Alex, Linux Engineering
Dave, Windows Engineering
Ikenna, Associate Director
Jeffrey, Cloud Operations
Kevin, Windows Engineering
Leroy, Windows Engineering
Michael, Linux Engineering
Richard, Engineering Lead
Vedran, Cloud Devops
505 Broadway St
Cardinal Hall, MC 8823
Redwood City, CA
There are a lot of different Content Management Systems available for publishing websites these days. Gone are the days when you had to learn Hypertext Markup Language to create a simple web page, or craft a comprehensive set of Cascading Style Sheets to redesign your website look and feel. A Content Management System provides a powerful environment to help you to build and maintain your website, regardless of size.
Unfortunately, all that power comes at a cost. The CMS itself becomes another component you are required to power and maintain. The tool you selected to help you build your website can get in the way of you focusing on the task it was meant to help with. Worse yet, a CMS usually creates overhead when displaying your website to visitors, which can lead to scaling issues and possible downtime in the event of a traffic surge. Continue reading “Static Fling”
by David Fong
We had a need to migrate a MS SQL cluster with a shared RDM disk in a VMware environment to a new storage for both the OS disks and the RDM. The two nodes on the clustered are located on different ESXi hosts. We put the database files and logs on the RDM disk other than the OS is on a VMFS datastore. It was not a very straight forward migration that involves un-mapping and re-mapping RDMs, coping the databases and all the related files, and finally migrating the OS drives.
Continue reading “Migrate a MS SQL cluster with a shared RDM disk in a VMware environment”
by Bhakti Chokshi
TCG now offers CloudBerry as a cloud backup alternative when we build servers for our clients. It is a low-cost, month-to-month managed cloud backup as a service. TCG can even provide CloudBerry as a standalone service for the systems we do not proactively manage with a support contract.
With this new offering that supports several Operating systems such as Windows, Mac, Linux, TCG installs backup software on the server, setup and manage the cloud storage account, tunes the backup strategies, closely monitors the progress of any backups, troubleshoots any errors and perform any restores.
TCG is excited about this new offering as it aligns with the UIT multi-year cloud initiative.
Some of the interesting features of CloudBerry:
Continue reading “Backing up directly to the Cloud using Cloudberry”
by Leroy Altman
As you may have heard, Stanford is moving away from their in-house created authentication software known as “WebAuth” to an industry standard Open Source technology called SAML2. Software called “Shibboleth” is available to leverage SAML2 and it includes a version created for Microsoft’s Internet Information Server (IIS) web server running on Windows.
This article was gathered from two great sources listed below, and I encourage you to read both for more details. This article is really just the tip of the iceberg:
There are two new terms to know:
- Identity Provider (IDP): This is Stanford’s central authentication service
- Service Provider (SP): This is your web server
Installation: This is a quick summary of how to get Shibboleth installed and working on a Windows IIS web site.
- Windows Server 2012 R2 w/ IIS installed.
- In addition to the default IIS modules, you’ll also need to add Management Compatibility components:
- IIS 6 WMI
- IIS 6 Metabase compatibility
- IIS 6 Scripting tools
- IIS 6 Management Console
- Install ISAPI filter and Extensions [located in Web Server (IIS) → Web Server → Application Development]
- A “Default Web Site” which has a default page, used for testing.
- A “/secure” subfolder under the root, also with a test page.
- An SSL certificate installed and working on the website.
Run the Shibboleth Installer. The most recent version, as of this writing, is here: https://shibboleth.net/downloads/service-provider/2.6.1/win64/
The defaults for installation are typically fine to use:
Continue reading “Shibboleth Authentication on IIS”
by Kevin Tai
I recently had a client who hired a consultant to work on a special project to update their website. The client initially requested to allow the consultant access to a file share on the server where the website is hosted so that he can update the files. Then the consultant realized that he needed additional access like restarting the services for the website’s Prod and Dev environments. We could’ve lazily grant him Remote Desktop access to the server and call it the day, but that would be giving him more access than he really needs. All he really needs to do is to be able to restart 2 services (the production web server and the dev web server) after he makes updates to the environments.
That got me thinking that there must be an alternative way to accomplish this without giving up too much access. So, I designed a process that would do just that and here’s how it works…
Continue reading “Granting User Access Without Granting User Access in Windows”
by Jonathan Lent
Systems administrators today (Linux systems administrators, in the context of this post) have many valuable tools at their fingertips. After some initial time expenditures, learning curves, architectural decisions, dead-ends, inevitable frustration, and testing, the adoption of automation technologies can make day-to-day tasks much more productive, repeatable, iterative, and secure.
Continue reading “My Cabin in the Woods”
by Jonathan Lent
Like many developers, application maintainers, and system administrators at Stanford, I’ve been focussing a lot of time lately on migrating legacy web applications to using Shibboleth (from WebAuth). Also like many, I’ve found Alex Tayts’ article Migrating away from WebAuth: practical steps very useful during this process. However, as straight-forward as that writeup is, it doesn’t account for one thing: the Shibboleth SP software is not perfect.
During a recent deployment, I found that by simply enabling the shib2 Apache module on systems with Apache 2.4 running, applications using multiple AuthTypes (e.g. WebAuth and basic authentication) were suddenly presenting a 401 (Unauthorized) error message. This was before adding any directives to use Shibboleth as the AuthType.
Continue reading “Shibboleth on Apache 2.4 Using Mixed Authentication Methods”
For those of us who are accustomed to the “revert to snapshot” function in a VMware environment, it is quite a challenge to do the same on AWS. The problem comes from the fact that you can’t manipulate the volume itself most of the time, and restoring basically means replacing the currently mounted volume of the instance. Here’s a script I wrote for a group discussion we had here at TCG (Technology Consulting Group) to simplify the restore process.
Continue reading “A simple powershell script to restore from a snapshot for a Windows EC2 instance (single volume)”
Bit9, now called Carbon Black (Cb) Protection Enterprise is a utility that will intentionally block any application that has not been authorized to execute on the system. Carbon Black protection is a tool for whitelisting, and allows the creation of rules to control file executions on monitored systems. Stanford University IT is actively working on implementing Carbon black Protection in our environment. This is an additional security tool along with Firewalls and anti-virus applications.
Carbon black works by continuously monitoring all file system activities happening on the server and provides a real-time response and blocks potential threats. We can whitelist applications by creating event rules and custom rules, and in this article we will be elaborating on best practices for creating custom rules, and why and when we need them.
Continue reading “Carbon black custom rules”