CMS Bulletin - July 2018

WordPress 4.9.7 is now available

WordPress has released version 4.9.7.

As a "security and maintenance release", it introduces no significant new functionality; rather, it fixes a number of critical issues and problems, among which:

  • Media: fixed a library bug that allowed a user with certain permissions to delete files outside the media folder
  • Taxonomy: improved cache management for queries
  • Posts and post types: the post password cookie is now deleted on logout
  • Widgets: basic HTML tags are now allowed in sidebar descriptions
  • Community Events Dashboard: always show the nearest WordCamp
  • Privacy: the default content of the privacy policy no longer causes an error when the rewrite rules are deleted

Read more ...

Windows Server 2019: the future is here

Only a few issues ago we described the Technical Preview release of Windows Server 2016, and here we are already talking about Microsoft’s next server operating system.

Windows Server 2019 builds on the solid foundation of the previous release, the fastest-adopted server OS in Microsoft’s history, and its release is expected in the second half of this year. It will be an LTSC (Long Term Servicing Channel) edition, so this distribution channel will see a feature release every 2/3 years, unlike the typical SAC model (i.e. the Windows 10 model).

Development focuses on four key points, which come from the analysis of future trends and of the requests Microsoft received through its customer feedback channels: security, hybrid cloud, application platforms and hyper-converged environments.

Microsoft naturally worked a lot on the first of these aspects, in order to offer a system that can withstand the ever-growing number of threats. The security approach is based on three macro-areas: Protection, Identification and Response. In terms of protection, Linux VMs can now leverage Shielded VMs (introduced in Windows Server 2016) and are thus protected against illicit and unwanted activity. Add to that the introduction of Encrypted Networks, which will allow sysadmins to encrypt the traffic of whole network segments, protecting the communication between nodes.

Read more ...

An introduction to Docker pt.3: Storage and Networking

Previous article -> An introduction to Docker pt.2

The Docker introduction series continues with a new article dedicated to two fundamental elements of a container ecosystem: volumes and connectivity.
That is, how to let two containers communicate with each other and how to manage data in a given folder on the host.

Storage: volumes and bind-mounts

Files created within a container are stored on a writable layer belonging to the container itself, which has some significant consequences:

  • data doesn’t survive a reboot or the destruction of the container.
  • data is hard to get out of the container while processes are using it.
  • the aforementioned layer is strictly tied to the host where the container runs and cannot be moved between hosts.
  • this layer requires a dedicated storage driver, which has an impact on performance.

Docker addresses these problems by allowing containers to perform I/O operations directly on the host, through volumes and bind mounts.

Read more ...

CMS Bulletin - April 2018

PrestaShop 1.7.3 is now available

PrestaShop announces the new 1.7.3 version, which includes improvements and new features.
Among the new features introduced we find:

  • PrestaTrust, a function that authenticates the code of modules with PrestaTrust support and records the license information in the blockchain.
  • Right-to-left support: support for right-to-left (RTL) languages such as Arabic, Hebrew and Persian is added.
  • A new set of demo products
  • UI kit for modules, core and back-end, with support for Bootstrap 4 and jQuery 3.
  • Symfony: three more pages have been migrated to the popular PHP framework
  • Other features and improvements, such as setting delivery times, sending alerts when a product’s stock availability runs low, bulk actions on stock, an added Icelandic localization and an installation wizard in Japanese.

PrestaShop 1.7.3 is available at this address.

Read more ...

Introduction to Docker - pt.2

Previous article -> Introduction to Docker - pt.1

Images and Containers

An image is an ordered set of root filesystem changes and the related execution parameters to be used by a container runtime; it has no state and is immutable.
A typical image has a limited size, requires no external dependency and includes all runtimes, libraries, environment variables, configuration files, scripts and everything else needed to run the application.

A container is the runtime instance of an image, that is, what the image actually becomes in memory when it is run. Generally a container is completely independent from the underlying host, but access to files and networks can be configured to allow communication with other containers or with the host.

[Figure: docker image rm]

Conceptually, an image is the general idea and a container is the actual realization of that idea. One of Docker’s strengths is the ability to create minimal, lightweight and complete images that can be ported across operating systems and platforms: running the related container will always be feasible, avoiding any problem related to the compatibility of packages, dependencies, libraries and so forth. Everything the container needs is already included in the image, and the image is indeed always portable.

Read more ...

FreeNAS 11.1: welcome new UI!

A few months ago we talked about the troubled release of the last two FreeNAS versions, a story that involved a new graphical interface, the premature retirement of Corral and finally the development of version 11.0 with the return of the classic UI.

But iXsystems did not get discouraged: it kept on developing its NAS system and eventually released the all-new 11.1 version.

Not just a new appearance, but also new features

Let’s start with the aspect that usually draws most of the attention in a system that is otherwise quite traditional in terms of features: the new graphical interface.
Instead of the dark and edgy theme shown in a previous review, the developers chose a more comfortable theme based on light colours, with a tidier and neater graphical organization. The overall design resembles that of the latest generations of Android: quite flat, with icons and volumes drawn with circular contours and vivid colours.

[Figure: Free11 dash]

The upper horizontal menu finally disappears, replaced by a lateral fly-out panel that contains the usual features. The organization of the menu entries has been revised and rearranged too, while remaining consistent with the classic layout we are used to. Another new feature of the UI is proper rendering on mobile devices, something the previous releases did not handle well.

Read more ...

Project Honolulu: a web-based management control for Windows Server by Microsoft

Announced on 14 September with a TechNet blog post, Project Honolulu is the free, Web-based HTML5 platform for the centralized management of hosts and clusters that allows administrators to control, manage and troubleshoot Windows Server environments from a single panel. Today it is available as a “technical preview”.

Typically, the administration of Windows Server environments relies on MMC (Microsoft Management Console) and other graphical tools, in addition to PowerShell, which provides a powerful and complete scripting system capable of a high level of automation.
Project Honolulu can be compared to VMware vCenter’s Web Client (albeit with some differences): it is a centralized management solution for Windows Server hosts and clusters, conceived not as a replacement for System Center and the Operations Management Suite, but as a complementary tool.

Project Honolulu is the natural evolution of Server Management Tools (SMT, the analogous tool retired a few months ago because, running on Azure, it required a constant Internet connection that cannot always be guaranteed) and represents its local, on-premises version. It is not a substitute for MMC.
During the last Ignite, Microsoft presented the project in two demo sessions (one and the other) and covered the topic in a blog post.

[Figure: Project Honolulu architecture]

Read more ...

Chocolatey, a package manager for Windows

Chocolatey is a package manager, similar to apt and yum on Linux, used to create, update, distribute and remove software packages in a centralized and automated manner.

It is built on two platforms: NuGet and Windows PowerShell. The former is itself a .NET package manager, and the latter is the well-known integrated shell of the Microsoft Windows world. Available both as a command-line tool and with a GUI, Chocolatey is an open source project with three licensing models: free, Pro and Business, plus the MSP and Architect plans for specific uses.

Read more ...

CMS Bulletin January 2018

CMS

Joomla 3.8.3 is now available
Joomla 3.8.3 is now available; this is a security release that doesn’t introduce any new feature, rather it fixes security issues and improves performance.
In particular, this release adds support for PHP 7.2 and for multiple download sources on update servers (AKA download mirrors), TinyMCE has been updated to version 4.5.8, and there are improvements to multilingual support and to search performance for big sites. A complete list of fixes is available at this address.
This version is available within the admin console or at this address.

Meanwhile, the Alpha 1 version of the upcoming Joomla 4.0 is available. The preview includes new Bootstrap 4 templates, removal of obsolete functions, a new installation wizard, integration of Joomla Framework packages and a renewed console application.

WordPress 4.9 is now available
WordPress 4.9, nicknamed “Tipton”, is now available. This version introduces several new features, including a Customizer with new capabilities, improvements to the system code, new widgets and several new features for developers, such as an improved Customizer JavaScript API, CodeMirror (a new code editing library), an update of MediaElement.js to version 4.2.6 and other improvements to plugin and translation file management.
This version is available in the administration console or at this address.
Version 4.9.1 is available as well. This is a security release that doesn’t introduce any new feature, rather it fixes security issues. Improvements in this release include a properly generated hash for the newbloguser key instead of a determinable substring, the addition of escaping to the language attributes used on HTML elements, ensuring that the attributes of enclosures are correctly escaped in RSS and Atom feeds, and the removal of the ability to upload JavaScript files for users who do not have the unfiltered_html capability.
Eleven additional bugs have been fixed, including issues relating to the caching of theme template files, a MediaElement JavaScript error preventing users of certain languages from uploading media files, and the inability to edit theme and plugin files on Windows-based servers.

Further information about this version is available at this address.

Read more ...

An introduction to Docker

You have surely heard of it: it is one of the hottest technologies of the moment and it is quickly gaining momentum. The numbers presented at DockerCon 2017 are about 14 million Docker hosts, 900 thousand apps, 3300 project contributors, 170 thousand community members and 12 billion images downloaded.
In this series of articles we’d like to introduce the basic concepts of Docker, so as to have a solid foundation before exploring the broad related ecosystem.

The Docker project was born as an internal project at dotCloud, a PaaS company, and was based on the LXC container runtime. It was introduced to the world in 2013 with a historic demo at PyCon, then released as an open source project. The following year support for LXC ceased, as its development was slow and not keeping pace with Docker; Docker started to develop libcontainer (later runc), written entirely in Go, with better performance and an improved level of security and isolation between containers. Since then there has been a crescendo of sponsorships, investments and general interest that elevated Docker to a de facto standard.

It is part of the Open Container Project, a foundation under the Linux Foundation that regulates the open standards of the container world and includes members like AT&T, AWS, DELL EMC, Cisco, IBM, Intel and the like.

Docker is based on a client-server architecture: the client communicates with the dockerd daemon, which builds, runs and distributes containers. Client and daemon can run on the same host or on different systems; in the latter case the client communicates with the daemon through a REST API, over a Unix socket or a network interface. A registry stores images: Docker Hub is a public cloud registry, while Docker Registry is a private, on-premises registry.

[Figure: Docker architecture]

Read more ...

CMS Bulletin October 2017

WordPress 4.8.2 is now available

WordPress has released version 4.8.2.
This is a “Security and Maintenance Release” which introduces no new features; instead it fixes some security and performance issues of the most used CMS worldwide.
In particular these 9 problems are fixed, in addition to 6 performance fixes:

  • $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  • A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery.
  • A cross-site scripting (XSS) vulnerability was discovered in the visual editor.
  • A path traversal vulnerability was discovered in the file unzipping code.
  • A cross-site scripting (XSS) vulnerability was discovered in the plugin editor.
  • An open redirect was discovered on the user and term edit screens.
  • A path traversal vulnerability was discovered in the customizer.
  • A cross-site scripting (XSS) vulnerability was discovered in template names.
  • A cross-site scripting (XSS) vulnerability was discovered in the link modal.

The update is available within the dashboard or at this address.
Those who want to preview the upcoming release can test WordPress 4.9 beta 3. Obviously it is for testing purposes only and must not be installed in production environments.

Read more ...

Business email: a comparison of services

Email is a powerful tool for businesses of all kinds (freelancers, small and medium businesses and big corporates), provided it is managed efficiently. In this article we analyze the email services offered by the main providers.

Email is one of the main vectors of communication in the business world: it is used for internal, informal, official and even international communications. Its use has in many cases replaced verbal communication and, because of that, every user expects this service to be quick, easy and, above all, reliable. Besides sending and receiving messages, a number of other activities have merged with it: calendars, address books, mobile synchronization, and so forth.

Read more ...

GFI LanGuard: network security scanner and patch management

Properly keeping an IT infrastructure updated is a costly and tiresome activity: GFI’s LanGuard is a product conceived to structure and automate the management process in complete safety.

An example of how dangerous it is to run non-updated systems is clearly shown by the very recent wave of WannaCry infections, the ransomware that, although it affected a limited number of users (there could have been many more had some remedies not been found promptly), hit Microsoft-based infrastructures in more than 150 countries. The ransomware exploited the EternalBlue vulnerability, which is present only in unpatched versions of the operating system. Yet imagine what the outcome would have been had it targeted all Windows systems.

Read more ...

CMS Bulletin - July 2017

WordPress 4.8 is now available
WordPress 4.8 is now available, and this version introduces some new features: image, audio and video widgets, a rich text widget for visual editing, improved link management and a new news section in the dashboard listing WordPress events near you.
Further information is available in this post on the WordPress blog.

The update is available in the admin dashboard; we suggest updating as soon as possible, but only after doing a backup (just in case).

Joomla 3.7.3 is now available
Joomla has now reached version 3.7.3, which is a minor release of the 3.x branch.
This release doesn’t introduce any new function; rather, it fixes bugs and solves security issues.
In particular, 2 XSS (Cross Site Scripting) and Information Disclosure vulnerabilities are fixed, which could pose a security threat.

The update is available directly within the admin dashboard.
Joomla 3.8 is expected at the end of July.

WordPress WP Statistics plugin is vulnerable to SQL Injection attacks
Sucuri researchers discovered a vulnerability in the popular WP Statistics plugin for WordPress which permits SQL Injection attacks.
Version 12.0.9 of the plugin solves the issue, therefore we highly recommend updating the plugin as soon as possible.

Read more ...

FreeNAS 11: the new features and some talks about Corral

After the false start of the long-awaited FreeNAS 10, a few weeks ago the iXsystems development team released the latest stable release of its operating system for NAS solutions.

We have extensively covered FreeNAS in previous issues, analyzing its structure, functioning and advantages. We expect a high level of stability and reliability from such an operating system, yet we waited almost a year for the revolutionary release 10, code-named Corral.

FreeNAS 10 “Corral”: something went wrong
The two main novelties would have been a new graphical interface and native support for multi-platform virtual machines.
However, the release of Corral didn’t go as expected: after being available for 48 on the official FreeNAS website, it mysteriously disappeared and was replaced by the previous 9.10 version. For some weeks nobody had a clue of what was going on, as it was still downloadable from the official repository; then it appeared in the Tech Preview section. An announcement was posted on the FreeNAS forum on 12 April stating the reasons for the withdrawal of the release.

Read more ...

WordPress Security

According to W3Techs, WordPress is used by 28.1% of existing Internet websites and accounts for 59% of those based on a CMS (Content Management System), and its adoption rate keeps increasing. These numbers alone are enough to understand how widespread WordPress is: its easy installation and customization make it suitable for many use cases, eCommerce shops included.
But such popularity brings a downside: it is one of the most attractive platforms for attackers. Luckily the damage of an attack can be prevented and limited with the techniques and best practices that we will discuss in this article.

Read more ...

CMS Bulletin - May 2017

WordPress 4.7.5 - Security and Maintenance Release is now available
While waiting for the release of version 4.8, expected in June, WordPress has released version 4.7.5.
This is a “Security and Maintenance Release” which doesn’t add any new feature; it fixes security and performance issues.
In particular these 6 major problems have been fixed, in addition to 4 other performance fixes:

  1. Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
  2. Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
  3. Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
  4. A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
  5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
  6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.

The update is available within the administration dashboard.

Read more ...

Nakivo: easy and flexible VMware and Hyper-V backup

The new version of the most renowned backup tool for virtual environments adds support for vSphere 6.5 and improves its integration with the Microsoft world through support for Hyper-V and Active Directory.

Nakivo Backup & Replication is a backup and Disaster Recovery solution for virtual machines that offers on-site and off-site backup (with testing), replication, recovery (even of single files and Exchange/Active Directory objects), cloud replicas (AWS) and multi-tenant capabilities. We have tried the new 7.0 version in advance for you. You can find our review of the previous release at this address.

Support for vSphere 6.5 and Hyper-V

The new version of vSphere came out a couple of months ago and all the big players are updating their support for the new release, and Nakivo is no exception: now you can add an ESXi 6.5 host or vCenter 6.5 to the Inventory and protect all the VMs running there. The new support for Hyper-V (versions 2012, 2012 R2 and 2016) is without doubt the most exciting news in Nakivo Backup & Replication 7: support is extended to virtual machines created and managed with Microsoft’s popular hypervisor. The product can now cover both main virtualization platforms available in on-premises and cloud infrastructures, and it also supports a hybrid solution with the capability of backing data up to Amazon’s public cloud: AWS EC2.

[Figure: nakivo 7 activity 1]

Read more ...

Windows Server 2016: a new features test

In this article we have selected some of the new features available in Windows Server 2016 with the aim of analysing them and evaluating their impact in a real world scenario.

As we mentioned in the previous issue, this new release is conceived as an improvement of the previous versions rather than a brand new system. New features can be grouped into three areas: Virtualization and Containers, Security and Storage.

Virtualization

The main news for Hyper-V is nested virtualization. With Windows Server 2016, Hyper-V hosts can themselves be virtualized (i.e. a VM with Hyper-V running inside it): this approach is often used in testing environments and in situations where one wants to create multi-tenant environments without the costs of physical hardware. Hot-adding hardware to VMs (disks, network cards, controllers, etc.) is now supported: this operation previously required powering off the machine and restarting it, with consequent downtime.

[Figure: hot add]

A new feature introduced with this version is the Host Guardian role, which we discussed in the previous issue. Host Guardian allows granular regulation of the access levels and permissions of Hyper-V administrators over the virtual machines running on a host or cluster. Server 2016 also takes a step towards the Linux world: one of the main problems when creating a Linux VM was the lack of drivers certified for Secure Boot in Windows, which led to a “Failed Secure Boot Verification” error when starting the virtual machine; it could be worked around by disabling the Secure Boot feature. This new release of Windows Server fixes the problem by including such drivers.

Read more ...

An introduction to XenServer: an Open Source enterprise [para]virtualization solution

Xen, like VMware ESXi, is a hypervisor, that is, software that allows several virtual machines (even with different operating systems) to run at the same time on the same hardware, sharing resources with the aim of optimizing costs and the management of the IT infrastructure. Given its nature, it is often compared with the competing platforms by Microsoft (Hyper-V) and VMware (vSphere/ESXi), and in this article we are going to cover its characteristics.

A little bit of history

The Xen virtualization project was born in 2003 at the University of Cambridge as a research project. Within a short time XenSource was founded, and it was acquired by Citrix in 2007, which kept a free version but started to develop a paid one. The project is backed by big players of the market like Intel, AMD, Cisco, Amazon, Google, Oracle, Samsung and Verizon.

In 2013 Xen became part of the Linux Foundation, and Citrix adopted an open source licence for its own XenServer product, then at version 6.2. The paid version, which includes support and additional maintenance services, still remains.


Read more ...

CentreStack: the object storage platform by Gladinet

CentreStack is a managed server for the creation of an object storage platform that can be deployed on-premises or in Managed Service Provider mode, to be offered as a service to clients.

The product of the American company Gladinet is a system halfway between the classic file servers for companies and the off-premises cloud storage platforms usually used in SaaS/PaaS mode (think of Dropbox, OneDrive, etc.). Taking the best from both worlds, CentreStack can leverage the internal IT infrastructure (servers, storage, etc.) to offer a file sharing service in cloud mode that is also suitable for BYOD purposes. Management is indeed completely Web-based, with a dashboard from which you can control and act on all aspects of the platform, even in multi-tenant and multi-node setups.

[Figure: CS web login evo]

Structure and requirements

CentreStack is composed of three main parts, or nodes: Web Front Node, Worker Node and Database Node. Nodes can be deployed as physical hosts or as separate virtual machines, or in all-in-one mode on a single host (a solution particularly suitable for small-scale scenarios or testing purposes) where all components are installed together. In some situations the Web Front and Worker nodes can be consolidated on a single machine.

[Figure: CS db select 2]

Read more ...

CMS bulletin - January 2017

WordPress 4.7.1 - Security and Maintenance Release is now available

Less than a month after the release of version 4.7 “Vaughan”, WordPress releases version 4.7.1 of the most used CMS in the world.
This is a “security and maintenance” release which fixes 8 important vulnerabilities that affect all WordPress versions (4. included), in addition to 2 bugs of the previous version.
The 8 vulnerabilities, which are now fixed, include cross-site scripting (XSS) and cross-site request forgery (CSRF) issues.

The update is available from the administration dashboard and on the official website. We encourage you to update your installation as soon as possible.

Read more ...

CMS Bulletin - April 2017

WordPress 4.7.3 is now available

This is a “Security & Maintenance” release that doesn’t introduce any new feature; it fixes bugs and problems present in the previous versions.
Because of the security-related fixes, we encourage you to update as soon as possible.

The previous versions had 6 major problems that have now been completely fixed:

  • Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  • Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
  • Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by TrigInc and xuliang.
  • Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas.
  • Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.

The update is available within the administration dashboard through an “Update Now” banner, or it can be performed manually; if you have enabled automatic updates, your system will be updated soon.

A vulnerability in Magento that allows CSRF attacks has been discovered

A vulnerability that allows Cross Site Request Forgery (CSRF) has been discovered in Magento Community Edition (2.1.6 and older) by DefenseCode, which released a document covering the topic. The discovery followed an audit of the source code of the Community Edition; the Enterprise version has not been tested (yet), but it is possible that this version is affected too, as both versions share most of the code.

The vulnerability abuses the option that allows admins to add Vimeo videos to product descriptions: the system retrieves a preview image with a POST request that accepts the image URL as a parameter.
Such a request can be changed to a GET, and if the URL points to an invalid image file (such as a PHP file) the system returns an error, but it downloads the file anyway and does not delete it when validation fails.
Image information is analyzed and stored in a directory that follows a precise scheme: the pattern used is /pub/media/tmp/catalog/product/<X>/<Y>/<original filename>, where the path depends on the image name. For instance, picture.jpg creates the path /pub/media/tmp/catalog/product/p/i/picture.jpg.
Two files are then downloaded: one is an .htaccess file that enables the execution of PHP files in that directory, the other is the malicious PHP script.
A typical scenario involves an attacker targeting a Magento user with admin panel access (not necessarily a full admin) with a phishing email containing a link to a URL that triggers the CSRF attack.
The “Add Secret Key to URLs” option can mitigate the attack: you can enable it in Stores > Configuration > ADVANCED > Admin > Security > Add Secret Key to URLs.
Also disable the use of .htaccess files in the subdirectories of /pub/media/tmp/catalog/product/.

Magento developers stated that this vulnerability will be fixed in the next release of the CMS.

The difference between email backups and archiving

Email has become a key element in every business. In most cases the correspondence with clients and suppliers is so important that, in case of loss or theft, missing emails can result in heavy economic and organizational repercussions.

Securing email data is a crucial duty for every company. Emails can be protected by means of a traditional backup system or by an archiving system. A proper understanding of both systems is required to avoid mistakes.

Backup is conceived as a “photograph” (or a series of photographs) of the system at a precise moment, for instance a copy of the email archive up to today. You can decide to keep one or more of such photographs, maybe one per day for the last 5 working days. Retention describes the number of backups that are stored and their distribution in time (e.g. one backup per month for three months). A backup is created to recover messages deleted by accident or to restore a given state after software problems or any other issue that compromises normal operation.
A good backup must have an easy restore routine and must store all the necessary information: the position of the message in the folder structure and all its metadata (date, time, sender, subject, etc.).

On the other hand, archiving is a process that aims at the long-term (and possibly read-only) storage of the complete email archive. Archiving is not meant for restores in case of problems, but for data preservation (regardless of user behaviour). If, for instance, a user receives an offer and deletes it, the offer will still be available in the archive and the company can retrieve it if needed. Archiving requires more storage space, especially if deletion is blocked, and often offers additional capabilities such as full-text indexing and fast search.

Naturally there are different, specific software products and services for backup and for archiving: they are, and must remain, distinct and non-interchangeable processes. This concept is not immediately intuitive, so let’s go through some explanatory examples to point out the differences just described.

Read more ...

Windows Server 2016: new features and on the road test

Previous articles -> Microsoft believes in containers, too - Windows Server 2016 TP4 is now available

After a development period that started in 2014, the final version of Windows Server 2016 was released last October.

Windows Server 2016, available in the Essentials, Standard and Datacenter editions, brings a lot of new features, mostly in the areas of security and of scalability for the new software-defined architectures. The main break with the past is the licensing model: Microsoft now licenses per physical core (hyper-threading excluded) instead of per socket. Licences are calculated on the number of cores of the server the OS is installed on, rather than on the number of physical processors. Beyond considerations of marketing and profit margins on scalable infrastructures, this decision reflects the will of the Redmond giant to align with the needs of the Cloud world (and of those who sell Cloud infrastructure), where the boundary between physical and virtual resources has become very thin. A licensing model that counts cores rather than processors is, for instance, very convenient when quoting hosting plans, since the unit of computing power is indeed the single core, not the whole processor.

In general, using Windows Server 2016 requires licensing all the physical cores of the server, with a minimum of 8 core licences per physical processor (even for a quad-core processor) and at least 16 core licences per physical server (the typical dual-socket case). Furthermore, licences are sold in non-divisible packs of two cores each, so a processor needs at least four packs.

Read more ...

Password manager: an invaluable tool for IT pros

Is there a way out of the hell of all the passwords you have to manage in your personal and working life? Yes, there is, and it’s called a password manager: let’s see what it is and how it can change your life for the better.

A password manager is a piece of software that stores and manages all your credentials in a single, secure place and protects them with one primary (master) password. Its main goals are to keep the stored data safe and to manage it in a structured way (search, update, deletion, etc.).
Unlike manual solutions such as spreadsheets or even paper notes, software of this kind helps you keep the archive maintainable over time and as the number of entries grows. It also provides a better level of security, makes adding passwords simpler and includes useful features such as automatic generation of strong passwords and advanced search.
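The two mechanisms just mentioned, generating strong random passwords and protecting the whole store with a single master password, are shown below in an added example written for this article; it is not code from any real password manager. It uses only the Python standard library, so the vault “header” it produces contains a salt, an iteration count and a verifier tag, never the master password itself; the 600,000 PBKDF2 iterations, the 94-symbol alphabet and the verifier label are assumptions of this example.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Added example, not any product's code: strong password generation plus a
# master-password-derived vault key. Assumptions: a 94-symbol alphabet,
# PBKDF2-HMAC-SHA256 with 600,000 iterations by default, a fixed label for
# the verifier tag.

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets), with all four
    character classes present. Rejection sampling keeps the distribution
    uniform over the accepted set instead of forcing fixed positions."""
    if length < 4:
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing work for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def derive_vault_key(master_password, salt, iterations):
    """PBKDF2-HMAC-SHA256, deliberately slow so that offline guessing of the
    master password against a stolen vault file is expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def create_vault_header(master_password, iterations=600_000):
    """Return what gets written to disk: salt, iteration count and a verifier
    tag computed under the derived key. The master password is never stored."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}

def unlock_vault(master_password, header):
    """Re-derive the key and check the verifier in constant time.
    Returns the 32-byte vault key on success, None on a wrong password."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    tag = hmac.new(key, b"vault-verifier", "sha256").digest()
    return key if hmac.compare_digest(tag, header["verifier"]) else None
```

The returned key is what a real manager would then use with an authenticated cipher (for example AES-GCM) to encrypt the individual entries; the point of the example is that everything hinges on one secret the user remembers, so its strength and the cost of the key derivation are what protect the vault if the file is copied by an attacker.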


Read more ...

The 7 golden rules for great backups

Here are 7 simple rules to follow in order to guarantee the integrity of your data, without ever forgetting common sense.

Admittedly, it feels like preaching to the choir: every professional or company should always have an up-to-date, complete backup that allows an easy restore. Yet every time I talk with an IT manager, consultant or sysadmin I discover, to my great surprise, that some basic concepts are misunderstood, if not ignored altogether.

Let’s list the 7 requisites of a good backup system.

1: “2 is better than 1”: an extra copy never hurts
Never assume that a single copy on an external hard drive, a NAS or a network share is enough. Failures are always around the corner and they hit at the worst moment. So duplicate your backups on at least two different media, even if the main one seems reliable enough. You don’t have to copy everything: if you take, say, a complete image of every computer, duplicating terabytes of data is probably a waste. Backing up critical data (i.e. documents and emails) however must be done on (at least) two different media, both of them reliable.
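A second copy only helps if it is actually intact, so the check a practitioner wants after writing to two media is a read-back comparison of digests, repeated later to catch silent corruption. The following is an added example for this rule, not code from any backup product; the file names and directories are placeholders supplied by the caller.

```python
import hashlib
import shutil
from pathlib import Path

# Added example: copy a backup file to several media and prove each copy by
# reading it back, then re-verify later against the digest recorded at backup
# time. Paths are whatever the caller passes (external disk, NAS mount, ...).

def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large mail stores don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def replicate(src, destinations):
    """Copy `src` into every destination directory and verify each copy.

    Returns {copy_path: True/False}. A copy counts as good only if the digest
    computed by reading the written file back equals the source digest; the
    return value of shutil.copy2 alone proves nothing about what hit the disk.
    """
    src = Path(src)
    expected = sha256_of(src)
    results = {}
    for dest_dir in destinations:
        target = Path(dest_dir) / src.name
        shutil.copy2(src, target)          # copy2 also preserves timestamps
        results[str(target)] = sha256_of(target) == expected
    return results

def verify_copies(copies, expected_digest):
    """Periodic integrity check: which copies still match the recorded digest.
    A missing file is reported as False rather than raising, so one dead
    medium does not abort the check of the others."""
    return {str(p): Path(p).exists() and sha256_of(p) == expected_digest
            for p in copies}
```

Keep the digest produced at backup time somewhere other than the media being checked (a ticket, a log server, a separate file), otherwise a corrupted medium can corrupt the reference too.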

Read more ...

Meetings and video-conferences on the Internet: the right software for every situation

There are dozens of different software products and services that allow you to hold a meeting, a conference or a webinar, but it’s not easy to understand which product fits your needs. So we have selected and tested the most interesting and complete software in this sector for you.

The two terms we’ve just used (meetings and webinars) describe, with some differences, the two main situations where such software is used. In the first case it’s essentially an easy and handy way to hold an online meeting by sharing the screen, files or images. The number of participants is usually limited and interaction is high: for instance, anyone can take control of the presentation and everybody can talk at the same time.
Conversely, in the case of webinars (a portmanteau of Web and seminar) the number of participants can be very high, even hundreds, while the level of interaction drops because the speakers are usually a small group.

These technologies bring logistical advantages and cost reductions, as they cancel geographical distances with nothing more than a computer or a portable device such as a smartphone or a tablet.

Types of infrastructures and supported platforms

The vast majority of the software we tested is sold as a service, with a monthly price usually based on the number of participants. Only a few products are sold with a one-off licence. Some applications, like WebEx by Cisco, offer both an as-a-Service version and an on-premises version (called WebEx Meeting Server). The same holds for ScreenConnect by ConnectWise, a product aimed at remote control that also includes specific features for online meetings (we covered it in the previous article on MSP platforms).

Read more ...

Remote control software: anatomy, functioning and types

An essential tool in the toolbox of every Service Provider is remote control software, a category of software that allows you to execute commands and actions on a computer located elsewhere, over an Internet connection. Let’s see what characterises a good remote control product, and introduce some of the available solutions.

The architecture

All the remote control solutions covered in this article are based on an architecture with a host, a gateway and a client (also called guest). The host is the computer to be controlled, on which an agent is installed that sets up the remote connection; it runs as a service (on Windows) so that it starts as soon as the operating system boots.
The client is the local computer, on which we run a specific program, called a viewer, that displays the remote screen and through which we perform operations.
If host and client are on the same subnet (or on a VPN), they see each other directly and there is no configuration or security issue beyond the overall security of the network. If the two computers are on different networks, however, problems arise: there are NAT devices to traverse, and it becomes mandatory to use at least a strong authentication mechanism and traffic encryption.

To overcome this obstacle, a third element enters the architecture: a gateway server that brokers the connection between host and client. This server is provided by the software vendor and is responsible for the security of the connections. All the solutions in this review combine public/private key authentication with data encryption: authentication lets each side verify who it is talking to, so a man-in-the-middle (MitM) attacker cannot impersonate the gateway or the peer, and encryption makes any intercepted data unusable.


Read more ...

Comodo One: a complete and free platform for MSP

In the last issue we talked about useful tools for those who want to become Managed Service Providers (MSP) and covered a number of platforms for the technical and administrative management of clients’ infrastructures. One of them is Comodo One MSP, which the IT security giant Comodo makes available for free (with some limitations that can be lifted with the Premium plan).

Free access is certainly the strong point of the Comodo One MSP platform (One from now on), which integrates the three main features every MSP needs: Remote and Security Management, Patch Management, and Service Desk with ticketing. Remote and Security Management and Patch Management belong to the RMM (Remote Monitoring and Management) family of products, used to keep control of the infrastructure and perform maintenance for clients: remote control, resource monitoring, automated notifications and update management are part of it.
Service Desk, with ticketing, time tracking and documentation capabilities, belongs instead to the PSA (Professional Services Automation) world.

For those who want more than the basic features, several upgrades are available (some free, some paid) that add higher levels of protection and additional modules. For instance, there is enhanced endpoint protection with an advanced firewall and Host Intrusion Prevention, while the network security package adds better monitoring and intrusion detection, plus a system for capturing and analysing packets in transit. Among the upgrades there is also the Acronis client for Cloud backup (Acronis Cloud Backup).


Other available modules are Antispam Gateway, Dome Shield, Korugan Central Manager (RMM category), Comodo CRM and Comodo Quote Manager (PSA category). Note that some of these additional modules are free (like Quote Manager, the package used to prepare quotes), while others can be installed for free but only in a basic configuration (like cWatch Basic, a network security component). In each case, the specifications page of each module shows its pricing.

Read more ...

Windows 10: news about security

The release of a new operating system is a familiar scenario for IT pros. The release of Windows 10 is no exception, but the distribution method Microsoft has tried this time has certainly changed.
For the first time in the history of the Redmond OS, users of previous versions of Windows (7, 8 and 8.1) can download and install the upgrade to Windows 10 for free, keeping an edition equivalent to the one previously installed (e.g. 7 Professional becomes 10 Pro) and the related licence. However, the insistent distribution method has bred a certain dissatisfaction among users and professionals. This feeling is amplified by the integration of the Windows 10 upgrade straight into Windows Update (which in most cases results in an automatic installation) and by the relentless notification campaign on computers that have not upgraded.


Read more ...

Managed Service Provider: what it means, why becoming a MSP

The acronym MSP stands for Managed Service Provider and identifies a way of working that is now used by many companies in the IT world. In general, the idea of a Managed Service implies outsourcing management and maintenance activities with the ultimate goal of optimising the use of resources and lowering the client’s costs. In this scenario the Provider is the company or organisation that delivers the service.

MSP key points

We can define three main points that characterize a Managed Service Provider (MSP onwards):

  • unlimited phone/remote help desk;
  • proactive management of the infrastructure: backup, security, updates, etc..;
  • being a competent intermediary with additional providers and third parties.


Advantages and rates

Essentially an MSP contract is an “all-inclusive” contract with advantages for both the provider and the client. The client gets a fixed price for IT management, without worrying about technical details or surprise costs. Moreover, the client knows that the provider’s goal is the same as its own, i.e. to reduce downtime and increase the overall productivity of the company.

Read more ...

Advanced Linux troubleshooting: methods and tools for diagnostics and problem identification of VM, VPS and physical servers

Solving problems quickly is a fundamental activity for any sysadmin. Let’s look at some tricks and advice for becoming better and faster at diagnosing and resolving trouble on a Linux system.

In a previous issue of GURU advisor we dedicated an article to the commands suitable for basic Linux troubleshooting on a VPS, but when top, ps and netstat are not enough we must turn to more advanced tools. Troubleshooting can easily turn into a waste of time and resources, in proportion to the difficulty of the problem being solved. To get results and limit useless trial and error, it is essential to follow well-structured procedures.


The USE method, which stands for Utilization, Saturation and Errors, was conceived by Brendan Gregg (author of the authoritative book on the topic, Systems Performance, Prentice Hall, 2013) and rests on a simple, effective idea: define a workflow that determines the level of utilization, the saturation and any errors for each available resource. In this way we progressively narrow down the possible causes of the misbehaviour until we can precisely identify what is costing performance.
Defining the resources is quite easy: they are the physical components of the machine, a server in our case, and their virtual equivalents: processor, memory, disks, controllers, network interfaces, buses, etc. (The method can be applied to software components as well, but it becomes very detailed and complicated, probably overkill for this scenario.)
Naturally, the better you know the architecture, the faster and more precise the results will be, at the price of some complexity and a steep learning curve.
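To make the three questions of the method concrete, the following is an added example (written for this bulletin, not taken from the article or from Brendan Gregg’s tooling) that runs one pass of a USE checklist over two resources, CPU and network interfaces. It is fed with constructed /proc snapshots so that it runs offline; on a live system you would read /proc/stat twice, /proc/loadavg and /proc/net/dev instead. The sample values, the 4-CPU assumption and the 70% / 1.0 alert thresholds are all assumptions of the example.

```python
# Added example: a minimal USE (Utilization, Saturation, Errors) pass over
# CPU and network interfaces, driven by constructed /proc text. Assumptions:
# a 4-CPU box, samples one second apart, alert at >70% utilization and at
# more than one runnable task per CPU.

STAT_T0 = "cpu  1000 0 500 8000 100 0 50 0 0 0\n"   # constructed /proc/stat, t = 0
STAT_T1 = "cpu  1700 0 800 8300 150 0 70 0 0 0\n"   # constructed /proc/stat, 1 s later
LOADAVG = "6.40 5.10 4.80 7/512 12345\n"            # constructed /proc/loadavg
NET_DEV = (  # constructed /proc/net/dev
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n"
    "    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0\n"
    "  eth0:  500000    4000   12    3    0     0          0         0   300000    3500    0    5    0     0       0          0\n"
)

def parse_cpu_line(stat_text):
    """Return (busy, total) jiffies from the aggregate 'cpu' line of /proc/stat.
    Fields: user nice system idle iowait irq softirq steal (guest values are
    already included in user/nice, so they are not added again)."""
    for line in stat_text.splitlines():
        if line.startswith("cpu "):
            f = [int(x) for x in line.split()[1:]]
            user, nice, system, idle, iowait, irq, softirq, steal = f[:8]
            total = user + nice + system + idle + iowait + irq + softirq + steal
            return total - idle - iowait, total
    raise ValueError("no aggregate cpu line in /proc/stat text")

def cpu_utilization_pct(stat_t0, stat_t1):
    """Utilization: busy jiffies over elapsed jiffies between two readings.
    Counters are cumulative, so a single reading says nothing; two are needed."""
    busy0, total0 = parse_cpu_line(stat_t0)
    busy1, total1 = parse_cpu_line(stat_t1)
    elapsed = total1 - total0
    if elapsed <= 0:
        raise ValueError("second sample must be later than the first")
    return 100.0 * (busy1 - busy0) / elapsed

def cpu_saturation(loadavg_text, ncpus):
    """Saturation: 1-minute load average per CPU; above 1.0 work is queueing."""
    return float(loadavg_text.split()[0]) / ncpus

def net_errors(net_dev_text):
    """Errors: error and drop counters per interface from /proc/net/dev."""
    out = {}
    for line in net_dev_text.splitlines()[2:]:      # first two lines are headers
        name, _, rest = line.partition(":")
        name = name.strip()
        if name == "lo":
            continue
        f = [int(x) for x in rest.split()]
        out[name] = {"rx_errs": f[2], "rx_drop": f[3], "tx_errs": f[10], "tx_drop": f[11]}
    return out

def use_report(stat_t0=STAT_T0, stat_t1=STAT_T1, loadavg=LOADAVG,
               net_dev=NET_DEV, ncpus=4, util_threshold=70.0):
    """One checklist pass: per resource, utilization, saturation and errors,
    plus a list of findings worth investigating first."""
    util = cpu_utilization_pct(stat_t0, stat_t1)
    sat = cpu_saturation(loadavg, ncpus)
    errs = net_errors(net_dev)
    findings = []
    if util > util_threshold:
        findings.append(f"cpu: utilization {util:.1f}% (high)")
    if sat > 1.0:
        findings.append(f"cpu: saturation {sat:.2f} runnable tasks per CPU (queueing)")
    for iface, c in errs.items():
        if any(c.values()):
            findings.append(f"{iface}: errors/drops {c}")
    return {"cpu_utilization_pct": round(util, 1), "cpu_saturation": round(sat, 2),
            "net": errs, "findings": findings}
```

With the constructed samples the CPU is at about 74% with more than one runnable task per CPU, and eth0 shows receive errors and drops in both directions: three findings, each pointing at a specific resource, which is exactly the narrowing-down the method is for. Memory, disks and controllers would be added the same way (for instance from /proc/meminfo, /proc/vmstat and /sys/block/*/stat).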

Read more ...

VM Explorer: the new tool by HP Enterprise for VMware vSphere and Microsoft Hyper-V backups

VM Explorer is a software product developed since 2007 by the Swiss company Trilead and counts more than 10,000 clients worldwide. This number is set to grow, especially given the authority gained with the recent acquisition by HPE, as Roberto Beneduci of CoreTech, the brand’s historic distributor in Italy, confirmed: “Compared with the same period of 2015, in the first three months of 2016 the number of VM Explorer licences sold has more than doubled.”


A well justified acquisition
HPE already had an enterprise-tier backup product, the HPE Data Protector Suite, and holds, with its servers, 60% of the VMware OEM market. With VM Explorer HPE can offer its clients an easy, robust and inexpensive solution dedicated solely to the backup of virtual systems, very different from Data Protector, which addresses a different client tier (infrastructures with thousands of VMs). With this move HPE can now offer all its Small and Medium Business clients (under 100 VMs) a simpler offering that is, in certain respects, more appealing than the widespread solution by Veeam.

Read more ...


Word of the Day

In the field of Information Technology, the term piggybacking refers to situations where an unauthorized third party gains access to...


The acronym GDPR indicates the new General Data Protection Regulation, which will come into force on 25 May 2018. This...


The acronym DPO (Data Protection Officer) indicates the person or persons who, within the company context, are responsible for the...


InfiniBand is an input / output architecture for the transmission of data between high performance systems composed of CPUs, processors...


A Zero Day Exploit describes a situation in which specific and unknown vulnerabilities are disclosed to the public simultaneously with...

Read also the others...

Download of the Day

Netcat

Netcat is a command line tool that can be used in both Linux and Windows environments, capable of...


Fiddler

Fiddler is a proxy server that can run locally to allow application debugging and control of data in...


Adapter Watch

Adapter Watch is a tool that shows a complete and detailed report about network cards. Download it here.


DNS DataView

DNS DataView is a graphical-interface software to perform DNS lookup queries from your PC using system-defined DNS, or...


SolarWinds Traceroute NG

SolarWinds Traceroute NG is a command line tool to perform advanced traceroute in Windows environment, compared to the...

All Download...

Issues Archive

  • GURU advisor: issue 18 - April 2018
  • GURU advisor: issue 17 - January 2018
  • GURU advisor: issue 16 - October 2017
  • GURU advisor: issue 15 - July 2017
  • GURU advisor: issue 14 - May 2017
  • GURU advisor: issue 13 - March 2017
  • GURU advisor: issue 12 - January 2017
  • GURU advisor: issue 11 - October 2016
  • BYOD: your devices for your firm

    The rapid evolution of IT and technology, together with the crisis that has eroded company budgets, has led to a reversal of the trend: users prefer to work with their own devices, which are often more advanced and modern than those their companies would provide. Read More
  • A switch for datacenters: Quanta LB4M

    You don’t always have to invest thousands of euros to build an enterprise-level network: here’s our test of the Quanta LB4M switch. Read More
  • Mobile World Congress in Barcelona

    GURU advisor will be at the Mobile World Congress in Barcelona from February 22nd to 25th 2016!

    MWC is one of the biggest conventions of the worldwide mobile market; we’ll be there for the whole event and will keep you posted with news and previews from the congress.

    Read More