Jan 31st

Anonymous Access in SharePoint 2007

By Fred_Hummel

In addition to development and maintenance, the Application Team here provides support for our SharePoint installation. Our current configuration includes several public-facing websites in addition to our intranet. Of course the public sites require that any elements we want to publish will require unauthenticated -- anonymous -- access. As you may be aware, SharePoint is all about permissions and one of the most time consuming and tedious processes in SharePoint administration is setting up access for users, in large part because there don't seem to be any cohesive native tools for broad based maintenance. Now you would think that setting up a site as anonymous access -- everybody can see anything without having to log in -- would be easier than trying to maintain the permissions configuration for 200 Active Directory users and in some ways it is. I thought this too until working on a new website revealed that Microsoft's implementation of "anonymous" included some of those nefarious "features" you hear jokes about. Don't get me wrong... I am not an MS basher. I develop in a Microsoft centric environment. But if it quacks .... well, let me give you a link to something that explains it better than I could. It was also the solution to the problem I was encountering and has been the solution on more than one occasion.

"The Truth Behind Anonymous Access in SharePoint 2007"

Jan 28th

OutlookSecureTemp Error

By dave_light

Have you ever tried to open an attachment in Outlook and received an error message instead? If you received the error message below, this post's for you! "Cannot create file: file name. Right-click the folder you want to create the file in and click Properties on the shortcut menu to check your permissions for the folder."

When opening an attachment Outlook places the file in the temporary internet files folder. When closing the attachment, it is then removed from this folder. When this issue arises the attachments remain in the temporary folder and do not get removed. Over time they build up until the program cannot place any more items in this folder.

This issue applies to Microsoft Outlook 2003, 2007, and 2010 running on Microsoft Windows XP, Vista, and 7. Microsoft acknowledges that this issue exists and provides instructions to alleviate it. While their instructions help with the issue, they do not resolve it entirely as it tends to occur multiple times for the same user.

Click here for Microsoft KB #817878 that describes where that folder is located in the temporary internet files. This location varies depending on your operating system and version of Microsoft Office.

Once you have located that folder and deleted the contents within, I recommend creating a shortcut to it on your desktop. This will make cleaning out this folder much easier since it will most likely happen again!

Jan 26th

Windows 7 Auto-Tune == Random disconnects

By roy_hoover@iu13.org

Windows 7 auto-tune function in the IP stack breaks RDP connections. It took me two months to come to that conclusion, maybe this story will save you the same hassle.

It all started innocently enough. A school district joined the IU 13 WAN and suddenly some of their users began getting disconnected at random times from a remote server. This server at another IU was hosting an application that users accessed via RDP (Remote Desktop Protocol) from their desktop and laptop computers.

The problem began as soon as they connected to the IU 13 WAN. So clearly it was a network problem, except that not all users in this district experienced it and if they took their laptop home it worked just fine there. The problem is that there were others already using the application successfully on the WAN for some time. So maybe it wasn't a network problem.

First we tried a computer connected directly to the WAN hand-off switch at the district. This would eliminate the district network as the culprit. Users from there get disconnected too. Next we tried to find a pattern of users experiencing the problem. Each user had their own RDP account and only some users had the problem so it seemed like a good step. We had a user who had the problem and one who did not, swap RDP accounts. The problem stayed with the user. 

It must be a local machine problem or possibly an application problem. Each user logged into the application on the server with their own credentials once the RDP session was connected.  We were still not convinced that the network was not the problem because they never had the problem before. The next step was to try a machine at IU 13 which worked just fine.

About this time a new user suddenly began to experience problems. Their computer was just upgraded to Windows 7. The machine we had used to test from IU 13 was Windows XP and the one that was used to test at the district was Windows 7. The next step to confirm Windows 7 as the culprit was to place the district machine at IU 13 and test from there. That machine experienced the disconnects! We are finally getting somewhere. But what is different in Windows 7 that could cause random RDP disconnects?

The one other bit of information that I had from the service provider was that some users on networks where VOIP was in use sometimes had this problem. A few well selected keywords in Google turned up this article about Windows 7 TCP auto-tune and broken RDP sessions: http://blog.tmcnet.com/blog/tom-keating/microsoft/remote-desktop-slow-problem-solved.asp As I read through it all the pieces fell into place.

This was my "ah-ha" moment like on the medical mystery TV shows. Prior to this nothing seemed to fit and everyone was just guessing. Suddenly all the random bits of data formed a complete picture.

Windows 7 uses aggressive TCP window scaling to get better performance on fast networks. This works great on "short" "fat" networks, such as from your desktop to a server on your local LAN. It also works great on "long" "skinny" networks, like from your desktop across the Internet. When the network is "long" and "fat", like a school district connecting across PAIUnet (a gigabit statewide network) to a server, the aggressive nature of the window scaling causes problems.

So the problem was the network, it was too fast. The solution was to configure each of the Windows 7 clients to be less aggressive with the window scaling. Here is the command.

netsh interface tcp set global autotuninglevel=highlyrestricted 

If you want more details on this, take a look at this Microsoft Technet article. http://technet.microsoft.com/en-us/magazine/2007.01.cableguy.aspx

Jan 25th

Facebook Harassment: Social Websites May Prompt Need for New Policies, Procedures

By litts@kkaglaw.com

Employers seeking to insulate themselves from harassment lawsuits prompted by employees' use of social media websites need to establish and enforce practical social media and anti-harassment policies, while at the same time being mindful of worker privacy rights, according to employment analysts interviewed by BNA.

"Given the lack of guidance from the courts on harassment and social media use in the workplace, employers need to be very careful about their workplace policies," Michael S. Cohen, a partner with Duane Morris in Philadelphia, said.

"Facebook and MySpace are here. If employers don't already have a social media policy, they are late to the game and need to put one in place," Cohen told BNA.

"In particular these cases [involving social media use] are really going to highlight issues about when and where the workplace begins and ends," Marc J. Scheiner, also with Duane Morris in Philadelphia, told BNA. "But it is just a matter of using different modes of communication; bad conduct is still bad conduct."

Cohen recommended that employers be especially cautious because of the lack of well-developed case law on social media issues. "We are probably still a year or two from seeing litigation related to social media harassment allegations get through the litigation process," Cohen said.

Scheiner and Cohen represent employers in workplace-related litigation and train human resources professionals on discrimination issues.

Respecting Worker Privacy Rights. A professor at Ohio State University's Moritz College of Law focused on the risk to employees' privacy rights in overly broad social media monitoring policies and criticized employers that justify such policies by raising the specter of workplace harassment.

"Many people think that there is a conflict -- that if employees have privacy rights it creates a greater risk of harassment," L. Camille Hebert, who teaches employment discrimination law, told BNA. "The defense attorneys I talk to say the monitoring is necessary to prevent harassment, but I don't think the monitoring being done is random."

Hebert emphasized that she does not think overly invasive monitoring of employees' social media use should be done "just in case" of potential harassment.

She added that such monitoring likely is unnecessary in the wake of the U.S. Supreme Court's decisions in Faragher v. Boca Raton (524 U.S. 775, 77 FEP Cases 14 (1998)) and Burlington Industries Inc. v. Ellerth (524 U.S. 742, 77 FEP Cases 1 (1998)), which provide an affirmative defense for employers in harassment lawsuits filed under Title VII of the 1964 Civil Rights Act. Under Faragher/Ellerth, liability for a supervisory employee's misconduct may be avoided if the employer shows that (a) a tangible employment act, such as a discharge or demotion was not involved, (b) it took reasonable care to prevent and correct promptly the harassment, and (c) the plaintiff-employee failed unreasonably to take advantage of the preventive or corrective opportunities offered.

"After [those decisions] I don't think employers are going to be held liable for social media harassment unless they knew about it and failed to act," Hebert said.

She added, however, that once an employer is put on notice that an employee has been receiving "inappropriate or racy e-mails," that employer has a legal obligation to investigate and promptly address the allegations.

Hebert said that employees need to accept that their social networking use may affect their privacy rights in the workplace.

"When employees put information on public social media sites, then they are going to give up some privacy rights," Hebert said. "People put crazy things on their social media sites but once they make them public then they have given up some rights."

Employees who use social media sites such as MySpace, Facebook, and Twitter should carefully consider what they post to these sites, cautioned plaintiffs' attorney Michael Latimer, a partner with Harkins, Latimer & Dahl in San Antonio.

"Plaintiffs' attorneys should counsel their employee clients to be very careful, very discreet about what they post on their social networking sites such as Facebook," Latimer said.

He added that popular social networking sites such as Facebook and Twitter are "just another means for one employee to subject another to harassment or discrimination."

Employer Liability Questionable. Employee rights advocate Lewis Maltby said that employers cannot be expected to control harassing conduct that is occurring through an employee's third-party wireless provider unless the complaining employee has kept the allegedly harassing images or messages and can give them to the employer to substantiate the complaint.

"Under the federal Stored Communications Act it is hard to conclude that employers have access to third party wireless service records," said Maltby, president of the Workrights Institute in Princeton, N.J. "From the employer's standpoint, I would not be too nervous about [employees' personal mobile device] activity because the employer can't be expected to control conduct that is not happening on its company's server."

"If the employee sending the objectionable or harassing content is not a manager but is someone down the ladder, the question is, did the employer know, should the employer have known?" Maltby said. "[T]he employee has to complain to the employer before they can start suing for harassment," he added.

Maltby emphasized that employers should avoid overly broad or restrictive social media policies and should respect workers' privacy rights in drafting and enforcing such policies.

"The problem is that official policies always say employees have no expectation of privacy, but in practice most employers fail to live up to their own expansive social media monitoring policies," Maltby said. "It really is not fair right now because there is almost always such disparity between the company's official standard and their real, practical standard."

Maltby predicted that the U.S. Supreme Court ruling in Ontario v. Quon (U.S., No. 08-1332, 6/17/10; 28 HRR 649, 6/21/10) would likely have some repercussions for private sector employees. He explained that a court's common law analysis of a private sector employee's reasonable expectation of privacy is "almost identical" to that applied to public employees under the Fourth Amendment.

In its decision reversing a ruling by the U.S. Court of Appeals for the Ninth Circuit in Quon (26 HRR 749, 7/7/08), the high court found that the city of Ontario, Calif., did not violate police officer Jeff Quon's Fourth Amendment privacy rights by reviewing his text messages and disciplining him for using the city pager for his personal business while on duty.

Reacting to the decision, Maltby told BNA that if advising employers, he would recommend they "think before they monitor" employees' personal communications and that they establish "strict guidelines" for information technology employees who might be tempted to look at co-workers' messages. He added, "It would be helpful if somebody would set standards" governing workplace privacy rights, suggesting Congress, the courts, or individual states as potential regulators.

"Employers are just being lazy -- if they sat down for a few hours and really thought about what they wanted these policies to accomplish, it would be easy to put in place realistic policies, [but] employers see this as too much work," Maltby said.

Management attorney Scheiner voiced a similar opinion, stating that an employer with an overly restrictive social media policy that it does not enforce may be worse off than if it lacked a social media policy.

"For instance, if an employer has a policy that prohibits all use of all social media but then doesn't block [access to] the sites -- is it really enforcing the policy or are [its] managers perhaps enforcing such policies selectively or inconsistently?" Scheiner asked.

EEO Policies Should Explicitly Address Social Media. Cohen and Scheiner said they urge employers to make very clear that their equal employment opportunity (EEO) and anti-harassment policies apply to employees' social media use.

"Regarding EEO policies, I am advising and encouraging employers to give tangible examples of what social media use is and is not allowed in the workplace," Scheiner said. "They should link social media policies to real-world examples so employees know what is prohibited and what is not."

Scheiner said that standards of appropriate workplace conduct are constantly changing and emphasized that it is an employer's responsibility to clarify what constitutes acceptable workplace use of social media sites. "I think the trend is towards defining what conduct is appropriate given that social media access exists. It is less about whether the conduct is on a work computer and more about whether the conduct is inappropriate," Scheiner said.

Cohen emphasized that although social networking is both popular and prevalent, employers need to decide what is best for their organization, and what level of social media access is appropriate for their employees. "It boils down to an employer deciding 'do we allow or do we not allow access to Facebook and Twitter at the workplace?'" Cohen said.

"An argument against allowing such access to social media sites is that it is a monumental waste of time and might have implications for workplace harassment issues," Cohen said. "But it is going on and it depends on the organization ... on what benefit the employer reaps from allowing social media use in the workplace."

"Workplace harassment is not about social media use, it is really about interaction between employees," Hebert said. "Employers need to have a strong EEO policy in place."

By JANET CECELIA WALTHALL

7-19-10 COPYRIGHT © 2010 BY THE BUREAU OF NATIONAL AFFAIRS, INC. HRR ISSN 1095-6239

Jan 24th

An Overview of Web Services Technologies

By lsk123

Web services provide a means of distributed computing over the internet, by allowing clients and servers to invoke server processes on other machines. They are software applications that can be accessed remotely by clients by sending and/or receiving XML messages that typically follow the SOAP standard.

 

A web service can be thought of as a server program with one or more procedures/methods with input and output parameters. These procedures can be accessed by clients by sending a SOAP message to a URL. A SOAP message is an XML message which follows the SOAP standard. The SOAP message will specify which procedure has to be executed and contain the value of the input parameters. The program then executes the procedure and, if there are any output parameters, responds back to the client with a SOAP message containing these parameters. The server and the client will need a SOAP message generator as well as a SOAP message parser.

 

An alternative to the SOAP approach is to use REST (representational state transfer) in which clients use URLs and the HTTP operations GET, PUT etc. to manipulate resources that are represented in XML.

 

Web services can use a variety of communication patterns like request-reply, solicit-response, one-way, notification etc. and can either be synchronous or asynchronous.

 

Web services are designed to support distributed computing over the internet, in which a variety of programming languages are used. They are independent of any particular programming paradigm. They differ from the distributed object model in that remote objects cannot be instantiated and therefore remote object references cannot be returned back to the client.  

 

The main advantage of web services is in the area of interoperability. Since the web services model is based on sending and receiving XML messages in the SOAP format, the hardware and operating system on which the client and the service run do not have to be compatible. The location of the client or the server doesn't matter since the communication is over the internet and neither does the language in which either is programmed.

 

The components of Web Services are 

SOAP

SOAP originally was an acronym for Simple Object Access Protocol, but now is considered a specification name and no longer as an acronym.

SOAP is designed to enable synchronous as well as asynchronous interaction over a network like the internet. It is a specification for using XML to represent the contents of request and reply messages as well as a scheme for communication of documents.

There are various SOAP Engines (Software that creates and parses SOAP messages) available with a free license.

 

XML (Extensible Markup Language)

XML is the language on which all Web services languages are built. XML is a tool for constructing self-describing documents. SOAP, WSDL, UDDI are all XML based languages.

In addition, XSD (XML Schema definition) is the XML schema used in SOAP, WSDL and UDDI. It is a set of rules to which an XML document should conform to be considered valid according to the schema.

WSDL (Web Services Definition Language)

Interface definitions allow clients to communicate with services. A service description provides an agreement between the client and the server about the services on offer. It assembles all the facts concerning a service that are relevant to the client and is generally used to create client stubs that implement the correct behavior for the client. The interface definition language for a web service (similar to IDL for CORBA) that is most commonly used is the WSDL specification.

The Web Services definition language is a specification which describes web services in a structured way. A WSDL document is an XML document that describes in a machine understandable way all the information that is required to connect to a web service. These include definitions, types, message, interface, bindings, services etc.

The WSDL document is logically divided into two different groupings – the concrete and the abstract descriptions. The concrete description consists of those elements that are used to bind the client to the service physically. The abstract description consists of the elements that describe the capabilities of the web service.

 

UDDI (Universal Discovery Description Integration)

The Universal Discovery Description Integration specification describes how a client of a web service can learn about its capabilities. The WSDL for the web service is available to be downloaded here. UDDI registries can be public where there is no restriction on anyone to do a lookup, private where it exists in an organization's network behind a firewall and is only accessible to clients who have access to the network or semi-private where it is available to a limited number of outsiders.
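The request/reply exchange described in this overview, as an added example (not code from the original post): a client wraps a procedure name and its input parameters in a SOAP 1.1 envelope, and the service parses it, runs the procedure and answers with a SOAP message or a fault. The `LookupExtension` operation, the `urn:example:directory` namespace and the directory data are assumptions made up for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:directory"                        # hypothetical service namespace
ET.register_namespace("soap", SOAP_NS)


def build_envelope(operation, params, ns=SVC_NS):
    """Message generator: wrap one procedure call (or its reply) in an envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{ns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(op, f"{{{ns}}}{name}").text = str(value)
    return ET.tostring(env, encoding="unicode")


def build_fault(code, message):
    """Message generator for errors: a SOAP 1.1 Fault with code and string."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_NS}}}Fault")
    ET.SubElement(fault, "faultcode").text = f"soap:{code}"
    ET.SubElement(fault, "faultstring").text = message
    return ET.tostring(env, encoding="unicode")


def parse_envelope(xml_text):
    """Message parser: return (operation, params) or raise ValueError."""
    # SOAP 1.1 forbids a document type declaration in a message; rejecting it
    # before parsing also keeps entity-expansion tricks away from the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in a SOAP message")
    try:
        env = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}")
    if env.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = env.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must hold exactly one operation element")
    op = body[0]
    operation = op.tag.split("}", 1)[-1]          # strip the {namespace} part
    params = {c.tag.split("}", 1)[-1]: (c.text or "") for c in op}
    return operation, params


# Constructed sample data standing in for the service's back end.
DIRECTORY = {"1001": "Front Office", "1002": "Help Desk"}


def lookup_extension(extension):
    """The remote procedure: one input parameter, one output parameter."""
    return {"department": DIRECTORY[extension]}


# Only procedures listed here can be invoked by an incoming message.
OPERATIONS = {"LookupExtension": lookup_extension}


def handle_request(xml_text):
    """Server side: parse the request, run the procedure, build the reply."""
    try:
        operation, params = parse_envelope(xml_text)
    except ValueError as exc:
        return build_fault("Client", str(exc))
    handler = OPERATIONS.get(operation)
    if handler is None:
        return build_fault("Client", f"unknown operation {operation}")
    try:
        result = handler(**params)
    except (KeyError, TypeError):
        return build_fault("Client", "bad or missing parameters")
    return build_envelope(operation + "Response", result)


def call(operation, **params):
    """Client side: build the request, 'send' it, parse the reply."""
    request = build_envelope(operation, params)
    reply = handle_request(request)   # stands in for an HTTP POST to the service URL
    return parse_envelope(reply)


if __name__ == "__main__":
    print(build_envelope("LookupExtension", {"extension": "1001"}))
    print(call("LookupExtension", extension="1001"))
    print(call("DeleteEverything"))
```
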

Jan 24th

Reporting Services without MSSQL

By jeremy_stoltzfus

Fun Fact: It’s possible to use SSRS with a Non-MSSQL back end.

I was once tasked with creating a web front end to a directory that we used internally. It seemed like a perfect job for .NET and SQL Server Reporting Services (SSRS), both of which we were already using extensively, but there was a hitch in the plan: the directory was stored in FileMaker.

Fortunately, it’s possible to use SSRS with ODBC datasources and, in turn, any other database system you can connect to via ODBC. It’s as simple as creating a Data Source through Windows Administrative Tools then choosing “ODBC” as the type in your SSRS Shared Data Source. I’ve used this method to connect SSRS to both FileMaker and MySQL back ends.

Jan 20th

Hyper-V 2008 R2 vs VMware vSphere 4 bake-off Part III

By brian_steigauf

In the previous two installments (Part I and Part II), I described the steps involved in setting up and the differences between a Hyper-V and VMware vSphere environment. This final segment will go over the pros and cons of each environment.

VMware is the 800 pound gorilla when it comes to virtualization technology. Thus, it has tens of thousands of installed environments, users, consultants, etc. The product is in its fourth major release and is the gold standard to which all virtualization technology is compared. BUT…there's always one of them, it's expensive. Yes, you'll save money in TCO, yes it's the "industry standard", yes it's more capable than Hyper-V. But, in these budget slashing times, $10,000 in licensing for a small environment is significant. Does that mean I think Hyper-V is better…no. I'm just stating an obvious fact that any business manager is going to make known.

VMware vSphere 4 Pros:

As stated earlier, VMware is the "industry standard" when it comes to virtualization. Support is included with the purchase of VMware and is part of a maintenance agreement. I can attest to VMware's tech support for the couple times I've had to call them. Calling any company's tech support rates just above getting a root canal for me, so it's refreshing when you get to talk to somebody that knows something about their product.

VMware is spectacular with memory management and will allow you to overcommit memory to the VMs. What does that mean? Let's say you have a physical ESX server with 64GB of memory and 20 VMs configured with 4GB of memory. Simple math says you would need 80GB of memory in the server. Not the case, in fact I would wager in that scenario for a normal school district, the server would only be using about 40GB of memory.

VMware has a staggering amount of add-on components for vSphere, specifically vCenter. Many are probably beyond what a normal school district would use (or could afford), but it's nice to know they exist. One of the most interesting ones is Site Recovery Manager (SRM). SRM enables an entire virtual data center to be brought online in another location for disaster recovery…automatically. It also allows you to test out a DR plan without disrupting the production environment.

Depending on the size of your school, there may be separate network and systems administrators. One of the complaints among network admins relating to VMware is the loss of control with virtual switches. vSphere has an optional Cisco Nexus integration (in their Enterprise Plus license). Utilizing a Nexus 1000V virtual switch, almost any function that would be found in the Nexus series of switches, can be implemented in a VM. Think QOS from core to VM.

Previously, ESXi's diminutive size was discussed. Since there is no longer a service console in the hypervisor, the attack vector for the hypervisor goes way down. That doesn't mean you never have to upgrade an ESXi server, but it does reduce the amount of updates.

Finally, if you support multiple operating systems in your district or just like to play with different OSes, vSphere supports almost any operating system you can think of (Linux, Unix, Windows back to Windows 3.1, NetWare).

VMware vSphere Cons:

I've already stated that VMware can be a bit pricey, but how pricey depends on which flavor you get; which leads me to the second negative for VMware…which version do you buy? There are 4 licensing models for vSphere with the price and feature set going up for each level.

Already mentioned, was the fact that ESXi has a very strict hardware compatibility matrix, thus older hardware may not be compatible. If you are comfortable with Windows and the Microsoft way of doing things, the learning curve and interface for vSphere will take some getting used to.

Hyper-V Pros:

Hyper-V is less mature than its VMware counterpart, but there are a couple areas that make it shine in comparison, especially for educational institutions. Hyper-V will run on anything that will run Windows Server 2008, so if you want to play with it, grab that old server off the shelf and have at it.

It's Windows! Most schools are already running Windows servers, admins are familiar with Windows, thus slipping in Hyper-V is "just another Windows server." Granted, there still is some knowledge to gain and if you want redundancy, a Microsoft cluster needs to be configured, but at its core, it's just Windows.

Since Hyper-V is Windows, it's compatible with any volume shadow copy service (VSS) backup software, like Microsoft's own Data Protection Manager. Each VM can be backed up as a simple VSS snapshot and since it is VSS, services like SQL and Exchange are backed up correctly.

Finally, Hyper-V's huge advantage is its price tag. If you buy the data center license for a server, you are covered to run Hyper-V on it. You still need to purchase VMM and System Center Operations Manager if you want to have a fully managed and monitored environment, but the educational costs for Microsoft products make it very attractive. I won't give exact figures because educational costs for Microsoft products vary state to state, but initial software costs can be up to 75% less. In a time of budget crunches, it's hard to ignore.

Hyper-V Cons:

Take this however you want, but Hyper-V is not as mature as VMware. Does that mean it's not as good? Not necessarily. For most education environments it will be good enough, but if you need some of the add-ons that VMware offers or the Nexus virtual switches, your choice is clear.

Hyper-V has a much smaller supported operating system portfolio than VMware. It's pretty much limited to Windows 2003 and up, SUSE Enterprise Linux 10 or 11 and Red Hat Enterprise Linux 5.2 and up. For most districts that only have Windows servers, this shouldn't be an issue (unless you have Windows 2000 servers still running).

The final drawback to Hyper-V is there is no included support with the purchase. This can be both good and bad. Some users will be happy, as they will never call support and aren't paying for something they won't use. Others will be very uncomfortable without the ability to call support and will need to purchase additional support options.

In conclusion, is there a clear winner? Not really. If your environment is heavily invested in Microsoft technology (particularly SCOM, SCCM, WSUS, etc) and you have experienced Windows admins, then clearly, Hyper-V will slide right into your environment at minimal cost and headaches (training, set up time). If you have a mixed environment, looking to get all the performance you can out of your virtual infrastructure or don't want to have to set up other services to monitor the infrastructure, VMware may be better suited to you.

Jan 20th

Server Farm, Servers, Storage, and Backup

By Les_Stoltzfus

Lampeter-Strasburg School District

Information Technology Department

Lester S. Stoltzfus

Director of Technology

Our philosophy of implementing enterprise level solutions in each major area of our infrastructure technology and using industry standard products and services from tier one vendors was applied in a big way with servers, storage, and backup. Dell was selected as our vendor to standardize with servers, and all servers that were purchased since 2005 were Dell PowerEdge servers. Likewise, when evaluating storage vendors, EMC was selected as our vendor of choice for enterprise level, high capacity, high performance storage. Additionally, after evaluating over 12 vendors that provide backup systems, we chose CommVault to handle our backup, deduplication, and replication needs. In the end, CommVault was our preferred backup system vendor because of their ability to backup a virtual server/storage environment and to deliver deduplication and replication functionality that outperformed the other vendors.

 

Dell – Dell has a solid story around servers and end-user computers, and since 1984, Dell has been making technology more accessible to people and organizations around the world. Dell ships more than 110,000 systems every day to customers in 180 countries. As of January 2011, Dell has over 96,000 employees, with annual revenue of $15.4 billion. Dell has a clear focus on the education market through its “Connected Classrooms and Virtual Labs” initiatives, designed to help administrators, teachers, and students harness the power of technology to advance learning. This focus has resulted in more school districts and universities than ever deploying Dell education-specific technology solutions, making Dell the top provider of laptops and desktops to schools in many major markets around the world. Overall Dell is the number one technology vendor in the public sector, medical field, and large enterprise and does business with 98 percent of the Fortune 500 corporations.

 

EMC – EMC employs approximately 40,000 employees and is the leading provider of enterprise infrastructure storage. EMC has received an unprecedented number of awards and recognition for being the leader in enterprise storage and enjoys a major market share of enterprise storage systems.

 

CommVault – Founded in 1996 with over 12,000 employees, CommVault was one of only two data management software companies to receive the highest rating bestowed by Gartner in their 2008 Enterprise Backup/Recovery Software MarketScope. Many leading technology companies have formed strategic partnerships with CommVault, including Dell, Microsoft, VMware, Oracle, HP, and others. CommVault understands the importance of data (information) and is the leader in meeting the growing storage needs of the data center. CommVault is very aggressive in its approach to staying ahead of the curve with new technologies, such as compatibility with VMware and VMDK in a virtualized server and storage environment, as well as deduplication and replication functionality.

With a specific plan and a strategic strategy, Lampeter-Strasburg School District built a NOC/Server Farm/MDF that will support our current and future needs and allow us to deliver to the desktop data, audio, video, television, and voice traffic. By consolidating all of our servers and all of our storage for our voice, data, and video systems in a single room (NOC), we were able to leverage significant savings in many areas and take full advantage of virtualization. We have implemented several VMware vSphere 4 Enterprise Plus ESX server clusters allowing us to consolidate over half of our nearly 60 servers and save approximately $200,000 over two years. These server clusters and fibre channel (SAN) storage have positioned us to fully implement a virtual desktop/thin client computer environment and move forward with a private and public cloud computing strategy. With this infrastructure in place, we are able to now look at how we can potentially embrace a new set of student computing devices, such as cellphone computers, tablet computers, netbook computers, and handheld computers all in a monitored, managed, and secure environment that is CIPA and eRate compliant.

 

With the high degree of dependency on technology, there is an incumbent need to have a backup system that meets the needs of today and tomorrow and is reliable and scalable. In our case, the amount of raw disk storage needed for nearly 4,000 staff and students quickly made tape backup an undesirable option. The amount of data we need to back up forced us to look at new technologies, such as deduplication, to shrink the backup disk storage capacities. CommVault’s backup software called Simpana performs a nightly backup and an efficient deduplication, as well as replicates the data to an off-site location. With this backup strategy, Lampeter-Strasburg School District benefits from a disk-to-disk-to-disk backup, deduplication, and replication. This results in a nightly backup of our data, retaining the data for four months and having it stored on-site and off-site. This strategy meets our backup needs and our disaster recovery needs and eliminates the use of any tape. A nightly process is performed automatically with no operator intervention or the need to deliver tape(s) to an off-site location. The backup system gives us the capability to easily restore files that are inadvertently deleted, lost, or corrupt. We can restore files for staff within minutes, saving multiple days of work it could take to recreate the file(s) manually. Finally, this backup system satisfies the requirements of our auditors and goes a long way in meeting the needs of a huge component of our disaster recovery requirements.

 

The off-site location of our backup is at Lancaster-Lebanon Intermediate Unit 13 and is leveraged over the network connection from the WAN Service. Below, under Matador Backup System, is a description of the components of this backup strategy:

 

Dell Servers – Our server farm of approximately 60 servers is built with server class Dell PowerEdge Servers. The newest servers are R710 model servers, and many are 2950 model servers. Most of our servers are virtualized with VMware vSphere 4 Enterprise Plus. The only servers that are not virtualized are servers running applications that cannot be virtualized, such as VoIP servers, Lightspeed Rocket Appliance Servers, Matador CommVault Appliance Servers, etc.

 

EMC SAN – Our data storage system is an EMC CX300 Fibre Channel Storage Area Network (SAN) with four enclosures fully populated with 60 hard drives that provide us with over 22 TB of raw storage capacity. This advanced storage technology fibre channel SAN installation includes multiple server and battery backup units within the SAN array itself.

 

Matador Backup System (Dell/CommVault) – Our data backup system is an appliance called Matador from Dell, Inc., and CommVault, Inc., that utilizes Dell DL2100 Servers and Dell MD1000 disk arrays with CommVault Simpana 8.0 software. This data backup system allows us to perform nightly backups of our data, disk-to-disk-to-disk (primary storage to backup storage to off-site storage at IU13). This nightly process involves backup, deduplication, and replication technologies. Files that are inadvertently deleted, lost, or corrupt can be restored quickly

Jan 20th

2010 Horizon Report & Open Content

By jmurray@clsd.k12.pa.us
The 2010 Horizon Report written in collaboration with The New Media Consortium and the Educause Learning Initiative reinforces the concepts that many educational leaders have been discussing. Devices are more portable now than they ever have been. Access to information is growing increasingly easier to obtain along with the ability to author to the web. The exponential growth of self-authoring media has exploded and everyone wants an audience. The Internet provides the most efficient method of distributing a person’s work.
 
 
One of the most explosive trends involves “people expecting to be able to work, learn, and study whenever and wherever they want.” We now have the technology to place all the information in the world at our fingertips. For instance, Kindle offers an excellent medium to give readers easy access to a library of books anywhere and anytime. Moreover, the Kindle app allows your library to follow you on your laptop, netbook, tablet, or smart phone. People now have the capability of learning/reading on the bus or subway to school/work, while waiting at the doctor’s office, or relaxing at home. The technology potentially has no limits. Yet, let’s not forget iTunes U, all the Tubes, and Netflix. We can also view and listen to literature, documentaries, videos, and movies on any of our devices at any time.
Another common trend is “the work of students is increasingly seen as collaborative by nature...” and why not? When we go to work we collaborate with our colleagues. I’ll be the first to admit that I don’t know everything. I can’t be an expert in everything. I rely on the people I work with for help or at least direction to where I can research the information that I don’t know. Students should work together to build knowledge and discover content relationships. Moreover, “… there is more cross campus collaboration between departments.” I feel in some aspects that we need to throw down the barriers of segregating departments. When a student is working on a physics problem, they may need calculus to solve it. Most students struggle to put two and two together, because the content realms have been segregated their whole lives. It is very difficult for students to see how math relates to science which could also relate to English and so on. More collaboration is required for our students to make breakthroughs. We don’t work like that and the world doesn’t work like that, so why should we learn in this manner? We (teachers and professors) should throw aside our pride and work together more for the benefit of our students and our future. Let’s face it, the “…role of the academy and the way we prepare students for their future lives is changing.”
 
With the academy changing, our conceptual ideas and technologies must adapt to the shift. One of the most promising technologies evolving for education involves open content. I’m really excited to unlock the potential of this particular technology. With the current economic state and the cost of textbooks, I really foresee schools and universities moving towards open content. I realize the challenges with validity and reliability on open content. We will have to overcome these challenges with creative solutions. Open content allows professors and teachers to customize their lessons, based on selecting pieces of open content for the students to read. Authors, educators and innovators are currently producing legitimate open content that can be shared among us. Several universities, like MIT, open their content up to others in response to the rise in educational costs. In essence, someone who could not afford college could still learn the material. Smarthistory.com, Open Michigan content, Johns Hopkins Bloomberg School of Public Health, and Looking for Whitman are just a few of thousands of successful open content projects just waiting for students and educators to take advantage of them. What I am trying to say is we need to take advantage of open content now, and I highly encourage everyone to investigate this unknown treasure.
Jan 14th

Social Engineering and Network Security

By mike_cawley

According to Wikipedia, "social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical hacking techniques." What makes social engineering successful is our innate willingness to want to help another person. Attacks depend on our compassion and are able to use it to gain access to secure environments.

While much time and energy is spent physically securing our equipment and protecting it from outside (or even inside) attacks, we often overlook the human aspect. No matter how secure your systems are, if someone hands out the password, an attacker is able to bypass all of your defenses. It is imperative that there be some training against social engineering for all employees and enforcement of policies protecting passwords and other vulnerable data.

There are a few simple ways to make an attacker's job more difficult. Using generic email addresses on your website, such as Accounting@school.edu instead of your accountant's real name or email address, and removing employee names, job titles and phone numbers from the website are just two examples. Also, there need to be policies in place that will allow you to confirm the identity of an employee who has lost or forgotten their password. Resetting a password over the phone is quick and easy, but it also allows for someone to impersonate another employee to gain access to secure areas. The alternative may end up being a pain for both parties, but it will reduce the damage this type of attack could cause. There needs to be a balance struck between security and ease of use. If a task is too complicated, employees will be more willing to bend the rules to solve a problem.

One final example of social engineering bypassing security measures is the act of holding a door open for a coworker. If you are entering your work and you scan your ID badge to get into the building, but you see someone carrying a heavy box, would you just let the door close in their face or would you hold it open for them? This tactic is used by many penetration testers to gain entrance to a building. In many buildings, once you are inside, you no longer need an ID badge to unlock doors.

I would urge you to review your password reset policies and do some general training on ways to minimize potential damage caused by these attacks. Including the entire organization in this training will be a great benefit to your network security.