P
Pascal Bouchard
Can someone tell me the impacts on having the exact same image (including
same SID) on multiple targets on the same network ?
same SID) on multiple targets on the same network ?
S
Slobodan Brcin \(eMVP\)
P
Pascal Bouchard
I understand the security issue but what about the following topics (all
targets with same sid) :
* Domain Registration
Is it a good presumption to think that it will never work (cause same
sid and same hostname) ?
* Active Directory
Is it only based on domain participation (if so, it will never work) ?
(otherwise, will it work?)
* SMS
Is it based on active directory ?
* DUA ?
* Computer Browsing ?
* NetBios
Is all communication other than basic Tcp/IP (e.g. time synchro, domain
credentials, wins, etc ) based on this protocol ?
* Tcp/Ip
DHCP server will be used... i suppose it is not an issue ? isn't it ?
None of my targets need to communicate with each other BUT one or some
servers will.
targets with same sid) :
* Domain Registration
Is it a good presumption to think that it will never work (cause same
sid and same hostname) ?
* Active Directory
Is it only based on domain participation (if so, it will never work) ?
(otherwise, will it work?)
* SMS
Is it based on active directory ?
* DUA ?
* Computer Browsing ?
* NetBios
Is all communication other than basic Tcp/IP (e.g. time synchro, domain
credentials, wins, etc ) based on this protocol ?
* Tcp/Ip
DHCP server will be used... i suppose it is not an issue ? isn't it ?
None of my targets need to communicate with each other BUT one or some
servers will.
K
KM
Pascal,
You seem to have confused a few things together.
SID and hostname are different things and they may cause different issues if not unique per device on the same network.
Basically, in Domain environment it operated with so called Domain SDI which is not the local computer SID that would be cloned
without fbreseal or newsid.
The SID of a user or group from a domain is always based on the SID of the domain, and uniquely identifies the user or group. While
the OS derives local user accounts and group SIDs from the computer SID.
You will need to think more about unique SIDs if your devices work in workgroup or if you clone NTFS based volume with security
attributes set for some accounts.
You may want to read more here:
http://support.microsoft.com/kb/q162001/
http://www.winntmag.com/Windows/Articles/ArticleID/3469/pg/2/2.html
For another question it may take a while to answer as you asked for a whole bunch of different technologies. I'd recommend you to do
some goggling first or search MSDN.
You will find great info on any topic from your list there.
You you really need to know what the same computer name may cause, look at MSDN for WINS information.
Or read this page: http://www.petri.co.il/registration_of_netbios_names.htm. Please note the complete NetBIOS name list and Unique
flag (Type) for each item from the list.
You seem to have confused a few things together.
SID and hostname are different things and they may cause different issues if not unique per device on the same network.
Basically, in Domain environment it operated with so called Domain SDI which is not the local computer SID that would be cloned
without fbreseal or newsid.
The SID of a user or group from a domain is always based on the SID of the domain, and uniquely identifies the user or group. While
the OS derives local user accounts and group SIDs from the computer SID.
You will need to think more about unique SIDs if your devices work in workgroup or if you clone NTFS based volume with security
attributes set for some accounts.
You may want to read more here:
http://support.microsoft.com/kb/q162001/
http://www.winntmag.com/Windows/Articles/ArticleID/3469/pg/2/2.html
For another question it may take a while to answer as you asked for a whole bunch of different technologies. I'd recommend you to do
some goggling first or search MSDN.
You will find great info on any topic from your list there.
You you really need to know what the same computer name may cause, look at MSDN for WINS information.
Or read this page: http://www.petri.co.il/registration_of_netbios_names.htm. Please note the complete NetBIOS name list and Unique
flag (Type) for each item from the list.
P
Pascal Bouchard
Your last question is very relevant KM; let me explain what i'm trying to
validate :
We build a RPOS system; this system was using QNX (Real-time Operating
system based on POSIX); we decided to have a new technological direction and
use XP Embedded; the initial RPOS had a 10Mb footprint onto a M-System IDE
Disk-On-Chip; onto this disk were some partitions; the first active
partition was intended to compare (checksum based) our application with a
server image; if the image was different, it was getting downloaded and
deployed.
The question i'm trying to answer now is "Can i have the exact same OS image
on all my targets and then compare it with a server image?"; intending to
update it without being booted in windows.
Basically, the needs we have are :
* Being able to, remotely, without any manual intervention, update the os
image rapidly (within an acceptable timeframe on a 56K line - In case of
emergency - Sector by Sector if possible (fast))
* Being able to update the OS and Application remotely
* Being able to Remote Assist
* Being BLINDED against viruses and bad interventions (cause on-site
intervention on 10000 RPOS are unacceptable) (rollback probably).
If you had answers or advices for me, i'd be very pleased; EWF will probably
be part of your suggestion. (PXE is available to my RPOS); we'd like to use
a USB Mass Storage Key.
validate :
We build a RPOS system; this system was using QNX (Real-time Operating
system based on POSIX); we decided to have a new technological direction and
use XP Embedded; the initial RPOS had a 10Mb footprint onto a M-System IDE
Disk-On-Chip; onto this disk were some partitions; the first active
partition was intended to compare (checksum based) our application with a
server image; if the image was different, it was getting downloaded and
deployed.
The question i'm trying to answer now is "Can i have the exact same OS image
on all my targets and then compare it with a server image?"; intending to
update it without being booted in windows.
Basically, the needs we have are :
* Being able to, remotely, without any manual intervention, update the os
image rapidly (within an acceptable timeframe on a 56K line - In case of
emergency - Sector by Sector if possible (fast))
* Being able to update the OS and Application remotely
* Being able to Remote Assist
* Being BLINDED against viruses and bad interventions (cause on-site
intervention on 10000 RPOS are unacceptable) (rollback probably).
If you had answers or advices for me, i'd be very pleased; EWF will probably
be part of your suggestion. (PXE is available to my RPOS); we'd like to use
a USB Mass Storage Key.
S
Slobodan Brcin \(eMVP\)
Hi Pascal,
Emergency updates can be done trough some custom BIOS-es, there are third party companies that sell these solutions.
M-Systems has complete solution for booting XPe from USB uDOC disks.
http://www.m-systems.com/files/documentation/doc/uDiskOnChip_PB_0704.pdf
http://www.m-systems.com/content/Products/Product.asp?pid=29
They are very fast ~20 MB/sec and offer option to split them to two disks and put read only protection on first disk.
These things might interest you.
Regards,
Slobodan
Emergency updates can be done trough some custom BIOS-es, there are third party companies that sell these solutions.
M-Systems has complete solution for booting XPe from USB uDOC disks.
http://www.m-systems.com/files/documentation/doc/uDiskOnChip_PB_0704.pdf
http://www.m-systems.com/content/Products/Product.asp?pid=29
They are very fast ~20 MB/sec and offer option to split them to two disks and put read only protection on first disk.
These things might interest you.
Regards,
Slobodan
K
KM
Pascal,
You don't want to make client images different by having them, for instance, different SIDs, right?
I have very little experience with POS systems but I thought they are usually pretty big images. Although I completely understand it
would depends on the main POS application(s) used on the device and the application requirements/dependencies. There is observing
some growing popularly for the port of POS applications to .Net which makes most of the POS systems heaver than, say, regular
Minlogon image size.
Anyway, I think you have already evaluated XPe to meet your device specifications and requirements so I am not going to tell you
that your future XPe image will unlike be around 10MB
Btw, Remote Assistance will bring a bunch of components in your image.
Regarding your device requirements.... How you are going to send the checksum to the server? Do your have your own BIOS
implementation for PXe client and server side PXe?
Or are you planning to use another protocol from, say, temporary loaded OS image?
I mean it is just not clear to me how you are going to calculate the checksum and send it to the server? If it is your custom
protocol you can maintain a simple database on the server side (even a plain text file will work) with the initial client image
checksums. Then whenever a client device boots up and sends the current image checksum to the server, you can compare it there and
download a new image if available. Although this way you still need to use image datetime stamp to know whether the server image is
newer.
So if you get the database then you can have different images on client devices with no harm.
Also, take a look at the IBM Rapid Recovery solution. You will have to have IBM BIOS, though, but if you purchase IBM box you get
the software for free.
Btw, did you have a chance to evaluate WePOS for your needs? My guess is that it is too heavy for you.
You don't want to make client images different by having them, for instance, different SIDs, right?
I have very little experience with POS systems but I thought they are usually pretty big images. Although I completely understand it
would depends on the main POS application(s) used on the device and the application requirements/dependencies. There is observing
some growing popularly for the port of POS applications to .Net which makes most of the POS systems heaver than, say, regular
Minlogon image size.
Anyway, I think you have already evaluated XPe to meet your device specifications and requirements so I am not going to tell you
that your future XPe image will unlike be around 10MB
Btw, Remote Assistance will bring a bunch of components in your image.
Regarding your device requirements.... How you are going to send the checksum to the server? Do your have your own BIOS
implementation for PXe client and server side PXe?
Or are you planning to use another protocol from, say, temporary loaded OS image?
I mean it is just not clear to me how you are going to calculate the checksum and send it to the server? If it is your custom
protocol you can maintain a simple database on the server side (even a plain text file will work) with the initial client image
checksums. Then whenever a client device boots up and sends the current image checksum to the server, you can compare it there and
download a new image if available. Although this way you still need to use image datetime stamp to know whether the server image is
newer.
So if you get the database then you can have different images on client devices with no harm.
Also, take a look at the IBM Rapid Recovery solution. You will have to have IBM BIOS, though, but if you purchase IBM box you get
the software for free.
Btw, did you have a chance to evaluate WePOS for your needs? My guess is that it is too heavy for you.
P
Pascal Bouchard
I already have in hand a M-System USB uDOC but still waiting for M-System to
supply me the software to set my device as bootable device... probably next
week.
I also have a Smart Modular Technologies device to test.
Regarding Emergency updates done by custom BIOS, do you remember the 3rd
party cie ?
What would be your best guess to have a safe remote deployment and a way to
compare images ?
supply me the software to set my device as bootable device... probably next
week.
I also have a Smart Modular Technologies device to test.
Regarding Emergency updates done by custom BIOS, do you remember the 3rd
party cie ?
What would be your best guess to have a safe remote deployment and a way to
compare images ?
P
Pascal Bouchard
Exactly, this is my reason to deploy the exact same image on multiple
targets.
My QNX image is very tiny but, my XPE his pretty large since it contains
WINLOGON and .NET Framework... it is presently 256Mb (ntfs compressed).
Intending to compare my XPe partition, i though i'd have a partition that
boots a tiny OS that speaks TCP/IP, compute the checksum of the XPE
partition and, with a custom protocol over TCP, asks the server for the
current XPE partition checksum..... update... etc etc....
Actually, i'd like to confirm that having the same SID on all my targets
will cause me a problem implementing ADS, Domain Registration, SMS, Windows
Network... if it causes a problem, i will stop trying to find a "partition
checksum comparison" solution and find another architecture.
The best workaround i found is to have a read-only initial XPE partition and
having EWF overlays; my problem is that if a virus infects my system and
that it cannot boot anymore, i'm in deep s@#$!@ 10000 times; in emergency
case, i'd like to rollback to initial version or completely remotely
reinstall an image; your advices are welcome.
targets.
My QNX image is very tiny but, my XPE his pretty large since it contains
WINLOGON and .NET Framework... it is presently 256Mb (ntfs compressed).
Intending to compare my XPe partition, i though i'd have a partition that
boots a tiny OS that speaks TCP/IP, compute the checksum of the XPE
partition and, with a custom protocol over TCP, asks the server for the
current XPE partition checksum..... update... etc etc....
Actually, i'd like to confirm that having the same SID on all my targets
will cause me a problem implementing ADS, Domain Registration, SMS, Windows
Network... if it causes a problem, i will stop trying to find a "partition
checksum comparison" solution and find another architecture.
The best workaround i found is to have a read-only initial XPE partition and
having EWF overlays; my problem is that if a virus infects my system and
that it cannot boot anymore, i'm in deep s@#$!@ 10000 times; in emergency
case, i'd like to rollback to initial version or completely remotely
reinstall an image; your advices are welcome.
S
Slobodan Brcin \(eMVP\)
Hi Pascal,
About comparing images some simple approach would be to divide disk on certain logical blocks like 1 MB and calculate checksums of
each block.
About custom BIOS manufacturer I do not know since I was told once but I can't remember it now since I do not use it :-(
Regards,
Slobodan
About comparing images some simple approach would be to divide disk on certain logical blocks like 1 MB and calculate checksums of
each block.
About custom BIOS manufacturer I do not know since I was told once but I can't remember it now since I do not use it :-(
Regards,
Slobodan
S
Slobodan Brcin \(eMVP\)
The best workaround i found is to have a read-only initial XPE partition and
Well if you put your disk with XPe to read-only mode in hardware then no viruses or updates will be possible for that matter.
Regards,
Slobodan
Well if you put your disk with XPe to read-only mode in hardware then no viruses or updates will be possible for that matter.
Regards,
Slobodan
K
KM
Pascal,
This sounds right. So, why don't you compare the current image checksum with the initial checksum of the same original image?
By original image I mean the one that you get after a Cloning phase. You run the image first time at the field, turn on EWF, shut it
down and capture the image checksum with your QSX custom OS.
Then if you save the checksum on the server assigning to to this particular device in the devic list you will always be able to
compare the checksums later on. Assuming, of course, you have EWF running and enabled on the client image.
If later on you wanted to update the image (EWF commit then), you would capture and update the initail checksum once again.
Well.. It is hard to confirm that with such broad range of different technologies listed. It all comes to much of testing.
Again, there have been no known issues in Domain environment caused by the same local SIDs.
I agree with Sloboda. Make your media read-only (CD-ROM, flash with hardware read-only switch, etc.) and you won't be worring about
persistent viruses.
(while there are still some session-active viruses)
This sounds right. So, why don't you compare the current image checksum with the initial checksum of the same original image?
By original image I mean the one that you get after a Cloning phase. You run the image first time at the field, turn on EWF, shut it
down and capture the image checksum with your QSX custom OS.
Then if you save the checksum on the server assigning to to this particular device in the devic list you will always be able to
compare the checksums later on. Assuming, of course, you have EWF running and enabled on the client image.
If later on you wanted to update the image (EWF commit then), you would capture and update the initail checksum once again.
Well.. It is hard to confirm that with such broad range of different technologies listed. It all comes to much of testing.
Again, there have been no known issues in Domain environment caused by the same local SIDs.
I agree with Sloboda. Make your media read-only (CD-ROM, flash with hardware read-only switch, etc.) and you won't be worring about
persistent viruses.
(while there are still some session-active viruses)
P
Pascal Bouchard
Thank you Slobodan, using small chunks with checksum is what i intended to
do; i'm looking for a standard protocol that does the transfer but i think
that i will have to implement it by myself.
do; i'm looking for a standard protocol that does the transfer but i think
that i will have to implement it by myself.
P
Pascal Bouchard
My XPe partition will be write-protected; i will probably have an initial
partition that will override the XPe partition if necessary before botting
with it.
Thanks.
partition that will override the XPe partition if necessary before botting
with it.
Thanks.
P
Pascal Bouchard
This is a original idea; i'll have it as my contigency plan; or as future
implementation; finally, my bosses decided not tu use any Domain, ADS or SMS
stuff; i will deploy the exact same image (with same sid) to all my targets
(as first implementation).
Thank you KM!
implementation; finally, my bosses decided not tu use any Domain, ADS or SMS
stuff; i will deploy the exact same image (with same sid) to all my targets
(as first implementation).
Thank you KM!
K
KM
Pascal,
Just be careful with the same SID. It makes things worse on non Domain MS network environment.
KM
Just be careful with the same SID. It makes things worse on non Domain MS network environment.
KM
S
Slobodan Brcin \(eMVP\)
Perhaps your TFTP implementation on client side?
Regards,
Slobodan
Regards,
Slobodan
S
Slobodan Brcin \(eMVP\)
Hi Pascal,
Software protections can we work arounded :-(
You need firmware protection implemented in disk hardware or physical hardware switch protection.
Regards,
Slobodan
What do you mean by this? EWF or some other protection.
Software protections can we work arounded :-(
You need firmware protection implemented in disk hardware or physical hardware switch protection.
Regards,
Slobodan
P
Pascal Bouchard
Physical protection supplied with the hardware.
Slobodan Brcin (eMVP) said: