Archive for August, 2005

Driver Updates From Microsoft? Please Pass.

August 30, 2005

To have a stable and secure system, you need to keep your software current. This includes downloading and updating both Microsoft, and third party, software.

Microsoft provides the Windows Update, and Automatic Update, facilities. On a monthly basis (or sometimes more often), Microsoft will issue recommended updates to the Operating System, to Microsoft applications, and even to third party drivers which may be relevant to your computer.

Whether you enable Automatic Updates, or retain control and monitor recommendations by Windows Update, is not the question here. Both have their advantages. But please, whatever you do, don’t download third party drivers from Microsoft.

If there is a third party driver update that’s relevant to your system, get it directly from the vendor – that’s what Microsoft does. Sometimes, what Microsoft may have available thru Windows Update is out of date, or is simply defective. You can get anything that’s available directly from the vendor, whenever you need it.

Use Windows Update to keep your computer up to date with Microsoft products, but take its driver update notices simply as reminders. Then, if appropriate, follow the reminder, and get updates from the vendor, observing vendor recommendations.

Better Protection – Hardware or Software Firewall?

August 26, 2005

A firewall is a specialised computer which has but one purpose – to prevent bad network traffic from passing between an untrusted network, like the Internet, and a trusted network, like your LAN, your computers, and the programs that you run on them.

A hardware, or appliance, firewall runs on a separate piece of equipment, and provides perimeter protection, to a group of computers. A software, or personal, firewall runs on a host computer, and protects only that computer. There are variations which may use the hardware of a personal computer, and provide perimeter protection.

Please don’t confuse the concept of a firewall with that of a router – NAT router, or enterprise network router. A firewall is neither of those.

Both hardware and software firewalls require an operating system, or some interface between the user and the hardware.

The hardware firewall contains a stripped down operating system or code processor of some type, that provides the ability to examine, filter, and / or pass packets between the interfaces (WAN and LAN). It may also contain a small web server or configuration processor, so the user can change the filtering. The software firewall runs under an external operating system, that also lets you use your computer for non-firewall purposes, and lets you change how you use your computer.

There are advantages and disadvantages to both. Saying that one is better than the other is like saying Coke is better than Pepsi, or Chevrolet better than Ford. You can only compare the two, when considering the specific environment where protection is needed.

Hardware Firewall

Advantages:

  • A hardware firewall filters malicious incoming traffic, before it hits the protected computers. This lessens the load on the protected computers, and their filtering and logging software.
  • A hardware firewall has a dedicated processor, and dedicated storage. This further reduces the load on the protected computers.
  • A hardware firewall is smaller and more efficient. It contains just the code to filter network traffic, and to let the administrator make changes to the filtering. If it uses a web interface for changes, it needs only network connections, no video, keyboard, or mouse connections.
  • A hardware firewall contains minimal code that can be misused. It does not contain a web browser, word processor, multimedia player, or other accessory that can be exploited by malware.

Disadvantages:

  • A hardware firewall filters malicious network traffic only, and only at the perimeter. If your LAN uses only perimeter protection, any malicious activity that gets onto the LAN in any way will be unstoppable. All computers on the LAN are vulnerable.
  • A hardware firewall, and its dedicated processor, and dedicated storage, is finite in capacity, and must be carefully chosen for the intended workload. If the firewall is overloaded, it can do only one of two things:
    • Fail open. When overloaded, the firewall may simply pass traffic, unfiltered.
    • Fail closed. When overloaded, the firewall may simply drop traffic.

    Neither of these outcomes is desirable. Any specialised hardware protection, such as a hardware firewall, MUST be carefully chosen to fit your network. It must provide the capacity, and the functionality, needed by YOUR network.

  • A hardware firewall can’t effectively filter outgoing traffic, as it has no knowledge of what programs are running on the protected computers.
  • A hardware firewall requires one more power connection, and one more network cable. If you have limited resources, space or power, you may find this a problem.
  • A hardware firewall may not be easily upgradable, except by replacing the firewall itself. Capacity upgrades may require a different model device. Code changes may require replacement of internal components. Firmware upgrades must be done when the network is offline.

Software Firewall

Advantages:

  • A software firewall is more configurable. Since it sits on your desktop, you can make changes to its filtering, at will.
  • A software firewall installs components into the operating system, so it knows what programs are running there, and can protect you accordingly.
  • A software firewall provides individual protection to its host. If one computer in the LAN gets infected with malware, all computers running a software firewall are protected.
  • A software firewall is easily upgraded. Any necessary capacity upgrades can be made, by adding hardware to the host computer. Any necessary code changes can be made by reinstallation of its drivers, or other components.

Disadvantages:

  • A software firewall is more configurable. Since it sits on your desktop, you can make changes to its filtering, at will. A CKI Fault can make you instantly vulnerable, as Mark Russinovich discovered, when he busted Sony.
  • A software firewall can be exploited, thru its many features. Since you control it, bad advice can cause you to disable one or more filters, leaving the host computer unprotected against exploits.
  • A software firewall filters malicious incoming traffic only after it hits the host computer, and the operating system.
  • A software firewall uses processor power, and storage, which may compete with use of the host computer. This causes tuning needs, and the temptation to disable various features.

Now none of these points are 100% significant by themselves. Some hardware firewalls are more versatile, and more configurable in hardware and software. And there are hooks in software firewalls that restrict exploits, and make them less vulnerable. But these are the key differences between the two classes of protection.

Hybrid Solutions
There are variations in the distinction between hardware and software. Some security experts like to promote a third model, which they call a software firewall. They will take a surplus desktop computer, add a second network card, remove all non-essential accessories like a sound system, and make a perimeter protection device out of it.

The experts who like to build these custom perimeter protection devices claim that they have the advantages of both a personal and perimeter firewall, and none of the disadvantages. But examine these custom devices more closely, and you will find subtle disadvantages.

There is also the possibility of a hardware firewall, sitting inside your computer. The nVidia nForce is probably the first, but surely not the last, device of this type.

A well designed security strategy uses both perimeter and personal protection, and more.

Networking Your Computers

August 24, 2005

Setting up a computer network, whether to share files, or Internet service, can be a lot of fun. It’s more fun, though, if you set it up properly, from the start. I’ll try and make that possible, if you work with me.

With the basic issues out of the way, you can get detailed instruction from plenty of websites, that will give you illustrated instructions. Here are but five, listed in alphabetical order.

And if you’re planning to install cables in your home, you’ll need to know about home construction. Bob Catanzarite’s Structured Wiring How To website provides an excellent primer on this subject.

If you have properly chosen and setup your equipment, advice from any one of the above should get your network in order. The various guides are written by different organisations, and each has a different style, so check them all out if possible. Find the one which works best for you.

Solving Problems
If you’re here because you have problems, please start by reading Solving Network Problems.

Now, what is your specific problem? Is it accessing the Internet? Then read Troubleshooting Internet Connectivity. Or is the problem with File Sharing? Then read Troubleshooting Network Neighborhood (Windows Networking).

One major issue that the websites listed above won’t help you with, if your problem is with file sharing, is the browser. Now when I mention the browser, don’t start with “My Internet access is not a problem”. The browser is the program that provides the contents of Network Neighborhood on your LAN. It’s frequently involved in problems when “I can’t see the other computers”, or “I get access denied when I try to access another computer”. Please read my article Windows NT (NT/2000/XP/2003) and the Browser.

Do you have a LAN with both Windows 9x (95, 98, ME) computers and Windows NT (NT, 2000, XP) computers? Then you should read Windows 9x (95/98/ME) and the Browser.

In Conclusion
All of the above articles link to dozens of other articles, so read carefully. And be patient with me, as I add to this blog almost daily. Check back here periodically. Or write to my Guestbook.

Solving Network Problems – A Tutorial

August 20, 2005

Networking computers is a pretty complex process, and there are a lot of possibilities for problems. When you have a problem, the symptoms may not always point immediately to the problem. You may be able to avoid solving the problem – maybe you can blame it on somebody else, or maybe you can use a different network technique. But you’re better off, in the long term, with finding and solving the problem.

One of the more common symptoms of a networking problem is the dreaded “access denied” error, which is where I started this website long ago. Now access denied, as reported by Windows, can be caused by anything from “I can’t identify the address of the resource (server or file) requested” to “The server says that I may not access this file”.

Sometimes you have multiple problems, causing your inability to access the other computer. Maybe the cable between your computer and the other computer is bad, AND the other computer is setup so you may not access the file. You have to solve each problem, one at a time.

If you see “access denied”, you check the server, and notice that your account is specifically set to not have access, fine. You fix the “you may not have access” setting, try again, and still get “access denied”. So now, there are 3 scenarios.

  1. You just fixed one problem, and there is another problem.
  2. You truly found a problem, but didn’t fix it properly.
  3. You didn’t find the problem, and may have caused another problem by the change you just made.

With scenarios 2 and 3 weighing heaviest in your mind, you reverse the change you just made, since “that didn’t fix anything”. You then start looking for other possibilities, and find a broken network cable. You buy a new cable, try that, and still get “access denied”. Now totally frustrated, you get into the forum of your choice, and whine about “I tried everything, and still have a problem”. And you’re right – you do have a problem. And the biggest one is that you don’t know how to solve problems.

  1. Solve Network Problems From The Bottom Up
  2. Test Each Component, and Problem, Individually
  3. Test Using Previously Tested Components
  4. Look For Relational Patterns
  5. Look For Historical Patterns
  6. Use Diagnostic Aids and Tools
  7. Research The Problem
  8. Exercise Patience and Persistence, and Publicise Your Results

Rule One – Solve Network Problems From The Bottom Up

Computer networking is best defined in layers, as you can see from the OSI Network Model. Logical networking, like TCP/IP, connects to physical networking, like Ethernet or WiFi. Server Message Blocks (aka SMBs) provide file sharing, which is what you frequently need help with; and SMBs connect to the logical network in a variety of ways.

If there’s a problem with your Ethernet connection, you have to fix that first. In order to fix it, you have to be able to test it. Don’t just replace the Ethernet cable, wait a few minutes, and look in Network Neighborhood for everything to become visible. That might work once, but it won’t work that way all of the time.

Always diagnose a network problem, one layer at a time.

Rule Two – Test Each Component, and Problem, Individually

When you have a network problem, test each component individually. A physical connectivity test may be simple, such as observing the lights on the router and the network card. Or you may have to get a network tester. Those pretty blinking lights are functional, so use them. And Read The Manual, to find out what diagnostics are available for any product.

But please don’t test a physical network problem by looking at Network Neighborhood. There are dozens of possible problems with Network Neighborhood – and physical problems are just one possible cause.

Find out what diagnostics are available for each network component. Test each component, one by one.

Rule Three – Test Using Previously Tested Components

If you have more than one computer, having a spare (never used) network cable, and other components, is not at all a waste of money. Having a spare cable, which you can try at 2:00 in the morning, or when your friends drop by unexpectedly, is well worth the extra expense.

Unfortunately, any unused (totally new) component may not always work – anything you buy may be defective. Worse yet, it may work partially – it may send but not receive. Whenever possible, use components that you have tested. Buy a new cable, if you wish, but take a known good cable from another setup, and put it into the problem setup. Put the new cable into the currently working setup, and test it there first.

If the known good cable (used, from the previously working setup) doesn’t work, when used in the currently not working setup, put it back where you got it. Make sure that it continues to work in the previously working setup. It’s always possible that you broke it when removing it from the previously working setup. If you now have TWO non working setups, you’re going to have to apply these principles to both problems, but separately. Be aware of the possibilities here.

Take the new (previously spare) cable, and test IT in the previously working setup. If it works now, then you can use it in the current problem setup for testing. Then you’ll need a second spare, and this discussion could go on still further.

Maybe you have multiple problems. A defective router port, and a bad network cable, is always a possibility. Use known good components, and test one component at a time, when troubleshooting a problem.

Rule Four – Look For Relational Patterns

Diagnosing a network problem can be tricky. If two computers can’t communicate, how do you know where the problem is? Is it the first computer, that isn’t sending? Or is it the second computer, that isn’t receiving? Or could it be both computers (again, compound problems)?

If you have three computers, you’re much better off. With three computers, which computer is working differently? Can you access Computer A from Computer B, but not from Computer C? Then look at Computer C first. Or, if Computer A can’t be accessed from either B or C, look at Computer A first.

If the problem is intermittent, and involves connectivity interruption, use PingPlotter, running on all computers simultaneously, to look for relational patterns. For Internet Service problems, set PingPlotter pinging a host on the Internet, maybe your ISP’s DNS server, or http://www.yahoo.com. For a LAN problem, ping your router. Compare the output from all computers, periodically. Look for similarities in connectivity interruption.

Rule Five – Look For Historical Patterns

When did the problem start? Did you just apply system upgrades? DOHH. Google for “885250”, as an example, to see where this leads.

Does the problem come and go? Is there any pattern there? A time of day, or day of week pattern? Maybe a problem is connected to the weather. Broadband connectivity is not weather transparent – all of the wires involved can be affected by cold / heat, and by dryness / moisture. Maybe the problem is related to your electrical use in your house – coming home, and running the microwave oven, for instance.

One way to look for historical patterns, objectively, is to use PingPlotter. For Internet Service problems, set PingPlotter pinging a host on the Internet, maybe your ISP’s DNS server, or http://www.yahoo.com. For a LAN problem, ping your router. Examine the output from PingPlotter, and see when and where the problems are occurring.

If PingPlotter shows loss of connection between your router and your ISP’s gateway, you have to get your ISP involved. And you don’t have to listen to them telling you to fix your computer, because the problem is not between your computer and the router. A picture can be worth a thousand words, if you have to deal with your ISP.

Rule Six – Use Diagnostic Aids and Tools

In order to diagnose a problem, you have to have tools to help. I have a small, carefully chosen suite of software tools, which I inventory in My Personal Toolbox. Other helpers have their own favourites. Find which ones work for you, and always look for others.

Besides software tools, use diagnostics provided by the equipment, and hardware tools, if you have them. The lights on the router, and on the network cards, are a start. Having a network tester is a good idea too.

One of the simplest tests for Internet Protocol connectivity is the ping utility. Whenever you have a problem, almost any expert will eventually ask you to “Ping one computer from the other”.

I use CDiag for comprehensive and repetitive testing between multiple computers. CDiag performs simple tests, in combination, between each computer and each other on the LAN, and makes it simpler to assemble all of the symptoms into one report. CDiag is pretty simple – but it can be very useful.
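A bottom-up, CDiag-style check sequence, written here as an added example in Python; it is not the CDiag script itself. Each layer (router reachability, peer reachability, name resolution, the SMB ports that Network Neighborhood uses) is tested in order, and testing stops at the first failure, since a lower-layer fault explains every symptom above it. The router and peer addresses are constructed placeholders.

```python
"""Bottom-up LAN diagnosis in the spirit of Rules One, Two and Six.
Added example, not the blog's CDiag script.  Host names and addresses are
constructed placeholders; substitute your own router and peer."""
import socket
import subprocess
import sys
from typing import Callable, List, Tuple

Check = Tuple[str, Callable[[], bool]]   # (layer description, test function)


def ping(host: str, timeout_s: int = 2) -> bool:
    """IP reachability: one ICMP echo via the operating system's ping command."""
    win = sys.platform.startswith("win")
    count_flag, wait_flag = ("-n", "-w") if win else ("-c", "-W")
    wait = str(timeout_s * 1000) if win else str(timeout_s)   # ms on Windows, s elsewhere
    try:
        result = subprocess.run(["ping", count_flag, "1", wait_flag, wait, host],
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                                timeout=timeout_s + 2)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def resolves(name: str) -> bool:
    """Name resolution (DNS, hosts file, or NetBIOS name lookup on Windows)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def tcp_open(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """Is a file-sharing port answering?  445 = SMB over TCP, 139 = NBT session."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def bottom_up(checks: List[Check]) -> Tuple[List[str], str]:
    """Run the checks in order and stop at the first failure (Rule One).
    Returns (report lines, the failing layer or 'all layers passed')."""
    report: List[str] = []
    for layer, test in checks:
        ok = test()
        report.append(f"{'PASS' if ok else 'FAIL'}  {layer}")
        if not ok:
            report.append(f"Stop here: fix '{layer}' before looking at anything above it.")
            return report, layer
    return report, "all layers passed"


def lan_checks(gateway: str, peer_name: str, peer_ip: str) -> List[Check]:
    """Order matters: IP to the router first, then to the peer, then names,
    then the SMB ports that Network Neighborhood actually depends upon."""
    return [
        (f"IP connectivity to router {gateway}", lambda: ping(gateway)),
        (f"IP connectivity to peer {peer_ip}", lambda: ping(peer_ip)),
        (f"name resolution for {peer_name}", lambda: resolves(peer_name)),
        (f"SMB port 445 on {peer_ip}", lambda: tcp_open(peer_ip, 445)),
        (f"NBT session port 139 on {peer_ip}", lambda: tcp_open(peer_ip, 139)),
    ]


if __name__ == "__main__":
    # Constructed values for illustration only.
    lines, failed_at = bottom_up(lan_checks("192.168.1.1", "SERVER1", "192.168.1.10"))
    print("\n".join(lines))
```

Run it from each computer in turn, and the reports line up into the per-computer symptom table that Rule Four asks for.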

Rule Seven – Research The Problem

With a computer problem, you have a major advantage over a non-computer problem. Computer owners frequently use the web to get help. Unless you live totally on the edge, the chances are that any problem YOU have has already been experienced, and written about, by somebody else. So Google for it. Or ask for help, but ask intelligently.

Rule Eight – Exercise Patience and Persistence, and Publicise Results

If you have a problem, be patient when dealing with other people who help, and with yourself as you learn. You won’t solve any problem by giving up, nor will you get help any faster from someone else. Trust those who try and help you, and provide the diagnostic information that they request, and as they request it. Be tolerant of the diagnostic process, and work with the helpers.

But be persistent too. Follow up with anybody who promises to help you. Don’t just ask for help, and go away. Wait a while, and ask again.

And be objective – whether you are getting help from a volunteer online, a Tech Support person employed by your employer, or a vendor of a product or service.

If you follow this guide, and you find and fix one problem, but everything still doesn’t work, be persistent. Start again from the beginning, and question everything. Go thru this guide in more detail, and look for another problem. And ask for help again, maybe in a different forum.

Come back here from time to time. I write, and rewrite, this blog constantly. That’s the advantage of a web document (website) over a book – this is a dynamic medium, and this blog is constantly changing.

And publicise your results. When you get results, or when you don’t, let folks know. Everybody benefits from collaboration, and sometimes knowing what doesn’t work is as useful as knowing what does.

The Internet is huge, and growing all of the time. Keep at it until everything works, and don’t give up. Well, persist to a limit, anyway.

Browsing Across Subnets

August 6, 2005

One of the causes of browser problems is a backup browser server being separated from the master browser. As I stated in my main Browser article, The NT Browser…

Anytime that a backup browser realises that there is no master browser present on the domain, the browser is authorised to hold an election to determine a new master browser.

There are 2 reasons for this behaviour.

  1. There must be a master browser available at all times, for browsing to work.
  2. There must be a master browser available on each subnet, for browsing to work.

Why is this relevant? It’s because browser relationships, in general, do not pass from subnet to subnet. Browser communications, from a server to a backup or master browser, are by broadcasted datagrams. Broadcasted datagrams are sent to all computers on a subnet, but nowhere else. Routers drop broadcasted datagrams, so server advertisements, which are what the master browser depends upon to know that a server exists, stay on each subnet.

The master browser on the subnet assembles all of the server advertisements into the browse list for the subnet. If a domain is segmented, by either multiple subnets or just having multiple master browsers, it is the job of the domain master browser to collect the browse list from each segment master browser, aggregate the lists, and pass the aggregated list back to each segment master browser.

Here is one instance where a workgroup will not perform as well as a domain. If a workgroup is segmented, there will be no domain (workgroup) master browser, and no ability for servers on one segment to be seen from another segment. Segmented workgroups simply can’t be browsed across segment boundaries.
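A small model of the behaviour just described, added here as an example (it is not code from the blog and does not speak the real browser protocol): server announcements are broadcasts that never leave their subnet, each subnet's master browser builds a list from what it heard, and only a domain master browser merges and redistributes those lists. Subnet and host names are constructed.

```python
"""Model of segment master browsers and the domain master browser, as described
above.  Added example, not the blog's code; names are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Subnet:
    name: str
    servers: Set[str] = field(default_factory=set)      # hosts that announced themselves
    master_browser: Optional[str] = None
    browse_list: Set[str] = field(default_factory=set)  # what this segment's master holds


def broadcast_announcement(subnet: Subnet, server: str) -> None:
    """A server advertisement is a broadcast datagram: every host on this subnet
    hears it, and the router drops it, so no other subnet ever does."""
    subnet.servers.add(server)


def elect_master(subnet: Subnet) -> Optional[str]:
    """With no master browser present, a backup browser holds an election.
    The real criteria are more involved; here the lowest name simply wins."""
    if subnet.master_browser is None and subnet.servers:
        subnet.master_browser = min(subnet.servers)
    return subnet.master_browser


def build_segment_list(subnet: Subnet) -> Set[str]:
    """The segment master assembles the announcements it heard into a browse list."""
    elect_master(subnet)
    subnet.browse_list = set(subnet.servers)
    return subnet.browse_list


def domain_master_sync(subnets: List[Subnet], domain_master: Optional[str]) -> Dict[str, Set[str]]:
    """Domain: the domain master collects each segment list, aggregates them, and
    pushes the aggregate back to every segment master.  Workgroup (domain_master
    is None): nothing aggregates, so each segment keeps seeing only itself."""
    for s in subnets:
        build_segment_list(s)
    if domain_master is not None:
        aggregate: Set[str] = set().union(*(s.browse_list for s in subnets))
        for s in subnets:
            s.browse_list = set(aggregate)   # handed back to each segment master
    return {s.name: set(s.browse_list) for s in subnets}


def visible_from(subnets: List[Subnet], client_subnet: str) -> Set[str]:
    """What Network Neighborhood shows a client: its own segment master's list."""
    return next(s.browse_list for s in subnets if s.name == client_subnet)


if __name__ == "__main__":
    lan = [Subnet("192.168.1.0/24"), Subnet("192.168.2.0/24")]
    for srv in ("PC1", "PC2"):
        broadcast_announcement(lan[0], srv)
    broadcast_announcement(lan[1], "PC3")
    print("workgroup:", domain_master_sync(lan, None))   # PC3 invisible from subnet 1
    print("domain:   ", domain_master_sync(lan, "DC1"))  # every list holds all three
```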

Do you maybe have two (or more) routers, but would prefer to have one subnet? If so, then read about File Sharing On A LAN With Two Routers.

Re Install Your Network Hardware

August 5, 2005

Sometimes, even after repairing the network connection, fixing your LSP / Winsock, and / or re setting / re installing the network protocols, your problems continue. The next step is to fix a problem which may be in the bindings between the protocols and the network hardware.

First, always check with the hardware vendor, and find out if there’s any driver updates available. Your problem may be something just resolved by the vendor, so download and install any driver updates, from the vendor.

If driver updates aren’t available, or if installing them didn’t fix the problem, then it’s time to re install the hardware. Make sure that you have a good copy of the drivers, in an available location, before starting this procedure. If this is your only computer, back up any network resources, maybe print key articles in this blog, before taking your computer offline.

  1. Un install the drivers for the network hardware.
  2. Restart the computer, with the new drivers easily available.
    • Let the system discover the hardware again, or
    • Open Device Manager yourself, and re install the drivers.
  3. Restart the computer once more.

Un Install Security Products Carefully

August 3, 2005

If you decide to un install any personal firewall or security product, please be aware that many products may create components in the operating system itself, that are not easily removed by a simple un install wizard. Symantec and Zone Labs products (Norton and ZoneAlarm, respectively) are well known for this. If you have any antivirus or personal firewall product, and wish to un install it as part of a diagnostic procedure, please include these steps in your procedure:

  1. Research un install procedures with the vendor of the product in question.
  2. Enable the firewall before un installing. Do not un install a firewall while it’s disabled.
  3. Carefully follow all instructions from the vendor.
  4. Check for LSP / Winsock corruption after un installing, if any more problems are seen.

Setting Up A Domain Or A Workgroup? Plan For The Future

August 3, 2005

If you have just one computer, you have the beginnings of a network. With two computers, you definitely have a network. With three computers, you have a workgroup. Beyond that? Consider the benefits of a domain.

Look at the members (people) in your workgroup. Remember that the purpose of networking computers is to share resources (data and / or printers). Do you have a group of people who trust each other, totally, with all shared resources? If so, then you can setup an open workgroup, with no reservations. And you can, generally, use Guest authentication.

If you can’t trust everybody with all shared resources, you will have to setup non-Guest authentication (who is this person?) and authorisation (should this person access this resource?). Without a domain to provide authentication, you have to setup an account for each person on both one or more clients, and one or more servers. With a domain, it’s simply a matter of adding one more domain account.

Account and password maintenance, in a workgroup environment, can be a real experience.

  • You have to create an account, with an identical password, on each client and on each server.
  • You have to change a password on each client, and each server, simultaneously. The account owner has to be logged off on each client, while you do this, or face password conflicts.
  • When somebody leaves the group, you have to delete their account on each client and server.

With a domain, again just add an account, change the password, or delete the domain account.

Will you possibly have people sharing each other’s computer from time to time? Will you have people accessing shared resources on more than one computer? Will you have group turnover, where one person leaves the group, and is replaced by somebody else? Will you have staff sharing each other’s account / password (you know folks shouldn’t share passwords, but eventually they will)?

For that matter, how does a workgroup member change his / her password, on the servers? Surely you wouldn’t want each person walking up to the server, and logging themselves in, locally, for a simple password change?

And how about the need for one person to have unrestricted access to each computer? Any LAN of any size needs an administrator. The administrator account has to be on each computer. Proper security procedures demand regular changing of the administrator password – but how do you do that on each computer?

Besides the people related issues, how about the network layout? Is your workgroup likely to span multiple subnets? If so, you will need a domain. Be aware of issues involved with Browsing Across Multiple Subnets.

There is one show stopper here. If you have computers running XP Home, you might as well stick with the workgroup. Computers running XP Home can’t join a domain.

Now, setting up a domain shouldn’t be done casually. The initial expense, and setup, of a domain, is significant. Minimally, you need:

  • A dedicated server (not shared as somebody’s desktop computer).
  • A server Operating System.
  • Server administration techniques. Since the server is depended upon by each person, it is proportionally more important to keep it secure and stable.

Setting up Server 2003, and a domain, is a lot more work than setting up a single Windows XP host. Maintaining a server is a little more work than maintaining a single personal computer. But, as soon as you see how simple it is to add or update a new person in a domain, compared to adding or updating multiple clients and servers in a workgroup, you’ll see that it’s worth the initial and ongoing complications.

In short, a workgroup setup makes sense for a group that is:

  • Trusting of each person.
  • Small.
  • Not sharing multiple resources.
  • Static.
  • Mostly computers running XP Home.

My personal experience? If you have more than 4 or 5 computers or people, you will, eventually, end up with one or more problems with the limitations listed above. You can maybe work around each of those limits procedurally; and if you have enough time and patience (by the staff, and whoever maintains the LAN), none of them will matter too much. But, if you have ever administered a workgroup of any size, with any staff turnover, secreting of data, and / or sharing of computers, you will know that a domain, with a simple procedure to setup and maintain each account, makes more sense in the long run.

If You Ever Feel Like Experimenting

August 1, 2005

  1. Setup 2 computers, a client and a server. Use NBT and TCP/IP, initially, on both.
  2. Get file sharing working (opening files from the client) using NBT only, no NetBEUI.
  3. Install Zone Alarm on the server, and configure it so the client can access shared files on the server, and can ping the server.
  4. Engage the ZA lock, so the client can NOT access files on the server, nor ping the server.
  5. Unbind File Sharing from NBT on the server, and install NetBEUI. Leave TCP/IP working, but NBT disabled.
  6. See if the client can ping the server.
  7. See if the client can access files on the server.
  8. Disengage the ZA lock on the server.
  9. See if the client can ping the server.
  10. Change the IP address of the server to a different subnet.
  11. See if the client can ping the server.
  12. See if the client can access files on the server.