Tuesday, January 15, 2013

Getting Started with AppLocker


I am only running this in audit mode and I am already finding benefits of using it.  AppLocker allows you to white list applications.  If you were to use this on workstations that did not grant administrator access, you could probably stop all malware without any other protection.  It turns out to be a lot easier than I thought. 

The idea of white listing every application felt like a daunting task. There is a set of rules you can use to make this easier. Running the default rules in audit mode can give you a good idea of how much work it will take. If you use a consistent image for every workstation deployment and install everything in Program Files, then this gets very easy.

First we need to enable the Application Identity service. I enabled it in the same policy that I plan on configuring the rules in.

This should start on the next reboot. The next step is to configure auditing mode.

Now we need to create some rules. Right click on Executable Rules and create default rules. This will create 3 important rules that prevent you from locking users out of the computers. The first is the Administrator rule, which allows admins to run anything. The other two cover the Windows and Program Files folders. Any file in those locations is allowed to run.

If your users are not local administrators on the workstations, then the only things that can be in those folders are programs installed by an administrator. This is a very important point that highlights why this works so well. The only rules you need to add are ones for non-standard programs that don’t run from Program Files. Hopefully this is a short list.

There are three types of rules you will deal with: path rules, publisher rules, and checksum (file hash) rules. The built-in wizard does most of the work for this. Just point it at your installed application and it will do the rest. You have the option to make adjustments by hand if needed.

Now apply this policy to computers in Active Directory. Give your computer plenty of time to get a reboot and a few days of activity.
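
To review what those few days of audit activity recorded, the script below summarises the audit log and drafts rules for anything that ran outside the default rules. It is an added example, not part of the original post; it uses the cmdlets from the built-in AppLocker PowerShell module, and the draft file name and rule name prefix are assumptions.

```powershell
# Added example (not from the original post). Run elevated on a workstation
# that has had the audit-mode policy applied for a few days.
Import-Module AppLocker

# 1. AppLocker only evaluates rules while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status); no AppLocker events will be logged."
}

# 2. Confirm what the GPO actually delivered: Exe should report AuditOnly.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$effective.AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode |
    Format-Table -AutoSize

# 3. Files that ran but matched no allow rule ("would have been blocked").
#    Reads the local 'Microsoft-Windows-AppLocker/EXE and DLL' log by default.
$audited = @(Get-AppLockerFileInformation -EventLog -EventType Audited `
                 -ErrorAction SilentlyContinue)
if ($audited.Count -eq 0) {
    Write-Output 'No audited events yet: nothing outside the default rules has run.'
    return
}

# Group by path so repeat launches collapse into one line with a hit count.
$audited |
    Group-Object -Property { "$($_.Path)" } |
    Sort-Object -Property Count -Descending |
    Select-Object Count,
        @{ n = 'Path';      e = { $_.Name } },
        @{ n = 'Publisher'; e = { "$($_.Group[0].Publisher)" } } |
    Format-Table -AutoSize -Wrap

# 4. Draft rules for review. 'Publisher, Hash' prefers a publisher rule and
#    falls back to a file hash for unsigned binaries. Nothing is applied here.
$draft = Join-Path $env:TEMP 'applocker-draft-rules.xml'   # assumed output path
$audited |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'AuditDraft' -Optimize -Xml |
    Out-File -FilePath $draft -Encoding utf8
Write-Output "Draft rules written to $draft. Remove anything you do not recognise before importing."
```

The grouped list doubles as an inventory of software running from user-writable locations, so treat each entry as a decision to make rather than a rule to approve automatically.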

Wednesday, November 28, 2012

Idea of annual Windows releases is very interesting


The idea of annual Windows releases is very interesting.  The corporate customer of today gets stuck on a release and never changes.

In the past there have been issues.  But the move from Vista to Windows 7 to Windows 8 is fairly painless.  Except that nobody used Vista, so the move from Windows 7 to Windows 8 was painless as far as application compatibility was concerned.  I have more issues with IE10 than Win8.

I already know what I don't want.

I don't want a separate corporate version from a consumer version. We had that back in 2000. We end up with home users using the corporate version and the corporate users mixing in the home version. It confuses everyone when at the end of the day it is still Windows. I don't want to be stuck waiting for features to show up in the corporate version.

I also don't want to be supporting 10 different installations of Windows.  Now that I am installing x86 and x64 machines that I expect to be in service for about 5 years, I could easily end up with way too many versions to keep track of.  That just kills automation.

I also don't want any more drastic or confusing changes that users will not understand. If you are going to release yearly, I do not want to retrain my entire user population on Windows basics every year. Not deploying Windows 8 because a single feature requires user training is annoying. I would have rolled out Windows 8 to 10% of my workstations already if it wasn't for the start menu.

Here is how I see the landscape.

Upgrades would need to be as smooth as a Service Pack. I am an advocate of fresh installs every time. I have advocated that for a long time. Windows 8 is the first release where I feel comfortable doing the upgrade and trusting the results. So they are already on the right track.

But I am still stuck in yesterday's environments with all of these thoughts. I see companies clinging to XP for no good reason as they rob themselves of all the advances that Windows 7 brought us. But that decade is over. Looking forward, the landscape is very different.

The transition to VDI is happening very fast. This presents us with something very unique, especially when yearly updates come into play. Depending on your setup, an OS refresh could be almost instant. Users could leave one day and when they return the next day, they are running Windows Next.

Microsoft's Hyper-V

If you look at how fast Microsoft is changing Hyper-V, we want the OS to change just as fast. Microsoft nailed it for virtualizing servers. They want to move into the VDI game and a yearly OS refresh just fits into that so well. I can't wait. The more I think about it, it will be the corporate VDI customer adopting Windows Next quickly.

Tick Tock Windows Blue


I just saw an article talking about Microsoft releasing a new OS every year. I think it is a great idea. But I already hear the rumble of separating corporate customers from the pack. This was what we had in the beginning. Windows 95, 98, ME for the home user and NT, 2000 for the business user. What we ended up with was business users with Windows 98 and home users with 2000.

I do not want to go back to that. I think a Tick Tock release schedule would be much better. The idea is that the Tick releases have major functionality changes and the Tock releases are where it's refined. Use the Tock release to appeal to the corporate customer.

Monday, November 05, 2012

SQL backups revisited. Just use Ola Hallengren's Scripts

I made a quick post about SQL backups not that long ago. Take it for what it's worth, but there is a much better way to deal with backups. Ola Hallengren has a set of maintenance scripts that could not be easier to use. I can't tell you how much time I have spent tweaking and adjusting my scripts in the past. I knew of his scripts but never took the time to look at them.

All you do is run the script and then add a schedule to the jobs it creates. The jobs are very clear in what they do. If you review his site, he even gives a suggested schedule and job order that will fit most people. Those scripts handle many special cases. It knows if your database needs log backups or not. It even takes into account Always On backup priorities.

I don't know why I never looked into them before, but I will use them on every database I administrate now.

Sunday, October 28, 2012

My time is way over budget

I was reviewing my list of projects and I realize that it's gotten way too long. I have too much time debt. It may sound strange to call it that. I look at it like I do finances. If you are collecting too much debt, you need to analyze how you are collecting it. With my checking account, I can easily just pull a list of all my transactions. It's a little harder when we talk about time. There is no record being generated automatically.

In order to analyze my time, I need to start tracking it. I read about several ways to do it and I settled on something fairly simple.  I opened up Excel and made a table with these headings.  Day, Time, Minutes, Description, and Category.  Every time I change tasks, I write down the time and a short 2-3 word description.  I try to write down the number of minutes I spent at the same time, but I don't care if I miss a few.  It is easy enough to calculate after the fact.

I am using very broad categories. I want a high level view of where my time is spent. I think I have about 7-9 things that I am tracking but they roll up into 3 large buckets.  Support, Other, and My Projects. At the end of the day, I will make sure to date all the entries to assist in later analysis.

The whole point of me collecting this data is to analyse it. The results have been interesting so far. A strong third of my day is end user support.  This is a measure of overflow from the help desk.  Ideally we have enough support staff to handle support issues. The next third of my day is meetings, reviewing items with the rest of the team, and email.  The last third of my day is me working on my projects.

These results are interesting because I am not getting as much work done as I thought I was. I am busy all the time, but not enough of that is going toward my projects. I initially estimated my project list at 56 weeks. With these new metrics, it's more like 3 years' worth of stuff.

I am going to keep tracking my time to see if I am able to improve these numbers.

Sunday, October 21, 2012

Windows 8 and Juniper RDP VPN instability


I have been dealing with an interesting issue with Windows 8. I loaded the beta way back when it was first released. One issue that I had was my VPN connectivity at work. It was very unstable. I could get 2-5 minutes of work done at a time before it would drop. I wrote it off as a beta issue and went on my way. I didn't need to work from home as much as I was, so it was not that big of a deal.

I was a little disappointed when I installed the RTM and the issue continued. I could deal with it if I was just checking in on servers. But if I needed to do any real work, it was just too much. It felt like it was dropping more and more often.

This weekend I actually needed to work on some things and my connection would only last a few seconds.  So it was time to solve the issue. I had enough.  I didn’t have any quick access to any computers that were not running Windows 8 or Server 2012.  I thought it was a good time to finally enable Hyper-V on my desktop.

I enabled the feature and after the reboot, I started installing Windows 7. As I waited for the install to run, I was reminded of how much faster Windows 8 installed.

The good news is that it worked.  I was able to connect to my VM to use my VPN.  I did find it interesting though.  I would RDP into my VM, to RDP into my work desktop, to RDP into my servers.

If anyone else is having the same issues I am, here is one solution. I think the issues I am having are more the way our VPN is deployed. We use a Juniper client that has its own RDP client. I think if our admins had configured things a little differently, I could use a different RDP client. But this works well enough.

Saturday, October 13, 2012

100 projects and counting

I sat down and listed out all my tasks and projects in a spreadsheet. I wrote down everything that came to me.  All the things that people expect me to do or would like me to do.  I put down things that I should be doing but never get to.  I listed all the things I know I will never do but should be on the list anyway.

I needed to clear all of it out of my head. Get it down someplace so I am not wearing myself out thinking about it.  I just kept going as far as I could go.  In the end, I had over 100 items listed in my spreadsheet. That kind of caught me off guard when I saw that number.  I do this every so often and it usually helps me recharge a bit. But this time it showed me how far behind I really am.

I took a bit of time to put time estimates with each item to get a better picture. The running total was just over a year's worth of work. Assuming that nothing else came up, I could be caught up in 56 weeks.

I decided to take a look back at the last few times I recorded all my projects. My lists from 6 months ago and 12 months ago were the only ones I had time estimates on all my items. When I chart the time estimates for all 3 time periods (today, 6 months, and 12 months ago), it shows that my list is getting longer. It's growing much faster than I can clear items off of it.

There is no way I can take care of that list alone. It's very apparent that I either need a team of my own to tackle these things or I need to start turning people down. But now I have some data to back me up when I bring it up.