered cell phone to get a data line?
- Connectivity, MyFord Touch provides in-vehicle Internet access through wireless data providers, using broadband modem via the media hub, which turns the vehicle into a mobile hot spot for passengers while the vehicle is in motion.
If they used a technology like PXE to install software and Ford were to disable PXE before the car gets sold to the consumer, could a mechanic turn it on without a driver's knowledge? If so, is there something a person could do to check to see if they are susceptible to this kind of attack? If not, are there any plans to allow security conscious consumers to check for this kind of thing?
- The dealer does not have access to re-enter the factory provisioning mode once it has been exited.
- While in this factory mode, the normal 4-corners screen is not shown and a simplified GUI is shown (that makes it pretty obvious that it is in a special mode).
Does SYNC update itself? Is there any way of updating SYNC wirelessly after a person buys car to enable more features?
- No, SYNC does not update automatically. Yes, it is possible due to the factory-installed WiFi capability, but we’ve not implemented the infrastructure or process to do so yet.
Does SYNC ever "call home"?
- Today the Vehicle Health Report feature does call home, but only when requested by the user. (In the US only; we don't have this feature available in Canada)
- In general Ford is committed to protecting consumer privacy and generally would inform consumers if any data is transferred from Sync back to Ford.
- We also work to protect private information via the Master Reset feature which will purge all consumer-level data.
Are there any plans for making SYNC a SaS (Software as a Service) type model? For example, if SYNC gets updates would it be possible to upgrade to the newest version of the software to older vehicles because they have been paying the service fee?
- That is not currently supported, but we wouldn’t rule anything out on the consumer side.
I noticed the IP address on the screen in the car is blurred. While I am assuming Ford just doesn’t want people to know their internal IP address scheme, I was wondering if the IP addresses given to the cars are static or dynamic.
- The IP addresses are dynamically assigned (via DHCP within the plant).
What kind of steps has Ford taken to ensure a person’s identity remains their own? When I say identity, I mean personal information like home address, phone number, etc. SYNC has the ability to get information on the driver like cell phones for hands free calling.
- Ford takes security issues very seriously as we add and improve connectivity features. As customers expect to be connected, but secure, when home or in the office, there should be no difference when in the car. SYNC does not require access to personal information for functionality. There are several precautions that we take to protect information, as well as advise owners on several steps to take of their own. Please see the press release for more information: http://media.ford.com/article_display.cfm?article_id=32181
Any plans for SYNC to have a wireless capability to have an onboard internet connection or to use a tethered cell phone to get a data line?
- Our strategy from the beginning with SYNC has been about "bringing your own device" and making it work seamlessly in the car, thus extending the capability of those devices when inside the car. With MyFord Touch, with the factory WiFi chip, you can create a mobile hotspot using an owner-supplied USB broadband modem, turning a single access point into a broadcast that up to 5 people can access. Tethering a phone is possible with MyFord Touch, but will be a future capability.
If so, the next most logical question to me would be is there any thoughts of being able to tie SYNC to say Microsoft Live services?
- It's possible, but not in the plans currently.
Since Microsoft allows you to save files like MP3s to the cloud, any word/thought on if we'll be able to stream MP3s that way, so we don't even need to plug an MP3 device into our cars?
- Sure, that's another possibility. We already have Bluetooth streaming capability, so internet radio can be played in the car, such as Pandora.
Well there you have it. As promised, I am going to include some other really good info relating to these subjects: