Example of Active Directory Service Account Naming Scheme For Schools


In the last two blog posts in this series we looked at bad uses of the domain administrator username, and at how some schools I've come across have built their whole network around the domain administrator account.  This is a big issue: changing that user's password can bring down the school network.


I thought I would share the naming scheme I use for the different applications I install in schools.  Some of these accounts have special permissions, and the names are easy for me to remember, so when administering and troubleshooting I know exactly what I'm looking for.

Naming Scheme

Most people have their own naming scheme; this is the one I use.  For each product I implement I first create a two-letter acronym that identifies the product for me.

  • SharePoint = SP
  • Exchange = EX
  • Moodle = MD

You could use whatever naming scheme you want, but keep it relevant to the product so that if someone else is looking after your network they understand which product an account belongs to.  Here are some other examples.

  • SharePoint
    • SPS
    • SHAR
  • Exchange
    • EXC
    • EXCH

If you are thinking about how your network will evolve over the next 5 to 10 years, you may want a naming scheme that reflects the product version, so you know which user belongs to which application.

  • SharePoint 2007 = SP07
  • SharePoint 2010 = SP10 or SP2010

I personally then break the name up by adding an underscore after the product, so it becomes

  • SP_
  • EX_
  • MD_

This is just a personal thing as it helps me to read the name of the user easily.

Each product will require some kind of administrative permission to install the software on the local machine.  To me this is the administrative account for that piece of software.  When implementing SharePoint or Exchange I create an admin user, and that user is used to install the software on the required server.

  • SP_admin
  • EX_admin

I now know that these users were the ones that installed the software, and resetting the domain administrator's password no longer affects these products.  These admin accounts are only given permission when and where required, which keeps the accounts and my network secure.

Service Accounts

Products such as SharePoint and SQL Server allow you to use different domain user accounts for the different services.  It is best practice to create the different users each product requires.  SQL Server should have an admin account that manages the product and a separate account that runs the services.


SharePoint requires a lot more accounts; running it under a single account such as the domain administrator, or any other single user, is bad practice.  It should be implemented with several accounts, and depending on who you talk to they will recommend more or fewer.  When implementing SharePoint I usually start off with 4 accounts: the admin account it is installed with, one for the application pool, one for Search and another for User Profile Synchronization.  Each of these users has different permissions, either in your Windows/Active Directory environment or in SharePoint.

This means for these 2 products I start off with 6 accounts.

  • SQL Server
    • SQL_admin
    • SQL_services
  • SharePoint 2010
    • SP_Admin
    • SP_Services
    • SP_Search
    • SP_UPS

When installing SQL Server you are asked which user accounts will run the SQL services, so you enter your SQL Server service account (SQL_services) and its password.  Depending on your requirements you don't need a separate user for each service, as you're most likely implementing it in a school with only one or two databases.


As discussed in the Moodle 2.0 with Microsoft technologies eBook, you may require a user that reads Active Directory or even writes back to it.  In the book we created this user as md_ldap (Moodle and LDAP), and the user has delegated permission on only the Active Directory OUs it requires.  The user is neither a domain administrator nor an enterprise administrator; it has write permission only where it needs it.  This user does not require, and does not hold, local administrator rights; it only has delegated rights on the organisational units it requires.

Passwords

It's all great having these naming schemes, but there is no point if you use the same password for each account.  Ensure each account has a complex password: the admin accounts need to be complex, while the service accounts can be even more complex.  Example:

  • SP_Admin
    • Password: Ty8jF!4
  • SP_Search
    • Password: Y8I9kjsd(!@fj39

The point here is that you never need to log in as any of the service accounts, so you can make their passwords even more complex and therefore more secure.
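As an added example (not the author's own script), here is how the accounts listed above, plus md_ldap from the Moodle eBook, can be created with the ActiveDirectory PowerShell module, each with its own random password and with longer passwords for the service accounts. The domain SCHOOL / school.local, the OU paths and the group name SP_ServiceAccounts are placeholders I have assumed.

```powershell
# Added example (not the author's script). Assumes the ActiveDirectory module, a
# placeholder domain SCHOOL / school.local and a placeholder OU for these accounts.
Import-Module ActiveDirectory

$ServiceOU = 'OU=Service Accounts,DC=school,DC=local'

# Cryptographically random password. Service accounts are never used interactively,
# so they get twice the length of the admin accounts.
function New-RandomPassword {
    param([int]$Length)
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

# Product prefix + role, following the naming scheme described above.
$Accounts = @(
    @{ Name = 'SQL_admin';    Kind = 'admin';   Description = 'SQL Server installation and management' },
    @{ Name = 'SQL_services'; Kind = 'service'; Description = 'SQL Server service account' },
    @{ Name = 'SP_Admin';     Kind = 'admin';   Description = 'SharePoint 2010 installation' },
    @{ Name = 'SP_Services';  Kind = 'service'; Description = 'SharePoint 2010 application pool' },
    @{ Name = 'SP_Search';    Kind = 'service'; Description = 'SharePoint 2010 Search' },
    @{ Name = 'SP_UPS';       Kind = 'service'; Description = 'SharePoint 2010 User Profile Synchronization' },
    @{ Name = 'md_ldap';      Kind = 'service'; Description = 'Moodle LDAP lookup (delegated read only)' }
)

foreach ($a in $Accounts) {
    $length   = if ($a.Kind -eq 'service') { 32 } else { 16 }
    $password = New-RandomPassword -Length $length
    New-ADUser -Name $a.Name -SamAccountName $a.Name -Path $ServiceOU `
        -Description $a.Description -Enabled $true `
        -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force)
    # Record $password in the team's password safe here, not on screen or in a file.
}

# The SharePoint service accounts go into one group, so that one group (and nothing
# else) is added to the local Administrators group only on the servers that need it.
New-ADGroup -Name 'SP_ServiceAccounts' -GroupScope Global -Path $ServiceOU
Add-ADGroupMember -Identity 'SP_ServiceAccounts' -Members 'SP_Services', 'SP_Search', 'SP_UPS'

# md_ldap only needs to read user objects in the OUs Moodle looks up: delegate generic
# read (GR) on user objects there, inherited to sub-objects, instead of any admin membership.
dsacls 'OU=Students,DC=school,DC=local' /I:S /G 'SCHOOL\md_ldap:GR;;user'
```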

SharePoint 2010 has got this so right.  With selected service accounts you don't need to know the password to run or manage SharePoint, so why know the password at all?  Built into SharePoint are managed accounts, where you can manage each of the accounts and set a password policy for particular accounts.  You have to set these up manually, but once configured the password for the account can be reset by SharePoint, and you aren't given a prompt or any information about what the password is.  If you do need to change the password for such an account for troubleshooting, you do this in SharePoint, as it will then change the password in all the places it is required, such as the application pool or the Windows service.
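The managed-account setup described above, as an added example that is not from the original post: it registers SP_Services as a SharePoint 2010 managed account and hands password changes to SharePoint. The domain SCHOOL is a placeholder, and the -Schedule string format is assumed from the Set-SPManagedAccount documentation.

```powershell
# Added example (not from the post). Run in the SharePoint 2010 Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Register SP_Services as a managed account; this is the last time anyone types its password.
$cred = Get-Credential 'SCHOOL\SP_Services'
New-SPManagedAccount -Credential $cred

# Let SharePoint generate each new password itself and push it to the application
# pools and services that use the account, so nobody ever needs to see it.
# Schedule string format assumed from the Set-SPManagedAccount documentation.
Set-SPManagedAccount -Identity 'SCHOOL\SP_Services' -AutoGeneratePassword $true `
    -Schedule 'monthly at 15 02:00:00' -PreExpireDays 2 -Confirm:$false
```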


Conclusion

As mentioned in the previous two posts, the most important step before deploying any software is to read the implementation guide and find out how the software runs, what its requirements are and what you need to provide for it to work.

If you do this properly you will all of a sudden find you have lots of admin accounts and service accounts for different software, and remembering the right username and password can be difficult unless you have a good naming scheme.

In this post we looked at just one naming scheme, but consider what yours is: are your names all consistent, and do you remember them all?  The next time you implement any software, ensure you have created a dedicated user and given it the minimum rights needed to install the product.

Don’t use the domain administrator to install software or you’ll have trouble…


In my previous blog post we discussed the use of the domain administrator user at schools, how its username and password is known by so many people within the team, and the security risks that causes.  I feel schools need a cultural change: from treating this account like any other user to making it the most secure user possible, one that no one uses.

I spent a bit of time thinking about why this user is used so much.  Is it a lack of understanding of the power of the domain admin account, a lack of training, or laziness?  The more I think about it the more I believe it's all of these, but the main issue, and the one that really doesn't help, is that the network and its products were implemented using the domain administrator's username.

I was recently at a school looking at a few of their issues and noticed that the only technician at the school had implemented every piece of software using either the domain admin account or his own username, which was also a member of the Domain Admins group.  This is a big no-no, even more so when you find that he has implemented Exchange using his own username and that SharePoint has been implemented with the System Account running as the domain administrator.

This is a serious sign of bad practice, and I'm sure some of you are thinking how bad this really is.  The main problem here is the domain administrator's password being used in different applications.

At this school, the reason he was having so many problems was that they had changed the domain administrator password.  As services in Exchange started to connect to other services, servers were restarted and it all failed.  You tried to start the service manually and you got an error due to the wrong password.
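The check that would have found this before the password change, as an added example that is not from the original post: it lists every Windows service on the named servers that runs under a named account rather than a built-in one, and flags those whose account is a member of Domain Admins. The server names and the SCHOOL domain are placeholders I have assumed.

```powershell
# Added example (not from the post). Uses WMI so it also works against Windows Server 2008.
function Get-NamedAccountServices {
    param([string[]]$ComputerName = $env:COMPUTERNAME)
    $builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    foreach ($c in $ComputerName) {
        Get-WmiObject -Class Win32_Service -ComputerName $c |
            Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
            Select-Object @{ n = 'Server'; e = { $c } }, Name, StartName, State, StartMode
    }
}

# Build the list of Domain Admins in DOMAIN\user form (placeholder domain SCHOOL).
# Note: a service registered with a UPN (user@school.local) would need the same
# conversion before comparing; StartName is compared case-insensitively.
Import-Module ActiveDirectory
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { 'SCHOOL\' + $_.SamAccountName }

# Anything listed here will stop starting the moment that account's password changes.
Get-NamedAccountServices -ComputerName 'EXCH01', 'SP01', 'SQL01' |
    Where-Object { $domainAdmins -contains $_.StartName } |
    Format-Table -AutoSize
```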

[Screenshot: the service logon failure error]

When implementing a new product, first read the implementation and guidance documents.  They will tell you how to set up the product properly, what types of user are required and which services the product depends on.  Microsoft has loads of whitepapers and information on TechNet, and if you're not sure, ask the online community through forums or Twitter.

Ask yourself this question: does the user who will install the software require domain administrator rights?  Can you give them just local administrator rights?

I personally create a new user and give it local administrator rights to install the product.  Depending on the product you may be required to create different users for its services; usually I create a group containing all these users and add the group to the local Administrators group on the servers where they are required.

Some products don't require local administrator access, so don't give that user the permission; only grant permissions when they are required.

Products such as Microsoft Exchange, SharePoint and SQL Server all require many users with different permissions.  They have local services that need to run as domain users, implementations that may need to write to Active Directory, or even their own authentication type so you don't have to use Active Directory.

Conclusion

Create a new user when implementing software such as Microsoft Exchange, SQL Server, SharePoint or Moodle.  It's important that your network stays in good shape and does not rely on a single user to run.  Each user should have only the permissions it requires to install and then run the product.

Read the information provided by the software vendor, as it will guide you on the type of user required, and do not install anything using your own username!

eBook:Moodle 2.0 with Microsoft Technologies


A month or two ago I thought about all the content currently available on the internet regarding Moodle 2.0 and Microsoft technologies.

There isn't very much, so I've spent the last month or two writing and writing and writing, putting together an ebook that looks at 7 different areas.  The book is available in 3 different formats: PDF, epub and mobile.

You can purchase the book from the BFC Networks Shop for £15.00 by clicking on the image below.

[Image: front cover preview of the eBook]

http://www.bfcnetworks.com/products-page/moodle/ebook-moodle-2-with-microsoft-technologies/

  • Chapter 1: Install Moodle 2.0 on Windows Server, SQL Server Express, IIS and PHP
  • Chapter 2: Install Moodle 2.0 on 2 web front ends, SQL Server Cluster with IIS and PHP
  • Chapter 3: Configuring mail in Moodle 2.0 with Microsoft Exchange
  • Chapter 4: Configuring Moodle 2.0 authentication with Active Directory
  • Chapter 5: Configuring Active Directory Attributes for Moodle users
  • Chapter 6: Configuring Kerberos authentication for Moodle 2.0
  • Chapter 7: Configuring Single Sign On with Moodle 2.0

You can view the contents of the book by clicking here.

Who should know your Domain Administrator password at your School?


One of my many passions is Microsoft technologies in the education sector, which is one of the reasons I decided to start my own business implementing them in schools.  I love working in schools and guiding their implementations, ensuring they get a well-managed network, implemented to best practice, while also getting value for money.  Over the next few weeks I'm going to go through some of the best practices I see in businesses that should also be implemented in schools.

The first of these is the use of the administrator user.

Previously I have given my whole IT Pro team the username and password for the administrator account, but over the past few months I've wondered whether this was the right thing to do.  They also have domain admin rights on their own user, so why would they need two domain admin users?


It's not really best practice for the domain administrator password to be known by a whole group of people.  All it takes is for one member of your team to accidentally give out the password: a student looking over their shoulder, or a new member of the team writing it down because it's a bit complex and then forgetting the piece of paper ever existed.

Should anyone know the domain administrator password?  I think it's a good question really, but when implementing a network you shouldn't really implement it using the domain administrator user.  Yes, you will use it at first to implement Active Directory roles and supporting features, but you should use different admin accounts to implement software such as Exchange and SharePoint, and then different users for their respective services to run under.  That will be another blog post in the future, but how do medium and larger organisations conquer this issue?

Medium and larger companies are run completely differently to schools.  This is mainly to do with budgets: a company with 1000 computers will have an IT budget of around £1 million, while a school with the same number of devices has around £100,000 (including staff costs).  30 staff and 3 staff are managed differently, with an IT Director at the company who has a lot of influence in the business, while a Network Manager at a school can be told by the school's senior leadership what the decision is and has to make the system work according to that requirement.

In a business team of 30 staff there may be many different teams: one for internet/network connectivity, another for user management including all of Active Directory, another for email and another for document management.  If you were the IT Director for this company, would you let every one of these teams have the domain administrator password?  Each team would have permission to their respective software, allowing them to control only what they are employed to do.

But in a school a Network Manager would run it completely differently, with each member of the team having access to everything so they can deal with any issue for any member of staff or student when required.  Do they actually need the administrator username to do this?  No, not really.

Let's create a scenario where everyone knows the admin user at a school.  One of your technical team has shut down the MIS server during registration, and now no form tutors can register their students, which is a legal requirement.  The head teacher is on to you; they aren't happy and want to know who shut down the server.  You check the event log to see who it was, and it was the administrator.  You ask your team who it was and no one admits to doing it.  You're now in a sticky situation where you have to tell the head teacher that you don't know, because you have a security issue with your network.  Can you prove that it wasn't a student who knows the password, or that it wasn't one of your team who went to log off and shut it down by mistake?  If each member of your team used their own username to connect to the MIS server, the event log would soon tell you what each user was doing.


Yes, you can perform other checks to find out who it may have been, but implementing a whole network under one username also means your event log will be full of entries created by the administrator for every application.  Wouldn't it be nice to be able to filter by username for each application, and so help with security?
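The event log check from the scenario above, as an added example that is not from the original post: it pulls the shutdown events (ID 1074 in the System log) from the MIS server for the last week and extracts the initiating user from each, which only answers the question when each technician shuts down under their own account. The server name MIS01 is a placeholder, and the message wording is assumed from the standard User32 shutdown event.

```powershell
# Added example (not from the post). Event ID 1074 records who initiated a shutdown
# or restart; the account appears in the message text as "on behalf of user DOMAIN\name".
function Get-ShutdownInitiators {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'System'
        Id        = 1074
        StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object {
        $user = if ($_.Message -match 'on behalf of user (\S+)') { $Matches[1] } else { 'unknown' }
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            User    = $user                          # shared "Administrator" tells you nothing
            Summary = ($_.Message -split "`n")[0].Trim()
        }
    }
}

Get-ShutdownInitiators -ComputerName 'MIS01' | Sort-Object Time | Format-Table Time, User, Summary -AutoSize
```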

So what is the answer?  Each person should have their own user accounts: one to use as a normal user, mapped to their email account and the folders they require permission to, and another that is elevated and controlled according to their requirements on the network.  Thanks to @benrobb for this input.

I hope this makes you think about who uses your domain administrator username, and how.

Implementing Moodle 1.9 on a Microsoft Highly Available Environment


This whitepaper instructs you on how to install a Microsoft SQL Server 2008 R2 cluster and 2 web front end servers running Moodle 1.9 that are network load balanced, and how to configure Moodle to run from a remote storage area.

Following the 2 other whitepapers released back in April, I have written another on how to install Moodle 1.9 in a Microsoft highly available environment using Microsoft clustering and load balancing services.

Microsoft has a set of products designed to stay online for as long as possible, either by having standby servers or by sharing the load with another server.

Microsoft Clustering allows 1 server to run the services, in this case SQL Server 2008 R2, with another server on standby ready to pick up those services.  The Network Load Balancing role in Windows Server 2008 R2 allows multiple servers to share the load of the website running on that set of servers.


Click here to download the document

If you are interested in reading on how to implement Moodle on a single Windows Server you can find more whitepapers here.

Implementing Moodle 1.9 on Windows Server 2008 x86

Implementing Moodle 1.9 on Windows Server 2008 R2 x64

Installing Moodle on Windows Server, SQL, IIS


Like me you might find implementing Moodle on a LAMP stack (Linux, Apache, MySQL and PHP) a little tricky; I personally want it on Windows Server, SQL Server and IIS.

A Windows system can scale differently to anything like MySQL, and you can manage it in a high availability environment with Microsoft SQL Server clustering and mirroring.

Here is a whitepaper I have put together on how to install Moodle 1.9 on Windows Server 2008 x86 with PHP 5, SQL Server 2008 and IIS.


In the near future I will be releasing a whitepaper on how to install Moodle on Windows Server 2008 R2, which is an x64 system.

Silverlight 2 Application to enable/disable your proxy server in IE


I've been playing around a lot with Silverlight 2 recently; I'm finding it a lot easier to code than version 1.

Many of the schools I have been to have a proxy server for all their internet traffic.  I created a bat script that wrote to the registry and asked the user to type either 1 to turn the proxy on or 0 to turn it off.  It worked great but wasn't easy on the eye, and on one network I went to the users were prevented from using the command line, so it stopped working.

@echo off

echo.
echo.
echo                     Please type the following
echo.
echo -------------------------------------------------------------
echo -------------------------------------------------------------
echo --      Proxy server must be enabled to work in school      --
echo -- Type '1' if you wish to enable internet access in school --
echo -------------------------------------------------------------
echo --       Proxy server must be disabled to work at home      --
echo --     Type '0' if you wish to disable the proxy server     --
echo -------------------------------------------------------------
echo -------------------------------------------------------------
echo.
echo.
set /p inet=   Type 'Number 1' or 'Number 0' here:

rem ProxyEnable is a DWORD under the current user's Internet Settings key: 1 = proxy on, 0 = off.
rem Whatever was typed is written unchecked, which is the weakness discussed below.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /t REG_DWORD /v ProxyEnable /d %inet% /f
pause

So I thought it was time to create something more graphical.  It would also solve the problem of a user typing 2 into the above script and writing an invalid value into the registry.
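The same toggle with the "typing 2" failure mode closed, as an added example that is not from the original post: a PowerShell function that only accepts On or Off, writes ProxyEnable as a DWORD under the current user's Internet Settings key and reads the value back to confirm it. The function name Set-IEProxyState is my own.

```powershell
# Added example (not from the post). Same registry value as the batch script and the
# C# handlers, but the input is restricted to two valid states before anything is written.
function Set-IEProxyState {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('On', 'Off')]      # anything else ("2", blank, a word) is rejected up front
        [string]$State
    )
    $key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $value = if ($State -eq 'On') { 1 } else { 0 }

    # ProxyEnable must be a DWORD; -Type DWord stops it being created as a string.
    Set-ItemProperty -Path $key -Name ProxyEnable -Value $value -Type DWord

    # Read back and verify rather than assuming the write succeeded.
    $actual = (Get-ItemProperty -Path $key -Name ProxyEnable).ProxyEnable
    if ($actual -ne $value) { throw "ProxyEnable is $actual, expected $value" }
    return "Proxy is now $State"
}

Set-IEProxyState -State On     # returns "Proxy is now On"
```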

So this is what we are going to create:


Download the Microsoft Expression Blend 2.5 March Preview (available at the time of writing this post).

Create a WPF Application and call it ProxyEnableDisable.

Add 2 buttons and name one Proxy On and the other Proxy Off.


Now we want to let our users know what this Silverlight application does, so we'll provide them with some instructions.


We've done everything we need to in Expression Blend, so now we move the project over to Visual Studio.  Make sure you save your project first.

On the right hand side you will see Solution 'ProxyEnableDisable'.  Right click on it and click Edit in Visual Studio.


This should now have opened Visual Studio.  You will see the same layout as above down the right hand side.  Double click on Window1.xaml.  This is the Silverlight code.  If you're using Visual Studio 2008 you will see the XAML code and a graphical view of our project.

We need to start adding some code to the buttons.  We'll give each one an x:Name and then add a Click handler for both buttons.

Find the line of code for the button whose Content is equal to Proxy On and add x:Name="On".  Also type Click= and select <NewEventHandler>.  This will allow us to add some C# handling code to this button.

Your line of code should now read:

<Button HorizontalAlignment="Left" Margin="105,201,0,193" Width="150" Content="Proxy On" x:Name="On" Click="On_Click" />

Do the same for the Proxy Off button, but instead of giving the x:Name the value On, call it Off.

This is the last bit of XAML coding for this project.  Window1.xaml should now read:

<Window
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    x:Class="Proxy_Enable.Window1"
    x:Name="Window"
    Title="Window1"
    Width="640" Height="480">

    <Grid x:Name="LayoutRoot">
        <Button HorizontalAlignment="Left" Margin="105,201,0,193" Width="150" Content="Proxy On" x:Name="On" Click="On_Click" />
        <Button HorizontalAlignment="Right" Margin="0,201,145,193" Width="150" Content="Proxy Off" x:Name="Off" Click="Off_Click" />
        <TextBox Margin="105,78,145,0" VerticalAlignment="Top" Height="101" Text="For you to use your laptop away from school you require the proxy server to be turned off.  Click on Proxy Off.&#xd;&#xa;&#xd;&#xa;For you to use your laptop at school you require the proxy server to be turned on.  Click on Proxy On." TextWrapping="Wrap"/>
    </Grid>
</Window>

Expand Window1.xaml and click on Window1.xaml.cs.

We're now going to add some C# code that writes to the registry to turn the proxy on or off, depending on which button the user clicks.


We need to add a namespace reference in our C# code.  At the top add using Microsoft.Win32;

The code below turns the proxy server on.  The 4th line down, the one that sets ProxyEnable, is where you tell the registry to enable or disable the proxy server: the value 1 turns the proxy on, and 0 disables it.  Add the code to both of your button event handlers, remembering to change that 1 to 0 for Proxy Off.

RegistryKey RegKeyWrite = Registry.CurrentUser;
RegKeyWrite = RegKeyWrite.CreateSubKey(@"Software\Microsoft\Windows\CurrentVersion\Internet Settings");
RegKeyWrite.SetValue("ProxyEnableScript", "TRUE");
RegKeyWrite.SetValue("ProxyEnable", 1, RegistryValueKind.DWord);   // 1 = proxy on, 0 = proxy off
RegKeyWrite.Close();

// Read the values back to confirm the write took effect.
RegistryKey RegKeyRead = Registry.CurrentUser;
RegKeyRead = RegKeyRead.OpenSubKey(@"Software\Microsoft\Windows\CurrentVersion\Internet Settings");
Object regSuccessful = RegKeyRead.GetValue("ProxyEnableScript");
Object regProxyEnable = RegKeyRead.GetValue("ProxyEnable");
RegKeyRead.Close();

if ((string)regSuccessful == "TRUE")
    Console.WriteLine("ProxyEnable is now {0}", regProxyEnable);

If you press F5 now you will be able to turn your proxy server on and off with a simple application.


Now it's all yours to customise.

Don’t forget to install Silverlight 2 on your clients before rolling it out.

Click here to download the bat file

Click here to download the application

Click here to download the source code


Windows Media Services 2008 and Media Player Web Part


My team and I have been playing with Windows Server 2008 RTM and with the downloadable feature from Microsoft, Windows Media Services 2008.

It's a very easy program to download, and we are going to use it to stream videos made in our school as well as sound tracks made by our podcasting team and music department.

Back in July I published Steve Sofian's Media Player web part for him as his blog was down, and I would like to thank him again for his work.

I just added the Media Player Web Part to a site and, in the source field for the video location, entered the media streaming URL, something like mms://mediaserver.domain/video100

It worked fine.


Windows Server 2008 TSApps WebPart for SharePoint


I was looking through a few web pages and came across a document that shows you how to get the Terminal Server apps web part for Windows Server 2008 into your SharePoint environment.

The problem is that you have to have SharePoint on the same server as your TS apps on your Windows 2008 box.  I can't wait for someone to come up with a version of the web part that works with a remote SharePoint server.

http://download.microsoft.com/download/b/1/0/b106fc39-936c-4857-a6ea-3fb9d1f37063/Step_by_Step_Guide_to_Customizing_TS_Web_Access_by_Using_Windows_SharePoint_Services.doc