Bryley Systems continues to grow: Welcomes George Butler to Service Team

Mr. Butler has over 20 years of experience in IT infrastructure support, most recently as a Systems-Network Engineer for Baesis, Inc. of Northborough, MA. He holds an MSMgt (Applied Management) from Lesley University, Cambridge, MA and a BSBA from Nathaniel Hawthorne College, Antrim, NH.

Bryley Basics: Apps to scan business cards into your smartphone

Melissa J. Perenson of ComputerWorld recently updated her review of seven apps in the article: “Tired of Losing Business Cards? With These Apps, Your Smartphone Can Do the Heavy Lifting.”

Business-card apps scan a business card via your smartphone’s camera; once scanned, the image is converted into text and then placed into the appropriate fields within a contact manager.  These apps are generally available for both Google Android-based and Apple iOS-based smartphones.

Of the seven tested, these were preferred:

  • ABBYY Business Card Reader – Free version and $9.99 full version
  • CamCard – Free version and full version from $2.99 to $11.99
  • WorldCard Mobile – Free version and $6.99 full version

CamCard’s free version worked well, but all others required the paid, full version to offer meaningful capability; it was also Ms. Perenson’s top choice.

Honorable mentions were given to ABBYY (easiest to navigate, with the most accurate scans) and WorldCard (which provides international support with seven on-board languages).  Both were considered good, but not quite as good as CamCard.

Recommended practices – Part-7: Resource management via Active Directory

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Active Directory is an integral component of Microsoft Windows Server; it is a powerful utility to manage both end-users and shared resources on a network.

It can scale to match the needs of any organization, from small to Enterprise size.

User management via Active Directory was discussed in January 2015 Bryley Tips and Information. Resource management is reviewed below.

Resources (servers, computers, folders, printers, scanners, etc.) should be located strategically to provide capabilities where needed.  They can be set up to support either groups of computers (i.e., all counter-based PCs in a retail store) or groups of users (i.e., all tellers at a specific branch office of a bank).

Resources are published within Active Directory to assign access.  For example, these are the basic steps to publish a new printer for a group of computers:

  • Create a new Group Policy within the appropriate Container*
  • Select the desired Computer Configuration settings
  • Set up Location Tracking (as needed)

*Active Directory uses Containers to provide segmentation and organizational structure; Containers are usually Forest, Tree, Sites, Organizational Units, or Domains.

If you prefer to set up access for a group of users rather than a group of computers, you would select User Configuration rather than Computer Configuration when publishing a resource.

Once published, resources within Active Directory need periodic attention to adjust access as needs change and to remove decommissioned resources.

Active Directory has a well-established set of best practices; these can be enforced through the Active Directory Best Practices Analyzer, which identifies and reports deviations from best practices.

William R. Stanek provides an overview on Active Directory features and capabilities in his article “Using Active Directory Service” from Chapter 5 of the Microsoft Windows 2000 Administrator’s Pocket Consultant.

Recommended practices – Part-6: Manage end-users via Active Directory

This is a multi-part series on recommended IT practices for organizations and their end-users. Additional parts will be included in upcoming newsletters.

End-users and their equipment (PCs, tablets, mobile devices) need access to network resources (servers, printers, scanners, etc.); basically, a network administrator connects the end-users with the appropriate resources while matching that access to the needs of the organization.

For example, Human Resources would typically be granted access to sensitive, employee information stored on a server, while the shipping department would be denied this privilege. And, since Human Resources has this access, they would be held to higher security standards designed to protect this information.

One could create an account within each resource mapped to the end-user device, but a more practical solution would be to use a network-wide tool to manage these accounts and their relationships: Active Directory, included within Windows Server, is a robust, rules-driven set of services and processes to facilitate one-site login and to enforce desired behavior. (Visit Wikipedia’s write-up on Active Directory.)

Methods within Active Directory to manage end-users include:

  • Enforce password use and complexity
  • Require periodic password changes
  • Lock screen after time-out
  • Restrict access
  • Grouping

Enforce password use and complexity

Passwords should be required for all end-users, regardless of their function.

A password’s complexity is also important:  A password should have a minimum length of at least nine characters and should have a mix of characters (numeric, upper and lower-case alphabetic, and at least one special character like $, #, @, etc.) that are not easily guessed.  (Please see “Simple Passwords = Disaster” in the January 2013 edition of Bryley Tips and Information.)

Require periodic password changes

Passwords become stale and should be changed periodically to discourage theft.  (We require password changes every 90 days.)  When changed, the end-user should be forced to enter a new, unique password rather than recycle an old one.

Lock screen after time-out

Computer screens are easily viewed by passing employees; highly sensitive employee data might be in open view when a payroll administrator leaves their desk.  To alleviate, many organizations define a time-out period, after which a computer screen is forced to lock and requires a password to refresh.
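The three controls above (required complex passwords, periodic changes without recycling, and a locked screen after a time-out) can be set centrally. This is an added example, not code from the newsletter; it uses the RSAT ActiveDirectory and GroupPolicy modules, and the domain name corp.example and the GPO name Workstation Lock are placeholders.

```powershell
# Added example (not from the newsletter). Placeholders: domain "corp.example",
# a user-side GPO named "Workstation Lock" already linked to the workstation OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Domain-wide password policy: nine-character minimum, complexity on,
# 90-day maximum age, and a history so an old password cannot be recycled.
# The one-day minimum age (an assumption, not from the article) stops a user
# from cycling through the whole history in one sitting to get back to the old one.
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example' `
    -MinPasswordLength 9 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24

# Read back what is now in effect for the domain.
Get-ADDefaultDomainPasswordPolicy -Identity 'corp.example' |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount

# Screen lock after 15 minutes of inactivity, enforced through the GPO. These are
# the registry values the "Enable screen saver", "Password protect the screen
# saver" and "Screen saver timeout" user policies write; the user cannot undo them.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name 'Workstation Lock' -Key $key -ValueName 'ScreenSaveActive'    -Type String -Value '1'
Set-GPRegistryValue -Name 'Workstation Lock' -Key $key -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'
Set-GPRegistryValue -Name 'Workstation Lock' -Key $key -ValueName 'ScreenSaveTimeOut'   -Type String -Value '900'

# Confirm the GPO now carries the three values.
Get-GPRegistryValue -Name 'Workstation Lock' -Key $key
```

The lock-screen values take effect at the next Group Policy refresh on each workstation; the password policy applies domain-wide as soon as it replicates.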

Restrict access

Network resources are available to all, 24 hours a day, seven days a week.  However, you might not want to enable 24-hour access to all employees and you might want to limit access to specific folders by granting one of these access rights:

  • Read – Allow access to a file
  • Change – Permit adding, modifying, and removing a file
  • Full Control – Change permissions settings in a file
  • Deny – Override all other access settings to prevent access

Read, Change, and Full Control work on a “most permissive” basis.  For example, all users may have Read access to a policy document, and the Human Resources group is granted Change access.  Since one of the groups they are a part of is granted Change access, Human Resources personnel can modify the policy document or replace it with a new one.

Deny works differently than the others, since a Deny overrides all other permissions to prevent access. Inexperienced administrators often use Deny improperly – setting Deny on payroll data for Users, for example, and preventing everyone from accessing the payroll data – including the Payroll group, whose Change permission is ignored because its members also belong to a group that has Deny set.  (We use Deny sparingly, since there must be a separate group for users who should not have access.)

Preventing access in Windows is achieved by removing the default Read right granted to users.
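The Deny pitfall described above, beside the recommended alternative of simply removing the default Read entry, as an added example that is not code from the newsletter. The folder D:\Shares\Payroll and the groups CORP\Payroll and CORP\Domain Users are placeholders.

```powershell
# Added example (not from the newsletter). Placeholders: folder D:\Shares\Payroll,
# groups CORP\Payroll and CORP\Domain Users (every domain account is in the latter).
$folder = 'D:\Shares\Payroll'

# --- The mistake: a Deny entry on the broad Users group ----------------------
# Deny is evaluated before any Allow. Payroll staff are also members of
# Domain Users, so this single entry silently cancels their Modify grant below.
$denyUsers = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CORP\Domain Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
# $acl.AddAccessRule($denyUsers)   # deliberately not run: it locks out Payroll as well

# --- The fix: no Deny at all; take away the default Read instead -------------
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)   # stop inheriting, keep copies of inherited entries
Set-Acl -Path $folder -AclObject $acl
$acl = Get-Acl -Path $folder                 # re-read: the copies are now explicit and removable

foreach ($rule in @($acl.Access)) {
    # Remove the Allow entries for the broad groups (BUILTIN\Users, Domain Users,
    # Authenticated Users) that give "everyone" their default Read.
    if ($rule.AccessControlType -eq 'Allow' -and $rule.IdentityReference.Value -like '*\*Users') {
        $null = $acl.RemoveAccessRuleAll($rule)
    }
}

# Grant only the group that needs the data. With no other Allow entries left,
# nobody else gets in, and no Deny is required.
$allowPayroll = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CORP\Payroll', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($allowPayroll)
Set-Acl -Path $folder -AclObject $acl

# Review: Payroll shows Modify, the administrator/SYSTEM entries remain, no Users entry.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Run the review step again after any later change; a Deny entry re-added by hand will show up as AccessControlType Deny and is the first thing to look for when a Payroll member reports "access denied".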

Grouping

Grouping also simplifies management; rather than manage end-users separately, group them by function, department, division, or organization to enable specific privileges across a group.

How to tweak Windows 8 for business use

Anna D, Account Executive at Bryley Systems, reveals how she overcame some frustrations with Windows 8 and set it up for business use.

“My experience with Windows 8 started out a little bumpy, but with a few tweaks, I was able to customize the OS (operating system) to be more suitable for my business needs.

The first thing I noticed when I booted Windows 8 were the tiles, which can be compared to app icons for Android and Apple devices.  Personally, I only like navigating app icons on a touch-screen-capable device, and find it inefficient in my everyday business-computer needs.  For instance, when I am using an app on my phone, I am only using that one app.  At work, I am constantly multitasking, and moving back and forth from one application to another.  In order to solve this problem, I changed the settings so my computer will boot into desktop mode.  (For details on this procedure, please see Bryley Basics later in this post.)  I can still access the tiles with my Windows key, if I wish.

Once I changed the boot settings I came across another hurdle.  My Windows Start Button was missing and was replaced with a Windows key that brought me back to the tiles.  So, I went to Windows Store to restore the Windows Start Button.

The first option that was presented to me was Classic Start Button, but I decided to go with Classic Start 8, because it was the closest resemblance to the Windows 7 Start Button. (For details, see Bryley Basics later in this post.)

I am now much happier with Windows 8.  I can understand the direction that Microsoft was going towards in creating a single operating system for all devices, but the OS still needs to be tweaked based on how you will use it.  The nice thing is I have the option and ability to customize Windows 8 for either business or fun.  At work I am more efficient using Windows 8 like a Windows 7 computer.  At home I much prefer the tiles, especially with a touch-screen-capable Ultrabook, which is how I imagine Microsoft envisions we use it.

I have more tips on tweaking Windows 8.  Next month I’ll let you know how to change the default photo-viewing application, Photos, back to the old Photo Viewer.  Those of you running Windows 8 have probably experienced the new Photos app, which opens the image in the full-screen, hiding everything else on the screen.  It is really inconvenient for me, and I am guessing I am not the only one.”

Bryley Basics: Anna’s Windows 8 procedures

Set up your Windows 8 PC to boot to Desktop Mode:

    1. Click the “Windows” key on keyboard to access the “Start” screen.
    2. At the Start screen, select the tile named “Desktop”.
    3. Once at Desktop, go to the bottom taskbar (circled below), place your cursor on the taskbar, right-click, and then select Properties.
    4. A pop-up screen named “Taskbar and Navigation Properties” will appear. Select the “Navigation” tab, check-on the desired items (and check-off the undesired items), and then click OK.

Add a Start Button to your Windows 8 Desktop Mode:

    1. Click the “Windows” key on keyboard.
    2. Go to “Store”.
    3. Type “start button” in the search bar at the top-right.
    4. Select “Classic Start 8”.
    5. Select “Get app from publisher” on the upper, left-hand side.
    6. Select the “FREE Download Now!” icon.
    7. Follow the prompts.
    8. The new Windows Start Button is now added to your Desktop!

Bryley Basics: Scammer YGDNS.org

We received a seemingly legitimate email from YGDNS.org professing to square-away the ownership use of our domains, Bryley.com and Bryley.net, in China; the email was marked “urgent” and came with a person’s name, business address, etc.

I queried Mike Carlson, our CTO, who gave this reply:  “No serious problems, but certainly a scam. If you reply you will be offered the opportunity to register the domains along with other overpriced services.

Google search of “ygdns.org.cn” finds a couple of well-written articles that indicate that this ygdns group has been doing this for a while, and, if you respond, they take the extra step of calling. The calls are of the type “This needs to be fixed today!”, hoping to get a “yes” from whomever answers the phone by stressing the perceived urgency.

Note the fact that it was sent…with “Please forward… …this is urgent” line. Any legitimate registrar conducting a legally or procedurally required inquiry would send the request directly to you, to me, or our shared network operations mailbox. These are the publicly-available addresses associated with the bryley.com and bryley.net registrations. I’ve checked my mailbox, junk mail folder, and done the same on the network operations mailbox. Nothing from this company.”

So, we did not respond to any inquiries from YGDNS.org and advise the same to all.

Merchants should get ready for EMV credit cards in 2015

The aging, magnetic-stripe credit cards are being replaced by EMV, a new standard with an embedded microchip that stores encoded user credentials with an optional PIN.  These two capabilities combine to reduce fraud by making EMV cards harder to clone and more difficult to use if stolen.

However, retailers and other merchants will need to upgrade credit-card processing hardware to comply with EMV.  Plus, validation and payment approval occur in separate, consecutive steps, which may require rewrites to existing Point-of-Sale (PoS) software.

Other considerations for retailers and merchants:

  • Cards are dipped, rather than swiped, which slows the process
  • EMV-processing applications/certifications take time; apply early
  • PINs can enhance security, but at the cost of being slower to process
  • Training staff will be necessary for high-volume, credit-card processors

After October 15, 2015, many credit-card issuers (MasterCard, VISA, etc.) will not cover fraudulent issues generated with non-EMV cards; a not-so-subtle statement on complying with the EMV standard in 2015.

Recommended practices – Part-5: Software updates and patching

This is a multi-part series on recommended IT practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

In general, software manufacturers update their products for these reasons:

  • Resolve problems
  • Fix vulnerabilities
  • Make easier to use
  • Provide new features

The first two are of significant concern, particularly with operating systems (Microsoft Windows, Google DROID, Apple iOS, etc.) and with commonly used applications like Microsoft Office, Adobe Reader, etc.

Many operating-system manufacturers, especially those with large user populations (Microsoft, Google, Apple), release patches to address problems and security concerns.  These patches are typically small applications that either replace a portion of the operating system or update specific components (files) of the operating system.

Unfortunately, particularly with Microsoft Windows, patches that resolve an issue can often lead to unforeseen and unintended consequences; some patches actually designed to fix one area can break things in a different area.  Also, security updates are often time-sensitive; once released, it is important to apply them promptly.

Like operating systems, many popular applications require occasional updating.  Applications are typically not updated as often as operating systems, but their patching can be critical to fix vulnerabilities.

The IT department or IT-outsourcing partner (i.e., Bryley Systems) of many organizations typically performs patch management with the objective “…to create a consistently configured environment that is secure against known vulnerabilities in operating system and application software.”²  These groups perform their patching in a cyclic fashion, often taking these steps:

  • Verify that the patch has a reasonable purpose in the environment,
  • Investigate its stability and usefulness by checking user forums,
  • Delay (if needed) deployment to ensure wide-spread acceptance,
  • Test it in the environment before deploying, and
  • Deploy and then validate this rollout.

If a rollout fails, procedures are in place to roll back the operating system or application to its pre-patched state.  Periodic auditing and assessment are useful to ensure that the process is current and appropriate; audits should also identify systems that are not in compliance with the organization's patching standards.
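The audit step of the patch cycle just described, as an added example that is not code from the newsletter: it asks each domain Windows computer whether a given update is installed and separates machines that are missing it from machines that could not be reached. The KB number is a placeholder.

```powershell
# Added example (not from the newsletter). The KB id is a placeholder for the
# update that was just rolled out; computer names come from Active Directory.
Import-Module ActiveDirectory

$requiredKb = 'KB0000000'   # placeholder: the update just deployed
$computers  = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' |
                  Select-Object -ExpandProperty Name

$report = foreach ($c in $computers) {
    # Get-HotFix reads Win32_QuickFixEngineering on the remote host; it returns
    # nothing both when the KB is absent and when the host cannot be queried.
    $hit = Get-HotFix -ComputerName $c -Id $requiredKb -ErrorAction SilentlyContinue

    if ($hit) { $status = 'Compliant' }
    elseif (Test-Connection -ComputerName $c -Count 1 -Quiet) { $status = 'Missing' }
    else { $status = 'Unreachable' }

    [pscustomobject]@{
        Computer    = $c
        Status      = $status
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
    }
}

# Summary for the audit record, then the exceptions that feed the next cycle.
$report | Sort-Object Status, Computer | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Compliant' } |
    Export-Csv -Path .\patch-noncompliance.csv -NoTypeInformation
```

A host that answers ping but blocks remote WMI is reported as Missing, so treat that status as "verify on the machine" rather than as proof the patch is absent.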

Often, a Remote Monitoring and Management (RMM) tool – GFI, LabTech, Kaseya – or a patch-management tool – PatchLink, SolarWinds, Tivoli – is used to automate and centrally manage the process:  These tools permit the timely, managed deployment of patches and updates to groups of computers.

Notes:

² Quote taken from the article “Essentials of Patch Management Policy and Practice” by Jason Chan of PatchManagement.org; the full article is an excellent, in-depth treatise on this subject.

Other resources:

  • Visit TechTarget for an informative presentation on patch management and the security implications by Diane Kelley.
  • See http://en.wikipedia.org/wiki/Patch_(computing) for a patching overview at Wikipedia.

Bryley Systems’ President Gavin Livingstone Interviewed On Chamber Exchange

Tim Murray (President/CEO of the Worcester Regional Chamber of Commerce and former Lieutenant Governor of the Commonwealth of Massachusetts) interviewed Gavin Livingstone (President of Bryley Systems Inc.) on Charter TV3 earlier this year.

Bryley Basics: Fixed-disk drive recycling and destruction

Fixed-disk drives are located in most personal computers, servers, and even some copiers and printers; they store business data and confidential information.  When retired, they require special handling and recycling to ensure that this information is not available to others.  In addition, compliance and military standards dictate specific procedures regarding erasure and destruction.

Most fixed-disk drives house spinning disks within a metal enclosure; a read/write head passes over these disks to retrieve/record information.  Erasing the spinning disks is a good first step; physically destroying the spinning disks is also good since it then renders these disks unusable.  (Of course, someone can always try to put a disk back together, but the complexity and cost of this effort makes it extremely difficult and unlikely.)

When we recycle personal computers and servers, we take these steps to obliterate the contents of all fixed-disk drives:

  • When mounted within a computer, we run a multiple-pass cleanup utility that not only erases existing data, but also rewrites nonsense data back onto the drive to overlay previous data.
  • We then smash the drive into insignificant pieces.

Our Manual Disk Drive Crusher quickly and easily destroys fixed-disk drives by crushing them in half.  The remnants are then recycled with confidence.