Vista
Transcription
Vista
0507red_Cover.v14 4/17/07 10:23 AM Page 1 Deciphering Microsoft’s Software+Services M AY 2 0 0 7 REDMONDMAG.COM Vista Game Plan $5.95 1 25274 867 27 7 MAY • 05 > Is early migration the right play? 32 + IT vs. IM: How You Can Win the War 44 Laying the Groundwork for Exchange 49 Find the Right Mix of Citrix & VMware 41 64 © 2007 Brocade Communications Systems, Inc. All Rights Reserved. Brocade is a registered trademark and the B-wing symbol is a trademark of Brocade Communications Systems, Inc. Project1 4/10/07 9:41 AM Page 1 Brocade is the leading provider of data center infrastructure solutions. With Brocade, you have the tools, control, and knowledge to manage your information and create a competitive edge for your business. It’s time to make your data soar. www.brocade.com 0507red_TOC1.v6 4/17/07 11:03 AM Page 1 Redmond The Independent Voice of the Microsoft IT Community Contents M AY 2 007 COV E R STO RY REDMOND REPORT Your Vista Game Plan 9 Reinventing Windows Security Page 9 An early, well-planned move to Microsoft’s new OS could be the answer to enterprise security challenges. Page 32 Microsoft’s Toulouse thinks Windows Vista’s new security walls will prove thick enough. F E AT U R E S 41 10 Vista’s Jackrabbit Start Citrix and VMware: Oil and Water? Some analysts say, ‘Whoa, not so fast!’ Two technologies. One chemistry experiment. Can they mix? Page 44 44 IT vs. IM Instant Messaging (IM) makes tactical communication a snap, but too often IM serves as a doorway for hackers. Here’s how IT can wrestle with the problem. 12 The Low Down Making Things Better Page 41 COLUMNS 49 Laying the Groundwork: Exchange 2007 4 Moving to Exchange 2007 is a complex process with stringent requirements. Make sure you have the tools and infrastructure in place before you begin. I’m All Ears Page 49 REVIEWS 17 Product Reviews Right Gun … Wrong Ammo Web filtering is problematic at best, but iPrism puts up a solid defense. 23 Reader Review MOSS Gathers Momentum Readers rave about the new and improved Microsoft Office SharePoint Server 2007. Barney’s Rubble: Doug Barney 27 Redmond Roundup Manage and Manage Alike In today’s inherently disparate networks, you need a management tool that can take control of all your Windows and open source systems. 14 Mr. Roboto: Jeffery Hicks Stay on Schedule 57 Windows Insider: Greg Shields Isolation Automation Exploration: Part I 59 Security Advisor: Joern Wettern Patch It Up 64 Foley on Microsoft: Mary Jo Foley Software+Services Madness A L S O I N T H I S I S S U E 2 Redmond Magazine Online | 7 Letters@Redmondmag.com | 63 Ad and Editorial Indexes COVER ILLUSTRATION BY ROBERT KAYGANICH 0507red_OnlineTOC_2.v5 4/17/07 11:39 AM Page 2 Redmondmag.com M AY 2 0 0 7 ENT Special Report The Future of Systems Center and DSI V ista and Office dominate the Microsoft technology picture at the moment, but progress on the Dynamic Systems Initiative (DSI)—which, so far, is four years in the making—continues by leaps and bounds with delivery of key products in the Systems Center suite of systems management tools. Eric Berg, Microsoft’s director of product management for Systems Center, took some time at the Microsoft Management Summit in San Diego to give ENTmag.com a DSI progress report. Find out what’s happening now. FindIT code: ENTDSI Redmondmag.com Licensing 101: Back to the Basics W hen it comes to getting a good deal on Microsoft licenses, the best practices haven’t changed much over the years. According to Scott Braden, licensing guru and author of Redmondmag.com’s Redmond Negotiator column, the key issue is still time. “You should begin reviewing and planning for your next agreement at least six months before the current one expires,” he advises. Realizing the limitations of your Microsoft licensing rep’s knowledge is also key: “Don’t take an answer at face value; demand to see where it says that in the terms.” Get more tips from Scott and read his latest column. FindIT code: RedNeg REDMONDMAG.COM RESOURCES Resources Enter FindIT Code >> Daily News >> E-Mail Newsletters >> Free PDFs and Webcasts >> Subscribe/Renew >> Your Turn Editor Queries News Newsletters TechLibrary Subscribe YourTurn Questions with ... Peter Harvey Editor Michael Domingo talks with Peter Harvey, CEO of data management company Moonwalk Inc., on recurring disaster recovery (DR) issues at Redmond Radio this month. FindIT code: RRadio Peter Harvey Some admins think of DR as a passive task. Why flirt with disaster? A fundamental condition of the human psyche is that disaster is something that happens to someone else—DR is no different. What’s a common DR “worst practice”? There’s an approach that can be summarized as, “We’ll just Google the SAN.” You’d be surprised where we come across this being seriously considered. What one big DR issue should companies pay attention to? Very few organizations can function without being online all the time—the majority don’t appear to be doing much to manage a catastrophic event right now. Quotable [ ] LINQ promises to bring about the most profound change in the way database queries are built ... RDN Executive Editor Jeffrey Schwartz and Founding Editor Michael Desmond in their article “Looking to LINQ,” April 1, 2007. FindIT code: RDLINQ Redmondmag.com • RCPmag.com • RedDevNews.com • VisualStudioMagazine.com MCPmag.com • CertCities.com • TCPmag.com • ENTmag.com • TechMentorEvents.com • ADTmag.com • ESJ.com 2 | May 2007 | Redmond | Redmondmag.com | Project1 4/16/07 10:26 AM Page 1 0507red_Rubble4.v5 4/17/07 10:55 AM Page 4 Barney’sRubble by Doug Barney Redmond THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY R E D M O N D M AG .CO M M AY 2 0 0 7 I’m All Ears ■ VO L . 1 3 ■ N O. 5 Editor in Chief Doug Barney Editor Ed Scannell Executive Editor, Reviews Peter Varhol Executive Editor, Features Lafe Low Managing Editor Wendy Gonchar I love it when people bring me back down to earth: when my kids nail me with a one-liner, my copy editor points out 12 typos and eight atrocious grammatical mistakes Editor, Redmondmag.com Becky Nagel Associate Editor, Web Gladys Rama Contributing Editors Mary Jo Foley Jeffery Hicks Greg Shields Joern Wettern Art Director Brad Zerbel (most of which never make it to the printed page), or when my best girl beats me in every single bet we make (I’ve paid for every dinner since 1998 because of this). And you, the Redmond reader, can bring me back down to the earth faster than a 5-year-old’s kite. It’s easy to think that after 23 years of IT writing and high-tech journalism you know everything. Most of us don’t. We aren’t in IT like you— we just cover IT. Here’s the difference. As an observer, my strong sense is that Windows Vista is far more secure than Windows XP. As such, I reckoned shops would switch over as they brought in new machines, rather than trying to cram a big new operating system onto underpowered old boxes. Boy was I wrong. While some may migrate piecemeal, most of you are far more systematic. Apparently, you actually test new OSes prior to deployment, and you wait for the first service pack so the big bugs can be fixed. In fact, more than a dozen readers set me straighter on this issue than a $10 ruler. Software compatibility is the No. 1 concern. George, an IT Pro, found that many of his corporate apps don’t yet run on Vista, and his users could be just as productive with XP. For Alex, who’s waiting at least a year and a half before starting to switch, it’s not just plowing through compatibility issues, but dealing with management, training and productivity. Associate Managing Editor Katrina Carrasco As for my notion that new PCs with Vista should “work right out of the box,” Dennis begs to differ. He bought a new Dell laptop with Windows Vista Home Premium for his son, only to find that a driver that Dell itself installed wouldn’t work with the OS. Barr believes Vista shipped before it was done. “It should have baked for another six months so it would be truly golden brown and delicious,” Barr argues. Chuck, who “works for a large trash company,” expects to move to Vista “around 2015.” Before you assume that Chuck is joking, you should know that his shop still runs Windows 2000 on the desktop. Stephen from the United Kingdom sees Vista as so disruptive and different that it opens the door for Linux. I’ve found this to be a pretty rare response, and believe the Windows hegemony is unthreatened (and if it is threatened, we’ll just start a Linux magazine, eh what?). Fortunately, a couple of enlightened IT pros see things my way. Kurt advises using Vista on new machines as you phase out the old, rather than bringing in new XP boxes you’ll be stuck with for three or more years. Finally, Rob loaded Vista onto his OptiPlex GX270 and loves it! All of his old apps run, they just run better. And the upgrade was easier than Paris Hilton on a second date. Got something to say? Write to me at dbarney@redmondmag.com.— 4 | May 2007 | Redmond | Redmondmag.com | Senior Graphic Designer Alan Tao President Henry Allain VP, Publishing Matt N. Morollo VP, Editorial Director Doug Barney VP, Conferences Tim G. Smith Director, Marketing Michele Imgrund Creative Director Scott Shultz Executive Editor, Michael Domingo New Media Executive Editor, Becky Nagel Web Initiatives Director, Rita Zurcher Web Development Senior Marketing Tracy S. Cook Manager Marketing Programs Videssa Djucich Manager President & CEO Neal Vitale CFO Richard Vitale Sr. VP, Michael J. Valenti Human Resources VP, Financial William H. Burgin Planning & Analysis VP, Finance & Christopher M. Coates Administration VP, Audience Marketing Abraham M. Langer & Web Operations VP, Erik Lindgren Information Technology VP, Print & Mary Ann Paniccia Online Production Chairman of the Board Jeffrey S. Klein Reaching the Staff Editors can be reached via e-mail, fax, telephone or mail. A list of editors and contact information is available at Redmondmag.com. E-mail: E-mail is routed to individuals’ desktops. Please use the following form: firstnameinitiallastname@1105media.com. Do not include a middle name or middle initials. Telephone: The switchboard is open weekdays 8:30 a.m. to 5:30 p.m. Pacific Time. After 5:30 p.m. you’ll be directed to individual extensions. Irvine Office 949-265-1520; Fax 949-265-1528 Framingham Office 508-875-6644; Fax 508-875-6633 Corporate Office 818-734-1520; Fax 818-734-1528 The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher. PHOTO ILLUSTRATION BY ALAN TAO Project1 4/10/07 9:30 AM Page 1 ® NOD32. Swift. Nimble. Relentless. Can you describe your antivirus software with the same certainty? Just set it and forget it. That’s the beauty and the power of NOD32’s ThreatSense® technology. NOD32 proactively protects against viruses, spyware, rootkits and other malware. And, its high-performance engine won’t slow your system down. Take a free NOD32 30-day test drive. Call 866.499-ESET or download at ESET.com. “Best Antivirus Product of 2006” – AV Comparatives © 2007 ESET. All rights reserved. Trademarks used herein are trademarks or registered trademarks of ESET. Ad code: RM07 Project4 3/12/07 2:11 PM Page 1 A D V E RT I S E M E N T Maximum System Performance Getting to the Bottom of Common Reliability Problems As an IT Professional, you know the importance of maintaining system performance and reliability. If the desktops or servers crash, slow down or freeze, who gets called? That’s right… you or your IT staff. This “break-fix” cycle leaves you little time to be proactive. And yet, many of these issues stem from a single, hidden source. Top 5 reasons customers use Diskeeper Performance and Reliability 83% Automatic operation 83% Much superior to built-in defragmenter 44% Longer systems life with less maintenance Reliability issues commonly traced to disk fragmentation. The most common problems caused by file fragmentation are: • Crashes and system hangs/freezes • Slow boot times and boot failures • Slow backup times and aborted backup • File corruption and data loss • Errors in programs • RAM use and cache issues • Hard drive failures Having files stored contiguously on the hard drive is a key factor in keeping a system stable and performing at peak efficiency. The moment a file is broken into pieces and scattered across a drive, it opens the door to a host of reliability issues. Even a small amount of fragmentation in your most used files can lead to crashes, conflicts and errors. 44% Fast backups and antivirus and/or spyware scans 35% From Diskeeper Customer Survey—Read the full survey at: www.diskeeper.com/survey Is real-time, automatic defragmentation needed in today’s environment? More than ever! Large disks, multimedia files, applications, operating systems, system up-dates, virus signatures—all dramatically increase the rate of fragmentation. Fragmentation increases the time to access files for all common system activities including opening and closing Microsoft® Word documents, searching for emails, opening web pages and performing virus scans.To keep performance at peak, fragmentation must be eliminated instantly. Advanced, automated defragmentation (GET THE PROOF HERE: www.diskeeper.com/paper2) The weak link in today’s computers The disk drive is by far the slowest of the three main components of your computer: CPU, memory and disk. The fastest CPU in the world won’t improve your system’s performance if the drive is fragmented, because data from the disk simply can’t be accessed quickly enough. Maintaining systems can be a daunting task—maintenance, including regular defragmentation, must take place regularly to keep them running at peak levels. However, with constant uptime required, scheduling such processes to run at the right times can be tricky, since while running they pose a considerable drain on system resources. Diskeeper 2007 marks the end of scheduling, and the beginning of REAL TIME, on-the-fly maintenance of systems. Never again worry about dips in performance or straining valuable system resources —even when demand is at its absolute highest! Customers agree Diskeeper maintains the performance and reliability of their desktops and servers, reducing maintenance and increasing hardware life. “We run [Diskeeper] on our client PCs as well as our servers… with Diskeeper running daily, we can keep file performance at peak efficiency.” Tom Hill, CDR Global, Inc. Every system you manage needs Diskeeper for enhanced file system performance—automatically! ® Enhancing File System Performance —Automatically! ™ Special Offer Try Diskeeper 2007 FREE for 45 days! Download: www.diskeeper.com/red7 (Note: Special 45-day trialware is only available at the above link) Volume licensing and Government / Education discounts are available from your favorite reseller or call 800-829-6468 code 4410 © 2007 Diskeeper Corporation. All Rights Reserved. Diskeeper, Enhancing File System Performance—Automatically, and the Diskeeper Corporation logo are registered trademarks or trademarks of Diskeeper Corporation in the United States and/or other countries. Microsoft is a registered trademark of Microsoft Corporation in the United States and other countries. Diskeeper Corporation • 7590 N. Glenoaks Blvd., Burbank, CA 91504 • 800-829-6468 • www.diskeeper.com 0507red_Letters7.v5 4/17/07 10:39 AM Page 7 Letters@Redmondmag.com Old Habits Die Hard [Regarding the March 2007 cover story, “Open Source Enlightenment,”] a couple of decades of experience have shown that Microsoft is an extremely developer-friendly company. Anyone willing to port software to a Microsoft platform and therefore make the platform more valuable is greeted sincerely with open arms. But what history has also shown is that Microsoft has a habit of letting a niche develop right until it takes off, at which point Microsoft comes in and crushes all opposition by means of subsidies, sheer commercial weight and probably one of the most vicious distortions of standardization and interoperability efforts. With that track record, Microsoft will have an extremely hard time convincing anyone that it intends to cooperate. The company belatedly begins to use open source, but only to strengthen its grip on its customers. Jean-Marc Liotier Paris, France Microsoft has gotten itself into a few comfortable niche markets—the office desktop and the home computer appliance—and is trying for some other equally comfortable niches—the “enterprise” back office and the cell phone, for example. Microsoft’s major problem is that its traditional method—allow the pioneers to innovate and develop a market, then step in and take it off them—doesn’t work any longer. There are two reasons for this: Redmond goes to sleep once it gains a monopoly, and the Free and Open Source Software [FOSS] devel- Whaddya Think ?! Send your rants and raves to Letters@redmondmag.com. Please include your first and last name, city and state. If we use it, you’ll be entered into a drawing for a Redmond t-shirt! opment process and people do better work than Microsoft does and are eating its lunch slowly but surely. Microsoft’s actions are perfectly understandable—even to a certain degree In short, it is possible for software companies to make money without treating their customers like criminals. reasonable. But IBM for one has found that the only way to gain respectability in the FOSS circles is to become an active contributor—and Ballmer’s rumblings indicate that Microsoft’s head honchos aren’t comfortable with that. How it will all pan out, I don’t know—but I have thought that SQL Server could be a real market leader if it dropped the religious “Microsoftonly” stance and got ported to Linux and Solaris. But Microsoft would need a management buy-out to do that— Ballmer doesn’t have the guts to do it, Wesley Parish that’s for certain. Christchurch, New Zealand I run a software company and our goal, too, is to make money. However, we don’t illegally abuse a monopoly (as Microsoft was convicted of doing). We don’t try to shove Digital Rights Management down our customers’ throats. We don’t impose onerous end user license agreements on our customers. (Our proprietary software ships with source, and customers are permitted to modify it.) We don’t send nastygrams from the Business Software Alliance shaking down people to prove license compliance. In short, it is possible for software companies to make money without treating their customers David Skoll like criminals. Ottawa, Ontario, Canada Not Buying the Hype The UI—as discussed in Barney’s Rubble, February 2007—is like a work of art that has been touted as a masterful work of color and grace when all it is, is three squares of different sizes, painted imperfectly and stuck in a gallery to be sold for $12,000. Why is this humble effort at being remarkable so admired? Who decided to call it a ribbon anyway? I’ll cease my attempts at wit and get to the point. I don’t care who owns it because I can’t afford it. I’m going to install Linux on the three PCs I have at home (with GNUCash and OpenOffice) and when (and if) I get Vista and Office 2007 at work I’ll dance and sing songs Randall Frye of joy. Cleveland, Ohio | Redmondmag.com | Redmond | May 2007 | 7 Project3 4/16/07 1:38 PM Page 1 Consolidate Windows Servers Now! Proven Server Virtualization • Blazing Fast Bare Metal Performance for Windows Guests • Multi-Server Management • Seamless Upgrade Path • Powerful Administrator Console • Easy Installation and Deployment • Fully Supported Download XenExpress for free! Plus, get a free t-Shirt when you refer three friends! Purchase the Server Consolidation Solution Bundle! Pre-Installed XenEnterprise with IBM System x servers Learn more at www.xensource.com/ibm www.xensource.com/redmond 0507red_RedReport9-12.v11 4/17/07 11:37 AM Page 9 RedmondReport Reinventing Windows Security Microsoft’s Toulouse thinks Windows Vista’s new security walls will prove thick enough. W Redmond: How did you determine what security features were going into Vista? What sort of feedback did you get from enterprise customers about that? Toulouse: By the end of 2004 Vista underwent a fundamental reset in terms of what it was going to be. Part of that reset was what we learned from the development of [Windows XP] tion to alleviate that problem. But the problem with encryption systems is they aren’t full volume, so [hackers] can just pull the drive out of the machine and try to brute-force decrypt it. But BitLocker helps prevent that. That was driven more as a privacy feature and really intended mainly for corporate laptop users. “So when a developer is sitting down in his office, he’s no longer thinking just cool feature, cool feature, cool feature. He’s thinking as much about the misuse of the feature as he is the use of it.” Stephen Toulouse, Senior Product Manager for Microsoft’s Trustworthy Computing Group Service Pack 2 [SP2]. In fact, the first steps toward understanding the larger security picture of Vista were with SP2. In SP2 we did things like the Internet Explorer lock-down for the local machine zone. Feedback from users [on SP2] was really around a couple of things. First, they wanted the code to be fundamentally more resistant to attack. Making sure the operating system was resistant gave us time to evaluate whether or not we should apply the update. Second, better security features in the product helped us tune it to different environments that would help it protect itself. When in the development cycle did you incorporate new technologies like BitLocker? Did that come out of SP2 research or independently of it? That was separate. It was done as part of what we could do to take advantage of some cool technology coming out on the Trusted Platform Modules. At that time, we were seeing this rash of laptops left in taxicabs with databases of 1 million customers’ personal information on [them]. One of the things we thought we could do was full volume drive encryp- PHOTO BY DANIEL SHEEHAN By Ed Scannell and Peter Varhol ith the world’s most talented hackers all laying in wait for its arrival, clearly the most critical improvements Microsoft had to make to Windows Vista centered around its security capabilities. After several vicious viruses successfully attacked Vista’s Windows predecessors over the last few years, Microsoft— particularly its Trustworthy Computing Group—was under enormous pressure to build bulletproof walls around the product. Stephen Toulouse, senior product manager for the Trustworthy Computing Group, is one of Microsoft’s key people thrust into the middle of this perpetual war against hackers. During Vista’s development process he worked on a number of security features including kernel patch protection, the Windows Security Center and Windows Defender, as well as working with partners to ensure their products would work smoothly with the new security technologies. Toulouse sat down with Redmond Editor Ed Scannell and Peter Varhol, executive editor, reviews, to talk about some of the processes Microsoft went through in deciding what technologies to incorporate, and the new testing procedures those new technologies went through in order to make it into the final product. As you collected and incorporated feedback from SP2 users plus your own ideas, how did you determine what security features would work for millions of users? It’s all about hitting a confidence level, striving to define that confidence level and employing the metrics that determine where you are relative to that confidence level. With Windows Vista there were three things going on in reaching that confidence level. Number one, how do we evaluate what we are putting in. Number two, when do we get to the point where we can share that and trust that sharing gives us the feedback we need. Number three, what is our safety net that helps us understand that [feedback] even if we miss something—are there still things within the product that can help. So how did you evaluate what you decided to put in? How [we] evaluate what goes into a product is what I call the security engineering part. That’s where we use our Security Development Lifecycle [SDL]. Vista is unique in that it’s our first client OS that went through the SDL from beginning to end. The SDL is now the process under which Microsoft develops all software. So when a developer is sitting down in his office, he’s no longer thinking just cool feature, cool feature, cool feature. He’s thinking as much about the misuse of the feature as he is the use of it. This | Redmondmag.com | Redmond | May 2007 | 9 0507red_RedReport9-12.v11 4/17/07 11:37 AM Page 10 RedmondReport Vista’s Jackrabbit Start Some analysts say, ‘Whoa, not so fast!’ By Ed Scannell hile Microsoft proudly proclaimed in late March that Windows Vista was off to a fast start, selling 20 million licenses of the product in just its first month of availability (3 million more than Windows XP sold in its first two months), some analysts took a bit of shine off those numbers. In a report to clients, Citigroup analyst Brent Thill states the numbers are “only slightly ahead of expectations,” adding that Microsoft CEO Steve Ballmer has recently made more cautious statements around what sort of revenues the operating system would bring in for the current fiscal year. Thill says Vista’s role is not so much to bring in high numbers but to serve as a stimulant for customers to buy other Microsoft products. Al Gillen, research vice president of System Software at IDC, says he expects Microsoft to ship just under 90 million copies of Vista by the end of 2007, with 52 million going to home users and almost 38 million going to businesses. “We think they should average about 8 million copies a month [over the last 11 months of 2007]. So if they’re saying 20 million in one month—wow, that’s a lot of copies. Their fourth W Continued from page 9 is an important mindset change. Before people were just rushing to make a great feature work well and be stable. Now they have to think about what an attacker can do with it. It’s called Threat Modeling. If we can’t go through this process successfully, then features get cut. Was this hard to develop as a discipline for longtime developers? Well, we started back with SP2 and I think people learned some very hard lessons thanks to [the] Slammer, Blaster and Sasser [viruses]. Thankfully, the quarter client-side numbers were not so good ... so it might be reasonable to assume there was a strong bounce-back in the first quarter,” Gillen says. Gillen adds that in 2001, the year Windows XP shipped, Microsoft sold 103 million Windows client OSes. In 2007 the company is currently on a run rate of 162 million for the year. With all things being equal—and of course they are not all equal ... the numbers ought to be a little bigger. Al Gillen, Research Vice President of System Software, IDC “Rolling out a product in 2007, you might expect there’d be a 60 percent pickup for the first couple of months for that product. With all things being equal—and of course they are not all equal—in theory the numbers ought to be a little bigger,” Gillen says. Microsoft’s numbers include both boxed copies and copies bundled on new PCs, as well as those people who have registered for free Vista upgrades. However, company officials claim that the free upgrade requests were not the main reason for the fast start. — mindset change had already occurred. But a second piece of all this is BlueHat, which is independent of the SDL, where we bring in security researchers to poke holes in functionality right there in front of the same people who developed it. It’s also a good punch in the stomach, as opposed to getting feedback on an intellectual level. Were any other fundamental changes made to the development process since Windows XP? Another change from Windows XP is when a developer now needs to check in 10 | May 2007 | Redmond | Redmondmag.com | code by merging it with the main source tree, that code is run against a variety of tools that scan it. This scanning is looking for banned APIs and unsafe coding practices. It’s not meant to be a catchall, but more of a safety check. If any code contains these things it gets kicked back out and is not allowed to merge. Another big change from Windows XP is the sheer, unprecedented number of security researchers and security companies that we brought into Microsoft to do code review and penetration testing on the product. Looking back, do you feel there’s anything you missed? After all the reviews and security testing, it was clear to us and the public [that] we missed the usability of things like User Account Control. There was just a wave of criticisms after beta 2. I don’t think that feature has fully recovered from the initial criticism. Even though we spent the next two beta releases addressing it, it still carried a bad rep in the final product. You have to assume there are some things you’re not going to see. It’s a constant battle between usability and security. It is a tradeoff. The most secure OS is one running on a computer with no I/O connectivity inside a vault. I’ll go you one better: The most secure OS is the one still on the DVD and that hasn’t been installed anywhere. Let’s be clear—this is the most secure version of Windows we’ve done but that does not mean it’s hackproof. We have great faith in this product and it’s only going to get better from here, but delivering the finished version of Vista doesn’t mean we’re all taking vacations now. — Ed Scannell (escannell@redmondmag.com) is Redmond’s editor; Peter Varhol (pvarhol@redmondmag.com) is executive editor of reviews. Project3 4/16/07 2:56 PM Page 1 0507red_RedReport9-12.v11 4/17/07 11:38 AM Page 12 RedmondReport The LOW DOWN By Lafe Low Making Things Better T he world is not a perfect place. That’s true whether speaking globally of the conflict in Iraq, tsunamis in the Pacific and the nightmares unfolding in Africa, or speaking of the world in which we work—the Microsoft world. They may not have solutions for world peace, but fortunately, there’s no shortage of vendors scurrying to fix imperfections in the Redmond world. Redmond’s heavy hitters like MOM (soon to be renamed SCOM) and Exchange are both getting help from a veritable army of third-party peacekeepers. Lil’ Help from My Friends Systems Center Operations Manager (SCOM) 2007 fans will soon be able to beef up their troubleshooting capabilities. The Zenprise Connector for Operations Manager (ZCOM) 2007 promises to reduce the volume of alerts and the time it takes to troubleshoot problems. The ZCOM (not the official Zenprise acronym) provides context-sensitive, step-by-step instructions for problem resolution; management pack extensions with more than 5,000 diagnostic routines for Exchange, Active Directory, DNS, IIS and Windows Server Operations Manager; advanced troubleshooting routines for BlackBerry and Exchange environments; and event correlation group alerts for your e-mail system. Exchange admins may also sleep easier if they’re running DigiVault. Lucid8’s continuous data protection solution can help recover all your Exchange Server files. Its SingleTouch recovery feature lets you quickly restore an entire Exchange database after an outage. The new version 1.6 boasts faster backups, a simplified setup process, expanded support for Recovery Storage Groups, and Exchange 2007 and 64-bit support. For the AD crowd, NetPro Computing Inc. just announced a new version of RestoreAdmin. This tool gives you control over online AD restores and scheduled backups. RestoreAdmin 3.0 lets you restore or roll back any objects without having to waste time taking your domain controllers offline. It also lets you choose the objects you want to back up, or recreate deleted objects when you can’t run a restore. Car Troubles The next time your car dies in the middle of nowhere and you have to use one of those 800 numbers to call for help, you may have AVIcode Inc. to thank. No, the Baltimore-based .NET developer isn’t getting into the business of changing flat tires or replacing dropped transmissions. It is, however, supplying Cross Country Automotive Services with its Intercept Studio .NET application performance monitoring tool. Cross Country is a major player in the roadside assistance market, through its own auto clubs and contracts with auto manufacturers. Its call centers handle more than 1 million calls per month, and manage a network of 20,000 towing services and other roadside service vendors. Nice to know there’s a safety 12 | May 2007 | Redmond | Redmondmag.com | .NET like that the next time you have a flat in Fryeburg, a dead battery in Boise or lose your keys in Klamath. Sleepless Nights Add this to the list of things to ponder: the current state of Internet security. Trust me, it won’t make you sleep any easier. Webroot Software Inc. just released a report on the increasing sophistication and damage caused by malware. In Webroot’s State of Internet Security report, 43 percent of the companies it surveyed suffered some sort of disruption of business operations due to a malware attack. Here are some other disturbing findings: • 26 percent of those companies reported compromised confidential corporate data due to spyware; • 39 percent reported Trojan horse attacks; • 24 percent reported system monitor attacks; • 20 percent reported pharming and keylogger attacks. Pretty grim statistics, especially when you consider the findings of a report from the Small Business Technology Institute: 20 percent of the companies it surveyed lack adequate virus protection, more than two-thirds don’t even have an information security plan, and most only put security measures in place following an incident. What’s that saying about closing the barn door after the horses are out? Webroot issues its State of Internet Security report on a quarterly basis. You can get a copy of the latest report at www.webroot.com.— Lafe Low (llow@redmondmag.com) is Redmond’s executive editor, features. EventSentry_Redmond.ai 175.00 lpi 45.00° 15.00° 1/5/2007 75.00° 0.00° 1/5/2007 12:40:42 12:40:42PM PM Process CyanProcess MagentaProcess Black Project2 1/16/07 11:16 YellowProcess AM Page 1 0507red_Roboto14.v6 4/17/07 10:49 AM Page 14 Mr. Roboto Automation for the Harried Administrator | by Jeffery Hicks Stay on Schedule O ne of the most incredible things—or one of the scariest, depending on your point of view—is that there’s always something happening on your network. Even in the middle of the night, while you’re dreaming of 64-bit servers and four-way clusters, your servers are quietly churning away doing something. The question is: Do you know what’s going on? If your network is like most that I’ve seen, you’ve set up some scheduled tasks on a number of servers over the years, but never really got around to documenting what they do or when they run. You may even have applications that set up scheduled tasks and don’t tell you about it. I’ve put together an HTML application (HTA) that will generate a report of all scheduled tasks running on your servers and/or desktops. Mr. Roboto’s Scheduled Task Reporter serves as a GUI front-end for the Schtasks.exe command-line utility that ships with Windows XP and Windows 2003. As such, you’ll have to run it from an XP desktop or Windows 2003 server. Microsoft has indeed improved scheduled task support in Vista, but unfortunately this tool won’t detect scheduled tasks on a Vista desktop. You might be able to scan your servers from a Vista desktop, but you shouldn’t count on it. Keep your eyes out for something similar for Vista in the future. For now, you’re probably most interested in what your servers are doing and when they’re doing it. The Scheduled Task Reporter should work fine for that task. After you copy all the files to a directory, launch the HTA file. You’ll have to run this tool with administrator credentials. You can specify alternate credentials for any managed systems you’re polling for task data, but not for the system on which you’re running the tool. To run Scheduled Task Reporter, simply select “computername,” “text file” or “Active Directory” from the drop-down box. Selecting “computername” defaults you to the local computer, but you can type in any computer name you want. All you need is the NETBios name. You can also enter several computer names separated by commas. If you choose the text file option, you can use a text file that contains a columnar list of computer names that might look like this: Server01 Server02 Desk03 If the file isn’t in the same directory as the HTA, enter the full filename and path. I’ve included an option to search Roboto on Demand You can download Mr. Roboto’s Scheduled Task Reporter at: www.jdhitsolutions.com/scripts What Windows admin task would you like Mr. Roboto to automate next? Send your suggestions to jhicks@redmondmag.com. 14 | May 2007 | Redmond | Redmondmag.com | Active Directory for computer accounts. If your computer belongs to a domain, the root distinguished name will be pre-populated. All you have to do is add the organizational unit path. If you’re going to query AD, then you should do so with caution. If you have a lot of obsolete computer accounts or systems that aren’t available, you’ll get incomplete results and it will take a long time to generate the report. I strongly recommend that you use the Ping option to verify that any computer is up and running before you try to poll it for any scheduled task information. Once you have your source, click “Report” and the tool will check each computer for scheduled tasks. If all goes well, you should get an entry for each scheduled task that shows the task name, command, its schedule, credentials, last run and next run times. You can hover your mouse pointer over the last run entry in order to see the last result. If your task has an attached comment, it will show it if you hover your mouse over the task description. It will also report any errors and any systems with no assigned tasks. Finally, use the Print button and file the report away with your network documentation. I also like to print a copy to PDF for fast digital retrieval. Now there’s no reason for you to not know what your servers are doing in the middle of the night, and you’ll sleep much better. Pleasant dreams.— Jeffery Hicks (jhicks@redmondmag.com), MCSE, MCSA, MCT, is the co-author of “Advanced VBScript for Microsoft Windows Administrators” (Microsoft Press 2006), “Windows PowerShell:TFM” (Sapien Press 2006) and several training videos on administrative scripting. Project3 11/10/06 11:45 AM Page 1 Project3 4/16/07 1:21 PM Page 1 FREE DOWNLOAD available for evaluation AvePoint, the AvePoint logo are registered trademarks of AvePoint, Inc. in the United States and/or othountries. © 2007 AvePoint, Inc. All rights reserved www.AvePoint.com Caught with your pants down? AvePoint’s got you covered. Call 18006616588 to schedule a demo SharePoint® ItemLevel Backup, Recovery & Archiving Solutions. 0507red_ProdRev17-20.v8 4/17/07 1:50 PM Page 17 ProductReviews Right Gun … Wrong Ammo Web filtering is problematic at best, but iPrism puts up a solid defense. By Bill Heldman Who can forget the giddy heyday of Napster? You could download almost any song or video you wanted. The magic wasn’t in the Napster servers, though. It was in the notion of peer-topeer (P2P) workstations spread across the globe, sharing content without any payment changing hands. Napster was the arbiter of a large group of people rallying against the idea of paying someone for songs or videos. Great idea, until the music industry stepped in to shut them down. Smarting from a solid drubbing by big-city lawyers, Napster is now a toned-down, obedient, pay-for-play music service. That same P2P notion—only this time, I fear, one with teeth—is embodied in those who seek to banish any form of Web censorship. They don’t like to be blocked from the myriad questionable sites such as pornography, dating/mating, racial supremacy and other oddities. The anti-censorship crowd has weapons in its arsenal against which those in the security business have no practical offense or defense. You could say that Web filtering is akin to the U.S. military fighting insurgents. We iPrism $3,490 for 150 seats St. Bernard Software | 800-782-3762 | www.stbernard.com don’t understand the mentality behind their efforts and have no solid offensive or defensive mechanisms apart from brute force—which doesn’t always work well. They just keep coming. Hope Springs Eternal All is not lost. Lest I sound like a complete downer, it’s important to state this up front: St. Bernard Software has developed a wonderful product in its iPrism Web-filtering appliance. I really like this box—never mind that it runs Java or that it has a gaping back door. The iPrism is easy to install, configure and put into production, and the price is moderate (the iPrism M1200 costs $3,490 for 150 seats—23 bucks and change per seat). The unit actually goes out and updates its URL filtering list on a routine basis without having to be told to do so. You can configure the iPrism to work as an edge device or as a proxy (which is how I used it) that communicates with your edge firewall. There’s nothing complicated about setting it up for either topology. The customer service department is top notch and the documentation is comprehensive and easy to understand. You can also configure the iPrism to work with other iPrisms—a feature I especially like because of the multiple locations inherent in today’s enterprises. The device is Active Directory-aware and supports Windows authentication. When the software said it was going to go out and create a machine account for the iPrism to use, it actually did that with no hassles or disappointments. I had the device up and running in less than an hour. No sweat. The iPrism appliance and its accompanying software RedmondRating Installation/Ease of Use 10% 10.0 Documentation 10% 10.0 Management Interface 20% 10.0 Hack Resistance 10% 2.0 Value 10% 7.0 Performance 20% 8.0 Feature Set 20% 9.0 Overall Rating 8.3 Key: 1: Virtually inoperable or nonexistent 5: Average, performs adequately 10: Exceptional Figure 1. You can configure multiple iPrism systems to coexist and cooperate. | Redmondmag.com | Redmond | May 2007 | 17 0507red_ProdRev17-20.v8 4/17/07 1:50 PM Page 18 ProductReviews WhyJava? The iPrism runs Java and uses Java software for its management interface. My only question is: Why? Apart from the fact that it’s a pain to code, there are two reasons why I don’t much care for Java: • It’s a pig. Java has a tendency to dominate any CPU cycles it can get. In iPrism’s case, I found the box to be robust despite this tendency—no doubt because Windows wasn’t competing for cycles as well. (Java and Windows together reminds me of two obese people competing with one another at an all-you-can-eat buffet.) • It’s hard to create an elegant interface with Java. It ain’t Vista or the Mac. You can spot a Java interface a mile away because they’re always ugly. The font’s weird, the buttons have a half-baked shading element that only partially convinces you they’re 3-D and so on. The Java Web Start (JWS) software required for you to use your browser to manage your iPrism(s) is, at a minimum, an annoyance to have to download and install. It could conceivably be a security risk itself. That being said, the iPrism is the first Java-centric box I’ve messed around with that I really liked. —B.H. really work. When a user attempts to log onto an unauthorized URL, they’ll get a message stating that they were blocked. Setting up the iPrism in proxy mode could be more difficult for a lot of users, because each user has to have his or her browser’s LAN connection setting updated. You first have to create a rule that lets only your iPrism(s) hit the Web through port 80 or 443. You redirect your users’ browsers to the iPrism’s address, port 3128. The documentation helps you make adjustments for Internet Explorer and Mozilla. Redirection worked fine with Opera 9 as well. Using the iPrism as an edge device is even simpler. It has two ports—one for the Web and one for the internal network. Plug-and-play doesn’t get any easier. A quick DHCP configuration change (or some other IP magic trick) and your users are pointed at the iPrism and blocked (see Figure 3). Figure 2. iPrism routinely and automatically updates its Filter List page. You manage the iPrism in one of two ways. You can install the management software tool or run it within your browser—provided you have the Java Web Start (JWS) software installed. In either case, simply navigate your browser to the internal iPrism address and the initial entry page prompts you with the links needed to download and install the software—very slick. The left-hand side of the console has configuration element buttons (Users, Access and so on). Once you’ve clicked a configuration element, you’re presented with tabs and configuration settings screens for that particular element. Overall, the interface is intuitive and easy to use. So, here’s my issue with the iPrism and its Web-filtering cousins: Where there’s a will, there’s a way. My users—a group of technology students with a strong desire to get around any obstacle—were happily working around the iPrism within five or 10 minutes. They contacted PeaceFire and hooked up with Figure 3. Busted! This is the screen users will see when they try to access a blocked site. 18 | May 2007 | Redmond | Redmondmag.com | Project1 2/7/07 9:54 AM Page 1 0507red_ProdRev17-20.v8 4/17/07 10:42 AM Page 20 ProductReviews BackdoorMan During my review, I forgot the password to get into the iPrism management console. I wrote customer service and they quickly and politely wrote me back with a very simple workaround. The product ships with a serial cable. Just plug into the serial port on the back of the iPrism, set your laptop Hyperterminal session to 9600,N,8,1. You’ll contact a FreeBSD screen that lets you change the password in just a couple of steps. Here’s my problem with that: If the iPrism is sitting in an open environment where a technologically savvy and ethically lacking person has access, you may find the device compromised. Most rack-mounted devices like this live in secure data centers. Nevertheless, I was surprised with the ease with which I could backdoor in and update the administrator password. Better to have the iPrism be forced back to factory defaults on a hard reset than to have such a back door. Isn’t this how switches and routers work? In this case, I suspect St. Bernard went out of its way to make things easier for the admin. Bravo for that, but it may be a bit much. —B.H. an anti-censorship proxy avoidance site (called a “circumventer site”)—of which there are hundreds. Here’s how that works. Want to get to MySpace, but the iPrism won’t let you? Just navigate to www.peacefire.org, set yourself up for a regular e-mail blast of the latest circumventers and then use the circumventer site as your destination. The site retrieves any pages you want, disguising them as a URL that shouldn’t be blocked so the iPrism (and competing Web-filter software products) doesn’t bother trying to keep you from your illegal surfing. The circumventer sites come and go, so they’re very difficult to hunt down and eradicate. Web filters know about some of them, but there are always new ones. As we’ve learned from combat, an army of thousands of individuals operating alone is much harder to defeat than an army of millions working as a single organi20 | May 2007 | Redmond | Redmondmag.com | zation. You’re not going to win the circumventer site war by simply blocking URLs. Parting Shots If I were in the market for an enterprise-class Web-filtering product, I would give the iPrism strong consideration. I like the fact that it’s an appliance, as opposed to being software-only. I don’t have to dedicate a server to it, and I can easily get it up and running without a lot of hassles. Of course, the fact that it’s an appliance means that if it breaks the whole shooting gallery is down for the count. Nevertheless, I think appliances trump software in the Web-filtering game. The iPrism software is wellengineered. It’s clearly geared toward a Windows crowd (never mind that it’s Java-based). I especially like that it natively interfaces with AD and Windows user authentication. The iPrism is a well-crafted box from both the software and hardware perspective. The fact that you can have several iPrism boxes play together is very ISAlike and will go over well in those shops where administrators have a lot of outlying locations. Unlike an ISA box (which requires add-in Webfiltering software), the plug-and-play nature of the iPrism makes it an ideal fit for typically unmanned remote-server locations. Remote management is no big deal with the management console software or via the Web. If only I’d been able to plug in this box and not have any users, regardless of their technical prowess, find a workaround. Until the Web-filtering industry, including St. Bernard Software, is able to put down a hard foot, I’m afraid Web filtering as a technology is not everything it should be. — Bill Heldman (bheldman@comcast.net) is an instructor at Warren Tech, a career and technical education high school in Lakewood, Colo. He’s a contributor to Redmond and MCPmag.com, plus several books for Sybex, including “CompTIA IT Project+ Study Guide.” Project2 4/12/07 11:16 AM Page 1 Are you sure your network is secure? With RecordTS you can confirm your network is secure & compliant. RecordTS acts as Your Terminal Services & Remote Desktop “Security Camera”. · First ever Citrix/ICA Session Recorder · Records ALL Terminal Server Sessions (RDP) · Monitors ALL User Activity on Your Servers · Produces More Information Than Event Logs · Eases Auditing & Compliancy Tasks · Prevents Corporate Data Loss · Assists in Detecting Unethical User Activity · Produces Compact, Digitally Signed Video Files Citrix Versio /ICA n Availa Now ble! Visit www.TSFactory.com for a FREE Trial. © 2006 TSFactory. All rights reserved. The names of actual products and companies mentioned herein may be the trademarks of their respective owners. Project3 4/16/07 1:25 PM Page 1 Windows Vista® Ready! Secure Network Monitoring Software you can rely on to proactively Monitor, Alert and Recover your critical applications and network infrastructure equipment. ADMIN DASHBOARD - centralizes status, reports, system information in a single convenient location. • Windows Monitoring • Resource Monitoring • QA Monitoring • Protocol Monitoring • SNMP Monitoring • Trouble Alerting • Detailed Reporting • Secure Web Interface WIZARDS - make it easy to add new monitors and perform complex configuration tasks. • Admin Dashboard • Agentless Architecture 2007 Winner of Network World Clear Choice Award for Management wares that fit the bill but don’t break the bank. See how we scored at www.ipMonitor.com/scorecard/ Just Released Download the Fully-Functional 21 Day Trial REPORTING - completely configurable Reports provide statistical and performance measurements for everything from critical applications to SNMP-enabled equipment. www.ipMonitor.com Sales: 819-772-4772 Copyright© 2007 ipMonitor Corporation. All rights reserved. ipMonitor® is a trademark or registered trademark of ipMonitor Corporation in Canada, the United States of America and other countries. All other trademarks are the property of their respective owners. ipMonitor Corporation, 15 Gamelin Blvd., Suite 500, Gatineau, Quebec, Canada, J8Y 1V4 0507red_ReaderRev23-25.v6 4/17/07 10:44 AM Page 23 ReaderReview Your turn to sound off on the latest Microsoft products MOSS Gathers Momentum Readers rave about the new and improved Microsoft Office SharePoint Server 2007. By Joanne Cummings When Microsoft updated SharePoint Portal Server, it dropped the “Portal” from its name but added a slew of collaboration capabilities that have made most readers quite happy. Now called Microsoft Office SharePoint Server (MOSS) 2007, Microsoft’s collaboration platform offers tighter Office integration, more powerful search, support for Web 2.0-style features like blogs and wikis, and improved workflows. Readers say MOSS 2007, together with Windows SharePoint Services (WSS) 3.0, is perfect for building a comprehensive collaborative platform. “With SharePoint, we’ve shown the management people that yes, you can really keep a project on track with team members dispersed all over the country and all over the world,” says TJ Doherty, Microsoft Office SharePoint Server 2007 MOSS Server license: $4,347 MOSS Standard CAL: $93; MOSS Enterprise CAL: $76 Microsoft Corp. | 800-426-9400 | www.microsoft.com going to build our sites, the sites below us and the linkages to them and the site above us,” he says. “We passed that around the department so everybody got an idea of the general template.” For Doherty’s group, all employees have their own personal MySite Web site. The next level up is the group site, and then the department site. Each time a document is created, it begins life in a personal MySite and moves up the levels for feedback, comments and approval. “With MySites, it’s a new paradigm that everybody in the company gets to have their own Web site that With SharePoint, we’ve shown the management people that yes, you can really keep a project on track with team members dispersed all over the country and all over the world. TJ Doherty, Owner, Chariot Enterprises owner of Chariot Enterprises, an information management consultancy in Navarre, Fla. Doherty implemented MOSS 2007 for a couple of his clients to improve collaboration for remote workers. “It has helped us prove the concept of dispersed collaboration throughout the company.” Frameworks Are Fundamental Doherty says organization is essential to succeeding with MOSS 2007. For his clients, he establishes a clear structure for how the SharePoint sites are built and connected. “I put out a conceptual paper describing how we were they tailor to their own features,” he says. Because the individual sites are linked to the team sites, the whole group is better able to work on and view the status of any projects they may have. “When you come to the main team page, whatever tasks or issues that belong to you are instantly displayed right there,” he says. “So you don’t have to go into a general task list, which may have 40 or 50 tasks on it. Instead, when a user signs in, out of those 50 tasks they only see the 10 that belong to them.” It also puts management at ease. “It’s great for the employee because it saves them time, but it’s also good for management,” Doherty says. “If the manager wants to get the overall picture, he can look at the full task list or issues list and know what’s going on right away.” Doherty says his group also uses MOSS 2007’s workflows to keep projects on track. Even the out-of-box workflows help with document approvals and feedback. “It gives you a nice process for getting coordination on documents,” he says. Doherty also uses SharePoint Designer 2007 and Visual Studio to create customized, extensive workflows. “For example, you can start a new project and have an automatic workflow that starts sequencing things and creating tasks, and then have those tasks automatically dispersed to the people working on it,” he says. Safe and Secure Since Doherty’s users are all remote, security was a concern. Users enter the MOSS site via a VPN. Once logged in, Doherty says the security in 2007 is phenomenal. “It’s very granular,” he says. “You can set privileges at the library level, at the folder level or at the document level, and you can also do it by individuals or groups.” Jonathan O’Brien, systems engineer and owner of Active IT Design LLC, a two-person consulting firm in Fort Mill, S.C., agrees that security has been improved in 2007. “One of the best features of WSS 3.0 and SharePoint 2007 is the new ‘security trimmed’ interface, where users only see what they have permissions to see,” O’Brien says. “For example, in the past, with WSS 2.0 and SharePoint 2003, if a Web page | Redmondmag.com | Redmond | May 2007 | 23 Project3 2/14/06 11:31 AM Page 1 0507red_ReaderRev23-25.v6 4/17/07 10:44 AM Page 25 ReaderReview had edit buttons on it for certain items, all users would see these buttons,” O’Brien says. “Even if the user had read-only access, they could still click these edit buttons and were then taken to an error page stating they didn’t have security clearance.” With WSS 3.0 and SharePoint 2007, he says, that doesn’t happen. “On that same Web page, users with read-only permissions wouldn’t even see the edit buttons. Only users with modify access would see them. It makes for a much cleaner interface and removes confusion for the end user.” The search functions in MOSS 2007 are greatly improved, says Doherty. “With SharePoint, when you check the document in, it forces you to fill out all the metadata information or it won’t let you check the document in,” he says. “Once you have all this metadata associated with every document, you’re able to search through and find things easily.” The search functions are helpful for finding sites and documents—and people with certain skills as well, he says. Since each employee lists his or her skill sets on their personal Web page, SharePoint makes finding and collaborating with people much easier. “If you search on ‘SharePoint,’ it goes through the company directory and comes back and tells you who knows about SharePoint,” he says. “It’s a way to find out quickly who the experts are in a particular area. You do a search and boom—you get the list and find out the guy sitting next to you knows more than he’s been letting on.” Office Integration MOSS 2007 is also far more integrated with Office and other Microsoft applications. For example, Doherty says the integration with SQL Server 2005 is vastly improved. “With WSS 2.0, you used to have to use the report viewer to view SQL Server-based reports,” he says. “Now with MOSS 2007, there’s a report section that lets you tap directly into SQL Server. So instead of just using a viewer, you have a dashboard that lets you bring various elements into a more customized report.” MOSS 2007 also sports far greater integration with the Office 2007 applications, especially Outlook. “You can integrate directly with your calendar and your address book now—you have total integration,” he says. A key feature here is integration with Office’s new presence indications. “With MOSS 2007, you can add a Web part where you assign people on your team to the Web site and then you can see a little dot there that shows whether they’re online or not,” he says. “Then you can IM them or whatever. It’s great for productivity.” Web 2.0 Compatibility Another big change for MOSS 2007 is its Web 2.0 support for things like blogs and wikis. “Blogs and wikis in WSS 3.0—I love them,” Doherty says. “I think it’s going to be a while for these things to catch on in the corporate environment, but I think they’re an excellent way to disseminate information. If it’s done correctly, it can really reduce the number of meetings.” For Mike Swofford, systems administrator at RelayHealth Corp. in Tulsa, Okla., the improved recycle bin is the “I like the recovery bin best,” he says. “Recovering files and sites that have been deleted is big.” On the Other Hand Readers cite very few downsides to MOSS 2007. Perhaps the biggest shortcoming is the lack of an easy upgrade path from earlier versions of SharePoint. “Upgrading from the previous version stinks,” Swofford says, noting that there’s no good way to do it right now. “You can’t install and just upgrade the old SharePoint 2003. Moving sites over one by one is a hassle.” Doherty says his firm did a clean install of MOSS 2007 and built it up from scratch. “It would’ve been nice to have an upgrade option,” he says. Doherty also bemoans the lack of intermediate-level tutorials for MOSS 2007. “Training is either very basic or at the developer level—there’s nothing in between,” he says. That has been a struggle for him, especially when it comes to using the variety of Web Parts that come with MOSS 2007. “It comes with 30 or 40 Web Parts, but I have yet to go somewhere One of the best features of WSS 3.0 and SharePoint 2007 is the new ‘security trimmed’ interface, where users only see what they have permissions to see. Jonathan O’Brien, Systems Engineer and Owner, Active IT Design LLC best feature in MOSS 2007. In the past, it was difficult for SharePoint users to recover deleted sites or files. Now, in the 2007 version, there’s a two-stage recycle bin, so when a user deletes a page from their personal site it’s automatically put in the group site’s recycle bin. Similarly, when a group document or site is deleted, it goes to the overall recycle bin, where an administrator can recover it later if need be. Although Swofford says his firm is just testing the latest version of SharePoint, the recycle bin is the feature he’s most looking forward to implementing. that shows me what each of them can do and how I can use them,” he says. “In the Web Part Gallery they have little descriptions for each one, but it’s hard to tell exactly what each will do. That’s the biggest shortfall I’ve seen.” Still, the complaints about MOSS 2007 are few and far between and readers say that overall, they’re pleased with its new features and capabilities. “I’m a real SharePoint believer,” Doherty says. “It’s a great collaboration tool.” — Joanne Cummings (jcummings@ redmondmag.com) is a freelance technology journalist. | Redmondmag.com | Redmond | May 2007 | 25 Project2 4/12/07 10:39 AM Page 1 Get Your Kicks scripting simplified™ Learn PowerShell Scripts! Kick your scripting skills into high gear with ScriptingAnswers.com LIVE! training in Windows PowerShell™ and VBScript! Scripting industry hotshots Don Jones and Jeffrey Hicks are hitting the road and bringing their training classes to a city near you! Line up NOW for fast-paced, intensive training sessions that will get you from zero to scripting in just a few days! Whether you’re a rookie or a pro, you’ll become a lean, mean scripting machine when you train with the people who have made scripting simple... Live! Guru-Led Training For more info and registration: www.scriptingtraining.com/pc.asp Visit our family of websites, products and services at: www.sapien.com (use referral code: REDMOND) Register by April 30, 2007, and receive, upon completion of class, a free copy of Windows PowerShell 101, a self-paced follow-up “Class on Disc” by Don Jones. © 2007 SAPIEN Technologies, Inc. All Rights Reserved. -XPSLQ:H·OOWDNH\RXIURP]HURWRVFULSWLQJLQQRWLPHÁDW • Supports Windows PowerShell™, VBScript and over 30 other languages • 2RSV5HVLOLHQFH,QÀQLWH8QGR)LOH+LVWRU\DQG5HF\FOH%LQ • Supports SourceSafe, Perforce, CVS/Subversion • Advanced Database Tools • Visual XML Editor Take a test drive at http://redmond.primalscript.com 0507red_Roundup27-30.v7 4/17/07 10:51 AM Page 27 RedmondRoundup Manage and Manage Alike In today’s inherently disparate networks, you need a management tool that can take control of all your Windows and open source systems. By Ben Brady Like many of us, I find a certain amount of comfort in Active Directory and the familiar surroundings of Windows. I’ve resisted—often kicking and screaming—when my peers have suggested using a Linux- or Unix-based system within our domain. Much to my consternation, I have to admit that several of these open source systems have found their way into the networks that I have to manage either directly or indirectly. So even though I’ve been exposed to FreeBSD, Red Hat, CentOS, Fedora, SCO and several other Linux- and Unix-based systems, I’ve always shied away from really sinking in my teeth and learning how they work. Out of pure necessity, I’ve learned how to dub around in these operating systems, do some basic maintenance and troubleshooting, and lend “hands and eyes” support to my users. Some of my Linux friends have told me I’ve learned just enough to be dangerous. With acquisitions, mergers, buyouts, downsizing and reengineering, sometimes even the most carefully planned and meticulously managed networks can become a confusing mess. I’ve always been told that networks are living, breathing entities that continue to grow throughout the lifecycle of an organization. It’s no longer a rarity to see Windows, Unix, Linux and Macintosh systems all sharing the same wire in a network environment. This is especially true in a company that has grown through acquisitions or mergers. Even simple churn within the IT staff can result in disparate OSes and different flavors of Unix/Linux as each administrator leaves behind his or her preferred systems. There’s a certain comfort in managing your Windowsbased AD infrastructure, but what InThisRoundup Centeris Likewise Management Suite $349 per server; $69 per workstation Centeris Corp. | 800-378-1330 | www.centeris.com Vintela Authentication Services Pricing begins at $325 per server and $37 per user Quest Software Inc. | 800-306-9329 | www.quest.com Centrify DirectControl $350 per server; $60 per user; Management Console $1,000 per admin Centrify Corp. | 650-961-1100 | www.centrify.com RedmondRating Centeris Likewise Vintela Authentication Services Centrify DirectControl Manageability: 25% 9.0 8.0 8.0 Performance: 25% 9.0 9.0 8.0 Documentation: 25% 8.0 7.0 8.0 User Interface: 25% 9.0 8.0 9.0 Overall Rating 8.7 8.0 8.2 Key: 1: Virtually inoperable or nonexistent | 5: Average, performs adequately | 10: Exceptional about all those Linux servers? This is where Centeris Likewise, Vintela Authentication Services and Centrify DirectControl may be able to help. The Big Easy: Centeris Likewise As I was getting ready to evaluate the Centeris Likewise package, I was reading through the documentation on their Web site. In several places in the documentation, they boasted the product could be up and running in 30 minutes—this I had to see. My lab setup consists of a Microsoft 2003 Server, four Windows XP Professional computers and two Fedora Core 5 servers. All these boxes are fully updated, and the Fedora boxes have no configuration beyond the initial install. Indeed, installing the Centeris package on the Windows server was completely painless. Once I’d finished, I was presented with a GUI management console (see Figure 2, p. 28). The look and feel is not exactly like a Windows Management Console, but any Windows admin should be able to navigate it effectively and defeat the learning curve within a few minutes. From there, all you need to do is add your first Linux box to your domain with the hostname of the Linux server (provided that you have it set up in your DNS listings) or the IP address and the root password. Centeris Likewise then creates a Secure Shell (SSH) session to the box and installs all the components necessary to administer it from your Windows GUI. The total | Redmondmag.com | Redmond | May 2007 | 27 0507red_Roundup27-30.v7 4/17/07 10:51 AM Page 28 RedmondRoundup time for the installation, plus a few extra minutes to review the documentation and set up my first Linux box on my AD domain, was about 25 minutes. Once adding that first Linux server was complete I moved on to the second. All of the benefits conferred by Centeris Likewise could certainly be accomplished with a fair amount of scripting and manual setup on any Unix and Linux machines spread throughout your network. For many with limited experience in this arena, however, Centeris Likewise is a good package to have available. Sign Once: Quest Software Vintela Authentication Services Figure 1. Admins can register the VAS Administrative Tools on their servers. At this point, I noticed there isn’t any apparent method of scripting or creating a batch for this process. In the lab environment I only had to add two servers, but that number could certainly be much higher in a large-scale production environment. Also, after installing the second server, I noticed you can only manage one server at a time. Still, setting up a mixed network was easy. Over the next 30 minutes, I set up an Apache Web site with a DNS up and running, a file share and a network printer on the two servers. It was quickly apparent that seasoned Windows veterans would certainly benefit from this product when adding Linux and Unix boxes to their networks. On the downside, however, there are several popular services found on most Unix/Linux boxes that you can’t manage through the Centeris console. MySQL and PHP are examples of services you must configure and maintain manually. Quest Software’s Vintela Authentication Services (VAS) takes a much different approach to “integrating” Unix and Linux systems into an AD environment. Just about everyone in a mixed environment is familiar with the phrase “Single Sign-On,” or SSO. Many of us are accustomed to providing our frontline users with a single username and password for Windows environments. Administrators and power users often have more than one account, each set up for performing various network administration roles. The non-IT user, though, typically needs only one easilymanaged account. Those of us fortunate enough to have a mixed environment also understand what it’s like to have various flavors of Unix/Linux on our network that require different credentials for each user. It can quickly get cumbersome. Now imagine you’re supporting an enterprise-class organization that has typically been a Microsoft AD environ- ment. You acquire another company with 152 Unix/Linux-based servers. At the outset, this could be a nightmare. You can certainly see how the concept of SSO could be beneficial. Both VAS and Centrify’s DirectControl do require a bit more skill with Unix/Linux. I’d strongly recommend having a good plan in place before beginning an integration project on a production network. Both Quest and Centrify also offer integration services that will help you smooth the process. AD stores certain attributes for each user in its data store. Unix and Linux machines typically store several more attributes for each user. This makes it difficult to integrate your Unix/Linux users into AD. One way to do this is to extend the schema on your AD servers to store the additional attributes. Quest’s VAS takes this approach. I installed VAS on a new and fully updated Windows 2003 Server machine. VAS gives you a utility for extending your AD schema. This was a relatively quick and painless procedure on my new server. In a large production environment with many users and other objects, this process might be a bit more time consuming. I’d recommend a very recent full backup of your AD servers in a production environment on the slight chance that you encounter problems. After updating the schema, VAS completes the installation and installs the remaining VAS Administrative Tools. You can then register these tools on Figure 2. Centeris’ Likewise offers a GUI management console that most admins should be able to navigate. 28 | May 2007 | Redmond | Redmondmag.com | Project12 1/16/07 11:27 AM Page 1 Software to Simplify and Share SAN Storage Extend the Capability of Microsoft Windows Server System Sanbolic shared data SAN software for Microsoft based Data Centers extends the capability of Windows server applications. Scale out your Windows file serving and web serving architecture. Create a truly flexible datacenter using Virtual Server 2005. Take advantage of the full potential of Microsoft Clustering Services for application availability. Easily configure and assign a pool of storage on a heterogeneous SAN centrally with familiar Windows tools. Simple Information Lifecycle Manager Move your files automatically based on storage policy. Copy your data for availability. Take control of your data. Intuitive Software Designed for Windows Servers www.sanbolic.com. Or call us at 617-833-4249 0507red_Roundup27-30.v7 4/17/07 10:51 AM Page 30 RedmondRoundup your server (see Figure 1, p. 28). I created a Unix/Linux users group where you see the newly added ability to select the “Enable Unix Group” check box under the Properties menu. Then I selected a user, went to properties and selected “Enable Unix User.” Management setup on the client-side install was a bit more daunting. VAS supplies a tool called Vastool that lets you add your Unix/Linux machine to the AD domain. Vastool is a commandline tool, so you should be comfortable with the Unix/Linux command line before you start on this endeavor. I did my client installation on two Fedora Core 5 machines. VAS also supports AIX, Debian, VMware ESX Server, Red Hat, SuSE and Solaris Unix. It also supports a wide range of Unix/Linux-based applications such as DB2, Java, Oracle and SAP. Now that I’d configured my AD and client machines, my Fedora machines were full members of the AD domain. The machines’ Kerberos and LDAP implementation created a true single sign-on “trusted realm” in my AD. One of the major benefits of VAS is that it’s completely standards-based. It extends the capabilities of AD to your Unix/Linux environment. One of the nightmares network supervisors experience in a mixed environment is the issue of compliance and the associated management and reporting requirements. VAS will give you the same auditing and reporting capabilities in your Unix/ Linux environment that you’ve grown accustomed to in your AD world. VAS is very scalable. It can accommodate networks with 10 or 10,000 users. While the package doesn’t let you set up Web sites and DNS servers on your Unix/Linux servers, hopefully you can see how using VAS to create an SSO environment to integrate your Unix/Linux servers into your AD could potentially be a huge benefit. Easy Rider: Centrify DirectControl The second product in the single signon arena is Centrify DirectControl. DirectControl uses native AD capabilities to store multiple Unix and Linux identities. Like VAS, this also requires a bit more familiarity with Unix and Linux than Likewise. DirectControl doesn’t actually change or extend the schema of your existing AD—although the end result is still the SSO, DirectControl takes a different approach. Centrify DirectControl lets you store multiple Unix and Linux identities for one AD user and then maps those identities back to “zones” of systems. Figure 3. DirectControl’s Administrator Console presents a cleaner environment for adding users to zones and viewing reports. These “zones” are collections of systems that share similar attributes and let you provide access for users who have membership in the zone. Many seasoned Linux and Unix veterans are familiar with NIS maps: there’s a utility that lets you import these maps. Centrify DirectControl also lets you integrate Macs into your AD, in addition to Unix/Linux machines. For the purpose of my evaluation, I started with a fresh network consisting of a Windows 2003 server, four Windows XP Professional clients and two Fedora Core 4 machines. At the time of this review, Fedora Core 5 was not listed as a supported OS. Still, installing it on the server was quite simple. Once again, the client installation requires a bit of knowledge in the Unix/ Linux environment. That being said, the client installation is fairly well scripted and went off without any problems. 30 | May 2007 | Redmond | Redmondmag.com | One feature I do like about Centrify DirectControl is the DirectControl Administrator Console (see Figure 3). This is a clean and intuitive environment in which you can set up your Centrify DirectControl zones, add users to zones and view reports. In my opinion, the built-in reporting left a bit to be desired. I prefer add-on reporting and auditing tools that pull information directly from my AD. I also question the wisdom of mapping multiple user accounts to one AD account. Singularly Qualified If you have Unix and Linux machines on your network, or if you’re thinking about adding one for Web hosting, DNS, or file and printer sharing, Centeris Likewise would certainly be worth a look. Both Centrify DirectControl and Quest’s Vintela Authentication Services have thorough documentation. They also have “Resource Centers” on their Web sites with vast resources available. If you truly want to integrate your Unix and Linux systems into your AD environment and use single sign-on features like ease of administration and compliance, both VAS and DirectControl are worth a look. I’d recommend giving them serious consideration. There certainly are benefits to this type of choice, including the ease of directly mapping existing users. As I mentioned earlier, making a full backup prior to installation would give you absolute protection in the event of any critical problems. Although I didn’t really encounter any major problems in my tests, I’m a bit leery of manipulating my production AD environment. VAS does let you use traditional Windows applications for user and group management. DirectControl adds their management console. All this may come down to a matter of personal preference with how you’d rather manage your systems. — Ben Brady (bwb5026@yahoo.com), MCSE, CCNP, is the operations manager for ISDN-Net Inc. in Nashville, Tenn. Raxco 4/13/07 8. 10:02 AM Page 1 4. Recognized as the world’s most powerful defrag- menter, PerfectDisk has always been the secret to No hidden surcharges. Unlike other defragmenters, PerfectDisk doesn’t charge you extra for super-sized faster, more reliable computers. Now, with a drives, or administrative console features. powerful new suite of enterprise tools, Microsoft-certified PerfectDisk simply PerfectDisk 8.0 takes disk defragmen- makes it easy to defrag every tation to the farthest reaches of the drive on the enterprise. Period. enterprise, while placing total control right at your fingertips. 7. 3. The Top 8 Are you sitting down? To ensure your drives are always in shape, new AutoPilot Scheduling™ Reasons lets you set your computers to Good, because the PerfectDisk Command Center™ lets you deploy, defrag automatically. What’s configure and manage the defrag- more, unlike the competition, new intelligent Screen Saver Mode auto- mentation of every system on the enterprise ... all from the comfort of your matically defragments idle computers if own desktop. a user-defined number of days has passed since the last defrag. 6. 2. Your Enterprise Can’t Wait For PerfectDisk PerfectDisk's new patent-pending Resource Saver™ technology finds all the fragments of a file without and CPU throttling features automatically detect when a system is “busy” and 8 first opening the file, efficiently defragmenting even the largest reduces its disk I/O or CPU usage accordingly, making the of drives with minimal system defragmentation of even the impact. 5. PerfectDisk's new I/O busiest drives practical. 1. PerfectDisk's Space Restoration Technology,™ with its Consolidate Free Space defragments, optimizes and consolidates even Defrag, lets you create the largest piece of contiguous free space available prior to creating large files or performing And best of all, PerfectDisk 8 the largest drives in a single pass. Done. And with our Competitive Trade-up Program, the time is great to migrate to partition resizing operations. So why wait? Download a FREE trial at Sowhy whywait? wait?Download 8.8.8.So www.perfectdisk8.com. 1-800-546-9728 www.perfectdisk8.com Visit themost mostpowerful powerfulenterprise enterprise defrag defrag solution. solution. See the come by booth 226 during Microsoft Tech Ed, June 5 – 8, 2007 2007 Orlando, Orlando, FL. FL. Come by booth 226 during Microsoft Tech Ed, June - 8, ® June 8, 2004 PerfectDisk 6.0 Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. PerfectDisk is a registered trademark of Raxco Software. PC Magazine Editors’ Choice Award Logo is a registered trademark of Ziff Davis Publishing Holdings Inc. Used under license. All other product names mentioned herein are the trademarks of their respective owners. ¤ May 24, 2005 PerfectDisk 7.0 0507red_F1Security32-38.v11 4/17/07 10:30 AM Page 32 Your Vista Game Plan An early, well-planned move to Microsoft’s new OS could be the answer to enterprise security challenges. By Peter Varhol egardless of your personal or professional opinions of Windows Vista, you know you’ll be running it sooner or later. Uptake on new desktop operating systems tends to be slow, with just over 50 percent of enterprise desktops running them in the first five years, according to industry analyst firm Forrester Research Inc. Most may choose to upgrade gradually, in line with new client hardware, while some may wait until the next planned upgrade cycle. In Vista’s case, there may be good reasons to accelerate adoption, rather than waiting for the next scheduled upgrade cycle. Security and integrity are two of the most prominent reasons. Enterprises that are at a significant risk, given the value of their applications or data, may be attracted to its ability to provide better safeguards. Vista’s higher levels of integrity are also likely to make it more resistant to attack. Still, there are doubters. Forrester security analyst Natalie Lambert says that the security features are a boon for consumers. While helpful in the enterprise, they will still be supported by third-party products. “Enterprises will still use virus checkers and spam blockers to supplement Vista,” she explained. “The new security features have to be weighed against the cost of upgraded hardware. For many, it makes sense to move to Vista with the next hardware upgrade, not sooner.” R 32 | May 2007 | Redmond | Redmondmag.com | 0507red_F1Security32-38.v11 ILLUSTRATION BY ROBERT KAYGANICH 4/17/07 10:30 AM Page 33 | Redmondmag.com | Redmond | May 2007 | 33 0507red_F1Security32-38.v11 4/17/07 10:30 AM Page 34 Vista Game Plan So when does it make sense to upgrade? Vista will almost certainly be the mainstream OS within a few years. Is it worth the hardware and administrative costs to achieve higher levels of security or integrity, or should migration occur on the same schedule as previous OS upgrades? ing Group, the SDL consists of processes encompassing security engineering, reviews by security experts and protection within the OS itself. The first phase of this lifecycle involves designing features and implementing code more resistant to attack. Toulouse describes a process whereby each proposed feature was scruThe Keys to Lockdown tinized for its security implications prior to being included Microsoft has undertaken a formidable task trying to secure as a requirement. “If a feature required a port to always Vista. Security is not achievable in an absolute sense, and remain open, or for a high level of access to be maintained, you don’t achieve added security without cost. That cost is it would get a lot of pushback,” he explained. “It might have typically measured in the quality of the user experience. to be implemented in a different way, or not at all.” Microsoft’s ambitious—some would say unrealistic—goal is The second phase of the security lifecycle is review and to improve both security and user experience. testing by industry security experts. A part of this effort, Microsoft has also labored under legacy burdens that aren’t called BlueHat, involves turning over working code to easily swept aside. Those burdens include the sizeable experts for analysis and exploitation, as well as follow-on Windows code base itself. The company builds new meetings between those experts and Microsoft developers. Windows versions from the source of the current one. While In addition to providing a significant test for the OS code, large parts are modified or replaced entirely with every new it also provides an interaction between Microsoft OS engirelease, starting from scratch would mean throwing away a neers and security experts that almost invariably results in lot of perfectly good technology. better code in the future. Another legacy burden is applications, both those proLast, Microsoft incorporates security features that make duced by Microsoft and those from third-party developers. the OS more difficult to hack and exploit. Features like There are thousands of applications out there whose User Account Control (UAC) and user notifications of required permissions level is above that of users, or is unusual activities make Vista more resistant, but not unknown altogether. Prohibiting these applications from impenetrable. The goal is not to provide a fully hack-proof executing would greatly slow Vista adoption, because users system, but to buy time for other mechanisms to identify would stay with the OS and turn away an attack. where their applications ran. Windows Defender, That’s not the end of it. Windows Firewall and an We had the right idea [with User Account An unknown number of Security Center Control] but we failed to consider usability. Since overhauled custom enterprise applicamake a difference here. that early feedback we’ve made significant tions were written in the Windows Defender helps same fashion, requiring protect against and remove strides in usability, and believe we have a administrator rights to the spyware, adware, root kits, system that makes more sense to Vista users. local machine to execute. bots, keystroke loggers, conStephen Toulouse, Senior Product Manager, Some enterprises fixed trol utilities and some other Trustworthy Computing Group, Microsoft their applications when forms of malware. The they went to a locked-down Windows Firewall includes environment over the security issues of the past several both inbound and outbound filtering, protecting users by years. Others still have many applications that have to run, restricting OS resources if they behave in unexpected ways. at least some of the time, in a more privileged mode. While the Security Center has been around since With Vista, Microsoft attempted to build an OS that Windows XP SP2, Microsoft has made improvements, eases users, administrators and developers into thinking including showing the status of anti-spyware software, about security in a different way. No one at Microsoft Internet Explorer security settings and UAC. The Vista would declare that Vista is 100 percent bulletproof, but it’s Security Center can monitor security solutions from thirdno exaggeration to say that Vista is the most secure party vendors running on a PC and indicate which are Windows OS to date. But is it secure enough for you to enabled and up-to-date. deploy on hundreds or thousands of desktops? Before shipping, Vista also underwent final security reviews, peer reviews and testing via automated attacks. What Microsoft Does for Enterprises Automated attacks typically involve code written to emuWindows Vista is the first OS Microsoft has built under late actual attacks from the wild, to determine the ability the laws laid down by its Security Development Lifecycle of the OS to repulse them or at least slow them down. (SDL), which were defined several years ago during the Patches and Promises intense security training conducted after the release of One of the accepted practices in OSes in recent years has Windows XP. According to Stephen Toulouse, senior been the concept of the security patch. Hackers, researchers product manager for Microsoft’s Trustworthy Comput34 | May 2007 | Redmond | Redmondmag.com | Project3 4/9/07 4:42 PM Page 1 User Account Control for the Enterprise ™ Do you trust your users with Administrative Rights? Windows Vista’s User Account Control asks users for administrator passwords in order to run many critical applications. Distributing administrator passwords to end users is not a secure enterprise solution. Least Privilege Management. BeyondTrust enables enterprises to move beyond the need to trust users with excess privileges or administrator passwords. Apply the principle of Least Privilege to all users by securely elevating privileges for authorized applications without end user input, pop-ups or consent dialogues. Empower network administrators to set centralized security policy. Built for Windows 2000, XP, Server 2003, and Vista; integrated with Active Directory and applied through Group Policy. For a free pilot installation call 1.603.610.4250 or visit www.beyondtrust.com. Windows and Vista are trademarks of Microsoft Corporation. Other company, product and service names may be trademarks of their respective owners. © 2007 BeyondTrust Corporation. All rights reserved. 0507red_F1Security32-38.v11 4/17/07 10:30 AM Page 36 Vista Game Plan or even vendors themselves identify vulnerabilities. The OS Developers tend to be philosophical about security vendor, such as Microsoft, Apple or Red Hat, then analyzes issues. At a recent Visual Studio developer conference, the vulnerability and prepares one or more patches. Sam Restead, a senior software engineer for a large insurMuch has been made of the fact that Vista has had ance provider, shrugged and said, “I care about security fewer security patches in its first 90 days of availability and don’t intentionally write bad code. But the hackers than comparable OSes from Apple or Red Hat. While move so fast that no one can keep up with all the emerging this appears to be a reasonable standard for a new OS, techniques to break into systems.” Microsoft disingenuously included the time before genRestead’s colleague Richard Guest added: “It’s mostly an eral availability when the OS was only available to enterOS problem anyway.” prises and MSDN subscribers. Not surprisingly, both perception and bandwidth have Forrester analyst Jen Albornoz Mulligan notes that the led to the lack of motivation by developers in addressing ranking is very different when only critical flaws are consecurity more rigorously in their applications. That said, sidered. Her conclusion is that there are too many varidevelopers don’t intentionally write insecure code and are ables to consider. For those on the front lines, however, keenly interested in making sure that an application isn’t the question for now is: What does it take to keep the the cause of a security breach. The real problem is that machines up-to-date on patches? The jury is still out on there are just too many other things for developers to do at that question, but Windows Vista looks much more prom- the same time. ising than previous versions of Windows. Vista will help most developers write more secure code. Ironically, at press time there were news reports of a It does so, in part, through the use of UAC. The UAC Vista vulnerability surrounding .ANI files. According to separates standard user privileges and activities from those those reports, .ANI files are used to change the cursor into that require administrator access. It changes the definition an hourglass while a proof a standard user by includgram works, or into a curing many basic functions sor animation on Web that pose no security risk but The new security features have to be sites. The vulnerability was that previously required weighed against the cost of upgraded hardware. allowing hackers to break administrative privileges. For many, it makes sense to move to Vista with into computers and install Many applications require malicious software. Because local machine administrator the next hardware upgrade, not sooner. of a rapidly increasing privileges, so users can end Natalie Lambert, Security Analyst, Forrester Research Inc. number of reported up with administrative exploits, Microsoft released access, invoked only when the patch for this vulnerability early. installing software or executing an application that There is also security from a physical breach. Many of us requires admin rights. Vista displays a dialog box requesthave received notification of a lost or stolen computer con- ing the local administrator password, which the user must taining data on our identity, credit, or buying habits, and enter in order to complete the activity. were outraged that the data was not better protected. If the enterprise locks down desktop systems, UAC can also Here’s where BitLocker, Vista’s full volume encryption, help there. Admins have the option of configuring a policy comes into play. BitLocker uses hardware-enabled protecsetting that prevents users from encountering the access diation to prevent unauthorized users from accessing data by log, in order to prevent administrative actions entirely. breaking Windows file and system protections. Alternatively, UAC lets IT admins give desktop users BitLocker incorporates centralized storage and manageadministrative rights, but normal operations occur using ment of encryption keys in Active Directory, and lets IT lower privileges. If an application requires admin rights to administrators store encryption keys and restore passwords continue, it will prompt the user for an OK. onto a USB key or to a separate file for backup. The UAC helps users better understand how their system is encryption system also enables system recovery in the being used by applications. After an initial training period, field, providing a means for users to enter the restore pass- users will come to know the normal behavior patterns of word and restore their own systems. their applications, enabling them to question unusual or unexplained requests to upgrade system privileges. The Price of Privilege And over time, UAC will help developers. Because those There has been a dichotomy between application developoperations requiring admin privileges are right out there ers and their users that has become significant over the in the open, any inadvertent upgrade in privileges will past several years. Many enterprise developers have become apparent during unit and functional testing. absolute access to their systems, but they tend not to conMicrosoft’s Toulouse admits that UAC got a bad repusider whether or not their users do. In some cases, they tation during early community releases of Vista. “We had raise privileges because a given operation won’t work the right idea,” he explains, “but we failed to consider unless the process has a high set of privileges. usability. Since that early feedback we’ve made significant 36 | May 2007 | Redmond | Redmondmag.com | 32229_redmond5_ns.indd 1 4/9/07 5:05:00 PM 0507red_F1Security32-38.v11 4/17/07 10:30 AM Page 38 Vista Game Plan strides in usability, and believe we have a system that For enterprises, this means that “install and go” is no makes more sense to Vista users.” longer a reasonable strategy for running a Windows OS. One unyielding principle is that users are still informed System administrators, application developers and even whenever an application attempts to do something out of end users have to take increasing responsibility in an envithe ordinary. This means that many computer users will be ronment where known exploits are combined with valuable seeing more messages concerning application privileges data to provide ample opportunities for security violations. than they have in the past. To those who install software The tradeoff required for better security is greater on their own systems, the dialog will be a constant involvement by users, administrators and developers in the reminder of the Vista security strategy. security process. In deciding whether or not to accelerate a The upshot is that users will have to better understand migration to Vista for security purposes, managers have to the security implications of their activities. This may cause first perform a classic risk analysis. If your clients access confusion unless users are trained in their security respondata of significant value to the organization, or your infrasibilities. In many enterprises such training is problematic, structure has vulnerabilities that put clients at greater risk as users generally receive only the training they need to of intrusion, then the additional security features of Vista perform their job activities—and sometimes not even that. should be high on your priority list. According to BeyondTrust CEO John Moyer, this will But—and it’s a big but—that means both your staff and be a problem in enterprises. “Users are focused on their users have to get more involved in security. Users have to jobs, not on the security messages that pop up on their understand and take action based on security messages screens,” he claims. UAC sent by the OS. Vista will has the potential to cause tell them a great deal about System administrators, application developers confusion for users and the security state of their increased workload for desktop, but only if they and even end users have to take increasing administrators. It’s not speak the same language. responsibility in an environment where known going away, though, so Administrators have to exploits are combined with valuable data to sooner or later developers make sure that desktops are will have to make their provide ample opportunities for security violations. configured with the applicaapplications run in more tions, policies and security secure environments and settings required by users to users will have to understand what to do when the UAC perform their jobs. Blasting all desktops with a single dialog box appears. image and pushing blanket policies probably won’t cut it You can get your hands on most, if not all, of these and if you want to move to Vista today. Using features such other less significant security features from third parties to as UAC, policies and the Security Center, administrators use with Windows XP. BeyondTrust, for example, prohave to configure the OS to the precise security paramevides a way to manage user privileges in the IT shop, ters needed to ensure protection of data and systems. rather than on the user’s desktop. Adding third-party point Admins will be on the front lines of helping users undersolutions does mean a more complex configuration for stand their new security responsibilities. installed systems, the need for better management of softLast, developers can no longer assume that users are local ware licensing and upgrades, greater costs and perhaps a machine admins. Relying on Vista privilege elevation for greater potential for system conflicts. applications to work will be confusing to users and show a lack of OS understanding by developers. While it may not Building a More Secure Enterprise be possible to get rid of privilege elevation entirely, develAdvocates for one OS over another tend to get viscerally opers have to build and test with the same security settings involved in their opinions on security and usability. The as their users. debate among client OSes in enterprises tends to settle With a commitment from these three constituencies, around what version of Windows is best, rather than Windows Vista will help an enterprise at risk be measuranon-Windows alternatives. If an enterprise is at risk, bly more secure. But there’s also a word of caution: Witheither by making regular and common use of high-value out that commitment, along with training in security or highly sensitive data, or by losing significant business policies and implementation, the equation falls apart, likely if systems are taken offline by attacks, then Vista can resulting in greater confusion and lost productivity. help immediately. There’s no going back. All parts of the enterprise will There seems to be little question that security is have to have greater involvement in information security improved with Windows Vista. Toulouse calls Vista the in the future. Vista represents an important first step in “best possible baseline for the broadest set of users.” that direction. — While there’s nothing particularly revolutionary about its Peter Varhol (pvarhol@redmondmag.com) is Redmond’s features, it’s useful to have them aggregated into a single executive editor of reviews. product and used in consistent ways. 38 | May 2007 | Redmond | Redmondmag.com | Project2 4/12/07 10:51 AM Page 1 NORTHERN STORAGE SUITE SET LIMITS To collect and store is a natural instinct. A sys admin is guided by a different set of instincts: to maintain order and to set reasonable limits. Northern Storage Suite allows you to establish guidelines and boundaries to promote economical storage usage. It lets you set disk quotas, block file types and keep users informed. Sample the power of Northern Storage Suite – download Northern’s Free Analysis Tool: www.northern.net/redmond WWW.NORTHERN.NET / INFO@NORTHERN.NET / 1.800.881.4950 NORTHERN – MANAGING STORAGE SINCE 1995. TO US IT’S SECOND NATURE. Simplify Active Directory Management, Inventory Control, & Auditing. ® ® ® ® ® ® ® Provides Custom & Canned Reports Includes Ability to Schedule Reports Eases Software Inventory & Auditing Removes Unwanted Client Software Offers Hot Fix & Service Pack Viewer Advanced Export Features Bulk User Updating NG I L E D? FE E M L HE W R OVE FREE 30 Day Trial! Visit CNS-Software.com Tools by Administrators for Administrators 1-866-344-6267 www.CNS-Software.com TM ©2006 CNS Software, LLC. All rights reserved. The names of actual products mentioned herein may be the trademarks of their respective owners. Project4 3/12/07 12:13 PM Page 1 Maximum Control. Minimum Effort. Providing desktop support can be a headache with the large number of systems, servers and mobile devices located on today’s corporate network. With NetSupport Manager remote control software, you can provide seamless IT support centrally from one location, improving response times and reducing associated IT costs. Support, monitor and train your users securely over a LAN, WAN and the Internet. Manage and monitor multiple systems simultaneously with NSM’s multi-platform support including Windows, Linux, MAC, Solaris, and Windows Mobile. Troubleshoot help requests efficiently with NSM’s inventory and desktop management tools. Take control of your network before it controls you. For more information and to download a free trial copy - visit: www.netsupportmanager.com PC Remote Control sales@netsupport-inc.com 770-205-4456 www.netsupport-inc.com 0507red_F2CitrixVM41-43.v8 4/17/07 10:32 AM Page 41 Citrix and VMware: Oil and Water? Two technologies. One chemistry experiment. Can they mix? By Greg Shields and Steve Kaplan ne of the components in our chemistry experiment is a billion-dollar company known worldwide for software that connects any user from any network connection to any data center. Citrix Systems Inc.’s Presentation Server software utilizes an optimized transport protocol called ICA to connect clients to servers over WAN links of virtually any speed. The other component is a subsidiary of another billion-dollar company. This one’s known for multiple years of triple-digit growth and a recent announcement of its first IPO. VMware Inc., EMC Corp.’s subsidiary, has been renowned for its Virtual Infrastructure product that’s capable of squishing together tens of data center servers onto a single hardware chassis. The return on investment (ROI) associated with both technologies is well-documented. Citrix moves your applications from the desktop to the data center, centralizing management and reducing administrator touch points. VMware centralizes your servers, reducing hardware footprint and heat signature, enabling an entire-server snapshot for rapid recovery and business continuity. But when you bring them together, do they mix? Or, like oil and water, do they separate? By running Citrix servers on top of VMware’s Virtual Infrastructure, do you improve their combined ROI, their performance and their survivability? Or do you end up with a big, unresponsive mess? O | Redmondmag.com | Redmond | May 2007 | 41 0507red_F2CitrixVM41-43.v9 4/17/07 2:10 PM Page 42 Hard Facts 7But What About Microsoft Virtual Server? e’ve focused hard on the Virtual Infrastructure virtualization technology created by VMware, but the elephant in the room is: “What about Microsoft Virtual Server?” While there are no equivalent studies detailing Citrix performance on Microsoft Virtual Server, a few connections can be made between the two products. Microsoft Virtual Server is intended to be a comparable product to VMware’s Virtual Infrastructure platform, but its architecture suffers problems stemming from two major issues. First, Microsoft Virtual Server is intended to be installed on top of an existing Windows Server 2003 installation. VMware’s Virtual Infrastructure 3 (VI3) product is its own operating system. As the VI3 OS is highly optimized with an eye toward performing a single function, its virtualization overhead is significantly reduced. This means that virtual machines hosted on VI3 will typically run with better performance. The second issue involves VI3’s capabilities for dynamic load balancing and on-the-fly restarting of failed machines on alternate hosts, enterprise-level features that are critical in high-availability environments. Microsoft Virtual Server has the capability of doing cold migrations of servers from one host to another, but the virtual machine must be powered down prior to the migration. VI3’s ability to move machines from host to host while the virtual machine continues to run makes this feature set a huge boon to downtime-sensitive environments. Microsoft Virtual Server is a good product in some environments. More importantly, it comes at a substantially lower price point than VMware’s enterprise-level product. If your network environment doesn’t have requirements for very high performance and reliability, then Microsoft Virtual Server’s lower price point may make it the product for you. —G.S. and S.K. W 42 | May 2007 | Redmond | Redmondmag.com | Virtualizing a Citrix server provides the same level of benefits at the server chassis as Presentation Server does for its applications. Virtualizing a server enhances that server’s capability for management and hardware mobility. Because of the file-based nature of virtualization, that server’s intrinsic availability and recoverability after a disaster event are improved. And because adding a new virtual server is little more than a copy-and-paste, virtualization provides an IT staff with more options in segmenting applications, as well as securing them against external attack. On the other hand, virtualizing any server involves added overhead to system resources. This overhead comes from the resources needed to run the virtualization layer plus all other virtual servers hosted on the chassis. You may have heard the horror stories about the poor performance Citrix servers experience when running on early versions of VMware’s ESX product. Many of those concerns have changed, however, with VMware’s release of Virtual Infrastructure 3 (VI3). VI3 includes automatic sizing of memory page table caches, and improved latencies on page fault and context switch operations that help reduce total system resource use. Citrix at a high load can be a demanding application due to high kernel-resource utilization and a high level of context switches associated with its underlying Terminal Server architecture. But in many environments this high utilization often doesn’t occur. Many times, application conflicts—or the need for security isolation among applications or users—force a horizontal scaling of Citrix servers. These kinds of applications or users that can’t cohabitate on a single server can result in an organization buying new Presentation Servers even though existing server utilization is low. In a virtualized environment, multiple server instances are enabled to run on the same physical server chassis. When application conflicts or security requirements force additional servers to be brought online, virtualization can enable it to be done with relative ease. You can copy and paste new servers to your heart’s content until the hardware resources of your physical chassis max out. VMware recently completed scalability tests that involved initiating a series of increasing user log-ons to a virtualized Citrix server, followed by a pre-recorded series of actions using Microsoft Word. The test simulated users logging in, opening a Word document and typing for up to 15 minutes. CPU resources were measured so as to identify the number of users capable of being supported by the hardware chassis when running at up to 80 percent of CPU utilization. A quad-socket, dual-core server was used to host the virtualization environment. This server was configured to run eight instances of Presentation Server with near-equivalent user experience to that of eight single-processor physical servers. For the test, a limited set of applications was used and each Presentation Server virtual machine was fixed to a specific processor. After running the test for 80 iterations, results showed that for the hardware chosen, Version 3.0 of ESX and a 0507red_F2CitrixVM41-43.v8 4/17/07 10:32 AM Page 43 Citrix & VMware single-hosted virtual machine could support close to 140 simultaneous sessions. Obviously, mileage will vary depending on the type and number of hosted applications, as well as the number of simultaneously hosted virtual machines on the hardware chassis. But this test did verify that a large number of concurrent users living in a virtualization environment could be supported. Two design decisions on the part of the ESX host combined to reduce this virtualization overhead. Virtualization environments that run on quad-processor rather than dual-processor servers, as well as those running 64-bit processor architectures, can increase the number of concurrent sessions in the virtualization environment. When making the decision to move to virtualized Presentation Server, this combination of host specifications diminishes the negative impact of virtualization overhead. ported for a much lower hardware cost when it comes to concerns over security or application conflicts. Snapshots and Backup Presentation Servers are application servers. Unlike most of the servers in your data center, users have direct access to that server’s desktop and installed applications. This means Presentation Servers have a greater chance of being exploited. A virtual Citrix deployment eliminates the necessity of having one or more Citrix servers set aside as dedicated test machines. Because of VI3’s ability to “snapshot” the server, the process for patching and testing becomes much less painful. To test a virtual server, just snap an existing server instance, apply the desired patches, upgrades or other modifications, and validate their functionality. If anything goes wrong, you can rollback the server to its snapshot. If the testing or patching completes successfully, the modificaSofter Side tions can be applied to the other Citrix Other factors also help to reduce virtual machines with confidence. hardware requirements in a virtualBacking up a virtual Citrix infraized Citrix environment. VI3’s structure is simplified by the ability to Interested in learning more about Distributed Resource Scheduling can store snapshots of the entire virtual VMware’s performance study be configured to automatically machine at any time. Snapshots can be involving Citrix Presentation Server? relocate running instances of virtual replicated off-site, which helps faciliCheck out its white paper at Presentation Servers to other physitate disaster recovery (DR). Because www.vmware.com/pdf/esx_citrix_ scalability.pdf. cal chassis with more available the Citrix virtual machines can be kept resources. This relocation capability running at the DR site, access becomes means that a stack of servers can be treated less like a stack very easy and rapid in the event of a catastrophic failure. of servers and more like a stack of processor and memory Performance vs. Reliability resources. Organizations can pool these server resources As with our question of oil and water, the laws of physics and load balance virtual machines across them, thereby still hold true with virtualized environments. Do Citrix enabling a higher overall utilization without overburdenand VMware mix? For performance—maybe. Using ESX ing any individual machine. with just the right set of hardware, applications and users, This way the server environment is similar to that of an testing shows that you can squeeze a large number of conarray of disks. We no longer have to know or even care current users onto multiple Citrix virtual servers. about where our virtual machines are running. We can set For other reasons—definitely. As you can see, virtualizapolicies to reserve minimum and maximum resources for individual virtual machines. We can also create affinity and tion provides benefits to reliability that help offset that loss in total performance. The gains from centralized adminisanti-affinity rules to ensure servers that should reside tration, higher availability, disaster recovery and server together on the same physical hardware actually do. In a physical environment, a failed server can mean a loss of provisioning make it an option worth considering. that server’s resources until that server is repaired or a new Greg Shields (gshields@redmondmag.com), MCSE: machine is procured. Disparate hardware between the failed Security, CCEA, is a principal consultant for 3t Systems machine and the new one can force a complete rebuild—a (www.3tsystems.com) in Denver, Colo. A contributing editor lengthy process. Because of this, organizations often procure and maintain an inventory of costly identical server hardware to Redmond magazine and a popular speaker at TechMentor events, Greg also hosts a Windows Server blog and regular that sits unused and waiting for a failure to occur. A dead VI3 host server, on the other hand, can quickly be podcast at www.realtime-windowsserver.com. replaced by a new server regardless of brand, CPU or Steve Kaplan (skaplan@accessflow.com), MVP, is president of model. Further improving system uptime, VI3’s High AccessFlow, a VMware Premier Partner headquartered in Availability feature will automatically restart systems elseSacramento, Calif. In addition to co-authoring the where that were homed on the dead host. Osborne/McGraw-Hill series of Citrix Official Guides and Also, the ability to spread out users among a greater Advanced Concepts Guide books, Steve has had dozens of number of virtual Presentation Servers means a smaller impact on that user base when one Presentation Server has articles published on various IT topics ranging from security to disaster recovery to regulatory compliance. an issue. It also means users and applications can be sup- VMware’s Citrix Performance Study | Redmondmag.com | Redmond | May 2007 | 43 0507red_F2ITvIM44-47.v11 4/17/07 10:34 AM Page 44 44 | May 2007 | Redmond | Redmondmag.com | 0507red_F2ITvIM44-47.v11 4/17/07 10:34 AM Page 45 IT IM vs Instant Messaging (IM) makes tactical communication a snap, but too often IM serves as a doorway for hackers. Here’s how IT can wrestle with the problem. By Doug Barney I n October 2006 Instant Messaging reached an ignominious milestone. Security vendor Akonix Systems Inc. reported a record-high 88 IM-based attacks, a mark that still stands almost six months later. While it hasn’t gotten any worse, IM threats have hardly gone away. Most are in the form of worms usually spread as attachments. They have wacky names such as Geezo, NotYou and Tellsky. IT staffers have to clean up these messes, and they’re not laughing. Besides worms and other viruses, IM is also a conduit for phishing, spyware and social engineering attacks. “I fight daily with pesky spam, malware, viruses and backdoors. Every computer I clean has some type of IM client or a residual,” complains one IT professional. While IM is often seen as stripped-down messaging, the viruses it carries are no lightweights. Take the W32/Sohana-C worm. This nasty little germ first shuts down your anti-virus protections, then modifies the registry and can install software from the Internet. It can also change the user’s start page and duplicate itself via IM. It’s no wonder that many in IT aren’t fans of IM. “I’m not an IMer and I don’t see the business case for it. Employees can state their cases all day long but in the end, everyone knows what they use it for most of the time—[and] it’s not work related,” says Dave Zeininger, a network engineer and administrator for The Computer Merchant Ltd, a computer consultancy. Just Say No One solution that may please IT—but not end users—is to ban IM completely. “We just say no [to IM],” explains John Montgomery, MCSE, president and CEO for IMC Studios Inc. IMAGE BY GETTY IMAGES Blocking can be a fairly simple procedure. “In our enterprise, IM protocols are blocked by filtering software at the Internet gateway, and all known IM client software is prevented from running by a combination of group policy—blocked by path and hash—and our AV software,” explains Marc Cote, a network manager in Lenexa, Kan. “So far, I have the CIO onboard with these actions in the name of security,” he says. Others in IT are taking a similar tack. Charlie Jarman, a system administrator and Microsoft Certified Professional with Loris Healthcare System Inc., says he simply uninstalls MS Messenger on all Windows XP Pro-based PCs when they come in the door. He then uses Websense to block all IM clients and all ports, as well as using Group Policy to disallow running the popular IM clients. “This strategy works pretty well for our small hospital system with about 1,000 employees,” he says. Blocking isn’t always enough, however. The fear of God (or at least HR) can also help, argues Dwayne Sudduth, network administrator for Bulova Technologies LLC in Lancaster, Pa. Sudduth says he blocks all the ports for the major IM clients at the firewall. “All of about three users would know how to circumvent that anyway, and we’re all in the same department [IT],” Sudduth says. “It’s a well-known policy that the use of IM is forbidden and is a disciplinary offense, [with penalties] up to and including immediate termination.” If IM is essential to your business, there are two main choices. One is to install a private IM network based on tools from Microsoft, IBM Corp. or Jabber Inc., among others. These private networks tie users to a directory, or let you create a directory that ensures users are who they say they are and have proper password protection. | Redmondmag.com | Redmond | May 2007 | 45 0507red_F2ITvIM44-47.v11 4/17/07 10:35 AM Page 46 IM Solutions Vendors: Akonix, Blue Coat, CypherTrust, FaceTime, IBM, IM Einstein, IMLogic, MessageLabs, Microsoft, NFR Security, PortAuthority, SurfControl, Symantec, Trend Micro, Vericept, Websense, WiredRed Software, Zone Labs. These tools can also archive IM messages that fall under compliance regulations, giving IM the same status as traditional e-mail. These systems also generally include virus blocking, attachment control, the ability to manage and block users, and filters to safeguard confidential data. Another option is to install a gateway that works with existing public IM services like Yahoo! and AIM. These types of tools filter content, detect and block viruses and control what users can do with IM. They can also help with compliance by reporting on IM use and archiving traffic. Gateway tools can also discover just what kind of IM is installed and where. The Trillian Advantage One problem with most IM clients is that they don’t know how to talk to other clients. For Timothy Carroll and many others, Trillian is the answer. “We use Trillian for all IM: It operates with all the popular networks including AOL, MSN and Yahoo!,” says Carroll, who is a network engineer for XS Inc., an IT-based application development shop. Carroll says he first created a default installation, configured it so it looks for profiles in “Documents and Settings,” and then created his own MSI installer with Visual Studio, which duplicates the default installation. The product, however, is not without its shortcomings. “Sadly, Trillian does not respect Windows’ limited-user security out of the box. By default it stores all profiles under Program Files. Its default installer is not an MSI and cannot be deployed. To me both reasons are grounds for immediately uninstalling the product,” Carroll says. But since the company gave him a way around the problem, as well as promising in the next release to permanently fix it by automatically storing everything in documents and settings, Carroll has decided to stick with it. Others are looking to Microsoft for business-oriented solutions. “We’re looking for ways to facilitate the use of IM for business, but in a secure manner. IM will continue to cause issues unless businesses, decision makers, managers and users identify the security risks and address them,” says Michael Esquia, an IT pro with the Floridabased law firm Fowler and White. Esquia says he sees the issue as two-sided. On one side there are the users and their lack of education. On the other side are the IM software companies and the lack of It’s a well-known policy that the use of IM is forbidden and is a disciplinary offense, [with penalties] up to and including immediate termination. Dwayne Sudduth, Network Administrator, Bulova Technologies LLC 46 | May 2007 | Redmond | Redmondmag.com | 0507red_F2ITvIM44-47.v12 4/17/07 2:04 PM Page 47 IT IM vs Batten Down the IM Hatches Understand what you have and do an inventory to see what IM clients are in use and by whom. ■ Create an enforceable IM policy. Users should not open attachments or click links. Get legal involved in approving the policy so it’s in line with compliance standards. ■ Think about creating a standard IM solution, or blocking IM. ■ Patch your IM software, if you have it, regularly. ■ Protect your network with a good Intrusion Protection System. ■ Users should not use names that appear to be someone else, such as GeorgeBush, and IT should not allow false names on the network. ■ Consider encrypting IM messages. ■ manageability they offer in their products. He says it’s not as if he’s asking vendors to develop complete management consoles, but simply to make it easier to manage features using the registry. “Microsoft is leading the way with Live Communications Server [LCS], but it’s still expensive for something that most people view as free to use. If we go with LCS, we’ll keep other IM software from running on workstations,” he says. The Microsoft Way One public radio station, which asked not to be identified, faced an internal IM battle. The station’s former IT director says its news department, radio shows, Web team and key executives all used IM personally and expected the IT department to offer it with no regard for security risks, or for how the existing business logic would support the increased demand. “After initially demonstrating the dangers of unlimited open IMing involving AIM and Yahoo! IM, we were able to get the critical users and execs to understand the problem of security breaches. The AIM virus disaster was the clincher,” he says. The station’s IT department then proposed a secure solution. They were able to convince the powers that were that IT wasn’t refusing to help, but only wanted to comply with the demand in a secure fashion, according to the source. Once they proved the risks and dangers to the corporate network and resources, they made a pitch for the special funding of the project. The CFO then approved the purchase of a small, dedicated server for internal messaging, he says. The specific solution came in the form of the Windows Message Server, which supported all the departments and their users that required the service. According to the former IT director, the productivity improvements were immediate because different departments could communicate significantly faster when, for instance, news was breaking. Despite the Microsoft solution, other clients are sometimes tolerated. “External IM was approved for select individuals or departments but was screened against hitting the main network. This was a very rare permission and had to wait for us to move to Windows 2000 Server, [which had] tighter and more discrete control over user account security,” says the station’s former IT manager. The DBabble Alternative Years ago end users at The Computer Merchant Ltd. had free rein and could install any IM client that came down the pike. That all changed when the company moved to Windows XP Pro and took away end user admin rights. “Because of their demand for IM, stating that their clients required it for quick communication, we deployed DBabble on our network and clients, totaling about 125 users,” The Computer Merchant’s Zeininger says. Because Zeininger’s IT manager was a “real nerd,” he was able to download the manual for the product, read the entire manual, deploy the server and test it out on selected users—all in one day. This allowed the company to deploy the product companywide the following week. The only problem—and it was no small one—was network access, according to Zeininger. He says the major issue for the next couple of years will crop up when the IM companies block communication with the public jabber servers his firm would normally connect through. Most of the time, he notes, it takes several attempts to get connected through a valid jabber server in order to communicate with the IM Servers. “It’s got to the point where, when we lose the communication Check out Redmond’s roundup of for AIM or Yahoo! private IM tools at Redmondmag.com. FindIT code: ITvsIM due to their blocking the jabber server, we may be a week or more before we bother to reconfigure another public jabber server for DBabble,” he says. With such inconsistency, users are starting to give in on IM, and Zeininger says he couldn’t be happier. There are alternatives to DBabble, he says, but he has yet to see a real business case that justifies the cost associated with these options—nor does he have the resources to manage such a system properly. IM doesn’t have to be a minefield. Through blocking or a more secure IM solution, your network can be protected from the likes of Geezo and Sohana. — GetMoreOnline Doug Barney is the editor in chief of Redmond and the VP, editorial director of Redmond Media Group. Reach him at dbarney@redmondmag.com. | Redmondmag.com | Redmond | May 2007 | 47 Project1 4/9/07 4:11 PM UB_Firewall_Redmond.ai Page 1 4/6/07 11:37:57 AM ™ Open door policy? Does Your Backup Software Create a Big Hole in Your Firewall? With UltraBac Software’s advanced backup technology this issue is practically eliminated. Previously there wasn’t a way to securely back up your network through a firewall without excessive risk, or having to place your entire backup infrastructure in the DMZ. The new version of UltraBac will allow you to quickly and easily back up your servers and workstations without having to compromise security by opening many ports in your system. This innovative solution allows you great flexibility by uniquely regulating exactly which ports are used for communication. A one way connection is initiated from inside your firewall so that the outside communications are initiated using a defined range. This means that networks remain more secure by eliminating unnecessary port usage, and you can easily configure your firewall for this defined range to include only your expected backup clients. If you need to better lock down your environment then you need UltraBac’s backup and disaster recovery protection. Your organization’s data is an extremely valuable asset. Keep your data safe and secure inside your firewall, no open door policy allowed. B AC K U P A N D D I S A S T E R R E C OV E RY S O F T WA R E F O R P E O P LE W H O M E A N B U S I N E S S WWW.ULTRABAC.COM © 2007 UltraBac Software. All rights reserved. UltraBac Software, UltraBac, UltraBac Software logo, UBDR Gold, UBDR Pro, and Backup and Disaster Recovery Software for People Who Mean Business are trademarks of UltraBac Software. Other product names mentioned herein may be trademarked and are property of their respective companies. 0507red_F2Exchange49-55.v8 4/17/07 2:24 PM Page 49 Laying the Groundwork: Exchange Server 2007 Moving to Exchange Server 2007 is a complex process with stringent requirements. Make sure you have the tools and infrastructure in place before you begin. By J. Peter Bruzzese T The Leaning Tower of Pisa, although built to stand up straight, began leaning to one side shortly after construction began in 1173. A poorly laid foundation and loose substrate caused the foundation to shift and sink. That’s proof positive that a firm foundation is the key to any structure—be it a monument or a messaging infrastructure like Exchange Sever 2007 (Exchange 2007). A solid foundation is more critical than ever with Exchange 2007, as there is no in-place server upgrade path from an existing Exchange server to the new version. You have to install Exchange 2007 fresh, and there are only three possible paths: • You can create a new Exchange environment for a new company or one without an existing messaging infrastructure. • If you have an existing Exchange environment, you can transition by installing Exchange 2007 servers, co-existing briefly and then phasing out the previous versions. • You could also install Exchange 2007 in a new organization, migrate all your mailboxes over to 2007 and then remove your old Exchange servers. There’s a good reason for the lack of an upgrade path. Basically, Exchange 2007 requires an x64 architecturebased system with an Intel processor that supports Intel Extended Memory 64 Technology (Intel EM64T) or an AMD processor that supports the AMD64 platform. Because earlier versions of Exchange didn’t support x64 architecture, there are no systems from which you can upgrade. | Redmondmag.com | Redmond | May 2007 | 49 0507red_F2Exchange49-55.v8 4/17/07 2:24 PM Page 50 Exchange Server 2007 It’s important to note that the Intel Itanium (IA64) processor will not work with Windows 2003 x64 Editions. Thus, it won’t work for Exchange 2007 deployments. Let’s look at the system and network requirements you’ll need to meet in order to successfully install Exchange 2007. Essential Elements Besides needing a 64-bit processor, Exchange 2007 also requires 2GB of RAM per server, a minimum of 1.2GB of hard disk space (on the drive you install Exchange Server Figure 1. The Best Practices Analyzer Tool helps ensure you have the optimal configuration. 2007), 500MB per language pack and disk partitions formatted as NTFS. Depending on the number of mailboxes and the amount of data you grant each person, you should build out your drive space. You can find more information regarding processor and memory requirements on Microsoft’s Web site. There are also software requirements for any server upon which you wish to install Exchange 2007. Your servers will have to be running Microsoft Windows Server 2003 x64 or Windows Server 2003 R2 x64 (Standard or Enterprise Edition), as well as .NET Framework Version 2.0, Microsoft Management Console (MMC) 3.0 and Windows PowerShell. Your system will also need Active Directory for all server roles, except Edge Transport Server. You’ll need Active Directory Application Mode (ADAM) Service Pack 1 (SP1) if you want to run your server as an Edge Transport. As with moving to Vista, upgrades to accommodate Exchange 2007 may be unavoidable. “Upgrade your key infrastructure server hardware to 64-bit, as well as your Exchange Server hardware. At least consider migrating DCs, especially in a large environment,” says Adam Field, a senior technologist at Content Master (www.contentmaster.com) who has 10 years of Exchange expertise. “Take some time to learn Windows PowerShell—you’ll need it,” he says. “PowerShell represents an entirely new way to manage key functions in your Exchange environment and practice makes perfect.” 50 | May 2007 | Redmond | Redmondmag.com | Take some time to learn Windows PowerShell—you’ll need it. PowerShell represents an entirely new way to manage key functions in your Exchange environment and practice makes perfect. Adam Field, Senior Technologist, Content Master Group Ltd. In terms of preparing AD for the move to Exchange 2007, the Schema Master has to have Microsoft Windows Server 2003 SP1 or Windows Server 2003 R2 installed. You’ll also need at least one domain controller in each AD site that contains Exchange 2007 running Windows Server 2003 SP1. The AD domain functional level must be Windows 2000 Server-native or higher for all domains in the AD forest where you’ll be installing Exchange 2007. You might be wondering if you’ll have to prepare the schema and AD before installing Exchange, as you did in previous versions. Well, that depends. Exchange 2007 has several different preparation switches you can run with the setup.com, including the following: • /preparelegacyexchangepermissions (to grant Exchange permissions where necessary); • /prepareschema (to update the schema for Exchange 2007); • /prepareAD (to configure global Exchange objects in AD). Figure 2. The Exchange Management Console is split into console (left), result (top), work (bottom) and action (right) panes. Besides preparing your AD, you’ll need to prepare the domains into which you plan on installing Exchange 2007. Use the /preparedomain and/or /preparealldomains command (which will provide permissions on the domain container for your Exchange servers, permission for Exchange Organization Administrators and a list of other necessary configuration and 0507red_F2Exchange49-55.v8 4/17/07 2:24 PM Page 51 permission changes) to prepare your domains for Exchange 2007. You don’t have to run these switches manually. They will run automatically when you install your first Exchange 2007 server in your organization. However, depending on the size of your organization, you may decide to prepare AD in advance. You may wonder how you would do this if your current network only uses 32-bit 2003 servers, since Exchange 2007 has a 64-bit requirement. However, you can use the 32-bit trial version of Exchange 2007 to begin deployment preparations throughout AD, and in your domains. Top 5 Tips for Exchange Server 2007 Planning Henrik Walther is an Exchange MVP, technical writer, messaging specialist at Interprise Consulting and author of the book “How to Cheat at Configuring Exchange Server 2007” by Syngress Publishing. He recently gave Redmond his top five deployment tips: Run an Exchange Server 2007 readiness check using the Exchange Best Practice Analyzer (ExBPA) tool. The ExBPA report will give you a clear picture of what you’ll need to change in your environment before you begin the transition process to Exchange Server 2007 (Exchange 2007). Use ExBPA version 2.7 so you can take advantage of the Exchange 2007 Readiness Check feature. To move over to Exchange 2007, your legacy Exchange organization must be running in native mode. In order to be able to switch the organization to native mode, any Exchange 5.5 Servers (and earlier) must be properly decommissioned and removed from the Exchange organization before you can deploy Exchange 2007. Make sure that the schema master Domain Controller in your Active Directory is running Windows Server 2003 with at least Service Pack 1 (SP1). This is also true for any Global Catalog servers (in each AD site) in which you plan on deploying Exchange 2007. Unlike Exchange 2003 and 2000, Exchange 2007 doesn’t use routing groups. Instead, it takes advantage of the existing AD site topology and the underlying net- 1 2 3 4 It’s a good idea to test the health of your Exchange environment with the Exchange Best Practice Analyzer Tool (ExBPA version 2.7), which was developed by the Microsoft Exchange Team. You’ll find it at www.exbpa.com (you’ll be re-routed to a Microsoft site that presents Microsoft Exchange Analyzers—once there, simply select ExBPA 2.7). The tool has a new feature called the Exchange 2007 Readiness Check. You can use this to scan your existing topology to ensure readiness. You can also perform a deep analysis of each Exchange 2000/2003 server to verify that it has all the necessary updates and configuration for an Exchange 2007 deployment. work to transport messages between Hub Transport Exchange 2007 servers. This means you should plan your AD site topology wisely, before transitioning to Exchange 2007. It also means you should suppress link state updates, as there’s a chance routing loops may occur when they’re enabled. If you only plan on creating one routing group connector between the legacy routing group and Exchange 2007, you won’t have to suppress the link state updates. Always deploy the Exchange 2007 Client Access server role first. Exchange 2003 and 2000 front-end servers don’t support proxy clients for Exchange 2007 Mailbox servers. Also, keep in mind that Exchange 2007 doesn’t support public folder access via the Outlook Web Access (OWA) 2007 interface. In fact, you won’t be able to access a public folder database stored on an Exchange 2007 Mailbox server. So if your end users require public folder access via a browser, keep an Exchange 2003 or 2000 server in the organization. Public folder access via the OWA 2007 interface will be included in Exchange 2007 SP1. Speaking of Outlook, many are wondering whether or not you can install Outlook 2007 on the same system running Exchange 2007. “With previous versions of Exchange, this was not possible due to an incompatibility with the Outlook MAPI binaries, and the versions that shipped with Exchange,” says Stephen Griffin, creator of MAPIEditor. “Microsoft Exchange Server 2007 no longer ships with the client-side binaries. Now [you can] install Outlook 2007 on the same server upon which you’ve installed Exchange 2007.” —J.P.B. 5 | Redmondmag.com | Redmond | May 2007 | 51 AMDAd_may07.final 4/17/07 10:29 AM Page 1 8 Reasons to Move to ® Microsoft Exchange Server 2007 on AMD EFFICIENCY X 64 POWER That is what you need in the datacenter. With Exchange now running on 64-bit servers, efficiency is what you’ll get, especially from AMD64 technology. The AMD OpteronTM processor is designed to enable 64-bit computing while remaining compatible with the vast x86 software infrastructure, and allows you to migrate seamlessly to 64-bit computing and multi-core technology. This means you can have access to improved system efficiency and application performance for both multi-tasking and multithreaded applications without changing the processor footprint. That is efficiency. As a native 64-bit application, Exchange Server 2007 provides higher performance because it breaks 32-bit memory and I/O barriers, increasing the capability of each server running Exchange. The Direct Connect Architecture of AMD OpteronTM processors, with HyperTransportTM technology and integrated memory controller, reduces traditional bottlenecks inherent in legacy frontside bus architectures, offering high-throughput responsiveness and scalability for your applications. That is power! CONFIDENCE Exchange’s new local and cluster continuous replication models for high availability of the mailbox data store also provide support for backups without impacting production environments. With normal server configurations now able to contain up to 1,000 mailboxes per processor core, this is an important feature. You can deploy AMD64 technology with confidence, knowing that AMD provides solutions that are compatible, reliable, stable, and supported by a world-class ecosystem. This level of confidence puts you in the driver’s seat. Configure your next AMD Exchange server at: www.dell.com/exchange About the authors Danielle Ruest and Nelson Ruest (MCSE, MCT, MVP) are multiple book authors focusing on systems design, administration, and management. They run a consulting company that concentrates on IT infrastructure architecture, change and configuration management. You can reach them at redmondmag@reso-net.com. www.reso-net.com HIGH PERFORMANCE Exchange 2007 running on AMD OpteronTM processors provides great performance. Exchange Server 2007 enables new levels of operational efficiency through capabilities that optimize hardware and networking investments and features that help make administrators more productive. The AMD OpteronTM processor delivers stable, long-term solutions with exceptional performance and performanceper-watt that can help enhance your company's productivity. Now, that is performance! AMDAd_may07.final 4/17/07 10:30 AM Page 2 Exchange Server, Microsoft’s flagship e-mail management system, is undergoing a major facelift in version 2007. For the first time, Exchange will offer a platform for unified messaging, expanded access mechanisms, message control and hosted messaging service, that provides a secure, one-stop communications tool. Since email is now the mission critical application, organizations will be looking to a rapid migration to this powerful new version. But, Exchange 2007 now runs exclusively on x64 hardware giving it access to the performance gains 64-bit processing provides. As an IT professional, you need to look now at how you’ll make the migration, especially if you are currently running only 32-bit systems. Better yet, we think it is time to consider changing your server processor infrastructure. Here are eight reasons why you should consider moving to Exchange 2007 and 64-bit computing on AMD processors. We think they provide a compelling picture for changing the server infrastructure in your organization as you move to Exchange 2007. A RCHITECTURE Exchange 2007 now includes new server roles designed to drive deployment efficiency. Each role is responsive to the number of processors or processor cores the server includes. The AMD OpteronTM processor with Direct Connect Architecture provides the foundation for balanced, scalable servers that are easy to manage and operate in today’s thermally and electrically limited datacenters. The AMD64 common core architecture allows you to minimize the cost of transition and maximize past investments in hardware, software, and personnel. N IMBLE Email system usage grows with time; every administrator knows this. The AMD OpteronTM processor with Direct Connect Architecture enables you to easily transition to multi-core technology at your desired pace without sacrificing current performance and investments, and will provide an easy upgrade path to Quad-Core AMD Opteron processors in 2007. That’s nimble! G UARD Email security is the most important aspect of any Exchange architecture and Exchange 2007 is no slouch in this regard. The new Edge Transport server role provides a host of anti-spam and data protection features. AMD OpteronTM processors include Enhanced Virus Protection* (EVP), which can help protect against viruses, worms and malicious attacks, and improve the integrity of office networks. Are you ready to guard your email? E VALUATE Evaluate your options now! AMD Opteron processor-based systems offer great value. These systems are found in many Dell servers including PowerEdge 2970 and PowerEdge 6950. Both Dell servers offer leading performance/watt, and are designed to reduce complexity and simplify operations. Whether you’re planning your Exchange 2007 deployment or just buying new servers, find out which AMD Opteron processor-based Dell server is right for you. Are you ready for action? Then move to AMD on Dell. ©2006 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo, AMD Opteron, and combinations thereof are trademarks of Advanced Micro Devices, Inc. HyperTransport is a licensed trademark of the HyperTransport Technology Consortium. Microsoft and Windows are registered trademarks of Microsoft Corporation in the U.S. and/or other jurisdictions. Other names are for informational purposes only and may be trademarks of their respective owners. * Enhanced Virus Protection (EVP) is only enabled by certain operating systems, including the current versions of the Microsoft® Windows®, Linux®, Solaris, and BSD Unix operating systems. After properly installing the appropriate operating system release, users must enable the protection of their applications and associated files from buffer overrun attacks. Consult your OS documentation for information on enabling EVP. Contact your application software vendor for information regarding use of the application in conjunction with EVP. AMD strongly recommends that users continue to include third-party antivirus software as part of their security strategy. Trademark Attribution: AMD, the AMD Arrow logo, AMD Athlon, AMD Opteron, AMD Turion, AMD Sempron. AMD Geode, and combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/or other jurisdictions. Other names used in this presentation are for identification purposes only and may be trademarks of their respective owners. Windows Vista is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. ©2006 Advanced Micro Devices, Inc. All rights reserved. 0507red_F2Exchange49-55.v8 4/17/07 2:24 PM Page 54 Exchange Server 2007 • Edge Transport (ET): This type of server is placed on the edge of your network as a standalone server. It’s not part of the AD domain, so it has to use ADAM and EdgeSync to handle recipient lookups and spam filtering. This role handles all incoming and outgoing Exchange mail. You can also use the ET server to perform anti-virus and antispam protection, and lock down your messaging security by applying ET rules that examine messages based on your criteria. Keep in mind that while you can combine other roles on a single system, the ET role must reside alone. Figure 3. The Troubleshooting Assistant lets you choose from a list of symptoms, then helps you determine the problem. Experts agree testing with this tool will help. “Administrators planning on migrating to Exchange 2007 should reference Microsoft’s best practices for Exchange 2007,” says Dave Goldman, Exchange escalation engineer and author of the Offline Address Book Integrity (OABInteg). “I would also suggest becoming very familiar with the Exchange Best Practice Analyzer Tool. With any planning, administrators should set up a sandbox for testing to ensure that when they’re ready to set up in production, they can avoid any unnecessary downtime.” Exchange Server Roles When deploying Exchange, it’s good to note that the setup process lets you choose the server role for your messaging environment. There are five different server roles from which to choose, each one designed to perform a specific function. The roles include the following: With any planning, administrators should set up a sandbox for testing to ensure that when they’re ready to set up in production, they can avoid any unnecessary downtime. Dave Goldman, Exchange Escalation Engineer, Microsoft • Hub Transport (HT): This role handles internal mail flow and routing, similar to a Bridgehead server in previous Exchange environments. When installed in an environment with an ET server, the HT server will work with it hand-in-hand. Messages coming in through the ET server will be passed to the HT and vice-versa. However, you can configure the HT role to perform most of the same features as the ET server. If you don’t need the added protection of an ET server, install the HT on a member server connected to your domain, so it doesn’t require ADAM and can still send/receive mail from the Internet. Part of your planning should include deciding whether or not you want an ET server and how you’ll configure your HT server. • Mailbox: This hosts both mailbox and public folder databases and provides calendar access and messaging-records management. You’ll have to specifically enable the public folders, as they’re not enabled by default in Exchange 2007. Figure 4. You can configure the alias, server and SMTP address of your e-mail list members. • Client Access (CA): This role is similar to the frontend server for an Exchange 2000/2003 infrastructure. Users connect to this server from their mail clients (e-mail clients that support MAPI, POP3 or IMAP4, mobile devices that use at least Windows Mobile 5.0, and/or a Web browser). 54 | May 2007 | Redmond | Redmondmag.com | Figure 5. Outlook Web Access now behaves much more like Outlook in native mode. 0507red_F2Exchange49-55.v8 4/17/07 2:24 PM Page 55 • Unified Messaging (UM): This merges VOIP with your Exchange mailbox. This means you’ll be able to access your voicemail, fax and e-mail from one location, using Figure 6. You can configure the security settings of an Exchange 2007 server in Edge Transport mode. multiple access interfaces (phone, e-mail or Web browser). For this to work properly, you’ll need an IP-PBX or VOIP gateway (if you have a legacy PBX). If you plan on using UM with Exchange 2007, you should seek out the assistance of a UM specialist. Properly configuring this role requires a significant amount of knowledge of PBXs and Exchange 2007. Migration Plan There’s quite a difference between installing Exchange into a new environment and transitioning or migrating from an existing Exchange organization. Every organization will be different, so there’s no single right way. It’s important to begin your transition by using the ExBPA tool with the Readiness Check as mentioned earlier, to ensure that you’re fully prepared. If you plan on transitioning, your first task is to install the Client Access Server role. Install this in each site that will contain a mailbox server. The next step is to install and configure your ET servers (if you plan on using them). Then set up an HT server (which can work with Exchange 2000/2003 bridgehead servers). You’ll need these to work with your Mailbox and UM servers. Figure 7. The meeting scheduler lets you check on the availability of all participants. Next, deploy your Mailbox servers. Then you can start to move mailboxes over using either the Move-Mailbox cmdlet or the Move Mailbox Wizard. Once you’ve finished moving all your mailboxes and other necessary resources (like public and system folders), you’ll be ready to decommission your Exchange 2000/2003 servers. Figure 8. You can also share calendars through Outlook Web Access. Keep in mind that both Exchange Server 2000 and 2003 support features that are no longer supported in 2007. If you plan on using those features, you’ll need to keep at least one Exchange 2000 server running. Exchange 5.5 isn’t supported at Learn more about upgrade all for transitioning requirements and best practices for purposes. To an Exchange 2007 migration at Redmondmag.com. migrate from 5.5, you’ll first have to FindIT code: Exchange0507 transition to Exchange 2000 or 2003 and then move towards 2007. GetMoreOnline To Read or Not To Read: There’s No Question Exchange 2007 will require a lot of preparation and reading. The good news is that there are plenty of sites already posting articles about how to plan, configure and troubleshoot your Exchange 2007 world. It would be wise to take advantage of all this free advice. Having a proper foundation and proper preparation are essential. Engineers in Italy recently propped up the Leaning Tower of Pisa to keep it from toppling to the ground. They say it will stand for another 300 years thanks to the efforts of the impressive technology that pulled it back to a safer position. That just goes to show you that besides properly laying the groundwork, you’ll need to be prepared for disaster recovery as well—but that’s a topic for another day. J. Peter Bruzzese (jpb@cliptraining.com), MCSE 2003/2000/NT, is a private training consultant and technical author. He just released his latest book, “Tricks of the Vista Masters.” He is the lead developer for cliptraining.com, which provides educational clips to teach users about Vista and Office 2007. | Redmondmag.com | Redmond | May 2007 | 55 3_07_Redmond_Dorian_WTB.ai 133.00 lpi 15.00° 1/31/2007 45.00° 0.00° 75.00° 1/31/2007 Yellow Process Black 12:20:16 12:20:16PM PM Cyan 10:44 Process AM Magenta Process Project2 Process 2/9/07 Page 1 57 0507red_WinInsider57.v7 4/17/07 11:36 AM Page 57 WindowsInsider by Greg Shields Isolation Automation Exploration: Part I E ntire books have been written on network security and IPSec. Full of three-letter acronyms for encryption technologies and concepts like “data integrity” versus “data authorization,” network security can make your head swim. Before Windows Vista, setting up IPSec for system-to-system authentication was complex, sometimes requiring hundreds of filters to secure traffic between domain controllers while at the same time not inhibiting log-ons for older operating systems. When a non-IPSec-aware client tried to connect to an IPSec-enabled server, it often resulted in no connection at all. Thankfully, with Windows Vista’s improvements to IPSec, it all gets a lot easier. It’s now possible to create isolation groups that mandate machine-tomachine authentication between sets of computers on your network. Additional Authentication So what’s an isolation group? It’s a way of using network rules to further protect potentially open spots on your network. Let’s say an administrator accidentally shares a sensitive folder on your file server with Full Control permissions to the Everyone group. Suddenly, all that sensitive data is immediately exposed to anyone. If the data is on a human resources or other highly sensitive server, you’re really in trouble. Isolation domains leverage IPSec to ensure that any machine attempting to connect to that share must authenticate via Kerberos before it can transfer data. Think of an isolation domain as an extra access control list (ACL)—like NTFS and share permissions—but way down at the net- work level. This extra computer-based ACL ensures that only the correct machines get access to sensitive data and can only transfer that data securely. Here’s how it works. When you log in to a computer, your user account goes through a Kerberos authentication process that ensures you are who you say you are. Adding in an isolation group with IPSec means that any time your computer tries to access another computer, the computer itself goes through an additional authentication. If your computer successfully authenticates, then you can access the data. This other computers. This group can be for all machines in the Active Directory Kerberos boundary, or can be an identified list of machines by IP address. Authentication can occur for either inbound or outbound traffic, or both. • Authentication Exemption: This will create a group of machines exempt from any authentication requirements. • Server to Server: This will create an authenticated connection between two specific groups of computers. Think of this as the “one-to-one” connection where the Isolation group would be the “many-to-many” connection. • Tunnel: Like Server to Server, but usually used for bridging traffic across the Internet, this will create an authenticated connection between two computers utilizing an Internet-facing gateway server. • Custom Connection: A connection that can be created using a combination of the four different rules. So what’s an isolation group? It’s a way of using network rules to further protect potentially open spots on your network. assumes of course that you then have the correct share and NTFS rights. If your computer can’t authenticate, the server either rejects the request or allows a fallback to clear text communication. All this was possible in Windows 2003, but IPSec was notoriously difficult to set up. In Windows Vista, IPSec configuration has been merged with the Windows Firewall and is now called Windows Firewall with Advanced Security. In setting up an isolation group, four types of canned rules are available or a custom rule can be created: • Isolation: This will create a group of machines that are isolated from Next month I’ll give step-by-step instructions for setting up an isolation group on your network and go over some other tips on how to protect your network from the inside out. Greg Shields (gshields@redmondmag.com), MCSE: Security, CCEA, is a principal consultant for 3t Systems (www.3tsystems.com) in Denver, Colo. A contributing editor to Redmond magazine and a popular speaker at TechMentor events, Greg is also the resident editor for Realtime Publishers’ Windows Server Community, www.realtimewindowsserver.com, providing daily commentary and expert advice for readers. | Redmondmag.com | Redmond | May 2007 | 57 Project1 4/10/07 10:01 AM Page 1 59 0507red_SecAdvisor59-60.v8 4/17/07 10:58 AM Page 59 SecurityAdvisor by Joern Wettern Patch It Up A pplying security patches to your desktops is The New WSUS necessary, but it’s often tedious and annoying. Microsoft is putting the finishing touches on version 3.0 of its WSUS. After some practice with the first two versions—which didn’t win any prizes for features or usability—Microsoft seems to be getting it right this time. Like the previous versions, WSUS 3.0 lets you set up either a simple patch management system for a smaller office or a hierarchical structure for a larger organization with multiple offices. You can choose which updates are installed on which computers and whether or not this should happen automatically or only after you’ve reviewed and approved the updates. You can use Group Policy to easily configure the update mechanism. This is especially true for administrators responsible for small- to medium-sized networks. Fortunately, there are some tools to help you out. Patching has come a long way since the days of Windows NT. Back then, it meant installing a Service Pack to Windows when you could find the time. Microsoft’s quality control wasn’t up to snuff on some of those service packs. After a few bad experiences, some IT professionals even decided to skip the odd-numbered service packs. Today, anyone who is responsible for securing a network knows that taking such a leisurely attitude can spell disaster. They need to install new hot fixes as soon as they’re available. The days following Patch Tuesday—the second Tuesday of every month when Microsoft releases most fixes for its products—tend to be the busiest in IT shops everywhere. By now, most organizations have adopted some type of patch management strategy. Larger organizations often have full-time staff tasked with rolling out updates and administering management software like Systems Management Server. At the same time, many smaller and medium-sized organizations struggle with finding the right solution. Luckily, there are some solutions available that can help you keep your systems up-todate without breaking the bank. Let’s look at the new version of Microsoft’s Windows Server Update Service (WSUS) and Shavlik Technologies LLC’s HfNetChkPro. Before using any patching solution, I evaluate it by several criteria. First and foremost, it has to quickly make newly released updates from Microsoft (and preferably other vendors) available to client computers. It must also reliably detect which updates are needed and which ones are not. After all, you don’t want your patch management solution to apply the wrong updates or roll back previous system states. Figure 1. Besides new reporting and management features, WSUS also sports a new interface that makes this tool easier to use. Most of the solutions available today generally meet these requirements. Where they differ is in usability, manageability, reporting and how much granular control they offer. A good patch management solution lets you control which updates can be applied and creates easy-to-use reports to let you know which updates have been successfully deployed so you can troubleshoot any problems. The biggest addition to version 3.0 is vastly improved reporting, which now uses the Microsoft Report Viewer (see Figure 1). These reports are useful for finding information about specific patches. You can also use the reports to assess how well your patch deployment is working. The administration tools for WSUS have also been completely revamped, making WSUS 3.0 a mature patch management product. | Redmondmag.com | Redmond | May 2007 | 59 0507red_SecAdvisor59-60.v8 4/17/07 10:58 AM Page 60 SecurityAdvisor One of the most appealing features of WSUS is its price. It’s free—sort of. It runs under Windows Server, so you’ll need to be running that. All but the smallest organizations typically run this on a dedicated server, so you’ll have to budget for the hardware and the operating system license. Patch Possibilities Many companies will indeed be happy with Microsoft’s tool, but there are good reasons to consider the other alternatives. Foremost among those reasons is that someone other than Microsoft will double-check the updates. Some other advantages to using thirdparty patch management tools are that they include patches for non-Microsoft products, they review any patch classifications and they add additional quality control tests for updates. Many patch management vendors also have mechanisms with which to recall problematic patches more quickly than WSUS. HfNetChkPro (short for Hotfix Network Check and pronounced H-FNetcheck Pro) from Shavlik is one of my preferred tools because of Shavlik’s quality control and support for some non-Microsoft software, such as Adobe Acrobat and Firefox. For example, HfNetChkPro found that one of my servers was missing 17 patches. WSUS showed that it was completely up-to-date. The reason for the discrepancy wasn’t a flaw in WSUS, but rather Shavlik’s decision to scan for more items, including fixes for isolated problems. Unlike WSUS, HfNetChkPro can run without agent software on the client computers. WSUS depends on the client computers to check in with the update server at regular intervals, download updates and install them. HfNetChkPro can work the same way, but you can also have it actively connect to computers, check their status and push out updates, instead of depending on them to check in with the server. This gives you real-time control over the patch process. You also can configure HfNetChkPro to work in an entirely hands-off manner. Whether you use WSUS, HfNetChkPro or another solution, the good news is that patch management tools have matured. There are excellent tools available to ensure that your computers are up-to-date without requiring you to go to each of them with a CD full of updates.This means there’s no excuse for having any computers in your network that aren’t up-to-date with any and all applicable security patches. — Joern Wettern (jwettern@redmondmag.com), Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics, in addition to regularly teaching seminars and speaking at conferences worldwide. Project3 4/16/07 1:29 PM Page 1 May 20-22, 2007 I Westin Mission Hills Resort, Rancho Mirage Build a Solid Foundation for the Agile Enterprise Enterprise Architecture Summit returns with more in-depth sessions and content designed to deliver the most essential and up-to-date information on best practices and strategic designs in the real world—to assure you that your organization is equipped to respond to the future IT challenges and opportunities. Learn about the latest advances in service-oriented architecture, legacy migration, business process re-engineering, outsourcing, and more from some of the top experts in the field. Event Highlights: Enterprise Architect Classic Golf Tournament I Walt Disney Studios on Meeting the Strategic Challenges of EA I The Open Group on the Evolving Role of the EA I IBM Corporation on Realizing Business Agility in SOA I Troux Technologies on Business Intelligence for IT I Burton Group on SOA: Evolving the Development Environment I And much more…. Score a Hole-in-One—Win a Porsche! Register today for Enterprise Architect Summit and you could be eligible to play in the Enterprise Architect Classic Golf Tournament. Network with your peers as you play the renowned Pete Dye eighteen-hole course. See Web site for full details. Secure your spot at this exclusive event today! Past sponsors and exhibitors include: Microsoft Sun BEA Metallect Compuware DataDirect Sonic Systems Sparx Systems Actional Above All Software Fiorano Troux Technologies Herzum Software Infravio Blue Titan Software Netegrit Westin Mission Hills Resort & Spa, Rancho Mirage, California Platinum Sponsor Call 1-800-280-6218 today or visit us online at www.enterprise-architect.net/summit Project3 4/16/07 3:40 PM Page 1 New York September 16-19, 2007 New York Marriott at the Brooklyn Bridge Bridge the Gap between Today’s Knowledge and Tomorrow’s Toolset at VSLive! New York Join us as VSLive! returns to the New York Marriott 63 at the Brooklyn Bridge, September 16-19, 2007. Over four action-packed days, VSLive! New York will provide a depth of resources and perspectives to help you be productive now and prepare for the near future. Attend SQL, .NET 3.0, and ASP sessions featuring practical techniques for writing software with today’s tools. From ASP.NET AJAX and data binding, to VB, C# and the .NET Framework, we have you covered. Our speakers have years of experience mastering the tools you need to get your job done. Learn cutting-edge techniques for today and tomorrow in sessions on VSTS, SharePoint 2007, Atlas, .NET 3.0 technologies including Windows Presentation Foundation (WPF), Windows Communication Foundation (WCF), and Windows Workflow Foundation (WF), and much more. VSLive!—The Best Independent Microsoft Conference Around Choose VSLive! for: • Top Speakers and Educators • Total Coverage of New and Existing Technologies • In-depth Workshops • Networking Opportunities • Great Locations • Membership to the Virtual VSLive! Online Community More talent, information, learning and networking under one roof at one time for the best value! » Register by the Super Early Bird Deadline of July 11, 2007 and save $300! Visit www.vslive.com/newyork for more details. • 1-800-280-6218 – www.redmondevents.com Sponsored & Presented by 0507red_Index_63.v1 4/17/07 1:28 PM Page 63 AdvertisingSales RedmondResources AD INDEX Matt Morollo VP, Publishing 508-532-1418 tel 508-875-6622 fax mmorollo@1105media.com West/MidWest East Advertiser Page URL Acronis, Inc. C3 www.acronis.com AppDev Training 20 www.appdev.com AMD 52,53 www.amd.com www.avepoint.com 16 www.avepoint.com Beyondtrust Brocade Communications Systems 35 C2 www.beyondtrust.com www.brocade.com CNS Software 39 www.cns-software.com Digiscope 11 www.lucid8.com Diskeeper Corporation 6 www.diskeeper.com Dorian Software Enterprise Architect Summit 56 61 www.doriansoft.com www.enterprisearchitect.net/summit ESET LLC 5 www.eset.com GOexchange 19 www.goexchange.com ipMonitor Corporation 22 www.ipMonitor.com iTripoli Inc. 15 www.itripoli.com www.netikus.com Dan LaBianca JD Holzgrefe Netikus 13 Director of Advertising, West 818-674-3417 tel 818-734-1528 fax dlabianca@1105media.com Director of Advertising, East 804-752-7800 tel 253-595-1976 fax jdholzgrefe@1105media.com NetSupport Software 40 www.netsupport-inc.com NORTHERN Parklife, Inc. 39 www.northernlife.com Raxco Software 31 www.raxco.com Sanbolic, Inc. 29 www.sanbolic.com SAPIEN Technologies, Inc. 26 www.sapien.com IT CERTIFICATION & TRAINING: USA, EUROPE Special Operations Software 24 www.specopssoft.com St. Bernard Software C4 www.stbernard.com Western RegionalSales Manager CA, OR, WA 209-473-2202 tel 209-473-2212 fax bhalldorson@1105media.com Al Tiano The Training Camp 58 www.trainingcamp.com Advertising Sales Manager 818-734-1520 ext. 190 tel 818-734-1529 fax atiano@1105media.com TS Factory 21 www.tsfactory.com UltraBac Software 48 www.ultrabac.om VMWare 3 www.vmware.com Western Governors University 21,60 www.wgu.edu Danna Vedder PRODUCTION Wiley Publishing 37 www.wiley.com VSLive New York 62 www.vslive.com XenSource, Inc. 8 www.xensource.com EDITORIAL INDEX Company Page URL Adobe Systems Inc. 60 www.adobe.com Kelly Ann Mundy Akonix Systems Inc. 46 www.akonix.com Production Coordinator 818-734-1520 ext. 164 tel 818-734-1528 fax redadproduction@1105media.com AOL LLC 45 www.aol.com AVIcode Inc. 12 www.avicode.com Blue Coat Systems 46 www.bluecoat.com Centeris Corp. 27 www.centeris.com Centrify Corp. 27 www.centrify.com Citrix Systems Inc. 41 www.citrix.com SALES Bruce Halldorson Microsoft Account Manager 253-514-8015 tel 775-514-0350 fax dvedder@1105media.com Tanya Egenolf Advertising Sales Associate 760-722-5494 tel 760-722-5495 fax tegenolf@1105media.com CORPORATE ADDRESS 1105 Media, Inc. 9121 Oakdale Ave. Ste 101 Chatsworth, CA 91311 www.1105media.com MEDIA KITS: Direct your Media Kit requests to Matt Morollo, VP, Publishing, 508-532-1418 (phone), 508-875-6622 (fax), mmorollo@1105media.com REPRINTS: For all editorial and advertising reprints of 100 copies or more, and digital (web-based) reprints, contact PARS International, Phone (212) 221-9595, e-mail: 1105reprints@parsintl.com, web: www.magreprints.com/QuickQuote.asp LIST RENTAL: To rent this publication’s email or postal mailing list, please contact our list manager Merit Direct: Jeff Moriarty 333 Westchester Ave., South Building White Plains, NY 10604 jmoriarty@meritdirect.com (518) 608-5066 Redmond (ISSN 1553-7560) is published monthly by 1105 Media, Inc., 9121 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. Periodicals postage paid at Chatsworth, CA 91311-9998, and at additional mailing offices. Complimentary subscriptions are sent to qualifying subscribers. Annual subscription rates for non-qualified subscribers are: U.S. $39.95 (U.S. funds); Mary Ann Paniccia VP, Print & Online Production Julie Lombardi Production Manager Canada/Mexico $54.95; outside North America $64.95. Subscription inquiries, back issue requests, and address changes: Mail to: Redmond, P.O. Box 2063, Skokie, IL 60076-9699, email RED@1105service.com or call (866) 2933194 for U.S. & Canada; (847) 763-9560 for International, fax (847) 763-9564. POSTMASTER: Send address changes to Redmond, P.O. Box 2063, Skokie, IL 60076-9699. Canada Publications Mail Agreement No: 40039410. Return Undeliverable Canadian Addresses to Circulation Dept. or DHL Global Mail, 7496 Bath Rd Unit 2, Mississauga, ON, L4T 1L2. © Copyright 2007 by 1105 Media, Inc. All rights reserved. Printed in the U.S.A. Reproductions in whole or part prohibited except by written permission. Mail requests to “Permissions Editor,” c/o REDMOND, 16261 Laguna Canyon Road, Ste. 130, Irvine, CA 92618. The information in this magazine has not undergone any formal testing by 1105 Media, Inc. and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors and/or new developments in the industry. eBay Inc. 64 www.ebay.com FaceTime Communications 46 www.facetime.com Google 64 www.google.com IBM Corp. 45 www.ibm.com Jabber Inc. 45 www.jabber.org Lucid8 12 www.lucid8.com MessageLabs Ltd. 46 www.messagelabs.com NetPro Computing Inc. 12 www.netpro.com Oracle Corp. 30 www.oracle.com Quest Software Inc. 27 www.quest.com Red Hat Inc. 27 www.redhat.com Salesforce.com Inc. 64 www.salesforce.com SAP AG 30 www.sap.com Shavlik Technologies LLC 59 www.shavlik.com St. Bernard Software 17 www.stbernard.com SurfControl plc 46 www.surfcontrol.com Symantec Corp. 46 www.symantec.com Trend Micro Inc. 46 http://us.trendmicro.com Vericept Corp. 46 www.vericept.com VMware Inc. 30, 41 www.vmware.com Webroot Software Inc. 12 www.webroot.com Websense Inc. 45 www.websense.com WiredRed Software 46 www.wiredred.com Yahoo! Inc. 45 www.yahoo.com Zenprise 12 www.zenprise.com This index is provided as a service. The publisher assumes no liability for errors or omissions. | Redmondmag.com | Redmond | May 2007 | 63 0507red_Foley64.v6 4/17/07 11:36 AM Page 64 FoleyOnMicrosoft by Mary Jo Foley Software+Services Madness M icrosoft has been desperately seeking ways to differentiate itself from the rest of the Software as a Service (SaaS) pack. Even though Microsoft is charging full steam ahead into the software services realm, the Microsofties don’t want to be seen as Johnny-come-lately to a world already dominated by Google, eBay and Salesforce.com. That’s where Microsoft’s “Software+ Services” (S+S) strategy comes into play. S+S, according to the Softies, is a superset of SaaS. It’s SaaS done right. There’s only one problem: No one at Microsoft or anyone who watches it seems to be able to succinctly explain S+S. Microsoft tried to get the message out to market researchers and analysts at the end of February, but no one with whom I spoke seemed to understand the subtleties of Redmond’s message. I’m going to give it a whirl. After chatting with Microsoft Director of Platform Strategy Tim O’Brien, I feel ready to try to decipher S+S for the masses. Microsoft’s competitors—like Adobe with Apollo and Salesforce.com with its Salesforce.com Offline Edition client app—are gradually acknowledging that an all-services approach leaves many business customers cold, says O’Brien. They want offline capabilities, even if they’re relying on SaaS applications. For business customers, “network dependency is a nonstarter when it comes to line-of-business applications,” says O’Brien. Consequently, everyone’s trying to figure out how best to move to the middle. O’Brien says Microsoft’s stance is “anyone can get reach.” “The real battle is on the client,” O’Brien posits, and desktop software has always been Microsoft’s strong suit. However, Microsoft is no slouch on the Internet-based services side either, O’Brien says. The company doesn’t get enough credit for its Internet savvy, which it has demonstrated by running highly scalable Hotmail, Xbox Live and other consumer-side services. O’Brien itemizes current and future Microsoft services into three buckets: Foundation services, like Microsoft’s long-rumored LiveDrive cloud-based Services companies like Google and Salesforce.com often underestimate the types of back-end infrastructure that are needed to properly field enterprise-ready software. storage; Attached services, such as disaster recovery, anti-spam and Windows Defender; and Finished services, like Windows Live and Office Live. Services companies like Google and Salesforce.com often underestimate the types of back-end infrastructure that are needed to properly field enterprise-ready software, he explains. What you need in order to do it all, O’Brien says, is “a platform.” That doesn’t mean .NET or some kind of development platform, which is what Microsoft usually means when it uses the “P” word. In the S+S case, “a platform” is synonymous with vision (I think). 64 | May 2007 | Redmond | Redmondmag.com | These are the elements of Microsoft’s S+S platform, according to O’Brien: • Experience: As in the interface. Depending on the access point (whether a PC, browser or mobile device), you get a different look/ feel/interaction. • Delivery vehicle: There are several, including hosted on premise, hosted in the cloud, 100 percent shrink-wrapped software, try-before-you-buy, pay-asyou-go and managed services, like Microsoft’s “Energizer” desktopmanagement offering. • Federation: How do users validate/ authenticate/manage when one vendor doesn’t own all the pieces? The pie-inthe-sky answer is the identity metasystem. S+S will provide some elements of this system (via Microsoft CardSpace, Active Directory and Live ID). • Composition: All of the bits aren’t located in one place in the S+S world. Composite applications and mashups are the new “it” apps. • Monetization: Online ads aren’t the only way to make software services pay for themselves. Subscriptions, pay as you go, traditional shrink-wrap plus maintenance and other to-be-determined mechanisms will also fuel S+S. As usual, Microsoft believes it can be all things to all people. The S+S arena is just another example of that belief. What do you believe? Is Microsoft well-positioned to take on Google, Salesforce.com and other services competitors? Or is Microsoft’s desktop legacy holding the company back from being able to move ahead in the brave new SaaS/S+S world?— Mary Jo Foley (mjfoley@redmondmag.com) is editor of the new ZDnet “All About Microsoft” blog and has been covering Microsoft for about two decades. Project5 2/12/07 11:14 AM Page 1 Project1 1/16/07 9:56 AM Page 1