Author Archives: MrOne

Your health and carbon dioxide (CO2)

Fresh air is good for your health. Carbon dioxide is not. What does it mean and what impact does carbon dioxide (CO2) have on your health?

How healthy are your office and home environments? And how do they compare to the outside? Let’s find out.

CO2 and health – Theory

Indoor air quality is a vast subject and I don’t expect to cover it better than a Wikipedia article. Suffice to say – there are quite a few metrics to track, but the most common and universal one is the carbon dioxide (CO2) level.

And without going into much detail – typical outdoor CO2 levels measure from 350 ppm (parts per million) to 450 ppm.

What’s a good level for CO2 to be at? The maximum indoor CO2 level generally considered acceptable is ~1000 ppm.

There are multiple sources and standards for this. A common rule of thumb (it appears in ASHRAE ventilation guidance) is that indoor CO2 should stay within about 700 ppm of the outdoor level; with 350–450 ppm outdoors that puts the ceiling at roughly 1000–1100 ppm. Truth is – strictly speaking nobody knows exactly when the adverse effects start. The image below is a very general illustration.

CO2 levels

What happens if these levels are above the norm? And I’m not talking about extreme levels here. This study (and one more study) mention that:

Relative to 600 ppm, at 1,000 ppm CO2, moderate and statistically significant decrements occurred in six of nine scales of decision-making performance. At 2,500 ppm, large and statistically significant reductions occurred in seven scales of decision-making performance (raw score ratios, 0.06-0.56), but performance on the focused activity scale increased.

CONCLUSIONS:
Direct adverse effects of CO2 on human performance may be economically important and may limit energy-saving reductions in outdoor air ventilation per person in buildings. Confirmation of these findings is needed.

Impact of CO2 on human decision-making performance. Error bars indicate 1 SD.

CO2 – Current (sad) state of affairs

CO2 impacts a number of other things as well. There’s a recent documentary with Leonardo DiCaprio that talks about global warming and climate change – Before the Flood. “A look at how climate change affects our environment and what society can do to prevent the demise of endangered species, ecosystems and native communities across the planet.” I would say that the question covered is put in a very politically correct and mild way, because not having fresh air is a catastrophe. I mean – as long as somebody is still concerned about being healthy enough to think clearly.

The documentary talks about a spiral effect and if it spins out of control (and there is consensus that it already has), we could see a very dramatic rise of CO2 in the atmosphere in very short periods of time. Literally meaning – your lifetime.

Before this I’ve never paid much attention to global warming, what it means and what the trends are. But I think everyone understands and can relate to what “running out of fresh air to breathe” means. The pictures below demonstrate the current state of affairs.

Atmospheric CO2 increase can and will be bad for your health

Atmospheric CO2 from www.co2.earth

Tools

So, to measure air quality you need a CO2 meter. Those are a bit pricey. Some of the more available ones go for around ~130 USD.

Example CO2 Meter

Typically these are combined into one product that also covers date, time, temperature and humidity.

I’ve been lucky to get my hands on a more advanced Netatmo Weather Station, which has nice additional features. To name a few – both outdoor and indoor modules, data reporting over a period of time (humidity, noise, temperature and others), a smartphone application, notifications for weather changes and other perks.

Netatmo Weather Station

I’ve been using it for a while now, but only recently decided to check how good the air quality in the office is. Before testing, I considered our office to be excellent in terms of ventilation.

Measurements and results – Home space

My home space is an apartment and it is ventilated only through windows. In Latvia many people consider the exhaust ducts that kitchens and bathrooms are equipped with to be ventilation. They are not, because they do not supply fresh air; they only extract it. The same goes for air conditioning units. Many people consider them a supply of fresh air. Wrong again – most of them are cheaper split systems and do not supply fresh air. What’s even more troubling – in our country even the engineering and building experts most often do not understand this.

But, in truth, it’s more a question of supply/demand, because currently there is no demand whatsoever for fresh air intake devices in the apartment market, typically cheaper alternatives are used. Some of them include:

  • “Winter” window ventilation
  • Open windows
  • Air valves mounted into PVC windows
  • One or two air grates in the walls
  • (surprisingly a way that works in older buildings) Wooden windows and “not energy efficient” buildings

In the private house market segment, the above is still true, with some exceptions that are quite expensive – heat recovery ventilation systems. These have high requirements – initial investments ($$$), planning air pipes during repairs and high maintenance costs – mostly due to electricity bills (used to heat up the incoming air to compensate for the temperature difference). So, in our Latvian climate, you’re easily looking at extra ~150 kWh per month.

Now, to jump into the metrics. Here is how Netatmo Weather Station displays common data.

Netatmo Weather Station mid-March 2017 apartment data

The space is sufficiently ventilated. Night hours could use improvement. Winter months are more complicated. Humidity levels like this are common in months when using heating. Depending on how “energy efficient” and sealed the building is – results from open/closed windows may vary.

Measurements and results – Office space

Netatmo Weather Station April 2017 office space data

I’ve been pleasantly surprised by these results. Our open-plan office space has a lot of people and keeping CO2 levels under control would be a challenge. Luckily the ventilation system keeps up and CO2 levels are optimal (sometimes slightly exceeding the recommended 1000 ppm).

Temperature results are a bit weird, but will get better when Air Conditioning kicks in.

Conclusions

To summarize the above and to state the obvious.

You’ll be surprised how fast fresh air runs out. Even if you’ve ventilated the room one hour ago – chances are CO2 levels are already at their peak.

An apartment should be constantly ventilated. Even in the winter. Two times per day with fully open windows (the best and fastest way), and using “winter mode” ventilation in PVC windows. I would not worry about saving on heating costs. Heating systems are designed to account and compensate for this. Your health is not.

Summer time – keeping open windows throughout the day is a good idea. Maybe not all of them, but most. And looking into alternatives if living on lower floors/noisy streets.

Most issues come from night time in rooms that do not have open windows. CO2 levels there build up fast and can easily go over 1000 and 2000 ppm. Sleeping with open (or at least slightly open/winter mode ventilation) windows is a must. I would be careful with that during winter months, as some people are prone to catching cold.
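As an added example (not the author’s code, and not anything the Netatmo station exports), here is a small Python script that runs the thresholds from the theory section over a constructed night of hourly bedroom readings: it flags readings that exceed either the ~1000 ppm absolute guideline or the outdoor-plus-700 ppm rule, finds contiguous exceedance windows, and computes how fast the level climbs once the window is closed. The outdoor baseline of 420 ppm and the readings themselves are assumptions for illustration.

```python
"""Check a CO2 time series against the indoor air-quality thresholds from the text.

Constructed sample data: one night of hourly readings from a bedroom whose
window is closed around 23:00 and opened again around 07:30 (assumed values,
not real Netatmo exports).
"""
from datetime import datetime

OUTDOOR_PPM = 420          # assumed outdoor baseline (typical range is 350-450 ppm)
ASHRAE_DELTA_PPM = 700     # rule of thumb: indoor should stay within ~700 ppm of outdoor
ABSOLUTE_LIMIT_PPM = 1000  # common absolute guideline for indoor CO2
SEVERE_PPM = 2500          # level at which the quoted study saw large decrements

SAMPLE = [  # (ISO timestamp, ppm) - constructed readings
    ("2017-03-15T21:00", 640), ("2017-03-15T22:00", 720), ("2017-03-15T23:00", 900),
    ("2017-03-16T00:00", 1180), ("2017-03-16T01:00", 1460), ("2017-03-16T02:00", 1710),
    ("2017-03-16T03:00", 1930), ("2017-03-16T04:00", 2120), ("2017-03-16T05:00", 2290),
    ("2017-03-16T06:00", 2410), ("2017-03-16T07:00", 2560), ("2017-03-16T08:00", 1300),
    ("2017-03-16T09:00", 760), ("2017-03-16T10:00", 610),
]


def parse_series(rows):
    """Turn (timestamp string, ppm) pairs into (datetime, int) sorted by time."""
    return sorted((datetime.fromisoformat(ts), int(ppm)) for ts, ppm in rows)


def classify(ppm, outdoor=OUTDOOR_PPM):
    """Rate one reading: 'ok', 'high' (either guideline exceeded) or 'severe'."""
    if ppm >= SEVERE_PPM:
        return "severe"
    if ppm > ABSOLUTE_LIMIT_PPM or ppm - outdoor > ASHRAE_DELTA_PPM:
        return "high"
    return "ok"


def exceedance_windows(series, limit=ABSOLUTE_LIMIT_PPM):
    """Return contiguous runs above `limit` as (first_ts, last_ts, peak_ppm) tuples."""
    windows = []
    start = end = None
    peak = 0
    for ts, ppm in series:
        if ppm > limit:
            if start is None:
                start, peak = ts, ppm
            end, peak = ts, max(peak, ppm)
        elif start is not None:
            windows.append((start, end, peak))
            start = None
    if start is not None:  # series ended while still above the limit
        windows.append((start, end, peak))
    return windows


def max_rise_per_hour(series):
    """Fastest increase between consecutive readings, in ppm per hour."""
    best = 0.0
    for (t0, p0), (t1, p1) in zip(series, series[1:]):
        hours = (t1 - t0).total_seconds() / 3600
        if hours > 0:
            best = max(best, (p1 - p0) / hours)
    return best


def summarize(series, outdoor=OUTDOOR_PPM):
    """Aggregate the checks a practitioner would want from one night of data."""
    windows = exceedance_windows(series)
    peak = max(p for _, p in series)
    above = sum(1 for _, p in series if p > ABSOLUTE_LIMIT_PPM)
    return {
        "readings": len(series),
        "above_limit": above,
        "fraction_above_limit": above / len(series),
        "peak_ppm": peak,
        "peak_class": classify(peak, outdoor),
        "longest_exceedance_hours": max(
            ((e - s).total_seconds() / 3600 for s, e, _ in windows), default=0.0),
        "max_rise_ppm_per_hour": max_rise_per_hour(series),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_series(SAMPLE)).items():
        print(f"{key}: {value}")
```

With these constructed readings the level crosses 1000 ppm within an hour of the window being closed, climbs at up to 280 ppm per hour, and peaks at 2560 ppm just before the window is opened, so most of the night sits in the “high” band and the last hour in the “severe” one. Swap in your own station’s export to see how your bedroom compares.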

Office workers have it harder because keeping windows (if any) open will not be enough for meeting rooms full of people. That’s where ventilation systems and experts come in. And that’s why most offices have these shiny silver pipes hanging over your head or built into ceilings/walls/floor. I would avoid small meeting rooms filled with people on several hour meetings.

Finding a balance on how much fresh air is needed and how often to ventilate is individual.

I’ve found that Netatmo Weather Station helped me wrap my head around this subject and improved my habits. And if these habits make me more healthy and productive in the long run – all the better.

PRINCE2 Practitioner

Just last month I attended the PRINCE2 Foundation training. It seemed a bit too early to go ahead with Practitioner, but I’m glad I did.

Intro

I’ve had an opportunity to attend the second part of PRINCE2 (PRojects IN a Controlled Environment, version 2) training a bit sooner than I felt comfortable with. I didn’t get much time to put the theory from the Foundation training into practice at work, so I felt a bit skeptical at first. But after some consideration I decided to go ahead with it. After all, it’s not like I could say that 6 months would pass and I would surely take this training then.

If you do not complete your pre-course work (especially the sample Practitioner exam), your chances of passing the exam are significantly reduced.

Here is a time-frame estimation, which may assist you in planning and carrying out this pre-course work.

  • Reading the PRINCE2 manual (2009 edition) – 7 days
  • Reading ‘PRINCE2 Practitioner exam candidate guidance’ – 1 hour
  • Taking and analysing the ‘PRINCE2 Practitioner sample examination’ – 5 hours

The pre-course materials were not as bad as the foundation ones. Only 80 pages vs 160 pages.

As the annotation says – do not skip the preparation material, especially if it’s been a while since your Foundation training. Refreshing your memory with the Foundation manual is a must as well.

As for myself – I took the risky approach of not reading those, because my previous training was so recent – one and a half months ago.

Instructor

I would have loved to have had the opportunity to learn from another, new instructor to compare the teaching approach. But we had the same instructor as last time.

A Polish instructor with extensive experience (over 25 years) both in practical and theoretical aspects of Project Management.

Because of his language, manners and structure of speech a non-native English speaker could confuse him with a UK citizen.

You could easily tell he has been doing “this” for a long time now.

After the second training I would summarize that he’s a good and knowledgeable instructor, but not the “I was born to do this” type.

PRINCE2 Practitioner Training

PRINCE2 Practitioner is a 2 day training course with the exam at the end of the second day. Training was as intense as the Foundation one.

There was no time to talk about PRINCE2 theory, it is assumed you know it. Good thing I took the training so soon after completing Foundation.

We’ve jumped straight into practical tasks, sample exam and exercise papers.

The PRINCE2 2009 manual is obligatory both for the training and the exam. You consult it frequently when answering the test questions.

Homework is a test exam – 80 questions, 55% passing score (44 questions). It takes ~2 hours, depending on pace and desire to dig into the rationales for detailed explanation of the questions.

Training experience was challenging and fun.

PRINCE2 Practitioner Content

Only practical exercises, test exam questions and a lot of PRINCE2 2009 manual reading. No new theoretical knowledge, you’re presented with different scenarios and apply your existing experience to answer the questions.

Scenarios and test exams are very relevant and similar to what the real exam looks like.

There was only one thing about the test exams and the course content that put me off. One specific type of question is structured extremely poorly.

Here’s an example. One question. 6 marks. You have a list of items from 1 to 6. And answers from A to F. Answers represent the correct sequence in which items must appear. Sounds easy except answer A states – “not present in the sequence, can be used once or more or not at all”. Answer B – first, C – second and so on. So imagine if you have several items from the list that do not apply to this sequence at all.

I have never seen questions structured in such a poor way. It’s the only instance when I felt that the training institution is bent on making you fail. Good thing none of these questions were in the final exam.

PRINCE2 Practitioner Exam

Exam is 150 minutes (+30 minutes if taken in a non-native language or because of a medical condition). For most of our group, including myself, it took every minute of those 3 hours.

It is allowed to use the manual during the exam, but the time constraints do not allow you to sit around and read too much.

Trust me –  if it’s your first PRINCE2 Practitioner exam – you literally cannot pass the exam without the manual. Unless you know all the management products by heart – their content, structure, headings and nuances. And roles, and themes, and recommended techniques, and processes, and activities.

And let’s not forget the sticky notes. You have to be very experienced and fast when using the manual during the Exam. There is no time.

PRINCE2 Practitioner sticky notes prep

As a bonus pro-tip – here are the resources I’ve used to pass the exam.

PRINCE2 Practitioner fuel resources

Conclusion

Overall I feel that the content of the training and exam is highly relevant to everyone looking to expand their understanding of best practices and methods for project management.

I’m positively impressed by the complexity level of this training and exam. It keeps you on the edge. It makes you feel unprepared and out of your comfort zone.

I had a nostalgic feeling, feeling like a student, feeling like I’m missing something and should be catching up as soon as possible.

I’ve passed the exam, but I never knew how well I did before the results were announced.  It was great.

PRINCE2 Foundation

I attended Prince2 Foundation training last week and want to share my experience and impressions.

Intro

A bit of background story first and what the Prince2 is about. PRojects IN a Controlled Environment. Prince. Version 2.

Prince2 is a methodology (not a method, but a science! – as some sources love to point out) for Project Management.

Now, what’s a project – it’s any organizational change aimed to achieve a set goal. Quite sure, there are better definitions out there, I want to avoid copy-pasting them from Wikipedia.

Prince2 can be applied in any industry, in any area. Not to be confused with ITIL (Information Technology Infrastructure Library). ITIL is a set of best practices and rules for managing services (mainly tuned to IT needs).

Prince2 loves to draw attention to the fact that its language, practices and principles are precise and are not to be compromised.

Communication has to be structured and worded in a clear and precise manner, much like legal documents.

Prince2 Foundation is a basic training, it’s about theory, definitions and understanding the approach. There’s also the Prince2 Practitioner level that I will not be talking about.

The instructor

We had a Polish instructor with extensive experience (over 25 years) both in practical and theoretical aspects of Project Management.

Because of his language, manners and structure of speech a non-native English speaker could confuse him with a UK citizen.

You could easily tell he has been doing “this” for a long time now.

The training

The course itself is 3 days, 8 hours each day with very few coffee breaks and almost non-existent lunch.

There’s also homework. Which typically will take from 2 to 3 hours after each day, depending on how deep you want to dive in.

And there’s the 160+ pager pre-course material. I would say that at least browsing through it is a requirement. The course is rather time-constrained to do it after training.

I’ve browsed through several Prince2 quick-introduction videos on youtube before the course started to get a basic idea of what’s going to happen. I highly recommend doing that for everyone who wants to attend.

The content

Prince2 requires a set of principles to be met for any given project to be called “Prince2 certified”. There is no compromise here. 🙂

There is no democracy in Prince2, all roles have strictly defined responsibilities, only one person is accountable for the overall success and failure (which may come as a surprise, but some other project management methodologies seem to miss this out) of the project – executive.

There is a strict hierarchy established for each project.

Acceptance criteria and acceptable “levels” of delivery are defined at project initiation, monitored and controlled throughout the whole cycle.

And one that might come as a surprise – projects have a fixed end and a start date. They are temporary, not perpetual.

The exam

Exam is 75 theoretical questions with 4 choices. Closed book exam, pencils. You have to colour in the right oval on a separate paper and you have to do it right.

Standard time is 60 minutes. 15 minute extension is granted to non-native speakers.

Time is tight, I’ve finished my paper and passed the exam in 57 minutes after all the checks.

Questions are tricky, although the official exam statement states precisely the following – “there are no trick questions”.

Questions are tricky in the sense that you have to pay attention to details, read and precisely understand what is required. Those 15 extra minutes are very welcome for non-native speakers, as I had to re-read questions multiple times.

On average 80% of the people pass the exam; you need only 35 correct answers out of the 70 that count (5 random questions are experimental and do not count). It’s not as bad, but not easy. Just the perfect amount of a challenge.

Conclusion

I’ve enjoyed learning about this methodology and recommend attending the course. Some information there you intuitively know from experience and seeing it mentioned in a strong reference material certainly boosts your confidence and gives you the much needed foundation on what you base your work on.

You may or may not use the best practices described in Prince2 – it’s your own choice. But I have come to think of these as a set of rules written from other people’s mistakes and failures, but also good experiences and successes.

Much like the road traffic laws where each line is written with blood. I’d rather not test every single line and rely on a proven approach.

TechDay 2016 Riga

Intro

Had the pleasure to attend a Microsoft TechDay 2016 Riga event this year. Haven’t been there since 2012 (described here). Let’s see what’s new.

The highlight (pinnacle I would even say) of TechDay 2012 was the security lecture by Paula Januszkiewicz and me winning a laptop bag and an MS t-shirt.

This year was different. I did not win anything. The standard non-discount entry fee was 169 EUR and it just didn’t feel like I got my bang for the buck. More details below.

The Microsoft TechDay agenda is linked here, and just in case it’s here too: TechDay 2016 agenda LAT. The real agenda, printed on the badges, is here. The real real agenda was printed in the presentation slides themselves. For example – I’ve been wondering how Marin Frankovic would fit the whole Microsoft Enterprise Mobility Suite discussion into 55 minutes. Well, he technically did, but only by doing a high-level review and focusing on Advanced Threat Analytics (which analyzes your domain controller traffic and tracks patterns).

Events

I’ve been hopping between IT Managers and IT PROs tracks and attended the following presentations:

  • Keynote for IT PROs, Future of Datacenter, George Dobrea, MVP Romania
  • IT Managers, O365 Roadmap: Digital transformation is hot topic – how can you utilize it? Where to start such journey?, Tomaz Valjavec, Enterprise Solution Specialist, Slovenia
  • IT PROs, Mobility EMS, Marin Frankovic, Technology Solution Specialist, Croatia
  • IT Managers, Project and Visio, Livia Barcsay, Microsoft consultant, Hungary (this got switched in time slot with the next one due to logistic issues)
  • IT Managers, Windows as a Service: creating strategy for workplaces, Goran Medic, Windows Technical Solutions Professional, Croatia

Subjective opinion starts now – the keynote for IT PROs was mostly focused on new functionality of Server 2016 and there is not a lot there, so it was a bit off for me. PowerShell direct (yay!), console unification (yay!), azure stack (or just new web interface for azure management console, yay!), TPM devices in servers (yay!) and so on. I was not impressed. Too much desperate selling.

The O365 road-map lecture was a pleasant surprise – a very non-intrusive talk for non-technical people about how they can adapt to a modern world where companies that embrace the cloud, modern technologies and Microsoft stampede over slow people. Gartner magic quadrants were included and abused. A story about a customer adopting Yammer for daily awards and activities, and a demo of some pie charts you can get by using Microsoft Delve to analyze your Exchange mailbox and calendar, count how many meeting minutes you’ve wasted, and other cool things. The presenter was great; one of the better sessions of the day.

IT PROs, Mobility EMS – A considerable amount of time was spent here to convince people of how insecure their network is and how credential theft and sales are blooming and posing an immediate threat to your enterprise, buy Microsoft Advanced Threat Analytics now. Too bad they’ve mixed up the naming for the agenda and the actual presentation. I would not attend this for one product review.

The Project and Visio session was a pleasant surprise! They switched the presentation timing and it was moved up before Windows as a Service. Surprisingly it was one of the better lectures of the event. I’ve learned that Microsoft PowerBI is good old Excel charts that you pay for monthly per user as a Microsoft subscription cloud service. Some cold reality checks were included, for example – you should probably master pivot tables in Excel and at least know how to configure data sources in the modern world if you need those reports (or break your piggy bank paying developers each time you need something). The speaker was great.

Windows as a Service mostly focused on giving a glimpse on how Microsoft’s patching and release cycle will look for future Windows versions. How it is recommended to use those versions depending on your organization type and other interesting facts. Charismatic speaker, even though the lecture was about basic things it was captivating (everyone can relate to Windows).

Conclusion

Other than the lectures there was plenty of time to socialize, meet a lot of people and enjoy the atmosphere.

TechDay 2016 Riga was OK for me. 2012 was more breathtaking and fun, I would not pay again for 2016 event.

Notes for next year – attend lectures for technologies you have completely no clue about, because if you’re already a more-or-less expert in the field there are few things to pick up, except business cards.

System management platform from Panda – Fusion

Intro

It’s been a while since my last post.  I’ve been asked to look into Panda’s product for System Management – I jumped to the opportunity to share my findings.

Panda Security SL, formerly Panda Software, is a Spanish computer security company founded in 1990 by Panda’s former CEO, Mikel Urizarbarrena, in the city of Bilbao, Spain. Initially producing antivirus software, the company has expanded its product range to include firewall applications, spam and spyware detection applications, cybercrime prevention technology, and other system management and security tools.

I will briefly look into the System Management platform from Panda. Panda Fusion (Panda Cloud Fusion) is about managing enterprise devices, policies, apps and security. Much like Microsoft Intune and the Enterprise Mobility Suite. Or not.

All-in one device management solution sounds great, but in practice I’ve found that there are none in the market that do the job right.

How many working cross-platform management solutions do you know? Even a giant like System Center (SCCM) doesn’t work as well on Macs (you’re purchasing an extension to make it work – Parallels Mac Management) and after seeing how Intune aligns between platforms, my expectations for this were quite low.

The unification challenge becomes immensely complex if you take into account all the major platforms, their requirements and differences –  Windows, Macs, Linux, Android, iOS and Windows ARM architecture. Can Panda do it?

This is a high level overview and impression about this product, no deep technical dives into mechanisms and ways to deploy apps, settings and policies.

Panda solutions – editions and pricing

Let’s start with Edition comparison. It’s sales information heavy, the conclusion I get from this is that if Device Management is needed – you need the Fusion product.

Pricing is a complete mystery: there’s no pricing calculator available (or it’s hidden very well), and there is no support contact where you can ask about pricing. The community board doesn’t seem like a good communication channel for this. I got only as far as seeing this purchase order for 10 licenses (or more): ~70 EUR per year for 10 devices, which I read as 7 EUR per device per year, ~0.58 EUR per device per month, and that would compare favorably to Intune or the Microsoft EMS Suite. (Apr 2016 update: I’ve been corrected, it’s 70 EUR per year per one device, so the monthly cost per device is ten times higher and nets ~5.8 EUR per device per month. This does not compare favorably with Intune (5.5 EUR per month) or EMS (8 EUR per month per device).)

I haven’t been able to find a contact to get pricing for enterprise customers, partners or re-sellers.

Free Panda Fusion demo

After browsing the website for some time I’ve signed up for a free demo.

The management console is web based and accessible with a variety of browsers. There are separate consoles (websites) for EndPoint Protection Plus and Systems Management.

The console itself is more or less OK. For System Center Configuration Manager guys the technology looks a bit different, but you can get used to that.

The Mobile Device Management (MDM) component I had particular interest in seems a bit outdated.

The mobile device client capabilities and review numbers are few.

Ticket support is built into the Windows client.

Conclusion

Pros

All in-one solution for smaller enterprises and companies, includes AV, updates, policies, integrated remote assistance tools and even basic incident management and ticket handling (!!!)

Cost. But you get what you pay for. (Apr 2016 update: I’ve been corrected and this is no longer a PRO, as the cost is comparable to other major solutions).

Cons

A niche solution, smaller community, limited support

Platform support (no Windows Mobile)

Limited management capabilities for mobile phones. Almost none – no way to deploy apps, limited number of configuration policies, no way to reset only company data on phone (a complete phone wipe is needed), no policies for phone storage encryption.

Hard to troubleshoot and operate, for example – there is an option to upgrade the AV agent on enrolled device to System Management Agent. Of course it does not work even after several days and there’s no obvious way to find out why.

Building a Silent mini PC: What can go wrong

Intro

There are a lot of great resources that have detailed guides on how to choose PC components, a bit less great resources on how to choose quiet PC components, but are there any resources that explain to you and guide you through the “What can go wrong” question every silent/quiet PC builder should ask himself? Now there is.

My previous post “Building a silent PC” from two years ago covers my first experience and go at trying to cut down the decibel levels of a home PC build.  The statements in the previous posts are still valid, but I’ve decided to take another go at building my own quiet PC that can potentially handle games in 2015+.

Over the years I’ve grown rather indifferent to the standard PC cases and super gaming xxx, yyy, zzz cases and builds that are chasing that extra theoretical maximum output performance gain of 5% by sacrificing living space, thermal and heat considerations, noise levels and family budget (like this guy here – [Build Complete] $6,000 budget. New job where I’m not on the road, so it’s time to ditch the laptop for a proper gaming rig).

Nowadays you can get all the information/internets you need with a 5+ year old notebook and a phone (have we stopped calling them smartphones yet?). One of the big cash cows for the PC market is probably your typical enthusiast/gamer – with overclocked components, gaming versions of this, gaming versions of that. Makes me wonder how long the home desktop PC industry is going to last.

Build concept

“Build” is a pretty fancy word, in reality it mostly boils down to choosing the components available on the market, it’s not like you will be able to stick things in the incorrect slot, or would you?

Some side info – one of the things that did get me excited recently was this custom-made build of a gaming home PC from a while back. Looks extremely nice if you have your underground basement/cave sort of thing in your home, that and an agreement between you and your spouse about non-eviction if this shows up in the living room.

Not something I would want, but it does look geeky and cool. One of the most memorable builds that I’ve seen recently.

Getting back to my stuff – the thing that made me want to consider building a silent PC this time was this product by Fractal – Node 304. This is more or less how my mini station will look.


Specifications

  • Mini ITX, Mini DTX motherboard compatibility
  • 2 expansion slots
  • 6 – supports either 3.5″ or 2.5″ HDD / SSD
  • ATX PSUs, up to 160mm in length (To fit in combination with a long graphics card, PSUs with modular connectors on the back typically need to be shorter than 160 mm)
  • Graphics cards, up to 310mm in length, when 2 HDD slots (1 HDD hanging bracket total) are removed (Graphics cards longer than 170 mm will conflict with PSUs longer than 160mm)
  • Tower CPU coolers, up to 165 mm tall
  • Case dimensions (W x H x D): 250 x 210 x 374 mm
  • Case volume: 19.5 Liters
  • Net weight: 4.9 kg
  • Colors available: Black and White

Previously I wasn’t really keeping my eye on the Mini ITX, small form factor market at all. Maybe I didn’t even care, maybe the market wasn’t mature enough to have a solution for quiet, gaming small form factor builds, maybe something else.

This time I’ve decided that a big, fan blowing ATX tower was no longer something I want. I didn’t want to vacuum under it and dedicate living space to it.

Turns out you no longer have to have a gigantic thing standing in your room to actually enjoy playing a game or two.

Having something compact and completely silent and running on the newest hardware possible seemed like an appealing thought, so I gave it a go.

ITX are the future “console” PCs (or anything else, really)

Inspired by the “Quiet Mini-ITX Gaming Build Guide” series I’ve drafted up my components list.

Case: Fractal – Node 304 – is the reason this build exists. There are quite a few worthy alternatives and beautiful cases out there, be sure to check them! But I didn’t want a gaming PC case or an office thin PC (I wanted a microwave); I wanted something with a cool design, big enough to work as a NAS device in its afterlife and something that would potentially complement the interior of my living space.

What can go wrong: wrong airflow, which leads to higher heat for PC components, more noise and less durability. Vibration sounds because HDD or other component mount locations are cheap and low quality. Built-in cheap power supply units that sound like a tractor, or even worse – a PSU with a very narrow input voltage specification (235–240 V AC!), resulting in loss of power/restarts/burned motherboards and other components. Or your case will look like something from the 1990s.

CPU: Intel Core i5 6600K / 3.5 GHz processor – Skylake it is. As pathetic as this generation of Intel processors is in terms of performance and functionality gains (would you really switch your previous platform for a theoretical maximum of 5-7% under load tests?) – it wins the choice once again because the price is the same (+-) as for the Intel Core i5-4670K.

I would really, really, really like to buy an AMD PC (root for the underdog to avoid monopoly). But their Thermal Design Power (TDP) is through the roof, requiring more electricity, better cooling and generating more noise. After so many years they’re still in the budget PC build market, which is regrettable.

My choice here is dictated not by OC needs or any other things like an extra 100 MHz, but just getting the top of the line i5. Worthy alternatives are i5-6600/i5-6500 (they do come with a stock cooler unlike the K series), other ones down the line lose too much clock speed.

What can go wrong: You can buy something that heats up like crazy and makes your cooler punish you with uncomfortable levels of noise. You can buy an i7, because it’s an i7 and “faster” (without listing specific applications it’s hard to tell if they will utilize multiple cores; by default they don’t, or the performance increase is not worth it, with some notable exceptions like video editing), you can buy something for the wrong socket. Come to think of it – the K series is clearly a marketing trick too, because if you truly want value for money and don’t want to pay for having the option to overclock (yes, that’s exactly what the K series says) – consider something like the Intel Pentium G3258 that is a bargain (~74 EUR) and can OC to 3.8 GHz with a stock cooler and even higher (think 4.2 GHz+).

Cooler (what I got): Scythe Katana 4 – on paper it’s very similar to my first cooler choice with some minor differences – the mounting/installation is considerably easier, it fits into my motherboard and at higher fan RPM it’s slightly louder than the EVO (most people will not notice this), but at the loads I’m running, with the correct tuning of the CPU fan profile in the BIOS, it’s inaudible.

Cooler (did not fit into this specific motherboard): Hyper 212 EVO – wins again, been using this one for the past 8+ years. Quiet and fits my requirements. What’s surprising is that it fits inside the case, but be sure to use low-profile memory just in case. I don’t OC my PCs typically, so if someone really wants to achieve a balance of maximum OC + silent operation – there might be more expensive candidates that can do that for you.

Hyper 212 EVO

What can go wrong: Getting a non-stock cooler if you’re using a standard size case and don’t plan on overclocking. Most stock coolers are sufficient, unless there are specific noise or temperature concerns. Although in the latest i5 Skylake series Intel decided to remove the stock coolers from K “multiplier unlocked” processors (bumping cost even further) and increased their standard cooler heat-sink size quite significantly (probably to compensate for the increased built-in power and performance of the graphics chip; the Skylake one is on the left):

skylake_stock_cooler

Water cooling is a big no-no because of form factor, general loudness of the water pump (unless you specifically want to tune it and tie it down with elastic cords, ropes and Scotch Magic tape), maintenance and costs. One exception would be the aesthetics and looks (the wall mounted pic above) or some very, very high cooling requirements (tri/quad SLI (Crossfire) or high end SLI (Crossfire)). Something to watch out for is the cooler dimensions vs what your case is designed to hold. This is critical for small factor systems and not so much of a hassle for big tower ATX builds.

This pic is “water cooling inside”:

final04

Memory: HyperX Fury Black Series 16 GB (2 x 8 GB) 2133 MHz DDR4 – I’m not an overclocking fan and memory choice should still be based on the following principle – lifetime warranty + cheapest possible. The only exception in this case is the concern for the cooler fan blocking or somehow not fitting if the memory slots are too close to it. That’s why I’ve decided to go with a low-profile memory type. 16 GB or more can only be explained if you require multiple (really multiple, not just 2-3) Virtual Machines running. Turns out – I do need that for some of the lab and demo environments. Standard gaming builds should never have more than 8 GB. 4 GB are for office worker builds.

What can go wrong: Not much, except maybe buying and overpaying for an overclocked memory chip that will never give any performance increases outside of lab stress tests. Most people don’t realize they don’t need more than 8 GB of RAM.

Motherboard (what I got): Z170I GAMING PRO AC – some major availability issues caused me to look into this option. It has nothing worthy to justify the price increase as most “gaming” features are essentially useless. One thing to watch out for here is that the supported M.2 slot does not support the 2280 size (“The M.2 slot is on the bottom of the motherboard, which supports 4.2cm/6cm length module only”). Otherwise it’s a solid board, like many others on the market.

Motherboard (what I wanted): Gigabyte GA-Z170N-WIFI (Z170) – could have waited for a more budget oriented release of the LGA 1151 boards on H110 (only has PCI-E 2.0), B150, Q150, H170, Q170 chipsets, as the gains from buying the expensive versions are few and far between, but this wasn’t a factor for me. Refer to this table if not sure – https://en.wikipedia.org/wiki/LGA_1151. The thing that I liked about the board was the two NIC ports (but again – nice to have, never use kind of thing). Oh, it does have the new and hyped M.2 port.

What can go wrong: Overpaying for unused features would be one thing. After many years it’s still hard to state which company makes the most reliable motherboards on the market, so having a solid 3+ year warranty from the vendor is always highly recommended. Understanding your system build requirements and matching the functionality of the case and system board are important as well.

Storage: Crucial CT250MX200SSD6 M.2 Type 2260DS MX200 250 GB Internal Solid State Drive – hardly anyone buys a PC without an SSD disk nowadays. What I found is that 60-90 GB of SSD storage is what I typically end up using on my system for frequently accessed files and high speed read/write where it matters. After that the SSD is chosen on the best value principle. With modern technologies and vendor specs SSD disks are almost eternal under normal (business, home and games) use. Something to watch out for is the form factor, for my board it has been limited by specifications (2240 or 2260). Although the level of performance here is “only” SATA 3.0, considering my case choice I will only be using one HDD drive bay, which will free up space for those annoying wires from the non-modular PSU. The M.2 disk will be mounted on the back of the system board.

storage

What can go wrong: Buying the PCI-Express M.2 for “performance”. Not considering that PCI-E M.2 drives heat up like crazy, especially if mounted on the back of the m-ITX board. The temperatures may go from 80 C to 100 C (especially if mounted on the back). Performance throttling will come after a certain point too.

Buying too much storage to “future-proof” (there’s no such thing, don’t invest in depreciating assets). Buying the wrong M.2 storage type. Buying ultra fast PCI-Express because “benchmarks!”. Making a RAID-0 configuration with your SSD drives to make that HD Tune screenshot.

Storage: WD Red 3TB for NAS 3.5-inch Desktop Hard Drive x 2 (two) – Hype aside. Two disks were chosen because I need a mirror for home data; restoring lost data is expensive and additional stress. My current storage requirements range somewhere from 1.5 TB to 2 TB. Those include photos, videos, virtual machines, ISO files and the like. The logic here is that this case + storage will have an afterlife as a home media server/NAS. Disks were chosen not because they’re advertised for home NAS use, but because of the following table from a resource I trust, and they have a wonderful review of these drives.

storage_hdd

What can go wrong: Bad HDD series (over the years almost every vendor had those), short warranty, vibrations and noise, mechanical clicking. At this point my only concern is the annual drive failure rate for these is rather high.

hdd_failure

Video: Asus Nvidia GeForce GTX 970 Strix Graphics Card (4GB, GDDR5, PCI Express 3.0) – once again I would gladly go with an AMD product, but those have the same pitfalls as their CPUs – too much heat and too much noise. The ASUS card is widely regarded as one of the better ones on the market; not looking into the performance features, I’ve been sold by these two graphs. 29 dBA under full load is very acceptable, with sufficient cooling the noise is 0. For 1080p games the GTX 960 is a very viable option too. Depends on the resolution and amount of cash one is willing to spend.

gpu_asus

What can go wrong: Buying something terribly overpriced at the level where diminishing returns kick in (GTX 970 is on the borderline level, some would argue that it’s already too much). Buying something that does not work at the resolution you play at. Planning to buy a second GPU after a year for your SLI/Crossfire configuration (this never works). Buying based on performance charts only, ignoring noise levels and heat. Not looking at size and dimensions when building for small factor systems.

Power Supply: be quiet! BN232 – BeQuiet Straight Power 10 600W ’80 Plus Gold’ Power Supply – It’s a German manufacturer who are/were re-branding some Seasonic products. My first choice was a Seasonic G series something, but they weren’t available. A modular PSU needs to be shorter than 160 mm to fit inside my case of choice and there are only a few manufacturers in the world that offer that (technically there is a workaround which involves two-sided adhesive tape and some “tuning” but I decided against it). None were available, so I went ahead with a non-modular one.

600W is overkill for my system; if I had a choice in the matter I would have gotten a 500W instead. In addition to being gold certified these power supply units are known for quiet operation (surprise!) and even list it properly in the specifications:

Maximum theoretical stress test power draw of my system would be something like this:

CPU (non-OC) – 80W, CPU (OC) – 100W, Video – 175W, HDDs – 2 x 5W = 10W, Fans and others – 10W

Total: 275W, which is about 50% PSU load – the most efficient and recommended load for most PSUs on the market:

To add to the above – my previous build featured a PSU from the same manufacturer and I’m extremely happy with its performance – it’s silent.

psu

What can go wrong: One story which I really liked was about a PSU with a ~500W specification, but only at a working temperature of 25 C. Have you ever had any component in your system work at 25 C? I consider my current PC to be efficiently cooled and I don’t have a single component that is at 25 C. Read more about vendor tricks here.

Another subject is fan-less PSUs which cost a premium, but are advertised as 0 dBA. The bad side here is coil whine which plagues these units – “This is my fanless Seasonic X-460FL2 Platinum certified power supply. It cost twice as much as a good 80 Plus Bronze PSU, but I happily paid that expecting total silence. Unfortunately, it makes a constant buzzing noise that becomes worse under load. It’s actually louder than my old PSU which had a fan. A passive power supply is louder than a fan-cooled one!”

Sound: Microlab H-50BT 2.0 Speakers with NFC & Bluetooth – After having Logitech Z-4 speakers for the past 10 years (it’s been exactly 10 years) I am not qualified to be called a golden ear, so after doing some reading on this subject the universal formula for any sort of PC sound is this – get 2.0 bookshelf speakers and an external cheap amplifier, avoid cheap 2.1 systems. A list of recommended speakers for purchase is located here (mostly USA and Canada markets). For Europe it’s a bit trickier and my choice here was based on recommendations by friends and general goods availability. So options might vary.

speakers

Final list

Fractal – Node 304
Intel Core i5 6600K / 3.5 GHz processor
Scythe Katana 4
HyperX Fury Black Series 16 GB (2 x 8 GB) 2133 MHz DDR4
Z170I GAMING PRO AC
Crucial CT250MX200SSD6 M.2 Type 2260DS MX200 250 GB Internal Solid State Drive

WD Red 3TB for NAS 3.5-inch Desktop Hard Drive x 2 (two). If mirror and data safety is not a big concern, a 1 TB will do – WD Red 1TB for NAS 3.5-inch Desktop Hard Drive, but I highly recommend skipping a HDD altogether and getting a separate NAS if aiming for a completely silent experience + the additional airflow and cable space in the case will help.

Asus Nvidia GeForce GTX 970 Strix Graphics Card (4GB, GDDR5, PCI Express 3.0)

be quiet! BN232 – BeQuiet Straight Power 10 600W ’80 Plus Gold’ Power Supply. A good alternative is the 500W one – BeQuiet Straight Power 10 500W. Modular PSU from this company will not fit the case without extra hassle and two-sided adhesive tape. This vendor is a solid choice as well – Seasonic S12G-550 550W 80+ Gold Certified Wired Power Supply, non modular.

Microlab H-50BT 2.0 Speakers with NFC & Bluetooth

Tests and feelings

These are my general observations; running synthetic tests, squeezing in an extra 2-3 FPS or CPU clock here and there and publishing charts is mostly pointless, as there are countless professional websites that do that.

My first cooler choice – “Hyper 212 EVO” did not fit because the motherboard has a chip that’s blocking one of the cooler’s mounting legs placement. More details in these photos. The Z170I GAMING PRO AC motherboard is not made for backplate mounting CPU coolers, only for push pins. The motherboard manufacturer assumed that only small coolers will be used.

A minor thing – “Scythe Katana 4” default cooling profile is not optimally tuned for passing Prime95 load tests, but it is quiet and works great under typically heavy loads.

A minor thing – cabling from non-modular PSU is sitting on top of it, blocking some airflow from both the front case fans and PSU fan. A solution that’s definitely not for transparent cases with lots of overheating components.

Asus Nvidia GeForce GTX 970 Strix Graphics Card (4GB, GDDR5, PCI Express 3.0) – is the component that caused the most issues for me. The fan noise on “load” is loud without extra configuration. It goes like this:

30% is almost inaudible for me

At 33% – it’s pretty OK, I can live with that

39% – noticeable

40% – noticeable and uncomfortable

49% – my ears start to bleed

65% – can be audible from the next room

75%+ – apartment explodes (no joke, it competes with a vacuum cleaner)

And this is one of the most “silent” models out there for this GPU. It’s hard for me to imagine what other brands and products do with acoustics.

The good side – fans do not spin at all (0 dBA) until a certain load. This is good if you’re not loading the GPU, but becomes a problem if you decide to, because to compensate the default “fan profile” goes full out and you’re stuck in a loop of very noisy/silent/very noisy/silent and so on. So instead you have to manually tune it and make the fan spin up as the temperature goes higher:

sample_fan_config

This can be done both with Asus GPU Tweak and MSI Afterburner software.

Microlab H-50BT 2.0 Speakers with NFC & Bluetooth. Sound is something that is commonly overlooked in PCs, having tested out those speakers I would say that they are good to get basic levels of surround and immersion. An amplifier is probably recommended for this. The difference between these and my previous 10 year old 2.1 Logitech system is very noticeable for me.

Conclusion and final thoughts

The non-GPU intensive performance is silent. No spinning fans on video, case fans on minimum. Pleasant experience. The quietest PC I’ve had.
HDDs are good. 5400 RPM is sufficient for typical desktop tasks.
M.2 SSD has slightly higher temperatures (but not as high as PCI-E ones go) – ranging from 37 C to 50 C. By vendor specs it works up to 70 C.
The case looks nice and pleases me. 😉
Idle temperatures are good; even under load with the tuned fan profile settings the GPU does not go over 65 C (in heavy graphics and games it averages out at 54 C for me) and the processor is typically 45 C max. You can feel the cool air coming from the case side panel where the GPU is, which was really surprising for me.

idle_temperatures

The only component that is rather questionable is the GPU. The industry is in a rather sad state when they push chips performance to the maximum to get favorable reviews, but they sacrifice silence, form factor and sometimes require fans of the video card to be extremely loud (vacuum cleaner or washing machine level of noises). This is compounded by releasing driver patches for “optimizing game” performance. What is this? Why isn’t it released to all the games then? Both game developers and chip manufacturers have a lot to consider.

Highly recommended resources

silentpcreview.com – professional, objective and quality++ content, not just copy-paste from your typical hardware review aggregator. The best.

http://www.techpowerup.com/ – these guys have a well defined testing process with metrics on anything you can possibly want to know – noise levels, performance, specs and more.

ChooseMyPC Build Generator – name says it all. cons – mostly only for USA/CA.

https://pcpartpicker.com/ – neat interface, reviews and some extra nice features, cons – mostly only for USA/CA.

Node 304 owners club – title says it all.

https://www.reddit.com/r/buildapc/ – reddit sub for PC builders and the like.

Revisiting Microsoft Intune

With Microsoft’s Enterprise Mobility product suite getting more spotlight and popularity recently, I’ve decided to check out how the Microsoft Intune solution looks and whether anything has changed over the past n years.

Product line is mostly targeted at SMBs, but gets larger companies and enterprises on board because Microsoft Intune is the only product that MS has that covers management of mobile devices, so this is where the SCCM connector comes into play.

So, finally, with the brand new naming and concept Microsoft is somewhere on the magic quadrant radar.
magic-quadrant-emm-2015.png

The scenario I’ve been interested in is complete cloud management of company’s devices without any investment into local on-premise infrastructure. I left the SCCM connector and on-premise AD sync out of scope for now.

There are quite a few details and screenshots in the below sections, so if you have no interest in these – skip to the overview and some pricing details.

The details

Windows 10 has some out of the box features to let you associate your device with your workplace/company account. So I went ahead and gave that a try. The whole process is about 20 steps including an identity verification, setup of a “work” PIN and several SMS messages to confirm your “identity”.

The work account should be pre-created in your Microsoft Intune portal. To make things easier for users – obviously a custom domain name would be highly preferable.

win_10_002 win_10_003 win_10_004 win_10_005 win_10_006win_10_007win_10_008win_10_009win_10_010win_10_011win_10_013win_10_014win_10_015win_10_016win_10_017win_10_018

Thoughts so far

Tired, yet?

So in the end you are logged in with a “cloud”, non-local username who is an admin on the newly provisioned device. All local users are disabled.

I think it’s amazing that there’s no need for any kind of infrastructure and you still get identity and password management for your users, access controls, all the good things.

win_10_019

The other thing that is needed is enrolling your device. This can be done in a number of ways (including embedding it into the OS image somehow or silently configuring the client installation and enrollment through command line parameters). I’ll be going through the manual way below, which is a bit lengthy.

Then you fire up either Microsoft Edge or Internet Explorer and navigate to https://manage.microsoft.com. The nice part is – you’re automatically logged in and redirected to your company website (SSO!). Here you can “enroll” your device to Microsoft Intune.

win_10_020

What’s weird – there’s no obvious button to enroll your device. So you have to “investigate”.

win_10_021

win_10_022

win_10_023

win_10_024

win_10_025

win_10_026

win_10_027

win_10_028

win_10_029

win_10_31 win_10_32

After quite a few steps your Windows device is finally “enrolled” with Microsoft Intune! There are a few optimizations that can be made, such as – installing the client silently via scripts or GPOs (if you’re in an enterprise environment):

Windows_Intune_Setup.exe /?

Tool Usage:
Windows_Intune_Setup.exe [/Quiet]
Windows_Intune_Setup.exe /Extract <destination-directory>

/Quiet          Used to run enrollment package installation in quiet mode.
/Extract        Used to extract enrollment packages (Windows_Intune_{X86,X64}.msi)
destination     Specifies the directory for the extracted package.
/PrepareEnroll  Used to prepare the reference machine for automatic enrollment after Windows Setup.

When executed with no switch specified, enrollment package will be run.

e.g.:- Windows_Intune_Setup.exe
e.g.:- Windows_Intune_Setup.exe/Quiet
e.g.:- Windows_Intune_Setup.exe/Extract %temp%
e.g.:- Windows_Intune_Setup.exe/PrepareEnroll

The client itself silently sits in the Windows Tray and has some basic functionality.

win_10_65

The Mobile Client for comparison:

Screenshot_2015-09-17-10-39-42

After that you jump to the Administration Portal to check what kind of reports and configuration options are available – https://manage.microsoft.com. You can further customize your company portal as well.

win_10_64

The bad –  the amount of policies for devices is not even close to 5% of what Group Policy Management has. That’s not all of them in the screenshot, but you can get the general idea.

There’s also a new OMA-URI Settings policy format, which will most likely be expanded in the near future – “This topic lists the settings that you can configure for Windows 10 and Windows 10 Mobile devices in a Microsoft Intune Windows 10 Custom Policy.“:

Example:

Both
URI full path: ./Vendor/MSFT/Policy/Config/WiFi/AllowInternetSharing
Data type: Integer
Allowed values:
0 – Do not allow Internet Sharing.
1 – Allow Internet Sharing
Default value: 1

win_10_39

The good – some built-in reports are available and the console has a certain level of visual appeal.

win_10_63

The apps

There’s a universal Application Publishing tool that is the same for both Mobile Applications and Desktop ones. Both application deployments work quite nicely, the only concern being that there is no way to monitor the installation process on the devices, so it either succeeded or failed with an error. The log files are located locally on the devices.

All installations on Windows PCs go through with the SYSTEM account and require the setup to be completely silent and functional under these conditions. Additional limitations and behavior under specific scenarios may apply.

The mobile applications distribution has different requirements based on platform, but supports both 3rd party apps and “application market” suggested applications.

There are reports in the management console to show how many devices have the desired software installed.

win_10_45

win_10_51

And I can’t resist mentioning the latest game in the Fallout series:

win_10_61

Screenshot_2015-09-14-17-33-06

Pricing matters

Microsoft Intune is favorably priced, especially as part of Enterprise Mobility Suite bundle.

Stand-alone Microsoft Intune pricing – ~5 EUR per user per month.

Enterprise Mobility Suite (includes extras – Azure AD Premium, Azure Rights Management, Microsoft Advanced Threat Analytics) – about 8 EUR per user per month.

Each of the above mentioned bundled products deserves a separate review on its own, I will not go into details for these.

Sample table (pricing per user/month):

Azure Active Directory Premium – $6

    • Self-service password reset to reduce helpdesk calls
    • Multi-factor authentication options for greater security
    • Group-based provisioning and single sign-on for thousands of SaaS apps
    • Machine learning-driven security reports for visibility and threat management
    • Robust sync capabilities across cloud and on-premises directories

Microsoft Intune – $6

    • Mobile application management across devices
    • Broad device support for iOS, Android, Windows and Windows Phone devices
    • Selective wipe of apps and data for greater security
    • Use of System Center Configuration Manager and Endpoint Protection**

Azure Rights Management – $2

    • Information protection from the cloud or in a hybrid model with your existing on-premises infrastructure
    • Integration into your native applications with an easy-to-use SDK
    • Windows Server Active Directory Rights Management Server CAL use rights**

Microsoft Advanced Threat Analytics*** – $3.50*

    • Behavioral analytics for advanced threat detection
    • Detection for known malicious attacks and security issues
    • Simple, actionable feed for the suspicious activity alerts and the recommendations
    • Integration with your existing Security Information and Event Management (SIEM) systems

Windows Server CAL – $1.75*

    • Windows Server CAL use rights**

Standalone total – $19.25

Enterprise Mobility Suite – $8.75* (50% savings over standalone offers)

Conclusion

You get a solution that will offer at least basic levels of compliance and control over the company’s devices and data. There is software, policies, update and antivirus compliance checks included inside the product, although not always with the complete desired functionality set that you would have in your typical on-premise enterprise setup, but available out of the box without any investments in local infrastructure, servers and maintenance. Which is amazing by itself!

For enterprises there is always the option to use the on-premise setup with Active Directory sync and System Center Configuration Manager connector.

There are some things that are still missing and should be noted:

  • No API or PowerShell support to manage the service
  • Remote User Assistance/Control is missing (available with some custom workarounds, rather limited)
  • Silverlight administration portal (Microsoft has set the support end date for Silverlight 5 to be October 2021. In 2015, Microsoft announced that since support for ActiveX was discontinued with Microsoft Edge, Silverlight will not be supported in that browser.). Does not work in Microsoft Edge
  • No Support for App-V
  • No out of the box setup of client and easy enrollment (at this point it can and should probably be scripted, but the scripting expression can apply to almost anything nowadays)
  • There are reports of user experience settings that are not correctly synced between multiple user devices
  • Application delivery reporting is not that transparent, troubleshooting logs are on the client
  • (subjective) I still do not enjoy the battery drain aspect of any mobile device management client. The battery drain from this piece of management software is heavier than from display screen on daily use. This is not OK
  • Policies and settings are quite limited if compared to Group Policy Management

Sysinternals Sysmon – monitoring your system and handling the output

I’ve been excited about the long past announcement (Aug 2014) of a new utility from Sysinternals – Sysmon!

System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time.

In one of the Channel 9 videos Mark Russinovich talks about how it helped him track down the original point of entry of a malware application. Mark is an amazing guy.

I was immediately hooked, so Sysmon has been installed on all my home devices and devices that my relatives force me to support. Plus it’s a cool way to keep your paranoia in check and find out who installed that piece of software on your favourite Terminal (oops, Remote Desktop Services!) Server.

Now, the link above has all the installation and configuration instructions, so I won’t dig into them.

The minor issue I had with the tool is that it lacked structured output. Most of the useful information is stored in the message block of the Event Viewer log, for example:

Process Create:
UtcTime: 19/07/2015 06:35
ProcessGuid: {0021847f-454d-55ab-0000-00109a1f330b}
ProcessId: 7944
Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
CommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
User: NT AUTHORITY\SYSTEM
LogonGuid: {***************}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
HashType: SHA1
Hash: D06DFEC8ACA88E68A9CECBCF3379B20FF73E6D72
ParentProcessGuid: {0021847f-492f-55a7-0000-001049c00000}
ParentProcessId: 844
ParentImage: C:\WINDOWS\system32\svchost.exe
ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch

I’ve finally decided it’s time to make the output a bit more readable (and my definition of readable was .csv and Pivot Tables in Microsoft Excel), so I wrote a nice script that converted Event Viewer Sysmon log into .csv for some quality reading and analysis. The alternative would be to convert it to xml and work my way from there, but it’s .csv for now.

The main issues were that I was a bit rusty using the string class and methods, and that the conversion to .csv required working with an array of objects that have a different number of properties, hence the conversion wasn’t always picking up all the data; stackoverflow.com had the answer to that issue.

The conversion is still a bit messy sometimes, but that doesn’t bother me, data is more or less readable and visible in Excel.

sysmon_001

Now I can track down all the started apps, network connections, which users started the apps, where did the connection from them go and so forth. I know there are probably a lot more complicated and fancy solutions on the market, but Sysmon is easy, small and free, what can be better?

Grab your script copy New-SysmonCsvReport.ps1. No warranties.
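The two problems described above (the useful data living in the free-text message block, and Export-Csv dropping columns when objects carry different property sets) can be solved in a few lines of PowerShell. The block below is an added example written for this page; it is not the post’s New-SysmonCsvReport.ps1 and not Sysinternals code. It assumes Sysmon’s default log name Microsoft-Windows-Sysmon/Operational; the function names are hypothetical and the two sample messages, their GUIDs and IP addresses are constructed so the parsing and export run offline.

```powershell
# Added example (not the post's New-SysmonCsvReport.ps1). Parses Sysmon's
# "Key: Value" message block into objects and exports them with a uniform
# column set. Assumes the default Sysmon log name; function names are hypothetical.

function ConvertFrom-SysmonMessage {
    param(
        [Parameter(Mandatory)] [string]   $Message,
        [Parameter(Mandatory)] [int]      $EventId,
        [datetime] $TimeCreated = (Get-Date)
    )
    $record = [ordered]@{ EventId = $EventId; TimeCreated = $TimeCreated }
    $lines  = $Message -split "`r?`n"
    # The first line names the event type, e.g. "Process Create:".
    $record['EventType'] = $lines[0].Trim().TrimEnd(':')
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        # Split on the first colon only: paths and command lines contain more of them.
        if ($line -match '^\s*([^:]+):\s*(.*)$') {
            $record[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$record
}

function Export-SysmonCsv {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $Path
    )
    # Export-Csv takes its header from the first object only, so a network
    # connection event following a process creation event would lose its own
    # fields. Build the union of all property names and select it on every row.
    $columns = $Records |
        ForEach-Object { $_.PSObject.Properties.Name } |
        Select-Object -Unique
    $Records |
        Select-Object -Property $columns |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Get-SysmonRecord {
    param([int] $MaxEvents = 1000)
    # Live collection from the event log (needs Sysmon installed and usually admin rights).
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational' } -MaxEvents $MaxEvents |
        ForEach-Object {
            ConvertFrom-SysmonMessage -Message $_.Message -EventId $_.Id -TimeCreated $_.TimeCreated
        }
}

# Constructed sample messages in the shape Sysmon writes (placeholder GUIDs and documentation IPs).
$sampleProcess = @"
Process Create:
UtcTime: 2015-07-19 06:35:00.000
ProcessGuid: {00000000-0000-0000-0000-000000000001}
ProcessId: 7944
Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
CommandLine: C:\WINDOWS\system32\wbem\wmiprvse.exe -Embedding
User: NT AUTHORITY\SYSTEM
ParentImage: C:\WINDOWS\system32\svchost.exe
"@
$sampleNetwork = @"
Network connection detected:
UtcTime: 2015-07-19 06:36:00.000
Image: C:\WINDOWS\system32\wbem\wmiprvse.exe
Protocol: tcp
SourceIp: 192.0.2.10
DestinationIp: 198.51.100.20
DestinationPort: 443
"@

$records = @(
    ConvertFrom-SysmonMessage -Message $sampleProcess -EventId 1
    ConvertFrom-SysmonMessage -Message $sampleNetwork -EventId 3
)
Export-SysmonCsv -Records $records -Path (Join-Path $env:TEMP 'sysmon-sample.csv')

# Quick triage straight from the objects: which images opened network connections?
$records | Where-Object EventId -eq 3 | Group-Object Image | Select-Object Count, Name

# On a machine with Sysmon installed:
# Export-SysmonCsv -Records (Get-SysmonRecord) -Path .\sysmon.csv
```

The resulting CSV has one column per distinct Sysmon field seen in the whole batch (ProcessId, CommandLine, DestinationPort and so on), with empty cells where an event type does not carry a field, which is what a pivot table needs. Parsing the message text this way is the simplest route, but it depends on Sysmon’s message layout; the event’s XML view (Get-WinEvent’s ToXml()) carries the same fields as named EventData elements and is the more robust source if the message format changes between Sysmon versions.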

Virtual Mobile Devices

“Virtual Mobile Devices” – now that’s an expression you don’t hear often. The first thing that pops up in my mind is the platform for developers – Xamarin, which isn’t really correct, because it’s a way to code your apps in C# and instantly make them available cross-platform – iOS, Android, Windows Phone.

Turns out there is a company that tries to make a living out of “Virtual Mobile Device” concept – remotium.com.

Fancy sales slogans – “VIRTUAL MOBILE DEVICES LET YOU WORK WHERE YOU ARE”. But wait, I can already work where I am using a number of other crazy technologies such as Inbox application (which is really good) on my Android or a laptop configured with a VPN or DirectAccess to my enterprise network, “why do I need this product” – was the question I’ve asked myself.

This post cleared out some confusion:

Let’s start with the basics. VDI was originally developed to free desktops and desktop apps from the chains of form factor. Once a desktop is virtualized it can be accessed from any device that supports a viewer. But mobile apps don’t need to be mobilized – they already run on mobile devices. So virtual mobility is done for a different reason: to give IT simple, bulletproof controls for managing mobile apps and data.

VDI solutions simply run the stock Windows OS, and cannot provide the levels of application control and visibility that VMI solutions like Remotium Virtual Mobile Platform provide. Working from the base Android Open Source Platform (AOSP), we have unparalleled visibility and control over app behavior. For example, Remotium VMP enables IT administrators to apply HTTP and iptables-style filtering to individual apps. VDI can’t do that. Neither can it override app permissions to prevent specific apps from accessing contacts, calendars or location data – all built in functions in Remotium VMP. The audit trails that Remotium VMP can create with an instrumented OS leave VDI solutions in the dust. VDI might be able to deliver a mobile app, but it can’t secure it the way VMI can.

So the product is all about security measures and auditing for your already written enterprise mobile applications.

What happens on the technical side is that you install a client application on your phone that receives streaming data from a server. The mobile application itself runs on the server side, and only the rendered screen is streamed to your phone.


Because nothing but pixels reaches the device, this allows for all sorts of security lockdowns – the copy/paste buffer, screenshots, network access.

Navigation is only inside the app, with switching between different applications that are available in a locked down environment. There is a built-in 2-step verification with an additional PIN for accessing the app itself – “Workspace”.

In my opinion the streaming protocol could be better; I would say the experience is uncomfortable, and not just for graphics-heavy content – even writing an e-mail feels like earlier versions of Citrix solutions. Here are a few demo videos – one and two.

Remotium requires an always-on internet connection (what doesn’t, nowadays?), so there were some technical glitches along the way – “Error – could not connect to remote session.” and timeouts/black screens.

Traffic usage is something to keep in mind as well. I used the app for about 10 minutes and it consumed ~15.58Mb over my Wi-Fi network, that’s about ~93.48 Mb per hour.

Remotium is a lot like XenDesktop/XenApp, only for streaming mobile apps, with all the benefits this brings; it will do what is advertised if you need to lock down a specific enterprise app.

Sometimes it will be easier to code additional changes into the original application instead. Sometimes it will be easier to use the pre-built bundle of enterprise productivity applications (mail, calendar, file sharing) from one of the Enterprise Mobility Management vendors – VMware AirWatch, MobileIron, Citrix, IBM, Microsoft, etc.

Sometimes you can re-use what you have and lock it down using this solution. And maybe restricting, securing and managing apps on mobile devices is not worth the effort for most organizations. We shall see.

Amazon AppStream

I wanted to do a review of “Amazon AppStream” – Amazon AppStream lets you deliver your Windows applications to any device. I started with the intro video first; the emphasis is on heavy graphics, cross-platform support and scalability.

I got pushed away by the pricing – 132.8$ per user per month or 192$ per user per month – and by the region availability – no Europe.

What’s pretty cool is that they allow you to develop your own client app and some other custom features (such as an Entitlement Service).

Will have to get back to this when things improve.

Notes:

  • 01-Jul-2015 No Europe. Limited region availability – “Q: What regions will my application be streamed from? A: AppStream is available in US East (N.Virginia) and Asia Pacific (Tokyo). AppStream will stream the application from the region in which it has been deployed to.”
  • 01-Jul-2015 Pricey. $0.83/hr (US East (N.Virginia)) and $1.20/hr (Asia Pacific (Tokyo)). 160 working hours per month is 132.8$ per user per month or 192$ per user per month.
  • Amusing comment – “During the streaming application deployment, you may experience poor performance. This is caused by the Windows Remote Desktop Protocol (RDP) connection to the instance and does not reflect the actual streaming performance.”