Monthly Archives: July 2008

Articles and Books Mac OS X Mac Security

DNS Caching and Apple

In the article at http://www.macworld.com/article/134793/2008/07/apple_dns.html John Welch goes off on Apple for their delay in the whole DNS Poisoning exploit.  It’s kind of amusing…

Active Directory Mac OS X Mac OS X Server

Mac OS X: adplugin and printers

To find all the printers you have available through Active Directory:

dscl '/Active Directory/All Domains' -list /Printers PrinterURI

Interviewing

Interview Tips: July 2008

Time Management.  Whether they ask during the interview or not, all employers will look kindly on the interviewee who has good time management skills.  Feel free to point out instances where you were able to manage your time effectively to bring success to a given situation.  You can even work this into the answer for various other unrelated questions, although make sure to still answer the questions you were asked.

iPhone

LoanShark iPhone App

OK, I know this doesn’t really sound like something you’ll need in the field.  Well, it isn’t.  Unless of course you’re in the field in between looking at houses, which I am these days.  So what does this little bugger do?  Well, it can figure up payment, interest, amortization, track progress of mortgages, car loans, credit cards, etc.

http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=286069264&mt=8

Mac OS X Server

Mac OS X: Training Spam Assassin

Mac OS X Server’s built-in spam filter is Spam Assassin (sa).  This article describes methods for teaching Spam Assassin how not to encounter false positives. First, run man sa-learn and read about the command in its man page.

Once you have done so, here are some tips for using sa-learn:

sa-learn --ham teaches Spam Assassin that a message is not spam.

sa-learn --spam teaches sa that a message is spam.

Spam Assassin learns based on files.  Files are in the mbx or mbox format.  Append --mbox or --mbx to the command to teach it based on these file types.  To scan a folder for files to use, just use the * key for the wildcard.

sa-learn --backup backs up the sa database.

If you teach it that a message is ham and it is in fact not, you can use --forget to make it forget the teachings.

sa breaks email down into interesting tokens and adds these to the database.

Always train with an equal amount of ham as spam or you could teach it to be more or less veracious.
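
The tips above combined into one training run, as an added example that is not from the original post: it counts the messages in two mbox files, refuses to train unless ham and spam are equal in number, and backs up the database before learning. The file names, the backup file name and the function names are assumptions.

```sh
#!/bin/sh
# Added example: balanced sa-learn training from two mbox files.
# Usage (file names are placeholders): sh train.sh ham.mbox spam.mbox

# Count messages in an mbox file; each message begins with a "From " line.
count_mbox() {
    grep -c '^From ' "$1" 2>/dev/null || true
}

# Succeed only if both files hold messages and hold the same number of them.
balanced() {
    ham_n=$(count_mbox "$1")
    spam_n=$(count_mbox "$2")
    [ "${ham_n:-0}" -gt 0 ] && [ "${ham_n:-0}" -eq "${spam_n:-0}" ]
}

train() {
    ham=$1
    spam=$2
    if ! balanced "$ham" "$spam"; then
        echo "refusing to train: $(count_mbox "$ham") ham vs $(count_mbox "$spam") spam" >&2
        return 1
    fi
    # Dump the database first so a bad run can be undone with sa-learn --restore.
    sa-learn --backup > "sa-backup.$(date +%Y%m%d).txt" || return 1
    sa-learn --ham  --mbox "$ham"  || return 1
    sa-learn --spam --mbox "$spam" || return 1
}

# Train only when two file arguments are given.
if [ "$#" -eq 2 ]; then
    train "$1" "$2"
fi
```

If a message turns out to have been filed in the wrong mbox, run sa-learn --forget on it and then re-learn it with the correct flag.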

iPhone

iPhone App: Whois

Do a Whois of your (or anyone’s) domain.  It’s not a terribly complicated app, but then it is a buck…

http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=288162206&mt=8

Mac OS X Mac OS X Server

Mac OS X Server: AutoFS

AutoFS is greatly improved in Leopard.  To set up an automounting sharepoint in Leopard, use Server Admin from /Applications/Utilities.  

We described how to set up a share point in this article:

http://krypted.com/?p=159

Once you have set up your share point then you may want to make it an automounting share, or you may want it to automount and not be visible for users, as in the case of a home directory automount.  To create the automount you would browse to a folder from File Sharing and once shared, place a check mark in the box for Enable Automount.  From here, click on Edit and select a Directory to push the automount from.  Then select your protocol (AFP vs. NFS death match to come) and select the use.  For most cases, the default User home folders will be what you might use.   If you are using home folders then you can click OK and save your settings and enter your Open Directory (or other directory service) administrative password.

To verify it was created properly look at Automounts in Workgroup Manager (WGM).  Here enable All Tabs and Inspector from WGM Preferences.  Then click on the tab with a bullseye (Inspector tab) and choose Automount from the drop-down list.  The newly created automount should appear and you should be able to view any attributes it has.

Windows XP

Windows XP: Deploying Policies for Microsoft Office

You can set various policies for Microsoft Office.  When you install the Office Resource Kit (orktools.exe) you will be able to go into the Start->Programs->Microsoft Office Tools-> Microsoft Office Resource Kit -> System Policy Editor to do so. 

Mac OS X Server Windows XP

Windows XP: Managing Policies for a Single Workstation

Not all environments are Active Directory. If you have a smaller Mac OS X Open Directory environment with a PDC you may want to leverage policies if you don’t have the more complicated needs of AD. This can be set up in your image and then pushed out from there, but will not update dynamically as is otherwise possible when using a netlogon share and adm files. From Windows Server 2003 or Windows XP there are two utilities that can be used to create policy lists. The first is Group Policy Object Editor, gpedit.msc. The second is secpol.msc. For the purposes of this document we will use gpedit.msc as it provides most of what is available in secpol and far more granular policies for workstation control. To open GPO Editor click on Start, then click Run, and then type gpedit.msc. Now you will be looking at two sections, Computer Configuration and User Configuration. Computer Configuration controls global settings such as password policies and Log on Locally. For the most part these can typically be left as-is.

The User Configuration will show a folder called Administrative Templates. Open this and you will see Windows Components, which are Windows XP applications, such as Terminal Services (RDC), Windows Media Player, Windows Update, Windows Explorer, etc. An example of setting these policies is to use the Windows Media/Playback/Prevent Codec Download policy to prevent the downloads of Windows Media Player Codecs. Start Menu and Taskbar can be used to configure settings in the Start Menu and taskbar (seems pretty straightforward, right?). For example, you can use the Remove Run Menu from Start Menu to configure the system not to show a run dialog box in the Start Menu. Some other things you can do here include locking the taskbar, showing users the classic Start Menu, disabling the history of recently opened documents or removing Run/My Pictures/My Music/My Network Places/Favorites from the Start Menu.

User Configuration also allows you to configure the Desktop using the Desktop subfolder. For example, the Properties dialog box can be removed from My Documents, My Computer or Recycle Bin. Or you could remove My Computer, My Documents or Recycle Bin from the desktop completely. You can also block users from adjusting desktop toolbars or hide the Network Places and/or Internet Explorer Icon on the desktop.

User Configuration is also where you can allow or disallow specified groups of users access to the Control Panel using the Control Panel sub-set of folders. Control Panel not only includes the Control Panel but also includes Printing, Language, Add/Remove Programs, etc. You can limit which Control Panel items are displayed to end users or just prohibit any users from accessing any Control Panels. You can also perform more finely grained access control for certain Control Panel items. For example, you can allow a user access to the Display Control Panel and allow them to enable a Screen Saver there but disable the ability to change the wallpaper. You could also force a password to wake a system from Screen Saver mode. The Add or Remove Programs sub-folder will allow you to limit users from being able to install software or allow you to limit certain options within the software installation wizard. Through the Printers sub-folder you can limit whether a user can add or delete printers, or limit them from being able to browse to printers. Shared Folders can be used to disable a user’s ability to share folders. Network can be used to limit users from changing TCP/IP, NIC or other items that involve the network stack. Network can also be used to set offline file caching settings. System has a number of settings that can be configured, including profile quotas (under User Profiles), login script behavior (under Scripts), Task Manager and computer locking (under Ctrl+Alt+Del Options), the ability to start programs at login (under Logon), GPO controls such as refresh intervals (under Group Policy – although many of these will not be enforceable if you are not using a domain) and finally Movie Maker and HTTP printing (using Internet Communications).

There are a lot of policies. If you’re curious about what a specific policy will do then you can use the Extended view (by clicking on Extended on the bottom nav bar). Using the Extended view, system requirements (version of Windows, etc) will be listed and a description of what the policy will do will be displayed on the left hand side of the screen. If you are comfortable with what a policy will be doing, you can double-click on the policy and configure the settings for it.

Once you have customized the policy to your liking then you can export it for your records. To export a policy, right-click on the Computer Configuration or User Configuration and click on Export List. Save it as a txt or csv using a naming convention that makes sense (for example it might be called creatives, students, teachers, accounting, etc.). You can also export both Computer and User Configurations using the Local Computer Policy as your export point.

Mac OS X Server

Mac OS X Server: Disable Roaming Profiles Globally

To disable roaming profiles you can just edit the smb.conf: setting the logon path to a blank value disables roaming profiles.  So just add this line to your global /etc/smb.conf settings:

logon path =