Centracom O/S upgrade pending - looking for advice!

Primesite
Posts: 44
Joined: Mon Aug 12, 2002 7:12 am

Centracom O/S upgrade pending - looking for advice!

Post by Primesite »

We've got a number of Centracom Gold Elite dispatch consoles, and a local server to update them, all running Win2000pro.

With the recent excitement over sobig.f and blaster, I've been thinking about upgrading the O/S on these machines to XP. Most of the IT people I've talked to say that, when it comes to security, Win2000 has more holes than Swiss cheese. XP has better built-in security and administrator features.

I'm also not thrilled with the fact that, although Microsoft has released SP4 for 2000, Motorola only certifies their Centracom package as far as SP2.
Clearly, Motorola is subtly directing us towards XP.

Also, I'm interested in any experiences - good or bad - running Norton Anti-Virus on their consoles. These machines have potential access to the Internet if certain steps are taken, and I'm concerned that lack of supervision during some shifts, added to low workload levels, will result in some 'let's see if this will work' hacking on the part of the more creative dispatchers (damn college kids :lol: ). One of them already changed the color settings on his machine, and IT can't figure out how he did it. He ain't saying.

Thanks in advance for your comments!
srefurd
Batboard $upporter
Posts: 185
Joined: Tue Aug 20, 2002 8:37 pm

Post by srefurd »

What I am going to say might piss your IT guys off!

They need to buy a book.

It is possible to lock ANY windoz system down tight enough so that the only thing a user can do is run 1 (ONE) program. Between restricting user privileges and using policies it's actually pretty simple to restrict activities to only what you want them to do.

Oh yeah, one of the first things to do is physically secure the machine so folks can't actually get to it.

Good Luck
R
Today's episode was brought to you by the firm of Visigoth, Vandal, and Hun: Litigation specialists for over thirteen hundred years.
RocketNJ
Posts: 584
Joined: Sat Oct 13, 2001 4:00 pm

Post by RocketNJ »

How do you have the Elite LAN set up?

Motorola will only certify/support it if it is a closed network (nothing else besides the Motorola equipment on the LAN).

As long as the machines were loaded from the factory OS image cd and the Elite software was installed from the original Elite CD then there should be no way for a virus to infect the machines. No other software should be loaded on the Elite server or OP workstations.

As long as those requirements are met then the PC's will not become infected (provided you do not have bored dispatchers loading games and other crap on the workstation PCs).

As far as only SP2 in Win2000 being certified by Big M, they test the different quarterly releases of software with different operating systems and service packs. By saying it is certified with SP2 they know there are no known issues that affect the Elite operation.

George
xmo
Moderator
Posts: 2549
Joined: Fri Oct 12, 2001 4:00 pm

Post by xmo »

How would any of these virus problems get into your console network in the first place????

Your console network should be stand alone - no connection to the outside world whatsoever.

As far as your 'creative' dispatchers doing things to your computers - that should have been taken care of when the system was configured - a roaming profile with virtually no access to any computer function except the Centracom program.

When our dispatchers sign on they get a blue screen with no icons at all. When they click on START - there is one program - Centracom Gold Elite. Solves all that BS.

The last thing you want to do is just upgrade that software on that network yourself. Motorola has a specific certification process that covers not only the version of O.S., but everything in the system. A particular version of CDM is certified to work with a particular version O.S. That version of CDM is certified to work with a particular version of COIM firmware, BIM firmware, etc. etc.

If you want Motorola to support the proper operation of the system, all the versions have to 'align' in the compatibility matrix. Changing the O.S. would involve what Motorola calls a "refresh". You won't like what that costs.
RKG
Posts: 2629
Joined: Mon Dec 10, 2001 4:00 pm

Post by RKG »

I heartily endorse what xmo says, with one addition: the console program should be auto start, so that it runs without operator action after a start (and after a reboot caused by a LOOP and the delay while the generator accepts load).

In a public safety system, there is no valid reason for console operators to be doing anything with the console PCs but running the radio.
larrybl
Posts: 117
Joined: Wed Oct 03, 2001 4:00 pm

Post by larrybl »

Great topic, and replies. I am working on the same issue here. I would be very interested in how (specifically) to set Win 2000 to only allow access to one program, and the blue screen on login. I hate to say that ALL of my OPs log on as administrator, and I am at a loss as to how to set privileges. Each time I tried, the Elite program reports an error and shuts down.

We have looked into installing the latest patches for win 2000, here is Motorola's reply:

"Your software is certified only with Windows 2000 and the service pack that is currently installed on it. If you add a newer service pack, or upgrade the operating system, you will be entering uncertified, un-tested territory. It may work, but it hasn't been tested or certified by the Motorola product group.
If your IT insists on upgrading to the latest OS and patches, then you'd need to look at upgrading the Elite software, which in turn would require a CEB board firmware upgrade."

Which brings up another issue: my IT department will not support the Motorola network, so I am on my own to be the administrator.

I am in the process of internally disconnecting the power to the floppy and CD drives, but would be very interested in restricting access to these drives through Win 2000 itself.

If anyone could help, it would be greatly appreciated.

Larry
larrybl@ci.waco.tx.us
alex
Administrator
Posts: 5761
Joined: Mon Sep 03, 2001 4:00 pm

Post by alex »

Larrybl:

While I'm by no means a centracom guru, I am a bit of a windows one, so maybe I can be of some slight assistance, and maybe a few centracom gurus can help us out a bit here.

What specific errors are you getting? Have you tried playing with creating a "regular user" account, and also giving that login permission to modify the directories that it needs to in windows?

It could very well be complaining because as a regular user it can't modify a certain directory to log actions or other information. If that's the case, then you might have to set those.

Having people log in as administrator is never a good thing. If you have to allow people to do so, create individual accounts with administrator privies, and enable some sort of logging. This will at least tell you (hopefully) who was doing what and when. Not an ideal solution, but at least you can narrow your problem to a specific user or group thereof.

Another thing you could try is having a host server that runs the centracom software off of it, and have it connect to the server as a read only user - and run the profile off the workstation. That might require a somewhat beefy server depending on how many client connections you have - but that might also help you in the long run of people messing with configurations.

Gee... I'm full of ideas:

Go out and buy yourself a copy of Norton Ghost. Backup every console workstation you have that you know is functioning as it should. The second you bump into a problem, restore the ghost image - boom - problem gone.

Downside - any changes you make after you make the image, will need to be redone after you bring the image back.

Also, with windows 2000, you have to consider the fact that there are other ways to attach storage to a computer besides the floppy and cd drives.

Just some help to get you started. Windows will eventually give up and let you do what you need to - you just need to figure out where that sweet spot is.

-Alex
larrybl
Posts: 117
Joined: Wed Oct 03, 2001 4:00 pm

Post by larrybl »

Alex- I am replying to this off-line, and will paste it to the reply message. I have been contacted via E-mail, I really appreciate any help I can get, and once I have this working, I'll make sure to post for the benefit of other members.

Alex- While I'm by no means a centracom guru, I am a bit of a windows one, so maybe I can be of some slight assistance, and maybe a few centracom gurus can help us out a bit here.

Larry- I am up on the Centracom software, I was weaned on Centracom II+ B/L, then upgraded to Centracom Gold Classic. Now we are on Gold Elite.

Alex- What specific errors are you getting? Have you tried playing with creating a "regular user" account, and also giving that login permission to modify the directories that it needs to in windows?

Larry- I created a user called DISPATCH, with a log-on of DISPATCH. I haven't been able to get this to work. The error occurs when I try to log on at an Op position; the msg is something like Elite Dispatch can not start, shutting down.

Alex- It could very well be complaining because as a regular user it can't modify a certain directory to log actions or other information. If that's the case, then you might have to set those.

Larry- Hence my weakness, I have browsed through the various settings, and am truly at a loss.

Alex- Having people log in as administrator is never a good thing. If you have to allow people to do so, create individual accounts with administrator privies, and enable some sort of logging. This will at least tell you (hopefully) who was doing what and when. Not an ideal solution, but at least you can narrow your problem to a specific user or group thereof.

Larry- I would like to do this.

Alex- Another thing you could try is having a host server that runs the centracom software off of it, and have it connect to the server as a read only user - and run the profile off the workstation. That might require a somewhat beefy server depending on how many client connections you have - but that might also help you in the long run of people messing with configurations.

Larry- I am stuck with the equipment I have. One server, 9 Op positions, connected through a 10 port hub. We are running Win 2000 Server, and Win 2000 on the Ops.

Gee... I'm full of ideas:

Alex- Go out and buy yourself a copy of Norton Ghost. Backup every console workstation you have that you know is functioning as it should. The second you bump into a problem, restore the ghost image - boom - problem gone.

Larry- I fear this would void Motorola's support. They are very sticky about not having any other applications on the Server or OP PC's.

Alex- Downside - any changes you make after you make the image, will need to be redone after you bring the image back.

Alex- Also, with windows 2000, you have to consider the fact that there are other ways to attach storage to a computer besides the floppy and cd drives.

Larry- I have been told to disconnect the floppy and CD drives manually, I would prefer to limit this access through user configurations.

Alex- Just some help to get you started. Windows will eventually give up and let you do what you need to - you just need to figure out where that sweet spot is.

Larry- I'll get to a point where I really don't want to make too many changes for fear of making the whole thing crash.

-Larry
ASTROMODAT
Posts: 1825
Joined: Tue Nov 05, 2002 12:32 am

Post by ASTROMODAT »

I COMPLETELY agree with those folks admonishing to NOT screw around with the OS, especially upgrading W2K from SP2 to a later SP. For home use and general office use, by all means upgrade to SP4---it is way superior to SP2!

But, if you have a system like a Motorola Gold Elite Console, DON'T do it!

Let me give you an example. We shoot a lot of video in my copter company, so we also do a lot of non-linear video editing. We chose to use AVID Express DV, since it has over 90% of the market. AVID will only support their product on W2K with SP2, or Windows XP. If you upgrade to SP3 or SP4, they provide no support, and the warranty is voided.

Larry
larrybl
Posts: 117
Joined: Wed Oct 03, 2001 4:00 pm

Post by larrybl »

I made progress!!!! Yea.

I created the dispatch Elite-Zone1.local\users on the server, then added a dispatch user to the OPs. I tried to make the dispatch a restricted user, but got the message "The Console was unable to initialize, Contact System Administrator." I changed the Dispatch user to Standard user, and it now works. I couldn't figure out how to restrict access to the floppy or CD-ROM, so I just disconnected them. This should cover the requirements that I was required to do.

Thank You for the help.
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

This is for Primesite, others have said it but I'm reiterating...DO NOT UPGRADE YOUR O/S!!! Your IT guys do not understand that the firmware in the TIMI/COIM, etc boards are not only O/S specific, they are Service Pack specific as well. So is the Centracom dispatch software. I learned the hard way, just ask me about the time our dispatch center was brought down for 3 hours due to a Service Pack issue!! As others have suggested, they would be far better off configuring the computers to deny program access rather than messing with the Motorola supported configuration.

Todd
No trees were harmed in the posting of this message...however an extraordinarily large number of electrons were horribly inconvenienced.

Welcome to the /\/\achine.
Alan
Posts: 408
Joined: Wed Sep 05, 2001 4:00 pm

Post by Alan »

"I'm also not thrilled with the fact that, although Microsoft has released SP4 for 2000, Motorola only certifies their Centracom package as far as SP2."

I just did a new Win 2000 install on a laptop to allow for MUPL at a remote CEB.

Motorola confirms Service Pack 3 is the correct level for the 1Q03 software release.
wavetar
Administrator
Posts: 7340
Joined: Sun Sep 09, 2001 4:00 pm

Post by wavetar »

Man, we're still running NT4, service pack 5 & 6 (two different systems). For nearly 3 years we were running with NT3.51 ! Talk about unsecure/unstable. So no whining about Win2k allowed! :)

Todd
srefurd
Batboard $upporter
Posts: 185
Joined: Tue Aug 20, 2002 8:37 pm

Post by srefurd »

Update!!!!

I'm playing around with a program called registryrobot. Although I haven't explored all of the options it looks pretty promising.

You can download it from pc magazine

I'll post more as I play with it.
srefurd
Batboard $upporter
Posts: 185
Joined: Tue Aug 20, 2002 8:37 pm

Post by srefurd »

With use of the PC Magazine "registryrobot", NTFS file system, and judicious modification of the "default user" profile it should be possible to COMPLETELY lock down a dispatcher profile. By lock down I mean you boot the machine, log on, your dispatch program starts, and that is all that there is to do. I am going to do a bit more research and I will post some details. Depending on response I will try to make a policies file available as well as some basic instructions on installation and what to delete/rename etc.

Let me know if anybody is interested. If there are just a few I would be willing to do this one on one. If there are a great many we might have to get it hosted somewhere.

Before you get started however you need to have a separate dispatch station to try these modifications on.

R
larrybl
Posts: 117
Joined: Wed Oct 03, 2001 4:00 pm

Post by larrybl »

I would be interested, but I ran into a problem with my original issue of setting the dispatch positions from administrator to a user logon. I had to apply a SRN that Motorola issued. This corrected the problem I was having, but because of the settings required in this SRN, I don't think we can fully lock down an op position.

SRN # S-0072

SUBJECT:
CENTRACOM Gold Series will not function properly if the operating system’s permissions are not set correctly.

MODELS/OPTION AFFECTED:
CENTRACOM Gold Series B1827A, B1879B, and option X03AA

SYMPTOM:
If the directory permissions are not set correctly, you may experience several symptoms including: The inability to edit using the CDM, inability to edit using the ADM, the inability to use the ADM after some period of time, Console aliases not updating over the network.

These symptoms may be intermittent due to the implementation of the security strategies within Microsoft Windows.

CAUSE:
These may all be symptoms of the permissions not being set correctly for the directories and registry of the PCs used for the CENTRACOM Gold Series products. For Windows 2000 releases prior to the Q1 2003 SER that was released on 1/2/03, the permissions need to be set manually if any users group other than administrator is used. For any operating system, the permissions can be set incorrectly by a system administrator. Microsoft Windows sometimes allows editing files shortly after rebooting a PC even though the permissions are set to disallow this activity, which can cause the symptom to seem intermittent.

SOLUTIONS:
The README file that appears automatically at the end of the installation of the CENTRACOM Gold Series software components explains how the permissions need to be set for the software to operate correctly. The README file can be found in the installation directory, which is, by default, “C:\Program Files\CENTRACOM Gold\bin\GoldSeriesReadMe.txt”. The directory and registry must be set for the dispatcher to have full control. A detailed description of how to set up the permissions may be obtained from the System Support Center at 1-800-221-7144.


ReadMe File Text:
The following Permissions changes will allow the running of Elite Dispatch & Admin, ADM, and CDM as a Domain User in Windows 2000 while logged on as a Domain User. The following changes should be made on every computer that the customer will log into using a User account.

1. On the server, open “Windows Explorer,” and navigate to C:\Program Files\CENTRACOM Gold. (Where C:\ is equal to the partition Centracom is installed on.) Right Click “CENTRACOM Gold” folder, and select “Properties.” Select “Security” tab in “Properties” box. If “Domain Users” does not appear in top box, select “Add” button. In the box that appears, select “Domain Users” and select “Add” and then “Ok.” In the “Properties” screen, check the box for FULL CONTROL for the "Domain Users" group. Select the “Advanced” button. Select “Domain Users” and click on “View/Edit.” Make sure that the permissions for this group is applied to “This folder, subfolders and files” from the drop down box. Select “Ok” three times to get back to “Windows Explorer.”

2. On the OP position, follow the same directions as in step 1 in order to add FULL CONTROL to the "Domain Users" group for the CENTRACOM Gold directory, and everything below it.

3. On the server and OP position, Open "C:\Winnt\System32\REGEDT32". Select HKEY_LOCAL_MACHINE\Software\Motorola. From the Toolbar, select “Security” and then “Permissions.” If “Domain Users” does not appear in top box, select “Add” button. In the box that appears, select “Domain Users” and select “Add” and then “Ok.” In the “Permissions” screen, check the box for FULL CONTROL for the "Domain Users" group. Select “Ok” and exit out of the Registry.

4. On the server and OP position, to allow Domain Users to run the CENTRACOM Gold Configuration program, administrator must add "Modify" permissions for Domain Users on the C:\WINNT directory and C:\WINNT\temp directory. To do this: Open “Windows Explorer,” and navigate to C:\WINNT. Right Click “WINNT” folder, and select “Properties.” Select “Security” tab in “Properties” box. If “Domain Users” does not appear in top box, select “Add” button. In the box that appears, select “Domain Users” and select “Add” and then “Ok.” In the “Properties” screen, check the box for MODIFY for the "Domain Users" group. Select “Ok” three times to get back to “Windows Explorer.” Follow the same steps for the C:\WINNT\temp directory.

5. On the server and OP position, if users are unable to login, Right click "My Network Places" on the desktop and select "Properties", then Right click "Local Area Connection" and select Properties, select "Internet Protocol (TCP/IP)" and click "Properties." Verify the settings for IP address, Subnet Mask, Gateway and DNS Server.
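
An added example, not part of the post above or of Motorola's ReadMe: a Python check that compares saved `cacls` output from a console against the directory grants in ReadMe steps 1, 2 and 4, reporting grants that are missing (the failure the SRN describes) and grants wider than the ReadMe asks for. The sample output is constructed, `CONSOLEDOM` is a placeholder domain name, and the "Everyone" rule and the MISSING/EXCESS/BROAD labels are this example's own choices; the registry key in step 3 is not covered because `cacls` reports on files and folders only.

```python
import re

# Baseline from ReadMe steps 1, 2 and 4 quoted above:
# path -> (right "Domain Users" needs, must reach subfolders and files).
# cacls letters: R read, W write, C change (Explorer "Modify"), F full control.
BASELINE = {
    r"C:\Program Files\CENTRACOM Gold": ("F", True),
    r"C:\WINNT": ("C", False),
    r"C:\WINNT\temp": ("C", False),
}
RANK = {"N": 0, "R": 1, "W": 2, "C": 3, "F": 4}
ACE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")


def parse_cacls(path, text):
    """Return [(trustee, inheritance_flags, right)] from `cacls <path>` output."""
    aces = []
    for line in text.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]  # only the first output line carries the path
        m = ACE.match(line.strip())
        if m:  # "special access" detail lines do not match and are skipped
            flags = set(re.findall(r"\((\w+)\)", m["flags"]))
            aces.append((m["who"], flags, m["right"]))
    return aces


def audit(outputs, group="Domain Users"):
    """outputs maps each baseline path to its saved cacls text; returns findings."""
    findings = []
    for path, (need, inherit) in BASELINE.items():
        aces = parse_cacls(path, outputs.get(path, ""))
        mine = [a for a in aces if a[0].split("\\")[-1].lower() == group.lower()]
        best = max((RANK[r] for _, _, r in mine), default=0)
        if best < RANK[need]:
            findings.append(f"MISSING {path}: {group} needs {need}")
        elif best > RANK[need]:
            findings.append(f"EXCESS {path}: {group} has more than {need}")
        elif inherit and not any({"OI", "CI"} <= f and RANK[r] >= RANK[need]
                                 for _, f, r in mine):
            findings.append(f"NO-INHERIT {path}: grant stops at the folder")
        for who, _, r in aces:
            # Assumption of this example: Everyone with change/full is too broad.
            if who.lower() == "everyone" and RANK[r] >= RANK["C"]:
                findings.append(f"BROAD {path}: Everyone has {r}")
    return sorted(findings)


# Constructed sample output; CONSOLEDOM is a placeholder domain name.
SAMPLE = {
    r"C:\Program Files\CENTRACOM Gold": "\n".join([
        r"C:\Program Files\CENTRACOM Gold BUILTIN\Administrators:(OI)(CI)F",
        r"                                CONSOLEDOM\Domain Users:(OI)(CI)F"]),
    r"C:\WINNT": "\n".join([
        r"C:\WINNT BUILTIN\Administrators:(OI)(CI)F",
        r"         CONSOLEDOM\Domain Users:(OI)(CI)F",
        r"         Everyone:(OI)(CI)C"]),
    r"C:\WINNT\temp": "\n".join([
        r"C:\WINNT\temp BUILTIN\Administrators:(OI)(CI)F",
        r"              BUILTIN\Users:(OI)(CI)(IO)(special access:)",
        r"                            GENERIC_READ"]),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The output can be captured on the console with the built-in `cacls` command and checked on another machine, so nothing extra has to be installed on the Elite server or OP positions.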