Citrix XenDesktop 3.0 Design And Best Practices

Below are some best-practice guidelines for installing and configuring Citrix XenDesktop 3.0 in a new environment. Some of the information is miscellaneous, but I hope these notes help someone.

  • Uninstall Web Interface and IIS from Desktop Delivery Controller
    • Less overhead on these systems
    • Must use an existing web server infrastructure
    • SETUP.EXE -nosites
    • Suggested to uninstall if already installed
  • Separate Farm Master and Desktop Delivery Controller
    • When there are multiple servers, separate these roles.
    • The farm master should handle only its own role and not also act as a Desktop Delivery Controller
    • Choose a particular server to be the Farm Master
    • Ensure that server is not given unnecessary duties
  • Server Preference Settings
    • Master: servers with this preference are chosen first as Farm Master
    • Backup: Chosen when Master is unavailable
    • Member: When all else fails, this can become the Farm Master
  • Farm Master Selection
    • Farm masters have the logic for launching sessions
    • It's recommended to have the Master on its own server; everything else should be Member servers
    • Web interface servers should point to Member servers
  • Configure Delivery Controller Selection
    • This is configured in the registry rather than in the console:
    • HKLM\Software\Citrix\IMA\RUNTIME\UseRegistrySetting, DWORD set to 1
    • HKLM\Software\Citrix\IMA\RUNTIME\MasterRanking
    • DWORD value: 1 for Master, 2 for Backup, 3 for Member
  • Throttling Commands to the Hosting Infrastructure
    • It is suggested that pool management traffic between the Desktop Delivery Controller and the hosting infrastructure is throttled to 10% of the total pool
    • This keeps power-cycling commands to a minimum; left unthrottled they can overload the infrastructure
    • To configure, edit C:\Program Files\Citrix\VmManagement\CdsPoolMgr.exe.config
    • Add the following under <appSettings>:
    • <add key="MaximumTransitionRate" value="10" />
    • The value of 10 is arbitrary and should be tuned for the environment
    • Save the file and restart the Desktop Delivery Controller
  • Scaling the Desktop Delivery Controller
    • The Desktop Delivery Zone Master is a single bottleneck and cannot be scaled out for a desktop group
    • Citrix says 3000 desktops per group is a good limit
    • Upgrading to a more powerful machine is the plan if you have larger requirements
  • Scaling the Provisioning Server
    • Scaling is disk-bound
    • Put write cache files on separate LUNs from the vDisk
    • Use a high-performance storage system; the storage needs to be fast
  • Scalability by component
    • Desktops per XenDesktop Group: 3000
    • Tested Logon Rate: 1500 over 5 min
    • vDisk per XenServer: up to 28
    • Provisioning Server for Desktops: 500 VMs per machine when using local cache files
  • Planning Security Considerations
    • Install anti-virus, use firewalls, secure the network, lock down user privileges, etc.
    • Users who are Administrators on a virtual desktop can:
      • Take full control of that desktop
      • Potentially view other users' information on that desktop if it is pooled rather than assigned
      • Control and monitor network traffic
      • Install malicious software
  • Desktop Delivery Controller Requirements
    • Windows Server 2003 SP2
    • Windows Server 2003 R2
    • Terminal Services in application mode; no CALs needed
    • IIS version 6.0 (For Web Interface Only)
    • .NET Framework 3.5
    • JRE 1.5.0_15
    • MS J#  2.0 Redistributable Package Second Edition
    • IE 5.0 or later
    • 400MB for DDC Software
  • Data Store Database Requirements
    • Microsoft Access (basically unusable except in tiny installations)
    • Microsoft SQL Server 2000 SP4 and above
    • Oracle Enterprise 10.2.0.1.0
  • License Server Requirements
    • Windows 2000, 2003, 2008
    • 30 MB disk
  • License Management Console
    • IE 5.0 or greater
    • IIS 5.0, 6.0, 7.0
    • Server 2008 needs ASP.NET, Windows Authentication security role, IIS 6 Management Compatibility role
    • Tomcat 4.1.24
    • Apache HTTP Server 2.0.49
  • Active Directory
    • No schema changes are needed
    • Each farm needs its own OU
    • Controllers security group
      • The computer account of every controller must be a member of this group; the installer does this by default
    • Service Connection Point (SCP)
      • Holds the farm metadata
    • Registration Services container
      • One SCP object for each controller in the farm, updated on each startup
      • Check the permissions on these objects: installation adds security groups automatically, and the ACL should end up containing only the computer accounts of the delivery controllers in the farm
      • By default the installer gives each controller write access to its own SCP; make sure the permissions allow only trusted administrators to change SCP information
      • Replication of new information can take some time
    • Valid and up-to-date forward and reverse DNS is required
  • User Types
    • Task Workers
      • Data entry and other standard tasks that do not require a personalised desktop
      • Call center staff
    • Knowledge Workers
      • Personalised desktop and software
      • Experience close to a personal desktop
  • Access Modes
    • Full-Screen-Only
      • Focused on the virtual desktop; it fills the full screen and cannot interact with the local desktop
    • Window View
      • Good for multiple virtual desktops
      • Can interact with both remote and local desktops
    • Flexible viewing
      • Multiple monitor support, 8 monitors in total
      • Identical screen resolutions required
      • 1024×768 x 8 monitors (24bpp)
      • No configuration required, except to physically arrange the monitors in a rectangle
  • Web Connectivity

Citrix
Tips and Tricks


Wireless DoS Attacks Presentation

Attached is a presentation that gives a broad overview of various 802.11 DoS attack conditions. It is not a step-by-step guide and is meant only to prompt discussion of the attack vectors. Please refer to the original sources cited in the presentation, which give very detailed information about the attacks. This is especially true for the RTS/CTS attacks; for an excellent step-by-step guide, this book is definitely worth it: Wireless Hacking Exposed

802.11 DoS Attacks Presentation

Network Penetration


Free Ringtones on Droid (Android 2.0)

There are many applications to help you create the perfect ringtone from MP3s already on your phone, but that takes a little too much effort. You can also use free tools to clip your sounds and simply copy them to your Android phone over a USB cable. These alternatives are easy but can take too much time.

Mabilo Ringtone is a free application on the Market that is very quick to download. You can download all the ringtones you want, and the files in the application are updated daily by a user base of over 30,000 users. You can download the tones and assign them to specific callers. However, if your phone crashes for some reason or you need to uninstall the application, all the ringtones go with it.

Follow these easy steps to take those downloaded ringtones and place them in a more secure location.

  1. Plug in your usb cable to the phone and computer.
  2. On your phone, initiate the USB connection
  3. On the computer, navigate to your phone's SD card drive and find the folder "com -> mabilo"
  4. Copy the ringtones in that folder to the directory "media -> audio -> ringtones" (NOTE: be sure to leave the tmp_preview file in the mabilo directory)

That is it! Now you can stream and download new ringtones as they are released and back them up so you never lose them. You can also download a free file explorer utility and do all this from your phone, instead of hooking it up to the usb cable.

Android
HowTos


Restrict AD users from Certain Domain Machines in Server 2003

This guide is mainly helpful when you need to lock down a computer using GPOs and Active Directory. The situation here is a group of users who need to be locked down to the bare minimum of usability features. In addition, the computers these users sign on to are in highly sensitive areas, so only certain users may log in to them. For example: you have 10 computers in an area where you only want certain locked-down accounts to be able to log in. If an account with greater privileges (such as a more powerful user) is compromised, it will not be able to log in to the restricted machines.

  • Create an Organizational Unit which holds all of the machines that need to be restricted. Mine is named 'Lockdown Computers'
  • Create a GPO and link it to the 'Lockdown Computers' OU. This can be done by right-clicking the OU in Group Policy Management and selecting "Create and Link a GPO Here..."
  • Right-click the newly created GPO and select "Edit..."
  • Under Computer Configuration, navigate to Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
  • In the right pane, find the policies "Allow log on locally" and "Allow log on through Terminal Services"
  • In each policy, under the "Security Policy Setting" tab, click Add User or Group.
  • The easiest method is to create a group in Active Directory containing the users who should be able to log on to these machines. It is usually best to select only the accounts that will actually work on the computers, plus the limited user login. Defining either policy replaces the machine's default list of accounts holding that right, so for both policies the Administrators group must also be selected. Be careful which users you select; you do not want to lock yourself out of a machine completely.
  • Close the Group Policy Editor and navigate to the GPO which was just edited.
  • Right-click the GPO and make sure the link is enabled
  • Finally, open a command prompt and run "gpupdate /force" on the server and on the restricted machines (or wait for the next policy refresh) so the new user rights take effect

HowTos
Operating Systems
Windows


Windows 7 / Server 2008 R2 On Dell PowerEdge

I came across the issue of having to install Server 2008 R2 (the Windows 7 kernel, NOT Windows Server 2008 SP2) on a Dell PowerEdge 2950. Server 2008 R2 wouldn't proceed with the installation and kept asking for an unspecified driver. After a large amount of trial and error, I finally decided to upgrade the firmware of the Dell Remote Access Controller (DRAC) to the latest revision. This allowed the installation to continue without a problem, and all other drivers were found flawlessly.

So if you have a Dell PowerEdge 2950 with a DRAC 5 controller card, give this a try when installing Windows Server 2008 R2.

HowTos
Quick Fixes


Manual Backup Process for Zimbra ZCS Open Source


Manual Backup of Zimbra

1. Gain a root shell on the Zimbra box:

#su -
(enter the root password when prompted)

2. Stop the Zimbra services in order to take a cold backup. This keeps the database and the ZCS files consistent with each other. Depending on the size of your installation the server may be down for up to 10 minutes; for a decent-sized install of approximately 150 users it is usually only 4-6 minutes.

#sudo -u zimbra /opt/zimbra/bin/zmcontrol stop

3. Make a backup directory and sync the Zimbra directory into it:

#mkdir -p /backup/zimbra
#rsync -avHK /opt/zimbra/ /backup/zimbra

4. Restart the Zimbra services:

#sudo -u zimbra /opt/zimbra/bin/zmcontrol start

5. Create an archive of the backup for offsite transfer. The archive contains every mailbox and the LDAP data, so do not leave it readable by other users; /tmp is world-readable, so restrict the file's permissions at a minimum:

#tar -zcvf /tmp/mail.backup.gz -C /backup/zimbra .
#chmod 600 /tmp/mail.backup.gz

6. Finally, send the archive to the FTP backup server. Enter the username and password without any quotes, and replace IPADDRESS with the address of your FTP server:

#ncftpput -u username -p password IPADDRESS /mail /tmp/mail.backup.gz

Note that FTP sends both the credentials and the archive in cleartext, and a password passed on the command line is visible to every local user in the process list and stays in the shell history. ncftpput can read the host, user and password from a file given with -f instead, and an SSH-based transfer (scp, or rsync over ssh) avoids the cleartext channel altogether.
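The same cold-backup procedure as one script, added here as an example rather than the post's own commands. It assumes the default /opt/zimbra layout, staging and archive directories given by the variables at the top, and an offsite host reachable over ssh with key-based authentication named by the hypothetical BACKUP_HOST and BACKUP_PATH variables; the FTP step is replaced with rsync over ssh so no password appears on the command line or on the wire. The archive helpers work on any directory, which is how they can be tried out without a Zimbra install.

```shell
#!/bin/sh
# Cold backup of a Zimbra ZCS installation following the steps above.
# Added example, not the original post's script. Assumptions: default
# Zimbra paths; an offsite host reachable over ssh with key-based auth,
# named by BACKUP_HOST and BACKUP_PATH (both hypothetical variables).
set -eu

ZIMBRA_HOME=${ZIMBRA_HOME:-/opt/zimbra}
STAGE_DIR=${STAGE_DIR:-/backup/zimbra}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/backups/zimbra}   # not /tmp: world-readable
ZMCONTROL=${ZMCONTROL:-$ZIMBRA_HOME/bin/zmcontrol}

zm() { sudo -u zimbra "$ZMCONTROL" "$1"; }

# Digest helper: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi
}

# Step 3: sync the live tree into the staging directory. -a keeps ownership
# and permissions, -H hard links, -K symlinked directories; --delete drops
# files removed from the live tree since the previous run. The staging
# directory is closed to other users afterwards (rsync copies the source
# directory's own mode, so chmod has to come last).
snapshot_tree() {
  mkdir -p "$STAGE_DIR"
  rsync -aHK --delete "$ZIMBRA_HOME/" "$STAGE_DIR/"
  chmod 700 "$STAGE_DIR"
}

# Step 5: tar the staging directory into a root-only (0600) archive and
# record its SHA-256 beside it. Prints the archive path.
make_archive() {
  src=$1; outdir=$2
  archive="$outdir/mail.backup.$(date +%Y%m%d-%H%M%S).tar.gz"
  mkdir -p "$outdir"
  ( umask 077; tar -czf "$archive" -C "$src" . )
  ( cd "$outdir" && sha256_file "$(basename "$archive")" ) > "$archive.sha256"
  printf '%s\n' "$archive"
}

# Recompute the digest and compare with the recorded one; non-zero on mismatch.
verify_archive() {
  expected=$(cut -d' ' -f1 "$1.sha256")
  actual=$(sha256_file "$1" | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

# Step 6, over ssh instead of cleartext FTP: nothing sensitive goes on the
# command line and the archive is encrypted in transit.
ship_archive() {
  rsync -e ssh "$1" "$1.sha256" "${BACKUP_HOST:?}:${BACKUP_PATH:?}/"
}

backup_zimbra() {
  zm stop
  trap 'zm start' EXIT     # whatever fails below, bring the services back
  snapshot_tree
  zm start
  trap - EXIT
  archive=$(make_archive "$STAGE_DIR" "$ARCHIVE_DIR")
  verify_archive "$archive"
  ship_archive "$archive"
}

# Run the whole procedure only when invoked as: sh zimbra-backup.sh run
if [ "${1:-}" = "run" ]; then backup_zimbra; fi
```

Run it as root with `sh zimbra-backup.sh run`. The EXIT trap is worth copying even if you keep the rest of the manual procedure: if rsync fails halfway through, the services still come back up instead of staying down until someone notices, and the digest file lets the offsite side confirm the archive arrived intact with `sha256sum -c`.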

HowTos
Linux
Zimbra


FreeBSD process accounting


Purpose

To keep track of how often processes run and how much of the machine's resources they use, enabling process accounting is a simple solution. It is very effective and can tell you where the performance bottlenecks on your machine are. It also leaves a per-user record of every command executed, which is useful when investigating an incident, so the accounting file should not be readable by ordinary users.

Procedures

#touch /var/account/acct
#chmod 600 /var/account/acct
#accton /var/account/acct
#echo 'accounting_enable="YES"' >> /etc/rc.conf
#lastcomm

The "lastcomm" command shows the accounting records. It accepts command names, user names and terminals as filters, so "lastcomm root" lists only the commands run by root. The chmod is there because a file created by touch under the default umask is world-readable.
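An idempotent version of the setup above, added as an example and not part of the original post. It assumes the default /var/account/acct location and /etc/rc.conf; both are overridable so the rc.conf and file-permission helpers can be exercised against scratch files on any system.

```shell
#!/bin/sh
# Enable FreeBSD process accounting as the post describes, but without
# appending a duplicate accounting_enable line on every run and with the
# accounting file unreadable by other users. Added example, not from the
# original post; RC_CONF and ACCT_FILE are assumed, overridable names.
set -eu

RC_CONF=${RC_CONF:-/etc/rc.conf}
ACCT_FILE=${ACCT_FILE:-/var/account/acct}

# Create the accounting file if missing and make it 0600: it records every
# command every user ran, which unprivileged users have no business reading.
prepare_acct_file() {
  f=$1
  mkdir -p "$(dirname "$f")"
  [ -e "$f" ] || ( umask 077; : > "$f" )
  chmod 600 "$f"
}

# Set var="val" in an rc.conf-style file exactly once: replace an existing
# assignment in place, otherwise append. A bare `echo ... >> /etc/rc.conf`
# adds another line each time it is run.
set_rc_var() {
  file=$1; var=$2; val=$3
  if grep -q "^${var}=" "$file" 2>/dev/null; then
    scratch=$(mktemp)
    sed "s|^${var}=.*|${var}=\"${val}\"|" "$file" > "$scratch"
    cat "$scratch" > "$file"   # keep the original inode and permissions
    rm -f "$scratch"
  else
    printf '%s="%s"\n' "$var" "$val" >> "$file"
  fi
}

# Current value of an rc.conf variable without surrounding quotes; the last
# assignment wins, as it does for rc(8).
get_rc_var() {
  sed -n "s|^${2}=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

enable_accounting() {
  prepare_acct_file "$ACCT_FILE"
  set_rc_var "$RC_CONF" accounting_enable YES
  accton "$ACCT_FILE"        # start logging now, without a reboot
}

# Usage (as root): sh enable-acct.sh run
if [ "${1:-}" = "run" ]; then enable_accounting; fi
```

On FreeBSD 9.2 and later, `sysrc accounting_enable=YES` followed by `service accounting start` does the rc.conf edit and starts accounting for you; the helpers here make the same point explicitly, and the file-mode step matters either way because a file created with touch under the default umask is world-readable.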

FreeBSD
HowTos
