Vista

Transcription

Vista
0507red_Cover.v14
4/17/07
10:23 AM
Page 1
Deciphering Microsoft’s Software+Services
M AY 2 0 0 7
REDMONDMAG.COM
Vista
Game
Plan
$5.95
1
25274 867 27
7
MAY
•
05 >
Is early migration
the right play? 32
+
IT vs. IM: How You Can Win the War 44
Laying the Groundwork for Exchange 49
Find the Right Mix of Citrix & VMware 41
64
© 2007 Brocade Communications Systems, Inc. All Rights Reserved. Brocade is a registered trademark and the B-wing symbol is a trademark of Brocade Communications Systems, Inc.
Project1
4/10/07
9:41 AM
Page 1
Brocade is the leading provider of
data center infrastructure solutions.
With Brocade, you have the tools,
control, and knowledge to manage
your information and create a
competitive edge for your business.
It’s time to make your data soar.
www.brocade.com
0507red_TOC1.v6
4/17/07
11:03 AM
Page 1
Redmond
The Independent Voice of the Microsoft IT Community
Contents
M AY 2 007
COV E R STO RY
REDMOND REPORT
Your Vista
Game Plan
9
Reinventing
Windows Security
Page 9
An early, well-planned move to
Microsoft’s new OS could be the answer
to enterprise security challenges.
Page 32
Microsoft’s Toulouse
thinks Windows Vista’s
new security walls will
prove thick enough.
F E AT U R E S
41
10 Vista’s Jackrabbit
Start
Citrix and VMware: Oil and Water?
Some analysts say,
‘Whoa, not so fast!’
Two technologies. One chemistry experiment. Can they mix?
Page 44
44
IT vs. IM
Instant Messaging
(IM) makes tactical
communication a snap,
but too often IM serves as
a doorway for hackers.
Here’s how IT can wrestle
with the problem.
12 The Low Down
Making Things Better
Page 41
COLUMNS
49 Laying the Groundwork:
Exchange 2007
4
Moving to Exchange 2007 is a complex process with
stringent requirements. Make sure you have the tools
and infrastructure in place before you begin.
I’m All Ears
Page 49
REVIEWS
17
Product Reviews
Right Gun … Wrong Ammo
Web filtering is problematic at best, but
iPrism puts up a solid defense.
23 Reader Review
MOSS Gathers Momentum
Readers rave about the new and improved
Microsoft Office SharePoint Server 2007.
Barney’s Rubble:
Doug Barney
27 Redmond Roundup
Manage and
Manage Alike
In today’s inherently disparate
networks, you need a
management tool that can take
control of all your Windows
and open source systems.
14 Mr. Roboto:
Jeffery Hicks
Stay on Schedule
57 Windows Insider:
Greg Shields
Isolation Automation
Exploration: Part I
59 Security Advisor:
Joern Wettern
Patch It Up
64 Foley on Microsoft:
Mary Jo Foley
Software+Services
Madness
A L S O I N T H I S I S S U E 2 Redmond Magazine Online | 7 Letters@Redmondmag.com | 63 Ad and Editorial Indexes
COVER ILLUSTRATION BY ROBERT KAYGANICH
0507red_OnlineTOC_2.v5
4/17/07
11:39 AM
Page 2
Redmondmag.com
M AY 2 0 0 7
ENT Special Report
The Future of Systems
Center and DSI
V
ista and Office dominate the Microsoft technology picture at the moment,
but progress on the Dynamic Systems Initiative (DSI)—which, so far, is four
years in the making—continues by leaps and bounds with delivery of key
products in the Systems Center suite of systems management tools.
Eric Berg, Microsoft’s director of product management for Systems Center, took
some time at the Microsoft Management Summit in San Diego to give ENTmag.com
a DSI progress report. Find out what’s happening now. FindIT code: ENTDSI
Redmondmag.com
Licensing 101: Back
to the Basics
W
hen it comes to getting a good deal on
Microsoft licenses, the best practices
haven’t changed much over the years.
According to Scott Braden, licensing guru and
author of Redmondmag.com’s Redmond Negotiator
column, the key issue is still time. “You should
begin reviewing and planning for your next
agreement at least six months before the current one expires,” he advises.
Realizing the limitations of your Microsoft licensing rep’s knowledge is
also key: “Don’t take an answer at face value; demand to see where it says
that in the terms.”
Get more tips from Scott and read his latest column. FindIT code: RedNeg
REDMONDMAG.COM RESOURCES
Resources
Enter FindIT Code
>> Daily News
>> E-Mail Newsletters
>> Free PDFs and Webcasts
>> Subscribe/Renew
>> Your Turn Editor Queries
News
Newsletters
TechLibrary
Subscribe
YourTurn
Questions with ...
Peter Harvey
Editor Michael Domingo
talks with Peter Harvey,
CEO of data management
company Moonwalk Inc., on
recurring disaster recovery
(DR) issues at Redmond
Radio this month.
FindIT code: RRadio
Peter Harvey
Some admins think of DR as a passive
task. Why flirt with disaster?
A fundamental condition of the human
psyche is that disaster is something
that happens to someone else—DR is
no different.
What’s a common DR “worst practice”?
There’s an approach that can be summarized as, “We’ll just Google the SAN.”
You’d be surprised where we come
across this being seriously considered.
What one big DR issue should
companies pay attention to?
Very few organizations can function
without being online all the time—the
majority don’t appear to be doing
much to manage a catastrophic event
right now.
Quotable
[ ]
LINQ promises to bring
about the most profound
change in the way database
queries are built ...
RDN Executive Editor Jeffrey Schwartz and
Founding Editor Michael Desmond in their article
“Looking to LINQ,” April 1, 2007. FindIT code: RDLINQ
Redmondmag.com • RCPmag.com • RedDevNews.com • VisualStudioMagazine.com
MCPmag.com • CertCities.com • TCPmag.com • ENTmag.com • TechMentorEvents.com • ADTmag.com • ESJ.com
2 | May 2007 | Redmond | Redmondmag.com |
Project1
4/16/07
10:26 AM
Page 1
0507red_Rubble4.v5
4/17/07
10:55 AM
Page 4
Barney’sRubble
by Doug Barney
Redmond
THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY
R E D M O N D M AG .CO M
M AY 2 0 0 7
I’m All Ears
■
VO L . 1 3
■
N O. 5
Editor in Chief Doug Barney
Editor Ed Scannell
Executive Editor, Reviews Peter Varhol
Executive Editor, Features Lafe Low
Managing Editor Wendy Gonchar
I
love it when people bring me back down to earth: when
my kids nail me with a one-liner, my copy editor points
out 12 typos and eight atrocious grammatical mistakes
Editor, Redmondmag.com Becky Nagel
Associate Editor, Web Gladys Rama
Contributing Editors Mary Jo Foley
Jeffery Hicks
Greg Shields
Joern Wettern
Art Director Brad Zerbel
(most of which never make it to the printed page), or when
my best girl beats me in every single bet
we make (I’ve paid for every dinner
since 1998 because of this).
And you, the Redmond reader, can
bring me back down to the earth faster
than a 5-year-old’s kite.
It’s easy to think that after 23 years of
IT writing and high-tech journalism
you know everything.
Most of us don’t. We
aren’t in IT like you—
we just cover IT.
Here’s the difference.
As an observer, my strong
sense is that Windows
Vista is far more secure
than Windows XP. As
such, I reckoned shops
would switch over as they
brought in new machines, rather than
trying to cram a big new operating
system onto underpowered old boxes.
Boy was I wrong. While some may
migrate piecemeal, most of you are far
more systematic. Apparently, you actually test new OSes prior to deployment,
and you wait for the first service pack
so the big bugs can be fixed.
In fact, more than a dozen readers
set me straighter on this issue than a
$10 ruler.
Software compatibility is the No. 1
concern. George, an IT Pro, found that
many of his corporate apps don’t yet
run on Vista, and his users could be just
as productive with XP.
For Alex, who’s waiting at least a year
and a half before starting to switch, it’s
not just plowing through compatibility
issues, but dealing with management,
training and productivity.
Associate Managing Editor Katrina Carrasco
As for my notion that new PCs with
Vista should “work right out of the box,”
Dennis begs to differ. He bought a new
Dell laptop with Windows Vista Home
Premium for his son, only to find that a
driver that Dell itself installed wouldn’t
work with the OS. Barr believes Vista
shipped before it was done. “It should
have baked for another six
months so it would be
truly golden brown and
delicious,” Barr argues.
Chuck, who “works for a
large trash company,”
expects to move to Vista
“around 2015.” Before
you assume that Chuck is
joking, you should know
that his shop still runs
Windows 2000 on the desktop.
Stephen from the United Kingdom
sees Vista as so disruptive and different that it opens the door for Linux.
I’ve found this to be a pretty rare
response, and believe the Windows
hegemony is unthreatened (and if it is
threatened, we’ll just start a Linux
magazine, eh what?).
Fortunately, a couple of enlightened
IT pros see things my way. Kurt advises
using Vista on new machines as you
phase out the old, rather than bringing
in new XP boxes you’ll be stuck with
for three or more years.
Finally, Rob loaded Vista onto his
OptiPlex GX270 and loves it! All of his
old apps run, they just run better. And
the upgrade was easier than Paris
Hilton on a second date.
Got something to say? Write to me
at dbarney@redmondmag.com.—
4 | May 2007 | Redmond | Redmondmag.com |
Senior Graphic Designer Alan Tao
President Henry Allain
VP, Publishing Matt N. Morollo
VP, Editorial Director Doug Barney
VP, Conferences Tim G. Smith
Director, Marketing Michele Imgrund
Creative Director Scott Shultz
Executive Editor, Michael Domingo
New Media
Executive Editor, Becky Nagel
Web Initiatives
Director, Rita Zurcher
Web Development
Senior Marketing Tracy S. Cook
Manager
Marketing Programs Videssa Djucich
Manager
President & CEO Neal Vitale
CFO Richard Vitale
Sr. VP, Michael J. Valenti
Human Resources
VP, Financial William H. Burgin
Planning & Analysis
VP, Finance & Christopher M. Coates
Administration
VP, Audience Marketing Abraham M. Langer
& Web Operations
VP, Erik Lindgren
Information Technology
VP, Print & Mary Ann Paniccia
Online Production
Chairman of the Board Jeffrey S. Klein
Reaching the Staff
Editors can be reached via e-mail, fax, telephone or mail.
A list of editors and contact information is available at
Redmondmag.com.
E-mail: E-mail is routed to individuals’ desktops. Please use the
following form: firstnameinitiallastname@1105media.com.
Do not include a middle name or middle initials.
Telephone: The switchboard is open weekdays 8:30 a.m.
to 5:30 p.m. Pacific Time. After 5:30 p.m. you’ll be directed
to individual extensions.
Irvine Office 949-265-1520; Fax 949-265-1528
Framingham Office 508-875-6644; Fax 508-875-6633
Corporate Office 818-734-1520; Fax 818-734-1528
The opinions expressed within the articles and other contents
herein do not necessarily express those of the publisher.
PHOTO ILLUSTRATION BY ALAN TAO
Project1
4/10/07
9:30 AM
Page 1
®
NOD32. Swift. Nimble. Relentless.
Can you describe your antivirus
software with the same certainty?
Just set it and forget it. That’s the beauty and
the power of NOD32’s ThreatSense® technology.
NOD32 proactively protects against viruses,
spyware, rootkits and other malware. And,
its high-performance engine won’t slow your
system down. Take a free NOD32 30-day test drive.
Call 866.499-ESET or download at ESET.com.
“Best Antivirus Product of 2006”
– AV Comparatives
© 2007 ESET. All rights reserved. Trademarks used herein are trademarks or registered trademarks of ESET. Ad code: RM07
Project4
3/12/07
2:11 PM
Page 1
A D V E RT I S E M E N T
Maximum System Performance
Getting to the Bottom of Common Reliability Problems
As an IT Professional, you know the
importance of maintaining system
performance and reliability. If the
desktops or servers crash, slow
down or freeze, who gets called?
That’s right… you or your IT staff.
This “break-fix” cycle leaves you little
time to be proactive. And yet, many
of these issues stem from a single,
hidden source.
Top 5 reasons customers use Diskeeper
Performance and Reliability
83%
Automatic operation
83%
Much superior to built-in defragmenter
44%
Longer systems life with less maintenance
Reliability issues commonly
traced to disk fragmentation.
The most common problems
caused by file fragmentation are:
• Crashes and system
hangs/freezes
• Slow boot times and boot failures
• Slow backup times and
aborted backup
• File corruption and data loss
• Errors in programs
• RAM use and cache issues
• Hard drive failures
Having files stored contiguously on
the hard drive is a key factor in
keeping a system stable and
performing at peak efficiency. The
moment a file is broken into pieces
and scattered across a drive, it opens
the door to a host of reliability issues.
Even a small amount of fragmentation
in your most used files can lead to
crashes, conflicts and errors.
44%
Fast backups and antivirus and/or spyware scans
35%
From Diskeeper Customer Survey—Read the full
survey at: www.diskeeper.com/survey
Is real-time, automatic
defragmentation needed in
today’s environment?
More than ever! Large disks,
multimedia files, applications,
operating systems, system up-dates,
virus signatures—all dramatically
increase the rate of fragmentation.
Fragmentation increases the time to
access files for all common system
activities including opening and
closing Microsoft® Word documents,
searching for emails, opening web
pages and performing virus scans.To
keep performance at peak, fragmentation must be eliminated instantly.
Advanced, automated
defragmentation
(GET THE PROOF HERE:
www.diskeeper.com/paper2)
The weak link in
today’s computers
The disk drive is by far the slowest
of the three main components of your
computer: CPU, memory and disk.
The fastest CPU in the world won’t
improve your system’s performance if
the drive is fragmented, because data
from the disk simply can’t be
accessed quickly enough.
Maintaining systems can be a
daunting task—maintenance, including regular defragmentation, must
take place regularly to keep them
running at peak levels. However,
with constant uptime required,
scheduling such processes to run
at the right times can be tricky,
since while running they pose a considerable drain on system resources.
Diskeeper 2007 marks the end
of scheduling, and the
beginning of REAL TIME,
on-the-fly maintenance of
systems. Never again
worry about dips in
performance or straining
valuable system resources
—even when demand is
at its absolute highest!
Customers agree Diskeeper maintains the performance and reliability of
their desktops and servers,
reducing maintenance and
increasing hardware life.
“We run [Diskeeper] on our
client PCs as well as our
servers… with Diskeeper
running daily, we can keep
file performance at
peak efficiency.”
Tom Hill, CDR Global, Inc.
Every system you manage needs
Diskeeper for enhanced file system
performance—automatically!
®
Enhancing File System Performance
—Automatically! ™
Special Offer
Try Diskeeper 2007 FREE
for 45 days!
Download: www.diskeeper.com/red7
(Note: Special 45-day trialware is
only available at the above link)
Volume licensing and Government / Education
discounts are available from your favorite
reseller or call 800-829-6468 code 4410
© 2007 Diskeeper Corporation. All Rights Reserved. Diskeeper, Enhancing File System Performance—Automatically, and the Diskeeper Corporation logo are registered trademarks or
trademarks of Diskeeper Corporation in the United States and/or other countries. Microsoft is a registered trademark of Microsoft Corporation in the United States and other countries.
Diskeeper Corporation • 7590 N. Glenoaks Blvd., Burbank, CA 91504 • 800-829-6468 • www.diskeeper.com
0507red_Letters7.v5
4/17/07
10:39 AM
Page 7
Letters@Redmondmag.com
Old Habits Die Hard
[Regarding the March 2007 cover story, “Open Source Enlightenment,”] a couple of decades of experience have shown that
Microsoft is an extremely developer-friendly company. Anyone
willing to port software to a Microsoft platform and therefore
make the platform more valuable is greeted sincerely with open
arms. But what history has also shown is that Microsoft has a
habit of letting a niche develop right until it takes off, at which
point Microsoft comes in and crushes all opposition by means of
subsidies, sheer commercial weight and probably one of the most
vicious distortions of standardization and interoperability efforts.
With that track record, Microsoft will
have an extremely hard time convincing
anyone that it intends to cooperate.
The company belatedly begins to use
open source, but only to strengthen its
grip on its customers.
Jean-Marc Liotier
Paris, France
Microsoft has gotten itself into a few
comfortable niche markets—the office
desktop and the home computer appliance—and is trying for some other
equally comfortable niches—the
“enterprise” back office and the cell
phone, for example.
Microsoft’s major problem is that its
traditional method—allow the pioneers
to innovate and develop a market, then
step in and take it off them—doesn’t
work any longer. There are two reasons
for this: Redmond goes to sleep once it
gains a monopoly, and the Free and
Open Source Software [FOSS] devel-
Whaddya Think
?!
Send your rants and raves to
Letters@redmondmag.com.
Please include your first and
last name, city and state. If we
use it, you’ll be entered into a
drawing for a Redmond t-shirt!
opment process and people do better
work than Microsoft does and are eating its lunch slowly but surely.
Microsoft’s actions are perfectly understandable—even to a certain degree
In short, it is possible for
software companies to make
money without treating their
customers like criminals.
reasonable. But IBM for one has found
that the only way to gain respectability in
the FOSS circles is to become an active
contributor—and Ballmer’s rumblings
indicate that Microsoft’s head honchos
aren’t comfortable with that.
How it will all pan out, I don’t
know—but I have thought that SQL
Server could be a real market leader if
it dropped the religious “Microsoftonly” stance and got ported to Linux
and Solaris. But Microsoft would need
a management buy-out to do that—
Ballmer doesn’t have the guts to do it,
Wesley Parish
that’s for certain.
Christchurch, New Zealand
I run a software company and our goal,
too, is to make money. However, we
don’t illegally abuse a monopoly (as
Microsoft was convicted of doing). We
don’t try to shove Digital Rights
Management down our customers’
throats. We don’t impose onerous end
user license agreements on our customers. (Our proprietary software
ships with source, and customers are
permitted to modify it.) We don’t send
nastygrams from the Business Software
Alliance shaking down people to prove
license compliance. In short, it is possible for software companies to make
money without treating their customers
David Skoll
like criminals.
Ottawa, Ontario, Canada
Not Buying the Hype
The UI—as discussed in Barney’s
Rubble, February 2007—is like a work
of art that has been touted as a masterful
work of color and grace when all it is, is
three squares of different sizes, painted
imperfectly and stuck in a gallery to be
sold for $12,000. Why is this humble
effort at being remarkable so admired?
Who decided to call it a ribbon anyway? I’ll cease my attempts at wit and
get to the point. I don’t care who owns
it because I can’t afford it. I’m going to
install Linux on the three PCs I have at
home (with GNUCash and OpenOffice)
and when (and if) I get Vista and Office
2007 at work I’ll dance and sing songs
Randall Frye
of joy.
Cleveland, Ohio
| Redmondmag.com | Redmond | May 2007 | 7
Project3
4/16/07
1:38 PM
Page 1
Consolidate
Windows Servers
Now!
Proven Server Virtualization
• Blazing Fast
Bare Metal Performance
for Windows Guests
• Multi-Server Management
• Seamless Upgrade Path
• Powerful Administrator Console
• Easy Installation and Deployment
• Fully Supported
Download
XenExpress
for free!
Plus, get
a free t-Shirt
when you
refer three friends!
Purchase the Server Consolidation
Solution Bundle!
Pre-Installed XenEnterprise with
IBM System x servers
Learn more at
www.xensource.com/ibm
www.xensource.com/redmond
0507red_RedReport9-12.v11
4/17/07
11:37 AM
Page 9
RedmondReport
Reinventing Windows Security
Microsoft’s Toulouse thinks Windows Vista’s new security walls will
prove thick enough.
W
Redmond: How did you determine
what security features were going
into Vista? What sort of feedback
did you get from enterprise
customers about that?
Toulouse: By the end of 2004 Vista
underwent a fundamental reset in
terms of what it was going to be. Part
of that reset was what we learned from
the development of [Windows XP]
tion to alleviate that problem. But the
problem with encryption systems is they
aren’t full volume, so [hackers] can just
pull the drive out of the machine and try
to brute-force decrypt it. But BitLocker
helps prevent that. That was driven more
as a privacy feature and really intended
mainly for corporate laptop users.
“So when a developer is sitting down in
his office, he’s no longer thinking
just cool feature, cool feature, cool
feature. He’s thinking as much
about the misuse of the
feature as he is the
use of it.”
Stephen Toulouse,
Senior Product
Manager for
Microsoft’s
Trustworthy
Computing
Group
Service Pack 2 [SP2]. In fact, the first
steps toward understanding the larger
security picture of Vista were with
SP2. In SP2 we did things like the
Internet Explorer lock-down for the
local machine zone. Feedback from
users [on SP2] was really around a
couple of things. First, they wanted the
code to be fundamentally more resistant
to attack. Making sure the operating
system was resistant gave us time to
evaluate whether or not we should
apply the update. Second, better security features in the product helped us
tune it to different environments that
would help it protect itself.
When in the development cycle did
you incorporate new technologies
like BitLocker? Did that come out of
SP2 research or independently of it?
That was separate. It was done as part of
what we could do to take advantage of
some cool technology coming out on
the Trusted Platform Modules. At that
time, we were seeing this rash of laptops
left in taxicabs with databases of 1 million customers’ personal information on
[them]. One of the things we thought we
could do was full volume drive encryp-
PHOTO BY DANIEL SHEEHAN
By Ed Scannell and Peter Varhol
ith the world’s most talented hackers all laying in wait
for its arrival, clearly the
most critical improvements Microsoft
had to make to Windows Vista centered around its security capabilities.
After several vicious viruses successfully
attacked Vista’s Windows predecessors
over the last few years, Microsoft—
particularly its Trustworthy Computing Group—was under enormous pressure to build bulletproof walls around
the product.
Stephen Toulouse, senior product
manager for the Trustworthy Computing Group, is one of Microsoft’s key
people thrust into the middle of this
perpetual war against hackers. During
Vista’s development process he worked
on a number of security features
including kernel patch protection, the
Windows Security Center and Windows
Defender, as well as working with partners to ensure their products would
work smoothly with the new security
technologies. Toulouse sat down with
Redmond Editor Ed Scannell and Peter
Varhol, executive editor, reviews, to
talk about some of the processes
Microsoft went through in deciding
what technologies to incorporate, and
the new testing procedures those new
technologies went through in order to
make it into the final product.
As you collected and incorporated
feedback from SP2 users plus your
own ideas, how did you determine
what security features would work
for millions of users?
It’s all about hitting a confidence level,
striving to define that confidence level
and employing the metrics that determine where you are relative to that
confidence level. With Windows Vista
there were three things going on in
reaching that confidence level. Number
one, how do we evaluate what we are
putting in. Number two, when do we
get to the point where we can share
that and trust that sharing gives us the
feedback we need. Number three, what
is our safety net that helps us understand that [feedback] even if we miss
something—are there still things within
the product that can help.
So how did you evaluate what you
decided to put in?
How [we] evaluate what goes into a product is what I call the security engineering
part. That’s where we use our Security
Development Lifecycle [SDL]. Vista is
unique in that it’s our first client OS that
went through the SDL from beginning
to end. The SDL is now the process
under which Microsoft develops all software. So when a developer is sitting down
in his office, he’s no longer thinking just
cool feature, cool feature, cool feature.
He’s thinking as much about the misuse
of the feature as he is the use of it. This
| Redmondmag.com | Redmond | May 2007 | 9
0507red_RedReport9-12.v11
4/17/07
11:37 AM
Page 10
RedmondReport
Vista’s Jackrabbit Start
Some analysts say, ‘Whoa, not so fast!’
By Ed Scannell
hile Microsoft proudly proclaimed in late March that
Windows Vista was off to a
fast start, selling 20 million licenses of
the product in just its first month of
availability (3 million more than
Windows XP sold in its first two
months), some analysts took a bit of
shine off those numbers.
In a report to clients, Citigroup analyst Brent Thill states the numbers are
“only slightly ahead of expectations,”
adding that Microsoft CEO Steve
Ballmer has recently made more cautious statements around what sort of
revenues the operating system would
bring in for the current fiscal year.
Thill says Vista’s role is not so much
to bring in high numbers but to serve
as a stimulant for customers to buy
other Microsoft products.
Al Gillen, research vice president of
System Software at IDC, says he expects
Microsoft to ship just under 90 million
copies of Vista by the end of 2007, with
52 million going to home users and
almost 38 million going to businesses.
“We think they should average about
8 million copies a month [over the last
11 months of 2007]. So if they’re saying 20 million in one month—wow,
that’s a lot of copies. Their fourth
W
Continued from page 9
is an important mindset change. Before
people were just rushing to make a great
feature work well and be stable. Now
they have to think about what an attacker
can do with it. It’s called Threat Modeling. If we can’t go through this process
successfully, then features get cut.
Was this hard to develop as a
discipline for longtime developers?
Well, we started back with SP2 and I
think people learned some very hard lessons thanks to [the] Slammer, Blaster
and Sasser [viruses]. Thankfully, the
quarter client-side numbers were not
so good ... so it might be reasonable to
assume there was a strong bounce-back
in the first quarter,” Gillen says.
Gillen adds that in 2001, the year
Windows XP shipped, Microsoft sold
103 million Windows client OSes. In
2007 the company is currently on a run
rate of 162 million for the year.
With all things being
equal—and of course they are
not all equal ... the numbers
ought to be a little bigger.
Al Gillen, Research Vice President of
System Software, IDC
“Rolling out a product in 2007, you
might expect there’d be a 60 percent
pickup for the first couple of months
for that product. With all things being
equal—and of course they are not all
equal—in theory the numbers ought to
be a little bigger,” Gillen says.
Microsoft’s numbers include both
boxed copies and copies bundled on
new PCs, as well as those people who
have registered for free Vista upgrades.
However, company officials claim that
the free upgrade requests were not the
main reason for the fast start. —
mindset change had already occurred.
But a second piece of all this is BlueHat,
which is independent of the SDL, where
we bring in security researchers to poke
holes in functionality right there in
front of the same people who developed
it. It’s also a good punch in the stomach,
as opposed to getting feedback on an
intellectual level.
Were any other fundamental
changes made to the development
process since Windows XP?
Another change from Windows XP is
when a developer now needs to check in
10 | May 2007 | Redmond | Redmondmag.com |
code by merging it with the main source
tree, that code is run against a variety of
tools that scan it. This scanning is looking for banned APIs and unsafe coding
practices. It’s not meant to be a catchall,
but more of a safety check. If any code
contains these things it gets kicked back
out and is not allowed to merge.
Another big change from Windows XP
is the sheer, unprecedented number of
security researchers and security companies that we brought into Microsoft to
do code review and penetration testing
on the product.
Looking back, do you feel there’s
anything you missed?
After all the reviews and security testing, it was clear to us and the public
[that] we missed the usability of things
like User Account Control. There was
just a wave of criticisms after beta 2.
I don’t think that feature has fully
recovered from the initial criticism.
Even though we spent the next two
beta releases addressing it, it still carried a bad rep in the final product.
You have to assume there are some
things you’re not going to see. It’s
a constant battle between usability
and security.
It is a tradeoff. The most secure
OS is one running on a computer
with no I/O connectivity inside
a vault.
I’ll go you one better: The most
secure OS is the one still on the DVD
and that hasn’t been installed anywhere. Let’s be clear—this is the most
secure version of Windows we’ve done
but that does not mean it’s hackproof. We have great faith in this
product and it’s only going to get
better from here, but delivering the
finished version of Vista doesn’t mean
we’re all taking vacations now. —
Ed Scannell (escannell@redmondmag.com)
is Redmond’s editor; Peter Varhol
(pvarhol@redmondmag.com) is executive
editor of reviews.
Project3
4/16/07
2:56 PM
Page 1
0507red_RedReport9-12.v11
4/17/07
11:38 AM
Page 12
RedmondReport
The
LOW
DOWN
By Lafe Low
Making Things Better
T
he world is not a perfect
place. That’s true whether
speaking globally of the conflict in Iraq, tsunamis in the
Pacific and the nightmares unfolding in
Africa, or speaking of the world in
which we work—the Microsoft world.
They may not have solutions for
world peace, but fortunately,
there’s no shortage of vendors
scurrying to fix imperfections
in the Redmond world. Redmond’s heavy hitters like
MOM (soon to be renamed
SCOM) and Exchange are
both getting help from a veritable
army of third-party peacekeepers.
Lil’ Help from My Friends
Systems Center Operations Manager
(SCOM) 2007 fans will soon be able to
beef up their troubleshooting capabilities. The Zenprise Connector for Operations Manager (ZCOM) 2007 promises
to reduce the volume of alerts and the
time it takes to troubleshoot problems.
The ZCOM (not the official Zenprise
acronym) provides context-sensitive,
step-by-step instructions for problem
resolution; management pack extensions
with more than 5,000 diagnostic routines
for Exchange, Active Directory, DNS,
IIS and Windows Server Operations
Manager; advanced troubleshooting routines for BlackBerry and Exchange environments; and event correlation group
alerts for your e-mail system.
Exchange admins may also sleep easier
if they’re running DigiVault. Lucid8’s
continuous data protection solution can
help recover all your Exchange Server
files. Its SingleTouch recovery feature
lets you quickly restore an entire
Exchange database after an outage. The
new version 1.6 boasts faster backups, a
simplified setup process, expanded support for Recovery Storage Groups, and
Exchange 2007 and 64-bit support.
For the AD crowd, NetPro Computing
Inc. just announced a new version of
RestoreAdmin. This tool gives you control over online AD restores and scheduled backups. RestoreAdmin 3.0
lets you restore or roll back
any objects without having
to waste time taking your
domain controllers offline.
It also lets you choose the
objects you want to back up,
or recreate deleted objects
when you can’t run a restore.
Car Troubles
The next time your car dies in the middle of nowhere and you have to use one
of those 800 numbers to call for help,
you may have AVIcode Inc. to thank.
No, the Baltimore-based .NET developer isn’t getting into the business of
changing flat tires or replacing dropped
transmissions. It is, however, supplying
Cross Country Automotive Services
with its Intercept Studio .NET application performance monitoring tool.
Cross Country is a major player in the
roadside assistance market, through its
own auto clubs and contracts with auto
manufacturers. Its call centers handle
more than 1 million calls per month,
and manage a network of 20,000 towing services and other roadside service
vendors. Nice to know there’s a safety
12 | May 2007 | Redmond | Redmondmag.com |
.NET like that the next time you have a
flat in Fryeburg, a dead battery in Boise
or lose your keys in Klamath.
Sleepless Nights
Add this to the list of things to ponder:
the current state of Internet security.
Trust me, it won’t make you sleep any
easier. Webroot Software Inc. just
released a report on the increasing
sophistication and damage caused
by malware.
In Webroot’s State of Internet Security report, 43 percent of the companies
it surveyed suffered some sort of disruption of business operations due to a
malware attack. Here are some other
disturbing findings:
• 26 percent of those companies
reported compromised confidential
corporate data due to spyware;
• 39 percent reported Trojan horse
attacks;
• 24 percent reported system monitor
attacks;
• 20 percent reported pharming and
keylogger attacks.
Pretty grim statistics, especially when
you consider the findings of a report
from the Small Business Technology
Institute: 20 percent of the companies
it surveyed lack adequate virus protection, more than two-thirds don’t even
have an information security plan, and
most only put security measures in
place following an incident. What’s
that saying about closing the barn door
after the horses are out?
Webroot issues its State of Internet
Security report on a quarterly basis.
You can get a copy of the latest report
at www.webroot.com.—
Lafe Low (llow@redmondmag.com) is
Redmond’s executive editor, features.
EventSentry_Redmond.ai 175.00 lpi 45.00°
15.00° 1/5/2007
75.00°
0.00°
1/5/2007 12:40:42
12:40:42PM
PM
Process CyanProcess
MagentaProcess
Black
Project2
1/16/07
11:16 YellowProcess
AM Page
1
0507red_Roboto14.v6
4/17/07
10:49 AM
Page 14
Mr. Roboto
Automation for the Harried Administrator | by Jeffery Hicks
Stay on Schedule
O
ne of the most incredible things—or one of the
scariest, depending on your point of view—is
that there’s always something happening on your
network. Even in the middle of the night, while you’re
dreaming of 64-bit servers and four-way clusters, your
servers are quietly churning away doing something. The
question is: Do you know what’s going on?
If your network is like most that I’ve
seen, you’ve set up some scheduled
tasks on a number of servers over the
years, but never really got around to
documenting what they do or when
they run. You may even have applications that set up scheduled tasks and
don’t tell you about it.
I’ve put together an HTML application (HTA) that will generate a report
of all scheduled tasks running on your
servers and/or desktops. Mr. Roboto’s
Scheduled Task Reporter serves as a
GUI front-end for the Schtasks.exe
command-line utility that ships with
Windows XP and Windows 2003.
As such, you’ll have to run it from an
XP desktop or Windows 2003 server.
Microsoft has indeed improved scheduled task support in Vista, but unfortunately this tool won’t detect scheduled
tasks on a Vista desktop. You might be
able to scan your servers from a Vista
desktop, but you shouldn’t count on it.
Keep your eyes out for something similar for Vista in the future.
For now, you’re probably most interested in what your servers are doing
and when they’re doing it. The Scheduled Task Reporter should work fine
for that task. After you copy all the files
to a directory, launch the HTA file.
You’ll have to run this tool with administrator credentials. You can specify
alternate credentials for any managed
systems you’re polling for task data, but
not for the system on which you’re
running the tool.
To run Scheduled Task Reporter,
simply select “computername,” “text
file” or “Active Directory” from the
drop-down box. Selecting “computername” defaults you to the local computer, but you can type in any
computer name you want. All you
need is the NETBios name. You can
also enter several computer names
separated by commas.
If you choose the text file option, you
can use a text file that contains a
columnar list of computer names that
might look like this:
Server01
Server02
Desk03
If the file isn’t in the same directory as
the HTA, enter the full filename and
path. I’ve included an option to search
Roboto on Demand
You can download Mr. Roboto’s
Scheduled Task Reporter at:
www.jdhitsolutions.com/scripts
What Windows admin task would
you like Mr. Roboto to automate
next? Send your suggestions to
jhicks@redmondmag.com.
14 | May 2007 | Redmond | Redmondmag.com |
Active Directory for computer
accounts. If your computer belongs to a
domain, the root distinguished name
will be pre-populated. All you have to
do is add the organizational unit path.
If you’re going to query AD, then
you should do so with caution. If you
have a lot of obsolete computer
accounts or systems that aren’t available, you’ll get incomplete results and
it will take a long time to generate the
report. I strongly recommend that you
use the Ping option to verify that any
computer is up and running before
you try to poll it for any scheduled
task information.
Once you have your source, click
“Report” and the tool will check each
computer for scheduled tasks. If all
goes well, you should get an entry for
each scheduled task that shows the task
name, command, its schedule, credentials, last run and next run times.
You can hover your mouse pointer
over the last run entry in order to see
the last result. If your task has an
attached comment, it will show it if you
hover your mouse over the task
description. It will also report any
errors and any systems with no assigned
tasks. Finally, use the Print button and
file the report away with your network
documentation. I also like to print a
copy to PDF for fast digital retrieval.
Now there’s no reason for you to not
know what your servers are doing in
the middle of the night, and you’ll sleep
much better. Pleasant dreams.—
Jeffery Hicks (jhicks@redmondmag.com),
MCSE, MCSA, MCT, is the co-author of
“Advanced VBScript for Microsoft
Windows Administrators” (Microsoft Press
2006), “Windows PowerShell:TFM”
(Sapien Press 2006) and several training
videos on administrative scripting.
Project3
11/10/06
11:45 AM
Page 1
Project3
4/16/07
1:21 PM
Page 1
FREE DOWNLOAD
available for evaluation
AvePoint, the AvePoint logo are registered trademarks of AvePoint, Inc. in the United States and/or othountries. © 2007 AvePoint, Inc. All rights reserved
www.AvePoint.com
Caught with
your pants down?
AvePoint’s
got you covered.
Call 18006616588
to schedule a demo
SharePoint® ItemLevel Backup, Recovery & Archiving Solutions.
0507red_ProdRev17-20.v8
4/17/07
1:50 PM
Page 17
ProductReviews
Right Gun … Wrong Ammo
Web filtering is problematic at best, but iPrism puts up a solid defense.
By Bill Heldman
Who can forget the giddy heyday of
Napster? You could download almost
any song or video you wanted. The
magic wasn’t in the Napster servers,
though. It was in the notion of peer-topeer (P2P) workstations spread across
the globe, sharing content without any
payment changing hands.
Napster was the arbiter of a large
group of people rallying against the idea
of paying someone for songs or videos.
Great idea, until the music industry
stepped in to shut them down. Smarting
from a solid drubbing by big-city
lawyers, Napster is now a toned-down,
obedient, pay-for-play music service.
That same P2P notion—only this
time, I fear, one with teeth—is embodied in those who seek to banish any
form of Web censorship. They don’t
like to be blocked from the myriad
questionable sites such as pornography,
dating/mating, racial supremacy and
other oddities.
The anti-censorship crowd has
weapons in its arsenal against which
those in the security business have no
practical offense or defense. You could
say that Web filtering is akin to the
U.S. military fighting insurgents. We
iPrism
$3,490 for 150 seats
St. Bernard Software | 800-782-3762 | www.stbernard.com
don’t understand the mentality behind
their efforts and have no solid offensive
or defensive mechanisms apart from
brute force—which doesn’t always
work well. They just keep coming.
Hope Springs Eternal
All is not lost. Lest I sound like a complete downer, it’s important to state
this up front: St. Bernard Software has
developed a wonderful product in its
iPrism Web-filtering appliance. I really
like this box—never mind that it runs
Java or that it has a gaping back door.
The iPrism is easy to install, configure and put into production, and the
price is moderate (the iPrism M1200
costs $3,490 for 150 seats—23 bucks
and change per seat). The unit actually
goes out and updates its URL filtering
list on a routine basis without having to
be told to do so.
You can configure the iPrism to
work as an edge device or as a proxy
(which is how I used it) that communicates with your edge firewall. There’s
nothing complicated about setting it
up for either topology. The customer
service department is top notch and
the documentation is comprehensive
and easy to understand. You can also
configure the iPrism to work with
other iPrisms—a feature I especially
like because of the multiple locations
inherent in today’s enterprises.
The device is Active Directory-aware
and supports Windows authentication.
When the software said it was going to
go out and create a machine account
for the iPrism to use, it actually did that
with no hassles or disappointments.
I had the device up and running in less
than an hour. No sweat. The iPrism
appliance and its accompanying software
RedmondRating
Installation/Ease of Use 10%
10.0
Documentation 10%
10.0
Management Interface 20%
10.0
Hack Resistance 10%
2.0
Value 10%
7.0
Performance 20%
8.0
Feature Set 20%
9.0
Overall Rating
8.3
Key:
1:
Virtually inoperable or nonexistent
5:
Average, performs adequately
10: Exceptional
Figure 1. You can configure multiple iPrism systems to coexist and cooperate.
| Redmondmag.com | Redmond | May 2007 | 17
0507red_ProdRev17-20.v8
4/17/07
1:50 PM
Page 18
ProductReviews
WhyJava?
The iPrism runs Java and uses Java
software for its management interface. My only question is: Why?
Apart from the fact that it’s a pain to
code, there are two reasons why I
don’t much care for Java:
• It’s a pig. Java has a tendency to
dominate any CPU cycles it can get. In
iPrism’s case, I found the box to be
robust despite this tendency—no
doubt because Windows wasn’t competing for cycles as well. (Java and
Windows together reminds me of two
obese people competing with one
another at an all-you-can-eat buffet.)
• It’s hard to create an elegant
interface with Java. It ain’t Vista or
the Mac. You can spot a Java interface a mile away because they’re
always ugly. The font’s weird, the
buttons have a half-baked shading
element that only partially convinces
you they’re 3-D and so on.
The Java Web Start (JWS) software
required for you to use your browser
to manage your iPrism(s) is, at a minimum, an annoyance to have to
download and install. It could conceivably be a security risk itself. That
being said, the iPrism is the first
Java-centric box I’ve messed around
with that I really liked.
—B.H.
really work. When a user attempts to log
onto an unauthorized URL, they’ll get a
message stating that they were blocked.
Setting up the iPrism in proxy mode
could be more difficult for a lot of users,
because each user has to have his or her
browser’s LAN connection setting
updated. You first have to create a rule
that lets only your iPrism(s) hit the Web
through port 80 or 443. You redirect
your users’ browsers to the iPrism’s
address, port 3128. The documentation
helps you make adjustments for Internet
Explorer and Mozilla. Redirection
worked fine with Opera 9 as well.
Using the iPrism as an edge device is
even simpler. It has two ports—one for
the Web and one for the internal network. Plug-and-play doesn’t get any
easier. A quick DHCP configuration
change (or some other IP magic trick)
and your users are pointed at the
iPrism and blocked (see Figure 3).
Figure 2. iPrism routinely and automatically updates its Filter List page.
You manage the iPrism in one of two
ways. You can install the management
software tool or run it within your
browser—provided you have the Java
Web Start (JWS) software installed. In
either case, simply navigate your
browser to the internal iPrism address
and the initial entry page prompts you
with the links needed to download and
install the software—very slick.
The left-hand side of the console has
configuration element buttons (Users,
Access and so on). Once you’ve clicked
a configuration element, you’re presented with tabs and configuration settings screens for that particular
element. Overall, the interface is intuitive and easy to use.
So, here’s my issue with the iPrism and
its Web-filtering cousins: Where there’s
a will, there’s a way. My users—a group
of technology students with a strong
desire to get around any obstacle—were
happily working around the iPrism
within five or 10 minutes. They contacted PeaceFire and hooked up with
Figure 3. Busted! This is the screen users will see when they try to access a blocked site.
18 | May 2007 | Redmond | Redmondmag.com |
Project1
2/7/07
9:54 AM
Page 1
0507red_ProdRev17-20.v8
4/17/07
10:42 AM
Page 20
ProductReviews
BackdoorMan
During my review, I forgot the
password to get into the iPrism
management console. I wrote customer service and they quickly and
politely wrote me back with a very
simple workaround.
The product ships with a serial
cable. Just plug into the serial port
on the back of the iPrism, set your
laptop Hyperterminal session to
9600,N,8,1. You’ll contact a FreeBSD
screen that lets you change the password in just a couple of steps. Here’s
my problem with that: If the iPrism is
sitting in an open environment where
a technologically savvy and ethically
lacking person has access, you may
find the device compromised.
Most rack-mounted devices like this
live in secure data centers. Nevertheless, I was surprised with the ease
with which I could backdoor in and
update the administrator password.
Better to have the iPrism be forced
back to factory defaults on a hard
reset than to have such a back door.
Isn’t this how switches and routers
work? In this case, I suspect St.
Bernard went out of its way to make
things easier for the admin. Bravo for
that, but it may be a bit much. —B.H.
an anti-censorship proxy avoidance site
(called a “circumventer site”)—of
which there are hundreds.
Here’s how that works. Want to get to
MySpace, but the iPrism won’t let you?
Just navigate to www.peacefire.org, set
yourself up for a regular e-mail blast of
the latest circumventers and then use
the circumventer site as your destination. The site retrieves any pages you
want, disguising them as a URL that
shouldn’t be blocked so the iPrism (and
competing Web-filter software products) doesn’t bother trying to keep you
from your illegal surfing.
The circumventer sites come and
go, so they’re very difficult to hunt
down and eradicate. Web filters
know about some of them, but there
are always new ones. As we’ve learned
from combat, an army of thousands
of individuals operating alone is
much harder to defeat than an army
of millions working as a single organi20 | May 2007 | Redmond | Redmondmag.com |
zation. You’re not going to win the
circumventer site war by simply
blocking URLs.
Parting Shots
If I were in the market for an enterprise-class Web-filtering product, I
would give the iPrism strong consideration. I like the fact that it’s an appliance,
as opposed to being software-only. I
don’t have to dedicate a server to it,
and I can easily get it up and running
without a lot of hassles. Of course, the
fact that it’s an appliance means that if
it breaks the whole shooting gallery is
down for the count. Nevertheless, I
think appliances trump software in the
Web-filtering game.
The iPrism software is wellengineered. It’s clearly geared toward a
Windows crowd (never mind that it’s
Java-based). I especially like that it
natively interfaces with AD and
Windows user authentication. The
iPrism is a well-crafted box from both
the software and hardware perspective.
The fact that you can have several
iPrism boxes play together is very ISAlike and will go over well in those
shops where administrators have a lot
of outlying locations. Unlike an ISA
box (which requires add-in Webfiltering software), the plug-and-play
nature of the iPrism makes it an ideal
fit for typically unmanned remote-server
locations. Remote management is no
big deal with the management console
software or via the Web.
If only I’d been able to plug in this
box and not have any users, regardless
of their technical prowess, find a
workaround. Until the Web-filtering
industry, including St. Bernard Software,
is able to put down a hard foot, I’m
afraid Web filtering as a technology is
not everything it should be. —
Bill Heldman (bheldman@comcast.net) is
an instructor at Warren Tech, a career
and technical education high school in
Lakewood, Colo. He’s a contributor to
Redmond and MCPmag.com, plus several
books for Sybex, including “CompTIA IT
Project+ Study Guide.”
Project2
4/12/07
11:16 AM
Page 1
Are you sure your network is secure?
With RecordTS you can confirm your
network is secure & compliant.
RecordTS acts as Your Terminal Services
& Remote Desktop “Security Camera”.
· First ever Citrix/ICA Session Recorder
· Records ALL Terminal Server Sessions (RDP)
· Monitors ALL User Activity on Your Servers
· Produces More Information Than Event Logs
· Eases Auditing & Compliancy Tasks
· Prevents Corporate Data Loss
· Assists in Detecting Unethical User Activity
· Produces Compact, Digitally Signed Video Files
Citrix
Versio /ICA
n
Availa Now
ble!
Visit www.TSFactory.com for a FREE Trial.
© 2006 TSFactory. All rights reserved. The names of actual products and companies mentioned herein may be the trademarks of their respective owners.
Project3
4/16/07
1:25 PM
Page 1
Windows Vista® Ready!
Secure Network Monitoring Software you can rely on
to proactively Monitor, Alert and Recover your critical
applications and network infrastructure equipment.
ADMIN DASHBOARD - centralizes status,
reports, system information in a single
convenient location.
• Windows Monitoring
• Resource Monitoring
• QA Monitoring
• Protocol Monitoring
• SNMP Monitoring
• Trouble Alerting
• Detailed Reporting
• Secure Web Interface
WIZARDS - make it easy to add
new monitors and perform complex
configuration tasks.
• Admin Dashboard
• Agentless Architecture
2007 Winner of Network World Clear
Choice Award for Management wares
that fit the bill but don’t break the bank.
See how we scored at www.ipMonitor.com/scorecard/
Just
Released
Download the
Fully-Functional 21 Day Trial
REPORTING - completely configurable
Reports provide statistical and performance
measurements for everything from critical
applications to SNMP-enabled equipment.
www.ipMonitor.com
Sales: 819-772-4772
Copyright© 2007 ipMonitor Corporation. All rights reserved. ipMonitor® is a trademark or registered trademark of ipMonitor Corporation in Canada, the United States of America and other
countries. All other trademarks are the property of their respective owners. ipMonitor Corporation, 15 Gamelin Blvd., Suite 500, Gatineau, Quebec, Canada, J8Y 1V4
0507red_ReaderRev23-25.v6
4/17/07
10:44 AM
Page 23
ReaderReview
Your turn to sound off on the latest Microsoft products
MOSS Gathers Momentum
Readers rave about the new and improved
Microsoft Office SharePoint Server 2007.
By Joanne Cummings
When Microsoft updated SharePoint
Portal Server, it dropped the “Portal”
from its name but added a slew of collaboration capabilities that have made
most readers quite happy. Now called
Microsoft Office SharePoint Server
(MOSS) 2007, Microsoft’s collaboration platform offers tighter Office integration, more powerful search, support
for Web 2.0-style features like blogs
and wikis, and improved workflows.
Readers say MOSS 2007, together
with Windows SharePoint Services
(WSS) 3.0, is perfect for building a
comprehensive collaborative platform.
“With SharePoint, we’ve shown the
management people that yes, you can
really keep a project on track with team
members dispersed all over the country
and all over the world,” says TJ Doherty,
Microsoft Office SharePoint Server 2007
MOSS Server license: $4,347
MOSS Standard CAL: $93; MOSS Enterprise CAL: $76
Microsoft Corp. | 800-426-9400 | www.microsoft.com
going to build our sites, the sites below
us and the linkages to them and the site
above us,” he says. “We passed that
around the department so everybody
got an idea of the general template.”
For Doherty’s group, all employees
have their own personal MySite Web
site. The next level up is the group site,
and then the department site. Each time
a document is created, it begins life in a
personal MySite and moves up the levels for feedback, comments and
approval. “With MySites, it’s a new paradigm that everybody in the company
gets to have their own Web site that
With SharePoint, we’ve shown the management people that
yes, you can really keep a project on track with team members
dispersed all over the country and all over the world.
TJ Doherty, Owner, Chariot Enterprises
owner of Chariot Enterprises, an information management consultancy in
Navarre, Fla. Doherty implemented
MOSS 2007 for a couple of his clients
to improve collaboration for remote
workers. “It has helped us prove the
concept of dispersed collaboration
throughout the company.”
Frameworks Are
Fundamental
Doherty says organization is essential
to succeeding with MOSS 2007. For
his clients, he establishes a clear structure for how the SharePoint sites are
built and connected. “I put out a conceptual paper describing how we were
they tailor to their own features,” he
says. Because the individual sites are
linked to the team sites, the whole
group is better able to work on and view
the status of any projects they may have.
“When you come to the main team
page, whatever tasks or issues that
belong to you are instantly displayed
right there,” he says. “So you don’t have
to go into a general task list, which may
have 40 or 50 tasks on it. Instead, when
a user signs in, out of those 50 tasks they
only see the 10 that belong to them.”
It also puts management at ease. “It’s
great for the employee because it saves
them time, but it’s also good for management,” Doherty says. “If the manager
wants to get the overall picture, he can
look at the full task list or issues list and
know what’s going on right away.”
Doherty says his group also uses
MOSS 2007’s workflows to keep projects on track. Even the out-of-box workflows help with document approvals and
feedback. “It gives you a nice process for
getting coordination on documents,” he
says. Doherty also uses SharePoint
Designer 2007 and Visual Studio to create customized, extensive workflows.
“For example, you can start a new
project and have an automatic workflow that starts sequencing things and
creating tasks, and then have those
tasks automatically dispersed to the
people working on it,” he says.
Safe and Secure
Since Doherty’s users are all remote,
security was a concern. Users enter the
MOSS site via a VPN. Once logged in,
Doherty says the security in 2007 is
phenomenal. “It’s very granular,” he
says. “You can set privileges at the
library level, at the folder level or at the
document level, and you can also do it
by individuals or groups.”
Jonathan O’Brien, systems engineer
and owner of Active IT Design LLC, a
two-person consulting firm in Fort
Mill, S.C., agrees that security has been
improved in 2007. “One of the best features of WSS 3.0 and SharePoint 2007
is the new ‘security trimmed’ interface,
where users only see what they have
permissions to see,” O’Brien says.
“For example, in the past, with WSS
2.0 and SharePoint 2003, if a Web page
| Redmondmag.com | Redmond | May 2007 | 23
Project3
2/14/06
11:31 AM
Page 1
0507red_ReaderRev23-25.v6
4/17/07
10:44 AM
Page 25
ReaderReview
had edit buttons on it for certain items,
all users would see these buttons,”
O’Brien says. “Even if the user had
read-only access, they could still click
these edit buttons and were then taken
to an error page stating they didn’t
have security clearance.”
With WSS 3.0 and SharePoint 2007,
he says, that doesn’t happen. “On that
same Web page, users with read-only
permissions wouldn’t even see the edit
buttons. Only users with modify access
would see them. It makes for a much
cleaner interface and removes confusion for the end user.”
The search functions in MOSS 2007
are greatly improved, says Doherty.
“With SharePoint, when you check the
document in, it forces you to fill out all
the metadata information or it won’t let
you check the document in,” he says.
“Once you have all this metadata associated with every document, you’re able to
search through and find things easily.”
The search functions are helpful for
finding sites and documents—and people
with certain skills as well, he says. Since
each employee lists his or her skill sets
on their personal Web page, SharePoint
makes finding and collaborating with
people much easier. “If you search on
‘SharePoint,’ it goes through the company directory and comes back and tells
you who knows about SharePoint,” he
says. “It’s a way to find out quickly who
the experts are in a particular area. You
do a search and boom—you get the list
and find out the guy sitting next to you
knows more than he’s been letting on.”
Office Integration
MOSS 2007 is also far more integrated
with Office and other Microsoft applications. For example, Doherty says the
integration with SQL Server 2005 is
vastly improved. “With WSS 2.0, you
used to have to use the report viewer to
view SQL Server-based reports,” he
says. “Now with MOSS 2007, there’s a
report section that lets you tap directly
into SQL Server. So instead of just
using a viewer, you have a dashboard
that lets you bring various elements into
a more customized report.”
MOSS 2007 also sports far greater
integration with the Office 2007 applications, especially Outlook. “You can
integrate directly with your calendar
and your address book now—you have
total integration,” he says.
A key feature here is integration with
Office’s new presence indications.
“With MOSS 2007, you can add a Web
part where you assign people on your
team to the Web site and then you can
see a little dot there that shows whether
they’re online or not,” he says. “Then
you can IM them or whatever. It’s great
for productivity.”
Web 2.0 Compatibility
Another big change for MOSS 2007 is
its Web 2.0 support for things like
blogs and wikis. “Blogs and wikis in
WSS 3.0—I love them,” Doherty says.
“I think it’s going to be a while for
these things to catch on in the corporate environment, but I think they’re an
excellent way to disseminate information. If it’s done correctly, it can really
reduce the number of meetings.”
For Mike Swofford, systems administrator at RelayHealth Corp. in Tulsa,
Okla., the improved recycle bin is the
“I like the recovery bin best,” he says.
“Recovering files and sites that have
been deleted is big.”
On the Other Hand
Readers cite very few downsides to
MOSS 2007. Perhaps the biggest
shortcoming is the lack of an easy
upgrade path from earlier versions of
SharePoint. “Upgrading from the
previous version stinks,” Swofford
says, noting that there’s no good way
to do it right now. “You can’t install
and just upgrade the old SharePoint
2003. Moving sites over one by one
is a hassle.”
Doherty says his firm did a clean
install of MOSS 2007 and built it up
from scratch. “It would’ve been nice to
have an upgrade option,” he says.
Doherty also bemoans the lack of intermediate-level tutorials for MOSS 2007.
“Training is either very basic or at the
developer level—there’s nothing in
between,” he says.
That has been a struggle for him, especially when it comes to using the variety
of Web Parts that come with MOSS
2007. “It comes with 30 or 40 Web
Parts, but I have yet to go somewhere
One of the best features of WSS 3.0 and SharePoint 2007 is the
new ‘security trimmed’ interface, where users only see what
they have permissions to see.
Jonathan O’Brien, Systems Engineer and Owner, Active IT Design LLC
best feature in MOSS 2007. In the
past, it was difficult for SharePoint
users to recover deleted sites or files.
Now, in the 2007 version, there’s a
two-stage recycle bin, so when a user
deletes a page from their personal site
it’s automatically put in the group
site’s recycle bin. Similarly, when a
group document or site is deleted, it
goes to the overall recycle bin, where
an administrator can recover it later if
need be.
Although Swofford says his firm is
just testing the latest version of SharePoint, the recycle bin is the feature he’s
most looking forward to implementing.
that shows me what each of them can do
and how I can use them,” he says. “In
the Web Part Gallery they have little
descriptions for each one, but it’s hard
to tell exactly what each will do. That’s
the biggest shortfall I’ve seen.”
Still, the complaints about MOSS
2007 are few and far between and readers say that overall, they’re pleased with
its new features and capabilities. “I’m a
real SharePoint believer,” Doherty says.
“It’s a great collaboration tool.” —
Joanne Cummings (jcummings@
redmondmag.com) is a freelance technology journalist.
| Redmondmag.com | Redmond | May 2007 | 25
Project2
4/12/07
10:39 AM
Page 1
Get Your Kicks
scripting simplified™
Learn PowerShell Scripts!
Kick your scripting skills into high gear with
ScriptingAnswers.com LIVE! training in
Windows PowerShell™ and VBScript!
Scripting industry hotshots Don Jones and Jeffrey Hicks are
hitting the road and bringing their training classes to a city near
you! Line up NOW for fast-paced, intensive training sessions
that will get you from zero to scripting in just a few days!
Whether you’re a rookie or a pro, you’ll become a lean, mean
scripting machine when you train with the people who have
made scripting simple...
Live!
Guru-Led Training
For more info and registration:
www.scriptingtraining.com/pc.asp
Visit our family of websites,
products and services at:
www.sapien.com
(use referral code: REDMOND)
Register by April 30, 2007, and receive, upon completion of
class, a free copy of Windows PowerShell 101, a self-paced
follow-up “Class on Disc” by Don Jones.
© 2007 SAPIEN Technologies, Inc. All Rights Reserved.
-XPSLQ:H·OOWDNH\RXIURP]HURWRVFULSWLQJLQQRWLPHÁDW
• Supports Windows PowerShell™, VBScript and over 30 other languages
• 2RSV5HVLOLHQFH,QÀQLWH8QGR)LOH+LVWRU\DQG5HF\FOH%LQ
• Supports SourceSafe, Perforce, CVS/Subversion
• Advanced Database Tools
• Visual XML Editor
Take a test drive at http://redmond.primalscript.com
0507red_Roundup27-30.v7
4/17/07
10:51 AM
Page 27
RedmondRoundup
Manage and Manage Alike
In today’s inherently disparate networks, you need a management tool that
can take control of all your Windows and open source systems.
By Ben Brady
Like many of us, I find a certain
amount of comfort in Active Directory
and the familiar surroundings of
Windows. I’ve resisted—often kicking
and screaming—when my peers have
suggested using a Linux- or Unix-based
system within our domain.
Much to my consternation, I have to
admit that several of these open source
systems have found their way into the
networks that I have to manage either
directly or indirectly. So even though
I’ve been exposed to FreeBSD, Red Hat,
CentOS, Fedora, SCO and several other
Linux- and Unix-based systems, I’ve
always shied away from really sinking in
my teeth and learning how they work.
Out of pure necessity, I’ve learned
how to dub around in these operating
systems, do some basic maintenance
and troubleshooting, and lend “hands
and eyes” support to my users. Some of
my Linux friends have told me I’ve
learned just enough to be dangerous.
With acquisitions, mergers, buyouts,
downsizing and reengineering, sometimes even the most carefully planned
and meticulously managed networks
can become a confusing mess. I’ve
always been told that networks are living, breathing entities that continue to
grow throughout the lifecycle of an
organization. It’s no longer a rarity to
see Windows, Unix, Linux and
Macintosh systems all sharing the same
wire in a network environment.
This is especially true in a company
that has grown through acquisitions or
mergers. Even simple churn within the
IT staff can result in disparate OSes and
different flavors of Unix/Linux as each
administrator leaves behind his or her
preferred systems. There’s a certain
comfort in managing your Windowsbased AD infrastructure, but what
InThisRoundup
Centeris Likewise Management Suite
$349 per server; $69 per workstation
Centeris Corp. | 800-378-1330 | www.centeris.com
Vintela Authentication Services
Pricing begins at $325 per server and $37 per user
Quest Software Inc. | 800-306-9329 | www.quest.com
Centrify DirectControl
$350 per server; $60 per user; Management Console $1,000 per admin
Centrify Corp. | 650-961-1100 | www.centrify.com
RedmondRating
Centeris
Likewise
Vintela
Authentication
Services
Centrify
DirectControl
Manageability: 25%
9.0
8.0
8.0
Performance: 25%
9.0
9.0
8.0
Documentation: 25%
8.0
7.0
8.0
User Interface: 25%
9.0
8.0
9.0
Overall Rating
8.7
8.0
8.2
Key:
1: Virtually inoperable or nonexistent | 5: Average, performs adequately | 10: Exceptional
about all those Linux servers? This is
where Centeris Likewise, Vintela
Authentication Services and Centrify
DirectControl may be able to help.
The Big Easy:
Centeris Likewise
As I was getting ready to evaluate the
Centeris Likewise package, I was reading through the documentation on
their Web site. In several places in the
documentation, they boasted the
product could be up and running in
30 minutes—this I had to see.
My lab setup consists of a Microsoft
2003 Server, four Windows XP Professional computers and two Fedora Core 5
servers. All these boxes are fully updated, and the Fedora boxes have no
configuration beyond the initial install.
Indeed, installing the Centeris package on the Windows server was completely painless. Once I’d finished, I
was presented with a GUI management
console (see Figure 2, p. 28). The look
and feel is not exactly like a Windows
Management Console, but any
Windows admin should be able to navigate it effectively and defeat the learning curve within a few minutes.
From there, all you need to do is add
your first Linux box to your domain
with the hostname of the Linux server
(provided that you have it set up in
your DNS listings) or the IP address
and the root password. Centeris Likewise then creates a Secure Shell (SSH)
session to the box and installs all the
components necessary to administer it
from your Windows GUI. The total
| Redmondmag.com | Redmond | May 2007 | 27
0507red_Roundup27-30.v7
4/17/07
10:51 AM
Page 28
RedmondRoundup
time for the installation, plus a few
extra minutes to review the documentation and set up my first Linux box on
my AD domain, was about 25 minutes.
Once adding that first Linux server
was complete I moved on to the second.
All of the benefits conferred by
Centeris Likewise could certainly be
accomplished with a fair amount of
scripting and manual setup on any
Unix and Linux machines spread
throughout your network. For many
with limited experience in this arena,
however, Centeris Likewise is a good
package to have available.
Sign Once:
Quest Software Vintela
Authentication Services
Figure 1. Admins can register the VAS
Administrative Tools on their servers.
At this point, I noticed there isn’t any
apparent method of scripting or creating a batch for this process. In the lab
environment I only had to add two
servers, but that number could certainly
be much higher in a large-scale production environment. Also, after installing
the second server, I noticed you can
only manage one server at a time.
Still, setting up a mixed network was
easy. Over the next 30 minutes, I set up
an Apache Web site with a DNS up
and running, a file share and a network
printer on the two servers. It was quickly
apparent that seasoned Windows veterans would certainly benefit from this
product when adding Linux and Unix
boxes to their networks.
On the downside, however, there are
several popular services found on most
Unix/Linux boxes that you can’t manage
through the Centeris console. MySQL
and PHP are examples of services you
must configure and maintain manually.
Quest Software’s Vintela Authentication
Services (VAS) takes a much different
approach to “integrating” Unix and
Linux systems into an AD environment.
Just about everyone in a mixed environment is familiar with the phrase
“Single Sign-On,” or SSO. Many of us
are accustomed to providing our frontline users with a single username and
password for Windows environments.
Administrators and power users often
have more than one account, each set
up for performing various network
administration roles. The non-IT user,
though, typically needs only one easilymanaged account.
Those of us fortunate enough to have
a mixed environment also understand
what it’s like to have various flavors of
Unix/Linux on our network that
require different credentials for each
user. It can quickly get cumbersome.
Now imagine you’re supporting an
enterprise-class organization that has
typically been a Microsoft AD environ-
ment. You acquire another company
with 152 Unix/Linux-based servers. At
the outset, this could be a nightmare.
You can certainly see how the concept
of SSO could be beneficial.
Both VAS and Centrify’s DirectControl do require a bit more skill with
Unix/Linux. I’d strongly recommend
having a good plan in place before
beginning an integration project on a
production network. Both Quest and
Centrify also offer integration services
that will help you smooth the process.
AD stores certain attributes for each
user in its data store. Unix and Linux
machines typically store several more
attributes for each user. This makes it
difficult to integrate your Unix/Linux
users into AD. One way to do this is to
extend the schema on your AD servers
to store the additional attributes.
Quest’s VAS takes this approach.
I installed VAS on a new and fully
updated Windows 2003 Server machine.
VAS gives you a utility for extending
your AD schema. This was a relatively
quick and painless procedure on my new
server. In a large production environment with many users and other objects,
this process might be a bit more time
consuming. I’d recommend a very
recent full backup of your AD servers in
a production environment on the slight
chance that you encounter problems.
After updating the schema, VAS completes the installation and installs the
remaining VAS Administrative Tools.
You can then register these tools on
Figure 2. Centeris’ Likewise offers a GUI management console that most admins
should be able to navigate.
28 | May 2007 | Redmond | Redmondmag.com |
Project12
1/16/07
11:27 AM
Page 1
Software to Simplify and Share SAN Storage
Extend the Capability of Microsoft Windows Server System
Sanbolic shared data SAN software for Microsoft based Data Centers extends the capability of
Windows server applications. Scale out your Windows file serving and web serving architecture.
Create a truly flexible datacenter using Virtual Server 2005. Take advantage of the full potential
of Microsoft Clustering Services for application availability. Easily configure and assign a pool of
storage on a heterogeneous SAN centrally with familiar Windows tools.
Simple Information Lifecycle Manager
Move your files automatically based on storage policy. Copy your data for availability.
Take control of your data.
Intuitive Software Designed for Windows Servers
www.sanbolic.com. Or call us at 617-833-4249
0507red_Roundup27-30.v7
4/17/07
10:51 AM
Page 30
RedmondRoundup
your server (see Figure 1, p. 28). I created a Unix/Linux users group where
you see the newly added ability to
select the “Enable Unix Group” check
box under the Properties menu. Then I
selected a user, went to properties and
selected “Enable Unix User.”
Management setup on the client-side
install was a bit more daunting. VAS
supplies a tool called Vastool that lets
you add your Unix/Linux machine to
the AD domain. Vastool is a commandline tool, so you should be comfortable
with the Unix/Linux command line
before you start on this endeavor.
I did my client installation on two
Fedora Core 5 machines. VAS also
supports AIX, Debian, VMware ESX
Server, Red Hat, SuSE and Solaris
Unix. It also supports a wide range of
Unix/Linux-based applications such as
DB2, Java, Oracle and SAP.
Now that I’d configured my AD and
client machines, my Fedora machines
were full members of the AD domain.
The machines’ Kerberos and LDAP
implementation created a true single
sign-on “trusted realm” in my AD.
One of the major benefits of VAS is
that it’s completely standards-based. It
extends the capabilities of AD to your
Unix/Linux environment. One of the
nightmares network supervisors experience in a mixed environment is the issue
of compliance and the associated management and reporting requirements.
VAS will give you the same auditing and
reporting capabilities in your Unix/
Linux environment that you’ve grown
accustomed to in your AD world.
VAS is very scalable. It can accommodate networks with 10 or 10,000
users. While the package doesn’t let
you set up Web sites and DNS servers
on your Unix/Linux servers, hopefully
you can see how using VAS to create
an SSO environment to integrate your
Unix/Linux servers into your AD
could potentially be a huge benefit.
Easy Rider:
Centrify DirectControl
The second product in the single signon arena is Centrify DirectControl.
DirectControl uses native AD capabilities to store multiple Unix and Linux
identities. Like VAS, this also requires
a bit more familiarity with Unix and
Linux than Likewise.
DirectControl doesn’t actually
change or extend the schema of your
existing AD—although the end result
is still the SSO, DirectControl takes a
different approach. Centrify DirectControl lets you store multiple Unix
and Linux identities for one AD user
and then maps those identities back to
“zones” of systems.
Figure 3. DirectControl’s Administrator
Console presents a cleaner environment for
adding users to zones and viewing reports.
These “zones” are collections of systems that share similar attributes and
let you provide access for users who
have membership in the zone. Many
seasoned Linux and Unix veterans are
familiar with NIS maps: there’s a utility
that lets you import these maps.
Centrify DirectControl also lets you
integrate Macs into your AD, in addition to Unix/Linux machines. For the
purpose of my evaluation, I started with
a fresh network consisting of a Windows
2003 server, four Windows XP
Professional clients and two Fedora
Core 4 machines.
At the time of this review, Fedora
Core 5 was not listed as a supported
OS. Still, installing it on the server was
quite simple. Once again, the client
installation requires a bit of knowledge
in the Unix/ Linux environment. That
being said, the client installation is
fairly well scripted and went off without any problems.
30 | May 2007 | Redmond | Redmondmag.com |
One feature I do like about Centrify
DirectControl is the DirectControl
Administrator Console (see Figure 3).
This is a clean and intuitive environment in which you can set up your
Centrify DirectControl zones, add
users to zones and view reports.
In my opinion, the built-in reporting
left a bit to be desired. I prefer add-on
reporting and auditing tools that pull
information directly from my AD. I also
question the wisdom of mapping multiple user accounts to one AD account.
Singularly Qualified
If you have Unix and Linux machines
on your network, or if you’re thinking
about adding one for Web hosting,
DNS, or file and printer sharing, Centeris Likewise would certainly be worth
a look.
Both Centrify DirectControl and
Quest’s Vintela Authentication Services
have thorough documentation. They
also have “Resource Centers” on their
Web sites with vast resources available.
If you truly want to integrate your
Unix and Linux systems into your AD
environment and use single sign-on
features like ease of administration and
compliance, both VAS and DirectControl are worth a look. I’d recommend
giving them serious consideration.
There certainly are benefits to this
type of choice, including the ease of
directly mapping existing users.
As I mentioned earlier, making a full
backup prior to installation would give
you absolute protection in the event of
any critical problems. Although I didn’t
really encounter any major problems in
my tests, I’m a bit leery of manipulating
my production AD environment. VAS
does let you use traditional Windows
applications for user and group management. DirectControl adds their
management console.
All this may come down to a matter of
personal preference with how you’d
rather manage your systems. —
Ben Brady (bwb5026@yahoo.com),
MCSE, CCNP, is the operations manager
for ISDN-Net Inc. in Nashville, Tenn.
Raxco
4/13/07
8.
10:02 AM
Page 1
4.
Recognized as the world’s most powerful defrag-
menter, PerfectDisk has always been the secret to
No hidden surcharges. Unlike other defragmenters,
PerfectDisk doesn’t charge you extra for super-sized
faster, more reliable computers. Now, with a
drives, or administrative console features.
powerful new suite of enterprise tools,
Microsoft-certified PerfectDisk simply
PerfectDisk 8.0 takes disk defragmen-
makes it easy to defrag every
tation to the farthest reaches of the
drive on the enterprise. Period.
enterprise, while placing total
control right at your fingertips.
7.
3.
The
Top
8
Are you sitting down?
To ensure your
drives are always in shape,
new AutoPilot Scheduling™
Reasons
lets you set your computers to
Good, because the PerfectDisk
Command Center™ lets you deploy,
defrag automatically. What’s
configure and manage the defrag-
more, unlike the competition, new
intelligent Screen Saver Mode auto-
mentation of every system on the
enterprise ... all from the comfort of your
matically defragments idle computers if
own desktop.
a user-defined number of days has
passed since the last defrag.
6.
2.
Your
Enterprise
Can’t Wait
For
PerfectDisk
PerfectDisk's new
patent-pending Resource
Saver™ technology finds all
the fragments of a file without
and CPU throttling features
automatically detect when
a system is “busy” and
8
first opening the file, efficiently
defragmenting even the largest
reduces its disk I/O or CPU
usage accordingly, making the
of drives with minimal system
defragmentation of even the
impact.
5.
PerfectDisk's new I/O
busiest drives practical.
1.
PerfectDisk's Space Restoration
Technology,™ with its Consolidate Free Space
defragments, optimizes and consolidates even
Defrag, lets you create the largest piece of contiguous free
space available prior to creating large files or performing
And best of all, PerfectDisk 8
the largest drives in a single pass. Done. And with our
Competitive Trade-up Program, the time is great to migrate to
partition resizing operations.
So
why
wait?
Download a FREE trial at
Sowhy
whywait?
wait?Download
8.8.8.So
www.perfectdisk8.com.
1-800-546-9728
www.perfectdisk8.com
Visit
themost
mostpowerful
powerfulenterprise
enterprise defrag
defrag solution.
solution.
See the
come
by
booth
226
during
Microsoft
Tech
Ed,
June
5
–
8, 2007
2007 Orlando,
Orlando, FL.
FL.
Come by booth 226 during Microsoft Tech Ed, June - 8,
®
June 8, 2004
PerfectDisk 6.0
Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. PerfectDisk is a registered trademark of Raxco Software. PC Magazine Editors’ Choice Award
Logo is a registered trademark of Ziff Davis Publishing Holdings Inc. Used under license. All other product names mentioned herein are the trademarks of their respective owners.
¤
May 24, 2005
PerfectDisk 7.0
0507red_F1Security32-38.v11
4/17/07
10:30 AM
Page 32
Your Vista
Game Plan
An early, well-planned move
to Microsoft’s new OS could
be the answer to enterprise
security challenges.
By Peter Varhol
egardless of your personal or professional opinions
of Windows Vista, you know you’ll be running it
sooner or later. Uptake on new desktop operating
systems tends to be slow, with just over 50 percent of enterprise desktops running them in the
first five years, according to industry analyst firm
Forrester Research Inc. Most may choose to upgrade gradually, in line with new client hardware, while some may
wait until the next planned upgrade cycle.
In Vista’s case, there may be good reasons to accelerate
adoption, rather than waiting for the next scheduled
upgrade cycle. Security and integrity are two of the most
prominent reasons. Enterprises that are at a significant
risk, given the value of their applications or data, may be
attracted to its ability to provide better safeguards. Vista’s
higher levels of integrity are also likely to make it more
resistant to attack.
Still, there are doubters. Forrester security analyst Natalie
Lambert says that the security features are a boon for consumers. While helpful in the enterprise, they will still be
supported by third-party products. “Enterprises will still
use virus checkers and spam blockers to supplement
Vista,” she explained. “The new security features have to
be weighed against the cost of upgraded hardware. For
many, it makes sense to move to Vista with the next hardware upgrade, not sooner.”
R
32 | May 2007 | Redmond | Redmondmag.com |
0507red_F1Security32-38.v11
ILLUSTRATION BY ROBERT KAYGANICH
4/17/07
10:30 AM
Page 33
| Redmondmag.com | Redmond | May 2007 | 33
0507red_F1Security32-38.v11
4/17/07
10:30 AM
Page 34
Vista Game Plan
So when does it make sense to upgrade? Vista will almost
certainly be the mainstream OS within a few years. Is it
worth the hardware and administrative costs to achieve
higher levels of security or integrity, or should migration
occur on the same schedule as previous OS upgrades?
ing Group, the SDL consists of processes encompassing
security engineering, reviews by security experts and protection within the OS itself.
The first phase of this lifecycle involves designing features
and implementing code more resistant to attack. Toulouse
describes a process whereby each proposed feature was scruThe Keys to Lockdown
tinized for its security implications prior to being included
Microsoft has undertaken a formidable task trying to secure as a requirement. “If a feature required a port to always
Vista. Security is not achievable in an absolute sense, and
remain open, or for a high level of access to be maintained,
you don’t achieve added security without cost. That cost is
it would get a lot of pushback,” he explained. “It might have
typically measured in the quality of the user experience.
to be implemented in a different way, or not at all.”
Microsoft’s ambitious—some would say unrealistic—goal is
The second phase of the security lifecycle is review and
to improve both security and user experience.
testing by industry security experts. A part of this effort,
Microsoft has also labored under legacy burdens that aren’t called BlueHat, involves turning over working code to
easily swept aside. Those burdens include the sizeable
experts for analysis and exploitation, as well as follow-on
Windows code base itself. The company builds new
meetings between those experts and Microsoft developers.
Windows versions from the source of the current one. While In addition to providing a significant test for the OS code,
large parts are modified or replaced entirely with every new
it also provides an interaction between Microsoft OS engirelease, starting from scratch would mean throwing away a
neers and security experts that almost invariably results in
lot of perfectly good technology.
better code in the future.
Another legacy burden is applications, both those proLast, Microsoft incorporates security features that make
duced by Microsoft and those from third-party developers.
the OS more difficult to hack and exploit. Features like
There are thousands of applications out there whose
User Account Control (UAC) and user notifications of
required permissions level is above that of users, or is
unusual activities make Vista more resistant, but not
unknown altogether. Prohibiting these applications from
impenetrable. The goal is not to provide a fully hack-proof
executing would greatly slow Vista adoption, because users
system, but to buy time for other mechanisms to identify
would stay with the OS
and turn away an attack.
where their applications ran.
Windows Defender,
That’s not the end of it.
Windows Firewall and an
We had the right idea [with User Account
An unknown number of
Security Center
Control] but we failed to consider usability. Since overhauled
custom enterprise applicamake a difference here.
that early feedback we’ve made significant
tions were written in the
Windows Defender helps
same fashion, requiring
protect against and remove
strides in usability, and believe we have a
administrator rights to the
spyware, adware, root kits,
system that makes more sense to Vista users.
local machine to execute.
bots, keystroke loggers, conStephen Toulouse, Senior Product Manager,
Some enterprises fixed
trol utilities and some other
Trustworthy Computing Group, Microsoft
their applications when
forms of malware. The
they went to a locked-down
Windows Firewall includes
environment over the security issues of the past several
both inbound and outbound filtering, protecting users by
years. Others still have many applications that have to run,
restricting OS resources if they behave in unexpected ways.
at least some of the time, in a more privileged mode.
While the Security Center has been around since
With Vista, Microsoft attempted to build an OS that
Windows XP SP2, Microsoft has made improvements,
eases users, administrators and developers into thinking
including showing the status of anti-spyware software,
about security in a different way. No one at Microsoft
Internet Explorer security settings and UAC. The Vista
would declare that Vista is 100 percent bulletproof, but it’s Security Center can monitor security solutions from thirdno exaggeration to say that Vista is the most secure
party vendors running on a PC and indicate which are
Windows OS to date. But is it secure enough for you to
enabled and up-to-date.
deploy on hundreds or thousands of desktops?
Before shipping, Vista also underwent final security
reviews, peer reviews and testing via automated attacks.
What Microsoft Does for Enterprises
Automated attacks typically involve code written to emuWindows Vista is the first OS Microsoft has built under
late actual attacks from the wild, to determine the ability
the laws laid down by its Security Development Lifecycle of the OS to repulse them or at least slow them down.
(SDL), which were defined several years ago during the
Patches and Promises
intense security training conducted after the release of
One of the accepted practices in OSes in recent years has
Windows XP. According to Stephen Toulouse, senior
been the concept of the security patch. Hackers, researchers
product manager for Microsoft’s Trustworthy Comput34 | May 2007 | Redmond | Redmondmag.com |
Project3
4/9/07
4:42 PM
Page 1
User Account Control
for the Enterprise
™
Do you trust your users with Administrative Rights? Windows Vista’s User Account Control
asks users for administrator passwords in order to run many critical applications. Distributing
administrator passwords to end users is not a secure enterprise solution.
Least Privilege Management. BeyondTrust enables enterprises to move beyond the need
to trust users with excess privileges or administrator passwords. Apply the principle of Least
Privilege to all users by securely elevating privileges for authorized applications without end
user input, pop-ups or consent dialogues. Empower network administrators to set centralized
security policy. Built for Windows 2000, XP, Server 2003, and Vista; integrated with Active
Directory and applied through Group Policy.
For a free pilot installation call 1.603.610.4250 or visit www.beyondtrust.com.
Windows and Vista are trademarks of Microsoft Corporation. Other company, product and service names may
be trademarks of their respective owners. © 2007 BeyondTrust Corporation. All rights reserved.
0507red_F1Security32-38.v11
4/17/07
10:30 AM
Page 36
Vista Game Plan
or even vendors themselves identify vulnerabilities. The OS
Developers tend to be philosophical about security
vendor, such as Microsoft, Apple or Red Hat, then analyzes
issues. At a recent Visual Studio developer conference,
the vulnerability and prepares one or more patches.
Sam Restead, a senior software engineer for a large insurMuch has been made of the fact that Vista has had
ance provider, shrugged and said, “I care about security
fewer security patches in its first 90 days of availability
and don’t intentionally write bad code. But the hackers
than comparable OSes from Apple or Red Hat. While
move so fast that no one can keep up with all the emerging
this appears to be a reasonable standard for a new OS,
techniques to break into systems.”
Microsoft disingenuously included the time before genRestead’s colleague Richard Guest added: “It’s mostly an
eral availability when the OS was only available to enterOS problem anyway.”
prises and MSDN subscribers.
Not surprisingly, both perception and bandwidth have
Forrester analyst Jen Albornoz Mulligan notes that the
led to the lack of motivation by developers in addressing
ranking is very different when only critical flaws are consecurity more rigorously in their applications. That said,
sidered. Her conclusion is that there are too many varidevelopers don’t intentionally write insecure code and are
ables to consider. For those on the front lines, however,
keenly interested in making sure that an application isn’t
the question for now is: What does it take to keep the
the cause of a security breach. The real problem is that
machines up-to-date on patches? The jury is still out on
there are just too many other things for developers to do at
that question, but Windows Vista looks much more prom- the same time.
ising than previous versions of Windows.
Vista will help most developers write more secure code.
Ironically, at press time there were news reports of a
It does so, in part, through the use of UAC. The UAC
Vista vulnerability surrounding .ANI files. According to
separates standard user privileges and activities from those
those reports, .ANI files are used to change the cursor into that require administrator access. It changes the definition
an hourglass while a proof a standard user by includgram works, or into a curing many basic functions
sor animation on Web
that pose no security risk but
The new security features have to be
sites. The vulnerability was
that previously required
weighed against the cost of upgraded hardware.
allowing hackers to break
administrative privileges.
For many, it makes sense to move to Vista with
into computers and install
Many applications require
malicious software. Because
local machine administrator
the next hardware upgrade, not sooner.
of a rapidly increasing
privileges, so users can end
Natalie Lambert, Security Analyst, Forrester Research Inc.
number of reported
up with administrative
exploits, Microsoft released
access, invoked only when
the patch for this vulnerability early.
installing software or executing an application that
There is also security from a physical breach. Many of us
requires admin rights. Vista displays a dialog box requesthave received notification of a lost or stolen computer con- ing the local administrator password, which the user must
taining data on our identity, credit, or buying habits, and
enter in order to complete the activity.
were outraged that the data was not better protected.
If the enterprise locks down desktop systems, UAC can also
Here’s where BitLocker, Vista’s full volume encryption,
help there. Admins have the option of configuring a policy
comes into play. BitLocker uses hardware-enabled protecsetting that prevents users from encountering the access diation to prevent unauthorized users from accessing data by
log, in order to prevent administrative actions entirely.
breaking Windows file and system protections.
Alternatively, UAC lets IT admins give desktop users
BitLocker incorporates centralized storage and manageadministrative rights, but normal operations occur using
ment of encryption keys in Active Directory, and lets IT
lower privileges. If an application requires admin rights to
administrators store encryption keys and restore passwords continue, it will prompt the user for an OK.
onto a USB key or to a separate file for backup. The
UAC helps users better understand how their system is
encryption system also enables system recovery in the
being used by applications. After an initial training period,
field, providing a means for users to enter the restore pass- users will come to know the normal behavior patterns of
word and restore their own systems.
their applications, enabling them to question unusual or
unexplained requests to upgrade system privileges.
The Price of Privilege
And over time, UAC will help developers. Because those
There has been a dichotomy between application developoperations requiring admin privileges are right out there
ers and their users that has become significant over the
in the open, any inadvertent upgrade in privileges will
past several years. Many enterprise developers have
become apparent during unit and functional testing.
absolute access to their systems, but they tend not to conMicrosoft’s Toulouse admits that UAC got a bad repusider whether or not their users do. In some cases, they
tation during early community releases of Vista. “We had
raise privileges because a given operation won’t work
the right idea,” he explains, “but we failed to consider
unless the process has a high set of privileges.
usability. Since that early feedback we’ve made significant
36 | May 2007 | Redmond | Redmondmag.com |
32229_redmond5_ns.indd 1
4/9/07 5:05:00 PM
0507red_F1Security32-38.v11
4/17/07
10:30 AM
Page 38
Vista Game Plan
strides in usability, and believe we have a system that
For enterprises, this means that “install and go” is no
makes more sense to Vista users.”
longer a reasonable strategy for running a Windows OS.
One unyielding principle is that users are still informed
System administrators, application developers and even
whenever an application attempts to do something out of
end users have to take increasing responsibility in an envithe ordinary. This means that many computer users will be ronment where known exploits are combined with valuable
seeing more messages concerning application privileges
data to provide ample opportunities for security violations.
than they have in the past. To those who install software
The tradeoff required for better security is greater
on their own systems, the dialog will be a constant
involvement by users, administrators and developers in the
reminder of the Vista security strategy.
security process. In deciding whether or not to accelerate a
The upshot is that users will have to better understand
migration to Vista for security purposes, managers have to
the security implications of their activities. This may cause
first perform a classic risk analysis. If your clients access
confusion unless users are trained in their security respondata of significant value to the organization, or your infrasibilities. In many enterprises such training is problematic,
structure has vulnerabilities that put clients at greater risk
as users generally receive only the training they need to
of intrusion, then the additional security features of Vista
perform their job activities—and sometimes not even that.
should be high on your priority list.
According to BeyondTrust CEO John Moyer, this will
But—and it’s a big but—that means both your staff and
be a problem in enterprises. “Users are focused on their
users have to get more involved in security. Users have to
jobs, not on the security messages that pop up on their
understand and take action based on security messages
screens,” he claims. UAC
sent by the OS. Vista will
has the potential to cause
tell them a great deal about
System administrators, application developers
confusion for users and
the security state of their
increased workload for
desktop, but only if they
and even end users have to take increasing
administrators. It’s not
speak the same language.
responsibility in an environment where known
going away, though, so
Administrators have to
exploits are combined with valuable data to
sooner or later developers
make sure that desktops are
will have to make their
provide ample opportunities for security violations. configured with the applicaapplications run in more
tions, policies and security
secure environments and
settings required by users to
users will have to understand what to do when the UAC
perform their jobs. Blasting all desktops with a single
dialog box appears.
image and pushing blanket policies probably won’t cut it
You can get your hands on most, if not all, of these and
if you want to move to Vista today. Using features such
other less significant security features from third parties to
as UAC, policies and the Security Center, administrators
use with Windows XP. BeyondTrust, for example, prohave to configure the OS to the precise security paramevides a way to manage user privileges in the IT shop,
ters needed to ensure protection of data and systems.
rather than on the user’s desktop. Adding third-party point Admins will be on the front lines of helping users undersolutions does mean a more complex configuration for
stand their new security responsibilities.
installed systems, the need for better management of softLast, developers can no longer assume that users are local
ware licensing and upgrades, greater costs and perhaps a
machine admins. Relying on Vista privilege elevation for
greater potential for system conflicts.
applications to work will be confusing to users and show a
lack of OS understanding by developers. While it may not
Building a More Secure Enterprise
be possible to get rid of privilege elevation entirely, develAdvocates for one OS over another tend to get viscerally
opers have to build and test with the same security settings
involved in their opinions on security and usability. The
as their users.
debate among client OSes in enterprises tends to settle
With a commitment from these three constituencies,
around what version of Windows is best, rather than
Windows Vista will help an enterprise at risk be measuranon-Windows alternatives. If an enterprise is at risk,
bly more secure. But there’s also a word of caution: Witheither by making regular and common use of high-value
out that commitment, along with training in security
or highly sensitive data, or by losing significant business
policies and implementation, the equation falls apart, likely
if systems are taken offline by attacks, then Vista can
resulting in greater confusion and lost productivity.
help immediately.
There’s no going back. All parts of the enterprise will
There seems to be little question that security is
have to have greater involvement in information security
improved with Windows Vista. Toulouse calls Vista the
in the future. Vista represents an important first step in
“best possible baseline for the broadest set of users.”
that direction. —
While there’s nothing particularly revolutionary about its
Peter Varhol (pvarhol@redmondmag.com) is Redmond’s
features, it’s useful to have them aggregated into a single
executive editor of reviews.
product and used in consistent ways.
38 | May 2007 | Redmond | Redmondmag.com |
Project2
4/12/07
10:51 AM
Page 1
NORTHERN STORAGE SUITE
SET LIMITS
To collect and store is a natural instinct. A sys admin
is guided by a different set of instincts: to maintain order
and to set reasonable limits.
Northern Storage Suite allows you to establish guidelines and
boundaries to promote economical storage usage. It lets you
set disk quotas, block file types and keep users informed.
Sample the power of Northern Storage Suite – download
Northern’s Free Analysis Tool: www.northern.net/redmond
WWW.NORTHERN.NET / INFO@NORTHERN.NET / 1.800.881.4950
NORTHERN – MANAGING STORAGE SINCE 1995. TO US IT’S SECOND NATURE.
Simplify Active Directory Management,
Inventory Control, & Auditing.
®
®
®
®
®
®
®
Provides Custom & Canned Reports
Includes Ability to Schedule Reports
Eases Software Inventory & Auditing
Removes Unwanted Client Software
Offers Hot Fix & Service Pack Viewer
Advanced Export Features
Bulk User Updating
NG
I
L
E
D?
FE
E
M
L
HE
W
R
OVE
FREE 30 Day Trial!
Visit CNS-Software.com
Tools by Administrators for Administrators
1-866-344-6267
www.CNS-Software.com
TM
©2006 CNS Software, LLC. All rights reserved. The names of actual products mentioned herein may be the trademarks of their respective owners.
Project4
3/12/07
12:13 PM
Page 1
Maximum Control. Minimum Effort.
Providing desktop support can be a headache with the large number of systems, servers and mobile devices
located on today’s corporate network. With NetSupport Manager remote control software, you can provide
seamless IT support centrally from one location, improving response times and reducing associated IT costs.
Support, monitor and train your users securely over a LAN, WAN and the Internet. Manage and monitor multiple
systems simultaneously with NSM’s multi-platform support including Windows, Linux, MAC, Solaris, and Windows
Mobile. Troubleshoot help requests efficiently with NSM’s inventory and desktop management tools.
Take control of your network before it controls you.
For more information and to download a free trial copy - visit:
www.netsupportmanager.com
PC Remote Control
sales@netsupport-inc.com
770-205-4456
www.netsupport-inc.com
0507red_F2CitrixVM41-43.v8
4/17/07
10:32 AM
Page 41
Citrix and VMware:
Oil and
Water?
Two technologies.
One chemistry
experiment.
Can they mix?
By Greg Shields and Steve Kaplan
ne of the components in our chemistry experiment is a billion-dollar
company known worldwide for
software that connects any user
from any network connection to any
data center. Citrix Systems Inc.’s
Presentation Server software utilizes an optimized
transport protocol called ICA to connect clients to
servers over WAN links of virtually any speed.
The other component is a subsidiary of another
billion-dollar company. This one’s known for
multiple years of triple-digit growth and a recent
announcement of its first IPO. VMware Inc., EMC
Corp.’s subsidiary, has been renowned for its Virtual
Infrastructure product that’s capable of squishing
together tens of data center servers onto a single
hardware chassis.
The return on investment (ROI) associated with
both technologies is well-documented. Citrix
moves your applications from the desktop to the
data center, centralizing management and reducing
administrator touch points. VMware centralizes
your servers, reducing hardware footprint and heat
signature, enabling an entire-server snapshot for
rapid recovery and business continuity.
But when you bring them together, do they mix?
Or, like oil and water, do they separate? By running
Citrix servers on top of VMware’s Virtual Infrastructure, do you improve their combined ROI, their
performance and their survivability? Or do you end
up with a big, unresponsive mess?
O
| Redmondmag.com | Redmond | May 2007 | 41
0507red_F2CitrixVM41-43.v9
4/17/07
2:10 PM
Page 42
Hard Facts
7But What About
Microsoft Virtual Server?
e’ve focused hard on the Virtual
Infrastructure virtualization technology created by VMware, but the
elephant in the room is: “What about
Microsoft Virtual Server?”
While there are no equivalent studies
detailing Citrix performance on Microsoft
Virtual Server, a few connections can be
made between the two products.
Microsoft Virtual Server is intended to be a
comparable product to VMware’s Virtual Infrastructure platform, but its architecture suffers
problems stemming from two major issues.
First, Microsoft Virtual Server is intended to be
installed on top of an existing Windows Server
2003 installation. VMware’s Virtual Infrastructure 3 (VI3) product is its own operating system. As the VI3 OS is highly optimized with an
eye toward performing a single function, its virtualization overhead is significantly reduced.
This means that virtual machines hosted on VI3
will typically run with better performance.
The second issue involves VI3’s capabilities
for dynamic load balancing and on-the-fly
restarting of failed machines on alternate
hosts, enterprise-level features that are
critical in high-availability environments.
Microsoft Virtual Server has the capability of
doing cold migrations of servers from one
host to another, but the virtual machine must
be powered down prior to the migration.
VI3’s ability to move machines from host to
host while the virtual machine continues to
run makes this feature set a huge boon to
downtime-sensitive environments.
Microsoft Virtual Server is a good product in
some environments. More importantly, it
comes at a substantially lower price point than
VMware’s enterprise-level product. If your network environment doesn’t have requirements
for very high performance and reliability, then
Microsoft Virtual Server’s lower price point
may make it the product for you.
—G.S. and S.K.
W
42 | May 2007 | Redmond | Redmondmag.com |
Virtualizing a Citrix server provides the same level of benefits at the server chassis as Presentation Server does for its
applications. Virtualizing a server enhances that server’s
capability for management and hardware mobility. Because
of the file-based nature of virtualization, that server’s
intrinsic availability and recoverability after a disaster event
are improved. And because adding a new virtual server is
little more than a copy-and-paste, virtualization provides an
IT staff with more options in segmenting applications, as
well as securing them against external attack.
On the other hand, virtualizing any server involves added
overhead to system resources. This overhead comes from
the resources needed to run the virtualization layer plus all
other virtual servers hosted on the chassis.
You may have heard the horror stories about the poor
performance Citrix servers experience when running on
early versions of VMware’s ESX product. Many of those
concerns have changed, however, with VMware’s release
of Virtual Infrastructure 3 (VI3). VI3 includes automatic
sizing of memory page table caches, and improved latencies on page fault and context switch operations that help
reduce total system resource use.
Citrix at a high load can be a demanding application due
to high kernel-resource utilization and a high level of context switches associated with its underlying Terminal Server
architecture. But in many environments this high utilization
often doesn’t occur. Many times, application conflicts—or
the need for security isolation among applications or
users—force a horizontal scaling of Citrix servers. These
kinds of applications or users that can’t cohabitate on a single server can result in an organization buying new Presentation Servers even though existing server utilization is low.
In a virtualized environment, multiple server instances are
enabled to run on the same physical server chassis. When
application conflicts or security requirements force additional servers to be brought online, virtualization can enable
it to be done with relative ease. You can copy and paste new
servers to your heart’s content until the hardware resources
of your physical chassis max out.
VMware recently completed scalability tests that involved
initiating a series of increasing user log-ons to a virtualized
Citrix server, followed by a pre-recorded series of actions
using Microsoft Word. The test simulated users logging in,
opening a Word document and typing for up to 15 minutes.
CPU resources were measured so as to identify the number
of users capable of being supported by the hardware chassis
when running at up to 80 percent of CPU utilization.
A quad-socket, dual-core server was used to host the virtualization environment. This server was configured to run
eight instances of Presentation Server with near-equivalent
user experience to that of eight single-processor physical
servers. For the test, a limited set of applications was used
and each Presentation Server virtual machine was fixed to
a specific processor.
After running the test for 80 iterations, results showed
that for the hardware chosen, Version 3.0 of ESX and a
0507red_F2CitrixVM41-43.v8
4/17/07
10:32 AM
Page 43
Citrix & VMware
single-hosted virtual machine could support close to 140
simultaneous sessions.
Obviously, mileage will vary depending on the type and
number of hosted applications, as well as the number of
simultaneously hosted virtual machines on the hardware
chassis. But this test did verify that a large number of concurrent users living in a virtualization environment could
be supported.
Two design decisions on the part of the ESX host combined to reduce this virtualization overhead. Virtualization
environments that run on quad-processor rather than
dual-processor servers, as well as those running 64-bit
processor architectures, can increase the number of concurrent sessions in the virtualization environment. When
making the decision to move to virtualized Presentation
Server, this combination of host specifications diminishes
the negative impact of virtualization overhead.
ported for a much lower hardware cost when it comes to
concerns over security or application conflicts.
Snapshots and Backup
Presentation Servers are application servers. Unlike most
of the servers in your data center, users have direct access
to that server’s desktop and installed applications. This
means Presentation Servers have a greater chance of
being exploited.
A virtual Citrix deployment eliminates the necessity of
having one or more Citrix servers set aside as dedicated test
machines. Because of VI3’s ability to “snapshot” the server,
the process for patching and testing becomes much less
painful. To test a virtual server, just snap an existing server
instance, apply the desired patches, upgrades or other modifications, and validate their functionality. If anything goes
wrong, you can rollback the server to its snapshot. If the
testing or patching completes successfully, the modificaSofter Side
tions can be applied to the other Citrix
Other factors also help to reduce
virtual machines with confidence.
hardware requirements in a virtualBacking up a virtual Citrix infraized Citrix environment. VI3’s
structure is simplified by the ability to
Interested in learning more about
Distributed Resource Scheduling can
store snapshots of the entire virtual
VMware’s performance study
be configured to automatically
machine at any time. Snapshots can be
involving Citrix Presentation Server?
relocate running instances of virtual
replicated off-site, which helps faciliCheck out its white paper at
Presentation Servers to other physitate disaster recovery (DR). Because
www.vmware.com/pdf/esx_citrix_
scalability.pdf.
cal chassis with more available
the Citrix virtual machines can be kept
resources. This relocation capability
running at the DR site, access becomes
means that a stack of servers can be treated less like a stack
very easy and rapid in the event of a catastrophic failure.
of servers and more like a stack of processor and memory
Performance vs. Reliability
resources. Organizations can pool these server resources
As with our question of oil and water, the laws of physics
and load balance virtual machines across them, thereby
still hold true with virtualized environments. Do Citrix
enabling a higher overall utilization without overburdenand VMware mix? For performance—maybe. Using ESX
ing any individual machine.
with just the right set of hardware, applications and users,
This way the server environment is similar to that of an
testing shows that you can squeeze a large number of conarray of disks. We no longer have to know or even care
current users onto multiple Citrix virtual servers.
about where our virtual machines are running. We can set
For other reasons—definitely. As you can see, virtualizapolicies to reserve minimum and maximum resources for
individual virtual machines. We can also create affinity and tion provides benefits to reliability that help offset that loss
in total performance. The gains from centralized adminisanti-affinity rules to ensure servers that should reside
tration, higher availability, disaster recovery and server
together on the same physical hardware actually do.
In a physical environment, a failed server can mean a loss of provisioning make it an option worth considering.
that server’s resources until that server is repaired or a new
Greg Shields (gshields@redmondmag.com), MCSE:
machine is procured. Disparate hardware between the failed
Security, CCEA, is a principal consultant for 3t Systems
machine and the new one can force a complete rebuild—a
(www.3tsystems.com) in Denver, Colo. A contributing editor
lengthy process. Because of this, organizations often procure
and maintain an inventory of costly identical server hardware to Redmond magazine and a popular speaker at TechMentor
events, Greg also hosts a Windows Server blog and regular
that sits unused and waiting for a failure to occur.
A dead VI3 host server, on the other hand, can quickly be podcast at www.realtime-windowsserver.com.
replaced by a new server regardless of brand, CPU or
Steve Kaplan (skaplan@accessflow.com), MVP, is president of
model. Further improving system uptime, VI3’s High
AccessFlow, a VMware Premier Partner headquartered in
Availability feature will automatically restart systems elseSacramento, Calif. In addition to co-authoring the
where that were homed on the dead host.
Osborne/McGraw-Hill series of Citrix Official Guides and
Also, the ability to spread out users among a greater
Advanced Concepts Guide books, Steve has had dozens of
number of virtual Presentation Servers means a smaller
impact on that user base when one Presentation Server has articles published on various IT topics ranging from security to
disaster recovery to regulatory compliance.
an issue. It also means users and applications can be sup-
VMware’s Citrix
Performance Study
| Redmondmag.com | Redmond | May 2007 | 43
0507red_F2ITvIM44-47.v11
4/17/07
10:34 AM
Page 44
44 | May 2007 | Redmond | Redmondmag.com |
0507red_F2ITvIM44-47.v11
4/17/07
10:34 AM
Page 45
IT IM
vs
Instant Messaging (IM) makes tactical communication a snap,
but too often IM serves as a doorway for hackers. Here’s how
IT can wrestle with the problem.
By Doug Barney
I
n October 2006 Instant Messaging reached an ignominious milestone. Security vendor Akonix Systems
Inc. reported a record-high 88 IM-based attacks, a
mark that still stands almost six months later.
While it hasn’t gotten any worse, IM threats have
hardly gone away. Most are in the form of worms usually
spread as attachments. They have wacky names such as
Geezo, NotYou and Tellsky. IT staffers have to clean
up these messes, and they’re not laughing.
Besides worms and other viruses, IM is also a conduit
for phishing, spyware and social engineering attacks. “I
fight daily with pesky spam, malware, viruses and backdoors. Every computer I clean has some type of IM
client or a residual,” complains one IT professional.
While IM is often seen as stripped-down messaging,
the viruses it carries are no lightweights. Take the
W32/Sohana-C worm. This nasty little germ first
shuts down your anti-virus protections, then modifies
the registry and can install software from the Internet.
It can also change the user’s start page and duplicate
itself via IM.
It’s no wonder that many in IT aren’t fans of IM. “I’m
not an IMer and I don’t see the business case for it.
Employees can state their cases all day long but in the
end, everyone knows what they use it for most of the
time—[and] it’s not work related,” says Dave Zeininger,
a network engineer and administrator for The Computer
Merchant Ltd, a computer consultancy.
Just Say No
One solution that may please IT—but not end users—is
to ban IM completely. “We just say no [to IM],” explains
John Montgomery, MCSE, president and CEO for
IMC Studios Inc.
IMAGE BY GETTY IMAGES
Blocking can be a fairly simple procedure. “In our
enterprise, IM protocols are blocked by filtering software at the Internet gateway, and all known IM client
software is prevented from running by a combination of
group policy—blocked by path and hash—and our AV
software,” explains Marc Cote, a network manager in
Lenexa, Kan. “So far, I have the CIO onboard with
these actions in the name of security,” he says.
Others in IT are taking a similar tack. Charlie Jarman,
a system administrator and Microsoft Certified Professional with Loris Healthcare System Inc., says he
simply uninstalls MS Messenger on all Windows XP
Pro-based PCs when they come in the door. He then
uses Websense to block all IM clients and all ports, as
well as using Group Policy to disallow running the
popular IM clients.
“This strategy works pretty well for our small hospital
system with about 1,000 employees,” he says.
Blocking isn’t always enough, however. The fear of
God (or at least HR) can also help, argues Dwayne
Sudduth, network administrator for Bulova Technologies
LLC in Lancaster, Pa. Sudduth says he blocks all the
ports for the major IM clients at the firewall.
“All of about three users would know how to circumvent that anyway, and we’re all in the same department
[IT],” Sudduth says. “It’s a well-known policy that the
use of IM is forbidden and is a disciplinary offense, [with
penalties] up to and including immediate termination.”
If IM is essential to your business, there are two main
choices. One is to install a private IM network based on
tools from Microsoft, IBM Corp. or Jabber Inc., among
others. These private networks tie users to a directory, or
let you create a directory that ensures users are who they
say they are and have proper password protection.
| Redmondmag.com | Redmond | May 2007 | 45
0507red_F2ITvIM44-47.v11
4/17/07
10:35 AM
Page 46
IM Solutions Vendors:
Akonix, Blue Coat, CypherTrust, FaceTime,
IBM, IM Einstein, IMLogic, MessageLabs,
Microsoft, NFR Security, PortAuthority, SurfControl, Symantec, Trend Micro, Vericept,
Websense, WiredRed Software, Zone Labs.
These tools can also archive IM messages that fall under
compliance regulations, giving IM the same status as traditional e-mail. These systems also generally include virus
blocking, attachment control, the ability to manage and
block users, and filters to safeguard confidential data.
Another option is to install a gateway that works with
existing public IM services like Yahoo! and AIM. These
types of tools filter content, detect and block viruses and
control what users can do with IM. They can also help
with compliance by reporting on IM use and archiving
traffic. Gateway tools can also discover just what kind of
IM is installed and where.
The Trillian Advantage
One problem with most IM clients is that they don’t know
how to talk to other clients. For Timothy Carroll and many
others, Trillian is the answer. “We use Trillian for all IM:
It operates with all the popular networks including AOL,
MSN and Yahoo!,” says Carroll, who is a network engineer
for XS Inc., an IT-based application development shop.
Carroll says he first created a default installation, configured it so it looks for profiles in “Documents and Settings,” and then created his own MSI installer with Visual
Studio, which duplicates the default installation. The
product, however, is not without its shortcomings.
“Sadly, Trillian does not respect Windows’ limited-user
security out of the box. By default it stores all profiles
under Program Files. Its default installer is not an MSI and
cannot be deployed. To me both reasons are grounds for
immediately uninstalling the product,” Carroll says.
But since the company gave him a way around the problem, as well as promising in the next release to permanently
fix it by automatically storing everything in documents and
settings, Carroll has decided to stick with it.
Others are looking to Microsoft for business-oriented
solutions. “We’re looking for ways to facilitate the use of
IM for business, but in a secure manner. IM will continue
to cause issues unless businesses, decision makers, managers and users identify the security risks and address
them,” says Michael Esquia, an IT pro with the Floridabased law firm Fowler and White.
Esquia says he sees the issue as two-sided. On one side
there are the users and their lack of education. On the
other side are the IM software companies and the lack of
It’s a well-known
policy that the use of
IM is forbidden and is a
disciplinary offense,
[with penalties] up to
and including immediate
termination.
Dwayne Sudduth,
Network Administrator,
Bulova Technologies LLC
46 | May 2007 | Redmond | Redmondmag.com |
0507red_F2ITvIM44-47.v12
4/17/07
2:04 PM
Page 47
IT IM
vs
Batten Down
the IM Hatches
Understand what you have and do an
inventory to see what IM clients are in
use and by whom.
■ Create an enforceable IM policy. Users
should not open attachments or click links.
Get legal involved in approving the policy
so it’s in line with compliance standards.
■ Think about creating a standard IM
solution, or blocking IM.
■ Patch your IM software, if you have
it, regularly.
■ Protect your network with a good
Intrusion Protection System.
■ Users should not use names that appear
to be someone else, such as GeorgeBush,
and IT should not allow false names on
the network.
■ Consider encrypting IM messages.
■
manageability they offer in their products. He says it’s not
as if he’s asking vendors to develop complete management
consoles, but simply to make it easier to manage features
using the registry.
“Microsoft is leading the way with Live Communications
Server [LCS], but it’s still expensive for something that most
people view as free to use. If we go with LCS, we’ll keep
other IM software from running on workstations,” he says.
The Microsoft Way
One public radio station, which asked not to be identified,
faced an internal IM battle. The station’s former IT director says its news department, radio shows, Web team and
key executives all used IM personally and expected the IT
department to offer it with no regard for security risks, or
for how the existing business logic would support the
increased demand.
“After initially demonstrating the dangers of unlimited
open IMing involving AIM and Yahoo! IM, we were able
to get the critical users and execs to understand the problem of security breaches. The AIM virus disaster was the
clincher,” he says.
The station’s IT department then proposed a secure solution. They were able to convince the powers that were that
IT wasn’t refusing to help, but only wanted to comply with
the demand in a secure fashion, according to the source.
Once they proved the risks and dangers to the corporate network and resources, they made a pitch for the special funding
of the project. The CFO then approved the purchase of a
small, dedicated server for internal messaging, he says.
The specific solution came in the form of the Windows
Message Server, which supported all the departments
and their users that required the service. According to
the former IT director, the productivity improvements
were immediate because different departments could
communicate significantly faster when, for instance, news
was breaking.
Despite the Microsoft solution, other clients are sometimes tolerated. “External IM was approved for select individuals or departments but was screened against hitting the
main network. This was a very rare permission and had to
wait for us to move to Windows 2000 Server, [which had]
tighter and more discrete control over user account security,” says the station’s former IT manager.
The DBabble Alternative
Years ago end users at The Computer Merchant Ltd. had
free rein and could install any IM client that came down
the pike. That all changed when the company moved to
Windows XP Pro and took away end user admin rights.
“Because of their demand for IM, stating that their
clients required it for quick communication, we deployed
DBabble on our network and clients, totaling about 125
users,” The Computer Merchant’s Zeininger says.
Because Zeininger’s IT manager was a “real nerd,” he
was able to download the manual for the product, read the
entire manual, deploy the server and test it out on selected
users—all in one day. This allowed the company to deploy
the product companywide the following week.
The only problem—and it was no small one—was network
access, according to Zeininger. He says the major issue for
the next couple of years will crop up when the IM companies block communication with the public jabber servers
his firm would normally connect through. Most of the
time, he notes, it takes several attempts to get connected
through a valid jabber server in order to communicate
with the IM Servers.
“It’s got to the point
where, when we lose
the communication
Check out Redmond’s roundup of
for AIM or Yahoo!
private IM tools at Redmondmag.com.
FindIT code: ITvsIM
due to their blocking
the jabber server, we
may be a week or more before we bother to reconfigure
another public jabber server for DBabble,” he says.
With such inconsistency, users are starting to give in on
IM, and Zeininger says he couldn’t be happier. There are
alternatives to DBabble, he says, but he has yet to see a
real business case that justifies the cost associated with
these options—nor does he have the resources to manage
such a system properly.
IM doesn’t have to be a minefield. Through blocking or
a more secure IM solution, your network can be protected
from the likes of Geezo and Sohana. —
GetMoreOnline
Doug Barney is the editor in chief of Redmond and the VP,
editorial director of Redmond Media Group. Reach him at
dbarney@redmondmag.com.
| Redmondmag.com | Redmond | May 2007 | 47
Project1
4/9/07
4:11 PM
UB_Firewall_Redmond.ai
Page 1
4/6/07
11:37:57 AM
™
Open door policy?
Does Your Backup Software Create a Big Hole in Your Firewall?
With UltraBac Software’s advanced backup technology this issue is practically eliminated.
Previously there wasn’t a way to securely back up your network through a firewall without
excessive risk, or having to place your entire backup infrastructure in the DMZ. The new
version of UltraBac will allow you to quickly and easily back up your servers and workstations
without having to compromise security by opening many ports in your system. This innovative
solution allows you great flexibility by uniquely regulating exactly which ports are used for
communication. A one way connection is initiated from inside your firewall so that the outside
communications are initiated using a defined range. This means that networks remain more
secure by eliminating unnecessary port usage, and you can easily configure your firewall for
this defined range to include only your expected backup clients. If you need to better lock
down your environment then you need UltraBac’s backup and disaster recovery protection.
Your organization’s data is an extremely valuable asset. Keep your data safe and secure
inside your firewall, no open door policy allowed.
B AC K U P A N D D I S A S T E R R E C OV E RY S O F T WA R E F O R P E O P LE W H O M E A N B U S I N E S S
WWW.ULTRABAC.COM
© 2007 UltraBac Software. All rights reserved. UltraBac Software, UltraBac, UltraBac Software logo, UBDR Gold, UBDR Pro, and Backup and Disaster Recovery Software for
People Who Mean Business are trademarks of UltraBac Software. Other product names mentioned herein may be trademarked and are property of their respective companies.
0507red_F2Exchange49-55.v8
4/17/07
2:24 PM
Page 49
Laying the Groundwork:
Exchange Server 2007
Moving to Exchange Server 2007 is a complex process with
stringent requirements. Make sure you have the tools and
infrastructure in place before you begin.
By J. Peter Bruzzese
T
The Leaning Tower of Pisa, although built to stand up
straight, began leaning to one side shortly after construction began in 1173. A poorly laid foundation and loose
substrate caused the foundation to shift and sink. That’s
proof positive that a firm foundation is the key to any
structure—be it a monument or a messaging infrastructure
like Exchange Sever 2007 (Exchange 2007).
A solid foundation is more critical than ever with
Exchange 2007, as there is no in-place server upgrade path
from an existing Exchange server to the new version. You
have to install Exchange 2007 fresh, and there are only
three possible paths:
• You can create a new Exchange environment for a new
company or one without an existing messaging infrastructure.
• If you have an existing Exchange environment, you can
transition by installing Exchange 2007 servers, co-existing
briefly and then phasing out the previous versions.
• You could also install Exchange 2007 in a new organization, migrate all your mailboxes over to 2007 and then
remove your old Exchange servers.
There’s a good reason for the lack of an upgrade path.
Basically, Exchange 2007 requires an x64 architecturebased system with an Intel processor that supports Intel
Extended Memory 64 Technology (Intel EM64T) or an
AMD processor that supports the AMD64 platform.
Because earlier versions of Exchange didn’t support
x64 architecture, there are no systems from which you
can upgrade.
| Redmondmag.com | Redmond | May 2007 | 49
0507red_F2Exchange49-55.v8
4/17/07
2:24 PM
Page 50
Exchange Server 2007
It’s important to note that the Intel Itanium (IA64)
processor will not work with Windows 2003 x64 Editions.
Thus, it won’t work for Exchange 2007 deployments. Let’s
look at the system and network requirements you’ll need
to meet in order to successfully install Exchange 2007.
Essential Elements
Besides needing a 64-bit processor, Exchange 2007 also
requires 2GB of RAM per server, a minimum of 1.2GB of
hard disk space (on the drive you install Exchange Server
Figure 1. The Best Practices Analyzer Tool helps ensure you
have the optimal configuration.
2007), 500MB per language pack and disk partitions formatted as NTFS. Depending on the number of mailboxes
and the amount of data you grant each person, you should
build out your drive space. You can find more information
regarding processor and memory requirements on
Microsoft’s Web site.
There are also software requirements for any server upon
which you wish to install Exchange 2007. Your servers will
have to be running Microsoft Windows Server 2003 x64 or
Windows Server 2003 R2 x64 (Standard or Enterprise Edition), as well as .NET Framework Version 2.0, Microsoft
Management Console (MMC) 3.0 and Windows PowerShell. Your system will also need Active Directory for all
server roles, except Edge Transport Server. You’ll need
Active Directory Application Mode (ADAM) Service Pack 1
(SP1) if you want to run your server as an Edge Transport.
As with moving to Vista, upgrades to accommodate
Exchange 2007 may be unavoidable. “Upgrade your key
infrastructure server hardware to 64-bit, as well as your
Exchange Server hardware. At least consider migrating DCs,
especially in a large environment,” says Adam Field, a senior
technologist at Content Master (www.contentmaster.com)
who has 10 years of Exchange expertise.
“Take some time to learn Windows PowerShell—you’ll
need it,” he says. “PowerShell represents an entirely new
way to manage key functions in your Exchange environment and practice makes perfect.”
50 | May 2007 | Redmond | Redmondmag.com |
Take some time to learn Windows
PowerShell—you’ll need it. PowerShell
represents an entirely new way to manage
key functions in your Exchange environment
and practice makes perfect.
Adam Field, Senior Technologist, Content Master Group Ltd.
In terms of preparing AD for the move to Exchange
2007, the Schema Master has to have Microsoft
Windows Server 2003 SP1 or Windows Server 2003 R2
installed. You’ll also need at least one domain controller
in each AD site that contains Exchange 2007 running
Windows Server 2003 SP1. The AD domain functional
level must be Windows 2000 Server-native or higher for
all domains in the AD forest where you’ll be installing
Exchange 2007.
You might be wondering if you’ll have to prepare the
schema and AD before installing Exchange, as you did in
previous versions. Well, that depends. Exchange 2007 has
several different preparation switches you can run with the
setup.com, including the following:
• /preparelegacyexchangepermissions (to grant
Exchange permissions where necessary);
• /prepareschema (to update the schema for
Exchange 2007);
• /prepareAD (to configure global Exchange objects
in AD).
Figure 2. The Exchange Management Console is split into console (left), result (top), work (bottom) and action (right) panes.
Besides preparing your AD, you’ll need to prepare the
domains into which you plan on installing Exchange
2007. Use the /preparedomain and/or
/preparealldomains command (which will provide permissions on the domain container for your Exchange
servers, permission for Exchange Organization Administrators and a list of other necessary configuration and
0507red_F2Exchange49-55.v8
4/17/07
2:24 PM
Page 51
permission changes) to prepare your domains for
Exchange 2007.
You don’t have to run these switches manually. They will
run automatically when you install your first Exchange
2007 server in your organization. However, depending on
the size of your organization, you may decide to prepare
AD in advance.
You may wonder how you would do this if your current
network only uses 32-bit 2003 servers, since Exchange 2007
has a 64-bit requirement. However, you can use the 32-bit
trial version of Exchange 2007 to begin deployment preparations throughout AD, and in your domains.
Top 5 Tips for
Exchange Server
2007 Planning
Henrik Walther is an Exchange MVP, technical
writer, messaging specialist at Interprise Consulting and author of the book “How to Cheat
at Configuring Exchange Server 2007” by Syngress Publishing. He recently gave Redmond
his top five deployment tips:
Run an Exchange Server 2007 readiness
check using the Exchange Best Practice
Analyzer (ExBPA) tool. The ExBPA report will
give you a clear picture of what you’ll need
to change in your environment before you
begin the transition process to Exchange
Server 2007 (Exchange 2007). Use ExBPA
version 2.7 so you can take advantage of the
Exchange 2007 Readiness Check feature.
To move over to Exchange 2007, your
legacy Exchange organization must be
running in native mode. In order to be able to
switch the organization to native mode, any
Exchange 5.5 Servers (and earlier) must be
properly decommissioned and removed from
the Exchange organization before you can
deploy Exchange 2007.
Make sure that the schema master
Domain Controller in your Active
Directory is running Windows Server 2003
with at least Service Pack 1 (SP1). This is also
true for any Global Catalog servers (in each
AD site) in which you plan on deploying
Exchange 2007.
Unlike Exchange 2003 and 2000,
Exchange 2007 doesn’t use routing
groups. Instead, it takes advantage of the existing AD site topology and the underlying net-
1
2
3
4
It’s a good idea to test the health of your Exchange environment with the Exchange Best Practice Analyzer Tool
(ExBPA version 2.7), which was developed by the Microsoft
Exchange Team. You’ll find it at www.exbpa.com (you’ll be
re-routed to a Microsoft site that presents Microsoft
Exchange Analyzers—once there, simply select ExBPA 2.7).
The tool has a new feature called the Exchange 2007
Readiness Check. You can use this to scan your existing
topology to ensure readiness. You can also perform a deep
analysis of each Exchange 2000/2003 server to verify that
it has all the necessary updates and configuration for an
Exchange 2007 deployment.
work to transport messages between Hub
Transport Exchange 2007 servers. This
means you should plan your AD site topology
wisely, before transitioning to Exchange
2007. It also means you should suppress link
state updates, as there’s a chance routing
loops may occur when they’re enabled. If you
only plan on creating one routing group connector between the legacy routing group and
Exchange 2007, you won’t have to suppress
the link state updates.
Always deploy the Exchange 2007 Client
Access server role first. Exchange 2003
and 2000 front-end servers don’t support
proxy clients for Exchange 2007 Mailbox
servers. Also, keep in mind that Exchange
2007 doesn’t support public folder access via
the Outlook Web Access (OWA) 2007 interface. In fact, you won’t be able to access a
public folder database stored on an
Exchange 2007 Mailbox server. So if your end
users require public folder access via a
browser, keep an Exchange 2003 or 2000
server in the organization. Public folder
access via the OWA 2007 interface will be
included in Exchange 2007 SP1.
Speaking of Outlook, many are wondering
whether or not you can install Outlook 2007
on the same system running Exchange 2007.
“With previous versions of Exchange, this
was not possible due to an incompatibility
with the Outlook MAPI binaries, and the versions that shipped with Exchange,” says
Stephen Griffin, creator of MAPIEditor.
“Microsoft Exchange Server 2007 no longer
ships with the client-side binaries. Now [you
can] install Outlook 2007 on the same server
upon which you’ve installed Exchange 2007.”
—J.P.B.
5
| Redmondmag.com | Redmond | May 2007 | 51
AMDAd_may07.final
4/17/07
10:29 AM
Page 1
8
Reasons to Move to
®
Microsoft Exchange
Server 2007 on AMD
EFFICIENCY
X 64 POWER
That is what you need in the
datacenter. With Exchange now
running on 64-bit servers, efficiency is what you’ll get, especially from AMD64 technology.
The AMD OpteronTM processor
is designed to enable 64-bit
computing while remaining
compatible with the vast x86
software infrastructure, and
allows you to migrate seamlessly to 64-bit computing and
multi-core technology. This
means you can have access to
improved system efficiency
and application performance for
both multi-tasking and multithreaded applications without
changing the processor footprint. That is efficiency.
As a native 64-bit application,
Exchange Server 2007
provides higher performance
because it breaks 32-bit
memory and I/O barriers,
increasing the capability of
each server running Exchange.
The Direct Connect Architecture
of AMD OpteronTM processors,
with HyperTransportTM technology
and integrated memory controller, reduces traditional bottlenecks inherent in legacy frontside bus architectures, offering
high-throughput responsiveness and scalability for your
applications. That is power!
CONFIDENCE
Exchange’s new local and
cluster continuous replication
models for high availability of
the mailbox data store also
provide support for backups
without impacting production
environments. With normal
server configurations now able
to contain up to 1,000 mailboxes
per processor core, this is an
important feature. You can
deploy AMD64 technology with
confidence, knowing that AMD
provides solutions that are
compatible, reliable, stable, and
supported by a world-class
ecosystem. This level of
confidence puts you in the
driver’s seat.
Configure your next AMD Exchange server at:
www.dell.com/exchange
About the authors
Danielle Ruest and Nelson Ruest (MCSE, MCT, MVP) are multiple book authors focusing on systems design,
administration, and management. They run a consulting company that concentrates on IT infrastructure
architecture, change and configuration management. You can reach them at redmondmag@reso-net.com.
www.reso-net.com
HIGH PERFORMANCE
Exchange 2007 running on
AMD OpteronTM processors
provides great performance.
Exchange Server 2007 enables
new levels of operational
efficiency through capabilities
that optimize hardware and
networking investments and
features that help make
administrators more productive.
The AMD OpteronTM processor
delivers stable, long-term
solutions with exceptional
performance and performanceper-watt that can help enhance
your company's productivity.
Now, that is performance!
AMDAd_may07.final
4/17/07
10:30 AM
Page 2
Exchange Server, Microsoft’s flagship e-mail management system, is undergoing a major facelift in version 2007.
For the first time, Exchange will offer a platform for unified messaging, expanded access mechanisms, message control
and hosted messaging service, that provides a secure, one-stop communications tool. Since email is now the mission
critical application, organizations will be looking to a rapid migration to this powerful new version. But, Exchange 2007
now runs exclusively on x64 hardware giving it access to the performance gains 64-bit processing provides. As an IT
professional, you need to look now at how you’ll make the migration, especially if you are currently running only 32-bit
systems. Better yet, we think it is time to consider changing your server processor infrastructure. Here are eight reasons why you should consider moving to Exchange 2007 and 64-bit computing on AMD processors. We think they
provide a compelling picture for changing the server infrastructure in your organization as you move to Exchange 2007.
A RCHITECTURE
Exchange 2007 now includes
new server roles designed to
drive deployment efficiency.
Each role is responsive to the
number of processors or processor cores the server includes.
The AMD OpteronTM processor
with Direct Connect Architecture
provides the foundation for
balanced, scalable servers that
are easy to manage and
operate in today’s thermally and
electrically limited datacenters.
The AMD64 common core
architecture allows you to
minimize the cost of transition
and maximize past investments
in hardware, software, and
personnel.
N IMBLE
Email system usage grows with
time; every administrator knows
this. The AMD OpteronTM processor
with Direct Connect Architecture
enables you to easily transition
to multi-core technology at your
desired pace without sacrificing
current performance and investments, and will provide an easy
upgrade path to Quad-Core
AMD Opteron processors in
2007. That’s nimble!
G UARD
Email security is the most important aspect of any Exchange
architecture and Exchange 2007
is no slouch in this regard. The
new Edge Transport server role
provides a host of anti-spam
and data protection features.
AMD OpteronTM processors
include Enhanced Virus
Protection* (EVP), which can
help protect against viruses,
worms and malicious attacks,
and improve the integrity of
office networks. Are you ready
to guard your email?
E VALUATE
Evaluate your options now!
AMD Opteron processor-based
systems offer great value.
These systems are found in
many Dell servers including
PowerEdge 2970 and
PowerEdge 6950. Both Dell
servers offer leading performance/watt, and are designed to
reduce complexity and simplify
operations. Whether you’re
planning your Exchange 2007
deployment or just buying new
servers, find out which AMD
Opteron processor-based Dell
server is right for you. Are you
ready for action? Then move
to AMD on Dell.
©2006 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD Arrow logo, AMD Opteron, and combinations
thereof are trademarks of Advanced Micro Devices, Inc. HyperTransport is a licensed trademark of the
HyperTransport Technology Consortium. Microsoft and Windows are registered trademarks of Microsoft Corporation
in the U.S. and/or other jurisdictions. Other names are for informational purposes only and may be trademarks of their
respective owners.
* Enhanced Virus Protection (EVP) is only enabled by certain operating systems, including the current versions of
the Microsoft® Windows®, Linux®, Solaris, and BSD Unix operating systems. After properly installing the appropriate
operating system release, users must enable the protection of their applications and associated files from buffer
overrun attacks. Consult your OS documentation for information on enabling EVP. Contact your application software
vendor for information regarding use of the application in conjunction with EVP. AMD strongly recommends that users
continue to include third-party antivirus software as part of their security strategy.
Trademark Attribution: AMD, the AMD Arrow logo, AMD Athlon, AMD Opteron, AMD Turion, AMD Sempron. AMD Geode, and
combinations thereof are trademarks of Advanced Micro Devices, Inc. in the United States and/or other jurisdictions. Other names
used in this presentation are for identification purposes only and may be trademarks of their respective owners. Windows Vista is
either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. ©2006 Advanced
Micro Devices, Inc. All rights reserved.
0507red_F2Exchange49-55.v8
4/17/07
2:24 PM
Page 54
Exchange Server 2007
• Edge Transport (ET): This type of server is placed on
the edge of your network as a standalone server. It’s not part
of the AD domain, so it has to use ADAM and EdgeSync
to handle recipient lookups and spam filtering. This role
handles all incoming and outgoing Exchange mail. You
can also use the ET server to perform anti-virus and antispam protection, and lock down your messaging security by
applying ET rules that examine messages based on your criteria. Keep in mind that while you can combine other roles
on a single system, the ET role must reside alone.
Figure 3. The Troubleshooting Assistant lets you choose from
a list of symptoms, then helps you determine the problem.
Experts agree testing with this tool will help. “Administrators planning on migrating to Exchange 2007 should
reference Microsoft’s best practices for Exchange 2007,”
says Dave Goldman, Exchange escalation engineer and
author of the Offline Address Book Integrity (OABInteg).
“I would also suggest becoming very familiar with the
Exchange Best Practice Analyzer Tool. With any planning, administrators should set up a sandbox for testing to
ensure that when they’re ready to set up in production,
they can avoid any unnecessary downtime.”
Exchange Server Roles
When deploying Exchange, it’s good to note that the setup
process lets you choose the server role for your messaging
environment. There are five different server roles from
which to choose, each one designed to perform a specific
function. The roles include the following:
With any planning, administrators should set up a
sandbox for testing to ensure that when they’re
ready to set up in production, they can avoid any
unnecessary downtime.
Dave Goldman, Exchange Escalation Engineer, Microsoft
• Hub Transport (HT): This role handles internal mail
flow and routing, similar to a Bridgehead server in previous Exchange environments. When installed in an environment with an ET server, the HT server will work with
it hand-in-hand. Messages coming in through the ET
server will be passed to the HT and vice-versa. However,
you can configure the HT role to perform most of the
same features as the ET server. If you don’t need the
added protection of an ET server, install the HT on a
member server connected to your domain, so it doesn’t
require ADAM and can still send/receive mail from the
Internet. Part of your planning should include deciding
whether or not you want an ET server and how you’ll configure your HT server.
• Mailbox: This hosts both mailbox and public folder databases and provides calendar access and messaging-records
management. You’ll have to specifically enable the public
folders, as they’re not enabled by default in Exchange 2007.
Figure 4. You can configure the alias, server and SMTP
address of your e-mail list members.
• Client Access (CA): This role is similar to the frontend server for an Exchange 2000/2003 infrastructure.
Users connect to this server from their mail clients (e-mail
clients that support MAPI, POP3 or IMAP4, mobile
devices that use at least Windows Mobile 5.0, and/or a
Web browser).
54 | May 2007 | Redmond | Redmondmag.com |
Figure 5. Outlook Web Access now behaves much more
like Outlook in native mode.
0507red_F2Exchange49-55.v8
4/17/07
2:24 PM
Page 55
• Unified Messaging (UM): This merges VOIP with
your Exchange mailbox. This means you’ll be able to access
your voicemail, fax and e-mail from one location, using
Figure 6. You can configure the security settings of an
Exchange 2007 server in Edge Transport mode.
multiple access interfaces (phone, e-mail or Web browser).
For this to work properly, you’ll need an IP-PBX or VOIP
gateway (if you have a legacy PBX). If you plan on using
UM with Exchange 2007, you should seek out the assistance
of a UM specialist. Properly configuring this role requires a
significant amount of knowledge of PBXs and Exchange 2007.
Migration Plan
There’s quite a difference between installing Exchange
into a new environment and transitioning or migrating
from an existing Exchange organization. Every organization will be different, so there’s no single right way. It’s
important to begin your transition by using the ExBPA
tool with the Readiness Check as mentioned earlier, to
ensure that you’re fully prepared.
If you plan on transitioning, your first task is to install
the Client Access Server role. Install this in each site that
will contain a mailbox server. The next step is to install
and configure your ET servers (if you plan on using them).
Then set up an HT server (which can work with Exchange
2000/2003 bridgehead servers). You’ll need these to work
with your Mailbox and UM servers.
Figure 7. The meeting scheduler lets you check on the
availability of all participants.
Next, deploy your Mailbox servers. Then you can start to
move mailboxes over using either the Move-Mailbox
cmdlet or the Move Mailbox Wizard. Once you’ve finished moving all your mailboxes and other necessary
resources (like public and system folders), you’ll be ready
to decommission your Exchange 2000/2003 servers.
Figure 8. You can also share calendars through Outlook
Web Access.
Keep in mind that both Exchange Server 2000 and 2003
support features that are no longer supported in 2007. If
you plan on using those features, you’ll need to keep at
least one Exchange
2000 server running. Exchange 5.5
isn’t supported at
Learn more about upgrade
all for transitioning requirements and best practices for
purposes. To
an Exchange 2007 migration at
Redmondmag.com.
migrate from 5.5,
you’ll first have to FindIT code: Exchange0507
transition to
Exchange 2000 or 2003 and then move towards 2007.
GetMoreOnline
To Read or Not To Read: There’s
No Question
Exchange 2007 will require a lot of preparation and reading. The good news is that there are plenty of sites already
posting articles about how to plan, configure and troubleshoot your Exchange 2007 world. It would be wise to
take advantage of all this free advice.
Having a proper foundation and proper preparation are
essential. Engineers in Italy recently propped up the Leaning Tower of Pisa to keep it from toppling to the ground.
They say it will stand for another 300 years thanks to the
efforts of the impressive technology that pulled it back to a
safer position. That just goes to show you that besides
properly laying the groundwork, you’ll need to be prepared for disaster recovery as well—but that’s a topic for
another day.
J. Peter Bruzzese (jpb@cliptraining.com), MCSE
2003/2000/NT, is a private training consultant and technical
author. He just released his latest book, “Tricks of the Vista Masters.” He is the lead developer for cliptraining.com, which provides educational clips to teach users about Vista and Office 2007.
| Redmondmag.com | Redmond | May 2007 | 55
3_07_Redmond_Dorian_WTB.ai
133.00 lpi
15.00° 1/31/2007
45.00°
0.00°
75.00°
1/31/2007
Yellow Process Black
12:20:16
12:20:16PM
PM
Cyan 10:44
Process AM
Magenta
Process
Project2 Process
2/9/07
Page
1
57
0507red_WinInsider57.v7
4/17/07
11:36 AM
Page 57
WindowsInsider
by Greg Shields
Isolation Automation
Exploration: Part I
E
ntire books have been written on network security
and IPSec. Full of three-letter acronyms for
encryption technologies and concepts like “data
integrity” versus “data authorization,” network security can
make your head swim.
Before Windows Vista, setting up
IPSec for system-to-system authentication was complex, sometimes requiring
hundreds of filters to secure traffic
between domain controllers while at
the same time not inhibiting log-ons
for older operating systems. When a
non-IPSec-aware client tried to connect to an IPSec-enabled server, it
often resulted in no connection at all.
Thankfully, with Windows Vista’s
improvements to IPSec, it all gets a lot
easier. It’s now possible to create isolation groups that mandate machine-tomachine authentication between sets of
computers on your network.
Additional Authentication
So what’s an isolation group? It’s a way
of using network rules to further protect potentially open spots on your network. Let’s say an administrator
accidentally shares a sensitive folder on
your file server with Full Control permissions to the Everyone group. Suddenly, all that sensitive data is
immediately exposed to anyone. If the
data is on a human resources or other
highly sensitive server, you’re really in
trouble. Isolation domains leverage
IPSec to ensure that any machine
attempting to connect to that share
must authenticate via Kerberos before
it can transfer data. Think of an isolation domain as an extra access control
list (ACL)—like NTFS and share permissions—but way down at the net-
work level. This extra computer-based
ACL ensures that only the correct
machines get access to sensitive data
and can only transfer that data securely.
Here’s how it works. When you log in
to a computer, your user account goes
through a Kerberos authentication
process that ensures you are who you say
you are. Adding in an isolation group
with IPSec means that any time your
computer tries to access another computer, the computer itself goes through
an additional authentication. If your
computer successfully authenticates,
then you can access the data. This
other computers. This group can be for
all machines in the Active Directory
Kerberos boundary, or can be an identified list of machines by IP address.
Authentication can occur for either
inbound or outbound traffic, or both.
• Authentication Exemption: This
will create a group of machines exempt
from any authentication requirements.
• Server to Server: This will create an
authenticated connection between two
specific groups of computers. Think of
this as the “one-to-one” connection
where the Isolation group would be the
“many-to-many” connection.
• Tunnel: Like Server to Server, but
usually used for bridging traffic across
the Internet, this will create an authenticated connection between two computers utilizing an Internet-facing
gateway server.
• Custom Connection: A connection that can be created using a combination of the four different rules.
So what’s an isolation group? It’s a way of using network rules to
further protect potentially open spots on your network.
assumes of course that you then have the
correct share and NTFS rights. If your
computer can’t authenticate, the server
either rejects the request or allows a fallback to clear text communication.
All this was possible in Windows 2003,
but IPSec was notoriously difficult to set
up. In Windows Vista, IPSec configuration has been merged with the Windows
Firewall and is now called Windows
Firewall with Advanced Security.
In setting up an isolation group, four
types of canned rules are available or a
custom rule can be created:
• Isolation: This will create a group
of machines that are isolated from
Next month I’ll give step-by-step
instructions for setting up an isolation
group on your network and go over
some other tips on how to protect your
network from the inside out.
Greg Shields (gshields@redmondmag.com),
MCSE: Security, CCEA, is a principal consultant for 3t Systems (www.3tsystems.com)
in Denver, Colo. A contributing editor to
Redmond magazine and a popular speaker
at TechMentor events, Greg is also the resident editor for Realtime Publishers’ Windows
Server Community, www.realtimewindowsserver.com, providing daily
commentary and expert advice for readers.
| Redmondmag.com | Redmond | May 2007 | 57
Project1
4/10/07
10:01 AM
Page 1
59
0507red_SecAdvisor59-60.v8
4/17/07
10:58 AM
Page 59
SecurityAdvisor
by Joern Wettern
Patch It Up
A
pplying security patches to your desktops is
The New WSUS
necessary, but it’s often tedious and annoying.
Microsoft is putting the finishing
touches on version 3.0 of its WSUS.
After some practice with the first two
versions—which didn’t win any prizes
for features or usability—Microsoft
seems to be getting it right this time.
Like the previous versions, WSUS 3.0
lets you set up either a simple patch
management system for a smaller office
or a hierarchical structure for a larger
organization with multiple offices. You
can choose which updates are installed
on which computers and whether or not
this should happen automatically or only
after you’ve reviewed and approved the
updates. You can use Group Policy to
easily configure the update mechanism.
This is especially true for administrators
responsible for small- to medium-sized networks.
Fortunately, there are some tools to help you out.
Patching has come a long way since
the days of Windows NT. Back then, it
meant installing a Service Pack to
Windows when you could find the
time. Microsoft’s quality control wasn’t
up to snuff on some of those service
packs. After a few bad experiences,
some IT professionals even decided to
skip the odd-numbered service packs.
Today, anyone who is responsible for
securing a network knows that taking
such a leisurely attitude can spell disaster. They need to install new hot fixes
as soon as they’re available. The days
following Patch Tuesday—the second
Tuesday of every month when
Microsoft releases most fixes for its
products—tend to be the busiest in IT
shops everywhere.
By now, most organizations have
adopted some type of patch management
strategy. Larger organizations often have
full-time staff tasked with rolling out
updates and administering management
software like Systems Management
Server. At the same time, many smaller
and medium-sized organizations struggle
with finding the right solution. Luckily,
there are some solutions available that
can help you keep your systems up-todate without breaking the bank. Let’s
look at the new version of Microsoft’s
Windows Server Update Service
(WSUS) and Shavlik Technologies
LLC’s HfNetChkPro.
Before using any patching solution, I
evaluate it by several criteria. First and
foremost, it has to quickly make newly
released updates from Microsoft (and
preferably other vendors) available to
client computers. It must also reliably
detect which updates are needed and
which ones are not. After all, you don’t
want your patch management solution
to apply the wrong updates or roll back
previous system states.
Figure 1. Besides new reporting and management features, WSUS also sports a
new interface that makes this tool easier to use.
Most of the solutions available today
generally meet these requirements.
Where they differ is in usability, manageability, reporting and how much
granular control they offer. A good
patch management solution lets you
control which updates can be applied
and creates easy-to-use reports to let
you know which updates have been
successfully deployed so you can troubleshoot any problems.
The biggest addition to version 3.0 is
vastly improved reporting, which now
uses the Microsoft Report Viewer (see
Figure 1). These reports are useful for
finding information about specific
patches. You can also use the reports to
assess how well your patch deployment
is working. The administration tools
for WSUS have also been completely
revamped, making WSUS 3.0 a mature
patch management product.
| Redmondmag.com | Redmond | May 2007 | 59
0507red_SecAdvisor59-60.v8
4/17/07
10:58 AM
Page 60
SecurityAdvisor
One of the most appealing features of
WSUS is its price. It’s free—sort of. It
runs under Windows Server, so you’ll
need to be running that. All but the
smallest organizations typically run this
on a dedicated server, so you’ll have to
budget for the hardware and the operating system license.
Patch Possibilities
Many companies will indeed be happy
with Microsoft’s tool, but there are good
reasons to consider the other alternatives. Foremost among those reasons is
that someone other than Microsoft will
double-check the updates.
Some other advantages to using thirdparty patch management tools are that
they include patches for non-Microsoft
products, they review any patch classifications and they add additional quality
control tests for updates. Many patch
management vendors also have mechanisms with which to recall problematic
patches more quickly than WSUS.
HfNetChkPro (short for Hotfix Network Check and pronounced H-FNetcheck Pro) from Shavlik is one of
my preferred tools because of Shavlik’s
quality control and support for some
non-Microsoft software, such as Adobe
Acrobat and Firefox.
For example, HfNetChkPro found
that one of my servers was missing 17
patches. WSUS showed that it was
completely up-to-date. The reason for
the discrepancy wasn’t a flaw in
WSUS, but rather Shavlik’s decision to
scan for more items, including fixes for
isolated problems.
Unlike WSUS, HfNetChkPro can
run without agent software on the
client computers. WSUS depends on
the client computers to check in with
the update server at regular intervals,
download updates and install them.
HfNetChkPro can work the same way,
but you can also have it actively connect to computers, check their status
and push out updates, instead of
depending on them to check in with
the server. This gives you real-time
control over the patch process. You
also can configure HfNetChkPro to
work in an entirely hands-off manner.
Whether you use WSUS,
HfNetChkPro or another solution, the
good news is that patch management
tools have matured. There are excellent
tools available to ensure that your computers are up-to-date without requiring
you to go to each of them with a CD full
of updates.This means there’s no excuse
for having any computers in your network that aren’t up-to-date with any and
all applicable security patches. —
Joern Wettern (jwettern@redmondmag.com),
Ph.D., MCSE, MCT, Security+, is the
owner of Wettern Network Solutions, a consulting and training firm. He has written
books and developed training courses on a
number of networking and security topics, in
addition to regularly teaching seminars and
speaking at conferences worldwide.
Project3
4/16/07
1:29 PM
Page 1
May 20-22, 2007 I Westin Mission Hills Resort, Rancho Mirage
Build a Solid Foundation
for the Agile Enterprise
Enterprise Architecture Summit returns
with more in-depth sessions and
content designed to deliver the most
essential and up-to-date information
on best practices and strategic designs
in the real world—to assure you
that your organization is equipped to
respond to the future IT challenges and
opportunities. Learn about the latest
advances in service-oriented architecture,
legacy migration, business process
re-engineering, outsourcing, and more
from some of the top experts in the field.
Event Highlights:
Enterprise Architect Classic Golf Tournament
I
Walt Disney Studios on Meeting the Strategic Challenges of EA
I
The Open Group on the Evolving Role of the EA
I
IBM Corporation on Realizing Business Agility in SOA
I
Troux Technologies on Business Intelligence for IT
I
Burton Group on SOA: Evolving the Development Environment
I
And much more….
Score a Hole-in-One—Win a Porsche!
Register today for Enterprise Architect Summit and you
could be eligible to play in the Enterprise Architect Classic
Golf Tournament. Network with your peers as you play the
renowned Pete Dye eighteen-hole
course. See Web site for
full details.
Secure your spot at this exclusive
event today!
Past sponsors and exhibitors include:
Microsoft
Sun
BEA
Metallect
Compuware
DataDirect
Sonic Systems
Sparx Systems
Actional
Above All Software
Fiorano
Troux Technologies
Herzum Software
Infravio
Blue Titan
Software
Netegrit
Westin Mission Hills
Resort & Spa,
Rancho Mirage,
California
Platinum Sponsor
Call 1-800-280-6218 today or visit us online at www.enterprise-architect.net/summit
Project3
4/16/07
3:40 PM
Page 1
New York
September 16-19, 2007
New York Marriott at the Brooklyn Bridge
Bridge the Gap between Today’s Knowledge
and Tomorrow’s Toolset at VSLive! New York
Join us as VSLive! returns to the New York Marriott
63
at the Brooklyn Bridge, September 16-19, 2007. Over
four action-packed days, VSLive! New York will
provide a depth of resources and perspectives to help
you be productive now and prepare for the near future.
Attend SQL, .NET 3.0, and ASP sessions featuring
practical techniques for writing software with today’s
tools. From ASP.NET AJAX and data binding, to VB,
C# and the .NET Framework, we have you covered.
Our speakers have years of experience mastering the
tools you need to get your job done.
Learn cutting-edge techniques for today and
tomorrow in sessions on VSTS, SharePoint 2007,
Atlas, .NET 3.0 technologies including Windows
Presentation Foundation (WPF), Windows
Communication Foundation (WCF), and Windows
Workflow Foundation (WF), and much more.
VSLive!—The Best Independent
Microsoft Conference Around
Choose VSLive! for:
• Top Speakers and Educators
• Total Coverage of New and Existing
Technologies
• In-depth Workshops
• Networking Opportunities
• Great Locations
• Membership to the Virtual VSLive! Online
Community
More talent, information, learning and networking
under one roof at one time for the best value!
» Register by the Super Early Bird Deadline of
July 11, 2007 and save $300!
Visit www.vslive.com/newyork for more details. • 1-800-280-6218 – www.redmondevents.com
Sponsored & Presented by
0507red_Index_63.v1
4/17/07
1:28 PM
Page 63
AdvertisingSales
RedmondResources
AD INDEX
Matt Morollo
VP, Publishing
508-532-1418 tel
508-875-6622 fax
mmorollo@1105media.com
West/MidWest
East
Advertiser
Page
URL
Acronis, Inc.
C3
www.acronis.com
AppDev Training
20
www.appdev.com
AMD
52,53
www.amd.com
www.avepoint.com
16
www.avepoint.com
Beyondtrust
Brocade Communications
Systems
35
C2
www.beyondtrust.com
www.brocade.com
CNS Software
39
www.cns-software.com
Digiscope
11
www.lucid8.com
Diskeeper Corporation
6
www.diskeeper.com
Dorian Software
Enterprise Architect Summit
56
61
www.doriansoft.com
www.enterprisearchitect.net/summit
ESET LLC
5
www.eset.com
GOexchange
19
www.goexchange.com
ipMonitor Corporation
22
www.ipMonitor.com
iTripoli Inc.
15
www.itripoli.com
www.netikus.com
Dan LaBianca
JD Holzgrefe
Netikus
13
Director of Advertising, West
818-674-3417 tel
818-734-1528 fax
dlabianca@1105media.com
Director of Advertising, East
804-752-7800 tel
253-595-1976 fax
jdholzgrefe@1105media.com
NetSupport Software
40
www.netsupport-inc.com
NORTHERN Parklife, Inc.
39
www.northernlife.com
Raxco Software
31
www.raxco.com
Sanbolic, Inc.
29
www.sanbolic.com
SAPIEN Technologies, Inc.
26
www.sapien.com
IT CERTIFICATION &
TRAINING: USA, EUROPE
Special Operations Software
24
www.specopssoft.com
St. Bernard Software
C4
www.stbernard.com
Western RegionalSales Manager
CA, OR, WA
209-473-2202 tel
209-473-2212 fax
bhalldorson@1105media.com
Al Tiano
The Training Camp
58
www.trainingcamp.com
Advertising Sales Manager
818-734-1520 ext. 190 tel
818-734-1529 fax
atiano@1105media.com
TS Factory
21
www.tsfactory.com
UltraBac Software
48
www.ultrabac.om
VMWare
3
www.vmware.com
Western Governors University
21,60
www.wgu.edu
Danna Vedder
PRODUCTION
Wiley Publishing
37
www.wiley.com
VSLive New York
62
www.vslive.com
XenSource, Inc.
8
www.xensource.com
EDITORIAL INDEX
Company
Page
URL
Adobe Systems Inc.
60
www.adobe.com
Kelly Ann Mundy
Akonix Systems Inc.
46
www.akonix.com
Production Coordinator
818-734-1520 ext. 164 tel
818-734-1528 fax
redadproduction@1105media.com
AOL LLC
45
www.aol.com
AVIcode Inc.
12
www.avicode.com
Blue Coat Systems
46
www.bluecoat.com
Centeris Corp.
27
www.centeris.com
Centrify Corp.
27
www.centrify.com
Citrix Systems Inc.
41
www.citrix.com
SALES
Bruce Halldorson
Microsoft Account Manager
253-514-8015 tel
775-514-0350 fax
dvedder@1105media.com
Tanya Egenolf
Advertising Sales Associate
760-722-5494 tel
760-722-5495 fax
tegenolf@1105media.com
CORPORATE ADDRESS
1105 Media, Inc.
9121 Oakdale Ave. Ste 101
Chatsworth, CA 91311
www.1105media.com
MEDIA KITS: Direct your Media Kit
requests to Matt Morollo, VP, Publishing,
508-532-1418 (phone), 508-875-6622
(fax), mmorollo@1105media.com
REPRINTS: For all editorial and advertising
reprints of 100 copies or more, and digital
(web-based) reprints, contact PARS
International, Phone (212) 221-9595,
e-mail: 1105reprints@parsintl.com, web:
www.magreprints.com/QuickQuote.asp
LIST RENTAL: To rent this publication’s email or postal mailing list, please contact
our list manager Merit Direct:
Jeff Moriarty
333 Westchester Ave., South Building
White Plains, NY 10604
jmoriarty@meritdirect.com
(518) 608-5066
Redmond (ISSN 1553-7560) is published
monthly by 1105 Media, Inc., 9121 Oakdale
Avenue, Ste. 101, Chatsworth, CA 91311.
Periodicals postage paid at Chatsworth,
CA 91311-9998, and at additional mailing
offices. Complimentary subscriptions are
sent to qualifying subscribers. Annual
subscription rates for non-qualified subscribers are: U.S. $39.95 (U.S. funds);
Mary Ann Paniccia
VP, Print & Online Production
Julie Lombardi
Production Manager
Canada/Mexico $54.95; outside North
America $64.95. Subscription inquiries,
back issue requests, and address
changes: Mail to: Redmond, P.O. Box
2063, Skokie, IL 60076-9699, email
RED@1105service.com or call (866) 2933194 for U.S. & Canada; (847) 763-9560
for International, fax (847) 763-9564.
POSTMASTER: Send address changes to
Redmond, P.O. Box 2063, Skokie, IL
60076-9699. Canada Publications Mail
Agreement No: 40039410. Return Undeliverable Canadian Addresses to Circulation Dept. or DHL Global Mail, 7496 Bath
Rd Unit 2, Mississauga, ON, L4T 1L2.
© Copyright 2007 by 1105 Media, Inc. All
rights reserved. Printed in the U.S.A.
Reproductions in whole or part prohibited
except by written permission. Mail
requests to “Permissions Editor,” c/o REDMOND, 16261 Laguna Canyon Road, Ste.
130, Irvine, CA 92618.
The information in this magazine has not
undergone any formal testing by 1105
Media, Inc. and is distributed without any
warranty expressed or implied. Implementation or use of any information contained
herein is the reader’s sole responsibility.
While the information has been reviewed
for accuracy, there is no guarantee that the
same or similar results may be achieved in
all environments. Technical inaccuracies
may result from printing errors and/or new
developments in the industry.
eBay Inc.
64
www.ebay.com
FaceTime Communications
46
www.facetime.com
Google
64
www.google.com
IBM Corp.
45
www.ibm.com
Jabber Inc.
45
www.jabber.org
Lucid8
12
www.lucid8.com
MessageLabs Ltd.
46
www.messagelabs.com
NetPro Computing Inc.
12
www.netpro.com
Oracle Corp.
30
www.oracle.com
Quest Software Inc.
27
www.quest.com
Red Hat Inc.
27
www.redhat.com
Salesforce.com Inc.
64
www.salesforce.com
SAP AG
30
www.sap.com
Shavlik Technologies LLC
59
www.shavlik.com
St. Bernard Software
17
www.stbernard.com
SurfControl plc
46
www.surfcontrol.com
Symantec Corp.
46
www.symantec.com
Trend Micro Inc.
46
http://us.trendmicro.com
Vericept Corp.
46
www.vericept.com
VMware Inc.
30, 41
www.vmware.com
Webroot Software Inc.
12
www.webroot.com
Websense Inc.
45
www.websense.com
WiredRed Software
46
www.wiredred.com
Yahoo! Inc.
45
www.yahoo.com
Zenprise
12
www.zenprise.com
This index is provided as a service. The publisher assumes no liability for errors or omissions.
| Redmondmag.com | Redmond | May 2007 | 63
0507red_Foley64.v6
4/17/07
11:36 AM
Page 64
FoleyOnMicrosoft
by Mary Jo Foley
Software+Services Madness
M
icrosoft has been desperately seeking ways to
differentiate itself from the rest of the Software as
a Service (SaaS) pack. Even though Microsoft is
charging full steam ahead into the software services realm,
the Microsofties don’t want to be seen as Johnny-come-lately
to a world already dominated by
Google, eBay and Salesforce.com.
That’s where Microsoft’s “Software+
Services” (S+S) strategy comes into play.
S+S, according to the Softies, is a superset of SaaS. It’s SaaS done right.
There’s only one problem: No one at
Microsoft or anyone who watches it
seems to be able to succinctly explain
S+S. Microsoft tried to get the message
out to market researchers and analysts at
the end of February, but no one with
whom I spoke seemed to understand the
subtleties of Redmond’s message.
I’m going to give it a whirl. After chatting with Microsoft Director of Platform Strategy Tim O’Brien, I feel ready
to try to decipher S+S for the masses.
Microsoft’s competitors—like Adobe
with Apollo and Salesforce.com with its
Salesforce.com Offline Edition client
app—are gradually acknowledging that
an all-services approach leaves many
business customers cold, says O’Brien.
They want offline capabilities, even if
they’re relying on SaaS applications.
For business customers, “network
dependency is a nonstarter when it
comes to line-of-business applications,”
says O’Brien. Consequently, everyone’s
trying to figure out how best to move to
the middle. O’Brien says Microsoft’s
stance is “anyone can get reach.”
“The real battle is on the client,”
O’Brien posits, and desktop software
has always been Microsoft’s strong suit.
However, Microsoft is no slouch on
the Internet-based services side either,
O’Brien says. The company doesn’t get
enough credit for its Internet savvy,
which it has demonstrated by running
highly scalable Hotmail, Xbox Live
and other consumer-side services.
O’Brien itemizes current and future
Microsoft services into three buckets:
Foundation services, like Microsoft’s
long-rumored LiveDrive cloud-based
Services companies like Google
and Salesforce.com often
underestimate the types of
back-end infrastructure that
are needed to properly field
enterprise-ready software.
storage; Attached services, such as disaster recovery, anti-spam and Windows
Defender; and Finished services, like
Windows Live and Office Live.
Services companies like Google and
Salesforce.com often underestimate the
types of back-end infrastructure that are
needed to properly field enterprise-ready
software, he explains.
What you need in order to do it all,
O’Brien says, is “a platform.” That
doesn’t mean .NET or some kind of
development platform, which is what
Microsoft usually means when it uses the
“P” word. In the S+S case, “a platform”
is synonymous with vision (I think).
64 | May 2007 | Redmond | Redmondmag.com |
These are the elements of Microsoft’s
S+S platform, according to O’Brien:
• Experience: As in the interface.
Depending on the access point
(whether a PC, browser or mobile
device), you get a different look/
feel/interaction.
• Delivery vehicle: There are several,
including hosted on premise, hosted in
the cloud, 100 percent shrink-wrapped
software, try-before-you-buy, pay-asyou-go and managed services, like
Microsoft’s “Energizer” desktopmanagement offering.
• Federation: How do users validate/
authenticate/manage when one vendor
doesn’t own all the pieces? The pie-inthe-sky answer is the identity metasystem. S+S will provide some elements of
this system (via Microsoft CardSpace,
Active Directory and Live ID).
• Composition: All of the bits aren’t
located in one place in the S+S world.
Composite applications and mashups
are the new “it” apps.
• Monetization: Online ads aren’t
the only way to make software services
pay for themselves. Subscriptions, pay
as you go, traditional shrink-wrap plus
maintenance and other to-be-determined
mechanisms will also fuel S+S.
As usual, Microsoft believes it can be all
things to all people. The S+S arena is just
another example of that belief.
What do you believe? Is Microsoft
well-positioned to take on Google,
Salesforce.com and other services competitors? Or is Microsoft’s desktop
legacy holding the company back from
being able to move ahead in the brave
new SaaS/S+S world?—
Mary Jo Foley (mjfoley@redmondmag.com)
is editor of the new ZDnet “All About
Microsoft” blog and has been covering
Microsoft for about two decades.
Project5
2/12/07
11:14 AM
Page 1
Project1
1/16/07
9:56 AM
Page 1