Business IT & Telecom Solutions

24x7 Live US Operators Available Every Day


+1 (904) 825-6708

+1 (800) 899-5350

Contact Us

Home      |  Products      |  ManagedHealthit.com      |  Security Alerts      |  TechSourceNews      |  ShopGenie.me      |  Computers      |  Contact Us    



Flickertel Inc Dashboard












Use TCPing with a speakerphone

Have you ever found yourself trying to run down cables in a mess of criss-crossed spaghetti wiring? Have you ever had to run back and forth between a workstation and a switch just to see if you just killed a domain controller or found the right cable? Use TCPing with “-b 1” at your workstation to ping the box you’re after, call your cellphone from your desk and put it on speaker, mute your cellphone and head into the datacenter. Pull a cable, and if you hear beeping, you got the right one. No beep? Plug it back in quick before anyone notices and try again!


Event Monitoring – An Overview (Part 1 of 2)

Since the dawn of the computer age, computing has been all about the interaction between man and the machine. In the beginning communication with a machine was very limited relying on complex mechanisms such as the punch card but as time went by and technology improved the interaction between humans and machines increased… drastically. Fast forwarding to the present day, computers are now extremely complex machines that can perform an impressive amount of calculations per second and we certainly do not let such power go to waste. Such power and complexity however is not without a price.

A modern system consists of a lot of different software running simultaneously on a wide variety of hardware. When this mix of software and hardware works harmoniously we humans can get a lot of work done but if that balance is upset it can cost us a lot of time and money. Unfortunately there is a lot that can upset this all important harmony from hardware failures to bugs to hacking attacks both internal and external. All is not doom and gloom however because just as our interaction with computers has increased so did their interaction back to us and if we listen, computers will tell us when something has gone wrong.

With a lot of different systems and complexity one can expect a lot of communication going on here and this is in fact the case. Each different system however mitigates this by centralizing this communication as much as possible. In the Windows environment this communication (or better yet logs) is generally centralized in the Windows Event System; on Linux/Unix Operating systems we find logs centralized in the SysLog System and we get Devices communicating to us using SNMP. That’s the general rule for in fact we find devices that use the Syslog System for logging and even application on both Windows and Linux that use SNMP.

Now that we know where to look, what can we actually do with the data? A general misconception one encounters is that logs are only useful if you are doing forensic analysis. While this is obviously one possibility, logs can provide us with details on much more! Other useful information that one can find in logs includes:

  • System Health
    • when hardware such as Hard drives start to fail one can generally find reports in the logging system about this occurrence
  • Machine Performance
    • when system runs out of memory or applications crash there will be log entries regarding this
  • Monitoring Servers
    • All servers be it Mail, Web or Firewalls will log about their own activities and inform the administrator of any failures, lack of system resources or suspicious behavior they encounter
  • User Activities
    • Logs can also provide a picture on how a user is using a system as actions such as reboots, login operations and various system interactions will be logged
  • System Behavior
    • The system will log its own action, from the logs you can find out which services were loaded and when, what devices connected, what services came online or went offline and other such information
  • System Failure
    • While sometimes application failure is quite visual popping up error messages and such to inform the user of the failure, at other times applications, especially servers, might fail silently with the only proof of such failures residing exclusively in the log
  • Compliance
    • A crucial part of compliance is to ensure that monitoring mechanisms are running effectively and are untampered. Such monitoring can only occur at a very low level stage that can generally only be achieved through the operating system logging itself.
  • Forensic Analysis
    • Logs are the central source on which to conduct a forensic analysis. Logs will help the administrator discover what events took place and when.

In the second part of this blog post we will be seeing how one accesses these logs using Windows Events, Syslog and SNMP.



Event Monitoring – An Overview (Part 2 of 2)

In the previous blog post we looked at the importance of event logs and all the useful information that event logs provide us with.

How does one access these logs?

Windows Events

As stated previously on the windows platform the central repository for the logs is the Event system. Once can access this by accessing the Administrative Tools under the control Panel. What we’re looking for here is the Event Viewer


Event Viewer: 5th Option from the Top

When opening the Event viewer we are presented with a huge list of events. This is in fact the first challenge we will need to face. While there is a lot of extremely useful information hidden inside the logs, there are also a lot of events/logs which are of no interest to us. There are two ways to mitigate this, either tweak the system to generate logging that is of interest to you or else use a solution that will filter out the noise and provide you only with events you are interested in.

Once event viewer is opened one will find a large amount of events split into a number of categories. Browse around, you are sure to find something interesting. This can also be a good place to start to debug those hard to track issues, such as your account mysteriously locking up after changing your password. At first glance everything seems to be going fine, no errors have been popping up and if it weren’t for the fact that your account is locked up you wouldn’t even know something is wrong. Browsing through the events you might come across the event illustrated below. Now we know that a particular application is failing to authenticate with the ISA Server probably using the old credentials. From there it is easy to deduce that this application is running a service using your account to access the internet and its failed retries are causing your account to be locked up. This is one of the many possible events that one might come across when investigating the Event log. In some cases they are also the only option to determine what is causing some unexpected behavior by the machine.


Event illustrating failed login attemtps by an application


Syslog is a complex system that allows a lot of flexibility. The syslog echo system consists of three entities:

I.    Syslog Device
II.    Syslog Relay
III.    Syslog Server

The syslog device is basically any system that generates a valid syslog message which it then passes on to a relay or a server.

A syslog relay is a syslog server that instead of storing any received messages relays them on to another Syslog server. This is ideal for either centralizing your logs or for security reasons. Relaying logs instead of storing them locally on the machine generating them helps to protect them in case the machine is compromised.

The syslog server is the end point where the syslog message reaches its destination. Here the message can be stored into a text file, database or even piped into another application.

A default Linux installation generally has a syslog server which stores any log generated on the machine in a text file found at /var/log/messages. A system can also be configured to log different events in different files and logs are generally rotated (archived to a different file and start a new fresh file) however looking into /var/log/ is generally a good bet.

Much like the Windows event viewer opening the file will display a large number of logs generated by different systems.

While the log format can be changed, it generally consists of:
[Date] [time] [host] [application][application pid] [Log Entry]

Browsing through the log one can find a lot of interesting log entries here as well. A log entry such as:
Sep  1 14:15:38 localhost login[5871]: FAILED LOGIN 1 FROM /dev/vc/4 FOR root, Authentication failure

This informs the user that on 1 September at about 2 p.m. someone tried to log on as root (the administrator account) on console and failed his authentication.

Just as with Windows an administrator can be presented with a lot of log entries especially if logs from multiple machines and devices are aggregated in a central location. This problem can easily be mitigated by using applications that can parse and process syslog messages. Many such applications exist from free to commercial.


The final major logging mechanism one will come across is SNMP. SNMP is used mostly by devices such as temperature sensors, Firewalls and other such devices. Its echo system resembles slightly that of syslog. You get the device, an agent running on the device and a manager. The device can be anything from a physical device to a software server and does its own operations which generate logs. The agent is sort of a middle man between the manager and the device. It sits on the device and handles communication. The manager is an application that gets the data from the different agents and presents them to the administrator. Unlike Syslog however, SNMP is bidirectional. Primarily it’s the manager that queries the agent for specific information; however, the agent itself can send notifications to the manager called SNMP traps.

That’s where similarities end however. In order to use SNMP one will definitely need a software solution call NMS (Network Management System).

In contrast to the other systems in SNMP you actively monitor specific things as opposed to going through every log entry. Devices that use SNMP would have various properties such as a standalone mail system where one would find properties like:

  • Inbound/Outbound Queue
  • Mail scanning statistics
  • CPU usage
  • Memory usage
  • Mail delivery successes/failures
  • Other such statistics

Additionally on such a device one would expect traps like:

  • Warning if system is overheating
  • Warning when storage space is running out
  • Warning if too many emails are failing
  • Warning if queues are growing too large
  • Other such warnings

The advantage here is that you’re only monitoring specific items and you can have an automatic notification when certain important events occur provided the devices supports traps for it. The disadvantage is that you will need to set up a software solution to handle SNMP and it can get quite complex to configure properly.

Irrespective of what system Servers, desktops and devices you use in your network it is essential that their logging and events are monitored. It may seem like a daunting task at first, one that is better avoid due to its inconvenience to maintain; however, just like switching off pain would be a very dangerous thing to do, so is ignoring logs. Pain might be an inconvenience but it can save one’s life by telling them when something is wrong. In the same manner, logs may be inconvenient to monitor but they can save your network, and save you time and money when an administrator is able to detect an issue in time and act upon it before much damage is done.






Troubleshooting a Blue Screen


ne of the most annoying things that can happen to an administrator is when at random intervals a PC crashes and generates a so-called blue screen of death. A blue screen can be caused by a number of faults and it is sometimes very hard to pinpoint the cause simply by looking at the blue screen information itself. There are other ways to diagnose a blue screen and, if you have a Memory Dump, you can debug the crash and find out exactly what caused it.


 Generating a Memory Dump:

In the event that your system is not configured to generate a Memory Dump file when a blue screen occurs, you need to enable the functionality before we can proceed with debugging the root cause of the issue. In order to do this you need to do the following:

  • Open the Control Panel
  • Open the System settings
  • Switch to the Advanced Tab
  • Click on the Settings button under the Start-up and Recovery section

A dialog will open with various settings; towards the end there is a section called “write debugging information”.

The first combo box contains the kind of memory you want to dump when Windows experiences a crash. For our purposes kernel memory dump will suffice.  The next edit box contains the location where the memory dump will be stored.


Getting the Necessary Tool:

In order to debug a memory dump we will need a free tool supplied by Microsoft called WinDbg. This is actually a debugger and it can be downloaded for free from the Microsoft website.

Make sure you download the correct debugging tools for your architecture, run the file, install it and you’re ready to debug the blue screen.


Debugging the Issue:

A lot of people are not comfortable debugging a memory dump but the process is simpler than most people think.

The first step we need to do when WinDbg loads is to configure symbols path for the debugger. Symbols comprise information that for efficiency’s sake a compiler strips out of executables. Things like variable and function names are very important to a programmer but not to Windows. For this reason when your compiler compiles your source code this information is kept out of the executable to make it smaller and more efficient. To debug a problem however, symbols are very useful. Luckily for us, Microsoft provides a symbols server which WinDbg can make use of to get symbols as required.

 To configure symbols click on:

  •  The File Menu
  •  Select Symbol Search Path

Now we need to enter the following line:


This will instruct WinDbg to fetch any needed symbols from the Microsoft symbol server and store them locally in the provided folder which in this case is c:\symbols. You can choose another folder if you want.

Click on the OK button and we can start to debug our dump file.

Note: WinDbg will need access to the Internet in order to fetch the symbol files it needs.

We now need to open the dump file itself and we do this by:

  • Clicking on the File Menu
  • Select Open Crash Dump
  • Select the Crash Dump you want to debug and click OK

It will take a short while for WinDbg to open your dump file and load up the symbols required.

In order to do a detailed analysis after the dump file finishes loading, type in the prompt: !analyze –v and press enter.

After some time we’ll get all the information we need to determine what is causing the blue screen.


Information of Interest:

Right below Bugcheck Analysis we’ll get a small report by WinDbg on what error occurred and what information is relevant to that error, such as what parameters where used when the crash occurred.

Process_Name contains the name of the processes where the crash occurred.

BUGCHECK_STR displays the exception code. A list of codes can be found on the msdn site.

DEFAULT_BUCKET_ID displays the category of the error

STACT_TEXT displays the stack trace.

This should give you the information you need to determine the cause of the blue screen and provides you with a starting point you need to solve the problem.



The 21 most common misconfigurations that will come back to haunt you!

Have you ever heard the phrase “if it ain’t broke, don’t fix it”? If you have, then you know sometimes it is best just to leave it alone. But no sysadmin worth their Ethernet cable can resist poking at new things in an attempt to figure out how they work. It is how we all got to the level we are now, and how we will advance to the next level. Sometimes, however, poking at things with a sharp stick can get us into trouble, and this list describes the 21 most common misconfigurations that will come back to haunt you, because poking at things randomly means trouble if you don’t pay attention to the outcome!

1. Anonymous Write and FTP

Anyone that has ever set up an FTP site, allowed anonymous write, and exposed it to the Internet has learned several things. How much bandwidth can they use? How much disk space do they have? How quickly word gets out. Leaving anonymous write enabled ensures that you will start hosting all kinds of pirated software and movies very quickly. Never permit anonymous write, even on the internal network, or you could quickly run out of disk space and bandwidth.

2. Everyone-Full Control

Until recent versions of Windows, any time you shared a directory the default permissions were Everyone-Full Control. Far too many of those older operating systems are still in use, but even worse, far too many admins will set that by default in modern operating systems because they think letting anyone have full control to a directory of data is a good thing! Think least privilege and don’t ever give everyone anything.

3. Reply All

Sending out an email to “Company All” is frequently necessary, but leaving that email so that someone can hit “Reply All” is the fastest way I know of to stress and load test your email system. One guy hits reply all to make some comment, and then you get the next 30 people replying to all that they want to unsubscribe, or asking everyone to stop replying to all, or chiming in with a “me too!” type answer. I’ve seen email servers shut down to stop the madness! Use Rights Management to restrict reply all, and make sure only authorized users can even send email to the largest DLs you have, like “Company All.

4. Leaving Shutdown in the Remote Session options

I once got an unplanned road trip because I went to log off a server in another city and hit shutdown by mistake. Removing the “Shutdown” option from remote desktop settings is default now, but how many 2003 and 2008 servers are still in production? Millions! Use a GPO to remove “Shutdown” from the remote menu, so that if you really do want to remotely kill a box, you have to use the command-line tool “shutdown” to be sure you really mean it. Of course, if you like unscheduled visits to the datacenter, you can leave that as is.

5. Storing cleartext passwords in webpages

Far too often, webmasters save connection strings to databases in their HTML code in cleartext, making it easy for anyone who wants to “view source” to get into the back end systems. Never store credentials in files that end users can access, and if you must store creds anywhere, use secure strings.

6. Not validating input

Buffer overflows, SQL injection, changing prices in shopping carts – all of these are possible when you don’t validate input from end users in your software and on your web pages. Always validate input and reject anything that fails validation before it gets to the point where damage is done.

7. Leaving cleartext protocols enabled

Except for DNS queries, public downloads, and webpages that you want the world to see, there’s really no reason on the Internet to use cleartext protocols at all. But if you are performing any authentication, or providing access to any sensitive data, it is imperative that you use encryption to protect the confidentiality of the data.

8. Not redirecting cleartext to encrypted

But to clarify, we don’t want you to turn off cleartext protocols. Too many users will type in an address without the protocol, and without an HTTP to HTTPS redirect, they won’t get to your site. Take the HTTP and redirect it to ensure users’ data is protected, but so is their experience with your site.

9. Using self-signed certificates

Whenever you train a user to just “click through” a warning without reading it, you are setting them up to be exploited. Nowhere is this more frequently observed than with internal websites that use HTTPS with a self-signed certificate, prompting the users to have to click to accept the danger. End users won’t distinguish between internal and external sites. They will simply recognize the warning and click OK, just like you taught them when accessing that internal application. Build an enterprise CA or purchase a wildcard certificate from a trusted CA, but never make users think it is okay to click through a warning.

10. Leaving sample applications and code on a production system

Sample applications are designed to show you how to do something. They are not written to be secure, nor are they typically updated when you patch an application. When building or deploying a server into production, remove all the sample code and apps to ensure that they cannot be used against you later.

11. Patching without testing

Unless you run nothing but vanilla code from the vendor, patching without testing is asking for trouble. The vendor cannot possibly test every single configuration, and that means that they didn’t test your configuration. That’s your job. You want to patch, but only after you have tested to be sure it won’t break something else in your environment.

12. Autoconfigured (169.254.y.z) IP addresses in DNS

If a server has two ip.addrs in DNS, it will reply to a query with both of them. If one of those addresses is bogus, a client stands a 50:50 chance of trying that bogus address before it tries the legitimate one. This means slow performance, and that means a helpdesk call. If you are not going to use a NIC, don’t connect it. If you connect it, give it a static ip.addr or make sure it is on a VLAN with DHCP. At the very least, untick the box to register a connection in DNS so that you don’t get bogus addresses mapped to legitimate hostnames.

13. DNS Islanding in Active Directory

In Active Directory, Domain Controllers should never point to themselves for DNS; they should point to another DC. When a DC points to itself, it can fall out of sync with the others and not realize it, quickly falling out of date and not being able to authenticate users. If it stays out of sync for too long (60 days by default) you have to flatten it and reinstall to fix the problem. Always make sure that DCs point to other DCs for DNS, and never to themselves, and then you have to use NTDSUTIL to purge bad data out of AD.

14. Not logging enough

Logging is critical, but it is seldom done well. Default logging is usually not enough to truly recreate events to determine what happened, it takes a lot of drive space, and it can be days or weeks after an event before anyone realizes something has happened and that they need to check the logs. Make sure you log thoroughly enough to be able to recreate what happened, and that you keep logs for long enough to be able to go back weeks if necessary to figure out what happened.

15. Not logging centrally

And the default for a system is to log to its local drives. That’s great until the system fails, or is compromised and the attacker wipes the logs. Logging centrally takes more time, money, and storage, but ensures that you have logs to refer to when a system goes down, and makes it much harder for an attacker to hide their tracks.

16. Permissions to ~

Many Linux distros permit READ to users’ home directories for the world. That usually doesn’t mean the entire Internet, but it does mean that anyone on the network may have READ to the admin’s home directory, and in there could be password files and configuration files and who knows what else. Make sure that permissions to every user’s home directory is set to 600 so that users have READ and WRITE to their home directory, but cannot execute programs from there. If you must allow EXECUTE, then 700.

17. Using default SNMP Public and Private community strings

The only security in SNMP v1 and v2 is with the community string, and the default write community string is Private. That makes it a trivial exercise for a malicious user to shut down router interfaces or mirror switch ports if they have network access. SNMP v1 and v2 transmit in clear text, but changing the community string at least makes it harder for an attacker to start messing around with your network. Use SNMP v3 if possible, or don’t use a writable SNMP at all.

18. Dropping ICMP

The RFCs state that hosts MUST respond to ICMP Echo requests, so any admin that drops ICMP is violating the RFCs, which is bad! But more to the point, since the Ping of Death hasn’t been a thing in 15 years, all dropping ICMP does is make it harder for customers to troubleshoot when they cannot get to your website, and leads to helpdesk calls when your users can’t get on the VPN. At least allow pings to your website and VPN endpoint, which is what most tests will be about anyway.

19. Dropping (instead of blocking) anything on the internal network

If you block traffic on the inside that you don’t want, then good admins will see the RST ACKs or ICMP Unreachables and know that the firewall is blocking things on purpose. If you just silently drop on the inside, your fellow admins could waste days trying to figure out why they cannot make something work, will learn to always blame the firewall when anything doesn’t work because they cannot tell the difference, and will at best call you whenever anything doesn’t work, or at worst grow to hate you. Drop on the outside.

20. Leaving systems set to automatically update

Much like patching without testing, letting systems automatically update means they are patching without testing and now without even a maintenance window. Seriously, if you are letting servers automatically update, what do they need you for? You want to control patching both so that you can test, and so that you only take servers down for reboot when expected.

21. Using the local hardware clock for time synchronization

Time synchronization is critical. Logs depend on it. Authentication depends on it. Your users depend on it to know when it is time to go home! So why would you let clocks sync to notoriously inaccurate hardware clocks? All networks should use NTP to keep their clocks in sync, and use a reliable external time source like pool.ntp.org to make sure that not only are all the clocks in sync, but that they are accurate.




Five great ways to stay in control of a mobile workforce

Managing IT systems isn’t simple these days: not that it’s really ever been!

However, even the smallest of firms now tend to have IT assets scattered all over the country, if not the world.

With mobile working widely expected to continue gaining in popularity, IT departments need to know how to maintain control and security of IT infrastructure when they don’t even make physical contact with much of the equipment on a regular basis.

With this in mind, here are five tips to help IT admins get things back under control:

1. Define (and enforce) a policy

If a company allows remote working, it needs a remote working policy – and this should apply to even the smallest of companies.

They need to be strict about how their IT assets are used. Employees do have a tendency to treat company devices as their own, so the only sensible option is to use software controls to enforce the policy.

This means avoiding giving end users admin rights where possible, preventing the installation of unauthorised software, and automating patches and updates.

2. Make sure users understand risks and responsibilities

It’s never a good idea to assume that users really understand IT security issues. If they did, they wouldn’t fall for clumsy phishing sites and social engineering tricks.

It’s the job of the IT team to make sure that users understand IT today, and the constantly evolving risks that face everyone using the Internet.

3. Put the right controls in place

As stated in the first point, it’s best to protect users from themselves, rather than to give them the scope to put the company infrastructure at risk.

There are various things that can help here. Effective inventory management is a good starting point, so the IT team have an eagle eye on everything under their jurisdiction. A reliable anti-malware solution is also a must, and these days it needs to go beyond basic antivirus and cover every possible facet of modern threats. Patching should also be automated, and cover third-party updates as well as those for the core operating systems.

4. Make use of cloud services for IT administration

When an IT infrastructure is spread across multiple locations, it’s harder to centralize administration with on-premise software. Cloud-based IT management tools make things easier, both for the users and for the IT teams.

Centralized administration accessed via a web browser means IT teams are free to work from wherever they like, as well as the users!

5. Find some allies

With employees spread all over the place, IT teams can help themselves by identifying the more technical people, who could assist if something needs doing at a remote location, such as the simple power cycling of a router.

Obviously this needs doing with some caution. As every IT person knows, “a little knowledge is a dangerous thing.” However, identifying the tech-savvy users, especially in branch offices, can save a lot of hassle and a lot of travel time!


Helpful IT hints for managing a modern workforce

IT is nothing like it once was. Ten years ago, staff would usually work in the office on desktop PCs. Laptops were typically the exclusive preserve of senior management and mobile salespeople. As for iPads – um, well, they hadn’t even been invented.

Today’s IT department has plenty of work to do to keep control of this increasingly distributed user base. Thankfully, tools have evolved that make it easier for techies.

Supporting users who work remotely is about far more than having the ability to use remote desktop to react as problems arise.

  1. Users can often have a tendency to treat their company laptops as their own. But all IT professionals know that plenty of end users let their kids play with their company laptops (while they may not admit that out loud!).  Pets can also be hazardous to an unattended laptop!
  2. Remote machines are arguably more susceptible to infection than the machines kept in the close confines of an office environment. Just for starters, laptops are often more frequently connected to public Wi-Fi networks, exposing the machine to myriad threats.
  3. It can prove highly impractical for a user to return a laptop to “base” if something goes wrong, so it’s important to be able to fix as many issues as possible without physical contact with the machine.

IT departments need more than RDP to do manage the workforce.

The solution is something that includes remote support but also handles ongoing monitoring of remote machines and works effectively when fully or partially disconnected from the network in the office. If you need to clean an infected remote laptop, you don’t want the user to open a VPN into the production network so you can fix it!

Remote machines can present a real danger to the network, so the more ‘visible’ they are to you, the better. If unauthorized software has been installed, it’s important that you know straight away. That’s where asset tracking comes in.

It’s also quite easy for a remote user to continually ignore important patches and updates either through negligence (“I’ll do it tomorrow…”) or a simple lack of understanding (“I’m not sure I should click ‘accept’… better not risk it”). For this reason, you need some kind of patch management functionality to check that remote machines are being kept suitably up to date.

If you’ve worked in IT for any length of time, you’ll know that in the “good old days” of IT, it was common to get a laptop back after it had been with a user for some time, and have a small panic attack when you see the state of it.

Non-technical employees often completely ignore error messages if these don’t affect their workflow. An early good intention to “call IT at some point”, soon becomes an issue that’s ignored for months. Meanwhile, the laptop that you so lovingly set up and prepared for the employee is out there masquerading as a notice board for malware that could end up infecting the whole company infrastructure. You know what that means for you (and probably the rest of the IT team) – an entire weekend (or more) repairing the damage.

The more distributed the workforce is, the more crucial it is to have constant visibility of all the company kit that’s floating round out there. A scheduled “back to base” check for each machine is simply not enough – not if you want to avoid unpleasant surprises that cut into your free time.



BYOD: 16 Rules to Avoid “Bring Your Own Disaster”

Productivity is what you want in your business; and productivity increases when your employees are happy in their  jobs. Giving them space and a level of freedom to use their own devices on the company network is one approach that shows trust– and that makes them happy. At the same time, you do not want that ‘freedom’ to negatively impact the hard work that went into standardizing and protecting your system.

If you have already decided that BYOD (Bring Your Own Device) is not for your company, then you may be surprised to know that elsewhere  it’s already happening extensively.  An estimated 37% of information workers in the US use their own devices without their company’s permission. Shocking, right?

So what’s the solution to make everyone – company and employees – happy?

A good, well thought-out, and properly enforced BYOD policy is the answer.

As with any major change to your network, accepting BYOD requires careful planning to be successful. You need to consider how it will affect your business, what you want to achieve with the policy, how it will integrate with other existing IT policies, how it will affect different employees and, once it’s in place, what training is required to ensure it is effectively implemented and enforced.

Sounds complicated? Well, it shouldn’t be.

To give you a feel for the topic, we’ve prepared a list of the 16 rules of BYOD engagement, as well as a whitepaper that looks at each stage of the planning process in more detail.  You can use these to help you quickly grasp the scope of the project and build a roadmap  to giving your employees e the freedom they would appreciate, which in turn, will boost morale and productivity in your business.




10 of the Most Dangerous Things to Have on Your Network

They say the road to hell is paved with good intentions – any sys admin would relate to this.  You have nothing but the best intentions when you install a tool, set up a service, or plug in a device on your network, convinced that that these will be of benefit. Yet how often did you find out that instead of helping to manage or improve the infrastructure, the results were disastrous, security holes were opened, making audits a nightmare and creating other major issues for everyone?

Many of the things on this list could still be a good idea under the right circumstances, and with the right controls, but the risk is still very high. To help you avoid the pain and suffering here are 10 of the most dangerous things to have on your network.

1.       Anything with a DHCP service
Be it a wireless router, personal firewall, or a virtual machine instance on a bridged connection, adding anything that runs DHCP onto a production network can cause problems for everyone on that VLAN. Remember DHCP is a broadcast service, and when a client asks for a lease, it will take the first one it hears offered. What’s going to be faster, the device you just connected, or the overworked three-year-old server?

2.       An open share with all the application installers
It really sounds like a great idea. Create a share, give everyone read access, and put installers for all the different applications you use in that directory so folks can easily find and install what they need, when they need it. If you have a site license for everything in that folder, it is not a bad idea. If you bought ten licenses for Adobe Acrobat, and 100 people find and install it, suddenly it is a compliance and licensing nightmare. Never leave software installers on the network where regular users can get to them unless you are prepared for a massive annual true-up bill.

3.       The second, third, fourth…and Nth  remote control tool
There’s nothing wrong with having a remote control application installed on your workstations and servers so you can assist users and manage systems. The problem comes in when you have eight different admins and they each have their personal favourite. Each remote control app you install on a workstation is another port listening, another memory hog, another app to patch, and another way for an attacker to break in. When you do that to a server, the potential impact is even worse. Choose one, choose wisely, and ban all the rest.

4.       Bulk email tools
What’s the quickest way to get your entire IP range on a blacklist? Leave an open relay. What’s the second quickest? Let someone in marketing  install a bulk mailer application that starts spewing out hundreds if not thousands of emails per hour. Seriously, get in front of this by working with marketing to ensure they have a satisfactory external bulk mailer service so you don’t have to deal with being blacklisted.

5.       Password crackers
While authorized personnel working within the context of security might use a password cracking tool to either audit the network, or attempt recovery of data, a password cracking tool can easily be run improperly, resulting in the lockout of every user account on the network. These tools, in the right hands and run in closed environments, can be very useful, but so too can a blowtorch. Both can cause serious damage when used incorrectly.

6.       Open Guest Networks
An open guest network may seem like a great “tool” both for your guests, and for when you need to test something outside the confines of your corporate LAN, but can be easily misused, and even when separated from your internal network, they usually use the same Internet connection as your corporate network does, which means bad traffic coming from your guest network still comes from your corporate network as far as the rest of the Internet is concerned. Use a captive portal and run IDS on your guest network so you can control who uses it, and make sure they don’t misuse it.

7.       Anything that is out of support
It doesn’t matter how great a job that app does, or how much the business complains that they can neither live without it, or replace it, anything that is no longer supported needs to get the heck off your network. I have seen dozens of upgrades get 90% of the way through, only to encounter that one legacy app no one even remembers setting up, that some group has built their entire mission critical workflow around, and that cannot be upgraded to work with your new system. Make it the 11th commandment – Thou Shalt Not Run Any Unsupported App.

8.       Anything that can send an unlimited number of alerts
This one kills me every time I run into it, and I run into it at practically every customer I work with. Some monitoring systems is set up to send out email alerts when something bad happens, like a server goes down or a service stops, and it is misconfigured such that it sends thousands of email alerts as quickly as it can spawn them. That in turn overwhelms your email system, which slows everything else down, and you spend more time deleting the alerts than you did fixing the problem that caused them. Alerts are good, when they have reasonable limits.

9.       Bittorrent applications
Bittorrent is an extremely useful protocol, that can be used for downloading a variety of different binaries, most good. A misconfigured Bittorrent client uses up a tremendous amount of bandwidth though, so if you are going to use this tool, be very careful how you configure it, and ensure that only authorized users run these tools.

10.   Security auditing software
Okay, before everyone hits the panic button on this, hear me out. Security auditing tools, when installed on a security professional’s workstation, run with the knowledge of what they are for, and the authority to use them, are just fine. When they are run by a Curious George and run against the entire network during the production day, they can wreak havoc, locking out accounts, crashing services, and generally causing everyone a bad day.

These 10 types of tools all have their place, and when implemented properly, can be of great benefit to your network, but, more often than not, I have seen each of these 10 make for a really bad day. If you have any of these already on your network, look closely to be sure you are not dealing with a ticking time bomb. If you are considering whether or not to use any of these, think carefully and choose wisely.




The 24 most dangerous things threatening your network right now

They are out there… or should that be ‘they are in and around your network?’

Yes, at any moment in time, they may infest your network, putting your data at risk; ticking time-bombs waiting to explode, configurations ripe for exploit. And don’t forget those decisions made in the heat of the moment that, had rational thought prevailed, would never have been permitted.

These are some of the threats that surface during a security audit and they are bad. It doesn’t take an elite hacker with a deep knowledge of Assembly or the ability to read and understand raw PCAPs to make the most of these weaknesses. Sometimes it does not even take an intentionally malicious act to get a company to find out just how bad some of these things are. All it takes is a little bit of short-sightedness, bad luck and poor timing to cook up disaster. We’ve put together a list our top 24 threats and weaknesses that could impact your network: how many would you find in a security audit?

1. Default Passwords

There is a really good reason why you should be concerned about using default passwords. A Bing search returns over 64,000 results for a search on “default password list”. It barely takes a second to find the default password for any program or piece of firmware, and most attack programs have those lists ready to go. Always change default passwords to something complex and unique in your environment. And never use the same password… see #11.

2. Administrators running as administrator

When you are logged on with administrative rights, or root rights, or sysadmin rights, or whatever the superuser account is called, then everything you do executes under those privileges. That’s why you should have a standard user account for regular work, and use your admin account only when you need to. Unfortunately, not every admin exercises the same caution… and that’s when the trouble starts. Best practices refresher anyone?

3. Shared accounts

It is important that everyone has a unique account and password as that way they are accountable for their activity on the network (and traceable). If everyone uses the same account, or even just knows the password to a privileged account, you may as well disable logging to save the disk space because you will never figure out who did what.

4. Service accounts with known passwords

It’s not the first time someone needs to log onto a server and their account doesn’t have the necessary rights, so they just log on with the backup software’s service account or the BESADMIN account or some other account that is not theirs, but has the privileges they need and a known password. See 3 above. No accountability.

5. No, stopped, or out of data antivirus software

“Uhm, yeah, well, I stopped the antivirus service because it was using up too much CPU and I needed that server to run faster” – That’s the phrase that usually follows the detection of hundreds of different pieces of malware infecting thousands files on a machine. If antivirus software is slowing a server down, then there is something wrong with how the antivirus software is set up or the server needs looking into as well. Consult the documentation for the antivirus software and the other applications running on a system, and configure the antivirus software with the required exceptions to ensure that the server is not impacted, but it is protected. Of course, if it was a user’s workstation that is now infected because they turned off antivirus, take it away and issue them an etch-a-sketch (picture). You should also be using a centrally-managed AV to avoid users turning AV on and off when they feel like it.

6. Missing operating system patches

In many cases of exploited systems, the number one root cause is often missing patches. Patches are created and rolled out for a reason… there’s a bug that needs to be patched. If you don’t patch the bug, you are a sitting duck just waiting to be exploited. It’s simple: patch early, patch often. Checking for updates each day keeps the bad guys away.

7. Missing third-party application patches

And don’t just assume that operating system patches cover all your bases. Microsoft releases patches on a regular cadence, but patches for third-party applications come out all the time. Workstations need updates for their PDF readers, Flash players, and all the other applications users like to run, but that doesn’t mean servers don’t have this issue. How many third-party applications do you have that depend on Java? Check out our category Patch Central for a monthly summary of third-party patches… worth bookmarking for regular reference.

8. Unlicensed software

If you don’t think unlicensed software is a threat to your network, then you either have all your systems completely locked down with a standard image and site licenses for everything, or, you’ve never had to deal with a licensing audit. If your users can download and install software on their machines; if you have a software share on a network server that admins (or others) can get to, and if you save your EA keys in an Excel spreadsheet that is passed around from admin to admin, then odds are good you have unlicensed software on your network.

9. Default configurations

Default configurations are not recommended configurations or best practice setups and they most definitely are not secure configurations. Whether you are looking at the security logging on a system or the default credentials to access a system, change the defaults. The former are set far too low to give you useable data on any production system and the latter are well known and documented.

Review your domain policy for audit logging and set a policy that provides you with enough data to go back and reconstruct events. Scan your systems for default configurations and credentials and go change them now.

10. Example code

Example code is great for lab and test systems but should be removed from production systems before they go into production. Example code is usually written to show how something works. It is not written to illustrate secure coding practices. Many an exploit has taken advantage of example code to get into a system.

11. OOB SuperMicro BMC controllers

If you have an out-of-band management card that uses a SuperMicro BMC controller, and you haven’t already patched it, then you have a system that can be queried by anyone with network access to obtain the admin credentials with which to log onto the controller. That means they can bounce a system, mount and boot from a virtual ISO, and own your system simply by having network connectivity to it. And if you use the same creds to get into the remote access controller as you do for other things, they now have those creds too. By the way, if you have servers with iLOs or DRACs then you have SuperMicro BMC controllers. The good news is a patch is available. The bad news is you have to find the update, and then go apply it to every server by hand.

12. Cleartext protocols

Anyone on your network with a protocol analyzer could potentially grab cleartext credentials off the wire, but with properly configured switches that is less of an issue. Anyone in Starbucks with a protocol analyzer could potentially grab cleartext credentials out of the air if one of your users stops in with their laptop for a latte. That is a serious issue. Eliminate all cleartext support now, both for your users and your admins. Telnet is done. SSH is where things are at. All email protocols these days have SSL or TLS versions. FTP should be used for anonymous download only. Anything else should use SFTP.


13. Credentials stored in cleartext files

This happens far too often in batch files and scripts, and it needs to stop. Anyone with access to a file storing creds now has those creds and at that point, we’re back in the same situation as #3 and #4. Store creds as encrypted strings, or better still, configure your scripts when possible so that they don’t need to store creds at all, and instead execute in the context of a service account which can securely store creds.

14. Runaway log files

Disk space is cheap, but it is not infinite, and a process that generates huge log files that are never reviewed or cleared can chew up all of your free disk space. When it does, the server comes to a screeching halt. This can become the cause of both accidental and intentional denial of service attacks. Either you shoot yourself in the foot, or an attacker slams endless bad login attempts against your server. End result: the logs fill up and the system crashes. Ensure that logs are reviewed regularly, cleared out when they are no longer needed, and that you monitor systems for disk space.


15. Weak (or no) wireless encryption

If you are using WEP or WPA on your wireless network, or if you aren’t using any encryption at all, then all your network data can be read by any attacker within range. And since “range” can include the parking lot across the street, the hotel next door, or the office on another floor, that includes a lot of space you cannot see, let alone secure. WPA2 Enterprise is really the only valid encryption algorithm you should be using at work, and you should make sure you are using WPA2 at home with strong, complex keys. That way, your neighbor’s kid won’t try cracking your wireless network to impress her friends.

16. Windows XP

Yes, I know it was the best operating system you ever used. I too have fond memories of XP going back to the early 2000s. Let it go. XP is end of life, and that means there are no more security patches. No more updates. No more support. If you still have XP on your network, then you are just making it easy for the bad guys. Remember that there were patches for XP almost every month up until the last month it was supported. Do you really think that there are no more vulnerabilities out there?

17. Legacy firewall rules

For all the review and oversight that goes into opening something on a firewall, it never fails to amaze me the number of legacy firewall rules there are on systems. The servers that they applied to are dead and gone. The services long since transferred to some other platform. And yet, there is still a NAT on the firewall, and a rule permitting inbound traffic. Some day in the future, when a new system is put into the DMZ but before it has been hardened and reviewed, there’s going to be Internet traffic hitting it. I hope it can handle that. Take some time now to review your firewall rules and make sure that all the openings are still valid. Add to your server deprovisioning process and send a notification to the firewall team so that they can remove all the rules that are no longer needed.

18. Legacy group memberships

Just as firewall rules are sometimes no longer needed, not every user needs to be in every group to which they were ever added. Roles change, titles do too, and some users no longer need access to everything they used to need. Review group memberships at least annually to ensure that least privilege is still in effect.

19. Legacy ACLs

And while you are reviewing group memberships, you should also review your ACLs to ensure that they are still current and correct. If users have access to data that they should not, they are going to find it. That’s the 83rd corollary to Murphy’s Law. If that data is sensitive or embarrassing, the impact to the company could be significant. Review ACLs with data owners annually to ensure that they are correct.

20. Access to personal email accounts

When users have access to personal email from work, they can send data out which you have no visibility into, and they can bring data in, potentially including malware. All of that bypasses your filtering systems and DLP systems, and the news frequently reports on data that has been compromised because someone emailed a file to their person account so that they could work on it from home. Access to personal email from work machines may just be too dangerous to permit.

21. Self-signed/internally generated certificates

How many times a day do your internal applications ask your users to see, and click through, this warning? If you are using self-signed certificates, or internally generated certs where your users’ systems don’t trust the root CA, then you are training your users to ignore warnings. You are doing most of the hard work for those using phishing attacks against you. Never use self-signed certs for anything users will interact with, and ensure your internal CA is trusted by all your internal clients, so users never have to think that this is a message that can be ignored.

22. Users who will download anything

There are employees who will download any screensaver or freeware application, or anything they are sent with a ‘this is the coolest/cutest/most helpful life-changing application that you have ever seen’ note attached. Yes, those. Every network has at least one individual. And no matter how many times they have to get their system reimaged, they are just one pop-up ad away from downloading and installing something else.

23. Users who will click on anything

Similar to #23, these users are the ones who will click on anything. Any link in an email, any ad on a webpage, anything at all, and they always click ‘Yes’ when prompted. They aren’t going out of their way to download and install something – they are just really click happy. They are the employees with six toolbars and three search providers in their browser, all their default file associations are messed up and, yes, they do provide their username and password in response to that helpdesk survey they saw on Facebook. And they aren’t even ‘friends’ with the company helpdesk! You are going to have to go the extra step to help these employees kick those habits.

24. Users who believe anything

These are users who really believe a foreign prince or president wants them to help him smuggle millions out of his country. Who really believe the guy with the funny accent who doesn’t know their name actually is from helpdesk and needs their credentials to back up their files before a virus deletes everything. Who have  no clue why Bill Gates wants them to forward an email 20 times, but they are happy to do so in exchange for that free trip to Disney World. These are a danger to the network and need a reality check and a lot of education before they really cause some damage to the company.

A lot of these are familiar to admins but the fast-paced environment we all work in takes its toll on our cautious approach to everything. A regular security audit will help identify most of these danger points and some will need experience and some to filter out. But each one of the threats above must be addressed sooner rather than later. Don’t underestimate the importance of educating (and re-educating) employees. They are the last and most important line of defense on your network because they are the weakest link. Understanding that, and working with that, is a great start.




The top 24 free tools for data encryption

on June 26, 2014

The NSA, Edward Snowden, corporate espionage, corporate snooping, hackers and crackers, the cloud, mind control rays… there is a lot in the news these days that makes you want to take a much more serious look at encryption to protect your privacy and your data. Whether you are coming up with the next big thing in power drink recipes or just want to ensure that if your laptop is stolen no one can access your tax returns, data encryption is something everyone should know about, and use.

In this post, we list our top 24 free tools for data encryption:

Whole disk encryption

1. Bitlocker is available for Windows users running the Pro and Enterprise versions of Windows 8.1 or the Ultimate or Enterprise version of Windows 7. While Windows is not free, if you buy the right version you get Bitlocker for no additional charge so we’re including it here. This can encrypt full volumes using AES-256, and can leverage boot PINs, TPM modules, two-factor authentication, and so on, to secure access to the data on the volume. Bitlocker can be applied to the operating system volume, other volumes individually, or to all volumes on a machine, and can be managed enterprise-wide through GPO. Recovery keys can be stored in Active Directory, making this a very good choice for the enterprise that wants to ensure the company never loses access to encrypted data.


2. DiskCryptor is an open source solution that can encrypt entire volumes using AES 256, Twofish, and Serpent.


File encryption

3. AES Crypt is open source file encryption software that uses AES-256, can run on Windows, Linux, Macs, and even iOS and Android devices. There are even Java and C# modules available for developers to integrate into their software.

4. Challenger can encrypt files and folders on local storage and is available at no charge for personal use, but also with enterprise class features including more options for key length, and the ability to encrypt remote data on network drives. It does not require administrator rights to use.



5. Steg runs on Linux, Windows, and OS X and can be used to securely hide data inside of other files. Steg’s best feature may be that you can evaluate the changes that will be made to the host file so you can determine if they will be obvious to anyone who views the file that something else is going on.

6. Our Secret is another steganography tool that enables you to encrypt and hide files inside of other files.

7. OpenPuff is a great program for securely encrypting and hiding files inside of other files.

Email encryption

8. iSafeguard offers a freeware version that users can use to both sign and encrypt email and attachments.

9. HushMail is a service, but a very useful one when you need to send an encrypted email and/or attachments. There are both free and premium versions of the service available.

10. Sbwave can be used for one-off needs, where all you have to do to send an encrypted mail is use your browser. The recipient needs a valid email address and the password to decrypt the message.

Portable drive encryption

11. Rohos Mini Drive enables you to encrypt and password protect USB drives and local directories using AES-256 and includes portable versions of the software for when you won’t have administrative access. The free version can encrypt up to an 8GB partition, but you can purchase a license for larger disks.

12. Bitlocker to Go is available for Windows users running the Pro and Enterprise versions of Windows 8.1 or the Ultimate or Enteprise version of Windows 7. This can encrypt portable media using AES-256, and can be managed using GPO.

13. SecurStick is another portable media encryption tool that used AES-256 to secure all the data stored on USB drives and removable media. One great feature about SecurStick is that you do not have to be an administrator on your workstation to use it. Another is that it works in Windows, Linux, and Mac operating systems. The website is in German, but there is a link to a Google translation page right at the top. The program itself supports English, German, and Italian.

Data in transit encryption

14. OpenSSL offers SSL and TLS encryption for data in transit. Typically a Linux tool, there are ports for Windows and Solaris as well.

15. Stunnel can be used to provide an SSL transport for any TCP connection that does not support that itself. It is a free, open-source way to secure any TCP protocol.

Remote management encryption

16. OpenSSH is a secure command-line administrative service and client for administering Linux systems. It uses SSHD on the server and OpenSSH on the client to ensure a secure command-line session between systems.

17. PuTTY is a secure command-line client for Windows (and other operating systems) that enables users to connect to SSH services securely.


18. PowerShell is the de facto remote management tool for Windows at the command line. It can use HTTPS to provide session-based encryption, but even connections over HTTP are encrypted using HTTP-Kerberos-session.

19. Remote Desktop Connection Manager is a Windows tool from Microsoft that lets you manage multiple remote connections use RDP to your various Windows servers. RDP connections use encryption and you can also securely store credentials to your servers in encrypted connection files so you can easily and securely remote into your systems.


20. 7-Zip is normally considered a compression program, but what I consider the best compression program can also encrypt files using AES-256. It also integrates into the Windows Explorer menu, can compress-encrypt-email as an attachment in one click, and makes working with all formats of compressed files easy. This a good multipurpose tool with an often overlooked encryption angle.

21. GPG is often just considered the free version of PGP, but it is oh so much more than just that. With command line tools, integration into dozens of other security products, and the ability to encrypt files, directories, volumes, emails, attachments, and to run on Windows, Linux, and Macs and to interoperate with the commercially successful PGP, it’s probably the de facto King of Encryption.

22. Sophos Free Encryption can be used to encrypt files or directories and can also be used to send encrypted attachments to emails. You won’t find much on their website about this tool, but you can download it using the provided link.

23. Cloudfogger is a useful tool for providing file level encryption for cloud storage services like Dropbox, Box, OneDrive, etc. While its main focus is on protecting files stored in someone else’ cloud, it can also be used to encrypt files only stored locally, or stored to portable media, ensuring encryption of all your data.

24. AxCrypt from Axantum is a favorite for its ability to integrate into the Windows Explorer menu so you can right-click to encrypt a file, and also to send as an encrypted attachment to an email. Self-decrypting files can be created so the recipient of an email or USB key doesn’t need the software, only the correct password, in order to decrypt sensitive files. AxCrypt uses AES-128, with AES-256 being considered for a future release.

Did we leave out one of your favorites? Leave a comment then and let us know!


13 things every employee should do before calling the helpdesk

If you work in IT, at some point in your career you formed part of the ‘the helpdesk’ team. You may have started there or you might still be leading the team. In many organizations, the sysadmin fulfils all roles so they can rarely escape those phone calls.

You all had those ‘dreadful’ callers who always seem to have the worst technology day of their lives, demanding you solve the problem yesterday because they have an important meeting or file to print out…

Been there, done that, most of you will say; but is there something you could have done to reduce the number of calls? Yes, there is and it begins when a new employee joins the company. That’s when the training begins.

Here are 13 things every employee should be asked / taught to do before they call or email helpdesk. You will still get the odd call from those who can’t be bothered, but the majority of employees will be happy to try and solve the issue themselves if they are allowed to. These are not fancy command line shortcuts or PowerShell scripts – just steps not all employees know about or think they can perform themselves.

1. Reboot

Face it, odds are you are going to ask the employee to reboot pretty early on since it clears the DNS cache, reestablishes the network connection, forces them to restart all their applications, picks up on new group memberships, and gives you time to undo whatever it is you did. Okay, so if you use rebooting for that last one, you may not want your users to reboot before they call, but for the rest of them, since rebooting really does fix so many things, getting your users to reboot first may cut down on calls by a noticeable percentage.

2. Leave on the screen/write down/screenshot the error message

You can often get the error message from the logs, but that takes time. If the user either left the error where you could see it, wrote it down, or otherwise captured it, you could jump right into fixing their problem instead of first trying to figure out what the problem is. Easiest way to do this is to train end-users to leave errors on the screen if they plan to call support.

3. Their username

They use it to log on every day, but unless they have to type it in, they probably don’t remember it. Make sure that if you are not using UPN and making that match email addresses, users know what their username is.

4. Their computer name

While users may never need to know their computer name, being able to tell you what it is can save a huge amount of time. Show them how to right-click on ‘computer’ in the menu, or how to open a cmd prompt and type in hostname.

5. Their operating system

Unless you are one of the few fortunate enough to really have 100% of your users on exactly the same operating system version, you really need to know which OS a user is running before you start doing much troubleshooting over the phone, since every major release, the vendor moves/hides/changes everything. Make sure users know whether they are running XP, 7 or 8 or OSX before you start talking them through how to do something.

6. How to do an “ipconfig”

Connectivity issues often come down to being on the wrong network, or not getting an ip.addr from DHCP, or using the wrong DNS servers. IPCONFIG/IFCONFIG are incredibly useful and very difficult to get a user to type in correctly, let alone read to you the juicy bits. Make sure they know how to do this, or put a script in place to grab it easily.

Protip: if you use Windows, BGInfo from Microsoft to configure desktop wallpaper, you can put many of the important pieces of data on the user’s screen so that it is easily accessible.

7. Their major application details

At the very least, users should be able to tell you whether they are trying to do something with IE or Chrome, Word 2013 or 2010, ApplicationX or ProgramY, so that you can start with the proper troubleshooting steps. “The Internet” is not a program on most company computers.

8. Confirm Internet access

Since so many calls have to do with reaching a website, getting to email, or other things that come down to Internet access, teaching users how to confirm they have Internet access will also be a big time saver. You could use http://www.whattimeisit.com since it is easy to remember, pays homage to Run DMC, and confirms that the user is not looking at something cached. If you are feeling really lucky, you can also give them a bookmark to http://www.downforeveryoneorjustme.com/ so they can see if a website is down or not. http://isup.me works just as well!

9. Confirm spelling

Until the day address bars, run dialogs, and cmd prompts have a spellcheck function, typos will still be a major root cause of support calls. Check twice, enter once, and we will be happier!

10. Check to see if anyone else has the same problem

One of the first things a support analyst has to do when working an issue is to scope the problem. If the user has already checked with a colleague to see whether the problem is limited to one person or several, a lot of time can be saved and resolution is that much closer. Getting users in the habit of simply asking the person in the next cube to confirm something before calling is a simple thing to do.

11. How to ping a site/server

More advanced users might even be able to handle pinging something first before calling for help, just to see if the system they want is even available. Of course, since many Internet hosts block ICMP, and some companies restrict outbound ICMP this could cut both ways, as a non-responsive server outside your network may still be up, so use your own discretion on this one and consider your own network and security posture (and the employees’ technical abilities).

12. What options are available

Not every issue requires a frantic call to the sysadmin or support desk manager, or even more drastic, a drive by. Make sure your employees know how to open a ticket through email or the web portal, and how to set the severity so you can properly prioritize them.

13. How to leave a voicemail

“Hey, this is Soandsofromofficeso. My system is broken and I need you to call me back right away! <Click>”. Have you ever received a voicemail like that? Unless your voicemail has envelope info and you have the time to go through that, you are just as likely to let the person get impatient and call you back, rather than trying to track them down. Make sure users know how to leave a voicemail that includes enough information for you to be able to identify them, the severity of the issue, and that they slow down when reciting their telephone number so you can understand it, write it down, and actually be able to call them back!

The results could be surprising and if they save you even 20% of the time spent answering calls, you’ve already made huge gains. And a happier workforce too…



The RSAT tools so you never have to kick someone off their RDP session

Far too often I see admins trying to remote into a server in order to perform some administrative task, only to find all the sessions on the first five or six servers they try are taken by other admins. Then they either have to call around to get someone to log off, or kick someone off. Of course, if they had just installed the Remote Server Administration Tools (RSAT) they could run every admin console from their desktop and never have to log onto a server.



Scanning Open Ports in Windows: A Quick Guide (Part 2)


To get started, one tool I thought would be worthy of a brief mention is Telnet. Using the telnet command you can quickly test if a specific port is open on a host in your network. To do this:

  1. Open a command prompt window
  2. Type telnet hostname port_number or telnet ip_address port_number

Replace hostname or ip_address with the name or IP address of the machine you wish to connect to, and port_number with the port number you want to test. You will see a blank screen if the connection was successful (indicating that the specified port is open).


Note: On Windows Vista/7/8, Telnet is disabled by default. To enable it:

  1. Go to the Control Panel > Programs and Features > Turn Windows features on or off
  2. Check Telnet Server and Telnet Client
  3. Click OK to have the features installed.


Another handy tool to add to your collection is CurrPorts. CurrPorts runs as a standalone application that displays all open TCP and UDP ports on your local computer and detailed information about which process opened those ports. Using this tool, you can also:

  1. Close unwanted TCP connections (when run under an admin account)
  2. Kill the process that opened the port
  3. Export the TCP/UDP port information to a file
  4. Filter the information that is displayed to show or hide TCP/UDP ports, ports that are listening, established, closed, and even flag ports that are not associated with a known application.

To open CurrPorts, simply extract the ZIP file and run CurrPorts.exe. It will immediately list information about all currently open ports. Use the Options menu to filter out which port information you wish to view.


The image below shows what a suspicious connection might look like if you were investigating a local machine. In this example, I created a small console application in C# to simulate client/server network connectivity that connects to port 6996 on the local IP address. You can use the “Remote IP Country” column on the far right of the window to give you a quick indication of where the remote server is located.

Note: In the real-world, a malicious process (e.g. botnet) would have a different remote address (for the purposes of this example the client and server processes are running on the same machine).

Whatever it is that you are investigating, look at the process name and port number together to determine if something seems out of the ordinary. Alternatively, if you are looking for a specific open port, sort the “Local Port” or “Remote Port” column and search for the port number in question.


The status bar at the bottom of the CurrPorts window shows the total amount of ports in use and the number of established remote connections.


Finally, similar to CurrPorts is an application called TCPEye. TCPEye also displays a list of all currently opened TCP/UDP ports on your local computer and shows detailed information about the process that opened the port. Like CurrPorts, TCPEye also allows you to:

  1. View which country the remote server is located
  2. Close unwanted TCP connections
  3. Save TCP/UDP port information into an HTML, XML or CSV file.


One standout feature in TCPEye is that if you notice a suspicious process (e.g. one that is connected to an open port and a remote address), you can right click on it and select “Check with VirusTotal” for the process information to be uploaded and analysed by VirusTotal (as shown in the image below).


One thing to note about TCPEye is that it does not run as a standalone application and will require installation first.



Scanning Open Ports in Windows: A Quick Guide(Part 2)


To get started, one tool I thought would be worthy of a brief mention is Telnet. Using the telnet command you can quickly test if a specific port is open on a host in your network. To do this:

  1. Open a command prompt window
  2. Type telnet hostname port_number or telnet ip_address port_number

Replace hostname or ip_address with the name or IP address of the machine you wish to connect to, and port_number with the port number you want to test. You will see a blank screen if the connection was successful (indicating that the specified port is open).


Note: On Windows Vista/7/8, Telnet is disabled by default. To enable it:

  1. Go to the Control Panel > Programs and Features > Turn Windows features on or off
  2. Check Telnet Server and Telnet Client
  3. Click OK to have the features installed.


Another handy tool to add to your collection is CurrPorts. CurrPorts runs as a standalone application that displays all open TCP and UDP ports on your local computer and detailed information about which process opened those ports. Using this tool, you can also:

  1. Close unwanted TCP connections (when run under an admin account)
  2. Kill the process that opened the port
  3. Export the TCP/UDP port information to a file
  4. Filter the information that is displayed to show or hide TCP/UDP ports, ports that are listening, established, closed, and even flag ports that are not associated with a known application.

To open CurrPorts, simply extract the ZIP file and run CurrPorts.exe. It will immediately list information about all currently open ports. Use the Options menu to filter out which port information you wish to view.


The image below shows what a suspicious connection might look like if you were investigating a local machine. In this example, I created a small console application in C# to simulate client/server network connectivity that connects to port 6996 on the local IP address. You can use the “Remote IP Country” column on the far right of the window to give you a quick indication of where the remote server is located.

Note: In the real-world, a malicious process (e.g. botnet) would have a different remote address (for the purposes of this example the client and server processes are running on the same machine).

Whatever it is that you are investigating, look at the process name and port number together to determine if something seems out of the ordinary. Alternatively, if you are looking for a specific open port, sort the “Local Port” or “Remote Port” column and search for the port number in question.


The status bar at the bottom of the CurrPorts window shows the total amount of ports in use and the number of established remote connections.


Finally, similar to CurrPorts is an application called TCPEye. TCPEye also displays a list of all currently opened TCP/UDP ports on your local computer and shows detailed information about the process that opened the port. Like CurrPorts, TCPEye also allows you to:

  1. View which country the remote server is located
  2. Close unwanted TCP connections
  3. Save TCP/UDP port information into an HTML, XML or CSV file.


One standout feature in TCPEye is that if you notice a suspicious process (e.g. one that is connected to an open port and a remote address), you can right click on it and select “Check with VirusTotal” for the process information to be uploaded and analysed by VirusTotal (as shown in the image below).


One thing to note about TCPEye is that it does not run as a standalone application and will require installation first.




The 43 Things Administrators Should Never Do

Administrators have a tough job on their hands to manage, maintain and protect the network they are responsible for. Armed with the latest tools, they do an excellent job; however, at times, often due to pressure, they make mistakes – sometimes easily avoidable. In this post we are going to present the top 43 common mistakes administrators have made, as a reminder of what they shouldn’t do.
They are categorized under networking, configuration, security, and best practices, and are based on firsthand experiences.
Here is the list:


1. Leave the trailing dot off a zone file in DNS
The first and most significant mistake a new BIND administrator can do is forget to end each zone with the trailing dot, leaving their zone dangling in the breeze as clients try to append their own domain name, and fail.

2. Implement HOSTS files instead of fixing DNS
HOSTS files may be necessary for troubleshooting, but should never be used in production to get around a DNS issue. Six months from now, no one will remember that server with the HOSTS file, until they spend a few hours troubleshooting why it keeps trying to connect to an old ip.addr.

3. Implement recursive forwarding in DNS
Forwarding is for when a DNS server doesn’t have the answer to a client query, so it can ask another server who might. Set two servers to forward to one another, and you will quickly take down your network with the resulting UDP traffic that the looping queries generate.

4. Allow unrestricted zone transfers
No sense making a potential attacker’s job any easier. Only permit zone transfers to your DNS servers.

5. Leave out WINS
Eleven years after Windows 2000 came out, Microsoft networks still rely on NetBIOS for several functions. A well designed WINS solution will greatly improve performance, while the lack of one can cause all kinds of client issues.

6. Implement LMHOSTS files instead of fixing WINS
Much like using HOSTS files for DNS, a LMHOSTS file should be used for troubleshooting a specific client, not because your WINS infrastructure doesn’t work.

7. Implement a disjoint namespace
There are many things you can do, but should not. This is one of them. The inconsistencies that can occur when you use a disjoint namespace outweigh any political or legacy reason to do so.

8. Bypass the firewall
Firewalls are there for a reason – to prevent bad things from happening and to separate security zones. Bypassing a firewall makes a bad guy’s job that much easier, and can provide them an express lane straight into your network.

9. Bridge networks
Whether it bypasses the firewall like in point eight, or just starts spewing internal wire traffic over your wireless network, bridging is a good idea that always turns bad.

10. NAT internal traffic
If you think NATing internal traffic to an external address is easier than using a split DNS, you need to reconsider. Between the protocols that can break when NATed and the user issues that can arise when trying to troubleshoot, it is far better in the long run to implement a split DNS. It also makes your firewall configure that much easier to manage.


11. Apply a patch without testing
No vendor can fully test a patch in your environment. That’s your job. Applying an untested patch is marginally safer than not patching, but eventually it will break a critical application. Bite the bullet and build a test environment.

12. Make a change without testing and having a backout plan
Here’s a similar concept. Untested changes will eventually break something, and not having a backout plan in place means downtime.

13. Make several changes concurrently
The first thing you ask when troubleshooting is “what changed?”, because often the easiest fix is to change it back. When the answer is ten items long, it’s much harder to do this.

14. Bounce a box figuring no one will notice
Trust me, they will, and they will scream to high heaven that they were right in the middle of something when you rebooted the server. If you cannot wait for a maintenance window, you need to at least send out an email giving them a couple of minutes notice.

15. Use unsupported characters in any name
Here’s another case of “just because you can do something, doesn’t mean you want to”. Whether it is “$”, underscores, “\”, or spaces, including anything other than letters and numbers, it will eventually break something – be it a script, or a new application.

16. Run services using their own user account
I once saw a case where an administrator installed a cluster service to run using his own account because it was the easiest way to get a new service running. 45 days later, when he went to change his password, the service died. He set his account to never expire, and six months later when he quit and his account was disabled, and the service died again. Give each service its own service account, and never use your own account for anything but your own login.

17. Enable anonymous FTP uploads
Unless you really do want to host illegal warez that will burn your bandwidth and use up all your disk space, never allow anonymous uploads on FTP servers.

18. Configure an open relay
Configuring an open relay is the easiest way to stop your users from sending email to anyone; which is also the fast path to having your mail servers put on every block list on the planet.


19. Leave default credentials intact
Default credentials are published, well known, and scanned for by free tools. One of the fastest ways to get hacked is to leave default credentials alone.

20. Use dictionary passwords
Here’s the second fastest way to get hacked; using dictionary words for passwords. It only takes the simplest of tools a few minutes to run through every word in the dictionary, making password cracking a trivial exercise.

21. Use non-expiring passwords
The main reason we expire passwords is so that, if they have been compromised, eventually that door is closed. Trust me, no matter how good you think your password is, it’s not that good. Change your password regularly the same way as you make your users do it.

22. Use shared/common credentials
Check the log to see who made that change. Who did? The administrator? Great, who knows the administrator password? Every administrative user should have their own set of credentials, and the administrator/root/supervisor account passwords should be locked up and only pulled out in case of emergency. Anything less breaks accountability and any hope for auditing who did what.

23. Run unverified downloads
Checksums are there so you can be sure what you think you downloaded is what you have. Always verify things you downloaded from the Internet before running them, especially when you are going to be running them using privileged accounts.

24. Use outbound permit ACLs instead of a proxy
Do you like herding cats? Me neither, and I also don’t like trying to tighten a screw with a hammer, or driving a nail with a wrench. Outbound ACLs should block things you don’t want all systems to do, like send SMTP or NetBIOS traffic to the Internet. If you want to control web access, use a proxy, which is purpose built for the task and can deal with FQDNs and URLs instead of ip.addrs.

25. Block PINGs
The PING of Death is over a decade old. Blocking ICMP echo and response does almost nothing for security, but breaks a tried and true method for testing connectivity and troubleshooting network issues. It also violates an RFC.

26. Deploy open Wi-Fi networks
Hiding your SSID does nothing to secure your network. Deploying an open Wi-Fi network is as dangerous as running an Ethernet drop into the alley out back of your shop, and is an open invitation for attackers to run amok on your network. At a minimum, implement WPA, and segment your wireless network from your wired.

Best practices

27. Surf the Internet while logged on as an administrator
When you are logged on as an administrator, every program you run is a risk. Unless you have a sandboxed browser, a compromised website could lead to a compromised client, or worse, network. Surf the web using your regular account to reduce your risk from zero-day attacks.

28. Read email while logged on as an administrator
Much like surfing the web, running your mail client with your privileged account runs the risk of compromise from malware attachments, embedded scripts in email, etc. The best antivirus and antispam products in the world still rely on signatures, which can only be developed after a zero-day attack becomes a known attack.

29. Skip documentation
Show me an administrator who likes to document, and I will… well, I won’t have to do anything because no administrator on the planet likes to document, but it is a necessary part of the job. Even you won’t remember everything you did six months later, having documentation to refer to can make the difference between a simple task, and weeks of reverse engineering or reinventing the wheel.

30. Skip change logs
Much like documentation, change logs make it easy to answer that troubleshooting question “what changed?”. This is especially beneficial when that question is being asked by your assistant while you are on vacation. Unless you want to answer the phone while you’re on the beach, document changes.

31. Implement a new system without a scheduled maintenance window
Any new system you deploy, whether a simple file server or a complex application farm, needs to have a maintenance window established so you can do upgrades, patching, etc. Unless you like staying up until 02:00 on a Sunday morning, try to get that window approved for daylight hours.

32. Implement a new system without including redundancy
Having redundancy means never having to get that 02:00 call because a service went down. You may not be able to add redundancy to legacy systems, but anything new you deploy should include redundancy.

33. Run backups without verifying restores
“I don’t care what the backup logs say…” – until you take that tape, restore the data from it, and verify you can access the restored data, you don’t have a backup you can count on. Do you want to tell the CEO that you cannot restore his mailbox because of a bad tape?

34. Skip a patch
I have worked over one hundred security incidents; more than 90 of those have been hacks against known vulnerabilities for which a patch existed, but wasn’t applied. Patch regularly, patch often, and never skip a security patch.

35. Monitor too little
If you rely on users complaining about outages to let you know when a system has failed, you won’t last for long in this career field. Monitoring your critical systems is a vital part of administering a network.

36. Monitor too much
But monitoring too much leads to information overload, and pretty soon you are ignoring all the monitoring emails, which means you miss the important ones that warned you of an imminent failure. It’s going to take a lot of effort to get the right balance, and no two companies will be quite the same, but a good starting point is to get an email alert immediately only for those things that show an actual failure, or a condition that indicates an imminent failure. Anything else should be a daily summary.

37. Email when angry
Whether you are sending out an email bcc all, or replying to an upset user or clueless PM who has riled your feathers, emailing angry does no one any good and can damage your reputation. Take a deep breath, go grab a cup of coffee, or even put it off until the next day, but if you find yourself pounding on the keyboard while you are composing an email, don’t dare hit send.

38. Keep information a secret
If you are the only one who knows how something works, you are not creating your own job security; you are guaranteeing you will get called on your day off, while you are on vacation, and that you will never be able to pass it on to someone else. The best administrators are the ones who share information with others, and cross train them to reduce any human as a single point of failure.

39. Update information inconsistently
Any update is better than no update, but inconsistent information can be confusing, lead to mistakes, and generate even more questions that you will have to answer. Establish a format or template for any information, whether it is for your change log or for user accounts in Active Directory, and make sure all administrators follow it consistently.

40. Violate licensing agreements
Some risks are just too great to take, and knowingly violating licensing agreements not only exposes the company to legal action and financial penalties, it can quickly end your career.

41. Practice other than they preach
Users, junior administrators, and bosses alike, are not nearly as stupid as you may think. Telling them to do one thing, while you do something else, is a very easy way to lose their respect, as well as their trust. Follow the rules and lead by example.

42. Abuse their privileges
It doesn’t matter that you can access that file folder, should you? Administrators are in a position of very high trust, and violating that trust can quickly end your career.

43. Test in production
Even if the only testing you can do is in a VM running on your workstation, you need to test any changes before deploying them to production. Failing to do so is just asking for trouble, will kill your SLAs, and tarnish your reputation – it’s not worth it.






Top 5 Free Rescue Discs for Your Sys Admin Toolkit


1. Hiren Boot CD

The tagline for Hiren Boot CD reads “a first aid kit for your computer” – and that it is! Hiren Boot CD is one of the more popular Rescue CDs out there and contains a wealth of tools including defrag tools, driver tools, backup tools, anti-virus and anti-malware tools, rootkit detection tools, secure data wiping tools, and partitioning tools, amongst others.

Hiren Boot CD is available to download as an ISO for easy installation to a USB or burning to a CD.

The boot menu allows you to boot into the MiniXP environment, the Linux-based rescue environment, run a series of tools or boot directly from a specified partition.


The MiniXP environment, as shown in the image below, is much like a Windows XP desktop. Everything pretty much happens from the HBCD Launcher (a standalone application with a drop down menu containing shortcuts to the packaged applications).



2. FalconFour’s Ultimate Boot CD

FalconFour’s Ultimate Boot CD is based upon the Hiren Boot CD with a customized boot menu and a whole bunch of updated tools thrown in. F4’s UBCD contains tools that provide system information, tools that recover/repair broken partitions, tools that recover data, as well as file utilities, password recovery tools, network tools, malware removal tools and much more.

F4’s UBCD is available for download as an ISO file so you can burn it to a CD or use it to create a bootable USB drive.

Similar to Hiren Boot CD, when you boot F4’s UBCD you are presented with a menu giving you the option to boot into a Linux environment, the MiniXP environment or run a series of standalone tools. As you scroll through the menu, a description of each item is given at the bottom of the screen.


Similar to that of Hiren Boot CD, the MiniXP environment is much like a Windows XP desktop environment, only it’s really lightweight and is pre-packed with a host of diagnostic and repair tools.


Once the desktop has loaded up, choose from one of the available application shortcuts, launch the HBCD Menu or go to the Start menu to get going.


3. SystemRescueCD

SystemRescueCD is a Linux-based package for troubleshooting Linux and Windows systems. The disc contains antivirus, malware removal, and rootkit removal tools as well as tools to help manage or repair partitions, recover your data, back up your data or clone your drives. SystemRescueCD supports ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, and ntfs file systems, as well as network file systems like samba and nfs. It also comes with network troubleshooting, file editing, and bootloader restoration tools.

SystemRescueCD is available for download as an ISO file so you can burn it to a CD or use it to create a bootable USB drive.

When you boot the SystemRescueCD, the pre-boot menu gives you a multitude of options, allowing you to boot directly into the graphical environment or the command line.


In the image below, I have booted into the graphical environment and started the chkrootkit application from the Terminal window which searches for rootkits installed on the system. Other applications can be run directly from the terminal in a similar fashion, using arguments and parameters as necessary.



4. Ultimate Boot CD

Ultimate Boot CD is designed to help you troubleshoot Windows and Linux systems using a series of diagnostic and repair tools. It contains anything from data recovery and drive cloning tools to BIOS management, memory and CPU testing tools.

UBCD is downloadable in ISO format for easy installation to a USB or burning to a CD.

Note: UBCD4Win (http://www.ubcd4win.com/) is UBCD’s brother built specifically for Windows systems.

When you boot with UBCD you are presented with a DOS-based interface that you navigate depending on which system component you wish to troubleshoot.



5. Trinity Rescue Kit

The Trinity Rescue Kit is a Linux-based Rescue CD aimed specifically at recovery and repair of Windows or Linux machines. It contains a range of tools allowing you to run AV scans, reset lost Windows passwords, backup data, recover data, clone drives, modify partitions and run rootkit detection tools.

The Trinity Rescue Kit is downloadable in ISO format for easy installation to a USB or burning to a CD.

The boot menu gives you the option to start TRK is different modes (useful if you’re having trouble loading in default mode).


Once you get to the Trinity Rescue Kit ‘easy menu’, simply navigate through the list to choose which tool to execute. You can also switch to the command line if you want more flexibility and feel comfortable with Linux-based commands.



You may also wish to consider…


Boot-Repair-Disk is a Rescue CD primarily designed for repairing Linux distributions but can also be used to fix some Windows systems. It automatically launches the Boot-Repair application (a one-click repair system) which is used to repair access to operating systems; providing GRUB reinstallation, MBR restoration, file system repair and UEFI, SecureBoot, RAID, LVM, and Wubi support.

Windows System Repair Disc

The Windows System Repair Disc lets you boot into the Windows Recovery Environment, giving you the option to detect and fix startup and booting issues, restore to a workable restore point (if you had System Restore enabled), restore the entire machine from a backup image, conduct a memory diagnostics test and use the command line to run utilities like chkdsk.

Additionally, Linux distributions such as PuppyLinux, Ubuntu LiveCD or Knoppix are lightweight bootable versions of Linux that contain a host of handy tools to fix common problems, recover data, transfer data, scan for viruses, manage partitions, etc.

Finally, you could also try a Rescue Disc from a popular Anti-Virus vendor , such as AVG Rescue CD, F-Secure Rescue CD, or Avira AntiVir Rescue System. Although primarily targeted to help with system’s that are infected with Malware, they are worth adding to your arsenal.

Create your own!

If you want more flexibility, why not create or customize your own bootable rescue disc?

You have a couple of options here:

1)      Create your own bootable Live USB

Using applications such as YUMI (Your Universal Multiboot Installer) or UNetBootin, you can create a multi-boot USB drive containing several operating systems, antivirus utilities, disc cloning, diagnostic tools, and more.

2)      Modify a Linux distribution

If you are using a Linux-based Rescue CD / Live CD, you can use an application like Live-Magic (for Debian-based Linux distributions) or Remastersys to create a bootable ISO of an already installed Linux OS. The idea would be to install a clean build of Linux, add or remove applications and make any customizations as necessary and then run the above mentioned applications to capture the build into an ISO.

Alternatively, instead of using an application, you can use a series of shell scripts to do the same thing. Check out http://www.linux-live.org/ for more information.






How to configure remote access to the GFI WebMonitor configuration


Configuring remote access to the GFI WebMonitor console consists of 3 easy steps:

  1. Configure Access Control in the WebMonitor Console while logged into the WebMonitor server giving the remote access user / group / computer access.
  2. On the client machine that is attempting to access the console remotely, ensure the proxy settings of the browser are set to use the WebMonitor server's proxy port.
  3. Use one of the following URLs in the client machine's browser:

  • These URL's are not contained in DNS. They are internally recognized by GFI WebMonitor when the client sends the requested URLs to it's proxy port
  • During evaluation, remote access to the WebMonitor console is disabled

Configuring Access Control

Version 2013

  1. Open the GFI WebMonitor console and access the Settings tab
  2. Under General select UI Access Control
    • Note: If you want to configure the Access Control Policies by Users or User Groups you must select Windows Authentication and authentication must be enabled in Settings > Proxy Settings > General
  3. Configure the Default Authorization Rule
    1. Select the User, Group or IP the rule applies to
    2. Select the Can View Data for: filter to choose data this rules' group of users will have access to view
    3. Select the Access Rights filter to choose which parts of the console this group of users will have access to view
    4. Click Save
  4. Configure additional rules as necessary
    • Note: To delete a rule, click the trash icon next to it
Policies under the Configured Authorization Rules will be applied in order from top to bottom. WebMonitor will check if the incoming user is listed in the first policy's Applies To section. If matched, it will apply that policy only. If not, it will check the next policy in order.

Version 2012

Version 2012 is configured the same way except the settings are found under Remote Access Control.




57 Tips Every Admin Should Know

The longer a person serves as a network admin, the more tips and tricks they are likely to pick up along the way. Some could be shortcuts, others might seem like magic, but all are intended to save you time and help you solve problems. Assume that all of these Windows commands should be run from an administrative command prompt if you are using Vista, Windows 7, or Windows 2008.

Active Directory

1. To quickly list all the groups in your domain, with members, run this command:

dsquery group -limit 0 | dsget group -members –expand

2. To find all users whose accounts are set to have a non-expiring password, run this command:

dsquery * domainroot -filter “(&(objectcategory=person)(objectclass=user)(lockoutTime=*))” -limit 0

3. To list all the FSMO role holders in your forest, run this command:

netdom query fsmo

4. To refresh group policy settings, run this command:


5. To check Active Directory replication on a domain controller, run this command:

repadmin /replsummary

6. To force replication from a domain controller without having to go through to Active

Directory Sites and Services, run this command:

repadmin /syncall

7. To see what server authenticated you (or if you logged on with cached credentials) you can run either of these commands:

set l

echo %logonserver%

8. To see what account you are logged on as, run this command:


9. To see what security groups you belong to, run this command:

whoami /groups

10. To see the domain account policy (password requirements, lockout thresholds, etc) run this command:

net accounts

Windows Networking

11. To quickly reset your NIC back to DHCP with no manual settings, run this command:

netsh int ip reset all

12. To quickly generate a text summary of your system, run this command:

systeminfo | more

13. To see all network connections your client has open, run this command:

net use

14. To see your routing table, run either of these commands:

route print

netstat -r

15. Need to run a trace, but don’t have Netmon or Wireshark, and aren’t allowed to install either one? Run this command:

netsh trace start capture=yes tracefile=c:\capture.etl

netsh trace stop

16. To quickly open a port on the firewall, run this command, changing the name, protocol, and port to suit. This example opens syslog:

netsh firewall set portopening udp 161 syslog enable all

17. To add an entry to your routing table that will be permanent, run the route add command with the –p option. Omitting that, the entry will be lost at next reboot:

route add mask –p

18. Here’s a simple way to see all open network connections, refreshing every second:

netstat –ano 1

19. You can add a | findstr value to watch for only a specific connection, like a client ip.addr or port:

netstat –ano | findstr

20. You can use the shutdown to shutdown or reboot a machine, including your own, in a simple scheduled task like this:

shutdown –r –t 0 –m \\localhost

21. To make planned DNS changes go faster, reduce the TTL on the DNS records you plan on changing to 30 seconds the day before changes are to be made. You can set the TTL back to normal after you confirm the changes have been successful.

22. Set a short lease on DHCP scopes that service laptops, and set Microsoft Option 002 to release a DHCP leas on shutdown. This helps to ensure your scope is not exhausted and that machines can easily get on another network when the move to a new site.

Windows 7

23. Want to enable the local administrator account on Windows 7? Run this command from an administrative command prompt. It will prompt you to set a password:

net user administrator * /active:yes

24. You can do the same thing during install by pressing SHIFT-F10 at the screen where you set your initial user password.

Windows 7 supports several useful new keyboard shortcuts:

25. Windows Key+G

Display gadgets in front of other windows.

26. Windows Key++ (plus key)

Zoom in, where appropriate.

27. Windows Key+- (minus key)

Zoom out, where appropriate.

28. Windows Key+Up Arrow

Maximize the current window.

29. Windows Key+Down Arrow

Minimize the current window.

30. Windows Key+Left Arrow

Snap to the left hand side of the screen

31. Windows Key+Right Arrow

Snap to the right hand side of the screen.

32. To quickly launch an application as an administrator (without the right-click, run as administrator), type the name in the Search programs and files field, and then press Ctrl-Shift-Enter.

Here are some tips that can save you from buying commercial software:

33. Need to make a quick screencast to show someone how to do something? The Problem Steps Recorder can create an MHTML file that shows what you have done by creating a screen capture each time you take an action. Click the Start button and type ‘psr’ to open the Problem Steps Recorder.

34. Need to burn a disc? The isoburn.exe can burn ISO and IMG files. You can right click a file and select burn, or launch it from the command line.

35. Windows 7 includes a screen scraping tool called the Snipping Tool. I have tons of users request a license for SnagIt, only to find this free tool (it’s under Accessories) does what they need.

36. You can download this bootable security scanner from Microsoft that will run off a USB key, which is very useful if you suspect a machine has a virus.

37. A great way to save all your command line tools and make them available across all your computers is to install Dropbox, create a folder to save all your scripts and tools, and add that folder to your path. That way, they can be called from the command line or any other scripts, and if you update a script, it will carry across to any other machine you have.

Windows 2008

38. You can free up disk space on your servers by disabling hibernate. Windows 2008 will create a hiberfil.sys equal to the amount of RAM. This is very useful with VMs that have lots of RAM but smaller C: drives. To disable hibernation, and reclaim that space, run this command:

powercfg -h off

39. You can get to the complete collection of Sysinternals tools online. You can even invoke them from the run command. Use the url: http://live.sysinternals.com or the UNC path: \\live.sysinternals.com\tools.

40. Speaking of the Sysinternals tools, almost any command line in this article can be run remotely on another machine (as long as you have administrative rights) using the psexec command included in the Sysinternals tools.

41. You can kill RDP sessions at the command line when you find that all the RDP sessions to a server are tied up.

regsvr32 query.dll [enter] You only have to do this the first time.

query session /server:servername [enter]

reset session # /server:servername [enter]

42. You can create a list of files and display the last time they were accessed, which is very useful when a network drive is low on space and users swear they have to have that copy of Office 2003 on the network. My advice? If they haven’t touched it in two years, burn it to DVD or write it to tape and then delete it from disk:

dir /t:a /s /od >> list.txt [enter]

43. The Microsoft Exchange Err command is one of the best all around troubleshooting tools you will find, as it can decode any hex error code you find as long as the products are installed on the machine. Download it from here.

44. You can see all the open files on a system by running this command:

openfiles /query

45. You can pull all the readable data out of a corrupt file using this command:

recover filename.ext

46. Need to pause a batch file for a period of time but don’t have the sleep command from the old resource kit handy? Here’s how to build a ten second delay into a script:

ping -n 10 > NUL 2>&1

47. If your Windows website has stopped responding, or is throwing a 500 error, and you are not sure what to do, you can reset IIS without having to reboot the whole server. Run this command:


48. You can use && to string multiple commands together; they will run sequentially.

49. If you find yourself restarting services frequently, you can use that && trick to create a batch file called restart.cmd and use it to restart services:

net stop %1 && net start %1

50. You can download a Windows port of the wget tool from here, and use it to mirror websites using this command:

wget -mk http://www.example.com/


51. You can list files sorted by size using this command:

ls –lSr

52. You can view the amount of free disk space in usable format using this command:

df –h

53. To see how much space /some/dir is consuming:

du -sh /some/dir

54. List all running processes containing the string stuff:

ps aux | grep stuff

55. If you have ever run a command but forgot to sudo, you can use this to rerun the command:

sudo !!

56. If you put a space before a command or response, it will be omitted from the shell history.

57. If you really liked a long command that you just ran, and want to save it as a script, use this trick:

echo “!!” > script.sh

With 57 tips in this bag of tricks, you’re bound to find something useful. Have your own tips to share? Leave us a comment!





Top 10 Free System Troubleshooting Tools for SysAdmins

1. Microsoft Fix It Solution Center

The Microsoft Fix It Solution Center is an online tool that helps you to quickly find and fix common system issues. Once you’ve entered the symptoms, you can either download an executable to automatically fix the issue or be directed to a relevant Microsoft Knowledgebase Article that explains what the cause and recommend workaround is.


To use the Microsoft Fix It Solution Center, simply open http://support.microsoft.com/fixit/ in a web browser, select a problem area from “Step 1”, choose what type of problem you are trying to fix from the list in “Step 2” and then choose which solution you’d like to execute or learn more about from “Step 3”.

2. Problem Steps Recorder

Hidden away in Windows 7 / Windows 2008 and above is a neat little utility called Problem Steps Recorder (psr.exe). The Problem Steps Recorder will record the step-by-step interactions that occur while the user replicates the problem, taking screenshots of every action. It then bundles all this into a report with detailed information and any relevant error logs.

This tool is great if you have a user in your environment who is experiencing an issue that you want to gain more information about and the steps they took to reproduce the problem, or if you want to create a report to send to a third party vendor as part of a support case.


To launch the Problem Steps Recorder, go to the Start menu and type “psr.exe”. Click “Start Record” and the tool will record every interaction from then on. You can add comments during the recording process and then click “Stop Record” to save the report as an *.mht file within a zip archive.

3. Reliability Monitor

Windows Vista / 2008 and above include a tool called Reliability Monitor. This tool provides an overview of overall system stability and details about events that can impact reliability. The idea is to pinpoint any troublesome areas and take steps to improve system reliability based on what you learn (e.g. you might identify a trend in a certain application crashing when opening a certain file type).


To run the Microsoft Reliability Monitor, go to the Start menu and type ‘Reliability’. This will bring up a “View reliability history” shortcut. Clicking on this shortcut will launch the Reliability Monitor directly. You can also launch this tool from the Performance Monitor tool by right clicking on Monitoring Tools and selecting “View system reliability”.

Start by selecting whether you want to view information by Days or Weeks, and then click on a specific area within the graph to view information in the bottom hand pane. Once you’ve viewed reliability history for a specified period, you can choose to save the information to a file, view a list of all problem reports and check for solutions to problems.

4. WELT (Windows Error Lookup Tool)

When troubleshooting issues, you may come across Win32, HRESULT, NTSTATUS or STOP error codes which are likely to mean nothing to you or I. Using WELT you can find out what the error code means in plain English and what it relates to.


To launch WELT, simply execute Windows Error Lookup Tool.exe from the folder where you extracted welt.zip to. Enter the error code in the textbox and the error details will appear automatically.

5. PowerShell Troubleshooting Packs

As I mentioned in my article entitled Windows PowerShell™: Essential Admin Scripts (Part 1) the PowerShell Troubleshooting Packs (bundled with Windows 7/2008 and above) can be really handy when troubleshooting system issues. As such, they are a collection of PowerShell scripts that you can use to diagnose different aspects of your servers, clients or network. Different packages are available to troubleshoot printers, networks, performance, power, Windows Update, etc.


To run a PowerShell Troubleshooting Pack, open a PowerShell command prompt and import the modules associated with the pack by running the “Import-Module TroubleshootingPack” command. Then, run the following command to start the desired Troubleshooting Pack:

Get-TroubleshootingPack <TroubleshootingPackLocation> | Invoke-TroubleshootingPack

6. WinAudit

As part of the troubleshooting process, it is helpful to know as much information as you can about the machine where the problem resides to assist in finding a solution more quickly. WinAudit scans your computer and gathers a whole raft of information about Installed Software, TCP/IP settings, Drives, Error Logs, etc.

Note: At the time of writing, the download link available from the developer’s website was broken. You can download the latest version of this software from a popular application download site like CNET.


To start an audit of your local machine, simply execute WinAudit.exe to start the application and then click the “Audit” icon in the top left hand corner.  Once the audit is complete, you can start to review the information from the different categories in the left hand pane, or save the information as a PDF / CSV / TXT / HTML file.

7. Joeware Utilities

Joeware Utilities are a list of free troubleshooting and system information utilities aimed at making the life of an administrator easier. These tools are built by a system administrator from his own experience of not finding a tool out there that did the job he needed for whatever he was trying to solve. The tools available include anything from tools that dump user information from Active Directory, modify a user account’s expiration flag or perform TCP/IP port connection testing.

Note: Unfortunately Joeware Utilities do not come as a bundled package and will have to be downloaded individually from the website. However, using a small add-on for the NirLauncher application mention below, you can download and categorize the tools ready to be launched from the NirLauncher application itself.

Some of the tools available from Joeware Utilities include:


SidToName is a command line tool that resolves SIDs (Security Identifiers) to friendly display names. You provide it with a valid SID and it returns the object name associated with that SID.



AccExp is a command line tool that you can use to modify or read the expiration date of local user accounts.


8. Nirsoft NirLauncher

NirLauncher is an application that bundles more than 170 portable freeware utilities. The tools available include password recovery tools, Internet tools, programming tools, and system tools – all of which can be used for troubleshooting and information gathering.


Some of the most popular tools bundled with NirSoft NirLauncher include:


USBDeview is a small application that lists all current and previously connected USB devices on a local or remote machine. USB device information includes device name/description, device type, serial number, the date/time that the device was added or last used, VendorID, etc.



CurrPorts displays a list of all currently open TCP/UDP ports on the local machine. Information about which process opened the port, the time the process was created and the user that created it is displayed. Using CurrPorts you can also close open connections and export the information to a file.



Using LastActivityView you can see what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer or performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file.


9. Microsoft SysInternals Suite

Microsoft SysInternals Suite is a collection of over 60 lightweight troubleshooting tools all bundled into a single download package. Whatever issue you’re trying to tackle, you are sure to find a tool in this package to help you manage, troubleshoot and diagnose your systems and applications.

Some of the most popular tools bundled in the SysInternals Suite include:


Autoruns allows you to view which programs and services are configured to run at system boot up or login, in the order in which Windows processes them.


Process Monitor

Using Process Monitor you can troubleshoot application and system related issues by monitoring activity related to processes, threads, DLLs, the registry and file system in real-time.



Using AccessEnum you can quickly view permissions of file system directories or registry keys and then save the results to a text file and compare results with a previously saved log.


10. WSCC (Windows System Control Center)

WSCC is not a troubleshooting tool per se, but it does facilitate issue troubleshooting by acting as an inventory for various system troubleshooting tool suites (such as those from Microsoft SysInternals and NirSoft). It allows you to install, update, execute and categorize the entire collection of tools in a single location.


When you launch WSCC for the first time, you are given the option to download and install the latest versions of the entire set of over 270 tools. If you choose not to install them locally, WSCC will download each application when you first click on it and store the file in a temp folder within the WSCC directory. To launch a troubleshooting tool, choose a tool from the category within the navigation pane on the left hand side. You can also add favourite tools to the Favourites folder or search for a utility by name.



The Top 20 Free Network Monitoring and Analysis Tools for Sys Admins

1. Microsoft Network Monitor

Microsoft Network Monitor is a packet analyser that allows you to capture, view and analyse network traffic. This tool is handy for troubleshooting network problems and applications on the network. Main features include support for over 300 public and Microsoft proprietary protocols, simultaneous capture sessions, a Wireless Monitor Mode and sniffing of promiscuous mode traffic, amongst others.


When you launch Microsoft Network Monitor, choose which adapter to bind to from the main window and then click “New Capture” to initiate a new capture tab. Within the Capture tab, click “Capture Settings” to change filter options, adapter options, or global settings accordingly and then hit “Start” to initiate the packet capture process.

2. Nagios

Nagios is a powerful network monitoring tool that helps you to ensure that your critical systems, applications and services are always up and running. It provides features such as alerting, event handling and reporting. The Nagios Core is the heart of the application that contains the core monitoring engine and a basic web UI. On top of the Nagios Core, you are able to implement plugins that will allow you to monitor services, applications, and metrics, a chosen frontend as well as add-ons for data visualisation, graphs, load distribution, and MySQL database support, amongst others.

Tip: If you want to try out Nagios without needing to install and configure it from scratch, download Nagios XI from here and enable the free version. Nagios XI is the pre-configured enterprise class version built upon Nagios Core and is backed by a commercial company that offers support and additional features such as more plugins and advanced reporting.

Note: The free version of Nagios XI is ideal for smaller environments and will monitor up to seven nodes.


Once you’ve installed and configured Nagios, launch the Web UI and begin to configure host groups and service groups. Once Nagios has had some time to monitor the status of the specified hosts and services, it can start to paint a picture of what the health of your systems look like.

3. BandwidthD

BandwidthD monitors TCP/IP network usage and displays the data it has gathered in the form of graphs and tables over different time periods. Each protocol (HTTP, UDP, ICMP, etc) is color-coded for easier reading. BandwidthD runs discretely as a background service.


Installation is easy. Download and install Winpcap version 3.0 or above (you’ll already have this installed if you have Wireshark on the same box), unzip BandwidthD to a specified folder, edit the ../etc/bandwidthd.conf file accordingly, double click on the “Install Service” batch file and then start the BandwidthD services from the services.msc console. Once the service is running, give it some time to monitor network traffic and load the index.html page to start viewing bandwidth statistics.

4. EasyNetMonitor

EasyNetMonitor is a super lightweight tool for monitoring local and remote hosts to determine if they are alive or not. It is useful for monitoring critical servers from your desktop, allowing you to get immediate notification (via a balloon popup and/or log file) if a host does not respond to a periodic ping.


Once you launch EasyNetMonitor, it will appear as an icon in the notification area on your desktop where the IP addresses / host names of the machines you want to monitor can be added. Once you’ve added the machines you wish to monitor, be sure to configure the ping delay time and notification setting.

5. Capsa Free

Capsa Free is a network analyzer that allows you to monitor network traffic, troubleshoot network issues and analyze packets. Features include support for over 300 network protocols (including the ability to create and customize protocols), MSN and Yahoo Messenger filters, email monitor and auto-save, and customizable reports and dashboards.


When you launch Capsa, choose the adapter you want it to bind to and click “Start” to initiate the capture process. Use the tabs in the main window to view the dashboard, a summary of the traffic statistics, the TCP/UDP conversations, as well as packet analysis.

6. Fiddler

Fiddler is a web debugging tool that captures HTTP traffic between chosen computers and the Internet. It allows you to analyze incoming and outgoing data to monitor and modify requests and responses before they hit the browser. Fiddler gives you extremely detailed information about HTTP traffic and can be used for testing the performance of your websites or security testing of your web applications (e.g. Fiddler can decrypt HTTPS traffic).


When you launch Fiddler, HTTP traffic will start to be captured automatically. To toggle traffic capturing, hit F12. You can choose which processes you wish to capture HTTP traffic for by clicking on “All Processes” in the bottom status bar, or by dragging the “Any Process” icon from the top menu bar onto an open application.

7. NetworkMiner

NetworkMiner captures network packets and then parses the data to extract files and images, helping you to reconstruct events that a user has taken on the network – it can also do this by parsing a pre-captured PCAP file. You can enter keywords which will be highlighted as network packets are being captured. NetworkMiner is classed as a Network Forensic Analysis Tool (NFAT) that can obtain information such as hostname, operating system and open ports from hosts.


In the example above, I set NetworkMiner to capture packets, opened a web browser and searched for “soccer” as a keyword on Google Images. The images displayed in the Images tab are what I saw during my browser session.

When you load NetworkMiner, choose a network adapter to bind to and hit the “Start” button to initiate the packet capture process.

8. Pandora FMS

Pandora FMS is a performance monitoring, network monitoring and availability management tool that keeps an eye on servers, applications and communications. It has an advanced event correlation system that allows you to create alerts based on events from different sources and notify administrators before an issue escalates.


When you login to the Pandora FMS Web UI, start by going to the ‘Agent detail’ and ‘Services’ node from the left hand navigation pane. From here, you can configure monitoring agents and services.

9. Zenoss Core

Zenoss Core is a powerful open source IT monitoring platform that monitors applications, servers, storage, networking and virtualization to provide availability and performance statistics. It also has a high performance event handling system and an advanced notification system.


Once you login to Zenoss Core Web UI for the first time, you are presented with a two-step wizard that asks you to create user accounts and add your first few devices / hosts to monitor. You are then taken directly to the Dashboard tab. Use the Dashboard, Events, Infrastructure, Reports and Advanced tabs to configure Zenoss Core and review reports and events that need attention.

10. PRTG Network Monitor Freeware

PRTG Network Monitor monitors network availability and network usage using a variety of protocols including SNMP, Netflow and WMI. It is a powerful tool that offers an easy to use web-based interface and apps for iOS and Android. Amongst others, PRTG Network Monitor’s key features include:

(1) Comprehensive Network Monitoring which offers more than 170 sensor types for application monitoring, virtual server monitoring, SLA monitoring, QoS monitoring

(2) Flexible Alerting, including 9 different notification methods, status alerts, limit alerts, threshold alerts, conditional alerts, and alert scheduling

(3) In-Depth Reporting, including the ability to create reports in HTML/PDF format, scheduled reports, as well as pre-defined reports (e.g. Top 100 Ping Times) and report templates.

Note: The Freeware version of PRTG Network Monitor is limited to 10 sensors.


When you launch PRTG Network Monitor, head straight to the configuration wizard to get started. This wizard will run you through the main configuration settings required to get the application up and running, including the adding of servers to monitors and which sensors to use.

11. The Dude

The Dude is a network monitoring tool that monitors devices and alerts you when there is a problem. It can also automatically scan all devices on a given subnet and then draw and layout a map of your network.


When you launch The Dude, you first choose to connect to a local or remote network and specify credentials accordingly. Click ‘Settings’ to configure options for SNMP, Polling, Syslog and Reports.

12 Splunk

Splunk is a data collection and analysis platform that allows you to monitor, gather and analyze data from different sources on your network (e.g. event logs, devices, services, TCP/UDP traffic, etc). You can set up alerts to notify you when something is wrong or use Splunk’s extensive search, reporting and dashboard features to make the most of the collected data. Splunk also allows you to install ‘Apps’ to extend system functionality.

Note: When you first download and install Splunk, it automatically installs the Enterprise version for you to trial for 60 days before switching to the Free version. To switch to the Free version straight away, go to Manager > Licensing.


When you login to the Splunk web UI for the first time, add a data source and configure your indexes to get started. Once you do this you can then create reports, build dashboards, and search and analyze data.

13. Angry IP Scanner

Angry IP Scanner is standalone application that facilitates IP address and port scanning. It is used to scan a range of IP addresses to find hosts that are alive and obtain information about them (including MAC address, open ports, hostname, ping time, NetBios information, etc).


When you execute the application, go to Tools > Preferences to configure Scanning and Port options, then go to Tools > Fetchers to choose what information to gather from each scanned IP address.

14 ntopng

ntopng (‘ng’ meaning ‘next generation’) is the latest version of the popular network traffic analyzer called ntop. ntopng will sit in the background and gather network traffic, then display network usage information and statistics within a Web UI.

Note: Although originally aimed for use on Unix-based systems, there is a Windows version available for a small fee, or a demo version limited to 2000 packets. If you are comfortable running ntopng on a Unix-based box then you can get the full version for free.


The image above shows the ntopng dashboard after a few minutes of network traffic collection. In this example, I am using the Windows version. After installation, I simply executed the redis-server.exe file from ..\Program Files (x86)\Redis and fired up the Web UI (

15. Total Network Monitor

Total Network Monitor continuously monitors hosts and services on the local network, notifying you of any issues that require attention via a detailed report of the problem. The result of each probe is classified using green, red, or black colors to quickly show whether the probe was successful, had a negative result or wasn’t able to complete.


When you launch Total Network Monitor, go to Tools > Scan Wizard to have the wizard scan a specified network range automatically and assign the discovered hosts to a group. Alternatively, create a new group manually to start adding devices/hosts individually.

16. NetXMS

NetXMS is a multi-platform network management and monitoring system that offers event management, performance monitoring, alerting, reporting and graphing for the entire IT infrastructure model. NetXMS’s main features include support for multiple operating systems and database engines, distributed network monitoring, auto-discovery, and business impact analysis tools, amongst others. NetXMS gives you the option to run a web-based interface or a management console.


Once you login to NetXMS you need to first go to the “Server Configuration” window to change a few settings that are dependent on your network requirements (e.g. changing the number of data collection handlers or enabling network discovery). You can then run the Network Discovery option for NetXMS to automatically discover devices on your network, or add new nodes by right clicking on “Infrastructure Services” and selecting Tools > Create Node.

17. Xymon

Xymon is a web-based system – designed to run on Unix-based systems – that allows you to dive deep into the configuration, performance and real-time statistics of your networking environment. It offers monitoring capabilities with historical data, reporting and performance graphs.


Once you’ve installed Xymon, the first place you need to go is the hosts.cfg file to add the hosts that you are going to monitor. Here, you add information such as the host IP address, the network services to be monitored, what URLs to check, and so on.

When you launch the Xymon Web UI, the main page lists the systems and services being monitored by Xymon. Clicking on each system or service allows you to bring up status information about a particular host and then drill down to view specific information such as CPU utilization, memory consumption, RAID status, etc.

18. WirelessNetView

WirelessNetView is a lightweight utility (available as a standalone executable or installation package) that monitors the activity of reachable wireless networks and displays information related to them, such as SSID, Signal Quality, MAC Address, Channel Number, Cipher Algorithm, etc.


As soon as you execute WirelessNetView, it automatically populates a list of all reachable Wi-Fi networks in the area and displays information relevant to them (all columns are enabled by default).

Note: Wireless Network Watcher is a small utility that goes hand in hand with WirelessNetView. It scans your wireless network and displays a list of all computers and devices that are currently connected, showing information such as IP adddress, MAC address, computer name and NIC card manufacturer – all of which can be exported to a html/xml/csv/txt file.


19. Xirrus Wi-Fi Inspector

Xirrus Wi-Fi Inspector can be used to search for Wi-Fi networks, manage and troubleshoot connections, verify Wi-Fi coverage, locate Wi-Fi devices and detect rogue Access Points. Xirrus Wi-Fi Inspector comes with built-in connection, quality and speed tests.


Once you launch Wi-Fi Inspector and choose an adapter, a list of available Wi-Fi connections is displayed in the “Networks” pane. Details related to your current Wi-Fi connection are displayed in the top right hand corner. Everything pretty much happens from the top ribbon bar – you can run a test, change the layout, edit settings, refresh connections, etc.

20. WireShark

This list wouldn’t be complete without the ever popular WireShark. WireShark is an interactive network protocol analyzer and capture utility. It provides for in-depth inspection of hundreds of protocols and runs on multiple platforms.

When you launch Wireshark, choose which interface you want to bind to and click the green shark fin icon to get going. Packets will immediately start to be captured. Once you’ve collected what you need, you can export the data to a file for analysis in another application or use the in-built filter to drill down and analyze the captured packets at a deeper level from within Wireshark itself.




Use RBackup with online file sync services like Mozy and Carbonite seem to frighten some RBS Partners. But don’t worry! They’re actually really good for our business. Here’s how you can join them instead of fighting them!

You know these guys – Mozy, Carbonite, Dropbox, and now Microsoft’s OneDrive. There are many of them giving away high capacity storage services for free or next to free. They spend a lot of money on advertising, which helps RBS Partners by raising the public’s awareness of  as a safe, reliable means of protecting files.

They are pretty good for backing up personal computers – your pictures and songs – but they absolutely are no good for business backups.

They’re reasonably fast and reasonably reliable, and they have a ton of storage space. So what’s their downside? THEY DON’T HAVE SMART CLIENT SOFTWARE!

Most of them have just a simple file transfer engine that watches a directory and just backs up whatever shows up there. They can back up simple single files that are not locked or in use, and for many of the services, the backed up files are not encrypted.

They are no good at business backups like Exchange, Sharepoint, Active Directory, System State, NTFS permissions, and many other file and database types that your RBackup software is really good at.

Luckily, your RBackup software is REALLY smart, so smart, in fact, that it can send backups to these other services, too, maintaining RBackup’s military grade encryption.

Now you can back up Exchange, Active Directory, locked files, and all – compressed and fully encrypted, digitally signed, and verified – using these cheap services for storage, and your RBS Server for authentication.

In fact, RBackup can use as many online storage services as you like – hundreds if you want, all at the same time, one for each Backup Set. You can actually access hundreds of gigabytes of free storage from multiple services, tying them all together with RBackup.

The RBackup Client’s unique hybrid backup system can send backups to your RBS Server, to a local drive, and to a cloud location, all at the same time. It can also use just one of the locations.

Here’s an interesting application for this capability.

Regardless to which location the Client is sending backups, the Client must always authenticate with the RBS Server to get permission to run. This keeps you in control of your accounts.

Set the Client’s Cloud Backup location to one of the free services. UNCHECK “RBS Server” so the Client will not send its backups to your RBS Server. Now you have a system that makes the Client authenticate with the RBS Server, but send its files to one or more of the free services.

Your RBS Server acts as an authentication server only.

We tested three such services, using RBackup to back up and restore files, using the RBS Server for authentication only, and the free services for backing up files. Here’s how we did it.



DropBox is easy. Install the DropBox application. Set RBClient’s  Cloud Backup Folder to the DropBox location.


Create a directory for Carbonite to sync. We’ll call it “Carbonite Sync”

Install the Carbonite application. Uncheck the default file selections (if asked.)

Open Windows Explorer and browse to your new Carbonite Sync folder. Right-click on it and select Carbonite -> Back This Up.

Set the RBClient Cloud Backup Folder to the new Carbonite Sync folder.


Install the Carbonite Sync&Share application. Uncheck the default Desktop and Documents selections.

In the Carbonite Sync&Share application, browse for your new Carbonite Sync folder and select it.

Finish the Carbonite Sync installation.


Mozy Stash (Mozy Sync)

To back up using Mozy, we have to use a Post Process Command File. This example shows you how to use that file with Mozy, and how to use Post Process Command Files to spread your backups around to as many different online services as you like.

Mozy Sync sets its sync directory to Read Only, so our RBClient application cannot write to it directly. The workaround is to create another directory (we’ll call it “sync”) and set that directory as your Cloud Backup folder.

Then, create a post processing command file that copies your backup files from the “sync” folder to the “Mozy Sync” folder. Here’s an example:

xcopy “h:\ sync\CB_DEMO\*.*” “h:\Mozy Sync” /E /C /I /H /R /K /Y /S /D

In the above example, “CB_DEMO” is a folder that is automatically created inside the Cloud Backup Folder. It always starts with “CB_” and ends with the account name. In this case, the account name is “DEMO.”

Open up Notepad. Type in the above line, changing the file and folder names to match those you have set up on your computer.

Save this as a plain text file to the application folder for your Rbackup Client software, typically C:\Program Files\Remote Backup.

Name the file post-{backupsetname}.bat. Replace {backupsetname} with the name of the backup set you want to run.

For example, if your backup set is named “default” then the post processing command file will be called post-default.bat.

The RBClient software will automatically run this command file after it has done its backup, copying all the backup files to your Mozy Sync folder. The Mozy Sync application will sync all these files with your Mozy account.

If you are testing, remember to remove the post processing command file before you test with other cloud services. This command file will run after each backup that is done with backup set “default.”

You can use the Post Process Command File to back up to other services. Just define a Backup Set for each service you want to use, and give each Backup Set a different name, like “SendtoCarbonite,” and “SendtoDropBox.”

Then create a command file that copies your backups to the appropriate folder for syncing with the online sync service. For Example, name this one post-sendtocarbonite.bat:

xcopy “h:\sync\CB_DEMO\*.*” “h:\Carbonite Sync” /E /C /I /H /R /K /Y /S /D

Here’s a bonus application for using the free storage services with RBackup. (We get extra points for figuring this out!)

Point an RBS Server’s data directory at one or more of the online services to have your RBS Server automatically replicated offsite in free storage space!

Each customer can even have his own individual replication offsite by pointing individual client folders (on the RBS Server) to the sync services.

OK now the caveat – Using the free services like this may violate their Terms of Service, so do it at your own risk.




System and network analysis

1. NTFS Permissions Explorer

Using this MMC snap-in you can quickly visualize the user and group permissions of a local or remote folder or drive in a hierarchical format to help identify problems.


2. Xirrus Wi-Fi Inspector

Wi-Fi Inspector is a powerful Wi-Fi management and troubleshooting tool that allows you to locate and verify Wi-Fi devices, detect rogue Access Points, troubleshoot connections, and search for Wi-Fi networks.


3. Whois

Whois performs a lookup of the registration information of a given IP address or domain name.


4. ShareEnum

ShareEnum allows you to scan and view the security settings of file shares on your network.


5. PipeList

PipeList displays a list of named pipes on your system, including the number of active instances and the instance threshold.


6. TcpView

TCPView allows you to view detailed TCP and UDP connection information in a user friendly format.


7. The Dude

The Dude from MicroTik can automatically scan all devices within a given subnet and then draw and layout a map of your network.


8. Microsoft Baseline Security Analyzer

The MBSA is a tool that can be used to detect missing security updates and typical security misconfigurations.


9. WireShark

WireShark is an interactive network protocol analyser and capture utility. It provides for in-depth inspection of hundreds of protocols and runs on multiple platforms.


10. Look@LAN

Look@LAN allows you to quickly scan your network looking for active nodes. It provides monitoring, reporting, logging and OS detection features.


11. RogueScanner

RogueScanner will scan your network looking for rogue devices and access points, classifying them in a way that allows you to quickly see what’s on your network.


12. Capsa Free Network Analyzer

Using this tool you can monitor, troubleshoot and diagnose issues on your network. It has a Microsoft Office-like user interface.


13. SuperScan

SuperScan is a fast connection-based TCP port scanner, pinger and hostname resolution tool.


14. Blast

Blast is a lightweight TCP service stress test tool that can help pinpoint weaknesses in your network.


15. UDPFlood

UDPFlood is a lightweight UDP service stress test tool that sends out packets to a specified IP or port.


16. IPplan

This tool allows you to quickly and easily track and manage your network IP addresses.


17. NetStumbler

NetStumbler is an application that allows you to detect the presence of a wireless network using 802.11a/b/g. It is useful for detecting rogue access points, finding locations with poor signal, verifying network configurations and determining the cause of wireless interference.


18. PingPlotter

PingPlotter is a lightweight tracert application that generates graphs to help you visualize the route of the packets from source to destination.


19. SolarWinds Free Permissions Analyzer for AD

Using this tool you can quickly visualize the user and group permissions of a folder or shared drive in a hierarchical format. It can track share level permissions, provide a breakdown of share level and file level permissions and help identify why certain users have the permissions they do.


20. Angry IP Scanner

Angry IP Scanner is a fast standalone IP address and port scanner.


21. FreePortMonitor

FreePortMonitor is a tool for monitoring servers and applications on your network.


22. WirelessNetView

WirelessNetView monitors the activity of wireless networks in the area and displays information related to them, such as SSID, Signal Quality, MAC Address, Channel Frequency, etc.


23. BluetoothView

BluetoothView monitors the activity of Bluetooth devices in the area and displays information related to them, such as Device Name, Bluetooth Address, Device Type, etc.


24. Vision

Vision allows you to view all open TCP and UDP ports and then maps them back to the owning process or application.


25. Attacker

Attacker is a TCP/UDP port listener that allows you to define a list of ports that you want it to listen on and it will notify you when a connection is established on that port.


26. Total Network Monitor

Total Network Monitor is a comprehensive network monitoring application that allows you to view the state of your network. It is customizable and has advanced alerting features, letting you know when something is wrong.


27. IIS Logfile Analyser

This tool allows you to analyse your IIS logfiles to determine website statistics such as number of visitors, number of downloads, etc.


28. ntop

ntop uses a web-based interface that allows you to monitor network traffic and statistics.



System testing and troubleshooting

29. Pinkie

Pinkie is a collection of network troubleshooting utilities that allows pinging multiple hosts, forward and reverse DNS lookup, a ping sweeper, and a subnet calculator.


30. VMWare Player

VMWare Player is a multi-platform virtualization solution that can be used to create and run multiple 32-bit or 64-bit virtual machines. Ideal for testing or development environments.


31. Oracle VirtualBox

VirtualBox is a free, multi-platform general-purpose virtualization solution that can be used to create and run multiple virtual machines. Ideal for testing or development environments.


32. ADInsight

ADInsight is a real-time monitoring tool used for troubleshooting LDAP (Lightweight Directory Access Protocol) clients.


33. Process Monitor

Process Monitor allows you to monitor activity related to processes, threads, DLLs, the registry and file system in real-time. Useful for troubleshooting application and system related issues.


34. SpiceWorks Network Troubleshooting

SpiceWorks Network Troubleshooting is an all-in-one tool that allows you to perform routine troubleshooting tasks such as killing processes remotely, access devices remotely, ping, tracert and nslookup, and even compare the status of two devices.


35. RAMMap

RAMMap allows you to analyse physical memory allocation in your system. You are able to determine how much file data is cached in RAM, how much RAM is used by the kernel and device drivers, etc.


36. Autoruns

Autoruns allows you to view which programs are configured to run at system boot up or login.


37. LogFusion

Using LogFusion you can view and monitor log files in real-time.


38. Microsoft Log Parser

Using Microsoft Log Parser you can generate a custom-formatted output file containing the results of multiple log file sources such as XML, CSV, Event Logs, or the Registry.


39. AppCrashView

AppCrashView allows you to view Windows Error Reporting (*.WER) files in a simple user interface and then save the results into TXT/CSV/HTML/XML file format.


40. RootKitRevealer

RootKitRevealer allows you to detect the presence of rootkits that operate by attempting to hide their files or registry entries.



System and network management

41. Bitcricket IP Subnet Calculator

This tool allows you to calculate subnets and CIDR routes automatically using its intuitive interface and auto-discovery feature.


42. EMCO Remote Installer Starter

The free version of EMCO Remote Installer (Starter edition) allows you to perform a software inventory of applications installed on your network. You can retrieve and track changes as well as save reports.


43. ManagePC

ManagePC allows you to create an inventory of all your machines in the domain, including hardware, software, devices, patches, group policies, etc.


44. Pandora FMS

Pandora FMS is a network monitoring solution that allows you to monitor multiple platforms, from Linux machines, to Solaris machine, to Windows machines. It provides alerts and reporting for CPU, disk and memory usage, temperature, or even application values.


45. SNARE Audit and EventLog Management

SNARE (System iNtrusion Analysis and Reporting Environment) allows you to install agents onto your server machines to facilitate the centralized collection of logs, including Windows, Solaris, AIX, ISA Server, IIS Server, SMTP, Exchange, Apache, etc.


46. OCS Inventory

OCS Inventory is an automated inventory and deployment application. It allows you to determine what devices or software are installed on your network and deploy software or configuration scripts using a simple web-based interface.


47. Zenoss Core – Enterprise IT Monitoring

Using the Zenoss Core application, you can monitor systems availability, performance, events and configuration across the network.


48. Unipress Free Help Desk

Unipress Free Help Desk is a simple yet powerful Help Desk solution that allows you to create, assign and receive issue tickets. It contains a web portal and knowledgebase for self-help.


49. SysAidIT Free Help Desk

Using this tool, you can easily manage and service requests and create an inventory of installed software and network devices on your network.


50. Cyberx Password Generator Pro

Cyberx Password Generator Pro allows you to create random highly secure passwords.


51. KeePass Password Safe

KeePass is a lightweight, user-friendly password manager. It allows you to store all your passwords in a central location that is encrypted using military grade encryption.


52. TweakUAC

Using TweakUAC you can quickly enable, disable UAC or set it to quiet mode.


53. Microsoft Application Compatibility Toolkit

The Microsoft Application Compatibility Toolkit allows you to evaluate and mitigate application compatibility issues during the pre-deployment phase of a Windows 7, Windows Vista, or new Internet Explorer version installation.


54. ExtraSpy Employee Monitor

ExtraSpy Employee Monitor allows you to monitor employee activities across your network to help detect misuse of company property or unproductive individuals.


55. NetWrix USB Blocker Freeware

Using this tool you can centrally manage access control of removable media on your network.


56. FileZilla

FileZilla is a cross-platform FTP, FTPS and SFTP client.


57. Wake On Lan 2 .NET

The Wake On Lan 2 .NET tool allows you to manually or automatically power on, restart or shutdown machines or devices over your local network.


58. Speccy

Speccy is a system information tool that allows you to quickly see comprehensive details related to your machine.


59. Active Directory Explorer (ADExplorer)

ADExplorer is an advanced Active Directory viewer and editor tool. It allows you to navigate through an Active Directory database and view and edit object properties and attributes.


60. ADRestore

ADRestore allows you to restore deleted Windows Server 2003 Active Directory server objects.



File and disk management

61. Disk2vhd

Disk2vhd allows you to create a Virtual Hard Disk (VHD) of a live machine, which can then be loaded using Microsoft Virtual PC or Microsoft Hyper-V.


62. Defraggler

Using Defragler you can defrag individual files on an NTFS or FAT32 file system.


63. PageDefrag

PageDefrag allows you to view the defragmentation status of the system Page File and Registry Hives and defragments them. It also allows you to defragment events logs and Windows 2000/XP hibernation files.


64. PsPad

PsPad is a powerful text editor that can be used as a substitute for Notepad and is useful for creating scripts, programming, file comparison, etc.


65. MD5Summer

Using MD5Summer, you can quickly generate MD5 hashes for files within a folder, allowing you to ensure or verify file integrity.


66. Universal Viewer

Universal Viewer is a multi-format file viewer that allows you to view different file types from a single interface. Supported file formats include Text, Image, MS Office, Audio, Video, amongst others.


67. FreeCommander

FreeCommander is a comprehensive file manager that aims to be an alternative to Windows Explorer.


68. Recuva

Using Recuva you can recover files you accidentally deleted from your machine.


69. Steganos LockNote

Steganos LockNote allows you to securely store confidential notes such as license keys, passwords, phone numbers, etc. It uses AES-256 encryption to store your text in a self-executable container that requires a password to open it.


70. Microsoft SyncToy

SyncToy is an application that can be used as a backup utility to synchronized files and folders between two locations.


71. 7-Zip

7-Zip is a powerful file archiving utility with a high compression ratio that supports a multitude of compression formats, including 7z, GZIP, TAR, ZIP, CAB, MSI, etc.


72. PeaZip

PeaZip is a cross-platform file and archive manager that supports volume spanning, high levels of compression and encryption and support for a wide range of archiving formats.


73. Bacula

Bacula is a suite of applications that allow for the backup, recovery and verification of data across a network.


74. Areca Backup

Areca Backup is a file-based backup application that supports incremental, image and delta backups to a local drive or an FTP server.


75. DirSync Pro

Directory Synchronize Pro is a powerful synchronization utility used to synchronize the contents of a directory to a given location. It provides scheduling, filtering, and logging functionality.


76. Amanda Network Backup

Amanda is a powerful multi-platform backup and archiving application that supports tape, disk, and optical media. Using a single master backup server, you can set Amanda to backup multiple clients across your network.


77. WebSynchronizer

WebSyncrhonizer allows you to manually or automatically backup, replicate and synchronize files to an FTP server or across your network.


78. KGB Archiver

KGB Archiver is a file archiving tool with a high level of compression that uses AES-256 for its encryption feature.


79. Iometer

Iometer is a disk I/O performance analysis tool that allows you to perform stress tests and displays the read and write speed of a specified drive.


80. Notepad++

Notepad++ is a powerful text editor that can be used as a substitute for Notepad and is useful for creating scripts, programming, file comparison, etc.


Performance and availability monitoring

81. ManageEngine Free HyperV Performance Monitor

HyperV Performance Monitor allows you to monitor CPU, Memory, Disk and Network utilization of your Microsoft Hyper-V virtual servers. It displays the results in a dashboard.


82. Nagios

Nagios is a powerful network monitoring tool that allows you to ensure that your critical systems, applications and services are always up and running. It provides features such as alerting, event handling, and reporting.


83. ManageEngine Free Exchange Health Monitor

Exchange Health Monitor allows you to monitor CPU and memory resource utilization, mail queue status, POP/IMAP performance counters, mailbox users, etc of your Microsoft Exchange 2003/2007/2010 servers. It displays the results in a dashboard.


84. Kratos Exchange Monitor

Kratos Exchange Monitor will continuously monitor your Microsoft Exchange Servers and provide a real-time view of its health, including mail queues, CPU and memory utilization, hard drive space, etc.


85. ManageEngine Free Windows Health Monitor

Windows Health Monitor allows you to monitor CPU and memory resource utilization, disk usage and I/O, running applications, etc of your Windows Client and Server machines. It displays the results in a dashboard.


86. ManageEngine Free Ping Tool

Free Ping Tool monitors the availability of servers, routers, switches, mail servers and web servers using the power of ICMP ping. It displays the results in a dashboard.


87. ManageEngine Free SQL Health Monitor Tool

The SQL Health Monitor Tool will monitor the performance and availability of your Microsoft SQL Server 2005 and 2008 servers. It can monitor CPU, memory and disk usage, as well as SQL specific parameters such as page reads/writes and buffer cache. It displays the results in a dashboard.


88. ManageEngine Free VM Configuration Tool

Using the VM Configuration Tool you can configure VMWare ESX virtual servers options like increasing or decreasing RAM and allocating more CPUs. It also monitors the performance of the virtual machines, reporting on CPU, memory, disk and network utilization.


89. Kratos Network Device Monitor

This tool allows you to monitor any SNMP devices on your network, ensuring their availability and performance.


90. IxChariot QCheck

QCheck is a small yet powerful network performance management tool that allows you to quickly check network response times, TCP/UDP throughput, streaming traffic, and troubleshoot wireless network performance problems.


91. EasyNetMonitor

A small, lightweight tool for monitoring local and remote hosts to determine if they are alive or not.


Remote management

92. Remote Desktop Manager

Remote Desktop Manager is a tool that allows you to centrally manage your remote connections. It support RDP, VNC, TeamViewer, FTP, SSH, Telnet, etc.


93. TightVNC

TightVNC is a cross-platform lightweight application used for remotely administering clients and server machines.


94. Microsoft RDCMan

RDCMan allows you to manage multiple remote desktop sessions from a single interface.


95. Terminals

Terminals is a secure multi-tab remote connection management client. It supports both terminal services and remote desktop client and allows you to better manage multiple connections from a single interface.


96. PsFile

PsFile displays a list of files on a system that are opened remotely and allows you to close them.


All-in-one toolkits

97. Net Tools 5.0

Net Tools is a comprehensive set of monitoring, network scanning, security and administration tools packed into an intuitive and user friendly UI. It includes 175 utilities including an Advanced Port Scanner, TCP Packet Sniffer, Bandwidth Monitor, Hash MD5 Checker, Fast FTP Client, and Standard Encrypter.


98. ManageEngine Free Windows Tools 2

The ‘Free Windows Tools 2’ kit contains a set of free Windows tools for Network Administrators, including the Remote Task Manager Tool, Wake on LAN, Software Inventory Tool, Remote Command Prompt Tool, GPO Update, Shutdown/Restart Tool, Join/Unjoin Computer Tool, Currently Logged On User, Hard Disk Space Detector Tool, Local Users/Groups List Tool, Network Share Browser Tool, and Laptop Battery Power Monitor Tool.


99. Axence NetTools Pro

NetTools Pro is a set of tools that network administrators can use for monitoring, network scanning, security and administration.


100. Free IP Tools

Free IP Tools is a collection of common tools used to troubleshoot network applications and services in a single interface. It includes tools such as PortScan, TraceRoute, Shares, SNMPAudit, etc.


101. PsTools

PsTools is a suite of tools that help you to administer your systems. The tools including in the package allow you to display, execute and kill processes remotely, retrieve system and logon information, and control account passwords and services.


Here are 20 of the best free tools that will help you conduct a digital forensic investigation. Whether it’s for an internal human resources case, an investigation into unauthorized access to a server, or if you just want to learn a new skill, these suites and utilities will help you conduct memory forensic analysis, hard drive forensic analysis, forensic image exploration, forensic imaging and mobile forensics. As such, they all provide the ability to bring back in-depth information about what’s “under the hood” of a system.

This is by no means an extensive list and may not cover everything you need for your investigation. You might also need additional utilities such a file viewers, hash generators, and text editors – checkout 101 Free Admin Tools for some of these. My articles on Top 10 Free Troubleshooting Tools for SysAdmins, Top 20 Free Network Monitoring and Analysis Tools for Sys Admins and Top 20 Free File Management Tools for Sys Admins might also come in handy since they contain a bunch of tools that can be used for Digital Forensic Investigations (e.g. BackTrack and the SysInternals Suite or the NirSoft Suite of tools).

Even if you may have heard of some of these tools before, I’m confident that you’ll find a gem or two amongst this list.


The SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu based Live CD which includes all the tools you need to conduct an in-depth forensic or incident response investigation. It supports analysis of Expert Witness Format (E01), Advanced Forensic Format (AFF), and RAW (dd) evidence formats. SIFT includes tools such as log2timeline for generating a timeline from system logs, Scalpel for data file carving, Rifiuti for examining the recycle bin, and lots more.


When you first boot into the SIFT environment, I suggest you explore the documentation on the desktop to help you become accustomed to what tools are available and how to use them. There is also a good explanation of where to find evidence on a system. Use the top menu bar to open a tool, or launch it manually from a terminal window.

02 ProDiscover Basic

ProDiscover Basic is a simple digital forensic investigation tool that allows you to image, analyse and report on evidence found on a drive. Once you add a forensic image you can view the data by content or by looking at the clusters that hold the data. You can also search for data using the Search node based on the criteria you specify.


When you launch ProDiscover Basic you first need to create or load a project and add evidence from the ‘Add’ node. You can then use the ‘Content View’ or ‘Cluster View’ nodes to analyse the data and the Tools menu to perform actions against the data. Click the ‘Report’ node to view important information about the project.

03 Volatility

Volatility is a memory forensics framework for incident response and malware analysis that allows you to extract digital artefacts from volatile memory (RAM) dumps. Using Volatility you can extract information about running processes, open network sockets and network connections, DLLs loaded for each process, cached registry hives, process IDs, and more.


If you are using the standalone Windows executable version of Volatility, simply place volatility-2.1.standalone.exe into a folder and open a command prompt window. From the command prompt, navigate to the location of the executable file and type “volatility-2.1.standalone.exe –f <FILENAME> –profile=<PROFILENAME> <PLUGINNAME>” without quotes – FILENAME would be the name of the memory dump file you wish to analyse, PROFILENAME would be the machine the memory dump was taken on and PLUGINNAME would be the name of the plugin you wish to use to extract information.

Note: In the example above I am using the ‘connscan’ plugin to search the physical memory dump for TCP connection information.

04 The Sleuth Kit (+Autopsy)

The Sleuth Kit is an open source digital forensics toolkit that can be used to perform in-depth analysis of various file systems. Autopsy is essentially a GUI that sits on top of The Sleuth Kit. It comes with features like Timeline Analysis, Hash Filtering, File System Analysis and Keyword Searching out of the box, with the ability to add other modules for extended functionality.

Note: You can use The Sleuth Kit if you are running a Linux box and Autopsy if you are running a Windows box.


When you launch Autopsy, you can choose to create a new case or load an existing one. If you choose to create a new case you will need to load a forensic image or a local disk to start your analysis. Once the analysis process is complete, use the nodes on the left hand pane to choose which results to view.

05 FTK Imager

FTK Imager is a data preview and imaging tool that allows you to examine files and folders on local hard drives, network drives, CDs/DVDs, and review the content of forensic images or memory dumps. Using FTK Imager you can also create SHA1 or MD5 hashes of files, export files and folders from forensic images to disk, review and recover files that were deleted from the Recycle Bin (providing that their data blocks haven’t been overwritten), and mount a forensic image to view its contents in Windows Explorer.

Note: There is a portable version of FTK Imager that will allow you to run it from a USB disk.


When you launch FTK Imager, go to ‘File > Add Evidence Item…’ to load a piece of evidence for review. To create a forensic image, go to ‘File > Create Disk Image…’ and choose which source you wish to forensically image.

06 Linux ‘dd’

dd comes by default on the majority of Linux distributions available today (e.g. Ubuntu, Fedora). This tool can be used for various digital forensic tasks such as forensically wiping a drive (zero-ing out a drive) and creating a raw image of a drive.

Note: dd is a very powerful tool that can have devastating effects if not used with care. It is recommended that you experiment in a safe environment before using this tool in the real world.

Tip: A modified version of dd is available from http://sourceforge.net/projects/dc3dd/ – dc3dd includes additional features that were added specifically for digital forensic acquisition tasks.


To use dd, simply open a terminal window and type dd followed by a set of command parameters (which command parameters will obviously depend on what you want to do). The basic dd syntax for forensically wiping a drive is:

dd if=/dev/zero of=/dev/sdb1 bs=1024

where if = input file, of = output file, bs = byte size

Note: Replace /dev/sdb1 with the drive name of the drive you want to forensically wipe and 1024 with the size of the byte blocks you want to write out.

The basic dd syntax for creating a forensic image of a drive is:

dd if=/dev/sdb1 of=/home/andrew/newimage.dd bs=512 conv=noerror,sync

where if = input file (or in this case drive), of = output file, bs = byte size, conv = conversion options

Tip: For additional usage info, from a terminal window, type “man dd” without quotes to bring up the help manual for the dd command.


CAINE (Computer Aided INvestigative Environment) is Linux Live CD that contains a wealth of digital forensic tools. Features include a user-friendly GUI, semi-automated report creation and tools for Mobile Forensics, Network Forensics, Data Recovery and more.


When you boot into the CAINE Linux environment, you can launch the digital forensic tools from the CAINE interface (shortcut on the desktop) or from each tool’s shortcut in the ‘Forensic Tools’ folder on the applications menu bar.

08 Oxygen Forensic Suite 2013 Standard

If you are investigating a case that requires you to gather evidence from a mobile phone to support your case, Oxygen Forensics Suite (Standard Edition) is a tool that will help you achieve this. Features include the ability to gather Device Information (Manufacturer, OS Platform, IMEI, Serial Number, etc.), Contacts, Messages (Emails, SMS, MMS, etc.) and recovery of deleted messages, Call Logs, and Calendar and Task information. It also comes with a file browser which allows you to access and analyse user photos, videos, documents and device databases.


When you launch Oxygen Forensic Suite, hit the ‘Connect new device’ button on the top menu bar to launch the Oxygen Forensic Extractor wizard that guides you through selecting the device and type of information you wish to extract.

09 Free Hex Editor Neo

Free Hex Editor Neo is a basic hex editor that was designed to handle very large files. While a lot of the additional features are found in the commercial versions of Hex Editor Neo, I find this tool useful for loading large files (e.g. database files or forensic images) and performing actions such as manual data carving, low-level file editing, information gathering, or searching for hidden data.


Use ‘File > Open’ to load a file into Hex Editor Neo. The data will appear in the middle window where you can begin to navigate through the hex manually or press CTRL + F to run a search.

10 Bulk Extractor

bulk_extractor is a computer forensics tool that scans a disk image, file, or directory of files and extracts information such as credit card numbers, domains, e-mail addresses, URLs, and ZIP files. The extracted information is output to a series of text files (which can be reviewed manually or analysed using other forensics tools or scripts).

Tip: Within the output text files you will find entries for data that resemble a credit card number, e-mail address, domain name, etc. You will also see a decimal value in the first column of the text file that, when converted to hex, can be used as the pointer on disk where the entry was found (i.e. if you were analysing the disk manually using a hex editor for example, you would jump to this hexadecimal value to view the data).


Bulk_extractor comes as a command-line tool or a GUI tool. In the example above I set the bulk extractor tool to extract information from a forensics image I took earlier and output the results to a folder called “BE_Output”. The results can then be viewed in the Bulk Extractor Viewer and the output text files mentioned above.


DEFT is another Linux Live CD which bundles some of the most popular free and open source computer forensic tools available. It aims to help with Incident Response, Cyber Intelligence and Computer Forensics scenarios. Amongst others, it contains tools for Mobile Forensics, Network Forensics, Data Recovery, and Hashing.


When you boot using DEFT, you are asked whether you wish to load the live environment or install DEFT to disk. If you load the live environment you can use the shortcuts on the application menu bar to launch the required tools.

12 Xplico

Xplico is an open source Network Forensic Analysis Tool (NFAT) that aims to extract applications data from internet traffic (e.g. Xplico can extract an e-mail message from POP, IMAP or SMTP traffic). Features include support for a multitude of protocols (e.g. HTTP, SIP, IMAP, TCP, UDP), TCP reassembly, and the ability to output data to a MySQL or SQLite database, amongst others.


Once you’ve installed Xplico, access the web interface by navigating to http://<IPADDRESS>:9876 and logging in with a normal user account. The first thing you need to do is create a case and add a new session. When you create a new session you can either load a PCAP file (acquired from Wireshark for example) or start a live capture. Once the session has finished decoding, use the navigation menu on the left hand side to view the results.

13 LastActivityView

I briefly touched on LastActivityView when pointing out the NirSoft suite of tools in my Top 10 Free System Troubleshooting Tools for SysAdmins article. LastActivityView allows you to view what actions were taken by a user and what events occurred on the machine. Any activities such as running an executable file, opening a file/folder from Explorer, an application or system crash or a user performing a software installation will be logged. The information can be exported to a CSV / XML / HTML file. This tool is useful when you need to prove that a user (or account) performed an action he or she said they didn’t.


When you launch LastActivityView, it will immediately start displaying a list of actions taken on the machine it is being run on. Sort by action time or use the search button to start investigating what actions were taken on the machine.

14 Digital Forensic Framework

The Digital Forensics Framework (DFF) is a digital forensic investigation tool and a development platform that allows you to collect, preserve and reveal digital evidence. Amongst others, DFF’s features include the ability to read RAW, EWF and AFF forensic file formats, access local and remote devices, analyse registry, mailbox and file system data and recover hidden and deleted files.


When you launch DFF, you first need to load an evidence file (i.e. a forensic image you acquired previously) or open a device ready for analysis. You can then process the evidence file or device against one of the in-built modules to begin analysing data.

15 Mandiant RedLine

RedLine offers the ability to perform memory and file analysis of a specific host. It collects information about running processes and drivers from memory, and gathers file system metadata, registry data, event logs, network information, services, tasks, and Internet history to help build an overall threat assessment profile.


When you launch RedLine, you will be given a choice to Collect Data or Analyze Data. Unless you already have a memory dump file available, you’ll need to create a collector to gather data from the machine and let that process run through to completion. Once you have a memory dump file to hand you can begin your analysis.

16 PlainSight

PlainSight is a Live CD based on Knoppix (a Linux distribution) that allows you to perform digital forensic tasks such as viewing internet histories, data carving, USB device usage information gathering, examining physical memory dumps, extracting password hashes, and more.


When you boot into PlainSight, a window pops up asking you to select whether you want to perform a scan, load a file or run the wizard. Enter a selection to begin the data extraction and analysis process.

17 HxD

HxD is one of my personal favourites. It is a user-friendly hex editor that allows you to perform low-level editing and modifying of a raw disk or main memory (RAM). HxD was designed with easy-of-use and performance in mind and can handle large files without issue. Features include searching and replacing, exporting, checksums/digests, an in-built file shredder, concatenation or splitting of files, generation of statistics and more.


From the HxD interface start your analysis by opening a file from ‘File > Open’, loading a disk from ‘Extras > Open disk…’ or loading a RAM process from ‘Extras > Open RAM…’.

18 HELIX3 Free

HELIX3 is a Live CD based on Linux that was built to be used in Incident Response, Computer Forensics and E-Discovery scenarios. It is packed with a bunch of open source tools ranging from hex editors to data carving software to password cracking utilities, and more.

Note: The HELIX3 version you need is 2009R1. This version was the last free version available before HELIX was taken over by a commercial vendor. HELIX3 2009R1 is still valid today and makes for a useful addition to your digital forensics toolkit.


When you boot using HELIX3, you are asked whether you want to load the GUI environment or install HELIX3 to disk. If you choose to load the GUI environment directly (recommended), a Linux-based screen will appear giving you the option to run the graphical version of the bundled tools.

19 NetSleuth

NetSleuth is a network forensics analysis tool that identifies devices on your network. It operates in ‘live’ mode (where it will actively capture network packets and interpret device information) or in ‘offline’ mode where it will process a PCAP file that you import.

Note: At the time of writing, NetSleuth is in BETA. It is not recommended that you run this in a production environment. It made this list because it promises to be a handy addition to your forensic toolkit. The author of this tool is currently asking for feedback from the community so now is your chance to contribute!


When you launch NetSleuth, you can either initiate a ‘live’ analysis from the Live Capture tab, or load a PCAP file from the Offline Analysis tab. Once NetSleuth has identified at least one device, you can double click on it to open the Device Information window.

20 P2 eXplorer Free

P2 eXplorer is a forensic image mounting tool that allows you to mount a forensic image as a physical disk and view the contents of that image in Windows Explorer or load it into an external forensic analysis tool. P2 eXplorer supports images in RAW, DD, IMG, EX01, SMART and SafeBack format, amongst others.


When you launch P2 eXplorer, choose an available drive letter to mount the image to and click ‘File > Mount Image…’ to choose the image to mount. Once the image has been mounted, double click on the associated drive letter to view the contents of that image in Windows Explorer.


Top 20 Free Disk Tools for SysAdmins

Here are 20 of the best free tools for partitioning, cloning, diagnostics, repair, recovery, encryption, wiping or drive information. This list is intended to supplement the list provided on 101 Free SysAdmin Tools. Even if you may have heard of some of these tools before, I’m confident that you’ll find a gem or two amongst this list.

1. TestDisk

TestDisk allows you to repair boot sectors, recover deleted partitions, fix damaged partition tables, and recover deleted data, as well as copy files from deleted/inaccessible partitions. It works on a number of different file systems including FAT/NTFS/exFAT/ext2.

Note: Bundled with TestDisk is a companion application called PhotoRec. PhotoRec recovers photos, videos and documents from different storage media by going beyond the file system and looking for specific data blocks (i.e. clusters) belonging to the missing file(s).


When you first run TestDisk you are asked to choose whether you want a log file to be created. You are then given a list of partition table types to choose from (this will allow the application to use the correct signature when reading the partitions on all available disks), before being presented with a list of available hard drive partitions to perform a selected action on. The choice of actions you can perform on each partition include:

(1)    analysing the partition for the correct structure (and repairing it accordingly if a problem is found)

(2)    changing the disk geometry

(3)    deleting all data in the partition table

(4)    recovering the boot sector

(5)    listing and copying files

(6)    recovering deleted files

(7)    creating an image of the partition

2. Parted Magic

Parted Magic is a Linux-based bootable CD/USB that contains a series of HDD/SSD disk management tools such as GParted, GSmartControl, Disk Eraser and CloneZilla.


When you boot the machine using Parted Magic you are presented with a menu asking which GUI version you’d like to load (xvesa or xorg), as well as whether you want to load Parted Magic directly from RAM. Once Parted Magic has loaded, the UI is much like a Linux operating system – all you need to do is select which tool to run and go from there.

3. WinDirStat

WinDirStat is a disk usage and clean-up utility that allows you to visualize how data is distributed across a disk and what types of data or which locations are hogging up most space.


Once you’ve loaded WinDirStat and chosen which drives you’d like to analyse, you are presented with a tree view of the files and folders contained on each drive as well as a graphical representation showing which files are taking up most space. Clicking on a box within the graphic will display the file in question within the tree view on the left hand pane of the window.

4. CloneZilla

CloneZilla is a disk imaging and cloning tool that is also packaged with Parted Magic but originally available as a standalone tool in two versions; CloneZilla Live and CloneZilla SE (Server Edition). CloneZilla Live is a bootable Linux distribution that allows you to clone individual machines and CloneZilla SE is a package that you install and configure on a Linux distribution that allows you to push images to multiple clients simultaneously over the network.


5. OSFMount

Using this utility you can mount image files as drive letters and then browse the data directly. OSFMount supports image files such as DD, ISO, BIN, as well as VMWare Images (*.VMDK) and Nero Burning ROM Images (*.NRG). A neat additional feature of OSFMount is its ability to create RAM disks, useful if you want additional security (since everything within RAM will be flushed when the machine is shutdown) or need to store data that requires fast access times (such as browser cache, database files, etc.).


After you run OSFMount, go to File > Mount new virtual disk… to get started. Remember to leave “Read-only drive” checked, otherwise you risk overwriting data within the image you’ve just mounted.

6. Defraggler

Defraggler is a lightweight yet powerful defragmentation tool that allows you to defrag whole drives or selected files/folders. It has an intuitive interface that helps you to quickly visualize how much of the drive is fragmented and which files are causing most fragmentation.


Once you’ve performed an Analysis of the drive, you can use the Drive map to see which files are fragmented. Hover your mouse over a particular square on the map and click on it to display the files associated with that particular colour (e.g. fragmented, not fragmented, etc.).

7. SSDLife

SSDLife displays information about your SSD drive, its health status and estimated lifetime – all useful for helping you to plan ahead and take action accordingly.


SSDLife automatically detects the model of your SSD drive and displays information about it instantly upon loading the application.

Tip: Each SSD manufacturer should have their own SSD drive management software which gives information similar to SSDLife Free. For example, the “Intel SSD Toolbox” can be used with the SSD shown in the screenshot above to display health status, detailed device information, and estimated life remaining.

8. Darik’s Boot And Nuke (DBAN)

DBAN is a bootable application that forensically wipes hard drives to prevent identity theft. This tool is useful when you are recycling or decommissioning a server/workstation.


The two main options in DBAN are Interactive mode and Automatic mode. Interactive mode allows you to select which drives to wipe and which options to use when wiping them. Automatic mode will automatically wipe all discovered drives – no questions asked!

9. HD Tune

HD Tune can measure the read/write performance of your HDD/SSD, scan for errors, check the health status and display drive information.


Once you start the application, select the drive from the drop down list and navigate to the appropriate tab to view the information you need or start a scan accordingly.

10. TrueCrypt

TrueCrypt is an open-source encryption application that can encrypt entire drives/partitions. It can also create an encrypted volume that appears as a normal file but is only accessible when mounted via TrueCrypt using the provided password. TrueCrypt allows you to select from a list of encryption algorithms that all use a 256-bit key size.


When you open the TrueCrypt application, select a drive letter and click the “Create Volume” button to get started. This will launch the TrueCrypt Volume Creation Wizard which walks you through the process of encrypting a partition or creating an encrypted container file.

11. CrystalDiskInfo

CrystalDiskInfo is a hard drive health monitoring tool that displays drive information, disk temperature and monitors S.M.A.R.T attributes. CrystalDiskInfo can be configured to trigger an alert (i.e. write to the event log, send an e-mail or make a sound) when a certain threshold is reached, so it can be left to actively monitor the HDD and notify you automatically.


The bar at the top displays all active hard drives. Clicking on each one will display the information for that drive. The Health Status and Temperature icons change colour depending on their value.

12. Recuva

In a few simple clicks, Recuva allows you to recover files from your computer that were accidentally deleted or that have become damaged or corrupt. The Quick-Start Wizard walks you through the recovery process by asking a couple of simple questions about what you want to recover and where you want to recover it from and then initiating a quick scan. You can skip the wizard and go straight to the application if you wish.


From the Recuva interface, select the drive to scan from the drop down box on the left hand side, choose a pre-defined file type filter from the drop down box on the right hand side and then click “Scan” to get started. The filters can be edited to add or remove file types by extension. The Options button allows you to modify options such as enabling a Deep Scan (instead of a Quick Scan), changing the viewing mode, as well as increasing the secure overwriting method (how many times to overwrite a block of data).

13. TreeSize

An alternative to WinDirStat is a lightweight application called TreeSize. TreeSize quickly scans drives or folders and displays the folder sizes in descending order (by default) to help you pinpoint which folders are taking up most space. The NTFS Compression flag can be enabled directly from within the application.

Once installed, TreeSize can also be started from the context menu by right clicking on a drive or folder and selecting “TreeSize Free” which will automatically open an instance of the application and display the details for that drive or folder.

Note: When you have Defraggler, Recuva and TreeSize installed at the same time, you can initiate the Defraggler and Recuva features directly from within TreeSize for a given folder – all three applications integrate seamlessly.


Using the menu bar or the icons across the taskbar you can select options such as sorting by size or name, showing values in GB/MB/KB, displaying the percentage/file size/file count of the listed folders, and choosing which drives you wish to display details for.

14. HDDScan

HDDScan is a hard drive diagnostic utility used to test for disk errors, show S.M.A.R.T attributes, monitor disk temperature and perform a read/write benchmark.


When you launch HDDScan, select the drive you wish to perform an action on from the drop down box on the left. Once selected, click the icon in the middle to get started.

15. Disk2vhd

Disk2vhd allows you to create a Virtual Hard Disk (VHD) of a live machine for use with Microsoft Virtual PC or Microsoft Hyper-V. This is a great tool for simulating your live environment within a virtual environment for testing purposes or if you wish to have a virtualized backup of your live environment for redundancy purposes.


Use of this tool is simple. Choose a name and location for the VHD file to be stored, select which volumes to include and click “Create”. Disk2vhd also has some command line options, allowing you to script the creation of VHD files.

16. NTFSWalker

NTFSWalker allows you to perform a low-level analysis of all records (included deleted data) within the MFT table of an NTFS drive. You can examine the properties of each record and extract its contents out to a file.


When you load NTFSWalker, you are first asked to select a disk to scan. Once you select the disk and confirm which partition you wish to view, the MFT records are displayed on the left hand pane and the details are displayed on the right hand pane. From the right hand pane, you can view the record properties, preview the file or review the contents in raw format (Hex Data).

17. GParted

GParted is an open-source application for managing partitions. Using GParted you can manipulate partitions (i.e. create, delete, resize, move, copy) and attempt to recover data from lost partitions on a vast amount of file systems.


GParted comes as a bootable CD which loads a Linux distribution containing the GParted application. When you download the ISO file you will need to burn the image onto a CD or follow the instructions to install it onto a bootable USB drive. When you launch GParted, you are presented with a list of partitions to choose from. Select the desired partition and choose an option to perform by right clicking on it, pressing an icon on the taskbar or navigating to an option on the menu bar.

18. SpeedFan

SpeedFan is a useful diagnostic utility that allows you to view details about the health of your machine, including hard disk temperatures and S.M.A.R.T (Self-Monitoring, Analysis and Reporting Technology) attributes.


When you launch SpeedFan, the main tabs you will use for hard drive information are the Readings tab and the S.M.A.R.T tab. The Clocks tab can be used to compare temperature, voltage or fan speeds between two or more objects.

19. MyDefrag

MyDefrag is a disk defragmentation and optimization utility that offers fast performance with little overhead and a number of actions tailored towards different disk uses (e.g. an action specifically for defragging the system disk, an action specifically for defragging flash memory drives, or the ability to only analyse the disk). MyDefrag also allows you to create or customize your own scripts and has a command line version so you can schedule the running of the application at given times.


When you launch MyDefrag, you are presented with a series of scripts to choose from. Each script performs a given action against the disk(s) chosen from the bottom pane. Once you’ve selected a script and checked the desired disk(s), hit “Run” to initiate the action.

20. DiskCryptor

An alternative to TrueCrypt is DiskCryptor. DiskCryptor is an easy-to-use open-source application that allows you to encrypt whole partitions using the TwoFish / AES / Serpent algorithms, or a combination of any of the three. DiskCryptor supports FAT12, FAT16, FAT32, NTFS and exFAT file systems, allowing encryption of internal or external drives.


When you launch DiskCryptor, select a partition and click “Encrypt” to get started. You will then need to select which encryption algorithm to use and will be asked to enter a password. The encryption process will begin as soon as you press “OK”.



Network sysadmins

The DNS Tool Dig
Nichols Fong ported the dig tool from Unix to Windows, and it is a great cmd-line way to check A, MX, TXT, PTR, and other DNS records without having to use a website.

The DNS Tool Whois
Included in the download of dig is a whois command, which can help you identify the responsible party for a domain in case you have problems sending to, or receiving from, or just want to query the authoritative nameservers for that domain.

The OpenSSL tools are great when you need to troubleshoot certificates, or convert them between Microsoft and other standard formats (like when you want to use a cert from your Exchange server with a new loadbalancer or SSL accelerator).

The iPerf tools suite
Need to test bandwidth and network performance between servers? The iPerf tools include client and server, and can run sustained tests to find network issues.

Simply the best protocol analyzer around, and the price can’t be beaten.

Network Monitor
Microsoft’s own protocol analyzer grew up with version 3.0, and many admins might find less resistance

The security sysadmin

Microsoft Safety Scanner
Microsoft also has a free online security scan that can help you clean up after an accident.

Attack Surface Analyzer
This tool is a self-check vulnerability analyzer that helps you quantify a system’s specific attack service as a part of evaluating risk.

While the list above should keep you occupied for hours, there’s no way we have listed all your favorites. Leave us a comment with your favorite tools and we’ll share them with our readers and sysadmins.


PowerShell Collection
Not a single tool, but a collection of modules for PowerShell all in one place.
Microsoft Remote Desktop Connection Manager
There’s no way I want to RDP into systems without a clean, simple interface that can sort, group and keep everything in one window. This is that tool.

18 Free Security Tools for SysAdmins

Here are 18 of the best free security tools for password recovery, password management, penetration testing, vulnerability scanning, steganography and secure data wiping.

01 BackTrack

BackTrack is a free bootable Linux distribution that contains a plethora of open source tools that you can use for network security and penetration testing. The tools are organized into different categories such as ‘Information Gathering’, ‘Vulnerability Assessment’, ‘Exploitation Tools’, ‘Privilege Escalation’ and ‘Maintaining Access’, amongst others.


When you boot into BackTrack, you are taken to a Linux shell where you will need to enter “startx” to load the GUI. When the BackTrack GUI has loaded, click the ‘Install BackTrack’ shortcut on the desktop to initiate the BackTrack installation. Once complete, reboot the machine and access the tools from Applications > BackTrack.

Kali Linux

Note: When BackTrack was taken over by a commercial entity, they remained committed to sustaining an open source security and penetration testing distribution and re-built BackTrack from the ground up into what is now known as Kali Linux. Kali Linux is another useful addition to your security toolkit and will eventually render BackTrack redundant. Download it from here and try it out for yourself.

02 Cain & Abel

Cain & Abel allows you to recover passwords by sniffing the network, cracking encrypted passwords, recording VoIP conversations, decoding scrambled passwords, and revealing password boxes, amongst others. It also contains an Access Database password decoder, RDP password decoder, VNC password decoder and Hash Calculator.


When you launch Cain & Abel, start by exploring the Decoders tab and the Cracker tab – this is where you can set Cain & Abel to decode and display passwords for various protocols or applications. You should also check out the Sniffer tab – this is where you can capture usernames and passwords as they travel across the network between different hosts.

03 Password Safe

Password Safe allows you to create an encrypted database container for listing all your usernames and passwords, which can only be accessed by means of a “master password”. The encrypted database container file can be backed up and transferred between locations for convenience.


When you load Password Safe for the first time, you’ll first need to create a new Password Safe Database and then enter a Safe Combination which will be used to encrypt the database. The Safe Combination will be used every time you wish to gain access to the list of passwords. Once you’ve created the database, right click on a blank area within the main window and choose “Create Entry” to create a new entry – here, you’ll be able to store a username, a password and any relevant notes.

Tip: Password Safe contains an in-built Password Generator which you can access from Manage > Generate Password, or by using CTRL + P.

04 Eraser

Eraser allows you to completely remove data from your hard drive by overwriting each data block several times using an erasure method of your choice.


To get started, open Eraser, right click anywhere on the blank section of the main window and click “New Task”. You will be asked to select when the task should be run, the data you wish to remove and the erasure method to be used (e.g. US Air Force 5020 (3 passes) or Gutmann (35 passes)).

05 Security Onion

Security Onion is a Linux distribution tailored for use as an IDS (Intrusion Detection System) and NSM (Network Security Monitoring) toolkit. It contains tools like Snort, ELSA, Xplico, and NetworkMiner and the in-built setup wizard makes it easy to use.


When you boot from the Security Onion ISO file, you are given the option to launch the live system or system installer. If you choose to launch the live system you will be taken to an Ubuntu-based Linux interface with a series of tools available for you to use. You will also have the ability to launch the Security Onion setup wizard.

06 Rapid7 MetaSploit Community Edition

Metasploit Community Edition allows you to simulate attacks on your network to uncover security issues. Features include the ability to discover network assets, conduct basic penetration tests and exploit individual vulnerabilities.

Tip: Rapid7’s Nexpose Vulnerability Scanner (Community Edition) integrates with MetaSploit Community Edition to offer increased functionality.

Note: MetaSploit also comes in a “Framework” edition which is the original open source platform for manual exploitation and brute forcing via a command line interface.


When you launch the MetaSploit Community UI, you’ll first need to create an account and enter a product licence key (which you can obtain for free when downloading the installation package). You can then get going immediately by performing a network discovery from the Overview tab.

07 WinDump

WinDump is essentially TcpDump for Windows. TcpDump is a powerful network packet analyser for Linux that can be used for network debugging and security monitoring. Using WinDump allows you to have the same functionality as TcpDump in a Windows environment.


WinDump requires WinPcap 3.1 or above to be installed. Once you’ve installed this, simply execute windump.exe from a command line to initiate the packet capture process. Unless you wish to perform a live analysis, dumping the results to a text file is recommended. To do this, type “windump >> c:\folder\textfile.txt” in the command prompt, and replace the text file location with one of your choice.

08 Network Security Toolkit (NST)

Network Security Toolkit (NST) is a bootable live CD containing a wealth of open source network security tools that can be used by security professionals for network security analysis, validation, testing and monitoring.


When you boot from the NST ISO file, you first choose whether you wish to launch the command-line version or the GUI version. If you choose the command-line version, you’ll need to run the tools manually by issuing a series of commands and parameters. If you choose the GUI version, a Linux type environment will load giving you the option of installing the NST tools to disk or running them directly from the “Activities” menu.

09 OpenVAS

OpenVAS is an open source Vulnerability Assessment System that offers a selection of tools and services for vulnerability scanning and vulnerability management. The security scanner feeds off an online database of over 30,000 network vulnerability tests and is updated regularly.


When you launch the OpenVAS web UI you can launch a quick scan against an IP address or hostname or create a new task manually from the Scan Management tab. When the scan is complete you can view the results and download a report detailing the open ports, vulnerabilities found and the information log.

10 OpenPuff

Steganography is all about hiding in plain sight. Essentially you are hiding data within data. OpenPuff is a steganography tool with features that include multi-level encryption, pseudo random number generator based data scrambling, whitening, and encoding which make for a strong steganography algrithm. OpenPuff also includes the ability to add a decoy password to reveal decoy data (in case you were ever suspected of receiving a steganography file and asked to reveal the data) as well as the ability to split the hidden data over multiple files (carriers).


To initiate data hiding, launch OpenPuff and press the “Hide” button. Follow the four step process to enter a password, add the secret data, add the carrier files, and choose the level of bit selection to be used. Optionally, add decoy data and then click “Hide Data!” to begin.

11 Freeraser

Freeraser is a data shredder tool that permanently deletes data by overwriting the data blocks with random data multiple times. Freeraser offers three options for data destruction – a ‘fast’ option which uses 1 round, a ‘forced’ option which uses 3 rounds and an ‘ultimate’ option which uses 35 rounds of overwriting with random data.

When Freeraser is open, a large recycle bin icon will appear on the desktop. To erase files, simply drag them to the icon. A warning message will pop up stating that the data will be permanently destroyed if you continue. You can also choose which files to remove by right clicking on the icon and selecting “Select File to Destroy”.

12 OpenStego

OpenStego is a basic easy-to-use steganography tool that takes any ‘secret’ message file as input and embeds it into a cover file to create a resulting image. You are given the option to compress and encrypt data and control the algorithm used in the steganography process.

Note: OpenStego is built using Java so you will need to run it on a machine that has Java installed.


The first thing you need to do is select the steganography algorithm to be used and the ‘secret’ message file you wish to be hidden. You then select the cover file (the image to be used to conceal the secret message file within it) and the output filename. Once you are done, click “OK” to start the obfuscation process.

13 Retina Network Community

Retina Network Community is a free vulnerability scanner for up to 256 IPs that offers powerful vulnerability assessment across operating systems, applications, devices and virtual environments within your network using a comprehensive vulnerability database that is updated regularly.


When you launch Retina Community, start by setting up your Audit from the Audit section at the top – here, you can choose what credentials to use, which targets to scan, which ports to detect, which audit types to run, and what information to obtain from each target. Once you’ve done this hit the “Scan” button to initiate the scan and view the results at the bottom of the window.

14 OWASP Mantra

OWASP Mantra is a browser based security framework which includes a selection of integrated and online tools that can be used for penetration testing and web application testing. There is everything from online network and information gathering utilities to an integrated SSH client.


When you launch the OWASP Mantra browser you are presented with a Welcome page with a splash screen similar to the Windows 8 interface. From here you can browse to the “Hackery” or “Gallery” pages to discover the available online tools. On the left hand side of the browser is a selection of icons which launch the integrated tools.

15 KeePass

KeePass is a light-weight user-friendly password manager that allows you to store username and password combinations in a highly-encrypted database. Access to the database is secured using a master password or key file.


When you first launch KeePass you’ll need to enter a “Master Key” which is used to prevent access to the password database. You can then start to create groups for categorization and password entries for each group. KeePass also has a search facility in the top menu bar for quick access to a certain password or to help you find a password entry if you can’t remember it – this saves you navigating through each group.

16 Nmap

Nmap allows you to perform network discovery and security auditing, including tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Note: The Nmap package comes with Zenmap (a front-end GUI for Nmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).


Zenmap can be used to control Nmap from a GUI rather than a command-line. Upon launching Zenmap, enter the target to be scanned and choose a scan profile before clicking “Scan. Results will be displayed in the “Nmap Output” tab with a further breakdown available in the Ports/Hosts, Topology, Host Details, and Scans tabs.

17 PuTTY

PuTTY is a lightweight application that allows someone sitting at a Windows machine to remotely connect to a Linux server using the SSH, Telnet and Rlogin network protocols. The PuTTY family of tools also consists of PSCP (an SCP client for secure command-line file copy), PSFTP (an SFTP client), PuTTYtel (a Telnet-only client), Plink (a command-line interface to the PuTTY back ends), Pageant (an SSH authentication agent) and PuTTYgen (an RSA and DSA key generation utility).

Note: On the server side, you will likely have an SSH implementation such as OpenSSH (http://www.openssh.org/) which encrypts all traffic transmitted across the network and is useful for securing protocols like telnet, rlogin and ftp (which transmit data over the network in plain text).


Once you enter the connection details and click Open, a command prompt type window will appear asking you to login to the specified server. Once you do this, you can issue commands directly to that server.

18 RANDOM.ORG – Random Password Generator

The Random Password Generator from random.org does just that – it generates random passwords for you based on a set of criteria you provide. Unlike some websites, the generated passwords are delivered to you over an SSL connection for added security (last thing you want is a rogue on your network capturing packets and discovering all your newly generated passwords!).


Simply navigate to http://www.random.org/passwords/ and enter the required criteria to get started. If you want more criteria to be considered when generating a password, try using the Random String Generator at https://www.random.org/strings/.



The top 23 free data recovery tools

our fault, my fault, nobody’s fault… it doesn’t matter. When a file you need is gone, all you really want to do is get it back: as quickly and as painlessly as possible. Deleted by accident? Formatted by mistake? Drive corrupted by the latest attempt at quadruple-booting? Plugged in the power to a non-hot swappable drive? Dragged a DVD across the gravel parking lot? Ran the USB key through the wash? We’ve heard, seen, and even done most of them, and along the way we have found a number of great tools to bring our data back from the dead.

These 23 free data recovery tools run the gamut. There’s bound to be a tool in this list that can bring your dead data back too. As long as the drive is not physically dead, there is a chance. Try one of these tools out.

1. Recuva

With both free and pay editions, Recuva is an incredibly powerful tool for recovering data from Linux and Window partitions. With support for all Windows versions from XP through Windows 8.1, this is a great tool to bring dead data back to life. It is one tool that has saved me multiple times over the years.


2. Pandora Recovery

With a free version for recovering data from secondary drives, and a pay version you can put on a USB key to recover an operating system drive, Pandora Recovery has a versatile offering that can bring back most data without issue.

3. PC INSPECTOR File Recovery

Completely free, PC INSPECTOR File Recovery is a great recovery tool for Windows systems. It can recognize data types even when the header is missing, so you can recover from deletions, formatting, or even total volume loss.

4. PC INSPECTOR Smart Recovery

Also free, Smart Recovery is a tool focused on recovery files from external media, like flash drives and SD cards. It’s a bit older than File Recovery, but still works great and can handle proprietary file formats.

5. FreeUndelete

The name of this tool from OfficeRecovery says it all. It’s free for personal use, and it undeletes files that you have deleted, even if you SHIFT-DEL or empty the Recycle Bin. What it lacks in fancy features it more than makes up for in efficiency and simplicity.


6. ADRC Data Recovery Software Tools

This suite of tools includes undelete, copy, raw copy, imaging, and boot sector repair.


NTFS.com Data Recovery Software Tools include several standalone products that can handle almost any data recovery scenario. In addition to the free versions, there are pay versions with even more features. You can download a free trial of a bootable ISO with all of the tools on one image from http://www.boot-disk.com. Make sure you look closely at each tool’s free version, as they include a lot when you get into the details. The set includes…

7. Active File Recovery

This is probably the first tool to try, as it can handle undeletes, deletes that bypass the Recycle Bin, formatted or corrupted files, lost partitions, and more.

8. Active Partition Recovery

This tool can help you to recover a formatted or repartitioned drive in its entirety. It can also fix lost MBR and GPTs and can read from VMware virtual disk images.

9. Active UNDELETE

This tool can run on Windows and recover data from non-Windows file systems including Linux Ext#, UFS, EFS, and HFS+.

10. NTFS Data Recovery Toolkit

Built specifically for NTFS volumes, this toolkit includes a disk editor, partition manager, and recovery tools. It also has great instructions on how to use each tool.

11. Unformat

For all your external drive needs, Unformat can recover entire disks including external USB, thumb drives, and SD cards that you’ve accidentally deleted.

12. Active UNERASER

This tool can be used to recover data lost due to damaged, formatted, or deleted partitions and includes several other tools including a partition manager, a disk monitor, and more.

13. Active Boot Disk Lite

Sometimes the data is not lost; it is just inaccessible because the operating system won’t boot. This tool is a bootable operating system image that can be used to gain access to the hard disk when the installed operating system won’t boot, so you can copy off data to external media before reinstalling.


14. WinHex

A multitasker that includes a disk editor, imaging software, encryption and checksumming, format converter, and more. It is more targeted towards investigation and forensics than simple data recover, and has several different levels of licensing, depending upon required features. It has an evaluation version that is free to try for as long as you need.


15. TestDisk

Software designed to recover lost partitions or repair drives that are no longer bootable. It can repair most file systems (NTFS, FAT, EXT) and also recover data from deleted partitions. OpenSource, it can run under most versions of Windows, Linux, BSD, and Mac operating systems. It also can be deployed as a bootable image to recover from unbootable systems.


16. Wise Data Recovery

A freeware application to recover data from hard drives and removable media. It is simple to use and fast to find data, making it an excellent choice when you need your files back quickly.

17. Data Recovery Wizard

This tool can recover data that has been deleted, formatted, or from drives that have been corrupted. The free version has a 2GB cap, but often the data you are trying to save is much smaller than that, so most users can do a lot with a 2GB trial. It has both Windows and Mac versions.

18. EaseUS MobiSaver Free

This tool offers hope for mobile devices too, with a free data recovery tool for both iOS and Android platforms. This app can recover specific data types from iOS devices and most files from Android devices.

19. SoftPerfect File Recovery

Also from EaseUS, this tool can restore deleted files from FAT and NTFS partitions on fixed and removable media. It is a self-contained executable and runs on everything from XP through Windows 8.

20. Puran Data Recovery

This tool can read files from damaged physical media, like corrupted flash or scratched optical drives. If your operating system can show the files, then this tool will read them off, ignoring any bad sectors to recover as much usable data as possible.

21. Puran File Recovery

Another tool that goes after deleted files and brings them back from the dead. There is a portable version that can be put on a flashdrive or bootable disk like BartPE, and it supports both FAT and NTFS partitions.

22. CD Recovery Toolbox

Designed to recover data from damaged CDs and DVDs. If they are scratched or smudged or faded, but there is still some readable data on the disk, this is a tool that can bring back as much salvageable data as possible.

23. UndeleteMyFiles Pro

It may sound like a pay-for edition, but it is absolutely free and comes with a collection of tools for data recovery, including File Rescue, Media Recover, Deleted File Search, Emergency Disk Image, and Mail Rescue. It also has a secure file wipe utility, showing it plays both sides.


Wi-Fi glossary -71 terms you need to know


With the growing popularity of Wi-Fi and its increasing prominence in corporate networks, it is important to understand the various terms, acronyms, and standards that are rapidly becoming a part of the lingo. To that end, we’ve put together this glossary of common terms that are used.

20 MHz Channel

The default bandwidth used by 2.4GHz wireless networks. When a Wi-Fi access point and all associated clients can support a 40 MHz channel, higher throughput is possible by combining channels. Whenever another access point that does not support 40 MHz channels is present, or if a legacy client is present, then all devices must use 20 MHz channels.

40 MHz Channel

Newer access points and clients can use 40 MHz channels in the 2.4 GHz range to obtain higher throughputs. As long as all devices within the network can support this then the network can use 40 MHz channels, but if any legacy device is present, the entire network must fall back to using a 20 MHz channel.


The IEEE committee and the set of standards maintained by the IEEE for wireless networking.


The IEEE standard for wireless networking in the 5 GHz range. 802.11a networks can support up to 54 Mbps throughput and operate in the UNII bands.


The IEEE standard for wireless networking in the 5 GHz range. 802.11ac networks can support up to 1 Gbps throughput using multiple channels, 500 Mbps using a single channel, and operate in the UNII bands. It will use 80 and 160 MHz channels and MIMO to achieve higher throughput rates.


The IEEE standard for wireless networking in the 2.4 GHz range. 802.11b networks support up to 11 Mbps throughput and operate in the ISM band.


The IEEE standard for wireless networking that addresses the Media Access Control (MAC) layer to comply with rules in each country.


The IEEE standard for wireless networking Quality of Service (QoS) on 802.11 a, b, and g networks.


The IEEE standard for wireless networking in the 2.4 GHz range. 802.11g networks support up to 54 Mbps throughput and operate in the ISM band.


The IEEE standard for wireless networking that sets the requirements for Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC) so that Wi-Fi devices can coexist in the same UNII frequency ranges as other 5 GHz devices.


The IEEE standard for wireless networking security, using AES encryption, authentication using 802.1x, and data integrity.


The IEEE standard for wireless networking to meet the legal requirements within Japan. These include power, frequency, and operational characteristics of wireless networks.


The IEEE standard for wireless networking that can use both the 2.4 GHz and 5 GHz ranges, with MIMO. 802.11n compatible access points and clients can support throughput rates of up to 600 Mbps, and clients are backwards compatible with older access points that can only do 802.11 a, b, or g.


An IEEE standard for port-based authentication to the network. It can be used in Ethernet switches to restrict access to the wired network as well as in wireless access points to restrict access to the Wi-Fi network. 802.1x can use username/password or certificates to authenticate to the network. It is typically used in combination with wireless encryption schemes to provide confidentiality and integrity.

Access Point

A device that acts as the bridge between wireless clients and the wired network. Often abbreviated as AP.

Ad Hoc Mode

A peer to peer mode of networking using Wi-Fi networking but no access point. Ad Hoc networks can include more than two devices.


The Advanced Encryption Standard is a symmetric block encryption protocol used in WPA2 and other protocols to encrypt data with a high degree of protection and a low CPU overhead.


Combining multiple channels (even across bands) to obtain higher overall throughput. See also channel bonding.


Abbreviation for Access Point.


The process a client goes through to begin exchanging data with an Access Point. A client will listen for beacons from an AP for the SSID that it wants to use, and then will exchange hello packets with the AP with the strongest signal and/or supported data rates. Association can be open, or can require a pre-shared key. Once associated, the client may be required to successfully authenticate before the AP will pass data between the client and the rest of the network.


A client may be required to authenticate to the wireless network before it can pass data between itself and other hosts. Authentication can be open, but can also require a certificate, username/password, or pre-shared key.


A beacon is transmitted by an AP ten times per second, and advertises the existence of the AP on a particular channel or channels. It includes information needed by clients to associate and may include the ESSID, the supported channels and data rates, and whether it is open or requires authentication.


A standard for short range wireless connectivity between devices, used with mice, keyboards, mobile phones, printers, speakers, and more. Bluetooth uses frequencies in the same ISM band as 802.11b and g Wi-Fi networks.


A network device that interconnects two dissimilar network types. An AP can act as a bridge between the wired and wireless networks, but can also serve as a wireless connection between two wired segments. See Workgroup Bridge.


BSSID stands for Basic Service Set Identifier and is the MAC address of the AP.

Captive Portal

In wireless networking, a captive portal is a process running on an AP that can intercept and redirect clients who have associated to a web page where they must agree to terms of service, provide a password, or even purchase access. These are common in hotels, airports, guest networks, and other locations that offer Internet access but want to charge a fee, restrict it to authorized users, or require the user to accept their AUP. See hotspot.


A channel is the network path for wireless transmissions. Each Wi-Fi standard has numerous channels, each of which is a central frequency. There are 11 channels in 802.11b and g networks in the United States and Canada; 14 in most other countries. There are 9 channels in 802.11a networks in the United States, with various counts for other regions of the world. Some countries including the US can have additional channels in the 5 GHz range if they employ DFS. Channels have a bandwidth-the greater the bandwidth, the greater the potential throughput. See 20 MHz and 40 MHz channels.

Channel Bonding

In 802.11b and g networks, multiple channels can be combined to obtain greater throughput when all access points and clients can support it. See also aggregation.

Closed Network

A closed network requires users to have authentication information before they can get onto the network.

Collision Avoidance

Collision avoidance (CA) is the method wireless devices typically employ to ensure data transmissions do not interfere with others. CA schemes can use a Clear to Send/Ready to Send (CTS/RTS) scheme where they signal readiness to transmit data, but must wait to be acknowledged by a central controller (AP) before transmitting actual data. Contrast this with Ethernet and its collision detection (CD) scheme where hosts transmit and then listen to see if others are also transmitting, and then sending a jamming signal to indicate a collision, and falling back a random period of time before trying again.

Concurrent Operation

Also called Dual Band, APs that can use both 2.4 and 5 GHz bands are capable of concurrent operation. These can offer 802.11n capabilities to compatible clients while also servicing legacy clients using 802.11 b, g, and a.

Direct Sequence Spread Spectrum (DSSS)

DSSS is the modulation technique used by 802.11b networks to transmit data. It is resistant to interference, and permits sharing of a channel amongst multiple purposes, however it requires more bandwidth to transmit than the actual data being transmitted.


Using multiple antennae to reduce interference and improve both transmission and reception of signals.


See Concurrent Operation.


The Extensible Authentication Protocol (EAP) can be used to provide authentication to the wireless network when employing WPA-Enterprise and WPA2-Enterprise.


EAP-FAST is Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling. It is one possible EAP scheme used in wireless networks for authentication. It is being promoted by Cisco as a replacement for LEAP.


EAP-TLS is Extensible Authentication Protocol-Transport Layer Security. It is one possible EAP scheme used in wireless networks for authentication, and uses client certificates. It is widely deployed across most major Wi-Fi vendors.


EAP-TTLS/MS-CHAPv2 is Extensible Authentication Protocol-Tunneled TLS using MSCHAPv2. It is one possible EAP scheme used in wireless networks for authentication, and uses a username/password (typically authenticated by Active Directory) to provide authentication.


The Extended Service Set Identifier is the “name” of the wireless network, and is used by all APs that provide access to the same infrastructure in an ESS. It can be advertised by APs in their beacons, or suppressed so that clients must ‘know’ the ESSID before associating with an AP. See ESS.


An extended service set (ESS) refers to a network with two or more APs working cooperatively. They share access to the same VLAN, use the same SSID, and can support fast handoff between clients that move from the coverage range of one AP to another.

Frequency Hopping Spread Spectrum (FHSS)

FHSS is the modulation technique used by Bluetooth and other technologies that use the same frequency ranges as 802.11 networks. Transmissions hop across multiple frequencies several times per second, and can work well at short ranges even in the presence of multiple competing systems trying to use the same frequency ranges.


An AP set up specifically to provide Internet access to users. Hotspots are popular in coffee shops, restaurants, and other publicly accessible locations, and usually do not require any authentication or offer any encryption. They provide the convenience of free Internet access to attract customers.

ISM Band

The Industrial, Scientific, and Medical frequency bands are unlicensed bands used by a variety of devices for wireless connectivity. In the 2.4 GHz ISM band, 802.11b and g network devices, Bluetooth devices, NFC devices, baby monitors, and microwave ovens all compete for bandwidth.

Lightweight Extensible Authentication Protocol

LEAP was developed by Cisco to provide authentication to networks using WEP for encryption. It is vulnerable to dictionary attacks and has been replaced by EAP-FAST.

MAC Address Filtering

An approach to restricting access to a wireless network by only permitting clients to connect if their MAC address is on a list. MAC address filtering is not scalable, and since most wireless NICs can be configured to use any MAC, easily defeated by anyone within range that can pick up transmissions from an authorized client and simply use their MAC address.


Multiple Input/Multiple Output signaling that uses several transceivers and antennae to improve throughput and range of the wireless network. Both APs and clients can use MIMO, though it is most often a feature of APs.

Network Name



Near Field Communication is a technology used most often with mobile devices to exchange data based on proximity, or even physical contact. NFC technology is being built into mobile phones for data transfer, touch to pay technologies, and smartcard reading. NFC is also being incorporated into some APs to make setting up a client easier. See WPS.


Orthogonal frequency-division multiplexing is used by 802.11a, g, n, and ac standards using multiple carrier frequencies. It is especially useful at obtaining higher throughput and overcoming interference in discrete frequencies.

Open Network

An open wireless network permits association and authentication without requiring a passphrase, certificate, or credentials. Open networks are often called hotspots and provide free Internet access to anyone within range. Many coffee shops and restaurants will deploy these to attract customers. They may still incorporate a captive portal. See hotspots.


A password or combination of words used to provide authentication to a wireless network WEP uses fixed 40 or 104 bit passphrases, while WPA and WPA2 can use arbitrary length passphrases.

Pre-shared Key

A pre-shared key (PSK) is a passphrase that is shared ahead of need. PSKs are typically used in WEP, WPA, and WPA2 protected networks, where each client that wishes to join the network has the same PSK.


Quality of Service enables networks to prioritize certain traffic types above others, so that things which are mission critical or latency sensitive gain preferred access to the network over things that are lower priority or can tolerate delay. This is especially useful in Wi-Fi networks using voice or video; the quality of both suffer when encountering latency. APs that offer QoS can provide more access to clients that need it than to those that do not. See 802.11d.


The distance between an AP and a client (or between two APs, see Workgroup Bridge) over which Wi-Fi transmissions can be successful. The greater the range, the greater the attenuation of a signal and the lower the overall throughput will be.


A wireless network device that receives signals and retransmits them, without providing direct access to the wired network. Repeaters are typically used to increase the range wireless networks can cover.


In a wireless network with multiple APs, a client that is moving from the coverage area provided by one AP to that provided by another is roaming. It must disassociate from the first AP before it can associate to the next AP.


A rogue client is one that attempts or succeeds in accessing a wireless network without authority to do so. A rogue AP is one installed onto the wired network without authority, and can be a maliciously placed device by someone attempting to penetrate the network, or by a non-malicious user who simply wanted to get wireless access to the wired network but did not involve IT or go through appropriate processes.


In the context of SOHO, a wireless router is an AP that also performs Internet connection sharing, and can run a DHCP service, a captive portal service,


The Service Set Identifier (SSID) is the name of the wireless network. It can be contained in the beacons sent out by APs, or it can be ‘hidden’ so that clients who wish to associate must first know the name of the network. Early security guidance was to hide the SSID of your network, but modern networking tools can detect the SSID by simply watching for legitimate client association, as SSIDs are transmitted in cleartext.


The Temporal Key Integrity Protocol was developed as a replacement for WEP but is no longer considered secure and has been removed from 802.11 standards. See WPA.


Transport Layer Security is a protocol designed to encrypt and authenticate all kinds of network traffic at the transport layer, and is the successor to SSL. It uses certificates to exchange public keys, which are then used to encrypt session keys.


The Unlicensed National Information Infrastructure radio bands include frequencies in the 5 GHz range used by 802.11a, n, and ac standards.


WAP can refer to the Wireless Application Protocol, or can be used to mean Wireless Access Point.

War Chalking

War chalking is a hobbyist pursuit using sidewalk chalk to “mark” areas of wireless network access. War chalking uses a series of pictograms or icons to represent open and closed networks, and includes the SSID and sometimes the information needed to access the network.


War Driving

Another hobbyist pursuit, war drivers will use their cars, wireless equipment, and mapping software to map out the wireless coverage of an area. Some groups have collaborated to map out entire cities. The resulting map may be shared amongst group members or published to the Internet and will identify, as closely as possible, the location of APs, their SSIDs, and whether the networks are open or closed.


Wired Equivalent Privacy is the original encryption scheme implemented in wireless networks. Using RC4 and either a 40bit or 104 bit pre-shared key, WEP provides about the same level of privacy as using a hub does on a wired network. Easily broken, WEP is typically only deployed in home networks.


The WAN or community deployment of wireless networking, WiMax was initially started by Intel and is now designated by the IEEE as 802.16. WiMax offers ranges measured in miles and bandwidth of up to 1 Gbps. WiMax deployments are limited at present, but can include last mile services, regional mesh networks, and municipal access for entire cities.

Workgroup Bridge

A pair of APs that provide connectivity between two different wireless segments are a workgroup bridge. Entire offices can be connected wirelessly using workgroup bridges, or small office on another floor of a building, or across the street from the main office, may be connected using workgroup bridges rather than by running cables. These are extremely popular in downtown areas where offices are spread out across multiple buildings that are still close together, and where the cost of running fibre or copper cables is excessive.


Wi-Fi Protected Access is a security protocol for wireless networks that was designed to replace WEP. It uses TKIP to encrypt data and is much more resistant to attacks that WEP is, but still has cryptographic vulnerabilities that make it undesirable for use. WPA was an IEEE 802.11i draft. WPA Personal typically uses an initial PSK to establish authentication, but the protocol has been extended to use EAP methods where available.


Wi-Fi Protected Access v2 is currently the strongest encryption protocol available to wireless networks, and is the current 802.11i standard. It uses AES encryption for data and is considered cryptographically strong. WPA2 Personal uses a PSK to establish initial authentication, but WPA2 Enterprise can use various EAP methods to ensure a strong authentication without the need for a PSK.


Wi-Fi Protected Setup makes it easier for users to add Wi-Fi clients to WPA and WPA2 protected wireless networks. It was intended to help non-technical home users deploy WPA security, but is vulnerable to a brute-force attack and should not be used. WPS can use a PSK, encryption settings transferred using a USB key, a PIN, NFC, or with a simple push button approach.



How to repair PST files

One of the biggest problems users encounter when using PSTs is that they can corrupt. Because there are countless messages within a PST that could easily be lost when the file becomes corrupt, knowing how to repair PST files is highly important. Of course, it would be even better if you knew how to avoid the need to repair PST files in the first place.

Let’s start with the initial point: what to do if you need to repair PST files. Here are three points:

Inbox Repair Tool

If you have a corrupt PST file, you will see this error message when you try to open it:

Errors have been detected in the file <file_path>. Quit all mail-enabled applications, and then use the Inbox Repair Tool.

Every current version of Outlook comes with a version of the Inbox Repair Tool called scanpst. Scanpst.exe can be found in either drive:\Program Files\Common Files\System\Mapi\LocaleID\scanpst.exe or drive:\Program Files\Microsoft Office\Office14 (Outlook 2010.) The scanpst.exe tool can scan a PST file for damage, and can recover it in many cases.

OST Crop Tool

When a PST has grown past its maximum supported size, the Inbox Repair Tool may not be able to repair it. If you run the scanpst. exe and it cannot repair the file, you may want to use the OST Crop Tool. This will not recover all of your email, but it will truncate the corrupt file down to a size that may be accessible. You can download that tool from http://www.microsoft.com/downloads/details.aspx?FamilyID=B33B1DFF-6F50-411D-BBDF-82019DDA602E&amp;displaylang=en

Third party PST repair tools

The market is full of PST repair tools from several third party sources. Some offer free versions, while others cost money up front. There are too many to list in this short article but a search on Google for ‘repair PST’ will serve you well. Read them carefully, and I strongly suggest making a copy of the PST to be repaired just in case, but that advice is good even if you are using the Microsoft tools above.

But what if you didn’t have to worry about repairing PST files in the first place?

Why do your users have PST files anyway? Is it because they have a small inbox limit, or is it because the system automatically deletes email over a certain age? Whatever the reason, knowing the problems that might arise, requiring PST repair and placing data at risk, is only half of the equation. You do need to provide an alternative and that is where email archiving software comes into play. A good email archiving software eliminates the need for PST files by creating an archive that can be accessed even when Exchange is offline, and that can provide virtually unlimited mailboxes. There are also tools like the PST Exporter that can transfer messages from PST files into the archive, ensuring ongoing access to email and eliminating the risk and performance impact from PSTs on the network.



3 Very Good Reasons to Monitor Internet Usage in the Workplace


How to Control Cyber Slacking

Cyber slacking is a term used when employees use their work internet connection for personal reasons for excessive amounts of time. Cyber slacking can cause a number of problems, from the obvious loss of productivity to legal liability as well as virus infection.

Employees browsing the web during working hours are not just a productivity issue; such employees might download illegal music and/or software or visit disreputable sites which will try to infect their visitors with Trojans.

However, there are a variety of ways to handle cyber slacking within an organization:

Passive Monitoring

Tools can be employed to monitor the internet activity of users. Reports can then give an accurate picture of what sites an employee has visited and how much time the employee spent browsing. This method is not really ideal because while it is adequate to tackle an employee’s time wasting it can be too late for other security related issues, such as a malicious site infecting the victim’s computer with malware. By the time the administrator gets to review the report and discovers one of the employees has been visiting sites known to infect visitors with malware, the infection would likely have already happened and had ample time to spread.

Active Monitoring

More advanced tools will not only monitor and record user activity but take action depending on the monitored data. Some advanced tools also allow for classification of web sites as this would allow an administrator to really tweak the system for optimum effect. Website Classification coupled with scheduling can also help maintain employee morale which could be negatively affected when implementing such measures.

Setting up policies that would always block malicious sites but allow access to news, social networking and gaming sites during the employees’ break would secure the business against security threats, prevent cyber slacking yet still allow employees to access work unrelated sites during their free time.

Proactive Monitoring

Proactive monitoring would be the next step after active monitoring. Such a system would not only monitor but also take action depending on what it encounters. The system would scan downloaded files for any viruses, block certain types of files as well as drop connections that are not allowed – for example, instant messaging with people outside the company. Advanced systems can also detect attacks being transmitted through the networks and proactively stop them.

One thing to always keep in mind is that even when using advanced systems such as proactive monitoring it is still important to keep an eye on reports. No system is infallible and users are generally resourceful and sometimes manage to find workarounds or visit sites that are not yet correctly categorized. Keeping an eye on the logs would make sure the Administrator identifies these instances and takes prompt corrective action.



Yet another sysadmin’s compendium of cheat sheets

Our Sysadmin compendium of cheat sheets was a real hit with our readers and by popular request we’ve added yet another compendium of cheat sheets, quick references, and general quick hits. This time round, we’re including some reader requests, including SCCM and System Manager, as well as expanding on some of the other topics we covered in rounds one and two. Have a look and see what new bookmarks you can add to your browser.

System Center Configuration Manager

By reader request, some cheat sheets on SCCM/ConfigMgr and related products. This is a field rather lacking in one-pagers, so if you know the product, there’s an audience out there for your blog!

Cheat Sheet for SCCM Software updates Error codes http://windowsandsms2003.blogspot.com/2012/05/cheat-sheet-for-sccm-software-updates.html

WMI in PowerShell 3.0 http://blogs.msdn.com/b/powershell/archive/2012/10/28/wmi-cheat-sheet-for-ps-users.aspx

SC VMM 2012: PowerShell Cheat Sheet http://blogs.technet.com/b/jonjor/archive/2012/04/04/sc-vmm-2012-powershell-cheat-sheet.aspx

Quick reference for SCCM 2012 site system role placement http://technet.microsoft.com/en-us/library/64aa34e1-c465-4eb8-820b-5c1702ab55ae#Plan_Where_to_Install_Sites

System Center 2012 Self-Study Guide http://social.technet.microsoft.com/wiki/contents/articles/12726.system-center-2012-self-study-guide-complete-edition.aspx

Web Development

For those of you working on the web, these should come in handy. Just make sure you have enough ink before you print out a couple of these.

WordPress Cheat Sheet http://www.cheat-sheets.org/saved-copy/wpcs.png

HTML 5 Pocketbooks http://adactio.com/extras/pocketbooks/html5/

HTML5 Security Cheatsheet http://html5sec.org/

HTML 5 Browser Support Cheatsheet http://www.inmotionhosting.com/img/infographics/html5_cheat_sheet_browser_support.png

HTML 5 Tags Cheatsheet http://www.inmotionhosting.com/img/infographics/html5_cheat_sheet_tags.png

HTML 5 Event Handler Cheatsheet http://www.inmotionhosting.com/img/infographics/html5_cheat_sheet_event_attributes.png

HTML 5 Canvas Cheat Sheet http://www.nihilogic.dk/labs/canvas_sheet/HTML5_Canvas_Cheat_Sheet.png

HTML 5 Quick Reference Guide http://www.smashingmagazine.com/wp-content/uploads/images/html5-cheat-sheet/html5-cheat-sheet.pdf


The networking field is full of great cheat sheets, and we find more every time we look. Here is another group that you should find to be very useful!

tcpdump Cheat Sheet http://packetlife.net/media/library/12/tcpdump.pdf

nmap Cheat Sheet http://www.cheat-sheets.org/saved-copy/Nmap5.cheatsheet.eng.v1.pdf

netcat Cheat Sheet http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf

TCP/IP Cheat Sheet https://onedrive.live.com/view.aspx?resid=C952FBF391F5AFA1!934&ithint=file%2cxlsx&app=Excel&authkey=!AKz8LXBgsqQy6wo

The Art of the Subnet Cheat Sheet And Other Subnetting Tips & Tricks http://quest4.org/ccna/subnet_cheat_sheet.htm

Subnet Mask Cheat Sheet http://www.aelius.com/njh/subnet_sheet.html


If databases are your game, these should come in handy! They helped me finally figure out how to spell SQL.

Mysql cheat sheet http://csnipp.com/s/510/-MySQL-Cheat-Sheet

SQL in One Page http://www.sql.su/

(My)SQL Cheat Sheet http://cse.unl.edu/~sscott/ShowFiles/SQL/CheatSheet/SQLCheatSheet.html

Syntax Diagram for SQLite http://www.cheat-sheets.org/own/sqlite/Syntax.Diagrams.For.SQLite.html

Oracle SQL Reference Card http://www.cheat-sheets.org/saved-copy/oracle_sql_reference.pdf

PostgreSQL Cheat Sheet http://www.cheat-sheets.org/saved-copy/postgresql-cheat-sheet.pdf


You’d think the way some of them talk, Linux SysAdmins wouldn’t need a cheat sheet, they would just apropos everything. Fortunately, there are plenty of great Linux cheat sheets out there. Here are a few more.

Linux Security Cheat Sheet http://www.digilife.be/quickreferences/QRC/Linux%20Security%20Quick%20Reference%20Guide.pdf

Linux Admin Quick Reference http://www.digilife.be/quickreferences/QRC/LINUX%20Admin%20Quick%20Reference.pdf

Unix Toolbox http://cb.vu/unixtoolbox.xhtml

Graphical vi/vim Cheat Sheet and Tutorial http://www.viemu.com/a_vi_vim_graphical_cheat_sheet_tutorial.html

GDB Debugger Cheat Sheet http://refcards.com/docs/peschr/gdb/gdb-refcard-a4.pdf

Regular Expressions Cheat Sheet v2 http://www.addedbytes.com/cheat-sheets/download/regular-expressions-cheat-sheet-v2.pdf

Bash History Cheat Sheet http://www.catonmat.net/download/bash-history-cheat-sheet.pdf

Linux Command Reference http://www.pixelbeat.org/cmdline.html

Ubuntu Cheat Sheet http://www.cheat-sheets.org/saved-copy/ubunturef.pdf

Unix/Linux Shell Cheat Sheet http://www.cheat-sheets.org/saved-copy/shellscripcheatsheet.pdf

We hope you enjoy the third compendium of cheat sheets. We’re always looking for more so please do tell us if we’ve missed something.




How to protect against ransomware in three easy steps

A second wave or second-generation Ransomware has appeared in the wild, with researchers describing it as more dangerous than its predecessor. This week, Synology experienced a targeted attack, crippling customers’ data, while Trend Micro report a potential successor to CryptoLocker called CryptoBlocker.

Ransomware is not a new technique but over the past 18 months it has become a serious threat because data is now at risk of being lost – for good – unless…

Ransomware is a type of malware designed to disable a computer, laptop or mobile device, typically by encrypting the data in such a way that prevents the user from accessing the device or data. The malware does allow random notices to appear, telling the victim what the solution is.

The main purpose of ransomware is to make money for the cybercriminals. Once the data on an infected machine is encrypted, the victim is told that unless they pay a certain amount, they will not be able to get their data back.

This type of malware is constantly under development and makes the most of the latest technologies. The first instances of ransomware date back to 1989 with the AIDS Trojan. This piece of malware misled users into believing their software licenses had expired, it encrypted file names on the hard drive and asked for payment to be sent to a particular bank account. In 2010, WinLock did something similar by blocking the victims from accessing the user interface of their operating system and asking for payment via SMS to unlock it.

Last year, ransomware came back with a vengeance, using anonymity networks (TOR) and asking for Bitcoins instead of real money. This made it even harder for the authorities to identify the cybercriminals (CryptoLocker). The newest breed of ransomware (Critroni) uses military-strength encryption to make sure user files can be recovered. The malware is supported by a cloud-based infrastructure designed to make it easier for the victims to pay the ransom (and more money to make its way into the criminals’ pockets). It also introduces a new and important element – stealth, as the malware avoids most antivirus engines. This latest outbreak highlights the importance and need for more security layers and alternate ways of mitigating this risk.

Let’s have a look at how ransomware works

a) Initial ransomware infection: typically via an email attachment, a malicious download or installed by other malware;

b) Getting comfy: ransomware alters the relevant registry keys and files to make sure its code is running when the computer runs;

c) Calling home: malware calls the attacker’s server to get encryption keys and register the attack;

d) Doing the dirty work: it then proceeds to encrypt the user’s files using the key obtained from the attacker’s server;

e) Making some noise: ransomware displays ransom notices and links that allow the victim to access websites accepting payment in Bitcoins.

Although ransomware is becoming even more sophisticated by the day, that doesn’t mean users are help to prevent these infections.  Here are three, easy-to-follow steps to protect your device against ransomware:

1. Scan all emails and web downloads with at least two antivirus engines

This ensures that the initial infection has a much lower chance of propagating over the corporate network. Multiple antivirus engines help to mitigate zero-day threats and increase the likelihood that the malware is identified and stopped before it enters the network.

2. Block user access to malicious or vulnerable websites

Apart from email, ransomware can propagate itself via malicious and vulnerable websites. Vulnerable websites are a major concern because they are legitimate websites that users trust and use regularly. However, these sites can be used as an accessory for a ransomware infection because the attackers will have exploited vulnerabilities, like XSS, to execute code on the user’s machine, and instruct the browser to download the malicious payload. The ability to prevent user access to trustworthy, but vulnerable, websites as well as dangerous, malicious websites greatly lowers the risk of a ransomware infection.

3. Monitor and block outbound connections to TOR / anonymity networks

If a ransomware infection occurs, in spite of advanced perimeter antivirus protection, having the capability to monitor web traffic will help to identify the infection and its source. Furthermore, the capability to automatically block traffic to anonymity networks, used by the ransomware to get the encryption keys, will prevent the malware from applying strong file encryption. Without an encryption key, the malware will not work, the infection will not be registered thus preventing the attackers from knowing if the malware infiltrated the corporate network or (and therefore launch other attacks on the corporate network).

These are important steps to take however it is impossible to monitor traffic manually 24/7. Automation is a sysadmin’s much-loved word. At GFI, we have been monitoring these latest outbreaks and with GFI WebMonitor, ransomware can be kept at bay.

Here’s how GFI WebMonitor does this:

  • Antivirus scanning with up to three engines will ensure that no ransomware is downloaded from the internet, including zero-day threats;
  • Robust security features provide layers of protection when users are accessing malicious or vulnerable websites, further reducing the risk of infection;
  • If antivirus and security features fail, advanced web filtering technology will prevent the ransomware from connecting to the attacker’s servers on anonymity networks, thereby rendering the malware ineffectual because encryption of data cannot take place.



The 13 most important skills for sysadmins to develop

Sysadmins are awesome. There’s no denying that at all, but inside every sysadmin is that drive to become even better. That’s why you do what you do, starting way before 9am and working way past 5pm. That’s why you give up your weekends, and spend your time on the beach reading certificate study guides instead of your favorite book. Every sysadmin has a great set of skills, but most sysadmins probably want to develop more. To help you, who so often help us, we’ve scoured the net, including articles from the top job boards, recruiters and head hunters, and we’ve collected a list of the skills that are most important to sysadmins, no matter what their specific focus is. We’ve listed them in no particular order, and included some links to help you start learning these skills online at your own pace.

1. Visio

This should be the only skill on this list that is vendor specific, but it is also a skill that every sysadmin should have and so few do. Good diagrams not only make understanding and troubleshooting a system easier, they support good documentation. Most sysadmins’ Visio diagrams look worse than smartphone camera pictures of a whiteboard. We all need to get better at Visio. Check out http://office.microsoft.com/en-us/visio-help/training-courses-for-visio-2013-HA104032123.aspx for free training from Microsoft on Visio.

2. Networking

You don’t have to be the network engineer to understand networking. If you admin a system, it uses the network and you need to understand what it requires so you can work with the firewall sysadmin to get the ACLs correct, and the network sysadmin to ensure performance. There is an awesome collection of training videos on networking at http://blog.pluralsight.com/free-computer-training-videos/free-networking-training-videos.

3. Identity and Access Management

IAM (Identity and Access Management) is going to become a critical part of every system in the coming years. It is already going from niche skill to hard requirement in so many projects and IAM gurus are in high demand. There are videos online from virtually every vendor in the IAM space to help you get started. See http://www.bing.com/videos/search?q=free+identity+management+training+and+tutorials&qpvt=free+identity+management+training+and+tutorials&FORM=VDRE for a collection of them.

4. Cloud services

If you’re new to this whole cloud thing, check out http://www.thecloudtutorial.com/ for a great place to start; then focus on the resources from the vendor or vendors who offer services you want. Amazon, Google, Microsoft, Salesforce and others all have good resources for their specific offerings.

5. Scripting/automation

If you are in a Windows enterprise, PowerShell is the way to go. Check out Don Jones’ awesome collection of training content on PowerShell at http://powershell.org/wp/category/training/. Of course, if Linux is more your thing, or you would prefer not to use PowerShell and want an alternative, Perl may be for you and there is some great content at http://www.perl.org/books/beginning-perl/ to help jumpstart this skillset for you.

6. Security

Security is an extremely broad category, but it needs to be baked into every sysadmin’s repertoire. The SANS Institute is on a mission to raise the security IQ of every sysadmin, and they share some great resources at http://www.sans.org/security-resources/.

7. Business analysis

A critical skill for any sysadmin, see http://ocw.uci.edu/cat/oo/getPage.php?course=OC1305015&lesson=1&topic=1&page=1 for a free course from University of California at Irvine on this.

8. Mobile Device Management

With mobile devices touching everything and in many cases surpassing the PC in importance to their users, MDM (Mobile Device Management) skills will be a hot commodity and sysadmins need to know how to manage the devices that will be accessing their systems. There are various training resources from the specific vendors, and Airwatch is a great place to start. See https://secure.air-watch.com/ for this. It requires registration, but that is free and fast.

9. Monitoring

Whether you use SCCM, Nagios, Splunk, or other solutions, the art of good system monitoring is key. See http://www.microsoftvirtualacademy.com/training-courses/overview-and-infrastructure-changes-in-sccm-2012 for SCCM, http://exchange.nagios.org/directory/Tutorials#/ for Nagios, and http://www.splunk.com/view/education-videos/SP-CAAAGB6 for Splunk.

10. Project management

While most companies will have dedicated project managers, understanding more about their job will improve your worth and also make them easier to work with! See http://www.projectmanager.com/project-management-training for a huge collection of free training videos.

11. HTML

Every sysadmin has, at some point, needed to write some basic HTML. Rather than hunting and pecking, see http://www.w3schools.com/html/default.asp for some great beginner HTML training.

12. Javascript

And once you have HTML down, Javascript is the next step on your path to the darkside, er, to web enlightenment. And just like HTML, there are some great beginner Javascript training resources online. See http://www.w3schools.com/js/default.asp for this.

13. ITIL

As more and more companies want to operationalize their IT, ITIL continues to be an in demand skill. See http://www.freeitiltraining.com/ for a great start towards understanding, and perhaps even becoming certified in ITIL.

What skills are you trying to add to your sysadmin repertoire and what resources are you using to learn them? Leave a comment and show some appreciation for your fellow sysadmins!



The 30 best free tools for sysadmins

To show our appreciation of all the work sysadmins like you do, and to try to make your work days (and nights) just a little bit easier, we’ve put together a post of links to some of the best free tools any sysadmin could use. Whether dealing with logs or scripts, debugging or troubleshooting, one-time requests or daily tasks, there should be a free tool in this list that can help you out. Many are downloads, but some are online.

General tools for any sysadmin

One cloud storage solution to bring them all together and in the cloud to bind them. There are lots of cloud storage solutions out there, but nothing beats Dropbox for simplicity, cross-platform compatibility, and performance.

The best, easiest and most functional compression tool on the planet.

There are lots of text editors on the market, but this one is my favorite. Take a look at the simplicity, the number of filetypes it works with, tools including diff and lorem, and the extremely small memory footprint, and you will see why it is my go-to editor.

PuTTY is a free implementation of Telnet and SSH for Windows and Unix platforms, along with an xterm terminal emulator.

Windows sysadmins

SysInternals Tools
Whether you’re an IT Pro or a developer, you’ll find Sysinternals utilities to help you manage, troubleshoot and diagnose your Windows systems and applications.

The one tool every Active Directory admin must have; it can find, fix, and update practically anything in AD and handle single changes as easily as it does global changes.

RSAT Tools
There is no reason to RDP into a server once you have the RSAT tools installed. You can manage any aspect of your Windows infrastructure using these tools, and use RunAs if you need to log on as a different user.

Remote Desktop Connection Manager
There’s no way I want to RDP into systems without a clean, simple interface that can sort, group and keep everything in one window. This is that tool.

PowerShell Collection
Not a single tool, but a collection of modules for PowerShell all in one place.

ActiveRoles Management Shell for Active Directory
The ActiveRoles Management Shell for Active Directory is a set of free, predefined commands for Windows PowerShell designed to help administrators automate common, repetitive and bulk management tasks for Active Directory, such as creating, removing or updating objects in AD.

Darik’s Boot and Nuke (DBAN)
The best, fastest, and easiest way to wipe a disk so nothing comes back, short of physical destruction.

Email sysadmins

MailRadar Open Relay Test
Here are 19 separate tests that try every possible way to fool your server into relaying. Pass all 19 and you should be good to go.

MailTester.com VRFY Test
Enter an email address into this form, and the server will validate your MX records, connect to your server, request your server to verify an address, and display the results. Typically, you don’t want your server to VRFY addresses, as this is a reconnaissance method used by spammers.

Microsoft’s SPF Record Wizard
Sender Policy Framework (SPF) uses TXT records in DNS to identify servers that can send email on behalf of a domain, and Microsoft’s wizard will help you set up the right information to add to those records.

This site contains a wizard-based creator for SPF records.

WebSitePulse Email Validation
It’s always a good idea to make sure your MX records are properly set up. This site prompts you for your email address, and then performs a DNS lookup for the associated MX records and displays the results. It can test from three global locations so you can test whether changes have replicated throughout the DNS.

MailRadar’s RBL test
This page will test 22 different DNS-based email blacklists (DNSBL) for your server to see if any of them lists your MTA.

Microsoft’s Exchange test Suite
Exchange admins will love this site. You can test ActiveSync, Outlook Web Access, Outlook Anywhere and SMTP flow. Set up a valid user account on your system first so you can test things that require authentication.

Microsoft Exchange Server Error Code Tool
Originally built for Exchange, this is a great tool to have on any system you might use when looking at error logs.

Ever needed to selectively remove autocomplete names that were wrong from Outlook? They are stored in an NK2 file, and this app lets you do just that.

This tool allows you to access message stores using a GUI, which can reveal all the rich data usually only accessible to Exchange.

Blat is a great command line utility you can use to enable scripts or batch files. It isn’t dependent on Exchange or Outlook, but it is too useful to leave out of any list of tools for email.

Network sysadmins

The DNS Tool Dig
Nichols Fong ported the dig tool from Unix to Windows, and it is a great cmd-line way to check A, MX, TXT, PTR, and other DNS records without having to use a website.

The DNS Tool Whois
Included in the download of dig is a whois command, which can help you identify the responsible party for a domain in case you have problems sending to, or receiving from, or just want to query the authoritative nameservers for that domain.

The OpenSSL tools are great when you need to troubleshoot certificates, or convert them between Microsoft and other standard formats (like when you want to use a cert from your Exchange server with a new loadbalancer or SSL accelerator).

The iPerf tools suite
Need to test bandwidth and network performance between servers? The iPerf tools include client and server, and can run sustained tests to find network issues.

Simply the best protocol analyzer around, and the price can’t be beaten.

Network Monitor
Microsoft’s own protocol analyzer grew up with version 3.0, and many admins might find less resistance

The security sysadmin

Microsoft Safety Scanner
Microsoft also has a free online security scan that can help you clean up after an accident.

Attack Surface Analyzer
This tool is a self-check vulnerability analyzer that helps you quantify a system’s specific attack service as a part of evaluating risk.



Flickertronics 2012 Radio Spot

Microsoft Remote Desktop for Android and for iOS
Cisco AnyConnect  app provides encrypted network access to mobile devices for corporate access. Cisco AnyConnect provides remote access for business emails, virtual desktop sessions and more for business-level application connectivity with high-level encryption.
Chrome Remote Desktop for Android.

IFIXIT Repair Manuals


Problem Steps Recorder

For users that have ever had a help desk headache that just couldn't be explained or reproduced, Problem Steps Recorder allows them to create an HTML slideshow of step-by-step actions so an IT admin can figure out exactly what the problem is and how to reproduce it.

The Microsoft tool is buried in Windows 7 and Windows 8. To unearth it, users need to go to their Windows Start menu and Windows 8 Start screen and type in "psr." Click the "psr" tool and follow the step-by-step instructions for recording an issue.

Install and Update All Your Programs at Once



Crud Removal For Uninstalling Programs
Crud Removal For Uninstalling Programs
Backup A Smartphone To Dropbox
Super Safe Web Browser For Locking Out Hackers
Chrome Remote Desktop
Lockdown Your Laptop And Track It Down If It Gets Stolen