Best Practice Ezine #32 Good Guys and Bad Guys
Actors often say that playing a villain or baddie is far more fun than playing thegood guy. After last week’s ezine, I know how they feel. Let me explain. When Ideclare that OWA is a wonderful feature, I get no reaction. However, when I pronounce that circular logging should be banned, then I get an avalanche of mail saying how wonderful circular logging is. I have to agree with the actors, it is more fun playing the bad guy.
This week’s theme is: Good Guys and Bad Guys.
I have for you, 4 tips for programs that I love and two tips for programs which I dislike, but other techies tell me are wonderful.
With any utility tips that you get, no matter what the source, always ask: �Where does this executable come from? Unless stated otherwise, this week’s tools are built-in to Windows 2003 server.
Guy Recommends: The Free IP Address Tracker (IPAT)
Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets. IPAT cracks this problem of allocating IP addresses in networks in two ways:
For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges.
For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker
New Ipconfig switches.
A wild guess, you are already familiar with Ipconfig /all. However, you may be less familiar with the new family of switches for Ipconfig in Windows 2003 and XP. For example, /displaydns.
Another prediction, one day Ipconfig /flushdns will get you of a pickle. Take the situation where you are trying to connect to a server, but you keep getting errors like ‘No network provider accepted the given network path’. Or the simple ‘Cannot find server’. Now this could have been your typo, but when you are certain that you have spelt the name correctly and that that server is up and running efficiently, then you start getting frustrated. What may have happened is this, a DNS name or setting has changed recently, therefore the cause of your problem is a stale DNS cache. Now is the time for Ipconfig /flushdns to ride to your rescue.
As an appendix to this tip, /flushdns actually reads the host file and reloads its entries into the DNS cache. I challenge you try another switch, Ipconfig /displaydns. Next I invite you to add records to your host file in the %systemroot%\system32\drivers\etc folder, then issue Ipconfig /flushdns followed by Ipconfig /displaydns.
Another command I feel sure that you know is ping. I thoroughly recommend that you check out Tools4Ever’s site and get a copy of freeping v2. With FreePing you can add numerous machines to server, and have the utility ping them automatically, ideal for troubleshooting connectivity or testing routing.
This Certutil command is a paradise for those who love command line tools.
** Warning ** Naturally you have to install Certificate Services before you get any output action with Certutil. Examples of Certutil:
Certutil -ping. Try this command first, just to see if your server is running. Note you just need the -ping (not -ping 126.96.36.199). If you do want a distant machine then try: Certutil -ping -config \\ machinename for a remote certificate server.
Certutil – dump. This outputs information about your public key.
Certutil -template. This displays a list of all the certificate templates.
Certutil -backup C:\ backup. Note -backup needs a local path. For security you will be prompted for a password.
Where next? Try your Windows 2003’s built-in help. There are zillions more switches for certutil.
Here is a ‘blast from the past’. Syskey is a simple tool with just one role, that role is to encrypt the passwords in the SAM database. This tool has all the hallmarksof a ‘good guy’, simple to use, easy to understand with no downside.The only people likely to be upset with syskey are those with their passwordcrackers, because after you run syskey, they cannot decipher your administrator’s password.
Perhaps you are thinking, ‘while there is a SAM database on a member server, there are no SAM user accounts on a domain controller’. Things are not quitewhat they seem, do you remember that Administrator account which is used for Recovery Console? Syskey will encrypt that Administrator’s password even on a domain controller.
When you run syskey, check the UPDATE option.
I have taken against secedit. My dislike of Secedit goes back to Windows 2000; when you wanted to refresh a group policy you needed the long-winded, secedit /refreshpolicy machine_policy /enforce. When XP introduced the simple gpupdate to refresh group policies, I thought that I would never need secedit again. However, secedit lives on and some die-hards use it to import and export group policy templates. Me, I use the security analysis snap-in.
I have to say this for NetSH it does supply a comprehensive set of tools. But I am afraid I prefer to call for a GUI rather than type in NetSH commands in a DOS box. One suspects that NetSH stands for network shell. Should you be tempted to try NetSH, the key concept is – context.
To begin with, just type NetSH at the command prompt. You see
Next type in the context, for example DHCP or Routing or WINS. You see
To finish on a note of fair play, NetSH would be ideal for scripting. NetSH and its contexts would provide hooks for VBScript or even batch files.
See more interesting DNS, DHCP and IP articles