Technology for Families – Part 2: Hardcore Porn & Malware Filtering

This is Part 2.  Part 1 is a “technology parenting” overview.  Part 2 is the technical “horsepower” and resource for securing your home internet connection. Securing your router is a foundation of Part 1 and, in my professional opinion, a best practice for anyone using the internet.

Overview

By the end of this post, you will have a very cheap and powerful DD-WRT router with two SSIDs (wireless network names).  One for you and your older kids with a less-restricted or no content filtering.  Another wireless network for your kids that is secured with OpenDNS’ family content filter.

A quick technical commentary: a simple approach to this is creating a “kids” VLAN.  The major drawback, which is unacceptable for most homes, is that in a home/SMB network you want everything to be on the SAME VLAN.  Separate VLANs break every “newer” convenience such as AirPrint, DLNA, Rokus, screen mirroring, wireless printers, etc.; basically anything that relies on SSDP and mDNS.  Said another way, with separate VLANs, kids on their content-filtered “kids” network could not print to your wireless printer on the “parents” VLAN, and vice versa.  The solution I propose eliminates this issue: everyone stays on one VLAN, ebtables “marks” packets arriving from the “kids” SSID, and iptables forces those marked packets to a parallel instance of dnsmasq for DNS, which relays to the OpenDNS Family Filter (or whatever DNS servers you choose).

On a semi-related topic, you could add a third SSID to create a guest VLAN: here is a DD-WRT guide for builds >23020 for simple creation of a guest VLAN.

Notes, Assumptions, & Prerequisites:

  1. Refer to the next section for a supported router.
  2. You have broadband internet.
  3. You want to protect your home. You recognize that the steps below will not protect you/your family against over-the-air data. Refer to the handout in Part 1. The steps below along with your new router protect your local wireless network only.
  4. Connect the blue port on the router to port #1/WAN port on your modem.
  5. As you go through the following steps, please fill out the “Checklist and Documentation”. This is required in order to properly troubleshoot and keep you organized in the future when making changes.
  6. When you see text in quotations (e.g. “password”), only use the text inside the quotes. Do not copy/paste the quotes. The quotes are there to make it clearer for you to read.
  7. If you have Comcast, make sure you enable bridge mode if you have Comcast phone service; follow these instructions closely.
  8. If Comcast, make sure you disable Xfinity Hotspot; follow these instructions.

Hardware Needs & Original Flashing

  1. These steps are specific to the TP-LINK TL-WR841N Wireless Router (available on Amazon for >$20).  It is a cheap, DD-WRT supported router. You want a “v9.x” version router. Be aware: TP-LINK may release newer revisions that do not support DD-WRT under the same “TL-WR841N” model number.
  2. The TP-LINK TL-WR841N v9 can be flashed to DD-WRT rather easily.
  3. Download a recent build (I tested on this one from April). This is for v9 ONLY.  Check the label on the bottom of the router to make sure it is “v9.x”.  You can flash this version directly in the TP-LINK GUI: just login to 192.168.0.1 and browse to the firmware you just downloaded from DD-WRT.  For step-by-step instructions, see this post by Gregg Borodaty.  Remember: you have to flash the v9 firmware.
  4. I cover in another post how to revert back to the original TP-LINK OEM firmware if desired.  Or how to cross-flash to Gargoyle which has certain benefits that I am not going to cover here.
  5. If you have another DD-WRT router, the below configuration is basically the same with some minor but critical changes to the copy/paste steps.  Post a comment if you want specific help.  E.g. instead of “ath0.1” it may be “wl0.1” for Broadcom-based routers or “ath1.1” for 5GHz dual band Atheros routers (wl1.1 for Broadcom dual band 5GHz routers).

OpenDNS Setup

  1. Go to OpenDNS and signup for a free account: https://www.opendns.com/home-internet-security/parental-controls/opendns-home/. Hit the “SIGN UP NOW” orange button. At right, enter your information to setup your account. Write your username and password down on the checklist at the end; #1.
  2. Check your email for an account confirmation email from OpenDNS.  Not all email services allow hyperlinks within the content of messages, if the link in your email is not clickable copy and paste the link into your browser to confirm your account.  If you click (or copy and paste) the link in the confirmation email you will be taken to your OpenDNS dashboard.
  3. Once confirmed, move on to router setup.

DD-WRT TP-LINK TL-WR841N Router Setup

  1. Go to http://192.168.1.1/ and click “Setup” at the top. Enter the following when the webpage prompts you: Username: “root” / Password: “admin” (admin is the default DD-WRT password).
  2. First, change the default password. At the top, go to “Administration”. Scroll down and enter “root” as the username (overwriting the ••/***). Please enter a new password and re-confirm it; please make it something your kids cannot guess. Write your username and password down on the checklist at the end; #2. Scroll further down and check the box next to “Info Site Password Protection”. Go to the bottom and hit “Save”. This is the router password that you will need to make changes to the router in the future, and prevents your kids from changing settings.
  3. Next, click on the upper left tab “Setup”. It should take you to the “Basic Setup” sub-tab. Scroll down; feel free to name your router whatever you would like under “Router Name”. Scroll to the bottom and, under “Time Settings”, enter “0.us.pool.ntp.org” as the NTP server (copy/paste to make data entry easier). Hit “Save”.
  4. Click on the “DDNS” sub-tab at the top (next to “Basic Setup”). Select “Custom”. Enter the following information. Copy/paste below.
    1. DDNS Service: “Custom”
    2. DYNDNS Server: “updates.dnsomatic.com”
    3. <Enter your OpenDNS username and password you setup earlier; should be #1 on your checklist>
    4. Hostname: “all.dnsomatic.com”
    5. Under URL: “/nic/update?hostname=”

    Hit “Save” at the bottom.

  5. Click on the “Wireless” tab at the top. Under “Wireless Network Name (SSID)” enter whatever you want the parents/adult/older kids network to be named. For demonstration, I am calling it “Home Wireless”. Hit Save.

    Once saved, click on “Add” under “Virtual Interfaces” and enter a network name “Wireless Network Name (SSID)” for the kids. For demonstration, I am calling it “Kids Wireless”. Hit Save.

  6. At the top, go to “Wireless Security” and under “Security Mode” select “WPA2 Personal”. Under “WPA Shared Key” enter whatever password you want for your parent wireless network. In the example, this is the “Home Wireless” network. It must be at least 8 characters, should not be easily guessable, and should not be shared with kids. Hit “Save”. Write down the “Home Wireless” key on the checklist at the end; #3.

  7. Do the same for the “Virtual Interfaces” entry “ath0.1” below. Make sure you hit “Save” from the step before, then add the security information for the virtual interface. Select “WPA2 Personal” and under “WPA Shared Key” enter whatever password you want for your kids wireless network. In the example, this is the “Kids Wireless” network. It must be at least 8 characters and is the one given to your kids. Write down the “Kids Wireless” key on the checklist at the end; #4.
  8. Next click on the “Services” tab at the top. Scroll down to the “DNSMasq” section. Enable “Query DNS in Strict Order” and copy/paste the following carefully into “Additional DNSMasq Options”. The two “server=” lines are Norton ConnectSafe’s security-plus-pornography resolvers; the integrated DNSMasq (and therefore the parents’ “Home Wireless”) forwards to them, and “no-resolv” keeps it from also using your ISP’s resolvers. The “address=” lines answer google.com with 216.239.38.120 (forcesafesearch.google.com), which locks Google SafeSearch on. Note: Norton ConnectSafe was shut down in November 2018, so if you are setting this up today replace the two server lines with another filtering resolver (e.g. OpenDNS FamilyShield, 208.67.222.123 and 208.67.220.123).
    no-resolv
    server=199.85.126.20
    server=199.85.127.20
    address=/google.com/216.239.38.120
    address=/google.ca/216.239.38.120
    address=/www.google.com/216.239.38.120
    address=/www.google.ca/216.239.38.120
  9. Hit “Save”.
  10. Go to the bottom of the “Services” tab and disable the last option, “ttraff Daemon” (this prevents excess nvram writes over time; leave it enabled if you want WAN traffic history). Hit “Save”.
  11. At the top, go to the “NAT / QoS” section, then the “UPnP” sub-tab. Enable both the “UPnP Service” and “Clear port forwards at startup” options and hit “Save”. Be aware of the trade-off: UPnP lets any device on the LAN, including a compromised or misbehaving kids’ device, open inbound ports on the router without asking you; if no console or streaming box needs it, leave it disabled.
  12. At the top, go to “Administration”. Next, click on the “Keep Alive” sub-menu at top. Enable “Schedule Reboot” and enter when you want the router to automatically reboot itself to stay healthy, e.g. 2:00am Sunday morning: select the radio button to the right of “At a set time”, choose “2” under the first drop-down menu and Sunday for the day. Hit “Save”.
  13. Go to the “Commands” sub-menu.
    Copy/paste very carefully the following code into the “Commands” box.
    #KidsWireless DNS repeater instead of directly forwarding to OpenDNS to handle Google SafeSearch
    #-S upstream servers (OpenDNS), -R ignore /etc/resolv.conf, -i listen on the LAN bridge only (never the WAN), -p 54 because the integrated DNSMasq already owns port 53
    sleep 5
    dnsmasq -S 208.67.222.222 -S 208.67.220.220 -R -i br0 -p 54 --address=/google.com/216.239.38.120 --address=/google.ca/216.239.38.120 --address=/www.google.com/216.239.38.120 --address=/www.google.ca/216.239.38.120

    Hit “Save Startup” at the bottom.

  14. Next, copy/paste very carefully the following code into the “Commands” box. Pay attention to the order: every rule is inserted at the top of the chain with “-I”, so the two “--mark 2” rules (which come last in the script) end up above the catch-all port-53 rules and are evaluated first. If they were appended with “-A” instead, the catch-all rules would win and the kids’ DNS would never reach the port-54 instance.
    #Redirect HomeWireless/non-marked DNS traffic to the router's local DNS server (the integrated DNSMASQ instance, which forwards to Norton ConnectSafe)
    iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    
    #Mark packets coming in from ath0.1 (KidsWireless)
    insmod ebtables
    insmod ebtable_filter
    insmod ebt_mark.ko
    sleep 2
    ebtables -I INPUT -i ath0.1 -j mark --set-mark 2
    
    #Redirect DNS traffic for KidsWireless to the manual DNSMASQ instance on port 54 (which forwards to OpenDNS)
    iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -m mark --mark 2 -j DNAT --to $(nvram get lan_ipaddr):54
    iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -m mark --mark 2 -j DNAT --to $(nvram get lan_ipaddr):54
    
    #For 5GHz dual band Atheros routers with virtual SSID
    #ebtables -I INPUT -i ath1.1 -j mark --set-mark 2
    
    #For Broadcom Routers
    #ebtables -I INPUT -i wl0.1 -j mark --set-mark 2
    #For 5GHz dual band Broadcom routers with virtual SSID
    #ebtables -I INPUT -i wl1.1 -j mark --set-mark 2
    
    
    #CRON key for setting up a wireless schedule
    #minute (0-59),
    #| hour (0-23),
    #| | day of the month (1-31),
    #| | | month of the year (1-12),
    #| | | | day of the week (0-6 with 0=Sunday).
    #| | | | | commands
    #
    #For example, to disable wireless between 9pm-6am (the first line re-runs at the top of every hour in between, so the interface stays down). To override/extend access for another hour just reset the router.
    #0 21-23,0-5 * * * root ifconfig ath0.1 down
    #0 6 * * * root ifconfig ath0.1 up
    #
    #Now how about turning off wireless only on S,M,T,W,TH nights? (0=Sunday)
    #0 21-23 * * 0-4 root ifconfig ath0.1 down
    #0 0-5 * * 1-5 root ifconfig ath0.1 down
    #0 6 * * 1-5 root ifconfig ath0.1 up
    
  15. After pasting the code above, hit “Save Firewall”. It will take roughly 30 seconds for the firewall script to save.

  16. Lastly, go back to the “Management” sub-tab at the top, scroll the entire way to the bottom, and click the red “Reboot Router” button.

Linking OpenDNS to your home internet

(Do NOT do this away from home; These steps must be done directly on your broadband connection at your home)

  1. First, go re-read section #1, “Notes, Assumptions, & Prerequisites” and ensure you have your Comcast or internet connection setup correctly. Confirm your modem/internet connection is in bridge mode. Your best option is to purchase your own modem (Motorola SB6141 is recommended) that does bridging by default.
    • The key is getting a public IP address assigned directly to your router. Not only will it make filtering work correctly (OpenDNS identifies your network by the public IP it sees), it will make the internet faster and allow ports to automatically be opened for certain devices (e.g. AppleTV, Roku, Chromecast, etc.) making those devices work better.
    • To check if your router is getting a proper public IP address, login to http://192.168.1.1 and look at the upper right. You will see a “WAN Address” line in white text. If that address does NOT fall in one of the private/non-routable ranges (10.x.x.x, 172.16.x.x through 172.31.x.x, 192.168.x.x, or 100.64.x.x through 100.127.x.x) you are good to go. A 10., 172.16-31. or 192.168. address means your modem is also a router and is not in bridge mode correctly; please call your internet provider and have them walk you through getting the modem into bridge mode. A 100.64-127. address means your provider is using carrier-grade NAT, which bridge mode cannot fix; ask the provider for a public address. A quick cross-check: the “Your current IP” shown on the OpenDNS dashboard (next steps) must match the router’s WAN Address.
  2. Login to OpenDNS. www.opendns.com. At the top, click on “Dashboard”(The steps and screenshots are from https://support.opendns.com/entries/53936430-Configuring-OpenDNS-on-your-Network with edits for working with DD-WRT.)
  3. Next you need to “Add a Network”. You will see a big box on your OpenDNS home screen that says “Add a network”. Adding a network to your OpenDNS dashboard lets you use OpenDNS’s custom content filtering and stats features for that network. Click on the “Add a network” box; the next screen asks you for an IP address.  If you are on your home network you will see your current IP address displayed at the top of your dashboard where it says “Your current IP is”.  Copy this number from the top of the screen. This is your current external (public) IP address that your internet service provider assigned to your network, and it should match the router’s WAN Address you checked in step 1.   Use that IP address for your dashboard network.
  4. Next you will get a screen that asks you for a network name and whether or not you have a dynamic IP address.  If you are unsure, you most likely have a dynamic IP address.  Most internet service providers lease dynamic IP addresses, which means that your IP address can change. Check off “Yes, it is dynamic”. Do not download the updater software offered under #3 on that screen: the DD-WRT router will handle the auto-updating for you if you followed the router setup instructions above under “DDNS”. If you have more questions regarding dynamic IP addresses please see Dynamic IP Addresses: Technical Detail and FAQ.
  5. After you add your network, OpenDNS asks you to verify the IP address. Time to check your email.
  6. You should receive a verification email from OpenDNS; once you click the link your IP address will be verified and you will be taken back to the dashboard.
  7. Configuring Content Filtering Settings: After you have added a network, content filtering can be configured in the Settings tab.  Click on the Settings tab and choose the network you added from the Settings for: drop down to open the Web Content Filtering menu for this network.  In the Choose your filtering level settings you can choose from one of the levels that are pre-set or chose Custom to select the categories you would like to filter on your network. Custom is powerful and recommended to filter specific categories like Social Media, File Sharing, and Webmail.
  8. Based on our PG-13 presentation, especially for younger kids, please enable the following categories: Adult Themes, Alcohol, Dating, Lingerie/Bikini, P2P/File Sharing, Pornography, Adware, Chat, Drugs, Hate/Discrimination, Gambling, File Storage, Classifieds, Nudity, Phishing, Proxy/Anonymizer, Social Networking, Tasteless, and Webmail (to block web-based email). This is the “magic” of the router. These categories will only apply to those connected to the “Kids Wireless” connection. “Home Wireless” is filtered via Norton ConnectSafe for general pornography and adware.
  9. You can also manage individual domains to customize your filtering settings.  For example, if you choose to block the Lingerie/Bikini category but would still like to shop at victoriassecret.com you can add victoriassecret.com to your Never Block list which will allow access to victoriassecret.com while blocking all other domains in that category.For more information on content filtering please see: Web Content Filtering and Security.For more information on configuring the Manage individual domains section please see: Getting Started: Blocking/Allowing Specific Domains with Whitelist/Blacklist.
  10. Configuring Reporting/Statistics: If you would like statistics for your network, first you must enable stats and logs on your network. To do so, click on the Settings tab, choose the network you added from the “Settings for:” drop down and click on “Stats and Logs” from the left hand menu. Check the box to enable stats and logs and hit APPLY.

    It can take up to 24 hours for stats to initially populate after you enable them, so if you don’t see them right away don’t fret; they are coming! When stats begin to populate you can view them in the Stats tab. There are several different ways you can view your stats by choosing the options in the left hand menu.
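The WAN Address test from step 1 above, as an added shell example that is not part of the original post: a POSIX sh function that classifies an IPv4 address as public or not, covering the RFC 1918 ranges plus carrier-grade NAT (100.64/10), loopback and link-local, which the eyeball test of “starts with 10, 172 or 192” gets wrong at the edges (172.15.x.x is public, 172.16.x.x is not). On the router it reads the address with “nvram get wan_ipaddr” (DD-WRT’s variable name, assumed here); anywhere else, pass the address on the command line.

```shell
#!/bin/sh
# Public-vs-private IPv4 check. Pure POSIX sh (no bash-isms, no `local`),
# so it runs under DD-WRT's BusyBox ash as well as on a laptop.

# is_public_ipv4 ADDR -> 0 if ADDR is a routable public IPv4 address, 1 otherwise.
# Non-public ranges: RFC 1918 (10/8, 172.16/12, 192.168/16), carrier-grade NAT
# 100.64/10 (RFC 6598), loopback 127/8, link-local 169.254/16 and 0/8.
is_public_ipv4() {
    addr=$1
    # Reject anything that is not digits and dots, or has empty octets.
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                     # split on dots into $1..$4
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    a=$1; b=$2
    [ "$a" -eq 0 ] && return 1                                           # 0.0.0.0/8: no address yet
    [ "$a" -eq 10 ] && return 1                                          # 10.0.0.0/8
    [ "$a" -eq 127 ] && return 1                                         # loopback
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1  # CGNAT 100.64.0.0/10
    [ "$a" -eq 169 ] && [ "$b" -eq 254 ] && return 1                     # link-local
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1   # 172.16.0.0/12
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 1                     # 192.168.0.0/16
    return 0
}

# wan_check [ADDR] -> prints a verdict; 0 = public, 1 = not public.
# Without an argument it asks DD-WRT's nvram for the WAN address (assumed
# variable name wan_ipaddr); off the router, pass the address explicitly.
wan_check() {
    ip=${1:-$(nvram get wan_ipaddr 2>/dev/null)}
    if is_public_ipv4 "$ip"; then
        echo "WAN '$ip' is public: modem is bridged and OpenDNS can identify this network"
        return 0
    fi
    echo "WAN '$ip' is NOT public: modem still routes/NATs, provider uses CGNAT, or no address yet"
    return 1
}

# Stand-alone use: ./wancheck.sh [address]
if [ $# -gt 0 ]; then
    wan_check "$@"
fi
```

Run it on the router with no argument (Administration > Commands > Run Commands) or on any machine with the WAN Address from the status page as the argument.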

Testing, FAQs, and more technical information

  1. Almost done. Well done. Now time to test. The “Home Wireless” network uses Norton ConnectSafe. To test your “Home Wireless” network go to playboy.com. IT SHOULD BE BLOCKED. As of 4/15/2015 (and since 2010) the playboy.com homepage is “safe” and does not have pornographic images on the homepage. Assuming you followed the steps above correctly, you should NOT get the playboy.com site and instead get the Norton ConnectSafe block page. (Norton ConnectSafe was retired in November 2018; if you substituted another filtering resolver, expect that service’s block page instead.)
  2. Thankfully OpenDNS has an easy testing website. To test OpenDNS, connect to the “Kids Wireless” connection and go to www.opendns.com/welcome. You should get a large checkmark indicating OpenDNS is setup correctly. If you do NOT get a large checkmark, you have something incorrect in the “Commands” section above where you copied/pasted the large block of code (or see NOTE2 below). Retry, reboot the router and PC, and retest on “Kids Wireless”.
    NOTE: OpenDNS will “work” with a green checkmark but that does NOT mean your low/medium/high/custom OpenDNS filtering settings are being applied. You must try a website that you know should be blocked in a category you specified and look for the OpenDNS block page instead of the website loading. For example, if you select the “Custom” filtering profile and check off “Social Networking”, this should block facebook.com: on the “Kids Wireless” connection it should NOT load and you should get the OpenDNS block page instead. If you expected Facebook to be blocked based on your OpenDNS categories and it is not, AND you correctly get the checkmark at www.opendns.com/welcome, then your issue is with the “DDNS” section above: your router is not correctly telling OpenDNS what your home internet connection IP address is, so your custom filtering categories are not applied. The same symptom appears if you did not properly put your modem into bridge mode.
    NOTE2: The commands above in the “Commands” step that start with “iptables” handle the DNS enforcement. If your kids try to specify their own DNS settings to bypass the filter, the router redirects everything back to its local DNS server (called DNSMasq) which then forwards everything to either OpenDNS (for kids) or Norton ConnectSafe (for parents/Home Wireless). Caveat: the redirect only catches plain DNS on port 53. A device or browser using DNS over HTTPS (port 443) or DNS over TLS (port 853) never sends port-53 queries and so bypasses both filters; DNS over TLS can be stopped by blocking outbound port 853, but DNS over HTTPS looks like any other HTTPS traffic. A VPN or proxy tunnels around DNS filtering entirely (OpenDNS’s “Proxy/Anonymizer” category helps with the web-based ones).
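An added check, not part of the original post: NOTE2 depends on the two “--mark 2” rules sitting above the catch-all port-53 rules in the nat PREROUTING chain, which the firewall script achieves by inserting them last with “-I”. The POSIX sh/awk function below reads “iptables -t nat -S PREROUTING” and verifies that order for one protocol. The two sample listings are constructed to look like that output (one correct, one as it would look if the mark rules had been appended with “-A” instead), so the check runs offline; on the router, pipe the real iptables output into it.

```shell
#!/bin/sh
# Audit the DNS-redirect rule order in the nat PREROUTING chain.
# Usage on the router:
#   iptables -t nat -S PREROUTING | audit_dns_redirect udp
#   iptables -t nat -S PREROUTING | audit_dns_redirect tcp
# Exit status: 0 = kids rule precedes catch-all, 1 = wrong order, 2 = rule missing.

# audit_dns_redirect PROTO  (reads `iptables -t nat -S PREROUTING` on stdin)
# iptables walks PREROUTING top to bottom and DNAT is terminal, so the kids
# rule (--dport 53, --mark 0x2, DNAT to port 54) must come BEFORE the
# unmarked catch-all --dport 53 DNAT, or every client lands on the parents'
# resolver. Only dport-53 DNAT rules are counted; other rules are ignored.
audit_dns_redirect() {
    proto=$1
    awk -v proto="$proto" '
        $1 == "-A" && $2 == "PREROUTING" && /--dport 53 / && / -j DNAT / {
            n++
            is_proto = 0
            for (i = 1; i <= NF; i++) if ($i == "-p" && $(i+1) == proto) is_proto = 1
            if (!is_proto) next
            if ($0 ~ /--mark 0x2 / && $0 ~ /:54$/) { if (!kids) kids = n }
            else if ($0 !~ /--mark/)            { if (!all)  all  = n }
        }
        END {
            if (!kids || !all) { print proto ": missing rule (kids=" kids+0 ", catch-all=" all+0 ")"; exit 2 }
            if (kids < all)    { print proto ": ok (kids rule #" kids " precedes catch-all #" all ")"; exit 0 }
            print proto ": WRONG ORDER, catch-all #" all " precedes kids rule #" kids; exit 1
        }'
}

# Constructed sample of what `iptables -t nat -S PREROUTING` prints after the
# firewall script above has run with -I (plus one unrelated port forward).
# Not captured from a real router.
sample_ok() {
cat <<'EOF'
-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p udp -m udp --dport 53 -m mark --mark 0x2 -j DNAT --to-destination 192.168.1.1:54
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -m mark --mark 0x2 -j DNAT --to-destination 192.168.1.1:54
-A PREROUTING -i br0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -d 203.0.113.5/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
EOF
}

# The same rules as they would end up if the mark rules had been appended
# with -A: the catch-all now comes first and wins for everyone.
sample_wrong() {
    sample_ok | awk '!/--mark/ { print } /--mark/ { held[++h] = $0 } END { for (i = 1; i <= h; i++) print held[i] }'
}
```

A WRONG ORDER verdict after a reboot usually means the rules were edited by hand with “-A”, or another startup script inserted its own port-53 DNAT after the firewall script ran.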

KEEP THIS PAGE
Checklist and Documentation

  1. OpenDNS.com
     Username: ________________________
     Password: _________________________
  2. Router Configuration: http://192.168.1.1
     Router Username (root): _________________________
     Password: __________________________
  3. Parent/Home Wireless Password (≥8 characters): __________________________
  4. Kids Wireless Password (≥8 characters): __________________________

Last Thoughts: Support & Sharing with Others

I will do my best to assist families. As mentioned in Part 1, I share a passion for Christ and helping parents navigate technology to strengthen families and faith. I, with the help of the pastors, have spent >30 hours putting together this material: the presentation, handout, this router workshop material and equipment. I am trying, in good faith, to have this material stand on its own. That being said, I also know there will be many questions and many unique situations that we cannot document or anticipate. I do anticipate issues; with your internet provider, with a device, with setup questions. I will do my best to respond to comments and questions.  Cheers.

For historical reasons, here is the original Word docx (and pdf).  Refer to the post for current and updated information.


“Set Up Internet Explorer 11” Bypass with GPO or Registry

This took too long to Google the answer.  Most information is out-of-date with IE8/IE9 solutions.  It is basically a duplicate of this post from Andres Cheah.

The goal is to bypass this dialogue box:
set-up-ie-11

Our users are easily confused.

Using Group Policy Editor

  1. Use gpedit.msc or launch the Group Policy Editor.
    Note: In an Active Directory environment, open gpmc.msc and either edit an existing GPO, or create a new one and link it to the domain level, or to an OU of your choice.
    Refer to “Group Policy for Beginners” from Microsoft for the basics.
  2. In the left pane, expand User Configuration > Administrative Templates > Windows Components > Internet Explorer.
  3. On the right pane, double-click on “Prevent running First Run wizard”. A new settings window will open up.
    prevent-first-run-ie-11
  4. Set the value to “Enable”.
  5. In the options section you must choose one of the two options from the drop-down menu:
    1. Go directly to “Welcome To IE” page.  This configures IE to skip the Welcome screen and go to the “Welcome to Internet Explorer” page directly.
    2. Go directly to home page.  This configures IE to skip the Welcome screen and go directly to your home page.  This is the option we chose.  You can combo this up with this post from ServerFault to also push a desired homepage to users.
      You need to choose one of the two, otherwise the configuration will not work.

For those who really want to dig into how IE11 is handling the policy, I later came across this post from chentiangemalc where it details how the policy is applied and the associated ADMX.  It also explains why much of the internet is outdated in the older “Prevent performance of First Run Customize Settings” that were used in IE8 and IE9 (e.g. here, here and here).

Publishing a legacy, 32-bit RemoteApp on Windows Server 2012 R2

In a separate upcoming post I will document our trials and security tribulations with Horizon Software and their Village Merchant Point of Sale system (i.e. cash registers with additional functionality).  Village Merchant is a SQL-based, 32-bit and, by the looks of the UI, a legacy Visual Basic app.

The two problems that I had to solve were:

  1. Installing legacy software on a shared-user Terminal/Remote App server.
  2. Running a RemoteApp executable from a remote (non-local) file share.

Solving Problem #1

To install, we had to go-back-in-time to something I had tried years ago and had forgotten.
“Use the CHANGE USER Command to Switch to Install Mode in Windows 2000 Terminal Services”.  Ironically, this command lives on today.  Screenshots courtesy of this Microsoft blog page.

Switch Terminal Services to Install Mode

  1. Launch an elevated command prompt
  2. At the command prompt, type
    change user /install
  3. Press ENTER. The following message appears:
    User session is ready to install applications.
  4. Type exit, and then press ENTER.
  5. You are now in install mode, so install programs or change the settings that you want to propagate to all users.  Add or remove the programs that you want.

change user install terminal server

Switch Terminal Services to Execute Mode

  1. Again, launch an elevated command prompt
  2. At the command prompt, type
    change user /execute
  3. Press ENTER. The following message appears:
    User session is ready to execute applications.
  4. Type exit, and then press ENTER.
  5. You are now back in execute mode.  Per-user registry and .ini settings written while in install mode are recorded by the server and replayed into each user’s profile the first time that user runs the application, which is what makes a single install work for everyone.

That solved problem #1.  All users could manually launch the application.  And by “manually” I mean you had to launch the “MERCHANT.EXE” from the remote file share on the Horizon server from the full desktop UI.

Solving Problem #2

Again, the “MERCHANT.EXE” executable resides on another server and is accessed via SMB file share using the full UNC path.  E.g. \\<FQDN server name>\<shared name>\merchant.exe.

The problem is that in Windows Server 2012 R2, remote or non-local applications cannot be published by RemoteApps.  This challenge led me to this post at SpiceWorks on using a locally saved batch file to launch the remote executable.  Brilliant.

I created a local batch file (e.g. C:\<folder>\remoteapp.bat) that all users could read (but not modify: every user runs it, so anyone who can edit it can run code as every other user who launches the RemoteApp) and it contained these few lines:

@echo off
echo.
echo.
echo Launch Horizoning, please wait up to 10 seconds. . . .
echo.
echo.
PING -n 7 127.0.0.1 >nul
start "" "\\<FQDN server name>\<shared name>\merchant.exe" /MAX

The start command dates back to the OS/2 and 16-bit Windows days.  It launches an application from a command prompt; simple enough.  See here if you want to get fancy on window sizing, processor priority, etc.  The “ping” command resolved issues where Horizon would launch but not accept keyboard/mouse input.

When adding the remoteapp.bat batch file on the RemoteApp server, I also used the full UNC path; e.g. \\<RemoteApp server FQDN>\<folder>\remoteapp.bat (even though it’s a local batch file, if you ever add additional RemoteApp servers to your Collection, they will know where to locate the batch file).  Enjoy launching remote applications using RemoteApp.

Outlook 2013 & red x HTTPS images not displaying in HTML emails

I spent better part of an hour working on why Outlook 2013 would not properly display inline, linked email images.  I got the dreaded red “x”.

outlookredx

Backstory: I am working with a team to roll out an improved daily newsletter.  After trying Constant Contact and Mailchimp, I was thoroughly impressed with Mailchimp.  For example, Constant Contact did not have “smart tags” or “merge tags” as Mailchimp calls them.  In other words, with Mailchimp I can insert a PHP date code in the heading bar of my email template:

*|DATE:l \t\h\e jS \of F, Y|*

which every day generates a clean date that looks like:

Tuesday the 16th of June, 2015

Back on point: After setting up SPF and DKIM authentication with Mailchimp everything seemed smooth with one major catch: all the images were broken.  Mobile devices were fine.  Viewing the email in a browsers (IE & Chrome) were fine.  It was Outlook.

After searching and searching, I actually misread this post from Slipstick under “Encrypted page setting”.  A few minutes later I stumbled across this Microsoft KB article 30333864.  This immediately solved the issue after restarting Outlook.

Uncheck “Do not save encrypted pages to disk” and hit “Apply” and “OK”.

outlookredxfix

Ironically the MSDN blog has some caution on why NOT to enable this option.  We had enabled this option long ago via GPO due to HIPAA compliant web-based applications.  Now with Bitlocker and other supporting security, this is a risk-reward compromise.


Dell E6410 Refurb & Odd Hard Drive “Power On Hours”

At my prior employer we had thousands of Dell D630 (my favorite) and E6410 notebooks or, as I like to still call them, laptops.  A side thought: a quick search turned up this post on why the term “laptop” has been phased out and an ironic example of Apple’s marketing from back in 2006 (Apple: “don’t put our laptops on your lap”) when “laptops” were transitioning to “notebooks” or “portable computers”.

The Dell D630 and E6410 laptops were bulletproof.  After the E6410, HP ProBooks were issued and, in my narrow sample size, did not live up to the same ruggedness.  Fast forward to my current leadership role where we have chosen to purchase E6410 refurbished laptops from Newegg.  Before jumping to conclusions, recognize our requirements: rugged, TPM equipped for Bitlocker, reliable, readily available parts, reasonable docking stations, and decent battery life.  Notice I did not mention “super-fast-ultra-high-performance”.  Most users, consistent with our users, have performance as a secondary requirement.  With over 100 refurbished E6410 laptops deployed, I can say confidently we were stewards of our financial resources easily saving ~$30,000 in new, current generation Latitude/ProBooks.  For those users needing more performance, we simply doubled the RAM to 8GB and swapped in an SSD.  The first generation i5 are fast enough.

Back to the original point of this post: artificial power-on time.  After having success with the E6410 refurbs, I purchased one for family.  After installing a clean copy of Windows 7, I quickly checked the hard drive S.M.A.R.T data.  This is what I found:

e6410 refurb power on hours

295,016 hours!
Or roughly 12292 days; almost 34 years.

My immediate thought was maybe the company that does the refurbishment somehow alters the S.M.A.R.T. data.  Well, a little digging, and I turn up this excellent FAQ courtesy of the open source project Smartmontools.

It turns out the S.M.A.R.T. data is rather vendor specific.  Instead of working with the command line and Smartmontools, I downloaded GSmartControl, a UI front-end for Smartmontools, and I got this updated screenshot:

e6410 refurb power on hours minutes

19836 hours + 43 minutes (hex 1227bb converts to 1189819 minutes, divided by 60).  This is a much more plausible number.  Not sure where Crystal Disk got its number.

~2.26 years.  I was surprised at the few “Power Cycle Count” at  309 times.  The average power up had the drive powered for ~64 hours (19836/309).  I was also interested in the high “Load / Unload Cycle” number: 504,004 is high, very high.

The S.M.A.R.T. Wikipedia page sheds light on this metric:

Count of load/unload cycles into head landing zone position.[28]  
Western Digital rates their VelociRaptor drives for 600,000 load/unload cycles,[29] and WD Green drives for 300,000 cycles;[30] the latter ones are designed to unload heads often to conserve power. On the other hand, the WD3000GLFS (a desktop drive) is specified for only 50,000 load/unload cycles.[31]

In other words, if 504,004 is the real “Load / Unload Cycle” number, this hard drive has seen its share of wear-and-tear.

For now, the hard drive seems to be working fine.  One last thing: check out the Smartmontools for Windows Package by Ozy de Jong. It can easily install Smartmontools as a Windows Service and has out-of-the-box email and local warning messages in the event S.M.A.R.T. data detects a problem or failure.  In this case, this E6410 is not important enough to warrant self-monitoring via email, but it is worth it for anything critical or any remote system (e.g. a BlueIris video security recorder that is very hard drive intensive at a remote location).
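An added example, not from the post: the “vendor specific” decoding of attribute 9 in shell. The raw counter may count hours, minutes, half-minutes or seconds (the same units smartctl accepts with -v 9,minutes, -v 9,halfminutes and -v 9,seconds). The functions below decode a raw value, pull it out of a constructed “smartctl -A” listing (not real output from the post’s drive; the raw column is the post’s hex 0x1227bb written in decimal, as smartctl prints it by default) and flag an implausible figure. Decoding 0x1227bb as minutes gives 19830h 19m.

```shell
#!/bin/sh
# SMART attribute 9 (Power_On_Hours) raw value decoder. POSIX sh; $(( )) is
# used for hex, which dash, bash and BusyBox ash all accept with a 0x prefix.

# decode_poh RAW UNIT -> prints "<hours>h <minutes>m".
# RAW is decimal (1189819) or hex (0x1227bb); UNIT is one of
# hours | minutes | halfminutes | seconds (matching smartctl's -v 9,<unit>).
decode_poh() {
    raw=$(( $1 ))
    case "$2" in
        hours)       total_min=$(( raw * 60 )) ;;
        minutes)     total_min=$raw ;;
        halfminutes) total_min=$(( raw / 2 )) ;;
        seconds)     total_min=$(( raw / 60 )) ;;
        *) echo "decode_poh: unknown unit '$2' (hours|minutes|halfminutes|seconds)" >&2; return 2 ;;
    esac
    echo "$(( total_min / 60 ))h $(( total_min % 60 ))m"
}

# poh_plausible RAW UNIT [MAX_YEARS] -> 0 if the decoded hours are under
# MAX_YEARS (default 15) of continuous operation, 1 otherwise. 295,016 hours
# (34 years) is the kind of figure that means the unit is wrong for this vendor.
poh_plausible() {
    max_h=$(( ${3:-15} * 24 * 365 ))
    h=$(decode_poh "$1" "$2" | sed 's/h .*//')
    [ "$h" -lt "$max_h" ]
}

# poh_from_smartctl UNIT  < smartctl -A output
# Extracts the RAW_VALUE column of attribute 9 and decodes it with UNIT.
poh_from_smartctl() {
    raw=$(awk '$1 == 9 && $2 == "Power_On_Hours" { print $10; exit }')
    [ -n "$raw" ] || { echo "attribute 9 not found in input" >&2; return 1; }
    decode_poh "$raw" "$1"
}

# Constructed sample of `smartctl -A /dev/sdX` output (not from a real drive):
# the raw value of attribute 9 is 0x1227bb = 1189819.
sample_smartctl() {
cat <<'EOF'
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   100   100   050    Pre-fail  Always       -       0
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       1189819
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       309
EOF
}

# Stand-alone use: ./poh.sh RAW UNIT   (e.g. ./poh.sh 0x1227bb minutes)
if [ $# -ge 2 ]; then
    decode_poh "$1" "$2"
fi
```

With a live drive: `smartctl -A /dev/sda | poh_from_smartctl minutes`; try each unit and keep the one whose result fits the drive’s age, then make it permanent with the matching `-v 9,<unit>` in smartd.conf.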


easy2boot & WSUS Offline; a must-have USB stick for Technology professionals

I was in a difficult position.  I had an older family member drive a decent distance to get their PC fixed on-the-spot.  Long story short, they use their PC to upload insulin results and without these uploads, they have mandatory visits to the endocrinologist.

After determining the motherboard was the culprit (swapping RAM, PSU, CPU) I swapped their hard drive to another system.  Yes, I know a clean install would have been the preferred method.  However this is the “real world” and I decided to swap the hard drive rather than struggling to get Java 1.6 working (required for the insulin pump uploads; yes, I know it’s terrible; thank healthcare vendors), some audio recording software, and a user who needs the same icons, workflows, printer, and Quattro Pro.

Enough introduction.  The old system was a Dell Dimension 3100 Windows 7 x86 PC running in AHCI mode.  I anticipated boot issues related to different storage controller(s) after the swap.  Typically when I am planning to move from one motherboard to another, I will run “sysprep /generalize” before moving.  This “preps” Windows for the move and usually gracefully handles new hardware/HAL/storage controller(s).

In this example, I could not boot the original system, so this brings me back to the title of this post: easy2boot.  In short, easy2boot is by far the best USB drive creation tool/utility out there.  I needed to run the HDC_fix, which attempts to detect the new storage controllers and injects the appropriate drivers into an offline system.  The HDC_fix is found on many Windows PE boot .ISOs; e.g. UBCD4Win, Hiren.  In this case I used UBCD4Win.  My typical bootable USB sticks were not working (the new Acer motherboard seemed to have major issues booting USB devices) and my older boot CDs were either too old or the optical drive was unable to read the burned media.

In frustration, here were the steps that saved the day:

Step 1: Read the easy2boot “Introduction” page.

Step 2: Go to the Download page and get the “Download E2B+DPMS” version (v1.69 at the time of posting).  Extract the .zip.  I inserted a blank 32GB USB drive.  Run the “Make_E2B_USB_Drive.cmd” script to make the 32GB drive bootable with easy2boot.  I chose to format the drive as NTFS so it can handle files >4GB without any major drawbacks.

Step 3: Download the UBCD4Win ISO.

Step 4: Copy the UBCD4Win .ISO file to \_ISO\MAINMENU\ on the newly formatted, bootable 32GB USB drive.  E.g. E:\_ISO\MAINMENU\.

Step 5: Enjoy.  The new Acer system booted easy2boot without issue and the easy2boot menu auto-populated the UBCD4Win .ISO.  I ran the HDC_fix on the D:\ drive (the actual physical disk). When booting Windows off a USB drive, C:\ is typically the “RAM Disk” or virtual drive, not the actual physical disk/hard drive, which will typically be mounted under another drive letter; e.g. D:\ or E:\.  It should be obvious because it will be the correct size and hopefully have an informative partition label.  Upon reboot, Windows 7 was happily booting.  A few minutes later, with new drivers installed, my relatives were on their way.

Now, the post could end here, but this is where easy2boot really shines.  It can boot Windows installer .ISOs.  It can even boot UEFI Windows installers; e.g. Windows 8.1 and Server 2012 R2.

So I went to town and copied Windows 7 SP1 x86, x64 and Windows 8.1 x64, and Server 2012 R2 x64, and Windows XP SP3 (for nostalgia) to their respective folders; i.e. \_ISO\WINDOWS\XXX.  I also went back to the easy2boot Download page and got the “MPI Tool Pack (MakePartImage)” (“MPI Tool Pack + Clover Lite v0.048 2015-04-16” at the time of posting).  After extracting the .zip, I ran \ImDisk\imdiskinst.exe to install the virtual disk driver.  Then I easily drag-n-dropped the Windows 8.1 .ISO onto the “MakePartImage_AutoRun_FAT32.cmd” batch file and used all the defaults to generate a .imgPTN for Windows 8.1.  I placed this new .imgPTN in \_ISO\MAINMENU\ (not the \_ISO\WINDOWS\XXX folders) and I was able to UEFI boot to install Windows 8.1.  Very impressive.

Kudos to rmprep (SteveSi) for developing easy2boot.  You earned my donation to support your project.

Lastly, to make my 32GB USB drive even more useful (and since it is NTFS I can put anything else I want on it), I added WSUS Offline.

WSUS Offline is another wonderful project that I have been using and supporting for years.  Download WSUS Offline (v9.6 at the time of posting), extract it to your USB drive, and run “\wsusoffline\UpdateGenerator.exe”.  Pick which versions of Windows you want updates for, in my case “w61”, “w61-x64” and “w63-x64” (none of my Windows 8.1/2012 R2 installs are x86), and hit “Start”.

Wait for the updates to download.  Depending on your connection speed, it will take some time.  Once complete, you now have a USB drive where you can install Windows 7/8.1/2012R2/X and run Windows Updates all from one USB drive.  To run the WSUS Offline updates, go to “\wsusoffline\client\UpdateInstaller.exe” and hit “Start”.  I usually set it to “Automatic reboot and recall”.  It automatically brings a system current on Windows Updates.

Lastly I added a few other root directories on the 32GB USB drive for DRIVERS and UTILITIES.

So to recap, I have a 32GB USB stick that 1) can install different flavors of Windows in BIOS or UEFI modes, 2) can easily and efficiently patch the new Windows install using WSUS Offline, and 3) contains drivers and utilities to get the system online and set up.  Enjoy.


Remove & disable the “Get Windows 10” icon shown in the notification area (tray)

10/27 UPDATE: Microsoft continues to push Windows 7/8.x updates nagging and deceptively trying to upgrade them to Windows 10. A good overview here from ZDNet.

The best solution is now a utility called GWX Control Panel, which combines the registry changes, the removal of the hidden Windows 10 install files, and the ability to restore the update, all in one simple-to-use program. Download it here directly from the developer; confirm the MD5/SHA-1 checksums to verify the download. See here, thanks to Raymond, for why and how to use MD5/SHA-1 checksums.

8/1 UPDATE: Now that Windows 10 is out, the best method is to disable ‘Get Windows 10’ using a registry update.

You must be logged in as an administrator to be able to do this option.

This option will show you how to enable or disable showing the Get Windows 10 icon in the taskbar notification area for all users on the PC.

This way the Get Windows 10 app is not removed from the PC when disabled, and you will be able to enable it again whenever you like in the future.

The .reg files below add or change a DWORD value in the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GWX

DisableGWX (DWORD)
0 or deleted = enable tray icon
1 = disable tray icon

Steps to disable GWX  (Get Windows 10).

  1. Download the registry file here: Disable_Get_Windows_10
  2. Extract the .zip file to a reasonable location (e.g. your Desktop)
  3. Double click/tap on the “Disable_Get_Windows_10.reg” file to merge it (you can use the “Enable_Get_Windows_10.reg” to re-enable GWX if you want to undo disabling it).
  4. If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
  5. Restart the computer to apply.

Original post based on this superuser.com post

Thank you Optmet.  I packaged his scripts into a .zip file and I modified the .bat file to automatically elevate (run as Administrator).
Windows10BlockerHider.zip

Save, extract, and launch the “BlockWindows10.bat”.  Hit “Yes” to allow the script to run as an Administrator.

Per the batch file as of 2015-06-02, the script removes the following KBs that are not specifically for a Windows 10 upgrade:

  • KB2952664 – Compatibility update for upgrading Windows 7
  • KB2990214 – Update that enables you to upgrade from Windows 7 to a later version of Windows
  • KB3022345 – Update to enable the Diagnostics Tracking Service in Windows
  • KB3035583 – Update enables additional capabilities for Windows Update notifications in Windows 8.1 and Windows 7 SP1

It also hides the above KBs from reinstalling through Windows Update.
If you want to uninstall/undo the Windows 10 blocker script, Google “Restore and install hidden updates” or use a tutorial such as this one to restore (unhide) the KBs listed above.
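Added here as an example (not the post’s .reg files or BlockWindows10.bat): the same changes from an elevated PowerShell prompt, covering both the DisableGWX registry value described above and the four KBs listed above, which are uninstalled and then hidden from Windows Update through the standard Microsoft.Update.Session COM API.

```powershell
# 1. Policy value the .reg files above write; 1 hides the tray icon, 0 re-enables it
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\GWX'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'DisableGWX' -Value 1 -Type DWord

# 2. The four updates the blocker script removes (from the post's list)
$kbs = @('2952664', '2990214', '3022345', '3035583')

foreach ($kb in $kbs) {
    # Skip KBs that are not installed; wusa would otherwise report an error
    if (Get-HotFix -Id "KB$kb" -ErrorAction SilentlyContinue) {
        Write-Host "Uninstalling KB$kb"
        Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait
    }
}

# 3. Hide them in Windows Update so they are not offered again
#    (same effect as right-click > "Hide update" in the Windows Update UI)
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0')
foreach ($update in $pending.Updates) {
    foreach ($id in $update.KBArticleIDs) {
        if ($kbs -contains $id) {
            Write-Host "Hiding KB$id ($($update.Title))"
            $update.IsHidden = $true
        }
    }
}
Write-Host 'Done. Reboot to finish removing the updates.'
```

Updates you have just uninstalled may only show up in the search again after the reboot, so re-run the hide step afterwards if any of them reappear.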

TL-WR841N v9 DD-WRT to OEM Factory Firmware to Gargoyle

This post is to revert from DD-WRT back to OEM firmware and then to Gargoyle.

As a long-time user and sporadic contributor to the open-source router communities, here is a quick post on converting a TL-WR841N v9 from DD-WRT back to factory TP-Link firmware and then flashing the latest Gargoyle build.

Most of the steps come courtesy of this OpenWRT forum post (FYI – Gargoyle is based on OpenWRT).

Step 1: You must first know your hardware version, as described here by TP-Link or here in the OpenWRT wiki.  In this example, I am running v9 (same as v9.2).  Only do the following steps via Ethernet; not wireless.

Step 2: Download “stripped” TP-Link firmware here.  Stripped firmware removes the bootloader allowing the factory firmware to fit in place of DD-WRT (in this example).  Please pay careful attention to download the proper build for your version of the router (v5 vs v9, etc).  Extract the zip file after downloading.

Step 3: Get a copy of WinSCP and Putty.  I prefer portable versions.  You can also use telnet in place of Putty.

Step 4: Log in to DD-WRT and, under the “Services” tab, enable both telnet and SSH.  Save settings and reboot the router.

Step 5: Open WinSCP and use the following settings:
Host name (assuming default): 192.168.1.1
Port: 22
File Protocol: SCP
Username: root
Password: <your DD-WRT password>

Step 6: Copy the stripped firmware.
On the right side, browse to /tmp/
Drag-n-drop from left to right the extracted firmware image.  In this example it was “TL-WR841ND-V9-FW0.0.3-stripped.bin”.  It should show up in the /tmp/root folder.  Rename “TL-WR841ND-V9-FW0.0.3-stripped.bin” to “1.bin” to make life easier.

Step 7: Login with Putty or Telnet using the same host and credentials as above.

Step 8: Flash the stripped firmware.  Type the following commands:
cd /tmp/root
Confirm the file was uploaded correctly by running:
ls
and hitting “Enter”. Confirm that 1.bin is listed in the directory.
Next run:
mtd -e linux -r write 1.bin linux
(use whatever name you copied/renamed the file to in Step 6).

Wait and be patient as the new firmware is flashed.  It should take ~3 minutes and I was able to see the progress via Putty/telnet.  Once the flashing is complete the Putty/telnet session should close and the router should reboot.

Step 9: Disable/re-enable your network adapter to get a new IP from the TP-Link firmware.  v9 had a default IP of 192.168.0.1.

Step 10: Flash Gargoyle firmware from the TP-Link firmware.  In the TP-Link firmware, go to “System Tools” on the right side and “Firmware”.  Then browse to the proper Gargoyle firmware.  In this case it was the current Gargoyle factory build for v9: “gargoyle_1.7.1-ar71xx-generic-tl-wr841n-v9-squashfs-factory.bin”.  Hit “Upgrade”.  Wait and again be patient for ~3 minutes while Gargoyle flashes.

Step 11: Enjoy!  Disable/re-enable your network adapter to get a new IP from the Gargoyle firmware which should be 192.168.1.1.  Remember: Gargoyle does not by default turn on wireless; you have to login to enable the wireless radio.

Seafile HTTPS Install on Windows Server 2012 R2; Step-by-Step

A step-by-step tutorial on getting a functional Seafile Windows Server that does HTTP/HTTPS syncing (port 443 only) running on Windows Server 2012 R2 with IIS 8.5 and Seafile Windows Server 4.0.6.

I cannot provide screenshots for every step. I am only documenting what I did, what issues I encountered, and what my final configuration was.  These steps were based off of this post by Jeffrey Tay.

Step 1: Install Seafile Server for Windows. Specifically “Download and Setup Seafile Windows Server“.

Step 2: Install IIS. Courtesy of Jack Stromberg and this post, which covers the install in brief. Make sure you can access the IIS default page at http://localhost/ to confirm IIS is running correctly.

Step 3: Install Application Request Routing (ARR) 3.0. Another post by Jack Stromberg covers the install. Download ARR 3.0 and follow steps 1-5 from Jack’s post under “Installing IIS Application Request Routing (ARR) 3”.

Step 4: (Optional) Generate and install your SSL certificate. I hesitate to make this optional, but please go get an SSL certificate. Self-signed certificates were problematic for me with Seafile and the hassle was not worth it.  Kudos to my hosting provider, EZPZ Hosting, who offers free, basic SSL certificates; GoDaddy, NameCheap, or Comodo all work for a basic SSL certificate as well.

I’ll refer you to GoDaddy, which has a simple write-up for generating the CSR and importing the certificate back into IIS. On the right side of the IIS Manager is where you launch the wizard to get the process started.

Step 3: Create your Seafile site. Create an empty directory for the “Physical path:” and select the “SSL certificate” that you created and imported in the prior step.  Note: the screenshot shows “Not selected”. This is where you select your imported certificate.

Step 5: Create a web.config file in the “Physical path:”. Note: other examples on the internet did not properly add appendQueryString=”true” for both Seafile rules. The web.config first checks whether HTTPS is being used and, if not, redirects to HTTPS; then it checks whether the request is under the “seafhttp/” subdirectory and reverse proxies it to http://127.0.0.1:8082; lastly, it reverse proxies everything else to http://127.0.0.1:8000.

Download the following web.config file (which has clean indenting) or, using Notepad, copy and paste the following into a new web.config file (Warning: make sure Notepad did not append .txt upon saving):

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="" overrideMode="Deny">
  </location>
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
    <rewrite>
      <rules>
        <clear />
        <rule name="Redirect to HTTPS" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{HTTPS}" pattern="^OFF$" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
        <rule name="seafilehttp" stopProcessing="true">
          <match url="seafhttp/(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://127.0.0.1:8082/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
        </rule>
        <rule name="seafile" enabled="true" stopProcessing="true">
          <match url="(.*)" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
          <action type="Rewrite" url="http://localhost:8000/{R:1}" appendQueryString="true" logRewrittenUrl="true" />
        </rule>
      </rules>
      <outboundRules>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <httpErrors errorMode="DetailedLocalOnly" />
  </system.webServer>
</configuration>

Step 6: Check “Enable Proxy” under ARR 3.0.  Refer to steps 1-6 courtesy of this article from Microsoft.

Step 7: Enable 2GB large uploads (30MB is the default) in IIS. Open an elevated (Administrator) command prompt and run:

c:\windows\system32\inetsrv\appcmd set config -section:requestFiltering -requestLimits.maxAllowedContentLength:2000000000

See Option 2 from this IPSWITCH knowledge base article.

Step 8: Make sure your Seafile config files are properly set.

In “seahub_settings.py” change the following, and make sure you do not have a trailing “/” after seafhttp:

FILE_SERVER_ROOT = 'https://<your-domain-name>/seafhttp'

In “ccnet.conf” change the following (I have a trailing “/”):

SERVICE_URL = https://<your-domain-name>

Step 7: Restart IIS, Seafile, and go test your new, secured, HTTP-sync-enabled Seafile server.

An easy way to test the IIS rewrite rules for seafhttp is trying the following two URLs; adding or removing the trailing “/”. I came across these debugging URLs from a Seafile support forum thread. It identified an error in my web.config that I posted above that was missing the trailing “seafhttp/”.

http://<your-domain-name>/seafhttp

should return “Sorry, but the requested page could not be found.” with the typical Seafile login UI header and footer.

http://<your-domain-name>/seafhttp/protocol-version

should return {“version”: 1} as text-only with no images.
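Added here as an example (not from the post): a PowerShell smoke test for the web.config above that checks the three behaviours just described: plain HTTP is answered with a 301 to HTTPS, /seafhttp/protocol-version reaches the file server on port 8082 and returns {"version": 1}, and /seafhttp with no trailing path falls through to Seahub on port 8000. $domain is a placeholder for your own host name.

```powershell
$domain = 'seafile.example.com'   # placeholder: replace with your Seafile host

function Get-RawResponse([string]$Url) {
    # Fetch one URL without following redirects so the 301 itself is visible.
    # .NET throws on 4xx/5xx, but the response is still attached to the exception.
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    try   { $resp = $req.GetResponse() }
    catch [System.Net.WebException] { $resp = $_.Exception.Response }
    if ($null -eq $resp) { throw "No HTTP response from $Url" }
    $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
    # Read everything before closing: properties are unavailable after Close()
    $result = [pscustomobject]@{
        Status   = [int]$resp.StatusCode
        Location = $resp.Headers['Location']
        Body     = $reader.ReadToEnd()
    }
    $reader.Close(); $resp.Close()
    return $result
}

# 1. "Redirect to HTTPS" rule: plain HTTP gets a 301 to the same path on HTTPS
$r = Get-RawResponse "http://$domain/seafhttp/protocol-version"
if ($r.Status -eq 301 -and $r.Location -eq "https://$domain/seafhttp/protocol-version") {
    Write-Host 'HTTPS redirect rule OK'
} else {
    Write-Warning "HTTPS redirect rule failed: HTTP $($r.Status) -> $($r.Location)"
}

# 2. "seafilehttp" rule: proxied to the file server, which answers {"version": 1}
$r = Get-RawResponse "https://$domain/seafhttp/protocol-version"
if ($r.Status -eq 200 -and ($r.Body | ConvertFrom-Json).version -eq 1) {
    Write-Host 'seafhttp reverse proxy OK'
} else {
    Write-Warning "seafhttp rule failed: HTTP $($r.Status): $($r.Body)"
}

# 3. "seafile" rule: /seafhttp without a trailing path does not match
#    seafhttp/(.*), so it reaches Seahub, which renders its not-found page
$r = Get-RawResponse "https://$domain/seafhttp"
if ($r.Body -match 'requested page could not be found') {
    Write-Host 'Seahub catch-all rule OK'
} else {
    Write-Warning "Seahub catch-all rule failed: HTTP $($r.Status)"
}
```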

Before trying HTTPS, make sure you can get HTTP working.  Once trying HTTPS, make sure your 2012 R2 machine has the correct time.  It must be accurate for HTTPS.  Use NTP.

Here are a few supporting URLs that may be helpful in debugging HTTPS syncing:
Can’t download any file over mobile device
Seafile Protocol: Are ports 8082, 10001 and 12001 safe and/or necessary?
upgraded to new client (4.2.0) bad response 404 for protocol version
Problems using Seahub on non-root domain
Client always tries /seafhttp/protocol-version
Lighttpd rewrite issue (v1.4)

Enforcing HTTPS & WWW prefix with Apache .htaccess redirects using cPanel

First post is simple.  I wanted a simple way to enforce both HTTPS (TLS/SSL) and the WWW prefix while gracefully handling whatever the user enters.

I am not going to get into the age-old debate.  Every domain admin must make the choice.  Given the combination of sub-domain DNS round-robin, cookies, and the fact that every non-technical user expects WWW, I chose to redirect to the WWW prefix.  The wrinkle was I also wanted to enforce HTTPS.  After searching for a few minutes I cobbled together a working and flexible solution which does not hard-code the domain name.  Kudos to this stackoverflow thread which did most of the heavy lifting.

RewriteOptions inherit
RewriteEngine On

#First rewrite any request to the correct one (i.e. adding "www." if it does not exist)
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

#After checking and adding "www." if necessary, then rewrite to HTTPS:
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

For those new to .htaccess configuration files (and since I am using cPanel) here is a simple article to get you started and how to apply the above config.
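Added here as an example (not part of the post): after uploading the .htaccess above, this PowerShell check confirms that every way a visitor might type the address ends on https://www.<domain>/ with the query string intact. $domain is a placeholder. The www-but-plain-HTTP case is the only one handled solely by the second rule, so it also shows whether your host actually passes X-Forwarded-Proto through to Apache.

```powershell
$domain = 'example.com'   # placeholder: replace with your own domain

function Get-FinalUri([string]$StartUrl) {
    # Let .NET follow the 301 chain and report the URL it finally settled on
    $req = [System.Net.HttpWebRequest]::Create($StartUrl)
    $req.AllowAutoRedirect = $true
    try {
        $resp = $req.GetResponse()
        $uri  = $resp.ResponseUri      # read before Close(), which disposes the response
        $resp.Close()
        return $uri
    } catch [System.Net.WebException] {
        return $null                   # 4xx/5xx at the end of the chain
    }
}

$expected = "https://www.$domain/?x=1"   # the query string must survive the redirect
$starts = @(
    "http://$domain/?x=1",       # first rule: adds www and https in one hop
    "http://www.$domain/?x=1",   # second rule only: needs X-Forwarded-Proto = http
    "https://$domain/?x=1",      # first rule: adds www
    "https://www.$domain/?x=1"   # already canonical: no redirect expected
)
foreach ($start in $starts) {
    $final = Get-FinalUri $start
    if ($null -ne $final -and $final.AbsoluteUri -eq $expected) {
        Write-Host "OK    $start -> $($final.AbsoluteUri)"
    } else {
        Write-Warning "FAIL  $start -> $final"
    }
}
```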

Speaking of cPanel/WHM and HTTPS, an honest referral to EZPZ Hosting.  Dan and his team have been superb since I became a customer back in 2010.  Their reseller accounts include unlimited free, basic SSL certificates.
