devans's picture

Disabling USB Storage Devices

Controlling what information can be moved around via thumb drives, iPods, cameras and other forms of removable storage media has gained a lot of focus over the past 12 months. That is not to say the need hasn't been there for much longer, because it has; rather, media attention following the exposure and loss of personal information, for instance social security numbers, has resulted in auditor attention.

There are a number of third-party products that claim to control whether USB storage devices can be used at all and, where they can, whether access is read-only or read-write; however, in my experience the simplest approach is usually the only one that stands the test of time.

What I am referring to here specifically is control through local security settings and, in the case of Windows, also through Group Policy and Active Directory.

The NSA has produced a rather enlightening document that not only addresses the need as it relates to Microsoft Windows but also that of Linux and Solaris (both 9 and 10) as well as Mac OS X. For further reading you may find the document here on this site or directly from the NSA, here.

Unfortunately this document does not cover the currently available Windows 2003-based Domain and Active Directory.

Windows Vista has a number of additional Administrative Templates that provide better 'out of the box' control of such devices. (It is out of the scope of this post to validate whether exporting any of these templates and subsequently importing them into 2003 would provide this additional functionality, so I would love to hear from anyone who has pursued this direction, whether successfully or unsuccessfully.)

For now, we have another way. The Administrative Template attached to this post here and listed below may be imported into the Active Directory domain template in your domain and enabled to effectively provide read-only access to USB storage devices. This policy change will not disable the use of any USB-powered keyboards or mice.

As mentioned earlier in this post, there are a number of third-party products that purport to control access in a similar fashion, but most if not all of those that successfully achieve this are commercial products. Windows Group Policy is an integral, necessary component of any Windows-based Active Directory domain and can be enabled to offer a potentially similar, albeit basic, level of control at a price acceptable to all.

If you wish to take the level of control even further, you may use the information found here at the Microsoft web site to also disable other devices such as CD-ROM, floppy and LS-120 drives.
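As an added illustration (this is my own example script, not the Administrative Template attached to the post, whose contents are not reproduced here), the following PowerShell applies on a single machine the same effect a read-only USB policy provides: it sets the WriteProtect value under the StorageDevicePolicies key, which Windows XP SP2 and later honour for USB mass-storage volumes, and then re-reads the value to verify the change rather than trusting the write. The function names are my own. In a domain you would push the same registry value through Group Policy instead of running this per host; the script is useful for testing the setting on one machine before rolling a policy out, and for auditing that a host actually has it applied.

```powershell
# Added example: single-host equivalent of a read-only USB storage policy.
# Requires an elevated session. The registry key and value below are the
# real Windows policy location; the function names are my own.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
$ValueName = 'WriteProtect'

function Get-UsbStoragePolicy {
    # Returns 'ReadOnly', 'ReadWrite' or 'NotConfigured' by reading the
    # registry, so it doubles as an audit check on any host.
    if (-not (Test-Path $PolicyKey)) { return 'NotConfigured' }
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'ReadOnly' } else { return 'ReadWrite' }
}

function Set-UsbStoragePolicy {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('ReadOnly', 'ReadWrite')]
        [string]$Mode
    )
    # Create the key if no policy has ever been set on this host.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $value = if ($Mode -eq 'ReadOnly') { 1 } else { 0 }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $value -Type DWord

    # Verify by re-reading instead of assuming the write succeeded.
    $now = Get-UsbStoragePolicy
    if ($now -ne $Mode) {
        throw "Policy verification failed: expected $Mode, found $now"
    }
    Write-Host "USB storage policy is now: $now"
}

function Get-AttachedUsbDisks {
    # Lists currently attached USB disks so the operator can confirm the
    # policy against a test device. A volume mounted before the change may
    # need to be removed and reinserted before the new setting applies.
    Get-WmiObject -Class Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object Model, Size, Status
}

# Usage:
#   Get-UsbStoragePolicy                  # audit the current state
#   Set-UsbStoragePolicy -Mode ReadOnly   # apply read-only access
#   Get-AttachedUsbDisks                  # see which devices to test with
```

Note that this value controls write access only; it does not stop a device from being mounted and read, which is exactly the behaviour the post describes for its template. Keeping the audit function separate from the setter makes it easy to run the check alone from a logon script or inventory job to find hosts where the policy has not landed.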

If any errors or omissions in the methods described by the attached NSA document or by the Microsoft website have subsequently surfaced through user testing, please let us know so we can all learn from your experiences.

I hope you find this information useful.

Thanks.


Poscribes - Hardware Update

Over the past several weeks/months I have been collecting together the components necessary to update and enhance the hardware supporting this and several other websites that I maintain from my home.

The original configuration in a self-hosted model was that of a single PC. This was thankfully replaced a couple of years ago by better hardware that could best be described as powerful desktops or low-grade, non-redundant server equipment.

Well today I am pleased to announce that through a little begging, a little borrowing and a little scavenging I have established not only a redundant configuration in terms of multiple web servers but also a load-balanced and highly available configuration.

Here's a quick overview of the setup as it stands now.

Home Network Diagram
As you can see there are now two web servers and two database servers. A little overkill for the current setup maybe; but enough room to grow for the foreseeable future too. Like I said earlier this is not the only website that I am hosting on this system but it is the one that currently draws the most attention and the most traffic.

Here are a few pictures of the equipment in operation. Some of it is not the newest server technology, but the systems run strong, offer RAID capability and, in the case of the two newer servers, redundant power also.

The used rack is a little more aesthetically pleasing than the previous open wire rack.

Wiring mostly in place, just a little tidy up to do.

Intake fan at bottom aids cooling, as does spacing somewhat.

Separate switches for separate internet connections.

Extractor fan to remove excess heat. The first fan had a worn bearing, hence the clipped wires.

Foam aids sound suppression but also heat build-up.


My next step will be to establish some kind of round-robin DNS setup that permits failover, albeit slightly delayed, between the two types of internet connectivity that I have.

Over the next week or so I hope to provide examples of how I have established the load-balancing and replication using the Microsoft Windows Operating System.

Yes, that's right I am using Windoze!

Why not Linux, I hear you cry? It's the perfect LAMP configuration! This is true, but I wanted to try something a little, well, unconventional by today's standards.

That said, in all likelihood upgrades or additional equipment will involve Linux, although I'm hearing good things about Windows 2008, so I'm gonna have to try it somewhere, maybe here!


What's Your Poison?

Which Operating System is your favorite?
What applications do you use most?
What is the best freeware you have come across?
How do you protect your system/network?
