Security/Firewall recommendations for DirectAccess 2012 (Dual-NIC Edge Configuration)

Hello all,
We have installed and configured DirectAccess 2012 with the Edge Configuration with the thought that we would be able to install TMG directly on this server (as we did with the original 2008 DirectAccess/UAG). It appears that we cannot install TMG on Server 2012 R2, so now we have a server directly connected to the outside world with public IPs assigned to it and no firewall other than Windows Firewall. I know that most organizations choose to configure DirectAccess behind an Edge device (hindsight being perfect, we should have as well); however, we did not, and it appears that we can't easily change this without completely reconfiguring DirectAccess (which took several days to get right).
So my question: What are the security/firewall recommendations for a DirectAccess server in an Edge scenario? I've Googled this and have not found much. Thanks in advance,
Brad

It's always good to have a firewall in front of a domain-joined machine, and of course the DA server is no exception.
Server 2012 can work behind a firewall with NAT functionality enabled or disabled.
If you have a fully functional DA with the Edge profile enabled, you can still configure any firewall (without NAT functionality) without changing the configuration settings in DA.
You can also have TMG protecting your existing DA setup. Below is the link for it.
http://www.isaserver.org/articles-tutorials/general/implementing-windows-server-2012-directaccess-behind-forefront-tmg-part1.html
Please let me know how it goes.
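
One way to check what Windows Firewall currently admits on the Internet-facing NIC of an edge DirectAccess server, as an added example that is not part of the thread. The adapter name `External` and the helper `Test-ExpectedRule` are assumptions; the expected list (IP-HTTPS on TCP 443, Teredo on UDP 3544, 6to4 on IP protocol 41) is the set of DirectAccess transports an edge deployment accepts from the Internet.

```powershell
# Added example (not from the thread). Lists enabled inbound "Allow" rules in
# Windows Firewall that apply to the external NIC and marks every rule that is
# not one of the DirectAccess transports expected on that interface.

# Assumption: the Internet-facing adapter is named 'External'; change to match.
$ExternalAlias = 'External'

# Transports an edge DirectAccess server accepts from the Internet.
# Built-in rules may store the port as a keyword (IPHTTPSIn, Teredo).
$Expected = @(
    @{ Protocol = 'TCP'; Ports = @('443', 'IPHTTPSIn') }   # IP-HTTPS
    @{ Protocol = 'UDP'; Ports = @('3544', 'Teredo') }     # Teredo
    @{ Protocol = '41';  Ports = @('Any') }                # 6to4
)

# Firewall profile currently applied to the external adapter.
$category    = (Get-NetConnectionProfile -InterfaceAlias $ExternalAlias).NetworkCategory
$profileName = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { "$category" }

# Hypothetical helper: true only if every local port on the rule is expected
# for that protocol.
function Test-ExpectedRule {
    param([string]$Protocol, [string[]]$LocalPort)
    foreach ($e in $Expected) {
        if ($e.Protocol -ne $Protocol) { continue }
        $unexpected = $LocalPort | Where-Object { $e.Ports -notcontains $_ }
        if (-not $unexpected) { return $true }
    }
    return $false
}

$report = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    # Skip rules bound to a firewall profile the external NIC is not using.
    $profiles = "$($rule.Profile)" -split ',\s*'
    if ($profiles -notcontains 'Any' -and $profiles -notcontains $profileName) { continue }

    # Skip rules scoped to other interfaces.
    $aliases = @(($rule | Get-NetFirewallInterfaceFilter).InterfaceAlias)
    if ($aliases -notcontains 'Any' -and $aliases -notcontains $ExternalAlias) { continue }

    $pf = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Protocol  = $pf.Protocol
        LocalPort = @($pf.LocalPort) -join ','
        Expected  = Test-ExpectedRule -Protocol $pf.Protocol -LocalPort @($pf.LocalPort)
    }
}

# Rules with Expected = False come first: each one is reachable from the
# Internet unless narrowed by a remote-address scope, which this check ignores.
$report | Sort-Object Expected, Rule | Format-Table -AutoSize
```

Rules listed with `Expected = False` are candidates for review (disable, or rebind to the internal adapter or Domain profile), not automatic removals.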

Similar Messages

  • Firewall Port for DHCP 2012 R2 Failover (Load Sharing mode)

    Hi Everyone,
    I was wondering if anyone can help me with finding a document for the required firewall ports for DHCP 2012 R2 Failover (Load Sharing mode), or just confirm whether this is correct or not?
    TCP 647 for DHCP failover messages between DHCP servers
    TCP/UDP 67 and 68 initiate communication between the client and server
    I am not sure if there is anything else.
    Thanks in advance
    Reza Negarestani

    It was for a technical design document, and I put in this table for firewall requirements. What do you think?
    Direction       Port(s)
    Bidirectional   TCP 647
    Bidirectional   TCP 2535, UDP 2535
    Bidirectional   TCP 67, TCP 68, UDP 67, UDP 68
    Reza Negarestani

  • Updates and Hotfixes for DirectAccess 2012 R2 and Windows 8.1

    Some of you who use DirectAccess are probably familiar with the following link:
    Recommended hotfixes and updates for Windows Server 2012 DirectAccess
    As far as I know, and according to TechNet, DirectAccess hasn't changed a bit from 2012 to 2012 R2 servers.
    I use DirectAccess on Windows Server 2012 R2, and I'm surprised to see that there is not a single update from that list that is applicable to Server 2012 R2.
    If that's true, shouldn't there be documentation that talks about the differences in the DirectAccess client\server from 2012\8 to 2012 R2\8.1?
    I'm asking because I want to make sure those updates are already included or not needed for 2012 R2\8.1, and not "forgotten" or something.
    Tamir Levy

    I was afraid that you'd say that.
    I hate to be the annoying guy, but take a look at this KB article:
    http://support.microsoft.com/kb/2787534
    Applies to: Windows 8\2012
    Doesn't apply to: Windows 8.1\2012 R2
    And, for a fact, it isn't included in Windows 8.1\2012 R2, as this bug still exists in those operating systems.
    Another annoying fact: no other update has been released for these versions yet.
    This example proves that not every hotfix\update that was released for 8\2012 before 8.1\2012 R2 is already included in 8.1\2012 R2.
    Allow me to add another fact.
    When you configure DirectAccess via the Remote Access wizard, it creates a WMI query called
    DirectAccess - Laptop Only WMI Filter.
    After you create it in Windows Server 2012 R2, look at the WMI query and you'll see that by default it doesn't apply to version 6.3, the version for Windows 8.1!
    If you want to add support for Windows 8.1, you have to manually modify the query, which is, of course, not supported by Microsoft.
    That is just another symptom that makes me wonder whether Microsoft made ANY change or update to DirectAccess 2012 R2.
    Tamir Levy

  • What are Best Practice Recommendations for Java EE 7 Property File Configuration?

    Where does application configuration belong in modern Java EE applications? What best practice(s) recommendations do people have?
    By application configuration, I mean settings like connectivity settings to services on other boxes, including external ones (e.g. Twitter and our internal Cassandra servers...for things such as hostnames, credentials, retry attempts) as well as those relating business logic (things that one might be tempted to store as constants in classes, e.g. days for something to expire, etc).
    Assumptions:
    We are deploying to a Java EE 7 server (Wildfly 8.1) using a single EAR file, which contains multiple wars and one ejb-jar.
    We will be deploying to a variety of environments: Unit testing, local dev installs, cloud based infrastructure for UAT, Stress testing and Production environments. Many of our properties will vary with each of these environments.
    We are not opposed to coupling property configuration to a DI framework if that is the best practice people recommend.
    All of this is for new development, so we don't have to comply with legacy requirements or restrictions. We're very focused on the current, modern best practices.
    Does configuration belong inside or outside of an EAR?
    If outside of an EAR, where and how best to reliably access them?
    If inside of an EAR we can store it anywhere in the classpath to ease access during execution. But we'd have to re-assemble (and maybe re-build) with each configuration change. And since we'll have multiple environments, we'd need a means to differentiate the files within the EAR. I see two options here:
    Utilize expected file names (e.g. cassandra.properties) and then build multiple environment specific EARs (eg. appxyz-PROD.ear).
    Build one EAR (eg. appxyz.ear) and put all of our various environment configuration files inside it, appending an environment variable to each config file name (eg cassandra-PROD.properties). And of course adding an environment variable (to the vm or otherwise), so that the code will know which file to pickup.
    What are the best practices people can recommend for solving this common challenge?
    Thanks.

    Hi Bob,
    Sometimes when you create a model using a local WSDL file, instead of referring to the URL mentioned in the WSDL file, it refers to, say, the "C:\temp" folder from where you picked up that file. You can check the target address of the logical port. Because of this, when you deploy the application on the server, it tries to search for it in the "c:\temp" path instead of the path specified at the soap:address location in the WSDL file.
    The best way is to re-import your Adaptive Web Services model using the URL specified in the WSDL file as the soap:address location,
    like http://<IP>:<PORT>/XISOAPAdapter/MessageServlet?channel<xirequest>
    or you can ask your XI developer to give you the URL for the web service and the username and password of the server.

  • Recommendations for SCOM 2012 -- 2012 R2 migration

    Hello to all. I have a customer that has SCOM 2012 in its IT environment but barely uses it and does not have any documentation. I proposed to install a new Management Group (MG) and "reboot" to a parallel SCOM 2012 R2, considering the use of new features present in 2012 R2.
    Questions:
    1- Does SCOM support a side-by-side migration strategy, like SCCM 2007 R2 --> SCCM 2012 R2, that takes its main source objects and brings them to the new, separate Management Group (the SCOM 2012 R2)?
    2- Considering that all regular member servers are monitored by SCOM 2012 (all have agents installed), what is the recommended way to install SCOM 2012 R2 agents on them (multi-homed deploy, deploy a new agent and it will upgrade/remove the already existing SCOM 2012, etc.)?
    3- Does SCOM allow an approach to install SCOM 2012 R2 on an already existing SCOM 2012 MG, "migrate" its objects to the new server, and after that decommission SCOM 2012 (the old version)?
    Your inputs and references will be very welcome.
    Regards, EEOC.

    1- Does SCOM support a side-by-side migration strategy, like SCCM 2007 R2 --> SCCM 2012 R2, that takes its main source objects and brings them to the new, separate Management Group (the SCOM 2012 R2)?
    2- Considering that all regular member servers are monitored by SCOM 2012 (all have agents installed), what is the recommended way to install SCOM 2012 R2 agents on them (multi-homed deploy, deploy a new agent and it will upgrade/remove the already existing SCOM 2012, etc.)?
    Yes. You can build SCOM 2012 R2 and do a side-by-side migration.
    High Level View of System Center 2012 R2 Operations Manager Upgrade Steps – Upgrading 2012 SP1 Agents to 2012 R2 and Running Two Environments:
    1. Retain the original System Center 2012 Service Pack 1 (SP1), Operations Manager environment.
    2. Set up an additional, new System Center 2012 R2 Operations Manager environment with management servers, gateway, Operations Manager Database, Operations Manager Data Warehouse, console, web console, and reporting server.
    3. Upgrade the System Center 2012 Service Pack 1 (SP1), Operations Manager Agents to 2012 R2.
     a. Push-Install option
     b. Manual / Command Line option
    3- Does SCOM allow an approach to install SCOM 2012 R2 on an already existing SCOM 2012 MG, "migrate" its objects to the new server, and after that decommission SCOM 2012 (the old version)?
    The upgrade path is from SCOM 2012 --> SCOM 2012 SP1 --> SCOM 2012 R2
    High Level View of System Center 2012 R2 Operations Manager Upgrade Steps – Upgrading a Distributed Management Group
    1. Accomplish Pre-Upgrade Tasks
    2. Upgrade the initial management server and then additional management servers (each management server must be upgraded)
    3. Upgrade ACS (because the ACS server must be on same machine as a management server, we recommend you perform this step along with the upgrade of the management server on which ACS resides.)
    4. Upgrade Gateway(s)
    5. Upgrade Console
    6. Push Install to Agent(s) / Upgrading Manually Installed Agents
    7. Upgrade Web Console
    8. Upgrade Reporting Server
    9. Accomplish Post-Upgrade Tasks
    For detail, pls. refer to
    Upgrading System Center 2012 – Operations Manager to System Center 2012 SP1
    https://technet.microsoft.com/en-us/library/jj899854.aspx
    Upgrading System Center 2012 SP1 - Operations Manager to System Center 2012 R2
    https://technet.microsoft.com/en-us/library/dn249707.aspx
    Roger

  • Does Mac Pro use ethernet 1 by default for internet ? (dual nic question)

    Greets all - loving my Mac Pro so far and will likely never have a pc only again - as already switched to macbook pro a year ago - (boot camp still for the pc games at times but rather be in OS X and fusion anyday)
    Anyway, at home I have both a cable modem and DSL - the wife and I both work in IT, and every once in a while one or the other goes out, and if we can't get in remotely at all times it's a problem.
    I use the cable modem, and the DSL is routed through an Apple Time Capsule to her iMac and the kids' PCs.
    I hooked the TC into my second NIC, as occasionally I want to get files off it - and it showed up fine - running tracert and speedtest.net shows my internet access still going through port 1 through the cable modem.
    This is what I want, as it is faster overall, but I was curious if anyone knows if by default OS X will always use eth 1 for internet and only eth 2 when I try to access the Time Capsule (have an extra HD off it on USB also) or that subnet? Or do I need to do something to force it to always use eth1 for internet access?
    (starting to read up on the aggregation possibilities but wanted to see the basics of how it works like this first)

    OS X uses the connection that is first in the list of ports in Network preferences. You can rearrange by clicking on the options button below the list, select re-order, then arrange. OS X also by default connects to the Ethernet port to which the cable is connected unless you have both ports connected to separate routers. Then the order is determined by the port listing.

  • Looking for an elegant dual monitor auto-configure solution (SOLVED)

    I am currently using XFCE because Gnome and KDE are both too heavy for my weak little laptop with Intel onboard graphics.  The number one thing I miss is auto-detect and configuration when I plug or unplug my monitor.
    I can't find anything that works automatically in an elegant way, the only thing I can do is poll the system every second.  There appears to be a way to make a udev rule but that is a little bit out of my depth.
    My current solution is below, does anybody have a suggestion for something more elegant?  It would be awesome if there was something in the AUR.
    #!/bin/bash
    # inspired by:
    # http://unix.stackexchange.com/questions/4489/a-tool-for-automatically-applying-randr-configuration-when-external-display-is-p
    # http://ozlabs.org/~jk/docs/mergefb/
    export DISPLAY=:0
    export XAUTHORITY=~/.Xauthority
    # actual script: poll the VGA connector once per second
    while true
    do
        # re-read the connector state on every pass so plug/unplug is noticed
        dmode="$(cat /sys/class/drm/card0-VGA-1/status)"
        if [ "${dmode}" = disconnected ]; then
            /usr/bin/xrandr --auto
        elif [ "${dmode}" = connected ]; then
            /usr/bin/xrandr --output VGA1 --auto --right-of LVDS1
        else
            /usr/bin/xrandr --auto
        fi
        sleep 1s
    done
    SOLVED using inotify see below and thanks for all the help
    #!/bin/bash
    # inspired by:
    # http://unix.stackexchange.com/questions/4489/a-tool-for-automatically-applying-randr-configuration-when-external-display-is-p
    # http://ozlabs.org/~jk/docs/mergefb/
    # http://superuser.com/questions/181517/how-to-execute-a-command-whenever-a-file-changes/181543#181543
    export MONITOR2=/sys/class/drm/card0-VGA-1/status
    # block until the connector status file is touched, then re-read its state
    while inotifywait -e modify,create,delete,open,close,close_write,access "$MONITOR2"
    do
        dmode="$(cat "$MONITOR2")"
        if [ "${dmode}" = disconnected ]; then
            /usr/bin/xrandr --auto
            echo "${dmode}"
        elif [ "${dmode}" = connected ]; then
            /usr/bin/xrandr --output VGA1 --auto --right-of LVDS1
            echo "${dmode}"
        else
            /usr/bin/xrandr --auto
            echo "${dmode}"
        fi
    done
    Last edited by originalsurfmex (2013-10-28 20:51:45)

    Thanks very much for pointing me to inotify.  This is exactly the type of solution I was looking for!  I wasn't too excited about creating some udev tool.  Here is the script using inotify:
    #!/bin/bash
    # inspired by:
    # http://unix.stackexchange.com/questions/4489/a-tool-for-automatically-applying-randr-configuration-when-external-display-is-p
    # http://ozlabs.org/~jk/docs/mergefb/
    # http://superuser.com/questions/181517/how-to-execute-a-command-whenever-a-file-changes/181543#181543
    export MONITOR2=/sys/class/drm/card0-VGA-1/status
    # block until the connector status file is touched, then re-read its state
    while inotifywait -e modify,create,delete,open,close,close_write,access "$MONITOR2"
    do
        dmode="$(cat "$MONITOR2")"
        if [ "${dmode}" = disconnected ]; then
            /usr/bin/xrandr --auto
            echo "${dmode}"
        elif [ "${dmode}" = connected ]; then
            /usr/bin/xrandr --output VGA1 --auto --right-of LVDS1
            echo "${dmode}"
        else
            /usr/bin/xrandr --auto
            echo "${dmode}"
        fi
    done
    I am marking this as solved.  If you have more critique or suggestions I'd be open to improve the script.

  • Why does my Cisco router firewall block Windows Server 2012 traffic, but not Windows Server 2008 traffic?

    Hello,
       I run a small business network with five physical servers: three Dell servers running Windows Server 2008 R2, one custom build running 2008, and another custom build running 2012 with Domain Controller Role (same hardware for both custom builds). 
    The Dell servers are all running the Hyper-V role and each has a number of 2008 VMs.  I also have a 2012 VM with the Domain Controller Role on one of the Hyper-V servers and another VM with a completely base install of 2012.
       All servers are plugged into a Cisco SG300-52 switch which is uplinked to a Cisco 881 router which is connected to a TWC-provided Ubee cable modem.  I have no VLANs set up.  I do have the Firewall on the router configured to inspect most traffic.
       Here is my problem:  I cannot connect to most of the internet on ANY 2012 server (and all exhibit the exact same behavior), but I have NO problems connecting to the internet from 2008 servers.  Here is what I already know:
       1.) I can ping the outside world just fine so ICMP is passing to any external host.
       2.) Two of the 2012 servers are DCs running DNS services and they can connect to the internet just fine for DNS requests because they are doing a perfectly good job of providing DNS services to my network.
       3.) Here's where it gets really weird: I can browse in Internet Explorer to Bing.com and it works.  I can also go to a couple other Microsoft websites (though they are very slow).  If I click on any link in Bing, however, it doesn't work and gives me a page not available error.  If I connect to a non-MS website like Google or my company website, I get page not available.
        4.) I have tried to telnet to port 80 at Bing and it works.  I have tried to telnet to port 80 at google.com and it won't connect.  The 2008 servers have no issue telnetting to either Bing or Google on port 80 and none of my client PCs on the network do either.
        5.) Windows Update will not connect and neither will any other update service such as AVG (I have AVG Antivirus installed WITHOUT firewall on two of the three servers. The base 2012 VM has no software installed and no roles...I built it just to see if it could connect after a fresh install and it still cannot.)
        6.) The network connection does not indicate limited connectivity (probably because ICMP appears to be passing successfully)
         7.) If I connect the server directly to the modem it has full internet access.
         8.) All internal LAN connectivity is perfectly fine and runs at full speed.
         9.) I have scoured the internet trying to find other examples of this particular kind of connectivity issue on 2012 and I have found two TechNet articles that are similar, but they both had the same resolution: changing the router worked, but no one knows why. (I would have included the links, but apparently I cannot do that yet)
    My question is this: What is different about Windows Server 2012 networking that would render it unable to communicate through a router that Windows Server 2008 has no problems with?  I ask because, unlike in these two articles where they were running personal networking equipment they could easily upgrade, I'm running a Cisco 881 with what should be virtually limitless configuration options and I have no desire to replace it.  I have to assume the issue is somehow related to the firewall configuration, which I could fix easily, but I don't know what to change.  If anyone knows what changed in 2012 and why I would be able to browse to Bing and other MS sites but nowhere else, please pass them along.  Thanks.

    This is the IP Config for the 2012 DC:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : COMPANYDC02
       Primary Dns Suffix  . . . . . . . : company.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-25-90-DC-EF-D5
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::81d5:53cf:bd07:14ed%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCPv6 IAID . . . . . . . . . . . : 301999504
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-96-D5-C3-00-25-90-DC-EF-D5
       DNS Servers . . . . . . . . . . . : 10.10.10.202
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{9929D989-8E88-4096-A1CB-61F1DB173FA3}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    This is the IP Config for the fresh install 2012 VM:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN-800299O7ES6
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-0A-5C-02
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.10.10.49(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 10:23:01 PM
       Lease Expires . . . . . . . . . . : Wednesday, August 27, 2014 10:23:01 PM
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCP Server . . . . . . . . . . . : 10.10.10.1
       DNS Servers . . . . . . . . . . . : 10.10.10.220
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.company.local:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    NOTE: 10.10.10.220 and 10.10.10.221 are the other domain controllers on my network.  One of them is 2012 and one of them is 2008.  They are both functioning correctly for providing DNS services.  The 2012 Virtual DC, however, still has the internet connectivity issue that this whole post was about in the first place.
    NOTE2: When I logged on to COMPANYDC02 this morning, it told me that I had new Windows Updates that needed to be downloaded.   Confused, I checked the most recent time WU had checked for updates, and it had successfully checked for updates last night at 10pm.  Of course, it failed when trying to download them, but it appears that once in a while, a connection gets through successfully...

  • LAN side firewall settings for Direct Access (Windows Server 2012 R2) in DMZ?

    I am currently planning to set up our first Direct Access server (Windows Server 2012 R2). It will be in our firewall DMZ and we will be using the IP-HTTPS listener.
    For the Internet-facing rule, only TCP 443 inbound/outbound is sufficient, but for the LAN-facing rules (not talking about the Windows server firewall), what would be the recommended firewall rules for a Direct Access server? Is there a best practice guideline to follow for this? Appreciate any advice or comments. Thank you.

    Hi Barkley
    Please see this Technet Link which will backup your requirements - https://technet.microsoft.com/en-gb/library/jj574101.aspx
    Section Reads - 
    When using additional firewalls, apply the following internal network firewall exceptions for Remote Access traffic:
    ISATAP—Protocol 41 inbound and outbound
    TCP/UDP for all IPv4/IPv6 traffic
    Also another link from http://www.ironnetworks.com/blog/directaccess-network-deployment-scenarios#.VO3tfvmsVrU
    "I have had a number of conversations with security administrators and network architects who have expressed a desire to place the DirectAccess server between two firewalls (firewall sandwich) in order to explicitly control access from the DirectAccess server to the internal corporate network. While at first this may sound like a sensible solution, it is often quite problematic and, in my opinion, does little to improve the overall security of the solution. Restricting network access from the DirectAccess server to the internal LAN requires so many ports to be opened on the inside firewall that the benefit of having the firewall is greatly diminished. Placing the DirectAccess server’s internal network interface on the LAN unrestricted is the best configuration in terms of supportability and provides the best user experience."
    Kindest Regards
    John Davies
    Thanks for your reply and information, John. I find it somewhat disappointing that Microsoft does not provide much more in the way of documentation and information regarding this topic. I required more information to show to our security team so they will allow us to have the internal-facing NIC not have more restrictive rules in place, as it is a security concern.

  • TNS Listener Poison attack : Oracle Security Alert for CVE-2012-1675

    Hi,
    I'm looking to implement the following oracle document about COST but not sure what we need to do for Standby Environment ,
    Can you guys please advise.
    Oracle Using Class of Secure Transport (COST) to Restrict Instance Registration [ID 1453883.1]
    Oracle Security Alert for CVE-2012-1675
    Thanks

    user097815 wrote:
    with regards to the below thread which mostly talks about Oracle Security Alert for CVE-2012-1675 "TNS Listener Poison Attack"....i just wanted to find out if this affects DBs that are external or internal....meaning 95% of our DBs are in network (internally) behind our firewall....and the rest, 5%, are outside our firewall facing the world wide web....so does this apply to both or just one?
    The attack is on the Listener itself - so if you want to prevent this attack, you need to secure that Listener, irrespective of its location.
    IMO, mandatory if you expose your Listener to an unsecured or public network (e.g. internet).
    As for Listeners running on your internal network - if this attack is used, securing your Listeners means very little IMO. Because your internal network already needs to be compromised in order for the attack to occur. Which means you have far more serious problems than someone attacking your Listeners.

  • I just purchased MBP and it is my first Apple computer. How concerned should I be about virus software and what do you recommend for security software?

    I just purchased MBP and it is my first Apple computer. How concerned should I be about virus software and what do you recommend for security software?

    1. This comment applies to malicious software ("malware") that's installed unwittingly by the victim of a network attack. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the victim's computer. That threat is in a different category, and there's no easy way to defend against it. If you have reason to suspect that you're the target of such an attack, you need expert help.
    2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user, but internally Apple calls it "XProtect." The malware recognition database is automatically checked for updates once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
    The following caveats apply to XProtect:
    It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets (see below.)
    It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
    3. Starting with OS X 10.7.5, there has been another layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't actually been tested by Apple (unless it comes from the Mac App Store), but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. For most practical purposes, applications recognized by Gatekeeper as signed can be considered safe.
    Gatekeeper has, however, the same limitations as XProtect, and in addition the following:
    It can easily be disabled or overridden by the user.
    A malware attacker could get control of a code-signing certificate under false pretenses, or could find some other way to evade Apple's controls.
    For more information about Gatekeeper, see this Apple Support article.
    4. Beyond XProtect and Gatekeeper, there’s no benefit, in most cases, from any other automated protection against malware. The first and best line of defense is always your own intelligence. All known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and the malware attacker. If you're smarter than he thinks you are, you'll win.
    That means, in practice, that you never use software that comes from an untrustworthy source. How do you know whether a source is trustworthy?
    Any website that prompts you to install a “codec,” “plug-in,” "player," "extractor," or “certificate” that comes from that same site, or an unknown one, is untrustworthy.
    A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
    Pirated copies or "cracks" of commercial software, no matter where they come from, are unsafe.
    Software of any kind downloaded from a BitTorrent or from a Usenet binary newsgroup is unsafe.
    Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. If it comes from any other source, it's unsafe.
    5. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page, on the client. That was never a good idea, and Java's developers have had a lot of trouble implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style "virus" affecting OS X. Merely loading a page with malicious Java content could be harmful. Fortunately, Java on the Web is mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice.
    Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java.) Don't use either one unless you need it. Most people don't. If Java is installed, disable it — not JavaScript — in your browsers. In Safari, this is done by unchecking the box marked Enable Java in the Security tab of the preferences dialog.
    Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a specific task, enable Java only when needed for the task and disable it immediately when done. Close all other browser windows and tabs, and don't visit any other sites while Java is active. Never enable Java on a public web page that carries third-party advertising. Use it only on well-known, password-protected, secure websites without ads. In Safari 6 or later, you'll see a lock icon in the address bar with the abbreviation "https" when visiting a secure site.
    Follow these guidelines, and you’ll be practically as safe from malware as you can be.
    6. Never install any commercial "anti-virus" or "Internet security" products for the Mac, as they all do more harm than good, if they do any good at all. If you need to be able to detect Windows malware in your files, use the free software ClamXav — nothing else.
    Why shouldn't you use commercial "anti-virus" products?
    Their design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere.
    In order to meet that nonexistent threat, the software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
    By modifying the operating system, the software itself may create weaknesses that could be exploited by malware attackers.
    7. ClamXav doesn't have these drawbacks. That doesn't mean it's entirely safe. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so will corrupt the Mail database. The messages should be deleted from within the Mail application.
    ClamXav is not needed, and should not be relied upon, for protection against OS X malware. It's useful only for detecting Windows malware. Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else.
    A Windows malware attachment in email is usually easy to recognize. The file name will often be targeted at people who aren't very bright; for example:
    ♥♥♥♥♥♥♥♥♥♥♥♥♥♥!!!!!!!H0TBABEZ4U!!!!!!!.AVI♥♥♥♥♥♥♥♥♥♥♥♥♥♥.exe
    ClamXav may be able to tell you which particular virus or trojan it is, but do you care? In practice, there's seldom a reason to use ClamXav unless a network administrator requires you to run an anti-virus application.
    8. The greatest harm done by anti-virus software, in my opinion, is in its effect on human behavior. It does little or nothing to protect people from emerging threats, but they get a false sense of security from it, and then they may behave in ways that expose them to higher risk. Nothing can lessen the need for safe computing practices.
    9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.

  • US Social Security withholding rate for 2012

    Hi Guys,
    The US Social Security withholding rate for 2012 will change to 6.2% (from 4.2%) for the employee withholding.  Our Business would be running the first payroll for 2012 on 12/22/11.  The social security withholding change needs to be in the system for this payroll run.  Do you know if this change is delivered via a TUB or HRSP and where exactly it has been made available? 
    Thank you,
    Subbaiah

    Hi,
    The changes have already been released; they are within TUB 45 in BSI.
    Federal change:
    Increases the maximum wage base FROM $106,800 TO $110,100.
    Increases the tax rate FROM 4.2% TO 6.2%.
    We have already applied and tested it. You should have them applied before the first payroll of 2012.
    Hope that helps,

  • Security Router: Best and cheap recommendation for a home router (security bundled)

    Security Router: Best and cheap recommendation for a home router (security bundled), to practice commands and all CCSP configurations.
    Wireless needed, 802.11N preferred
    Looking for the all in an appliance solution, and maybe compatible with future Unified Communications acquisition like a UC500 maybe...
    Please, please, please...

    At the moment checking these two options:
    SR520W-FE-K9
    CISCO881W-GN-A-K9
    Fast Ethernet

  • MS Security Essentials for Server 2012 R2

    I've had MS Security Essentials installed on my Server 2008 R2 Foundation, but now that I've upgraded to 2012 R2 Foundation, MS Security Essentials won't install. It gives an error message saying that it won't run on this computer.
    I've searched for a replacement, but my searches yield ONLY results for Server 2012 R2 Essentials, and NOT Security Essentials.  Is there a replacement for MS Security Essentials, and if so, how/where can I find it???
    Capt. Dinosaur

    Hi,
    I agree with Ed that Microsoft Security Essentials is designed for client machines.
    I have seen forum threads indicating that it runs well on Windows 2008 machines; still, it is not supported.
    Here are some references below for you:
    Microsoft Security Essentials, but for Windows Server 2008?
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/13a80a5d-825d-48b3-9aa8-8a03ae6de249/microsoft-security-essentials-but-for-windows-server-2008
    Windows Security Essentials on Windows 2008 R2
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/c9290ed2-0423-4822-9db9-490c18c3178e/windows-security-essentials-on-windows-2008-r2?forum=winserversecurity
    Best Regards,
    Amy

  • What Internet security do you recommend for Apple products

    What Internet security do you recommend for Apple products?

    None. The best security is to back up your data frequently and to use WPA2 encryption on wireless routers. Otherwise, basic good practices include:
    1. Do not download sites that suggest installing cleanup software.
    2. Do not do things that might slow your Mac down:
    https://discussions.apple.com/docs/DOC-6921
    3. Do not install updates except directly from reputable vendors' websites, and the Apple Mac Store.
    4. Do not follow instructions of popup windows or banner ads.
    5. Do not use peer2peer or torrent software.
    6. Do not open .scpt, .sct, .app attachments.
    7. If you use Windows on your Mac, the same security rules apply as for Windows on a non-Apple machine.
