Brandon's questions

In an IIS7 web application (ASP.NET) where we don't have control over source code, anyone visiting that application from the internet is presented with the login page.

To comply with security audits, the login page (a specific URL) must be locked down to internal IP network ranges only. In other words, internet users should be able to do everything except get to this login page.

It's easy to block/allow an entire site, but how can security for a specific page or URL be accomplished within IIS configuration?

Getting some random bouncebacks on e-mail processed through an IIS6 SMTP service acting as a smart host (outbound mail gateway).

Configuration example... For domain example.com we there is a Root A record set to 1.1.1.1, a www A record set to 1.1.1.1, and a single MX record set to mail.thirdpartyhostingcompany.com. Nothing else. An e-mail is sent to [email protected]...

Normal behavior would of course be looking up mail.thirdpartyhostingcompany.com and sending mail to that server, but here's the weird part... In the logs we are getting OutboundConnectionResponse log entries listing 1.1.1.1 as the mail server IP address.

This behavior is random, and re-sending the message usually causes it to be delivered to the proper place with no issue.

Does IIS6 SMTP fallback to a domain root A record in a certain scenario? Why would this behavior occur?

Every few hours, Web Farm Framework takes my farm down with a 502 error and the 2 WFE's in the farm are marked as Unhealthy.

I have no Validation URL set up in Health Monitoring, and everything is fine for another few hours if I manually 'Make Server Available', then same thing.

WFF is load balancing an ASP.NET application. How can I find out why they're getting marked as unhealthy, or just disable the health detection so the WFE's will only go offline in a deployment error?

EDIT: This is the latest Web Farm Framework on IIS.net as of yesterday.

I need to prototype a solution using Amazon VPC - what's the least expensive option available to create a VPC gateway on our side for the test lab?

I realize there are probably free VPN gateways (Vyatta comes to mind) but being that I'm not a VPN ninja, just looking for the easiest, nearly cut-n-paste way to get the connection set up, then just add the routing entries on our LAN to get started.

I've had a lot of experiences lately with application downtime, from both vendors and my own applications. This has got me thinking and as best I can google there isn't really a good or standard way of managing customer communication during downtime incidents.

I've seen this handled a lot of ways from the "blame everyone but us" approach to the "we screwed up and we're sorry" approach.

So my questions are... when you screw up with an app and cause downtime:

1. Do you admit fault immediately? (Should you, legally?)
2. How much info do you give the customer regarding what went wrong? ("An issue" vs. "A code syntax error in one of our SQL queries")
3. Do you come back with a follow-up prevention plan, or just leave it at "this has been resolved"?
4. Do you provide real-time updates? How often? Via Twitter or public-facing website?

Any other best practices for this that you've found successful?

I have a common server administration account shared by a group of users in a Terminal Services Administrative environment.

Sometimes when logging on and all sessions are full, we'll just get the "Maximum number of connections" error.

Other times, it will log the other user off, give them the "Another user has connected to your session" error, and let them in.

What are the conditions that decides whether the other user will get logged off vs. max # of connections error?

For outsourced professional IT remote support, one habit most new technicians get into is the "instead of getting the user to start up remote support each time, I'll go ahead and install LogMeIn / GoToMyPC / Remote Desktop / whatever so that if they call again, I can just jump on and help them".

This of course opens up a potential liability because a client PC on a network that we don't own is being accessed without a user explicitly providing permission by clicking a "Yes, allow technician to control my PC" option.

I realize the rules totally change when you're an IT admin over a network that you "own", but this is outsourced IT support. Just curious what others' policies are. Is this an acceptable practice for convenience and I'm turning into one of those "security is more important than anything" people, or is this really a liability?

Need to ship a device to a remote non-technical user for connecting a device that only supports an ethernet cable, and no physical port in the same room.

Some of the Linksys devices (Powerline adapters) have been discontinued... any recommendations for the best zero-config device to bridge physical ethernet connections over 802.11 or power line?

Is there a good way to solve the following?

• Domain has an AD security group called "Workstation Administrators", for users that should not be domain admins, but should have local administrative control over all workstations in the domain
• Technicians frequently forget to manually add this group after joining a PC to the domain and wastes time later on having to diagnose, go back and do it

Anybody know an automatic way of adding this group, or running a script on domain-join? Or would we need to run an automated audit process every so often after the fact?

This is a 2-part question:

1. Is there anything in a Windows Server 2003 domain environment that would cause accounts granted Log On As A Service rights to lose those rights after a few hours?
2. And if not, am I just going insane?

2 accounts used for Office Communication Server on a Windows 2003 OCS server. Services start fine, then after stopping them, on next start, they are not granted the Log On As A Service right. Grant them, and the services start again.

... and then we repeat. What in the world would cause this?

I'm not really an Office Communications Server expert, but just trying to resolve some seemingly minor issues with a new install...

The following error is occurring in the OCS event log, and when I try to visit https://servername:444/LiveServer/MCUFactory in Internet Explorer to test the address, I just get a "page cannot be displayed" error. I can telnet to port 444 on the server and verify that the port is open and listening. Any ideas?

Event Type: Error
Event Source:   OCS MCU Infrastructure
Event Category: (1022)
Event ID:   61013
Date:       7/28/2009
Time:       8:47:42 AM
User:       N/A
Computer:   COMM2
Description:
The process DataMCUSvc(1284) failed to send health notifications to the MCU factory at https://servername:444/LiveServer/MCUFactory/. 
Failure occurrences: 29, since 7/28/2009 8:40:27 AM.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I'm reconfiguring some mail architecture and wondering about this...

For the purposes of avoiding blacklists and maintaining a good MX reputation, is it better to have:

• One public IP / SMTP server dedicated to outbound only e-mail
• Another public IP / SMTP server dedicated to inbound only e-mail

Or both incoming/outgoing on one IP?

I guess these are the kinds of things I think about on the weekend...

When I was growing up (not that long ago) my parents always taught us to wait 30 seconds after shutting down the computer before turning it back on again.

Fast forward to today in professional IT, and I know a good number of people that still do the same.

Where did the "30 second" rule come from? Has anyone out there actually caused damage to a machine by powering it off and on within a few seconds?

What would generally be your expectation for SLA uptimes across the following services in a given month for a 'normal' scenario?

I'm including my expectations... the purpose of this question is to find out what the standard baseline should be in 2009 for setting SLA goals in an IT infrastructure. (Again, in a normal scenario - we're not talking Amazon or Google, but then again we're not talking Billy Bob's Web Site hosted on home DSL either.)

1. Power (100%)
2. Network / Core Routing / Switching (99.999%)
3. Static Files Hosting (99.99%)
4. Application Hosting [Single Server / DB] (99.95%)
5. E-Mail Hosting (99.95%)
6. Complex Application Hosting / Platform [Multiple Servers / DBs / Services] (99.9%)

(For reference... SLA Calculator)

And finally... How much maintenance time is acceptable within a month?

Looking for a fingerprint reader recommendation that meets the following requirements:

1. Can be used for logon with machines on domain (rules out MS Fingerprint Reader)
2. Stores passwords for logon for web sites with IE and Firefox
3. API support (for custom applications / reads)
4. USB

Situation: Windows Server 2003 - Users all have a mapped network drive to a common "Shared Files" file share...

• File Share
  • Level 1 ("Projects" folder)
    • Level 2 (Files in the project folder)

Users have been accidentally moving Level 1 folders into other Level 2 folders. What's the magic combination of permissions to achieve the following:

• Users should be able to CREATE folders at Level 1.
• Users should have full control (create/modify/delete) at Level 2.
• Users should not be able to RENAME, DELETE, or MOVE folders at Level 1.

Edit: The trick here is that after a user creates a folder at level 2, they should automatically have full control at that level; any way to use "this level only' at Level 1 and achieve this?

Say you have a server with a 25GB C partition, and a 450GB D partition - the C drive is running out of space.

I've used some products that offer repartitioning but "up to" 300GB drives. Any good repartition tools out there that can handle large drives at a reasonable price?