Friday, December 11, 2009



Configuring the VNC server/viewer in Linux.




Overview of VNC


VNC, or Virtual Network Computing, is a way of controlling a remote computer just as though you were sitting in front of it. In the Windows world it
is also known as remote desktop, but it's normally referred to as VNC in the Linux world. You connect using a VNC client to a
remote computer running the VNC server; an image of the remote desktop is then transmitted to your local computer, and you can see and control the desktop
just as though you were there, since all keyboard and mouse commands are sent from your client machine to the server.



Gnome Remote Desktop


If you are running the Gnome desktop on Fedora Core then you already have a VNC server built in. Click on the Fedora icon > Desktop > Preferences >
Remote Desktop to open the dialog shown.


Gnome remote desktop


The screen is pretty self-explanatory: when set up this way, another computer can connect to your computer using the command listed on
the dialog. There are a few important things to note. You must open port 5900 on the server for this to work, since by default the Gnome Remote
Desktop (called vino) listens on this port. Also, the person connecting will see the same session that you are currently logged in to, which means that
any programs you have open will also be visible to the client. Of course, this is very useful if you are helping someone remotely.


A more flexible way to use VNC is to install the VNC server and client software via yum; these are RPMs based on
RealVNC.



vncserver and vncviewer


Check what's installed


First check whether you already have them installed on your system. Open a terminal and type:



$ rpm -qa|grep vnc
vnc-server-4.1.1-36
vnc-4.1.1-36

If you get output something like this then you're all set; if not, you need to install them via yum.


Add a user(s)


Next we need to add at least one VNC user. Open the file /etc/sysconfig/vncservers as root and add the information shown:


$ vi /etc/sysconfig/vncservers

# The VNCSERVERS variable is a list of display:user pairs.
#
# Uncomment the lines below to start a VNC server on display :2
# as my 'myusername' (adjust this to your own). You will also
# need to set a VNC password; run 'man vncpasswd' to see how
# to do that.
#
# DO NOT RUN THIS SERVICE if your local area network is
# untrusted! For a secure way of using VNC, see
# <URL:http://www.uk.research.att.com/archive/vnc/sshvnc.html>.

# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP.

# Use "-nohttpd" to prevent web-based VNC clients connecting.

# Use "-localhost" to prevent remote VNC clients connecting except when
# doing so through a secure tunnel. See the "-via" option in the
# `man vncviewer' manual page.

VNCSERVERS="1:bobpeers"
VNCSERVERARGS[1]="-geometry 1024x768 -depth 16"

The important part is VNCSERVERS="1:bobpeers", which sets up a user for the VNC server; you can add as many as you like here. The VNCSERVERARGS[1]
line refers to the arguments for user 1, in this case the only user. Geometry sets the screen size and depth sets the colour depth. You can adjust these to
suit your preferences, but in my case the client machine has a resolution of 1024x768, and depth 16 makes the connection a bit faster, since the less
information that needs to be sent, the more responsive the session will feel.


Knowing which port to use


It's also important to note the session number used, as this tells us which port vncserver will listen on. Remember that the Gnome Remote Desktop
asked us to use computername:0 as the connection string; the number needs to be added to 5900 to get the listening port. In this case we need to use
port 5901 since we are using session 1. In the same way we could use any number, for example:



VNCSERVERS="2000:bobpeers"
VNCSERVERARGS[2000]="-geometry 1024x768 -depth 16"

In this case we need to use port 5900+2000 so port 7900.


Setting a password


To add some security we need to set a password that must be given before a connection can be established. Open a terminal and type:


$ vncpasswd
Password:
Verify:

This creates a hidden folder called .vnc in your home folder containing the password file.


Starting the server and startup options


To start the server we type the command 'vncserver' and the session you wish to start (if you have set up more than 1 entry in the
/etc/sysconfig/vncservers file):


$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log

[ OK ]


Now the server is started and a user could connect. However, they will get a plain grey desktop, as the connection will not cause a new
session of X to start by default. To fix this we need to edit the startup script in the .vnc folder in your home directory.


$ vi ~/.vnc/xstartup

#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
exec /etc/X11/xinit/xinitrc

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
twm &

As the file says, make sure the two lines at the top are uncommented by removing the leading # sign. Next we need to restart vncserver to pick up
the changes we just made. To restart the vncserver we need to kill the process and start a new one as root:


$ vncserver -kill :1
Killing Xvnc process ID 13728


$ vncserver :1
Starting VNC server: 1:bobpeers
New 'linux.bobpeers:1 (bobpeers)' desktop is linux.bobpeers:1

Starting applications specified in /home/bobuser/.vnc/xstartup
Log file is /home/bobuser/.vnc/linux.bobpeers:1.log

[ OK ]

Using vncviewer


To start the viewer type:


$ vncviewer localhost:5901

This opens a dialog as shown for us to enter the password we set earlier. Enter the password and you should now see a copy of your desktop. Note
that unlike the Gnome Remote Desktop this has started a new session of X, so any applications open on the host machine are not visible to the new
session; it's basically a whole new logon running at the same time.


If you just type 'vncviewer' at the prompt then you will be asked for the host to connect to; you can then type localhost:5901, for example.
Remember to use the correct port number when connecting: if you set your VNCSERVERS to be 2000:myname then you would need to connect on localhost:7900.


VNCVIEWER logon


Stopping the vncserver


There are two ways to stop the server, either as root:



$ /sbin/service vncserver stop
Shutting down VNC server: 1:bobpeers [ OK ]

or you can explicitly kill a particular session without being root:


$ vncserver -kill :1
Killing Xvnc process ID 13728

Just replace the 1 with the vnc session you wish to stop.


Allowing remote connections


So far we have only connected to our own computer using localhost, so we have not needed to open any ports in the firewall. However, if we want to
allow remote connections we will have to do the following. This can be done either from the command line or using system-config-security if you have
it installed.


Using system-config-security to open ports.


First we'll look into the GUI system-config-security. Go to the Fedora start menu > Desktop > Administration >
Security Level and Firewall, then type your root password when prompted to see this:


system-config-security



Click on other ports at the bottom and enter the port you wish to open, 5901 in my case, select tcp, then click OK and OK again to save your
settings. That's all there is to it, but remember to close the port again when you are finished.


Select the port to open


Editing the iptables manually to open ports.


To do the same from the command line, add the line in bold (the rule that accepts new TCP connections to port 5901) to the file /etc/sysconfig/iptables while logged in as root:


# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Finally we need to restart the iptables service to reload the changes.


$ sudo /sbin/service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

Connecting from the remote machine.



Now from the remote client computer start up vncviewer but this time use the IP address of the host computer followed by the port number. So on my
home network this might be:


$ vncviewer 192.168.1.105:5901

You should see a copy of the host's desktop. If things seem a bit slow you can try adjusting the colour depth or screen resolution on the vncserver
to see if that helps.
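
The comments in /etc/sysconfig/vncservers warn against running the service on an untrusted network and name the -localhost option, while the firewall rule above accepts connections to 5901 from any source. The script below is an added example, not part of the original post: it reads a vncservers file and a saved iptables rules file as text and reports, for each display, the port (5900 plus the display number), whether the server binds beyond loopback, and whether the firewall opens that port to any source. The function names, the second user alice and the sample files are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example (not from the original post). The sample data is constructed.
# Both files are parsed as text and never sourced, so auditing does not run them.

# Print the value of KEY="value" in file $1 (key in $2); the last assignment wins.
conf_value() {
    key=$(printf '%s' "$2" | sed 's/\[/\\[/g')   # match "[" literally
    sed -n "s/^${key}=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# How a saved iptables rules file ($1) treats TCP port $2 (exact --dport only):
# closed, open-restricted (every ACCEPT has a source match) or open-any.
firewall_state() {
    rules=$(grep -E -- "-p tcp .*--dport $2 .*-j ACCEPT" "$1" || true)
    if [ -z "$rules" ]; then
        echo closed
    elif printf '%s\n' "$rules" | grep -Eqv -- ' (-s|--source) '; then
        echo open-any
    else
        echo open-restricted
    fi
}

# One line per display:user pair in vncservers file $1, checked against
# rules file $2. Output: display user port bind firewall verdict
audit_vnc() {
    for pair in $(conf_value "$1" VNCSERVERS); do
        display=${pair%%:*}
        user=${pair#*:}
        case $display in
            ''|*[!0-9]*) echo "skipping malformed entry '$pair'" >&2; continue ;;
        esac
        port=$((5900 + $display))            # the port rule from this page
        args=$(conf_value "$1" "VNCSERVERARGS[$display]")
        case " $args " in
            *" -localhost "*) bind=loopback-only ;;
            *)                bind=all-interfaces ;;
        esac
        fw=$(firewall_state "$2" "$port")
        if [ "$bind" = all-interfaces ] && [ "$fw" = open-any ]; then
            verdict=EXPOSED
        else
            verdict=ok
        fi
        echo "$display $user $port $bind $fw $verdict"
    done
}

# Constructed sample: display 1 as configured on this page, display 2 (for a
# hypothetical user alice) with the options the file's own comments describe.
write_samples() {
    cat > "$1" <<'EOF'
VNCSERVERS="1:bobpeers 2:alice"
VNCSERVERARGS[1]="-geometry 1024x768 -depth 16"
VNCSERVERARGS[2]="-geometry 1024x768 -depth 16 -localhost -nolisten tcp -nohttpd"
EOF
    cat > "$2" <<'EOF'
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp/vncservers" "$tmp/iptables"
audit_vnc "$tmp/vncservers" "$tmp/iptables"
rm -rf "$tmp"
```

A display reported as loopback-only is reached through a secure tunnel, for which the file's comments point to the -via option of vncviewer.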









Wednesday, November 11, 2009

Exchange / Outlook - Allow Automatic Forwarding/Replying to the Internet

Allow Automatic Forwarding/Replying to the Internet

As a secure default, Exchange doesn’t allow sending automatic forwards, replies and Out of Office Assistant messages to the Internet. The security benefit is that no mail loops can be created and that Exchange doesn’t reply to spam messages, which might lead to spam attacks. If you still want to disable this behavior after careful consideration, you can do so in the following way:

Exchange 2007:

  1. Open Exchange Management Console
  2. Expand Organization Configuration-> Hub Transport
  3. In the right pane select the Remote Domains tab
  4. Right click Default and choose Properties
  5. On the General tab you can set which type of Out of Office Messages you will allow
    On the tab named “Format of original message sent as attachment to journal report:” you can enable or disable the automatic replying/forwarding.

Exchange 2000/2003:

  1. Open Exchange System Manager
  2. Expand your site-> Global Settings-> Internet Message Format
  3. In the right pane right click Default and choose Properties-> tab Advanced
  4. Here you can enable or disable the automatic replying/forwarding

Exchange 5.5:

  1. Open Exchange 5.5 Administrator
  2. Expand your site-> Configuration-> Connections
  3. In the right pane right click Internet Mail Service and choose Properties-> tab Internet Mail Service-> button Advanced Options….
  4. Here you can enable or disable the automatic replying/forwarding
  5. Stop and restart the Internet Mail Service

Friday, September 25, 2009

Get the most out of your iPhone battery


A number of complaints regarding the iPhone 3GS' battery have surfaced on Apple's discussion board since the handset's June 19 launch. Given Apple's promises of a faster and longer lasting iPhone, it's understandable that 3GS users, particularly those who have made the jump from the previous models, have higher expectations.

Preliminary battery testing on our iPhone 3GS review model showed positive results, but we won't know the whole story until CNET Labs finishes its tests. Until that time, I can offer tips on making your iPhone battery last. They can be used individually or in combination to best suit your own needs. Some of these ideas are even recommended by Apple and some of them we've mentioned on iPhone Atlas before.

Reset iPhone
In addition to resolving signal strength problems, resetting an iPhone can fix a faulty battery indicator and end applications that are improperly consuming the battery. Hold down the home and sleep buttons simultaneously until you see the white Apple logo indicating that your iPhone has restarted.

Restore with original settings
You can restore your iPhone by launching iTunes and selecting the Restore option on your iPhone's Summary page. This process will erase your iPhone's software and data, including all settings. You can restore them later via iTunes.

Drain the battery completely
Instead of charging it midway through a battery drain, add more juice only after the battery dies completely. A full drain may reset circuitry that prevents a full charge from occurring, despite indication of a full charge.

Force quit applications
If an application quits unexpectedly and you begin to notice poor battery life, relaunch the application, then force quit it by following the directions in this post. This can eliminate problematic or hung processes that might be draining the battery.

Lock your iPhone
Make sure that your iPhone goes to sleep automatically when not in use. You always can press the Sleep/Wake button, but even better is the Auto-Lock feature in the General section of the Settings menu.

Auto lock screen

Applications
Apps that keep the display from dimming or shutting off and that prevent your iPhone from sleeping can reduce battery life. This is particularly true for apps that use location services and push notifications. You can turn off Location Services in Settings > General menu. You'll have to deactivate Push Notifications for each app individually, also in the Settings menu.

App Push Notification settings

Location Services toggle

Push notifications for e-mail
The iPhone 3G's Push functionality for Exchange and Mobile Me accounts also can destroy battery life. Turn this option off in Settings > Mail, Contacts, Calendars > Fetch New Data before restarting your iPhone. Messages sent to your push e-mail accounts will now appear on your phone based on the global Fetch setting (every 15 minutes, every 30 minutes, hourly, or manually) rather than as they arrive. The manual Fetch setting will preserve the most battery life.

Push and Fetch

Checking fewer e-mail accounts
Deleting e-mail accounts or turning them off can preserve battery life as well. You can remove an e-mail account in Settings > Mail, Contacts, Calendars, tap to choose an e-mail account, and tap Delete Account. To turn an account off but leave it on the phone, go to Settings > Mail, Contacts, Calendars, tap to choose an e-mail account, and set Account to Off.

Toggle e-mail account on/off


Delete e-mail account

Airplane mode
Even if you're not flying, use the airplane mode while listening to music, watching a video, working in your favorite productivity app, or whenever you don't want to be disturbed. Also, since constantly seeking a cellular connection drains the iPhone's battery, the airplane mode is useful if you're in an area with poor cellular coverage.

Airplane mode

Reset network settings
Restarting your phone will delete any stored Wi-Fi passwords, DNS settings, and more. And in some cases it also can resolve signal strength issues. Find it in Settings > General > Reset > Reset Network Settings.

Reset network settings

Turn off Wi-Fi and/or Bluetooth
Be sure to turn off these features when not in use. Go to Settings > Wi-Fi and set Wi-Fi to Off. Go to Settings > General > Bluetooth and set Bluetooth to Off.

Toggle Wi-Fi


Toggle Bluetooth

Turn off 3G
The iPhone's 3G radio consumes a lot of juice so turning it off will save power. Go to Settings > General > Network and toggle Enable 3G to Off. You'll be able to make and receive calls and access some data while 3G is off, though your iPhone will run on the slower EDGE or GPRS 2G network.

Enable/Disable 3G

Adjust brightness
Dimming the screen definitely can extend battery life. Go to Settings > Brightness and drag the slider left to lower brightness or right to increase brightness until you reach your desired settings. Turning off the Auto-Brightness settings also will help.

Brightness settings

Turn off the equalizer
Just like on the iPod, this feature can reduce battery life. Go to Settings > iPod > EQ and select Off. Yet, since EQ settings in iTunes migrate to the iPhone, you'll have to override those settings and set the iPhone to Flat. Go to Settings > iPod > EQ and select Flat.

iPod EQ settings

iPod EQ options

More help
If you're worried about your iPhone 3GS being defective, according to HardMac there is Apple's Procedure for Users Experiencing Short Battery Life with the iPhone 3G S. Also, if you're still experiencing severe battery problems after trying some of these tips, it might be time to take a trip to your local Apple Genius Bar.

Personal experience
So far, my personal experience has been that my iPhone 3GS lasts a bit longer than the iPhone 3G, particularly after I tuned the iPhone 3GS' features to meet my personal needs. Yet, it still doesn't last more than a day with heavy use, unlike other smartphones.

One typically intense day started at 100 percent battery capacity at 5:00 a.m. The battery then dipped to 80 percent at 9:30 a.m., 64 percent at 12:30 p.m., 39 percent at 3:30 p.m., and 25 percent at 6:30 p.m before showing the 20 percent battery warning at 8:30 p.m. With my iPhone 3G, I used to get that warning prior to 6:30 p.m. And after tweaking my iPhone 3GS using the tips below, the battery showed 49 percent capacity after 15 hours of heavy use. That's not bad for smartphone battery performance.

Are you experiencing problems with your iPhone battery? Got some tips to share that might help conserve battery life? What kind of activities do you do on your iPhone that deplete the battery faster? Let us know in the comments.

Thursday, September 3, 2009

How To Make Your Computer Faster

Are you wondering, "Why is my computer slow?" Do you need help figuring out how to speed up your computer? Computers are wonderful devices that allow us to do many things but things can get rough once the garbage that comes in through our internet connection begins to stop up our system. I have put together a step-by-step procedure for cleaning all of this out.

Follow the steps below and you will see a noticeable improvement in your system. If you're looking to really speed things up -- like make your computer twice as fast -- check out Computer Secrets Unleashed. Enjoy!

  1. Download Microsoft's Anti-Spyware program, Adaware, and Spybot Search and Destroy. Microsoft's program can be downloaded at Microsoft Windows Defender. Adaware can be downloaded at Lavasoft Downloads. Spybot can be downloaded at The Home of Spybot-S&D. All of these programs are free.
  2. Install Microsoft's anti-spyware program now, but not the other two.
  3. Run MSconfig. To do this, select Start>Run and type msconfig into the space. Select the Startup tab and get rid of all unnecessary programs. The way to determine this is to go to ProcessLibrary.com and check it against their database.
  4. Boot into Safe Mode. To do this, restart the computer and press F8 continuously. Select the Safe Mode option from the list and continue to desktop.
  6. Delete any spyware programs from your add/remove. To do this, select Start>Control Panel>Add or Remove Programs. Check all unknown programs against SpywareGuide.com.
  7. Locate the temp folder in your computer and delete everything in the folder. This is located, usually, in C:\Documents and Settings\Username\local settings.
  8. Still in Safe Mode, install Adaware and Spybot. Run Adaware, Microsoft's anti-spyware and Spybot. Update to the most recent definitions in each program and run them in full scan mode. Microsoft's program cannot be installed in Safe Mode. You have already installed it.
  9. Reboot into standard Windows mode.
  10. Download HijackThis. You can get this program here Merijn.org. Install and run it. Click Do A System Scan and Save A Logfile. HijackThis will analyze processes that are running on your computer and alert you when there are things running that should not be there. It will also let you know when there are programs running that are not malicious but can safely be gotten rid of because they are not needed.
  11. Post the logfile in the Automated Log Analyzer at HijackThis.
  12. After determining what's safe and isn't, check appropriate boxes and click Fix Checked.
  13. Run the Microsoft Anti-Malicious program, which you can download at the Microsoft Download Center. This program is designed by Microsoft to detect and remove programs whose sole purpose is harming your computer. The technical term for this type of program is a rootkit.
  14. Download and run BLBeta Expert. This can be downloaded at F-Secure Blacklight. Make sure to carefully review anything it detects before removing. BlBeta is another program that is designed to get rid of rootkits.
  15. For Internet Explorer, click Tools> Internet Options> Security Tab. Click on the Internet Globe icon and select Custom Level. Disable the following:

    a. Download Unsigned ActiveX Controls.

    b. Initialize And Script ActiveX Controls Not Marked As Safe.

    c. Active Scripting.

    d. Scripting Of Java Applets.

    Also click High Safety under Java Permissions.

    If this causes trouble viewing any favorite sites, click the Trusted Sites icon of the Security Tab and use the Sites button to add the URL's of sites that are exempt from these requirements. The purpose of these changes is to tighten the security of your system so that not so many malicious programs make it to your system.

  16. For Firefox, type about:config in the address bar. Right click in the window and click New and Integer. In the first box, type privacy.popups.disable_from_plugins. In the second box, type 2. This will prevent Flash popups in Firefox.
  17. Open Regedit by clicking Start>Run and type in regedit.
  18. Once Regedit is open, click the plus symbol next to the HKEY_CURRENT_USER folder, the plus symbol next to Control Panel, and then click the Desktop folder icon to display its contents. In the right pane, double-click MenuShowDelay to change its value. (This Registry location is referred to as HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\MENUSHOWDELAY.) The default Value Data is 400, or 4/10 of a second. Change the Value Data to 0 for the least delay, and click OK. This will make menus appear instantly on your computer instead of having a delay.
  19. Open HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\FILESYSTEM. Right-click Filesystem, select New, and DWORD Value. Rename NewValue#1 on the right-side pane to DisableNTFSLast-AccessUpdate. Double-click this new entry, change the Value Data field from 0 to 1, and then click OK. This disables the constant updating of the dates when a file or folder were last updated. This will speed up the system.
  20. Open HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER. Create a new DWORD Value called DesktopProcess, and set its Value Data to 1.
  21. Expand HKEY_CURRENT_USER, expand Control Panel, and click Desktop. Double-click the AutoEndTasks string and change the value to 1. This causes all of the components of the explorer to run in one process, making your computer faster.

    There is a caveat for some users here. Do not make this change if you are not running at least a Pentium processor and 16 MB of physical memory.

  22. Expand HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows, and expand CurrentVersion. Right-click Explorer, expand New, click Key, and name the new key AlwaysUnloadDLL. Click AlwaysUnloadDLL, double-click the Default string, and change the value to 1. Windows tries to keep some DLLs in memory when the program uses them. If a user has low memory, this can cause performance issues.
  23. Expand HKEY_CURRENT_USER, expand Control Panel, and click Desktop. Double-click the HungAppTimeout string and change the value to 1000. Now, double-click the WaitToKillAppTimeout string and change the value to 2000. This sets your system up to handle application hangups more efficiently. It will also optimize the amount of time the system takes to close a program when you try to end Windows.
  24. Expand HKEY_LOCAL_MACHINE, expand System, expand CurrentControlSet, and click Control. Double-click the WaitToKillServiceTimeout string and change the value to 2000. This optimizes the time that it will take for Windows Services to close when the system is set to shut down.
  25. Expand HKEY_CURRENT_USER, expand Control Panel, click Desktop, and double-click the MenuShowDelay string in the right-hand pane. Change the value to 100. This will cause Desktop menus to appear almost instantly.
  26. Close regedit.
  27. Set Recycle Bin to 1-3 percent of the hard drive space. To do this, right click on the Recycle Bin. Select properties. Move the slider down to the desired amount and click Ok. By default, the Recycle bin takes up too much of your space.
  28. To ensure DMA is in use, click Start, right-click My Computer, click Properties, select the Hardware tab, and click Device Manager. Expand the IDE ATA/ATAPI Controllers entry, double-click the entry for the channel where your hard drive is installed (most likely the Primary IDE Channel), and use the Transfer Mode drop-down menu to select DMA If Available if PIO Only mode is selected. Click Ok, reboot, and recheck the setting to make sure it sticks. When this is enabled, it will allow information from your CD/DVD to go straight to memory, bypassing the system processor and speeding up the system.

You should notice markedly increased speeds in your computer. Remember that this is not a "do once and forget it" procedure.

Crud is constantly building up in your computer, so make sure to set up a maintenance plan to keep your computer clean.

It's important to keep your Windows registry running lean, and that takes regular computer maintenance. This will prevent your computer from running slow.

Monday, August 31, 2009

How do I tell Internet Explorer to trust a security certificate?

Certificates are supposed to prove that you're connecting to the site you think you're connecting to, something that's particularly important if you're about to share sensitive data with the site or download a program or system patch. I won't even talk about phishing and how that ups the ante of site verification (though you can read about it here: Paypal and eBay alerts: legit or phishing?).

Since having a site certify itself doesn't make sense -- because the site could just as easily have a forged security certificate -- there are third party Certification Authorities that act as what security folk call 'trusted third parties'. It used to be that there were just two or three of these authorities, but now there are more, and what's happened in your situation is that you've somehow ended up indicating to your Web browser, Internet Explorer, that you don't trust the third party certification authority that a particular site is using.

But don't panic. This can be fixed and pretty easily at that. Go into Internet Explorer then choose Tools -> Internet Options, then click on the Content tab. The middle of that window will show you different options regarding Certificates. Click on the middle button, labeled "Certificates..."

Now you'll see something that's an interesting user interface gaffe on Microsoft's part because the tabs on this window don't fit in the window, so you need to click on the tiny right arrow by the rightmost tab. Once you can see it, click on "Untrusted Publishers". You'll end up with a window that looks like this:

Internet Explorer Untrusted Publishers Certificates

You should see the publisher listed that's causing you such problems. On my screen, I have two certificates from Microsoft, published by VeriSign, as you can see. Just delete the entries here by clicking on each one to select it, then clicking "Remove".

Quit the browser, restart, and everything should be good to go!

Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5



Overview

This document describes how to sign your own SSL certificate requests using the OpenSSL toolkit and use these self-signed certificates to allow HTTPS connections to Microsoft's IIS 5 web server (as supplied with Windows 2000).

If you know what a self-signed certificate is and understand the concept of a certificate authority, great. If not, this should still work but you'll have no idea what you've achieved when it does :)

Command transcripts are shown in monospaced type, with the bits you type shown in bold. Bits in italics are comments to explain what's going on and what you should be doing.


Disclaimer

I'm by no means a security expert, and I'm not an OpenSSL guru. If you find these notes helpful, great - if you don't, there's plenty of more detailed resources out there which will answer your questions if you take the time to read them properly. Contributions and testimonials are welcome; questions will be read and possibly answered but I'm making no guarantees, and please don't rely on this information for anything important. I don't know whether it's the most secure or most effective way of doing this, but it works and that's good enough for me. If it's not good enough for you, don't use it :)

These instructions were tested using OpenSSL 0.9.6g (v1.0 Final) on Windows 2000 Server running Service Pack 3.


Ingredients

Walkthrough

Install and configure the OpenSSL toolkit

  1. Get OpenSSL from the address above, and run the installer, accepting the defaults. These instructions assume OpenSSL is installed in C:\OpenSSL.
  2. Add C:\OpenSSL\bin to your system path (Control Panel, System, Advanced, Environment Variables, System Variables) - this isn't strictly necessary but it makes things a lot easier.
  3. Create a working directory - here, we'll use c:\ssl as our working folder.
  4. Download this copy of openssl.conf to your working folder. (Note: I have no idea what most of the options in this file mean. I just hacked it around until it worked...)
  5. Set up the directory structure and files required by OpenSSL:
    C:\ssl>md keys

    C:\ssl>md requests

    C:\ssl>md certs
  6. Create the file database.txt - an empty (zero-byte) text file. This can be done using the 'touch' command if you have it (it's a Unix tool not available on Windows by default, but you might have one lying around), or by creating an empty file manually:
    c:\ssl>copy con database.txt
    ^Z


    C:\ssl>

    MS-DOS veterans will recognise this particular invocation. We're copying from CON (the console) to a file called database.txt, and that's a Control-Z end-of-file character on the first line. This should produce a zero-byte file called c:\ssl\database.txt.
  7. Create the serial number file serial.txt. This is a plain ASCII file containing the string "01" on the first line, followed by a newline. Again, we can use a little bit of ancient DOS magic:
    C:\ssl>copy con serial.txt
    01
    ^Z


    C:\ssl>

    to achieve the desired effect. (That's keystrokes zero, one, return, control-Z, return.)

Set up a Certificate Authority (CA)

  1. First, we create a 1024-bit private key to use when creating our CA:
    C:\ssl>openssl genrsa -des3 -out keys/ca.key 1024
    Loading 'screen' into random state - done
    warning, not much extra random data, consider using the -rand option
    Generating RSA private key, 1024 bit long modulus
    ...........++++++
    ..................++++++
    e is 65537 (0x10001)
    Enter PEM pass phrase: - choose a memorable pass phrase to use for this key
    Verifying password - Enter PEM pass phrase: - type your pass phrase again for verification

    The pass phrase will be requested whenever you use this certificate for anything, so make sure you remember it. This will create a file called c:\ssl\keys\ca.key, containing our certificate authority private key.
  2. Next, we create a master certificate based on this key, to use when signing other certificates:
    C:\ssl>openssl req -config openssl.conf -new -x509 -days 1001 -key keys/ca.key -out certs/ca.cer
    Using configuration from openssl.conf
    Enter PEM pass phrase: - type your passphrase here.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:GB
    State or Province Name (full name) []:Hampshire
    Locality Name (eg, city) []:Southampton
    Organization Name (eg, company) []:dylanbeattie.net
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your websites domain name) []:ssl.dylanbeattie.net
    Email Address []:ssl@dylanbeattie.net

    C:\ssl>

    This will create our CA certificate and store it as c:\ssl\certs\ca.cer.
  3. (optional) Finally, we export our CA certificate in PKCS12 format - this will allow Windows users to import the PKCS12 certificate into their Trusted Root Store, so they don't get warning messages every time they use one of our certificates. From the OpenSSL FAQ:

    12. How do I install a CA certificate into a browser?

    The usual way is to send the DER encoded certificate to the browser as MIME type application/x-x509-ca-cert, for example by clicking on an appropriate link. On MSIE certain extensions such as .der or .cacert may also work, or you can import the certificate using the certificate import wizard.

    You can convert a certificate to DER form using the command:

    openssl x509 -in ca.pem -outform DER -out ca.der

    Occasionally someone* suggests using a command such as:

    openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

    DO NOT DO THIS! This command will give away your CAs private key and reduces its security to zero: allowing anyone to forge certificates in whatever name they choose.

    * Guilty as charged - sorry! This guide originally recommended the insecure method warned about above. Thanks to Baahl for pointing out the error and Marco Fagiolini for the correct method.
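
The FAQ's warning comes down to one check before a CA file is handed to users: it must contain a certificate and no key container. The Python sketch below is an added example, not part of the original guide or of OpenSSL; the function names and the skeleton test blobs are constructed for illustration, and it judges a file by its PEM labels and outer ASN.1 shape only, without validating the certificate itself.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(data, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length >= 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(data):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:pos + length], pos + length

def classify_der(der):
    """Name the outer ASN.1 shape of a DER blob (heuristic, structure only)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:                       # everything of interest is a SEQUENCE
        return "unknown"
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields] == [0x30, 0x30, 0x03]:
        return "cert-like"                # X.509 cert (a CSR or CRL has the same shape)
    if fields and fields[0][0] == 0x02:   # leading INTEGER is a version number
        return "pkcs12" if fields[0][1] == b"\x03" else "private-key"
    return "unknown"

def safe_to_publish(blob):
    """True only if blob is certificate material with no key container."""
    blocks = PEM_BLOCK.findall(blob.decode("latin-1"))
    try:
        if blocks:                        # PEM: every block must be a certificate
            return all(label == "CERTIFICATE" and
                       classify_der(base64.b64decode(b64)) == "cert-like"
                       for label, b64 in blocks)
        return classify_der(blob) == "cert-like"
    except ValueError:                    # unparseable input is rejected, not trusted
        return False

# Constructed skeletons (outer structure only, not real certificates or keys).
CERT, PFX, KEY = (bytes.fromhex(h) for h in
                  ("300730003000030100", "30050201033000", "3006020100020101"))
```

Anything the check cannot positively identify as certificate-shaped is rejected, so a .p12 bundle or a PEM file with a key block appended fails closed.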

Create an IIS Certificate Request

This is described in detail elsewhere on the web - see Microsoft Knowledge Base Article Q228821. You should end up with a file called certreq.txt.

Sign the Certificate Request

  1. Copy the certreq.txt file into c:\ssl\requests
  2. Sign the request
    C:\ssl>openssl ca -policy policy_anything -config openssl.conf -cert certs/ca.cer -in requests/certreq.txt -keyfile keys/ca.key -days 360 -out certs/iis.cer
    Using configuration from openssl.conf
    Loading 'screen' into random state - done
    Enter PEM pass phrase:
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    commonName :PRINTABLE:'myCommonName'
    organizationalUnitName:PRINTABLE:'myOrganisationalUnit'
    organizationName :PRINTABLE:'myOrganisation'
    localityName :PRINTABLE:'myLocality'
    stateOrProvinceName :PRINTABLE:'myProvince'
    countryName :PRINTABLE:'GB'
    Certificate is to be certified until Feb 2 01:13:14 2004 GMT (360 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    C:\ssl>

    Let's just take a look at those command-line options in a bit more detail:
    • -policy policy_anything - specifies that we're using the 'policy_anything' policy from our openssl.conf file. This is a relaxed policy in which the name, country, etc. in the certificate don't need to match those used by the certification authority. Use -policy policy_match for a more restrictive CA.
    • -config openssl.conf - specifies we're reading our configuration from openssl.conf in the current directory.
    • -cert certs/ca.cer - specifies we're using our CA master certificate to sign the request.
    • -in requests/certreq.txt - the certificate request we're signing.
    • -keyfile keys/ca.key - the private key for our CA master certificate, which proves we're allowed to use it.
    • -days 360 - the time until the certificate will expire.
    • -out certs/iis.cer - the file in which to place our newly-signed certificate.
  3. Convert the signed certificate into x509 format for use with IIS:
    C:\ssl>openssl x509 -in certs/iis.cer -out certs/iisx509.cer

    C:\ssl>

    This will leave the new certificate in c:\ssl\certs\iisx509.cer - signed, sealed and ready to install.
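
Each signing run adds an entry to database.txt and advances serial.txt, so those two files are the CA's only record of what it has issued. As an added example (not from the original guide), this Python script audits them, assuming the tab-separated layout that openssl ca writes to its database (status, expiry, revocation date, serial, file name, subject) and a hexadecimal serial file; the sample entry is constructed from the transcript above.

```python
from datetime import datetime, timezone

def parse_time(stamp):
    """Parse an OpenSSL database timestamp into an aware UTC datetime."""
    if len(stamp) == 13:                  # UTCTime: two-digit year, RFC 5280 pivot at 50
        yy = int(stamp[:2])
        stamp = str(2000 + yy if yy < 50 else 1900 + yy) + stamp[2:]
    return datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_database(text):
    """Return one dict per line of the tab-separated CA database."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # A wrong field count raises ValueError: a damaged database should fail loudly.
        status, expires, revoked, serial, _fname, subject = line.split("\t")
        records.append({"status": status, "expires": parse_time(expires),
                        "revoked": revoked or None,
                        "serial": int(serial, 16), "subject": subject})
    return records

def audit(db_text, serial_text, now):
    """List problems: lapsed entries still marked V, reused serials, stale serial file."""
    findings, seen = [], set()
    for rec in parse_database(db_text):
        if rec["status"] == "V" and rec["expires"] <= now:
            findings.append("serial %02X expired but still marked valid" % rec["serial"])
        if rec["serial"] in seen:
            findings.append("serial %02X issued twice" % rec["serial"])
        seen.add(rec["serial"])
    next_serial = int(serial_text.strip(), 16)
    if seen and next_serial <= max(seen):
        findings.append("serial file would reissue %02X" % next_serial)
    return findings

# Constructed sample: the entry the signing step would record, and serial.txt afterwards.
SAMPLE_DB = ("V\t040202011314Z\t\t01\tunknown\t"
             "/C=GB/ST=myProvince/L=myLocality/O=myOrganisation"
             "/OU=myOrganisationalUnit/CN=myCommonName\n")
SAMPLE_SERIAL = "02\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_DB, SAMPLE_SERIAL, datetime.now(timezone.utc)):
        print(finding)
```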

Install the new certificate under IIS

Again, this is described elsewhere on the web - remember that the iisx509.cer file is our certificate response file, and the instructions in Knowledge Base article 228836 should make everything clear.


Links & Acknowledgements

OpenSSL for Windows: http://www.shininglightpro.com/