On the rack

Running a rack-mount server is definitely the best way to go, especially compared with trying to use a desktop box as a substitute. Anyone with a decent number of servers to look after will have grasped this fact already and spent the money on a small rack that can sit in a suitably cool corner of the office. I’d have used the term “invest in” rather than “spent” just there, but these things seem to be so rapaciously priced and suffer such horrendously fast depreciation that it would be foolish to regard them as any sort of asset beyond their immediate use – second-hand is always a good way to consider buying them.


Even the smallest of organisations usually manages to pick up a few servers in the course of business – primary servers tend to get moved into a secondary role, and from thence to a tertiary one. Nowadays, many companies are putting servers into managed rack space in large datacentres. The cost isn’t high: I pay about £100 per month for 1U of rack space at RedBus in London via my ISP Merula.net, which covers effectively unlimited data transfer per month and all the power and cooling it needs. This hasn’t completely replaced the need to run local servers, of course, but it does allow me to have a remote outpost that’s out in the internet space connected by very fast interconnects. For example, I can download an OS build in a matter of minutes to my staging server in London, then bring the file down to my local network over a period of many hours. My primary mail server is kept there, too, so my access to email isn’t compromised by the vagaries of ADSL uptime on the local lines.

But the move to rack-mounted servers has always had one big worry associated with it. What do you do if a server locks up, or its OS installation is corrupted and the machine won’t boot? If the server is in the corner of your own office, you can stroll across and kick it a couple of times, and even if your offices are spread around a whole town centre it’s still only a few minutes’ walk to the other office to administer the kicking, er, I mean to gain physical access to the server (a good opportunity to take in some fresh air and a coffee en route, of course). Things are very different, though, when your server is located several hundred miles away, or when you’re on holiday in San Francisco. Then, quite apart from the travelling, you need to have the right access permissions to the building. That will often mean arranging for a flesh-and-blood person from your ISP to meet you at the site, because they have the keys and appropriate security tags to get into the building and then into their own area of managed rack space.

Until now, this has been an area I haven’t worried much about. Or, I’ve worried about it a lot, but without any realistic way to solve the problem. If you’re running a large corporate datacentre, there’s a range of out-of-band remote management technologies available to you, each with its own bracingly high price tag, but that’s always been regarded as both affordable and necessary – a small price to pay in a big network environment.

But how does a smaller user manage a flaky server remotely without bankrupting themselves? Terminal Services is no good because you need to get into the BIOS or reconfigure the drive array, or tell it to boot from a DVD. Getting to see the POST (power-on self test) would be useful, too, and Terminal Services can’t show you that because it isn’t even running yet. This is a whole different world of pain.

My new HP server has a facility called iLO2 built in, a term that stands for Integrated Lights Out. Basically, there’s a small area on the motherboard that’s purely dedicated to hardware management: it has its own Ethernet port and draws power from a line connected before the main power switch of the computer, so it stays alive for as long as the mains supply does. Its web server (and there are other protocol interfaces) lets you see straight into the computer, even to view the POST boot screen. Want to flash the BIOS on the server? No problem, it can even manage this. All of this is delivered via a web-based interface, which is simplicity itself to use. Power down the server? No problem. Reconfigure the RAID array during the POST setup? Also no problem. Install an OS from scratch? That’s a piece of cake, too. All I need to know is the IP address of the iLO2 port, and I’m home and dry.
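The “other protocol interfaces” mentioned above include iLO’s XML scripting language, RIBCL, which is what the scripted virtual media and power features drive. The following is an added example, not HP’s code and not from this column: it builds the RIBCL envelope that asks an iLO2 for the host’s power state and parses the reply. It assumes the LOGIN/SERVER_INFO/GET_HOST_POWER_STATUS element names and the STATUS/MESSAGE response attributes of the RIBCL interface; the two replies embedded in it are constructed for the example rather than captured from a real server.

```python
"""Build an iLO2 RIBCL power-status query and parse the reply.

Added example, not HP's code and not from the column. Assumes the iLO2
XML scripting interface (RIBCL) accepts the LOGIN / SERVER_INFO /
GET_HOST_POWER_STATUS envelope built below and answers with one or more
<RIBCL> documents, each carrying a <RESPONSE STATUS=... MESSAGE=...>
element. The replies used here are constructed, not captured.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr


def build_power_status_request(user: str, password: str) -> str:
    """Return the RIBCL envelope that asks iLO2 for the host power state.

    Credentials are attribute-escaped, so a password containing quotes or
    angle brackets cannot break out of the LOGIN element.
    """
    return (
        '<?xml version="1.0"?>\r\n'
        '<RIBCL VERSION="2.0">\r\n'
        f'<LOGIN USER_LOGIN={quoteattr(user)} PASSWORD={quoteattr(password)}>\r\n'
        '<SERVER_INFO MODE="read">\r\n'
        '<GET_HOST_POWER_STATUS/>\r\n'
        '</SERVER_INFO>\r\n'
        '</LOGIN>\r\n'
        '</RIBCL>\r\n'
    )


def parse_power_status(reply: str) -> str:
    """Extract HOST_POWER ("ON" or "OFF") from a RIBCL reply.

    iLO2 answers a script with several concatenated XML documents (one per
    command stage), so the reply is split on the XML declaration and each
    piece is parsed on its own. A non-zero STATUS on any stage aborts with
    the iLO's own error message instead of returning a half-read result.
    """
    docs = [d for d in re.split(r"<\?xml[^>]*\?>", reply) if d.strip()]
    power = None
    for doc in docs:
        root = ET.fromstring(doc.strip())
        for resp in root.iter("RESPONSE"):
            status = int(resp.get("STATUS", "0x0000"), 16)
            if status != 0:
                raise RuntimeError(
                    f"iLO error {status:#06x}: {resp.get('MESSAGE')}"
                )
        node = root.find("GET_HOST_POWER")
        if node is not None:
            power = node.get("HOST_POWER")
    if power is None:
        raise ValueError("reply carried no GET_HOST_POWER element")
    return power


# Constructed sample replies (not captured from a real iLO2).
SAMPLE_REPLY = (
    '<?xml version="1.0"?>\r\n'
    '<RIBCL VERSION="2.22">\r\n'
    "<RESPONSE STATUS=\"0x0000\" MESSAGE='No error'/>\r\n"
    "</RIBCL>\r\n"
    '<?xml version="1.0"?>\r\n'
    '<RIBCL VERSION="2.22">\r\n'
    "<RESPONSE STATUS=\"0x0000\" MESSAGE='No error'/>\r\n"
    '<GET_HOST_POWER HOST_POWER="ON"/>\r\n'
    "</RIBCL>\r\n"
)

# Constructed failure case: the status code is a placeholder for whatever
# the firmware reports when the LOGIN stage is rejected.
ERROR_REPLY = (
    '<?xml version="1.0"?>\r\n'
    '<RIBCL VERSION="2.22">\r\n'
    "<RESPONSE STATUS=\"0x005F\" MESSAGE='Login failed.'/>\r\n"
    "</RIBCL>\r\n"
)

if __name__ == "__main__":
    print(build_power_status_request("admin", "p<w"))
    print("host power:", parse_power_status(SAMPLE_REPLY))
```

The request goes to the iLO port itself, which is exactly why that port deserves more care than the server’s ordinary NIC: it is powered whenever the mains are, it sits below the operating system, and it accepts commands that reboot the box or swap its boot media. Keeping it on a dedicated management VLAN that is reached only over a VPN, rather than on the same address space as the production interface, is the usual way to square that with the convenience the column describes.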

Naturally, this doesn’t all come for free, although viewing the basic status of the system is free via the web interface. There are two levels of management-software upgrade you can purchase, depending on the features you need. Basic stuff, such as power management, power on/off and status, is all performed via the free interface. An iLO2 Select licence gives you directory integration, power reporting, scripted virtual media, applet-based virtual media and two-factor authentication. The full iLO2 Advanced licence adds remote control and integrated remote console, as well as Microsoft Terminal Services integration. The full licence upgrade costs only a few hundred quid on top of the 24/7 server licence, which is going to have a useful life of at least three years and costs over £3,000. And there’s a free trial-ware licence key, too.

So what do I get? Well, the web interface is split into System Status, Remote Console, Virtual Media, Power Management and Administration tabs, and each of these topics is split into its own set of subsections, so System Health has tabs for Summary, Fans, Temperatures, Power, Processors, Memory and NIC. The Remote Console fires up a Java-based remote screen that lets you watch the entire boot sequence, get into the BIOS and so forth. To be honest, I now find it neater than using a clunky old KVM switch, even for boxes that are sitting only a few feet away.

My current server down in London is a two-year-old Dell with nothing like this level of fancy control and, having used the new HP locally in my lab rack for a while, I’m now tempted to buy another and send it down to replace the Dell. It certainly would bring me some peace of mind compared with what I currently have.

Jon Honeyball

The Visio thing

I’ve always liked Microsoft’s Visio – I love fiddling around with the shapes, but there’s also something very satisfying about creating network diagrams stuffed to the gills with all the relevant data for each item in the network. It makes it easy to create wonderful reference materials. (It’s also fun, occasionally, to create totally outlandish and impenetrable electrical diagrams that you can then leave lying around and later watch your mystified colleagues trying to work out what your latest scheme is all about.) I can still remember arriving in the US for the first time on my way to the Microsoft Developers Conference in Anaheim, California – the one where Windows 95 was introduced to the world – and a certain Steve Ballmer leaping onto the stage and telling us he was the “only marketing slime” we were going to see all week. Anyway, we arrived at Los Angeles International Airport and were bundled onto a coach and whisked away to Anaheim. As we turned onto the freeway for the first time, I turned to Jon (Honeyball) and, being somewhat jet-lagged and thus not fully awake, in a loud voice unthinkingly uttered the immortal words “Gosh, look at the road signs. They look just the same as the ones in Visio!” Most of the coach party threw things at me at that point – bunch of unfeeling Philistines that they were – but I suppose in a way I was saying that Visio’s shapes are very realistic and accurate, at least as far as the road signs were concerned.

I was, therefore, more than interested when I received a Microsoft notification that a Visio 2007 Connector for Microsoft Baseline Security Analyzer (MBSA) 2.1 was now available, and I immediately headed off to check it out. I wanted to download it, but I only had MBSA version 2 installed, so an upgrade was clearly needed. I then saw that MBSA 2.1 was aimed at Microsoft Vista and was in beta, so I went for a slightly different strategy than the one I had in mind, and set about downloading MBSA 2.1 onto a Vista box that wouldn’t be too badly affected were something to go wrong, since I wanted to test the setup before deploying it on a live network. With MBSA 2.1 installed, I checked the remaining system requirements, which were the Microsoft .NET Framework 2, Microsoft Internet Explorer 5.5 or later and, of course, Microsoft Office Visio 2007 Professional. Since those elements were already in place, I now downloaded and installed the Visio 2007 Connector, which, not surprisingly, turned out to consist of a COM add-in.

With the component installed, I then fired up Microsoft Visio 2007 Professional, selected Network from the Template Categories list, and then the Basic Network Diagram, so I could get some shapes to work with. I then dragged the Server shape from the Network and Peripherals stencil onto a blank Visio workspace and right-clicked on the shape, selected Properties and entered “Localhost” into the Network Name edit box. All I had to do then was to move my mouse pointer over the shape and click on the smart tag that appeared, which popped up a menu with one item, that being an offer to “Perform Baseline Security Scan”. I duly clicked on the menu item and then sat back and waited for the scan to complete. Had I wanted to I could have used the new MBSA menu that appeared with the others at the top of the Visio 2007 window, which offered the options to perform a scan, import earlier scan reports (very useful) and open the MBSA Status and Report windows.

The scan raced away and, after some five minutes or so, I was looking at a report on the local system. For those unfamiliar with the Microsoft Baseline Security Analyzer, it scans systems and then reports its findings in a wide variety of areas. These include whether any security updates for Windows, SQL Server and/or Office are missing, if there are any admin issues such as badly configured passwords, how updates are set up, the state of various accounts, how many accounts have admin status, firewall settings and more.

If Microsoft Internet Information Services (IIS) or SQL Server are installed, checks are run on them, too. The scan also checks some desktop applications such as Microsoft Office and Internet Explorer and warns you of security vulnerabilities. In this instance, however, the beta nature of MBSA 2.1 seemed to have reared its head, as it calmly informed me that no Microsoft Office products were installed. For some reason, despite the fact it had been launched from within Microsoft Office Visio 2007 Professional on the local machine, and the scan was just for the local machine, it clearly couldn’t see the local installation.

I also noted that when I shut down Visio, instead of a smooth close-down, I was rewarded with an error message about Visio being unable to close down properly. Following the link offered by the warning message dialog led me to a web page that talked about issues with a COM add-in within Visio, which I presumed had to be the newly installed Visio-to-MBSA connector, although I can’t be sure as the web page stated that it was unable to identify the miscreant.

Undaunted, however, I decided that it could do no real harm to run this on one of my active servers, although I did restrict it to my own personal network and didn’t let it loose on the school’s domain controllers yet – the results were so good, though, that I think this is something I shall do in the near future. Certainly, the scan ran perfectly well and completed in much the same time as it had on the local system.

I was now running the scan from a Vista workstation talking to a Windows 2000 Domain Controller. That’s fine unless you specifically need firewall data, at which point you’re going to have to run MBSA on the server and import the resulting scan into Visio later on, as the firewall settings can’t be checked remotely. To scan more than one system at a time, I simply dragged a network connector from the stencil onto the Visio page, added systems and then asked Visio to use the add-in to perform a baseline scan. The properties dialog then springs up, showing you which systems are to be scanned and the available options. You can choose to scan for Windows vulnerabilities, weak passwords, IIS, SQL, security updates and so on. Once you’ve made your choice, simply hit OK and let the MBSA add-in take the strain. Once a system has been scanned, it changes colour to let you know if there are any pressing problems. If you’re seeing red, severe risks have been identified and you’ll want to peruse the reports to see where they lie. Once the scans are complete, simply click on a particular system to review its report. You’ll also notice that some extra data has appeared next to each system shape, which includes the name of the system, its IP address, the date the scan took place, and how many severe risks and missing updates there are.

I have to say that I like the add-in, and I’m very happy that it’s been updated for use with Windows Vista. It’s still in beta, but, aside from it not being able to see my Microsoft Office installation and that close-down error, it seemed to be working just fine. Hopefully, those two bugs I found will have been fixed by the time you read this and you’ll be able to get MBSA reporting into Visio 2007 Professional under Windows Vista.

To find out more about the Microsoft Office Visio 2007 Connector for the Microsoft Baseline Security Analyzer (MBSA) 2.1, go to www.microsoft.com/technet/security/tools/mbsavisio.mspx. To get the Microsoft Baseline Security Analyzer (MBSA) 2.1 Beta 2, go to www.microsoft.com/technet/security/tools/mbsa2_1/default.mspx. To find out more about the Microsoft Baseline Security Analyzer (MBSA) and the different versions that are available, go to www.microsoft.com/technet/Security/tools/mbsahome.mspx.

David Moss
