Secure my laptop Best Practice idea requests

My MacBook was stolen with all my personal information unencrypted last month and I now have a new 13 inch MacBook Pro. I would like some Best Practice recommendations for securing the data within my user account. Is there a BIOS level password option on the Apple laptops?
Any thoughts on identity theft? LoJack for Laptops software tracking? Is Apple's encryption of the home directory stable enough to use routinely and how does it affect backup of data and recovery of data? How about online backup... Mozy vs Carbonite or others? I had Mozy and it seems that much less data was actually available to recover than I had thought.
Or is this a case of the Cow is out of the barn and why shut the door now?!
Thoughts please!
Thanks
Warren Tripp
Madison, WI

Warren Tripp wrote:
I am NOT going to use FileVault however. I tried it once and lost data. Everything I read seems to imply it is not worth the trouble.
RE encryption, eww is correct - that's the only way to protect your data. Competent individuals (Kappy, eww, and me, for example) could defeat the firmware password protection and your strong admin password in a matter of minutes. A competent thief who was interested in your data would be able to do so as well (most just want the hardware, of course).
I do agree that FileVault is not the best solution here (I sometimes refer to it as FileFault - there's an inherent risk in having all of your data in a single, huge, encrypted file). I see no need to encrypt iTunes music, my personal photos, etc. Instead, consider creating an encrypted disk image for your sensitive personal data (again with a strong password, and UNcheck the box to store the password in the keychain!).
http://support.apple.com/kb/HT1578

Similar Messages

  • Is Adobe Connect part of Adobe Creative Cloud? Are there any best practices ideas from people who use Connect and Creative Cloud?

    Is Adobe Connect part of Adobe Creative Cloud? Are there any best practices ideas from people who use Connect and Creative Cloud?
    I have an Adobe Connect account and I'm also in the early stages of developing a webinar. I am looking for any tips and advice from anyone who uses both of these services.

    The £27 was an introductory offer. Upon completion of one year, the price will change to the normal Creative Cloud cost, which is £46.88. However, if you have a previous version of the Creative Suite, like CS 3, 4, 5, 5.5 or CS 6, you can avail of the offer at £27.34 per month incl. VAT. However, this requires an annual commitment, billed monthly.

  • ASA 5505 Best Practice Guidance Requested

    I am hoping to tap into the vast wealth of knowledge on this board in order to gain some "best practice" guidance to assist me with the overall setup using the ASA 5505 for a small business client.  I'm fairly new to the ASA 5505 so any help would be most appreciated!
    My current client configuration is as follows:
    a) business internet service (cable) with a fixed IP address
    b) a Netgear N600 Wireless Dual Band router (currently setup as gateway and used for internet/WiFi access)
    c) a Cisco SG-500-28 switch
    d) one server running Windows Small Business Server 2011 Standard (primary Domain Controller)
         (This server is currently the DNS and DHCP server)
    e) one server running Windows Server 2008 R2 (secondary Domain Controller)
    f) approximately eight Windows 7 clients (connected via SG-500-28 switch)
    g) approximately six printers connected via internal network (connected via SG-500-28 switch)
    All the servers, clients, and printers are connected to the SG-500-28 switch.
    The ISP provides the cable modem for the internet service.
    The physical cable for internet is connected to the cable modem.
    From the cable modem, a CAT 6 ethernet cable is connected to the internet (WAN) port of the Netgear N600 router.
    A Cat 6 ethernet cable is connected from Port 1 of the local ethernet (LAN) port on the N600 router to the SG-500-28 switch.
    cable modem -> WAN router port
    LAN router port -> SG-500-28
    The ASA 5505 will be set up with a "LAN" (inside) interface and a "WAN" (outside) interface.  Port e0/0 on the ASA 5505 will be used for the outside interface and the remaining ports will be used for the inside interface.
    So my basic question is, given the information above of our setup, where should the ASA 5505 be "inserted" to maximize its performance?  Also, based on the answer to the previous question, can you provide some insight as to how the ethernet cables should be connected to achieve this?
    Another concern I have is what device will be used as the default gateway.  Currently, the Netgear N600 is set as the default gateway on both Windows servers.  In your recommended best practice solution, does the ASA 5505 become the default gateway or does the router remain the default gateway?
    And my final area of concern is with DHCP.  As I stated earlier, I am running DHCP on Windows Small Business Server 2011 Standard.  Most of the examples I have studied for the ASA 5505 utilize its DHCP functionality.  I also have done some research on the "dhcprelay server" command.  So I'm not quite sure which is the best way to go. First off, does the "dhcprelay server" even work with SBS 2011?  And secondly, if it does work, is the best practice to use the "dhcprelay" command or to let the ASA 5505 perform the DHCP server role?
    All input/guidance/suggestions with these issues would be greatly appreciated!  I want to implement the ASA 5505 firewall solution following "best practices" recommendations in order to maximize its functionality and minimize the time to implement.
    FYI, the information (from the "show version" command) for the ASA 5505 is shown below:
    Cisco Adaptive Security Appliance Software Version 8.4(7)
    Device Manager Version 7.1(5)100
    Compiled on Fri 30-Aug-13 19:48 by builders
    System image file is "disk0:/asa847-k8.bin"
    Config file at boot was "startup-config"
    ciscoasa up 2 days 9 hours
    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB
    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1
    0: Int: Internal-Data0/0    : address is a493.4c99.8c0b, irq 11
    1: Ext: Ethernet0/0         : address is a493.4c99.8c03, irq 255
    2: Ext: Ethernet0/1         : address is a493.4c99.8c04, irq 255
    3: Ext: Ethernet0/2         : address is a493.4c99.8c05, irq 255
    4: Ext: Ethernet0/3         : address is a493.4c99.8c06, irq 255
    5: Ext: Ethernet0/4         : address is a493.4c99.8c07, irq 255
    6: Ext: Ethernet0/5         : address is a493.4c99.8c08, irq 255
    7: Ext: Ethernet0/6         : address is a493.4c99.8c09, irq 255
    8: Ext: Ethernet0/7         : address is a493.4c99.8c0a, irq 255
    9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255
    Licensed features for this platform:
    Maximum Physical Interfaces       : 8              perpetual
    VLANs                             : 3              DMZ Restricted
    Dual ISPs                         : Disabled       perpetual
    VLAN Trunk Ports                  : 0              perpetual
    Inside Hosts                      : 10             perpetual
    Failover                          : Disabled       perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 10             perpetual
    Total VPN Peers                   : 12             perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has a Base license.

    Hey Jon,
    Again, many thanks for the info!
    I guess I left that minor detail out concerning the Guest network.  I have a second Netgear router that I am using for Guest network access.  It is plugged in to one of the LAN network ports on the first Netgear router.
    The second Netgear (Guest) router is setup on a different subnet and I am letting the router hand out IP addresses using DHCP.
    Basic setup is the 192.168.1.x is the internal network and 192.168.11.x is the Guest network.  As far as the SBS 2011 server, it knows nothing about the Guest network in terms of the DHCP addresses it hands out.
    Your assumption about the Guest network is correct, I only want to allow guest access to the internet and no access to anything internal.  I like your idea of using the restricted DMZ feature of the ASA for the Guest network.  (I don't know how to do it, but I like it!)  Perhaps you could share more of your knowledge on this?
    One final thing, the (internal) Netgear router setup does provide the option for a separate Guest network, however it all hinges on the router being the DHCP server.  This is what led me to the second (Guest) Netgear router because I wanted the (internal) Netgear router NOT to use DHCP.  Instead I wanted SBS 2011 to be the DHCP server.  That's what led to the idea of a second (Guest) router with DHCP enabled.
    The other factor in all this is SBS 2011.  Not sure what experience you've had with the Small Business Server OS's but they tend to get a little wonky if some of the server roles are disabled.  For instance, this is a small business with a total of about 20 devices including servers, workstations and printers.  Early on I thought, "nah, I don't need this IPv6 stuff," so I found an article on how to disable it and did so.  The server performance almost immediately took a nose dive.  Rebooting the server went from a 5 minute process to a 20 minute process.  And this was after I followed the steps of an MSDN article on disabling IPv6 on SBS 2011!  Well, long story short, I enabled IPv6 again and the two preceding issues cleared right up.  So, since SBS 2011 by "default" wants DHCP set up, I want to try my best to accommodate it.  So, again, your opinion/experience related to this is a tremendous help!
    Thanks!

  • Securing with NAT - Best Practice ?

    Hi,
    Is it forbidden to do NAT Exempt from Internal to DMZ?
    I hear there is a compliance requirement in banking that 2 servers need to communicate but it's forbidden for them to know each other's IP address?
    How about NAT as a second layer or firewall?
    What is the best practice to secure an enterprise network from a NAT point of view?
    Thx

    Hello Ibrahim,
    No, not at all, that is not a restriction at all. You can do it if needed.
    Now it looks like in your environment it is a requirement that these 2 servers communicate with each other but they will not know each other's IP address.
    Then NAT is your friend, as it will satisfy the requirement you are looking for.
    Well, I do not consider NAT to be a security measure, as for me it does not perform any inspection, any rule set, any policy, etc., but I can assure you there are a lot of people that think about it as a security measure.
    I see it as an IP service that allows us to preserve the IP address space.
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Cheers,
    Julio Carvajal Segura

  • Best Practice/Idea - purchasing of assembly

    Hello,
    we are looking for a way to buy/purchase a configurable assembly where some parts of the assembly will be provided by our company for the vendor and other parts will be provided by the vendor itself.
    Then we will receive a completed assembly from the vendor.
    Thank you!
    Best regards
    Matthias

    Hi Matthias,
    There are a couple of ways to do it, but the configurable thing bothers me; what is the meaning of configuration when you purchase an assembly? What does it serve later in your supply chain?
    Anyway, you can do it like this:
    1) as a regular subcontract process; you don't manage a BOM for the assembly, or manage a BOM that contains only the parts that are provided by you, or manage the full BOM, where the parts that are provided by the vendor are marked as such (BOM item details).
    2) you manage the assembly as a configurable material, for which you create a production order in your company and configure. In the BOM you mark the items provided by the vendor as such (like in 1). The main assembly operation is for external processing (the other way of subcontracting).
    Regards,
    Mario

  • Best practice idea;PDF forms to Oracle Database idea?

    Working on a check list type of form
    Most of the items are "Compliant," "Non Compliant," "Not applicable."
    So with three check boxes all labeled "item2" I get the behavior that I want. Specifically there are three options but only one is allowed.
    Presently the plan is to fill in the document, save, and print and/or email. So far so good.
    BUT...
    In the long haul it would be nice that the data go via email in some format to populate an Oracle database.
    Question:
    What type of logic needs to be attached (and where) such that "For 'item2' the one and only one choice from a universe of 3 is [answer]"?
    I'm guessing JavaScript (not well versed in this yet) but is there something simpler?
    Thanks

    A question with three choices. Only one answer.
    To have the checkboxes mutually exclusive I have given them a name which is identical.
    This gives me the visual behavior I need.
    The project will evolve next year to pushing the value to a back end database. Presently if I give each choice a unique name in order to record the answer then the mutual exclusivity breaks
    I hail as an Authorware developer. From this perspective I'd do a "If then else" conditional statement for each choice.
    So in the PDF realm I think it is some type of script that is needed.

  • HTTP Web Response and Request Best Practices to Avoid Common Errors

    I am currently investigating an issue with our web authentication server not working for a small subset of users. My investigating led to attempting to figure out the best practices for web responses.
    The code below allows me to get a HTTP status code for a website.
    using System.Net;

    // url is the address being tested (a string defined elsewhere).
    string statusCode;
    CookieContainer cookieContainer = new CookieContainer();
    HttpWebRequest myHttpWebRequest = (HttpWebRequest) WebRequest.Create(url);
    // Allow auto-redirect
    myHttpWebRequest.AllowAutoRedirect = true;
    // Make sure you have a cookie container set up.
    // Without one, cookies are probably not being saved and the
    // request gets caught in a redirect loop.
    myHttpWebRequest.CookieContainer = cookieContainer;
    // Dispose the response so the underlying connection is released.
    using (HttpWebResponse webResponse = (HttpWebResponse) myHttpWebRequest.GetResponse())
    {
        statusCode = "Status Code: " + (int) webResponse.StatusCode + ", " + webResponse.StatusDescription;
    }
    Throughout my investigation, I encountered some error status codes, for example, the "Too many automatic redirections were attempted" error. I fixed this by having a Cookie Container, as you can see above.
    My question is - what are the best practices for requesting and responding to HTTP requests?
    I know my hypothesis that I'm missing crucial web request methods (such as implementing a cookie container) is correct, because that fixed the redirect error.
    I suspect my customers are having the same issue as a result of using our software to authenticate with our server/URL. I would like to avoid as many web request issues as possible.
    Thank you.

    Hello faroskalin,
    This issue is more regarding ASP.NET; I suggest asking it at
    http://forums.asp.net/
    There are ASP.NET experts who will help you better.
    Regards.
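
The redirect loop described in the question above, reproduced as an added example (not code from the original post, and written in Python rather than .NET so that it runs against a throwaway local server): the constructed handler gates `/protected` on a session cookie, and the client only gets through when it keeps cookies across redirects. The paths, cookie value and function names are assumptions made for the demo.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample value; a real server would issue a random session id.
SESSION_COOKIE = "session=constructed-demo-token"


class CookieGatedHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for an auth server that gates a page on a cookie."""

    def do_GET(self):
        if self.path == "/protected":
            if SESSION_COOKIE in self.headers.get("Cookie", ""):
                self._reply(200, body=b"authenticated\n")
            else:
                # No session cookie presented: send the client to get one.
                self._reply(302, location="/set-cookie")
        elif self.path == "/set-cookie":
            self._reply(302, location="/protected",
                        set_cookie=SESSION_COOKIE + "; Path=/; HttpOnly")
        else:
            self._reply(404)

    def _reply(self, status, location=None, set_cookie=None, body=b""):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the demo output quiet


def start_demo_server():
    """Start the handler on a free loopback port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CookieGatedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch(url, keep_cookies):
    """Follow redirects from url; return (outcome, last HTTP status)."""
    # An empty ProxyHandler keeps loopback traffic away from any configured proxy.
    handlers = [urllib.request.ProxyHandler({})]
    if keep_cookies:
        jar = http.cookiejar.CookieJar()
        handlers.append(urllib.request.HTTPCookieProcessor(jar))
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=5) as response:
            return ("ok", response.status)
    except urllib.error.HTTPError as err:
        # urllib gives up on a repeating redirect chain and raises the last 30x.
        err.close()
        outcome = "redirect-loop" if 300 <= err.code < 400 else "http-error"
        return (outcome, err.code)


if __name__ == "__main__":
    server, base = start_demo_server()
    try:
        print("no cookie jar:", fetch(base + "/protected", keep_cookies=False))
        print("cookie jar:   ", fetch(base + "/protected", keep_cookies=True))
    finally:
        server.shutdown()
```

The same reasoning applies to any client that follows redirects on its own: the cookie set on one hop has to be replayed on the next, or the server keeps sending the client back for it.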

  • Best practices in wireless configuration?

    Hi,
    Is there a best practice document that shows 3500 AP with 5508 controllers? The questions I have are below.
    1. Do I configure each AP to non overlapping neighbor channels(1,6,11 for 2.4GHz) or leave that to controller to decide? Does controller change the channel of an AP when it sees congestion on a specific frequency?
    2. For 5 GHz is it good idea to bond the channels? What frequency to use for neighboring APs? OR again, leave it to controller to shift as needed?
    3. For security what's best practices? 802.1x or different?
    Thanks,
    Sm

    1. Do I configure each AP to non overlapping neighbor channels(1,6,11 for 2.4GHz) or leave that to controller to decide?
    Let the controller(s) decide.  By default the Dynamic Channel Assignment (DCA) verifies the channel for interference every 600 seconds.  Because you have 3500 then make sure you enable Event Driven RRM (Radio Resource Management) on both channels.
    Does controller change the channel of an AP when it sees congestion on a specific frequency?
    The controllers will not change the channel when it sees congestion.  The controller will change the channel if it sees interference on the same channel.  The CleanAir will change the channel when it sees interference from non-AP interference like Bluetooth, Microwave ovens, cordless phones, etc.
    2. For 5 GHz is it good idea to bond the channels?
    Sure.
    What frequency to use for neighboring APs? OR again, leave it to controller to shift as needed?
    Leave this option in default.
    3. For security what's best practices? 802.1x or different?
    Sure.

  • Consuming web services in a jsr 168 portlet best practices.

    I am building portlets (jsr 168 api in Websphere Portal 6.0 using web service client of Rational). Now needed some suggestions on caching the web services data on the portlet. We have a number of portlets (somewhere around 4 or 5) on a portal page which basically rely on a single wsdl Lotus Domino Web Service.
    Is there a way I can cache the data returned by the web service so that I don't make repeated calls to the web service on every portlet request? Any best practices/ideas on how I could avoid multiple web service calls would be appreciated.

    Interestingly, as it often happens with Oracle portal, this has started working without me doing anything special.
    However, the session events my listener gets notified of are (logically, as this portlet works via WSRP) different from user sessions. The problem I'm trying to solve now is that logging off (in SSO) doesn't lead to those sessions being destroyed. They only get destroyed after timeout specified in my web.xml (<session-config><session-timeout>30</session-timeout></session-config>). On the other hand, when they do expire, the SSO session may still be active, in which case the user gets presented with the infamous "could not get markup" error message. The latter is unacceptable in our case, so we had to set session-timeout to a pretty high value.
    So the question is, how can we track when the user logs off. We have found the portal.wwctx_sso_session$ and portal.WWLOG_ACTIVITY_LOG1$ (and ...2$) tables, but no documentation for them. However, the real problem with using those tables is that there's no way we could think of to match the portlet sessions with SSO sessions/actions listed in the tables. (Consider situation when someone logs in from two PCs.)
    Any ideas?

  • Best Practice Advice - Using ARD for Inventorying System Resources Info

    Hello All,
    I hope this is the place I can post a question like this. If not please direct me if there is another location for a topic of this nature.
    We are in the process of utilizing ARD reporting for all the Macs in our district (3500 +/- a few here and there). I am looking for advice and would like some best practices ideas for a project like this. ANY and ALL advice is welcome. Scheduling reports, utilizing a task server as opposed to the Admin workstation, etc. I figured I could always learn from those with experience rather than trying to reinvent the wheel. Thanks for your time.

    hey, i am also interested in any tips. we are gearing up to use ARD for all of our macs current and future.
    i am having a hard time with entering the user/pass for each machine, is there an easier way to do so? we don't have nearly as many macs running as you do but it's still a pain to do each one over and over. any hints? or am i doing it wrong?
    thanks
    -wilt

  • Best practice for moving images between projects?

    Hey all,
    I have a project that has an album inside of it. I want to move the album, containing all of the photographs to a new project. If I drag the photos individually to the new project it moves them successfully although they now don't belong to an album in their new project. If I drag the album itself it moves the album and photographs but leaves the photos in the original project as well.
    Does anyone have some best practice ideas for this scenario?
    Thanks in advance for any help!

    As you have discovered if the drop target is the project the images move projects. If the drop target is an album the images show up in the album but do not actually move anywhere. Moving albums does nothing to move masters. So...
    Select all of the images in the album. Drag them to the new project and then drag the album to the new project. Simple enough.
    RB

  • Best Practice for Securing Web Services in the BPEL Workflow

    What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
    They are all deployed on the same oracle application server.
    Defining agent for each?
    Gateway for all?
    BPEL security extension?
    The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
    Regards
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
    A typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from the Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of Security extensions
    Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
    Thanks
    Ram

  • Any known security best practices to follow for FMS deployment

    Hi all,
    We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

    Hi
    I will add some concepts. I am not sure how all of them work technically, but there should be enough here for you to dig deeper, and also a lot of this is relevant to your environment and how you want to deploy it.
    I have done a 28 server deployment, 4 origin and 24 edge servers.
    All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
    We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17, this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are comfortable that all your connection types are working and secure.
    Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
    You may want to look at SWF verification. In my understanding, it works as the following. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the hijacking possibilities on your streams.
    If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
    There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains, Firewalls and DRM.
    I hope this helps you out.
    Roberto

  • Remoting Security: Best Practice

    I am exploring Remoting and I am curious about security best practice. By default, Enable-PSRemoting will configure an HTTP listener that listens to all addresses. Initially I thought this address was the address of the computer making the remoting request, but it isn't, it's the address on the local machine that is doing the listening. My reason for thinking this was the controller machine IP was that I thought I might want to limit successful remote requests to just the one machine. From a security standpoint this seemed better than letting any machine initiate a remote session. I know that the remote session is limited by the permissions of the user initiating, so any real threat is only because I have already been breached anyway. But still, I wonder if there is a way, and value, in limiting remoting to a subset of machines?
    Or is the default here really fine from a security standpoint as well?
    Thanks!
    Gordon

    It is most secure to configure remoting and restrict it using Group Policy.  GP will let you define subnets for both ends of the conversation network wide.
    \_(ツ)_/

  • Web Intelligence Security Best Practices

    Hi All,
    We are in the process of starting to use web intelligence. I am putting together a security model for it and I have some questions around best practices. We have a fairly simple two tier security model so far, end users and creators. Creators will be able to create reports in certain folders and everyone else will be able to run and refresh those reports they can see.
    I was going to create a group for all the creators and assign them to a custom access level in the web intelligence application. Then they would also need to be in another creator group for the particular folder. So they would be able to create reports in that folder and execute reports in another.
    For all the end users, they need to be able to view and refresh reports, drilling, data tracking, etc. if they have access to them. Is the best practice then to just assign the Everyone group the out of the box view on demand access level?
    I have been digging around looking for resources and welcome anyone's input or ideas on the subject.
    Thanks in advance for any assistance provided.

    Thank you for your prompt reply.
    But that means that the same security groups will need to be created in both places, web intelligence application and at the folder level?
    I was thinking if I create a developer group for the web intelligence application level, all developers would go into there. Then at the folder level I could create another folder level security group for developers to access the folder.
    Would that not simplify the maintenance at the application level? Or would that not work?
