Stanford Network Registration Tool Version 3

Changes since version 2:

* name changed from Health Check Tool to Stanford Network Registration Tool
* support added for all 64-bit Windows OSes
* support for Snow Leopard (Mac OS X 10.6) and Windows 7
* greatly improved MAC address detection and filtering (using both a "black list" and a "white list" of all IEEE-registered ethernet OUIs)
* greatly improved AV software detection on both Windows (using Security Center) and Mac OS X (using a larger list of known AV products)
* users are prevented from opening and running a web browser during registration (SNSR only, recognized browser processes only)
* support different security software requirements for different platforms in NetDB template (SNSR only)
* network throughput is estimated in order to provide a guess at how long downloading required patches will take
* greatly improved logging
* numerous bug fixes

SNRT 3.0.12.15 (released 14 Jul 2009):

* fixed serious bugs including: BigFix incorrectly required in many cases, and Mac log file not being created (causing the program to hang)
* for ResComp registrations only: Mac AV will not be required for anyone using the student (jesa) organizational template

SNRT 3.0.12.18 (released 7 Aug 2009):

* fixed problem with AV software detection on Vista SP1 and above

SNRT 3.0.13.1 (released 20 Aug 2009):

* added "Save Log File to Desktop" command (Help menu)
* corrected Mac BigFix detection to accommodate upgrade to Stanford's BigFix service
* added Mac AV detection for: avast!, BitDefender, ClamXav, Dr.Web, McAfee VirusScan, Sophos, Symantec Norton AV, and Trend Micro Security

SNRT 3.0.14.0 (released 1 Sep 2009):

* new SNRT icon and graphics (including Stanford slide show during program run)
* added automatic "relaunch-after-reboot," as appropriate, with file clean-up afterwards
* bug reports can now be sent while on the registration network (SNSR only)
* fixed crash that (rarely) occurred during admin password strength-checking on Windows
* added function to check if a personal firewall (etc) is blocking SNRT
* fixed a bug that might cause MAC address detection to fail if network connectivity suddenly disappeared
* if a test has been run and passed within the last 60 minutes, it won't be run again
* now using a much improved password-guessing dictionary (1525 basic words)
* fixed several problem(s) in "What Settings Will Be Changed?" Help menu item
* many other small fixes and improvements

SNRT 3.0.14.2 (released 2 Sep 2009):

* corrected SNRT's failure to delete itself after its last run (Mac OS X 10.6 only)
* added "YankIP" functionality: when user hits Cancel, machine's IP address is removed from iptables REGSET (SNSR only)

SNRT 3.0.14.3 (released 3 Sep 2009):

* for ResComp registrations only: go to "exit URL" even if computer is already registered in NetDB
* for ResComp registrations only: do not send HTTP header request with HTTP GET

SNRT 3.0.14.4 (released 4 Sep 2009):

* fixed MOSX 10.5/10.6 bug that prevented Software Update from running properly when launched from within SNRT
* added variant ActiveSync MAC address to black list (00-80-00-60-0F-E8)
* fixed bug introduced in 3.0.14.0 that would cause AV and BigFix tests to fail on all but first run

SNRT 3.0.14.5 (released 6 Sep 2009):

* removed beta tag
* eliminated need for separate SNSR and "Hostreg Classic" compilations (all differences now specified in configuration file)
* improved querying and logging of AV software health (Windows Security Center); improved AV software detection for Win 7
* added new Credits and Copyright Notice windows (About... box)
* improved appearance of HTML in "What Settings Will Be Changed?" (Help menu)

SNRT 3.0.14.6 (released 7 Sep 2009):

* specifically excluded null MAC address (00:00:00:00:00:00), which apparently can sometimes slip past other exclusion rules
* made download URL for MAC address white list a configurable option (in case nmap.org goes down)
* created new configuration option (maxnum_macaddr) to control the number of retrieved MAC addresses that SNRT will return to the server
* added NIC descriptions to log, in order to help determine WHERE Vista is getting some of the innumerable NICs it reports

SNRT 3.0.14.7 (released 16 Sep 2009):

* added 10.15.0.0/16 (new West Campus wireless network) to list of private registration address ranges
* updated MAC address white list included in SNRT package (see http://nmap.org/svn/nmap-mac-prefixes)
* modified password strength-checking routine slightly, to try to catch error on Windows XP SP3 (problem fixed in next release)

SNRT 3.0.14.8 (released 18 Sep 2009):

* fixed password test failures on Windows XP SP3 that would sometimes cause SNRT to hang (modified call to Win32 NetLocalGroupGetMembers())
* for slow method for Windows password strength-checking (as for domain-joined machines unable to contact DC), now using smaller dictionary
* improved default short version of password-guessing dictionary
* modified MAC address exclusion rules slightly to further reduce number of bogus addresses potentially returned to server (see below)
* modified delete_snrt.app compiled AppleScript (which runs at login) so that it will better identify itself and its purpose

SNRT 3.0.14.9 (released 22 Sep 2009):

* added workaround for possible failures to write a log file on Mac OS X (will fall back on ~/Library/Logs if /Library/Logs can't be written to)
* Windows only: SNRT will no longer relaunch itself after a reboot initiated solely because security settings were reconfigured on a registered machine
* improved quasi-random sequencing of the splash screen's "Stanford slide show" (with a few other cosmetic changes)
* for ResComp registrations only: configure SNRT to use MS Windows update site rather than Stanford's WSUS servers

SNRT 3.0.15.0 (not released):

* Mac OS X: automatically handle privilege elevation for standard (non-admin) users who provide admin credentials during installation
* added mutex to prevent multiple instances of SNRT from running concurrently
* "active IP addresses" should now be correctly logged regardless of SNRT's configuration or host's network location
* added logic that might allow a single SNRT configuration to work properly for both SNSR and ResComp registrations (testing required)
* 60-min no re-testing grace period now includes runs of new instances of SNRT (previously only applied to one continuous run, with or without a reboot)
* Mac OS X: added awareness of (forthcoming) Google Chrome browser
* Mac OS X: record details of failure to write log file to its default location in /Library/Logs
* if the active NIC cannot be identified, SNRT will still register MAC addresses that are not excluded by any of the usual rules (up to maxnum_macaddr)
* improvements to bug reporter UI (SNSR only)
* fixed bug in MAC address detection routines (doubtful that this will help with the hanging problem described below, but it might shed light)

SNRT 3.0.15.1 (released 15 Oct 2009):

* Mac OS X: fixed a bug that might prevent correct detection of the BigFix client and its version number on Mac OS X 10.3
* Mac OS X: fixed a bug that in some cases might result in multiple entries for delete_snrt.app in Login Items
* Mac OS X: modified delete_snrt.app to remove support files as well as the SNRT application itself (only the log file isn't deleted)
* Mac OS X: cleaner authenticated relaunch of SNRT, with prompt for admin credentials, for unprivileged users after logout or system restart
* Mac OS X: corrected bug that might result in SNRT relaunch helper program not being removed from user's Login Items when no longer needed
* corrected bug that could lead to early termination of certain long-running operations (eg, Mac OS X password checks, Windows MSRT)
* added "Save Log File to Desktop" command to Help menu for all SNRT configurations (had previously appeared only for ResComp builds)
* several minor bug fixes to password-checking functions and splash screen slide show

SNRT 3.0.16.0 (released 17 Nov 2009):

* Mac OS X: implemented new method for password strength-checking that improves performance by multiple orders of magnitude (enabled only for testing)
* fixed contingently inert string-formatting bug (trailing ampersand in MAC address list returned to server if number of NICs exceeded maxnum_macaddr)
* fixed bug that sometimes would prevent logging of all active IP addresses (see 3.0.15.0 above)
* Mac OS X: fixed bug that could prevent SNRT from quitting if Software Update were launched automatically after a system restart
* Mac OS X: ensured that the correct home directory will be used if SNRT is running in a user context other than that of the logged-in user
* Windows: all support files are now deleted when SNRT is removed (excepting the log file); cf 3.0.15.1 supra for Mac OS X
* Mac OS X: fixed bug in shared library function that might have caused failures to write log files to /Library/Logs (see also above)
* Mac OS X: fixed bug in delete_snrt.app that generated a harmless but annoying "file not found" error dialog on Tiger
* added awareness of new 10.31.0.0/16 wireless pilot range for ResComp

SNRT 3.0.16.1 (released 7 Apr 2010):

* when an exception error is caught, the record of tests already passed is now summarily deleted
* numerous small improvements to exception handling, primarily with a view to preventing unusual error conditions from causing tests to be skipped
* disabled "Quit" menu item and keyboard shortcut while tests are being performed: if the process has to be killed, external means must be employed
* added checksum to record of passed tests, written upon normal termination and verified at program launch
* Mac OS X: enabled new method of password strength-checking for production release (see 3.0.16.0 above)
* Mac OS X: owing to bugs in the password cracking facility on Tiger, user accounts on OS 10.4 will only be tested for null passwords
* Mac OS X: modified post-installation scripts to write more detailed information to install.log (see next)
* Mac OS X: modified launch script to address launch failures on Snow Leopard (tentative fix, yet to be confirmed; see below)
* Mac OS X: correcting an oversight, updated old MAC address detection utility to support i386 hardware (Rosetta may not be present on OS 10.6)
* Mac OS X: Installer will now require that SNRT be installed on the root volume (active system partition)
* Windows: if the OS is in Safe Mode, SNRT will display a message asking the user to reboot normally, and will then quit
* Windows: updated launcher utility to correctly identify x64 editions of Windows XP
* MAC addresses are now saved (for 1 hour) to disk: speeds relaunching and avoids NIC detection failures when auto-relaunching at system start-up
* alert dialog requiring user to quit web browsers before proceeding now appears in front of all other windows and lists running browsers
* a daily cron job now generates SNRT's MAC address white list from the IEEE's published OUI listings (stale data have been a chronic problem)

SNRT 3.0.16.2 (released 31 Aug 2010):

* Windows: added possible workaround for reported Windows Update failures (the WU control panel is opened); see below
* added awareness of new NetDB "node states" other than "good" and "unknown"
* at the beginning of each run SNRT now automatically updates its local copy of the MAC address white list (generated by a daily cron job)
* the date of the MAC address white list in use is now recorded in SNRT's log
* Mac OS X: fixed bugs in delete_snrt.app that could generate errors (prompt for admin creds, overlooked in one conditional branch; Finder refresh)
* added 10.30.0.0/15 to the list of private address ranges (having previously had only 10.31.0.0/16; see SNRT 3.0.16.0 above)
* clarified message text in "you must quit all running web browser sessions" dialog box
* updated SNRT code to accommodate significant changes in key REALbasic classes (the language in which the cross-platform GUI app is written)
* Windows: signed SNRT executable and embedded VB Scripts using new VeriSign certificate

SNRT 3.0.16.3 (released 9 Sep 2010):

* added desktop icon to launch SNRT, in case a user finds it convenient, which icon is deleted when SNRT is finished and the system is registered
* SNRT will now continue to relaunch itself at user login until the system is reported to be registered by the SNSR server (excepting residential students)
* the Bug Reporter facility has been (partially) updated to use Secure SMTP, now required by Stanford SMTP servers
* emergency correction to list of private IP address ranges for SNSR, and other small fixes, to address problems for residential student registrants

SNRT 3.0.16.4 (released 26 Sep 2011):

* Windows: fixed several bugs (some in shared code) that were causing null MAC addresses not to be excluded (still!), probably among other confusions
* Windows: temporarily eliminated checks for extra password variants owing to changes in Vista SP2 (and Win 7?) that have significantly slowed the process
* Windows: if Windows Update fails for any reason using the default Microsoft servers, fall back on campus WSUS servers for a second try
* Windows: Windows Automatic Update configuration is now checked only once per session (bug fix)
* Mac OS X: fixed several MAC address detection bugs that (inter alia) caused wired and wireless NICs to be misidentified (primarily on Mac OS 10.7)
* improvements and necessary updates to SNSR registration network awareness

SNRT 3.0.16.5 (released 4 Oct 2011):

* new private domain name (sunet.stanford.edu) now used on SNSR registration network, required by updated server SSL certificates
* Mac OS X: fixed a bug that in some cases would cause the Software Update check to miss required patches (Mac OS X 10.6 and below)

SNRT 3.0.16.6 (not released):

* Windows: corrected a minor bug in self-relaunching logic at user logon
* Added new private wireless registration address range (10.24.0.0/16)

SNRT 3.0.16.7 (released 14 August 2012):

* Mac OS X: dropped support for PowerPC hardware
* Mac OS X: signed application bundle and installer package for the Mac OS 10.8 Gatekeeper default configuration (required architectural changes)
* Mac OS X: numerous fixes for compatibility w/ Mac OS 10.8 (Mountain Lion)
* Windows: eliminated password checks for disabled admin accounts, which checks had begun moving slowly (after the release of some Windows update or other)
* Windows: updated application launcher utility to support Windows 8 (released 15 December 2012 w/out an application version change)

SNRT 3.0.16.8 (released for Windows only 16 January 2013):

* Mac OS X: fixed bug causing the logged-in user name to be incorrectly recorded in the SNRT log (will be incorporated in next release)
* Windows: fixed bug causing null passwords not to be detected for enabled administrator accounts on Windows 7 and above

KNOWN OR SUSPECTED PROBLEMS POSSIBLY STILL EXTANT IN SNRT 3.0.16.5:

* on Windows Vista (perhaps Windows 7) errant MAC addresses are appearing that, while almost certainly wrong, cannot be excluded by any existing rules
	- a workaround is now in place, and logging is improved to better document the scope and nature of the problem [implemented in 3.0.14.6 et seq]
	- SNRT logs from successful runs on Vista and Win 7 are needed to provide more troubleshooting information
* on Windows XP, installed AV software (other than Sophos AV, Stanford's site-licensed solution) rarely is not recognized
	- possibly a WMI query is failing
	- install Sophos AV to bypass problem
* SNRT hangs in rare cases during MAC address detection on Windows Vista and above
	- possibly triggered by network problems (?)
	- possibly associated with localized OS's default use of a wide character set (?)
	- for affected computers, the problem often doesn't appear to resolve itself spontaneously
	- SNRT's CPU usage may become very high when it's caught in this state
* on Mac OS X 10.6 (perhaps not all versions, and not on all hardware) SNRT may fail to launch after being installed (should be corrected in 3.0.16.1)
	- need install.log, system.log, secure.log (in /var/log) from such machines in order to diagnose
* on Windows XP (not observed for other OSes), after automatically relaunching, SNRT may not recognize inactive NICs (should be corrected in 3.0.16.1)
	- SNRT is launched while the OS is still starting up, so Windows is failing to report complete information
	- when this happens, SNRT will fail to register certain MAC addresses w/ the SNSR server
* MAC address detection may fail repeatedly on Windows netbooks
	- need additional information to troubleshoot...
* Bug Reporter facility must be modified to use secure SMTP
* especially over wireless connections, perhaps more in some areas than others, SNRT is sometimes unable to run its Windows Update script
	- apparently a networking problem
	- the error code returned is one of those listed here: http://support.microsoft.com/kb/836941
	- SNRT will now attempt to open the Windows Update control panel in these cases (as of version 3.0.16.2), for manual patching
* on Windows Vista (perhaps Windows 7) password checks for the built-in Administrator account have become slow in at least some cases
	- apparently a consequence of a security update delivered in 2011