Stop the Madness: 6 Steps to Simplify Your Network
Transcription
Redmond, May 2005, www.redmondmag.com, $5.95

Cover: Stop the Madness: 6 Steps to Simplify Your Network (Page 51)
CONTENT COPS: Should IT Be the Long Arm of the Law? (Page 42)
Reach Out and Manage: Windows Server 2003 Can Help (Page 56)
Thumbs Sideways for Baseline Security Analyzer (Page 33)
7 Ways to Get the Most out of MOM (Page 63)
Server Management Shootout (Page 36)
Cover photo caption: Mick Montgomery learned a better way to patrol his content cop beat.

ADVERTISEMENT (VERITAS)
EMAILS AT LEGAL SPEED. What was lost is now found with Enterprise Vault 6.0. Manage to locate anything quickly in a maze of communications data and email. Even elusive PST files. Securely and cost effectively. Finally. Software for Utility Computing. veritas.com
© 2005 VERITAS Software Corporation. All rights reserved.

ADVERTISEMENT (VERITAS)
Applying Email Archiving for Fast, Efficient Exchange 2003 Migration

With Microsoft Exchange 5.5 entering into a limited support period prior to its final termination, your organization may be preparing to upgrade to Exchange 2003. Also, if you currently use a non-Microsoft email system, you may be considering a migration to Exchange 2003. Email is a mission-critical function with a wide variety of dependencies. Making the transition to Exchange 2003 involves several major challenges: extensive project timelines, considerable costs in terms of infrastructure upgrades and human resources, and increased business risks, including email loss, productivity loss during email migration, and possible compliance issues both during and after the migration. VERITAS Enterprise Vault helps you meet each of these challenges.

Reduce Email Volume Prior to Migration

A significant proportion of the time, effort, and risk associated with email migration can be attributed to the sheer volume of email that must be moved to new servers. Also, the new Exchange data stores can end up consuming considerably more disk space than the original systems due to the loss of single-instance storage. Large-volume email moves are especially complex if the migration involves transition from a non-Exchange email platform.

It takes considerable time to move mailboxes. Even with the improved performance in move-mailbox features in Exchange 2003, it can take several hours to move a large mailbox. During this transition, user access to email is limited. This makes migration planning more difficult and significantly increases the visibility of the project.

Moving the content of legacy message stores into VERITAS Enterprise Vault prior to migration reduces load on the new Microsoft Exchange 2003 systems. In addition, older and possibly corrupt messages are not introduced into the new Exchange stores where they could cause problems for the database engine. The volume of message traffic is reduced because only tiny versions of the original email (shortcuts) and personal address books are sent to the new message stores. The messages themselves remain safe in Enterprise Vault. Users can also take advantage of a simple web-based Archive Explorer if administrators want to avoid populating mailboxes with shortcuts.

Following the migration, VERITAS Enterprise Vault continues to reduce storage costs by using advanced compression technologies and sophisticated single instance storage techniques. Evidence shows that overall storage in Enterprise Vault can be up to 50% less than the same email stored in the native Exchange databases.

Consolidate Message Storage

To reduce demands on their current Exchange data stores, many organizations set mailbox quotas and require users to periodically archive their email into PST files stored on the users' local hard drives or on server-based file shares. Imposing quotas and forcing archival into PST files can become notorious sources of support calls. Quotas force users to manually whittle down their inboxes, sometimes resulting in the deletion of an important message with subsequent need for tape restores. PST files expose archived messages to the possibility of loss due to disk crash, lost laptops, and file corruption.

Pull quote: With proper planning for network bandwidth and storage I/O, user access to archived messages in Enterprise Vault is nearly as fast as access to messages in the Exchange stores.

Using Enterprise Vault, PST files can be discovered and their content automatically transferred into the Vault. Messages from PST files are merged with the user's existing email. Once safely stored in the Vault, users get seamless and transparent access to their messages, dramatically reducing the size of the native Exchange stores.

Perform Fast, Seamless Migrations

Using Enterprise Vault to assist in managing Exchange message storage can be a critical success factor in a migration. There are a variety of situations in which Enterprise Vault can be deployed to assist in email migration. For example, Enterprise Vault can be deployed into a legacy Exchange 5.5 messaging system alongside a deployment into the Exchange 2003 system. Existing email and public folder content in the legacy system is archived into the Vault so that email migration consists of simply transferring shortcuts and personal address books to the new Exchange mailboxes. The end result is a nearly instantaneous transition to the new email servers. Following the mailbox moves, PST files can be harvested and placed in the Vault.

Transitions from third-party messaging systems such as Novell GroupWise and Lotus Notes are supported via PST-based migrations. If moving the entire content of legacy message stores into Enterprise Vault seems too aggressive, policies can be put in place to archive older messages while retaining current email in the native Exchange stores. This shortens the migration by reducing the volume of email that must be moved across the network while reducing the risk of corruption due to unforeseen action by migration utilities or administrative error.

If project needs dictate, Enterprise Vault can be installed only in the destination system. Following the mailbox moves, older email can be archived and PST files can be harvested, thereby reducing the storage requirements on the new Exchange servers.

Engaging VERITAS early in the planning stages for the migration project brings additional benefits because VERITAS engineers can help identify the places where Enterprise Vault can improve efficiencies. The total cost of Enterprise Vault could be quickly reclaimed based on reductions in project time and storage requirements.

Streamline Regulatory Compliance

In addition to the direct risk of data loss and service interruption during an email migration, organizations face indirect costs associated with assuring compliance both during and after the migration. VERITAS has done extensive research into the technological challenges involved with maintenance of historical email records. Retention is only half the equation, and often the less expensive half. Full compliance demands that operational procedures include both comprehensive retention and expedited discovery practices. Responding to discovery demands during regulatory audits or litigation absorbs considerable operational resources.

Not only does discovery impose costs in terms of time and resources, the demands of discovery can burden the IT staff to the point that they are forced to forgo other important duties. This degrades service levels.

VERITAS Enterprise Vault is designed to address the storage explosion caused by legal and regulatory requirements by providing innovative tools for searching and collecting information to aid in compliance activities. Messages are tagged upon receipt and archived based upon retention policies. If required, each message can be mirrored onto Write-Once Read-Many (WORM) media as it enters the Vault, assuring compliance with requirements to maintain tamper-proof copies. To increase the evidentiary weight of its content, Enterprise Vault audits every event and action from the moment a message is captured throughout any subsequent searches, retrievals, analysis, and deletion. If encryption is required to assure compliance, Enterprise Vault supports the archival of pre-encrypted content, and unencrypted messages can be encrypted as they are archived using industry standard encryption techniques. Enterprise Vault also manages content expiry to ensure that any messages exceeding the retention policy are highlighted via management reports or automatically destroyed, managing storage growth while reducing associated hardware and management costs. Most importantly, Enterprise Vault has tools for simplifying archive search and discovery to reduce compliance and litigation costs.

For more information, visit www.veritas.com/enterprisevault.

About VERITAS Enterprise Vault

VERITAS Enterprise Vault software allows policy-based archiving of business critical information held within Microsoft Exchange, Microsoft Office, SharePoint products and technologies, and within file systems. Archiving information into Enterprise Vault enables organizations to more easily

Copyright © 2003 VERITAS Software Corporation.
All rights reserved.

ADVERTISEMENT (SurfControl)
Finally, A Clear "Right" Choice in Enterprise E-mail Security

SurfControl E-mail Filter 5.0 has broken through, setting a new standard for protection against spam and e-mail borne malicious attacks. Only SurfControl E-mail Filter gives you the world's most continuously updated database of harmful URLs, so links to spyware sites can be blocked at the gateway. And, with automated, customized reports, it's easier than ever to gain precise visibility into your business operations and ensure legal and regulatory compliance. Download a FREE trial today, www.surfcontrol.com, or call us at 1 800.368.3366. © 2005 SurfControl plc.
Filters Web, E-mail, IM/P2P, Mobile • Threat Prevention Leadership • Over 20,000 Customers • Largest Content Database • Day-Zero Protection Technology • Global Threat Command Centers

Redmond, May 2005, www.redmondmag.com
THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY

CONTENTS

COVER STORY
42 Content Cops. Should IT be the bad guy? Many businesses expect IT to use the equivalent of a radar gun and monitor employees for infractions. But laying down the law can have serious repercussions, both for employees and the IT departments doing the watching. (Photo by Simon Wilson)

REDMOND REPORT
11 News Analysis: Eight-way Takes a Body Blow
12 Event Log: Windows SBS 2003 SP1, how WinHEC is shaping up and more.
14 Redmond Roadmap: Microsoft Looks to Yukon for Data Mining Gold
16 Finding a Collaboration Groove

FEATURES
51 6 Steps to a Simpler Network. There's a saying in IT that "complexity is the enemy of security." It's also the enemy of efficiency, troubleshooting and other critical network functions. Here are six ways to untangle that crowded web you've woven.
56 Managing in Isolation. Remote management has never been a Microsoft strong suit, but Windows Server 2003 is helping users manage servers that no IT staff can touch.
63 7 Tips for MOM. Advice from an in-the-trenches expert for getting the most out of Microsoft Operations Manager.

COLUMNS
6 Chief Concerns: Doug Barney. Police the 'Net
28 Beta Man: Don Jones. When I'm 64
67 Windows Insider: Bill Boswell. Extend the Limits of Group Policy
71 Mr. Script: Chris Brooke. Auto-confirm with PopUp
73 Security Advisor: Joern Wettern. Picking the Right Firewall
80 Ten: Paul Desmond. Names for Windows XP sans Media Player

REVIEWS
19 What You Got? Asset Navigator helps you keep tabs on what you have and how it's being used.
21 Many Files Through a Single View. StorageX takes a global approach to streamlining file management.
23 Restore Those Lost E-Mails. Recovery Manager lets you do large-scale, store-level Exchange backups while still helping to locate and restore individual messages.
25 No Scripting Required. ADtoolkit enables anyone to perform Active Directory group edits.
33 Your Turn: The Good and the Bad of MBSA. Microsoft's free vulnerability scanner works well—as long as you don't have to stretch it too far.
36 Redmond Roundup: Keep an Eye on Those Servers. The right server management tool closely monitors your network and offers proactive responses to most common problems.

ALSO IN THIS ISSUE
4 Redmond magazine online
8 Letters to Redmond
79 Ad and Editorial Indexes

REDMONDMAG.COM: MAY ONLINE

REDMOND COMMUNITY

Redmond Newsletters
• Redmond Report: Our weekly e-mail newsletter featuring news analysis, context and laughs. By Redmond's Editor in Chief Doug Barney and Editor Paul Desmond. FindIT code: Newsletters
• Security Watch: Keep current on the latest Windows network security topics. This newsletter features exclusive, online columns by Contributing Editor Russ Cooper of NTBugTraq fame and news from ENT. FindIT code: Newsletters

New Online-only Column: Redmond Negotiator
Redmondmag.com is proud to announce a new, exclusive column that will be appearing on our site every month: Redmond Negotiator. Written by self-described "licensing geek" and negotiating guru Scott Braden, this column offers you practical, inside tips for understanding Microsoft's various licensing agreements and getting your company the very best deal possible. To launch the column, Scott's written a multi-part series packed with tips and tricks for those with Enterprise Licensing 6.0 contracts. FindIT code: Braden
Photo caption: Scott Braden offers his best Microsoft deal-making tips in Redmondmag.com's new monthly column, Redmond Negotiator. FindIT Code: Braden

Discussion and Forums
Post your thoughts and opinions under our articles, or stop by the forums for more in-depth discussions. FindIT code: Forum

Your Turn
The interactivity center of the Redmond universe, where you get to express your views. FindIT code: YourTurn

OTHER 101COMMUNICATIONS SITES

ENTMag.com Special Report: "Server Hardware Trends." It's not just blades and SMP anymore: Scott Bekker on what to watch in 2005 and beyond. http://entmag.com/reports

CertCities.com News: "Microsoft Announces Architect Cert." High-level board certification is in development; Microsoft says it wants to rival Cisco's CCIE. http://certcities.com/editorial/news/story.asp?EditorialsID=823

TCPMag.com Exam Review: "Cisco's Remote Access Exam." Andy Barkl offers an inside look at this Cisco Certified Network Professional exam. http://tcpmag.com/exams

MCPMAG.COM: A Mike Gunderloy May two-fer: First, he cuts through the fabric that shrouds the four pillars of Longhorn and then picks at the warts of XML coding practices. Join Andy Goodman, Microsoft MVP and Small Business Server expert, for an online chat for SBS lovers and haters. The event takes place Tuesday, May 17, 7-8 p.m. ET. On MCPmag.com weekly: Bill Boswell's Q&A, Windows performance and scripting tips from Don Jones.

MCP Radio: Hear a new audiocast every Monday in streaming Windows Media Player or download the MP3 format for portable listening. Archived shows include interviews with Windows third-party movers and shakers from jProductivity, Raxco Software and ScriptLogic. Scheduled for May: Sybari and Verisign. http://mcpmag.com/mcpradio

Redmond Radio Now Weekly: Start your week listening to the news that makes headlines on Redmondmag.com and ENTmag.com. New Redmond Radio broadcasts are posted every Monday. Archived episodes include interviews with Network Engines' John Curtis and Microsoft TechNet's Scott Stout. FindIT Code: Radio

FindIT Codes
Throughout Redmond, you'll discover some stories contain FindIT codes. Key in those codes at Redmondmag.com to quickly access expanded content for the articles containing those codes. Some of the FindIT codes for this month include:
• Goldmine: Check out additional resources about SQL Server and data mining (Redmond Roadmap, p. 14).
• ContentCops: More information covering legal concerns, employee monitoring policy creation advice and technical solutions (May's cover story starts on p. 42).

4 | May 2005 | Redmond | redmondmag.com
• PickFirewall: Follow links to the vendors mentioned in this month's Security Advisor column (begins on p. 73).
Enter the code in the box at the top-right corner of any Redmondmag.com page. (Note that all FindIT codes are one word, and are NOT case sensitive.)

ADVERTISEMENT (Websense)
YOUR INFRASTRUCTURE MAY PROTECT EMPLOYEES INSIDE. What protects employees outside? She works from home. She works from the road. And she endangers the network everywhere she goes. That's why you need Websense software—to provide security protection at the desktop and beyond. Close the security gap. Download your free evaluation today. www.websense.com/mobile3 © 2005 Websense, Inc.

Chief Concerns
Doug Barney
Police the 'Net

Sometimes when you're right, you're right. I have been right about one thing for the past 10 years, and no it's not my view that TV psychic John Edwards and psycho-babble blowhard Dr. Phil are both snakes. It's my long-held belief that a strong, relentlessly applied public policy is the only way to put a dent in the number of jerks attacking our computers.

Why am I so irritated? It's because of Lauren, my 16-year-old daughter. I'm used to her ignoring me or rolling her eyes like I don't have a clue about anything. But I'm steamed that her laptop for which I paid good money is totally unusable, overrun with viruses, spyware and who knows what else. I know some of you might blame me for not loading up her Dell lapper with protective software, but you'd be wrong. She has anti-virus and anti-spyware software and the XP firewall is turned on. Maybe it's her near-constant use of IM, but somehow this garbage sneaks through all those defenses.

I'm also tired of Microsoft taking all the blame for this. Microsoft didn't write these viruses. It's impossible to protect PCs that are so liberally connected and incessantly attacked. It's time for a major national debate on how government and law enforcement should intervene. Of course, trying to get Fox News and CNN to talk about hackers is like getting Bill O'Reilly to admit to sexual harassment. For TV news, there's simply no time, what with the Congressional steroid hearings, the Michael Jackson trial, Terri Schiavo, the confirmation of Britney being pregnant and Ashley Simpson's horrible singing.

Experts tell me how powerless the government is against this problem, and that even if the United States did something to lock down, the Internet is so universal that attacks would shift to other countries. Great, so we should just give up and let software do all the work it's failing to do already? Wrong answer. Can government intervention solve the problem? Probably not. Can it help reduce the problem? It's worth a shot. We need stronger laws, better enforcement and vastly better forensics.

We also need to look at the informal structure of the Internet and decide if it's in the best interest of our national and personal security. Is anonymity a good thing if the bad guys can use it as a hiding place? What about building an identification-based subset of the Internet that is far more secure? You could connect from your company or home, and based on your credentials, you could access a limited range of safer sites. Beyond that horizon—you surf at your own risk.

Busting the Content Cops

If you haven't already, don't miss Becky Nagel's cover story, "Content Cops," on p. 42. In 2001, when I was the editor in chief of Network Computing magazine, I met with a Web filtering vendor who couldn't stop bragging about his product. The first morning one customer installed it, the IT folks got an eyeful. One of their own was looking at Web sites of a certain orientation. This IT pro, who was at work earlier than I've ever been, was outed by his peers. To the vendor, this was a success. Those IT folks had no business invading this poor fellow's privacy, ruining his reputation and laughing behind his back. If content must be tracked to enforce written corporate policies, HR and management need to handle these delicate issues, and they should be well trained.

Do you agree? Disagree? Let me know at [email protected].

Redmond: The Independent Voice of the Microsoft IT Community
May 2005 ■ Vol. 11 ■ No. 5

Editor in Chief: Doug Barney, [email protected]
Editor: Paul Desmond, [email protected]
Executive Editor, Reviews: Lafe Low, [email protected]
Managing Editor: Keith Ward, [email protected]
News Editor: Scott Bekker, [email protected]
Assistant Managing Editor, Web: Wendy Gonchar, [email protected]
Editor, Redmondmag.com, CertCities.com: Becky Nagel, [email protected]
Editor, MCPmag.com: Michael Domingo, [email protected]
Editor, ENTmag.com: Scott Bekker, [email protected]
Associate Editor, Web: Dan Hong, [email protected]
Contributing Editors: Bill Boswell, MCSE; Chris Brooke, MCSE; Don Jones, MCSE; Joern Wettern, Ph.D., MCSE
Art Director: Brad Zerbel
Graphic Designer: Graye Smith

Publisher: Henry Allain
Associate Publisher: Matt N. Morollo
Director of Print Production: Mary Ann Paniccia
Manufacturing & Distribution Director: Carlos Gonzalez
Audience Development Manager: Janice Martin
Marketing Manager: Michele Imgrund
Senior Web Developer: Rita Zurcher
Conference Sales Director: Al Tiano
Marketing Programs Associate: Videssa Djucich

Enabling Technology Professionals to Succeed
President & CEO: Jeffrey S. Klein
Executive VP & CFO: Stuart K. Coppens
Executive VP: Gordon Haight
Senior VP & General Counsel: Sheryl L. Katz
Senior VP, Human Resources: Michael J. Valenti

Redmondmag.com. The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher.
Postmaster: Send address changes to Redmond, 2104 Harvell Circle, Bellevue, NE 68005

ADVERTISEMENT (Diskeeper)
Slow systems? Breakthrough technology keeps them running at top speed

One of the most common questions that comes up when talking about Diskeeper® is "Why pay for a defragmenter when Windows has one for free?" To answer this question, let's compare defragmentation to housecleaning. Everyone's house gets dirty, and there are basically three ways to handle it:

1. Do nothing. The house gets dirtier and dirtier, stuff starts to pile up, the smell gets worse and neighbors start calling the health department. Eventually the house gets so dirty that it's uninhabitable, so you move out and find another place to live. (This scenario is similar to never defragmenting.)
2. Clean it yourself. This usually requires carving at least an hour or so per day out of your free time. (This scenario is like defragmenting your systems with a manual defragmenter.)
3. Hire a housecleaning service to come in and clean on a regular basis. (Automatic defragmentation.)

Do it yourself?

#2 seems like a reasonable solution. After all, plenty of people clean their own houses, right? In theory, yes. In reality, things come up—weekend plans, long work hours, etc. You might only have a few minutes to straighten up, or you might skip a couple of days' worth of cleaning altogether. End result: the house is rarely as clean as it could be, and when you do clean, it takes much longer than it should. Likewise, the process of manual defragmentation takes so long and involves so much IT staff time that it rarely gets done. The most effective way to keep your house clean is to have it done automatically, on a regular basis. And the most effective way to keep your systems running at top speed with maximum reliability is to have them defragmented automatically.

Keep your systems running fast — automatically.

Find the right solution

Let's say you hire a cleaning service to come to your house once a week and scrub the daylights out of it. They vacuum carpets, clean windows, polish furniture, organize the attic, etc., etc. It takes them all day and well into the evening. And while you like having a clean house, it's annoying to have to wait to eat dinner because someone is polishing the chrome on your oven door. Or to have to park on the street because someone was midway through straightening up the garage just as you got home from work. The same is true of defragmentation. A defragmentation run that kicks off at the wrong time can turn into a major headache and seriously disrupt your organization's workflow.

Automation with convenience

The perfect cleaning service is one that works around you. You can tell them when you want them to clean, or they can decide how often to clean based on how quickly your house gets dirty. They take care of the big stuff first—counters, floors, bathroom—so that you have a clean house as quickly as possible. Minor chores, like polishing the chrome in the kitchen or cleaning the garage, are done at times when they won't inconvenience you. And if they do happen to be cleaning a room you need to use, they get out of your way immediately. That's how Diskeeper 9, The Number One Automatic Defragmenter™, works.

Diskeeper 9: The Number One Automatic Defragmenter

Diskeeper is a software system that completely eliminates the problems caused by fragmentation. Diskeeper 9 uses unique adaptive technology that works around your organization's workflow. You can implement Diskeeper 9 on every server and workstation right from your own desktop. Once Diskeeper is deployed, the problem of fragmentation simply goes away. Operation of Diskeeper 9 is almost completely transparent, which is why we call it the "Set It and Forget It"® defragmenter!

See the difference for yourself. Download the FREE 30-day trial edition of Diskeeper 9 now!
TRY DISKEEPER FREE FOR 30 DAYS: www.diskeeper.com/redmond2
For volume license pricing and government or educational discounts, call 800-829-6468, reference number 4319.
© 2005 Executive Software International. All Rights Reserved. Executive Software International, Inc. • 7590 N. Glenoaks Blvd. Burbank, CA 91504 • 800-829-6468 • www.executive.com

Letters to Redmond
(Illustration by Jason Schneider)

Slapstick Security

I've just read Mr. Winkler's article, "Dumb and Dumber," in the March 2005 edition of Redmond magazine. It was a very humorous and thought-provoking read. I currently work for a small computer-consulting firm in Louisville, Ky., and we've been concerned about some of our clients' security practices, which were included in this article. I look forward to reading Ira's book!
—Michael Morgan, Louisville, Ky.

Excellent article [Ira Winkler's "Dumb and Dumber"] in this month's issue. I've got a similar background and work on many projects as the information assurance manager of a large company (40,000+). Earlier, during a time when I had my own business, I did penetration tests and found very similar results.
—Timothy Hoffman, C++, Security+, Colorado Springs, Co.

I read with great interest Ira Winkler's article.
The day I heard the term “social engineering,” my interest in securing the workplace network/ Internet environment significantly increased. I don’t have the experience he and his team have, but I do employ some of the techniques he uses. I’ve done security walkthroughs for a few companies and I’m surprised by the confidence that some network admin/security people have regarding the well-being of their systems. And the ease with which some people give up their passwords is totally amazing. His article provides good lessons for all of us. Oh yes, I get calls from people stating they’ve been hired to check out our system, but I know better. I wasn’t trained in espionage when I was in the Army, but I’ve picked up a few tricks from those who have been. Night and Day Scott McNealy’s comments (“Think Sun,” March 2005) make him and his company seem more pathetic than ever (a thousand pardons to my Sun peeps out there). Sun has always had trouble listening to its customers and nothing has changed. If it wasn’t for the Microsoft handouts, where would he be? Sun’s hardware is too expensive. Java may be developer-friendly, but for end users it’s still too slow and clunky. Has Scott ever used his own Sun Java admin tools? And heaven help the user who has multiple Java applications that require different versions of Java Run-time Environments. As for his comment that he doesn’t need to run Windows apps because, “there are no applications inside of Sun that need Windows,” wake up and smell the real world outside your office, Scott. Most of us (i.e., your customers) do have apps that require Windows. Perhaps it’s time for Sun to fade into obscurity and make more room for fresher, faster competition like Linux and Mac OS X. —Christopher Vera, GCFA, CISSP, SCSA, CCNA, MCSE San Diego, Calif. 
Factor of Zero I very much agree with Doug Barney’s assessment of how Microsoft’s commitment to announcing realistic delivery dates for its products and releases cause much uncertainty [Chief Concerns column, “Blind (Ship) Dates,” March 2005]. Not only does this impact the planning process for new systems, upgrades, deployments and budgeting, but it creates confusion and uncertainty about current and future licensing costs. For many products, the value of purchasing Software Assurance (SA) along with the license has diminished to zero, as the SA agreement expires without a new version or upgrade being delivered. Maybe it’s time for Microsoft to review its SA policy, and agree to have the SA coverage date be x number of years, or when the next version is delivered, whichever is longer. Whaddya Think ?! Send your rants and raves about stories in this issue to [email protected]. Please include your first and last name, city and state. I think Scott McNealy’s point comes down to: “If you don’t need all of the [Microsoft] Office bells and whistles, why buy them?” And he’s right! This would add substantial value to the SA investment, and guarantee the purchaser some value for their dollar. —Claude Moore Colorado —David Finkelstein New York, N.Y. —Thomas M. Hansen Kansas City, Mo. 8 | May 2005 | Redmond | redmondmag.com | Project1 3/21/05 2:21 PM Page 1 Exchange Server stores & PSTs driving you crazy? Archive all mail to SQL and save 80% storage space! Only $3a9i9lboxes; m for 50 $1499ited lim for unboxes*! mail And ease Exchange back-up & restoration too! Email archiving solution for internal and external email GFI MailArchiver for Exchange is an easy-to-use email archiving solution that enables you to archive all internal and external mail into a single SQL database. Now you can provide users with easy, centralized access to past email via a web-based search interface and easily fulfill regulatory requirements (such as the Sarbanes-Oxley Act). 
RedmondReport
May 2005

INSIDE: Microsoft tries to find its collaboration groove. Page 16

NewsAnalysis

Eight-way Takes a Body Blow
Beefed-up four-ways and “Truland” take center stage.
BY SCOTT BEKKER AND STUART J. JOHNSTON

After a swift rise and successful reign, it’s the end of an era for eight-way x86-architecture servers. Not long ago the eight-processor server represented the pinnacle of Windows scalability. The eight-way ushered Windows NT 4.0 into the rarified top 10 of the closely watched OLTP benchmark, the TPC-C. Later, a cluster of eight-ways running Windows 2000 and SQL Server 2000 held the top spot on the same benchmark for months.

In the real world, the eight-way anchored some of the biggest Microsoft-based databases. Microsoft cracked the most recent Winter Corp. survey of the 10 largest production databases in late 2003. The servers running the 5.3TB, 33-billion-row Verizon Communications database weren’t on some behemoth like the 32-processor Unisys ES7000. The database ran on a cluster of Compaq ProLiant eight-ways.

The eight-way server took what is probably its death blow in March when Hewlett-Packard disclosed plans to discontinue the line in mid-2006. Dell bowed out of the eight-way market in July 2003. When HP stops selling its eight-ways, this era of distinct eight-way x86 units will be over.

[Photo caption] With dual-core processors coming, HP expects four-way servers like the new HP ProLiant DL580 G3 to fill the niche currently occupied by eight-ways.

But it’s out with the old, in with the new. HP announced the shutdown of the ProLiant eight-way line as it brought up two new servers based on Intel’s “Truland” platform. Truland includes a chipset and processors that will support 64-bit extensions and dual-core processors for the Xeon Processor MP line of chips designed for four-way and larger systems. The 64-bit extension technology is available in current chips. The first dual-core chip for Truland, dubbed “Paxville,” will be available in the first quarter of 2006.

“With the emergence of dual-core processors in the four-processor x86 market … HP will satisfy the vast majority of current eight-way performance requirements with four-processor, eight-core ProLiant servers,” says Colin Lacey, director of platform marketing for Industry Standard Servers at HP.

HP’s move is especially telling, as the Compaq ProLiant brand it inherited was the flagship of the eight-way market.

Dell’s decision came as the cost-conscious company shifted away from the engineering-intensive design of SMP chipsets toward smaller, commodity servers. Dell favors two-way servers that function well as nodes in scale-out computing environments.

The other x86 server industry giant, IBM, continues to sell eight-processor machines. Like Unisys, which also offers eight-ways, IBM’s eight-ways are a step in a modular server system that can scale from four processors all the way up to 32.

The eight-way could mount a comeback someday if the scale of 64-bit applications somehow explodes or if multi-core technology flops. Most likely, though, the need for these SMP systems will fade as the number of cores per processor multiplies.

BytheNumbers: Belly of the Beast

Microsoft, the 41st-largest U.S.-based corporation on the Fortune 500 list, maintains a massive internal server infrastructure for its own operations. A recent Microsoft white paper describing the internal rollout of Windows Server 2003 SP1 provides some details.

Forest           Domains   Domain Controllers   Servers   Total Users
Corporate        9         203                  ~6,500    65,000
Pre-production   3         8                    38        3,000
Extranet         3         40                   ~3,400    26,000
TOTAL            15        251                  ~9,938    ~94,000

EventLog
A roundup of Windows-related happenings

Windows SBS 2003 SP1

Cool your heels for one more month, and Microsoft should have Service Pack 1 ported to Windows Small Business Server 2003. The monumental Service Pack 1 for Windows Server 2003 hit the Web in late March, five quarters behind Microsoft’s original schedule of Q4 2003. In addition to bug fixes, performance enhancements and security fixes, SP1 also includes major new features, especially for server security. The special version for Small Business Server, like the small-business product itself, will be designed to install seamlessly for organizations with few or no full-time IT staff. For more information, visit: http://snipurl.com/dvl9.

Windows for Grids SDK

The version of Windows for small-to-medium supercomputing grids is rescheduled. The public beta of Windows Server 2003 Compute Cluster Edition planned for the first half of this year is now a second-half event. General availability is pushed out into 2006. Some code is out there for beavers eager to try the new code. Microsoft pushed out a Software Development Kit late last year and will refresh it this summer ahead of the beta. Microsoft executives believe they see an underserved market for the Compute Cluster Edition. While lots of development is poured into high-end Linux clusters that populate the Top 500 supercomputing list, Microsoft thinks smaller clusters in the neighborhood of 16 or fewer nodes have promise for enterprise applications. Massive scale-out clusters will surely figure as proof points for the technology, but Microsoft characteristically sees its best opportunity in a mass market of modest deployments.

Class of 2006

The year 2006 could shape up to be a busy one for shops committed to keeping current on a Microsoft infrastructure. At the recent launch of Intel’s “Truland” computing platform for Intel Xeon MP-based servers, Microsoft Corporate Vice President for Server and Tools Andy Lees listed a host of products to be delivered in 2006 that will support the x64 chips and eventual dual-core architecture of the platform. They include Exchange Server 12 (previously discussed as coming in 2006 or 2007), Host Integration Server 2006, Commerce Server 2006, BizTalk Server 2006, Microsoft Operations Manager and Virtual Server v2. Stay tuned. This schedule is extremely likely to change.

WinHEC Shapes up To Be a Major Show

Lees and other Microsoft executives confirmed the Windows Hardware Engineering Conference (WinHEC) in Seattle in late April was to mark the formal launch of the Windows x64 Editions, which were released to manufacturing in late March. They include Windows XP Professional x64 Edition and Windows Server 2003 x64 Standard Edition, Enterprise Edition and Datacenter Edition. The operating systems are Microsoft’s stamp of approval on a wave of 64-bit extension hardware that is expected to rapidly replace 32-bit x86 systems in the new shipment category over the next few months. But helping to usher in a sea change in computing won’t be the only reason WinHEC is important this year. Pre-conference agendas showed Microsoft was ready to reveal extensive details on the Windows “Longhorn” operating system for the first time since the Professional Developers Conference in 2003. Check Redmondmag.com for extensive coverage of WinHEC, and look to next month’s issue for several in-depth articles on Microsoft’s next major OS.

— SCOTT BEKKER

BlogoMSphere
Interesting quotes pulled from blogs by current or former Microsoft employees or about Microsoft technologies.

“I met with Brian Valentine, our Sr. VP in charge of Windows, who asked that I take on running the x64 project. He points over to [original Windows NT architect] Dave Cutler’s office nearby and says my job will be to make sure Dave is happy. [Then] Brian lets out a good laugh.”

— One of many tidbits from a lengthy April 5 post aptly named, “Windows Server 2003 SP1 and X64 Editions – A Historical Perspective,” by Clyde Rodriguez, a group program manager in the Windows Server Division. (http://blogs.technet.com/windowsserver/archive/2005/04/05/403360.aspx)
Microsoft Looks to Yukon for Data Mining Gold
Latest attempt to bring data mining to the masses with SQL Server 2005 hinges on new features, ease-of-use and low cost.
BY SCOTT BEKKER

Of the dozens of feature sets that Microsoft added or improved since its last SQL Server release, one area that received a particularly significant overhaul is data mining.
So much so that Microsoft executives contend data mining could go mainstream when SQL Server 2005 (“Yukon”) ships in the second half of this year. Jamie MacLennan, Microsoft’s data mining development lead for SQL Server, describes three pieces of a puzzle that will make Yukon an “accelerating factor” for data mining:

• The bundling of new business intelligence, data warehousing and other database technologies into the core database at no extra cost will lead to broad deployment of the technology, although it won’t guarantee use.
• Microsoft’s focus on ease of use and integration with developer tools (Visual Studio 2005 is to ship simultaneously with SQL Server 2005) should spur usage.
• The low cost compared to traditional data mining tools will leave customers with money to invest in third-party tools or services to get their data mining projects off the ground.

“A huge number of customers will have data mining functionality licensed in their enterprises,” MacLennan says. “Before, people had to do a million-plus dollar investment in data mining tools.” That left little money for customers to spend on third-party consulting firms to help with their implementations.

Microsoft points to the OLAP database world as an example of what could happen. “Before SQL Server 7.0, OLAP was a niche technology with high-end consultants and expensive tools. Now there are actually more consultants, but you also have more IT shops doing it themselves. One major leg of the cost is taken away,” he explains.

If some of this sounds familiar, it is. Five years ago, Microsoft had similar hopes of spurring mainstream adoption of data mining. It included mining capabilities with the OLAP engine in SQL Server 2000 as part of a business intelligence package called Analysis Services. A major difference with Yukon, according to MacLennan, is time. With SQL Server 2000, Microsoft decided to add data mining functionality late in the product cycle.
“In Yukon, now we’ve had a long product cycle to develop a robust feature set.”

Data mining has been around for a long time, but it’s still a somewhat mysterious and little-used art. The idea is to take a huge set of data and run mathematical algorithms against it to find hidden patterns and relationships. The root of data mining involves statisticians working with existing data sets to create data models that can then be used within real applications to find correlations or predict events. Examples of applications that benefit from data mining algorithms are credit checks, airplane engine failure predictions and oil/gas exploration.

One of the limits on data mining in SQL Server 2000 was that it had only two algorithms—a small number relative to other data mining tools. Microsoft added seven more algorithms in Yukon, including regression trees, sequence clustering, association rules and time series. It also included a capability called text mining, a tool for finding trends in unstructured data such as e-mails and documents.

Microsoft isn’t playing up the new algorithms much. Data mining users get the most benefit from decision trees and clustering algorithms that already existed in SQL Server 2000, MacLennan says: “I would say the algorithms are the smallest part of it.” Instead, Microsoft focused its efforts on areas where the company often succeeded in the past: ease of development integration, ease of use for end users and partner opportunities. The database and developer teams worked closely to make it easy for developers to deploy a data mining model. “I can build a model, and I can put it into production with four lines of code. It’s trivial,” MacLennan says. “Or you can take [SQL Server] Reporting Services, and put that on top of your models, or [SQL Server] Integration Services. You can take this high level work and start realizing ROI much quicker.”

Starting in Yukon, third-party algorithms will be able to plug in to the database at the same low level as Microsoft’s own algorithms. That’s a change from SQL Server 2000, when vendors attached their algorithms to the database through an abstraction layer. The new approach should result in faster performance and better scalability.

Still, Wayne Eckerson, director of research with The Data Warehousing Institute (a sister organization to Redmond magazine), sees stumbling blocks to data mining becoming widely used. “The bottom line with data mining is that creating models and scoring records is not for the masses. It’s for very specialized people with statistical skills. However, the output of what those folks do can be generally applied,” Eckerson says. Other vendors, like NCR with its Teradata database, are also investing in making the data-modeling process more seamless and with more massive scalability, Eckerson says. But Microsoft does have strength in its ability to integrate with developer tools to make it fast and easy to port data models into real applications. “That’s probably where Microsoft is spending more of its time,” Eckerson says. —

GetMoreOnline
Learn more about SQL Server and data mining. Follow links to resources including a Microsoft Research paper, “Finding Trends in Customer Feedback” and Jamie MacLennan’s Weblog on data mining. FindIT code: Goldmine redmondmag.com

Trying to Find a Collaboration Groove

Microsoft’s $120 million acquisition of Groove Networks adds to Microsoft’s growing stack of collaboration technologies. Integrating the technologies into a cohesive set of products with a coherent storyline that convinces customers to pay to use them will be the next challenge.
Microsoft has yet to see a runaway success in this category, other than the Outlook-attachment method the company seems desperate to move users away from, so a complete shake up is entirely possible. Here’s the current stack of Microsoft collaboration technologies, and where Groove’s Virtual Office currently fits in:

Microsoft SharePoint Portal Server
Microsoft’s high-end collaboration solution retails for $5,619 on top of your server OS price. It is a server-centric, administrator-intensive approach to collaboration with extensive focus on internal search capabilities. Microsoft’s offerings already confuse the market somewhat because this product’s name is so similar to …

Windows SharePoint Services
This is an add-on available at no additional charge with Windows Server 2003. Windows SharePoint Services is still server-based, like the portal by the same name, but takes a more decentralized approach. Administrators enable the capability and authenticated users can set up and maintain their own collaboration workspaces.

Microsoft Office Suite
Office has two identities. There’s the way most people currently use it for collaboration—sending Word and Excel documents as Outlook attachments. And there’s the way Microsoft positions it for collaboration—a mix of Office suite hooks into servers like SharePoint Portal Server. The Outlook-attachment model is the entrenched collaboration behavior that Microsoft is trying to combat in order to raise revenues, streamline work processes and reduce security exposure. For evidence of Microsoft’s campaign against the old way of collaborating, look no further than the Office ads featuring the people with dinosaur heads.

[Photo caption] Feeling behind the times?

Groove Virtual Office
Virtual Office differs from the Microsoft SharePoint technologies in its peer-to-peer, as opposed to server-centric, orientation. Developed with the special needs of road warriors in mind, Groove’s technologies facilitate online and offline work with a lot of thought to synchronization. It is Microsoft Office-centric, but duplicates many Microsoft capabilities.

Istanbul
Microsoft’s Istanbul client for Live Communications Server 2005 is one of Microsoft’s most visible attempts to move its collaboration infrastructure forward. The technology enables peer-to-peer communication and collaboration with server oversight. It also drags lots of hooks to tie in the rest of the Microsoft infrastructure.

— SCOTT BEKKER
ProductReview

INSIDE: Check out six server management solutions in this month’s Redmond Roundup. Page 36

What You Got?
Asset Navigator helps you keep tabs on what you have and how it’s being used.

Asset Navigator
Pricing starts at $395 for Standard Edition; $595 for Professional Edition; $895 for Enterprise Edition
Alloy Software Inc.
973-338-0744
www.alloy-software.com

BY ERIC JOHNSON

It’s essential to keep track of your technology assets. It’s also a colossal task. Using loosely organized spreadsheets to track all the computers, hardware, software licenses and IP addresses in your organization is marginally effective at best. Something invariably slips through the cracks, which is a waste of time, money and resources. If you find you have to plow through piles of purchase orders to figure out who’s using all the new equipment you just received, that should tell you that you need a better process.
REDMONDRATING
Documentation (10%): 7
Installation (10%): 9
Feature Set (40%): 9
Performance (30%): 9
Management (10%): 8
Overall Rating: 8.7
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

Asset Navigator is an asset tracking and management system that can help you get a better handle on your technology assets. Then you can throw away the spreadsheets and the old manual processes.

Installing Asset Navigator is a breeze. A familiar Windows wizard walks you through the whole installation procedure. Asset Navigator also simplifies the process of getting your asset data into the system. If you have your license file handy, you can import this into Asset Navigator during installation.

You’ll see a second wizard the first time you launch Asset Navigator that walks you through the process of getting your data repository online. Depending on which version you’ve installed, you’ll use a different database engine. The Enterprise Edition uses a SQL Server back-end. The Professional and Standard editions use Microsoft Access. You can choose to use an existing database, create a new one or import one from Microsoft Access (if you have previously used the Standard or Professional edition and are now upgrading to Enterprise). When creating a new database, you’ll also decide whether you want to build it with or without sample data. Using sample data is helpful for evaluations or if this is your first installation of Asset Navigator and you need to familiarize yourself with its functions. Once you’re finished with the installation and configuring the database, you’re ready to start tracking.

Figure 1. Asset Navigator’s main interface resembles Microsoft Outlook, so there’s a familiar look and feel with folders on the left and details on the right.

Looks Familiar

When you first launch the Asset Navigator client, you should feel right at home. It looks and acts like Microsoft Outlook.
Everything is organized into folders with detailed information listed on the right side of the screen (see Figure 1). Asset Navigator can store a great deal of data about the computers in your environment. It can tell you the manufacturer, the user to whom the equipment is assigned, peripherals that are attached, hardware specifics, software installed, support contracts and so on.

Manually entering this mountain of information on your systems would be a daunting task. Fortunately, Asset Navigator also includes an auditing function. By working through the deployment wizard (see Figure 2, p. 20), you can configure a package and a repository that the systems will use to self inventory and report back all pertinent information. At the end of the deployment wizard, you’ll have an executable that you’ll run on the systems you want to inventory. When you run the inventory routine, the system writes a file into the repository and you later pick up that information with Asset Navigator. You can also automate this whole process using logon scripts and Asset Navigator’s import scheduling capabilities. You can track support contracts on your systems as well, so you can easily tell if a system is covered under a contract or warranty.

Track Everything

In addition to tracking systems, Asset Navigator can track peripherals, software and network configurations. You can enter all the peripherals that you have in the organization into the Asset Navigator database. All peripherals, including keyboards, mice, monitors, printers and so on, are tied to the systems on which they’re installed. You manage your software assets in much the same way with Asset Navigator. You can even track licenses and product keys. Say your company purchased five copies of Adobe Acrobat.
You can record the five license keys in Asset Navigator and when you install the software on a particular system, you can track which key that system used. This will help you keep a better record of software usage.

Network tracking with Asset Navigator is set up in a similar fashion. You can configure all the subnets you use and keep a complete picture of which IP addresses your organization is using. This is great if there’s a pool of reserved static IP addresses for servers or other special systems that aren’t managed by DHCP or some other system. You can assign the IP and track it in Asset Navigator.

Asset Navigator also helps you manage your vendors, purchase orders and personnel. You can easily enter POs when you order equipment. When the equipment arrives, you can add it to the Asset Navigator database as new assets. You can also track people and departments. Overlay your organizational structure and personnel and tie this information to each individual asset. Done correctly, you can see exactly how many systems a department has or how many printers an individual is using.

With all this hardware comes the need to fix it. Besides its tracking functionality, Asset Navigator also contains a help desk and knowledge base. Users submit trouble tickets that tie back to the asset with which they’re having problems. Technicians can log short knowledge base entries that explain how to fix common issues. If Murphy’s Law prevails and you can’t repair the hardware, you can use Asset Navigator to assign a new piece of equipment from your spare inventory or cut a new PO to order a replacement. The help desk includes Web interfaces for users and technicians so tickets and updates can come from anywhere.

Figure 2. The Deployment Wizard walks you through the process of configuring the data repository to pull pertinent data from all your managed systems.
Asset Navigator isn’t a replacement for a full-blown help desk suite, but it’s great for a small shop, or as an integration point to a larger help desk platform.

Asset Navigator is truly an enterprise solution. It’s easy to use and makes a great addition to any administrator’s toolset. In short, Asset Navigator will track just about anything you need it to. If you’re tired of chasing endless piles of spreadsheets and wasting all your free time trying to keep things straight, then Asset Navigator can be a big help.—

Eric Johnson, MCSE2K, MCDBA, MCSD, MTA, works for Premiere Global Services in Colorado Springs, Colo., where he can indulge his personal passions for fishing, woodworking and dogs. He’ll welcome his first child in June.

Many Files Through a Single View
StorageX takes a global approach to streamlining file management.

StorageX
Pricing starts at $2,000 per managed server
NuView Inc.
281-497-0620
www.nuview.com

BY CHRIS WOLF

REDMONDRATING
Documentation (10%): 10
Installation (10%): 10
Feature Set (40%): 9
Performance (20%): 9
Management (20%): 9
Overall Rating: 9.2
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional
Receiving a rating of 9.0 or above, this product earns the Redmond Most Valuable Product award.

When I first checked out StorageX, it looked like a branded version of Microsoft’s Distributed File System. “Why use the free product, when I can spend thousands of dollars on something else?” I sarcastically thought to myself. After getting to know StorageX a little better, though, I realized that initial impression was way off base.

With Windows Distributed File System (DFS), you configure a single starting point for all network file access— the DFS root. You can also associate this with a single mapped drive for your users. The DFS root
includes links to all other shared network resources, giving users and applications a single starting point. With a single, logical access point for network resources, you’re free to move data to different physical locations on the network without impacting users. All you need to modify is the link at the DFS root that points to the physical location on the network. With DFS, you can also set up replicas for each DFS link, which lets you automatically provide for fault tolerance by having one logical link point to replicated data stored in two or more physical locations. Using redundant links also offers the following advantages:

• You can take down file servers for maintenance without affecting users.
• Run backups on a standby server that’s a replication target in the DFS hierarchy, giving you greater flexibility with your backup window.
• The network infrastructure is more resilient to system failure.

Figure 1. The StorageX Logical View outlines your shared storage in an easily understandable format.

Much More Than DFS

The core operation of StorageX functions just like DFS, but StorageX offers much more. StorageX’s adaptation of DFS starts with what’s called the Global Namespace. The Global Namespace uses Microsoft’s existing DFS technology and provides the same transparent access to shared files. Clients connecting to a network share are transparently redirected to an actual physical server. Besides the file access, StorageX’s management and reporting features are what really sold me. For starters, in the StorageX management user interface (UI), you can view your storage resources from a physical or logical perspective. The Logical View (see Figure 1) shows shared storage resources in the same tree format that connecting clients would. Physical View (Figure 2, p.22) lets you view and manage the physical storage topography.

Get It Started

Deploying StorageX was simple.
I popped in the setup CD and installed the product on my designated DFS root server—that was it. Had I chosen to go with a second root server for fault tolerance, I would simply have to repeat the installation process. StorageX supports both stand-alone and domain-based DFS roots, as well as Network Appliance Filer-hosted roots. StorageX lets you logically organize all roots under a single Global Namespace. It supports configuring the DFS root on a server cluster as well, which was helpful.

My next task was to configure the DFS root. What especially impressed me here was that StorageX includes a “Namespace Creation Policy” feature. This automatically searches the network for shares and populates the namespace based on the shares it finds. If you have an existing DFS structure in place, there’s no need to reinvent the wheel because StorageX can detect that, too. With StorageX finding so much on my test network, I was considering the possibility of using it in my garage to search for a few missing tools.

After running the relatively simple New DFS Root Wizard and a Namespace Creation Policy, I had my entire logical file system online and configured within a few minutes. Had I started from scratch and created brand-new file shares and a DFS hierarchy, I would’ve set up a folder tree under the Logical View portion of the UI. With the logical view in place, I would’ve added links to the physical servers on my network. The StorageX UI works just like Windows Explorer, making it easy to add folders and links to the Global Namespace. I also liked the fact that my only software installation was on the root server. There were no agents to install on any other server on the network. The root server supports both CIFS and NFS shares, making it easy to link to both Windows and Unix/Linux file servers.

Redmond | May 2005 | redmondmag.com
From Skeptic to Believer
StorageX’s Administrative View (Figure 3) was a revelation. From here you can schedule replication jobs to run between replica links (folders with the same logical target, but with multiple physical locations), all without having to install any agents on the target systems. With the disaster recovery policies, you can have StorageX monitor a primary server and automatically fail over to a standby server when it detects failure. The product’s Migration Policies let you physically move data from a server that’s running out of space to another server. Once it completes the move, all links are automatically updated to reflect the new physical storage location. StorageX has an Archival Migration Policy that lets you archive files to alternate storage based on criteria such as last time accessed, size and age. StorageX also has several reports you can schedule on a nightly, weekly or monthly basis. These reports provide details on functions like the status of nightly replication jobs, so you can quickly see if your replicated links were synchronized. The fact that software installed on one box lets you do all this while managing your file system storage across your network is quite impressive.

Figure 2. The Physical View gives you a look at your storage topography, and provides management tools.

Figure 3. The Administrative View lets you schedule storage replication tasks.

With such a positive experience managing file shares, I decided to see if StorageX could manage all of my data, in addition to shared CIFS and NFS file systems. To provide the end-to-end protection I’m looking for, StorageX would need to work with both file systems and databases; unfortunately, it doesn’t. NuView representatives said database support was in the company’s future plans.

The First Step to Recovery
The first step on the road to recovery is to admit that you have a problem in the first place.
If your organization has an unmanageable assortment of file shares scattered about, you have a problem. With that in mind, the logical file management view that StorageX presents can be just the therapy you need. Your users will no longer need to remember where a file is in order to access it. All they’ll need to know is the location of the StorageX global namespace root, which you can automate by giving them a mapped drive, just like any other network share. With some thoughtfully considered management tools to back up a product that you can fully deploy within hours, StorageX helps you take steps toward simplicity. This is a breath of fresh air in a storage market that has become progressively more complex in recent years. Now, if StorageX could only find those missing tools in my garage …

— Chris Wolf, MCSE, MCT, CCNA, is an instructor with ECPI Technical College and a leading industry consultant. He’s the author of Troubleshooting Microsoft Technologies (Addison Wesley), co-author of Windows 2000 Enterprise Storage Solutions (Sybex) and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press). You can reach him at [email protected].

ProductReview

Restore Those Lost E-Mails
Recovery Manager lets you do large-scale, store-level Exchange backups, while still helping locate and restore individual messages.

Quest Recovery Manager for Exchange
$8 per mailbox
Quest Software Inc.
949-754-8000
www.quest.com

Redmond Rating: Documentation (10%): 8; Installation (10%): 8; Feature Set (40%): 9; Performance (30%): 9; Management (10%): 8. Overall Rating: 8.7. (Key: 1 = virtually inoperable or nonexistent; 5 = average, performs adequately; 10 = exceptional.)

BY CHAD TODD

In a perfect world, your Exchange databases would remain forever small and cause you no problems, and users would never delete mail by mistake, only to ask you to restore it. But that’s not reality. Databases quickly grow larger than we’d like and we frequently have to decide which is more important—quicker backups or quicker restores. Indeed, backup and recovery are a fact of life for the Exchange administrator.

There are two types of Exchange backups, store-level and message-level (a.k.a. brick-level), each with their benefits and drawbacks. Store-level backups back up the database and transaction logs, while brick-level backups back up each individual message. Quest Recovery Manager (QRM) gives you the best of both worlds. It works with your backup software to give you quicker store-level backups, while still being able to easily restore individual messages. QRM can recover selected messages, files attached to selected messages or a folder and all the messages it contains. It supports full, differential and incremental backups. The software you use to back up your Exchange Server will dictate which method you should choose.

Recovery in Store
Store-level backups are much quicker than brick-level backups. They’re great for recovering a failed Exchange Server, but not so great for individual messages. To recover an individual message in Exchange 5.5 or Exchange 2000, you have to build a recovery server to mimic your production server. This means installing Exchange and its service packs, restoring the database and logs to the recovery server, then using a tool like Exmerge or Outlook to connect to the recovery server to export the mail to personal storage (PST) files. This is a time-consuming process to say the least.

Figure 1. Quest Recovery Manager walks you through the process of restoring messages on your Exchange Server.

Thankfully, recovery is greatly improved in Exchange 2003. You can use a Recovery Storage Group on your production server instead of building a recovery server. However, you still have to use a tool like Exmerge to retrieve the missing mail. Exchange 2003 Service Pack 1 lets you restore an entire mailbox without Exmerge, but not an individual message.
Brick-level backups avoid all of this. Open your backup software, choose the message to restore and voila—the message is back. Brick-level backups use the Messaging API (MAPI) interface to log on to each mailbox, so each message is enumerated, read and backed up. The downside is, by independently backing up each message, brick-level backups lose the single-instance storage that Exchange provides. Consequently, the backup takes a lot longer and uses a lot more disk space than just backing up the store itself.

You can also use QRM to work from an off-line copy of your database. The program can access backup media from Windows Backup (NT 4.0, 2000 or 2003) or Veritas Backup Exec (7.3, 8.6, 9.0 or 9.1). QRM catalogs the tape and restores the database to a specified folder. This method doesn’t require that you use backup software for recovery.

I used QRM to restore mail from an Exchange 2003 server using Windows Backup. It took about 20 minutes to extract the 3GB database and restore the mail. I also used QRM against a copy of my database restored to an Exchange 2003 Recovery Storage Group. In both cases, QRM performed flawlessly on the first try.

Another approach is to copy the Exchange message files from your production server. You would do this when using QRM to restore messages from a failed server. Then you would have QRM perform a hard recovery on the .edb file if the log files or .stm files are missing.

If you’re using a backup utility other than Windows Backup or Veritas Backup Exec, this is the preferred recovery method: have QRM access a database restored to an Exchange 2003 Recovery Storage Group. Add the database to the recovery group and then restore it with your backup software.
If you’re not using Windows Backup or Veritas Backup Exec and you don’t have Exchange 2003, then you’ll have to use a recovery server to restore your mail. This is because Exchange 5.5 and Exchange 2000 don’t provide Recovery Storage Groups. To account for this, QRM provides a feature called Exchange Server emulation. It makes a server other than your real Exchange Server appear to be your Exchange Server. You can then restore your Exchange backups to this server and use QRM to retrieve your mail. However, you can’t use Exchange Server emulation on a machine that already has Exchange installed. The QRM Exchange Server emulation supports backup products from Veritas, HP, Legato, IBM, CommVault and CA.

I highly recommend QRM as a replacement for brick-level backups and as a disaster recovery tool. Quest provides great documentation, but you probably won’t need it. I found QRM to be easy and intuitive. QRM makes it easy to search for missing mail without having to know its precise location. All in all, QRM is a helpful addition to any Exchange administrator’s toolbox.

— Chad Todd, MCSE: Security, MCSE: Messaging, MCSA, MCT, CNE, is the author of Hack Proofing Windows 2000 Server (Syngress Publishing). He’s co-owner of Training Concepts, a company that specializes in Windows 2000 and Cisco training. Reach him at [email protected].

ProductReview

No Scripting Required
ADtoolkit enables anyone to perform Active Directory group edits.

Javelina ADtoolkit 3.0 (formerly ADvantage)
$995 for one or two licenses; $796 for three or four licenses; $746.25 for five to nine licenses; other pricing available for 10 or more licenses
Javelina Software
302-422-0230
www.javelinasoftware.com

BY JEREMY MOSKOWITZ

I’m not a scripter. If I was, I’d be performing feats of magic on a regular basis, like adding and deleting users, changing parameters and modifying Active Directory.
But I’m not a scripter, which is a bit of a problem, because I really want and need to be able to do those things. Enter Javelina’s ADtoolkit 3.0 (formerly called Javelina ADvantage). As I see it, ADtoolkit 3.0 does what a savvy AD scripting guru would do. It also packs a bunch of useful bulk AD operation features into one powerful utility.

Group Therapy
ADtoolkit is easy to navigate and use. It provides a list of available directory objects—Users, Groups, Contacts, Computers, Files and Shares and Directory Tools—from which you can choose a group to bulk edit. After you’ve chosen a group to edit (I’ve selected Users in Figure 1), choose the action you wish to perform—Add, Modify, Delete, Reports, Reset Passwords and Search and Replace. Once you’ve selected the action, you can then import only those users you need to update or edit. You can do this with the Select Users option (that will let you select an entire domain or any specific AD organizational unit) or with the Import Users button. Once you’ve imported a group of users, you’ll see the users who will be affected by your global edits laid out in a grid. This can get a bit confusing if you don’t have any previous experience working with AD groups.

Figure 1. Choose the list or lists of users you need to modify, then the action you need to perform.

Note the tabs going horizontally across the screen in Figure 1. Each of those tabs represents a category of features you can modify. Modifying information inside any tab affects all users in the grid. You can also change a specific property for a specific user in the grid, thereby affecting only that user. Options entered in the grid overwrite options in the tabs. For example, you can grant a certain level of access to all users in a grid, but provide greater access to those within the group who are managers. You would apply the group’s access using the tabs, then increase the manager’s access within the grid.
Once you have your edits ready to go, run a simulation to determine precisely what will happen when you hit the “go” button. ADtoolkit generates a clear report to describe which users (or whatever the target of your group edits is) will be affected and what will happen. This simulation report is a nice touch, considering that, if you made one false move at this point having already made a series of global changes, you could bulk-change your way right out of a job.

ADtoolkit also lets you call out exceptions on access control lists stored on file servers and/or in AD. Under normal circumstances, for example, after you delete a user from AD, you can still see “Account Unknown” signifiers all over AD and the file system to which that user previously had access. ADtoolkit lets you quickly detect and clean up those stale entries. Look under the Files & Shares menu to clean up the file system, and Directory Tools to clean up AD.

Redmond Rating: Documentation (10%): 8; Installation (10%): 10; Feature Set (40%): 8; Performance (20%): 8; Management (20%): 7. Overall Rating: 8. (Key: 1 = virtually inoperable or nonexistent; 5 = average, performs adequately; 10 = exceptional.)

Knowledge Is Power
The user interface design is good if you know what you’re doing. A step-by-step, Wizard-driven interface would be welcome, in addition to its current “free-form” approach. It does help to have a bit of AD background or experience to navigate the interface, but it’s not essential. If you need a way to bulk-edit your AD groups, it would be well worth your while to take ADtoolkit out for a test drive.

— Jeremy Moskowitz, MCSE, MCSA, is founder of Moskowitz Inc. His latest book is Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Sybex). You can reach him at [email protected].
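One way to find those “Account Unknown” entries yourself, as an added example (this is not ADtoolkit’s code): parse each object’s security descriptor in SDDL form and flag any ACE whose domain SID no longer resolves to an account, which is exactly what Windows displays as “Account Unknown.” The same parser covers both the file system and AD because both store their DACLs as SDDL. Everything below is constructed sample data: the domain SID, the three descriptors and the DIRECTORY table that stands in for a real SID lookup. On a live system you would feed it the SDDL that icacls <path> /save writes, or PowerShell’s (Get-Acl <path>).Sddl, and replace the DIRECTORY lookup with LookupAccountSid or .NET’s SecurityIdentifier.Translate.

```python
"""Flag access-control entries whose trustee SID no longer resolves.

Added example, not ADtoolkit's code. Input is an SDDL security descriptor
(file system or Active Directory object); the sample descriptors, domain SID
and lookup table below are constructed data.
"""
import re

# Two-letter SDDL aliases that always resolve (subset; extend as needed).
WELL_KNOWN = {
    "BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone", "CO": "CREATOR OWNER", "DA": "Domain Admins",
}

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed stand-in for LookupAccountSid: only these SIDs still exist.
DIRECTORY = {
    DOMAIN + "-1105": "CORP\\jsmith",
    DOMAIN + "-1106": "CORP\\FileAdmins",
}

# O:owner G:group D:flags(ace)(ace)... ; a SACL (S:) may follow and is ignored.
SDDL_RE = re.compile(
    r"^(?:O:(?:[A-Z]{2}|S-[0-9-]+))?"
    r"(?:G:(?:[A-Z]{2}|S-[0-9-]+))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?"
)
ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_dacl(sddl):
    """Yield (ace_type, ace_flags, rights, trustee) for each plain ACE.

    Conditional and resource-attribute ACEs carry extra fields and nested
    parentheses; they are skipped rather than mis-parsed.
    """
    m = SDDL_RE.match(sddl)
    for ace in ACE_RE.finditer(m.group("dacl") or ""):
        fields = ace.group(1).split(";")
        if len(fields) == 6:
            yield fields[0], fields[1], fields[2], fields[5]


def resolve(trustee, directory=DIRECTORY):
    """Return an account name, or None when the SID is an orphan."""
    if trustee in WELL_KNOWN:
        return WELL_KNOWN[trustee]
    if trustee.startswith("S-1-5-21-"):      # domain/local account SID
        return directory.get(trustee)
    return trustee                            # other well-known SID or alias


def stale_aces(path, sddl, directory=DIRECTORY):
    """List (path, ace_type, rights, sid) for ACEs that name an orphaned SID."""
    return [(path, t, rights, sid)
            for t, _flags, rights, sid in parse_dacl(sddl)
            if resolve(sid, directory) is None]


def scan(entries, directory=DIRECTORY):
    """entries: iterable of (path, sddl). Returns all stale ACEs found."""
    found = []
    for path, sddl in entries:
        found.extend(stale_aces(path, sddl, directory))
    return found


# Constructed sample: two file-share paths and one AD group object.
SAMPLE = [
    (r"\\fs01\projects",
     "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
     "(A;OICI;0x1200a9;;;" + DOMAIN + "-1105)"
     "(A;OICI;0x1301bf;;;" + DOMAIN + "-1107)"),      # -1107 was deleted
    (r"\\fs01\projects\archive",
     "O:BAG:SYD:AI(A;OICIID;FA;;;BA)"
     "(A;OICIID;0x1200a9;;;" + DOMAIN + "-1105)"
     "(D;;DCLCWP;;;" + DOMAIN + "-1102)"),             # stale deny entry
    ("CN=Sales,OU=Groups,DC=corp,DC=example",
     "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
     "(A;CI;WP;;;" + DOMAIN + "-1109)"),               # orphaned write-property ACE
]

if __name__ == "__main__":
    for path, ace_type, rights, sid in scan(SAMPLE):
        print(f"{path}: {ace_type} ACE {rights} for unresolved SID {sid}")
```

Note the second sample: a stale deny entry is reported too. Orphaned ACEs are more than clutter, since the SID they carry becomes live again if the deleted object is reanimated or restored, or if it travels in a migrated account’s SID history.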
BetaMan
Don Jones

When I’m 64

Windows Server 2003 x64
Version reviewed: RC2
Current status: RC2
Expected release: Sometime in 2005

To say “64-bit computing is here” is a bit misleading. Actually, 64-bit computing has been with us for some time. Perhaps the most visible proof of this is Intel’s Itanium family of 64-bit processors, which introduced a whole new computing architecture and required a special version of Windows (available in the Win2000 family). However, the Itanium never became as popular as even the DEC Alpha processor, which wasn’t exactly a bestseller, despite its technological merits. HP recently dropped out of Itanium development, leaving the processor’s future (or at least its market viability) in question.

Then AMD snuck in from the sidelines with its AMD64 architecture. Many computers are now running Athlon64 processors in 32-bit mode that are completely compatible with existing 32-bit applications. Users and administrators may not even realize they have a 64-bit processor lurking under the hood and waiting to be unleashed. The marketability of the AMD64 architecture got a big boost when Intel jumped on board with its own compatible version, the EM64T. Generically referred to as x64, this platform will see its first full-fledged 64-bit version of the Windows server operating system this year when Windows Server 2003 x64 ships.

Cosmetically, Win2003 x64 is identical to its 32-bit cousin. In fact, if you weren’t paying attention, you might not realize you’re running a 64-bit OS at all, which is exactly the point. Your Windows experience will be identical on either platform. The 64-bit processor simply packs a bigger punch, paving the way for 64-bit applications and the eventual demise of the 32-bit platform. (While Microsoft has committed to shipping Longhorn for both 32- and 64-bit platforms, the market may only be interested in a 64-bit version of whatever follows Longhorn.)

Technically Speaking
Naturally, Win2003 x64 requires an x64 processor. It supports the AMD Opteron, Intel Xeon EM64T and Intel Pentium EM64T processors. You need at least 512MB of RAM and 4GB of disk space. The Enterprise Edition of Win2003 x64 supports up to eight processors while the Standard Edition supports four. You’ll also need your processor running at 1.4GHz for the Opteron, 2.8GHz for the Xeon or 3.2GHz for the Pentium. If you’re using Intel processors, Microsoft recommends a 3.6GHz Xeon or Pentium. Memory-wise, you can plug in up to a whopping 32GB on Standard Edition. The Enterprise Edition supports an unbelievable 1TB of RAM. (Remember when Bill Gates told us 640KB was enough memory for anyone?)

The real power of the x64 architecture is that it runs 32-bit applications seamlessly. The Itanium runs 32-bit apps in a WOW64 subsystem, which provided fairly lackluster performance in most situations. Therefore, x64 makes a more compelling argument for phased migration to 64-bit computing. The 64-bit version of Windows does pretty much everything 32-bit does—Active Directory stores can exceed 2GB in size, Terminal Services are present and so on. It’s pretty much indistinguishable from 32-bit Windows, except in one critical area—performance. While you can never judge the performance of an operating system from beta or even release candidate code, 64-bit Windows is already remarkably faster than 32-bit Windows. My testing shows that a 64-bit application running on 64-bit Windows is several times faster than the same application’s 32-bit version running on 32-bit Windows.
All of this software was in beta, so I’m not revealing specific numbers (in fact, the beta licensing agreement forbids it), but suffice it to say, the difference is profound.

BetaMan’s Routine Disclaimer: The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

Application compatibility was seamless. I installed several 32-bit applications, including Exchange Server, SQL Server and Internet Security and Acceleration Server, and they all ran without a hitch. That’s an important feature, because many application vendors are not likely to release 64-bit versions in the near future. For its part, Microsoft will probably ship 64-bit versions of its major server products, especially SQL Server, in fairly short order. The open source world isn’t sitting still on the 64-bit issue. There have been stable x64-compatible builds of Linux available for some time now.
At http://snipurl.com/dl82, you’ll find a comparison of Intel and AMD x64 processors running the Gentoo x64 build of Linux. Red Hat also has x64-compatible and Itanium-compatible builds (lest you think that platform was Windows-specific). I’m not going to get into the whole Windows/Linux debate. I’m simply making the point that Microsoft is neither the only x64 OS on the planet nor is it leading the charge. The existence of competition from Linux on x64 processors is further evidence of the platform’s market viability. It’s a pretty safe bet for any business to go ahead and purchase x64-based systems. In fact, I’d go so far as to say that any future purchases should always be x64-based systems. With the end of the 32-bit computing platform so clearly in sight, purchasing 32-bit systems doesn’t seem like a sound financial investment.

Don’t Forget XP
Microsoft is also releasing Windows XP x64, which will support the Athlon64 processor in addition to Opteron and Intel EM64T processors.

64-bit Is Here to Stay
Choosing the x64 platform is pretty much a no-brainer. It’s where computing is headed. Its compatibility with existing applications makes it an easy choice for new purchases starting even now. Even if you don’t plan to install an x64-specific operating system, x64 systems can continue to run what you already have in place. Once Win2003 x64 ships, however, there will be little reason (other than perhaps price, which has yet to be announced) not to upgrade. Your applications will continue to run, the look and feel of the operating system won’t change, and you won’t need additional training. You’ll get improved performance and the ability to immediately upgrade applications to 64-bit as versions become available.
Given how touch-and-go past computing revolutions have been (remember the awkwardness involved in moving from Windows 3.x to Windows 95?), the x64 move feels stress-free and simple. Microsoft has committed to the 32-bit platform through Longhorn at least, so your existing investments are already protected. Assuming every 32-bit server you have today is capable of running Longhorn (which remains to be seen—minimum system requirements haven’t been announced, but they’re certain to be steep), you can continue to mix 32-bit and x64 systems in your environment while running a consistent operating system across the board. Since the next version of Windows after Longhorn is probably six years or more down the line, it’s a safe bet that your existing 32-bit hardware resources will be fully depreciated and ready for replacement by then, meaning 32-bit computing will die of natural causes and be replaced by x64.

I’ll make it simple—64-bit is here to stay and it looks like x64 is going to be the platform to which we all gradually migrate over the next few years. Microsoft’s introduction of an x64 version of Windows was all but inevitable, and future versions of Windows (including Longhorn and beyond) will be available for this new platform. The migration is painless. Just install Win2003 x64 and you’re up and running with no additional learning curve, no application compatibility issues that I saw and noticeably enhanced performance.

Microsoft is betting the bank on x64. The recently announced Windows Compute Cluster Edition will only support x64 processors, not 32-bit and not Itanium. Part of Microsoft’s High Performance Computing (HPC) for Windows Server 2003 initiative, Windows Compute Cluster Edition will cluster relatively inexpensive servers in parallel-processing configurations designed for massively better performance than single machines achieve today.
Look for a formal beta of the HPC edition sometime in late 2005 (it’s based on the Win2003 SP1 codebase). Start inventorying your servers to find out which ones already have x64 processors hiding in them, and get ready to upgrade to Win2003 x64. You’ll be glad you did.

— Don Jones is a contributing editor for Redmond magazine and the founder of ScriptingAnswers.com, a Web site for automating Windows administration. His most recent book is Managing Windows with VBScript and WMI (Addison-Wesley). You can e-mail him at [email protected].

Get More Online: You can learn more about the Opteron processor and Intel’s EM64T architecture at Redmondmag.com. FindIT code: BetaMan64.

YourTurn
Redmond’s readers test drive the latest products.

The Good and the Bad of MBSA
Microsoft’s free vulnerability scanner works well—as long as you don’t have to stretch it too far.

BY JOANNE CUMMINGS

Those who are charged with managing just a handful of machines sing the praises of Microsoft’s Baseline Security Analyzer (MBSA) fairly readily. Those who need more of an enterprise-level tool to lock down hundreds or thousands of machines, however, find that MBSA’s shortcomings quickly become apparent. MBSA does have a lot going for it. In addition to being free, it’s a simple vulnerability scanner that’s easy to use and configure, most users say. The latest version (1.2.1) checks for configuration errors and security holes not only in Windows 2000, XP and Windows Server 2003, but also key Microsoft applications like Office, IIS, SQL Server and Internet Explorer. “At first, I used MBSA quite a bit,” says Ben Hearn, systems administrator at Cincinnati, Ohio-based financial services firm GAFRI.
Hearn is responsible for managing more than 1,200 Windows XP servers. “I’ve really gotten away from using it at all now because it just proves to be too cumbersome when you’re dealing with lots of machines.”

Microsoft Baseline Security Analyzer (MBSA)
Free
Microsoft Corp.
800-426-9400
www.microsoft.com

Hearn’s primary complaint is the lack of flexible reporting capabilities or any sort of standard report formatting. “MBSA can scan an entire domain of 1,200 computers, but then it generates one giant list of results,” he says. “There’s no good built-in way to see the percentage of my machines that are missing patches.”

MBSA scans every computer within an organization and returns a full list of items. Those items designated with a green check are checked out as secure. Others are flagged for remediation. That’s about as deep as MBSA’s reporting goes, and it’s not deep enough for most users. “It just takes too long to try and decipher the list,” says Justin Clutter, CIO of Appserve Technologies LLC, a small hosting services provider based in Dallas, Texas. “Most of the time, you’ll get the little green check back, but what I really want to see are the critical issues that need fixing.” Clutter says he wishes the MBSA reports were integrated with something like SQL, so he could import the scan results into a database and make it easier for users to run exception reports.

“Integration with SQL would be great,” agrees Jeff Hinrichs, technical lead at Dermatological Lab and Supply Co., in Council Bluffs, Iowa. He also agrees that MBSA’s reporting is its weakest feature. “What I want it to do is throw flags to show me what’s different. Right now, it can’t do that for me.”

Hinrichs has built his own workaround so he can sort through MBSA’s XML-based results to better understand the most critical issues. He takes the newest scan results and the results he has saved from the last time he ran an MBSA scan. “I take both XML files and flatten them,” he says. “Then, I run a standard DIFF tool on it to find the differences between the two files.” Without this extra step, Hinrichs says it’s difficult to see what has changed and what needs his immediate attention. “Maybe 90 percent of my machines are updated for this patch, but that means there are 10 percent that didn’t take it and that’s what I need to know about.”

Questionable Results
Another thing users have noticed is that MBSA’s reported vulnerabilities don’t always match those reported by other tools, like Windows Update and Windows Server Update Services (WSUS). “When I use MBSA to scan one of my servers, it comes back saying that four critical updates could not be verified or need to be updated,” Clutter says. “But when I go to the WSUS site, it says the server is completely up-to-date.” In most cases, this is because Windows Update focuses on OS updates, whereas MBSA also checks for application-level vulnerabilities like those found in Office and IIS. “They work off different databases at Microsoft, so that’s why you get the conflicting results,” Clutter explains.

However, some cases aren’t quite as clear-cut. Stephen Olson, owner of SJO Computer Services in Millerstown, Pa., says he often receives MBSA scan results that are less than definitive. “I just ran a scan and it told me that it couldn’t verify whether I needed a certain update,” he says. “It turned out that it was an update for Windows Media Player 9, but we had already upgraded to Windows Media Player 10. MBSA couldn’t tell that and so it was flagged as a possible vulnerability.” The problem, Olson says, is that there’s no way to configure MBSA so it doesn’t flag those types of issues. “It just keeps reporting it every time I do a scan, which can be a pain,” he says.

In other cases, MBSA will report that it is unsure whether or not a patch has been installed on a scanned machine, an event that Hinrichs attributes to Microsoft’s less-than-linear patch-naming policy. “MBSA should be able to look at the version number of a DLL and tell you whether the patch is installed or not,” Hinrichs says. “If you install a patch from Microsoft, but Microsoft can’t detect that it’s installed, well that’s a problem.”

Although Microsoft says you can use MBSA across a network and multiple domains, most users say its network support is not a strong suit. For example, MBSA can scan Office for vulnerabilities, but you need to do the scans from a local machine, not via a network. “That’s really annoying,” says GAFRI’s Hearn. “I’m not about to physically go to each machine. It’s almost a tease.” Users who need to scan multiple servers across domains can run into password issues as well.

Wish List for MBSA
For a free tool, Microsoft’s Baseline Security Analyzer does quite a bit. Still, most users would like to see some features added in future releases. Here are a few things for Microsoft to ponder:
• Better reporting. Make it easier to slice and dice reports, perhaps by providing back-end integration with SQL Server.
• Clearer results. Sync up the databases for the various vulnerability scanners (Windows Update, WSUS, MBSA) so each tool provides the same information and downloads.
• Better network support. Make it easier to schedule scans across a large network, and provide a way to scan across domains with different admin passwords.
• Mitigate the false positives. Provide a way to customize scans for each computer, obviating the problem of receiving reports for applications and versions that may not be loaded.
• Update the patch certainty. Change the way patches are named and implemented so this tool and others like it can detect patches more accurately.
— J.C.
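The flatten-and-diff routine Hinrichs describes, together with the per-patch percentage Hearn says MBSA never gives him, as an added example (this is not MBSA’s code or either reader’s script): flatten each XML result set to one row per machine and update, diff the two sets, and report coverage per update. The XML layout here is a constructed simplification standing in for MBSA’s real report files, so the element and attribute names (SecScan, Check, UpdateData, IsInstalled) are assumptions to map onto the real schema, and the two sample scans are constructed data.

```python
"""Flatten two MBSA-style XML result sets, diff them and report patch coverage.

Added example, not MBSA's or any reader's tooling. The element and attribute
names below are a constructed, simplified stand-in for MBSA's per-machine
report files; point the two iter() calls at the real schema before use.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: last week's scan of three machines.
OLD_SCAN = """<Scans>
  <SecScan Machine="WS01" Domain="CORP"><Check ID="500" Name="Windows Security Updates">
    <UpdateData ID="MS05-002" IsInstalled="false"/><UpdateData ID="MS05-004" IsInstalled="true"/>
  </Check></SecScan>
  <SecScan Machine="WS02" Domain="CORP"><Check ID="500" Name="Windows Security Updates">
    <UpdateData ID="MS05-002" IsInstalled="false"/><UpdateData ID="MS05-004" IsInstalled="false"/>
  </Check></SecScan>
  <SecScan Machine="WS03" Domain="CORP"><Check ID="500" Name="Windows Security Updates">
    <UpdateData ID="MS05-002" IsInstalled="true"/><UpdateData ID="MS05-004" IsInstalled="true"/>
  </Check></SecScan>
</Scans>"""

# Constructed sample: this week's scan; WS04 joined the domain in between.
NEW_SCAN = """<Scans>
  <SecScan Machine="WS01" Domain="CORP"><Check ID="500" Name="Windows Security Updates">
    <UpdateData ID="MS05-002" IsInstalled="true"/><UpdateData ID="MS05-004" IsInstalled="true"/>
  </Check></SecScan>
  <SecScan Machine="WS02" Domain="CORP"><Check ID="500" Name="Windows Security Updates">
    <UpdateData ID="MS05-002" IsInstalled="false"/><UpdateData ID="MS05-004" IsInstalled="true"/>
  </Check></SecScan>
  <SecScan Machine="WS03" Domain="CORP"><Check ID="500" Name="Windows Security Updates">
    <UpdateData ID="MS05-002" IsInstalled="true"/><UpdateData ID="MS05-004" IsInstalled="false"/>
  </Check></SecScan>
  <SecScan Machine="WS04" Domain="CORP"><Check ID="500" Name="Windows Security Updates">
    <UpdateData ID="MS05-002" IsInstalled="false"/><UpdateData ID="MS05-004" IsInstalled="true"/>
  </Check></SecScan>
</Scans>"""


def flatten(xml_text):
    """Flatten a result set to {(machine, update_id): installed?}.

    One row per machine/update pair is the form that diffs cleanly.
    """
    rows = {}
    for scan in ET.fromstring(xml_text).iter("SecScan"):
        machine = scan.get("Machine")
        for upd in scan.iter("UpdateData"):
            rows[(machine, upd.get("ID"))] = upd.get("IsInstalled", "").lower() == "true"
    return rows


def diff_scans(old, new):
    """Compare two flattened scans; every list is sorted by (machine, update)."""
    out = {"fixed": [], "regressed": [], "missing": [], "new_machines": []}
    for key, installed in sorted(new.items()):
        was = old.get(key)                    # None when the machine is new
        if was is False and installed:
            out["fixed"].append(key)
        elif was is True and not installed:
            out["regressed"].append(key)      # present last time, gone now
        if not installed:
            out["missing"].append(key)
    out["new_machines"] = sorted({m for m, _ in new} - {m for m, _ in old})
    return out


def coverage(rows):
    """Per update: (installed count, scanned count, percent installed)."""
    tally = defaultdict(lambda: [0, 0])
    for (_machine, upd), installed in rows.items():
        tally[upd][1] += 1
        tally[upd][0] += installed
    return {upd: (ok, n, round(100.0 * ok / n, 1)) for upd, (ok, n) in tally.items()}


def machines_missing(rows, update_id):
    """The machines that did not take a given update."""
    return sorted(m for (m, upd), installed in rows.items()
                  if upd == update_id and not installed)


if __name__ == "__main__":
    old, new = flatten(OLD_SCAN), flatten(NEW_SCAN)
    delta = diff_scans(old, new)
    for label in ("fixed", "regressed", "missing"):
        for machine, upd in delta[label]:
            print(f"{label:9s} {machine} {upd}")
    for upd, (ok, n, pct) in sorted(coverage(new).items()):
        print(f"{upd}: {ok}/{n} machines patched ({pct}%), missing on "
              f"{', '.join(machines_missing(new, upd)) or 'none'}")
```

The “regressed” list is the one a plain text diff tends to bury: an update that was present last week and is absent now usually means a machine was reimaged or restored from an old backup, and that is worth a separate flag from machines that were never patched.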
“If you try to run an MBSA scan across two domains where the admin username and password aren’t the same— which technically, they shouldn’t be—it doesn’t work,” Clutter says. “There’s no way to designate that the two domains use different passwords, so you end up having to scan them separately.” Smaller Is Better There is good news for MBSA. Those who use MBSA to scan single computers or smaller environments give the tool high marks for its comprehensive scanning and ease of use. SJO’s Olson uses it to support his clients, which are primarily one-person, small or home office environments. “It’s a great tool,” he says. “It doesn’t do any- 34 | May 2005 | Redmond | redmondmag.com | thing that I couldn’t do manually, but it’s very easy to run and it’s nice to have this little report come out.” Olson says he uses the MBSA reports to give his customers peace of mind. “They can look and see that their computer has strong security, according to Microsoft, and it gives them a good feeling.” Because Olson runs MBSA on single computers, the tool’s reporting capabilities are more than adequate for his needs. Plus, he says, MBSA is reliable. “The thing has run flawless every time,” he says. “It’s definitely a comprehensive and easy way to keep your Microsoft computer updated.” Going Beyond the OS Others say MBSA’s biggest asset is its ability to go beyond the OS to ferret out holes in various applications. “It’s good in security issues, like making sure IE or the IIS server is set properly,” Clutter says. “I use it to make sure that I have everything locked down.” This helps Clutter ensure his servers won’t be easily hacked. “If somebody hacks into one of my machines and decides to install the FTP service on my domain controller, I can run this utility and see that right away,” he says. “It lets you spot application-level things like that quickly.” Brendan O’Connor agrees. 
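Hinrichs’s DIFF of successive reports and Clutter’s rescan to catch a newly installed service are the same task: compare a baseline scan with the current one and flag only what changed. The script below is an added example, not code from MBSA or from anyone quoted in this article. It works over a simplified stand-in for the report XML; the element and attribute names (SecScan, Check, UpdateData, IsInstalled, Grade), the failing-grade convention and the sample reports are all assumptions constructed for the example. It also handles the trap in Olson’s case: an update that goes from “missing” to “could not be verified” is not counted as installed, and a finding that has been baselined is only flagged once.

```python
"""Flag what changed between two sets of scan reports.

Added example, not code from MBSA or from anyone quoted in the article. The
XML layout is a simplified stand-in modeled loosely on MBSA report files;
element and attribute names (SecScan, Check, UpdateData, IsInstalled, Grade)
are assumptions, not the real schema. All sample reports are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class ScanResult:
    machine: str
    missing: set = field(default_factory=set)        # update IsInstalled="false"
    unverified: set = field(default_factory=set)     # install state could not be confirmed
    failed_checks: set = field(default_factory=set)  # non-update checks with a failing grade


def parse_report(xml_text):
    """Reduce one machine's report to the three sets we care about."""
    root = ET.fromstring(xml_text)
    result = ScanResult(root.get("Machine"))
    for check in root.iter("Check"):
        updates = list(check.iter("UpdateData"))
        for upd in updates:
            state = (upd.get("IsInstalled") or "").lower()
            if state == "false":
                result.missing.add(upd.get("ID"))
            elif state != "true":  # "unknown" or absent: the tool could not verify it
                result.unverified.add(upd.get("ID"))
        # Assumed convention for this stand-in: Grade="1" on a non-update check means it failed
        if not updates and check.get("Grade") == "1":
            result.failed_checks.add(check.get("Name"))
    return result


def load_scan_set(reports):
    """Parse a batch of reports into {machine name: ScanResult}."""
    return {r.machine: r for r in map(parse_report, reports)}


def diff_scans(baseline, current):
    """The 'throw flags' step: only what differs between the two scan sets."""
    out = {
        "unscanned": sorted(set(baseline) - set(current)),   # reported before, silent now
        "new_machines": sorted(set(current) - set(baseline)),
        "changes": {},
    }
    for name in sorted(set(baseline) & set(current)):
        b, c = baseline[name], current[name]
        delta = {
            "newly_missing": sorted(c.missing - b.missing),
            # "missing" that became "unverified" is NOT installed; do not count it as fixed
            "now_installed": sorted(b.missing - c.missing - c.unverified),
            "newly_unverified": sorted(c.unverified - b.unverified),
            "new_failed_checks": sorted(c.failed_checks - b.failed_checks),
        }
        if any(delta.values()):
            out["changes"][name] = delta
    return out


def needs_attention(current, update_id):
    """Machines that did not take a given update, or where nobody can tell."""
    return sorted(n for n, r in current.items()
                  if update_id in r.missing or update_id in r.unverified)


def _report(machine, updates, failed=()):
    """Build one constructed report. updates maps ID -> 'true' | 'false' | 'unknown'."""
    upd = "".join(f'<UpdateData ID="{i}" IsInstalled="{s}"/>' for i, s in updates.items())
    chk = "".join(f'<Check ID="{600 + n}" Grade="1" Name="{f}"/>' for n, f in enumerate(failed))
    return (f'<SecScan Machine="{machine}">'
            f'<Check ID="500" Name="Windows Security Updates">{upd}</Check>{chk}</SecScan>')


def sample_scan_sets():
    """Constructed baseline and follow-up scans (bulletin IDs are used only as labels)."""
    baseline = load_scan_set([
        _report("SRV1", {"MS05-004": "false", "MS05-010": "true"}),
        _report("SRV2", {"MS05-004": "false", "MS05-010": "false"}),
        _report("SRV3", {"MS05-004": "true", "MS05-010": "true"}),
    ])
    current = load_scan_set([
        _report("SRV1", {"MS05-004": "true", "MS05-010": "true"}),
        _report("SRV2", {"MS05-004": "false", "MS05-010": "unknown"},
                failed=("FTP Service Running",)),   # a new service appeared on this box
        _report("SRV4", {"MS05-004": "false", "MS05-010": "true"}),  # SRV3 did not report
    ])
    return baseline, current


if __name__ == "__main__":
    base, cur = sample_scan_sets()
    report = diff_scans(base, cur)
    for key in ("unscanned", "new_machines"):
        print(f"{key}: {report[key]}")
    for machine, delta in report["changes"].items():
        for kind, ids in delta.items():
            if ids:
                print(f"{machine}: {kind} {ids}")
    print("still need MS05-004:", needs_attention(cur, "MS05-004"))
```

Two design choices matter more than the parsing. A machine that reported last time and is silent now is listed separately rather than treated as clean, because an unscanned server is exactly the one that is likely to be unpatched. And “could not be verified” is kept distinct from “installed” in both directions, which is what a raw text DIFF of two reports does not give you.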
As the network and systems administrator for the William Floyd School District in Mastic Beach, N.Y., O’Connor uses MBSA to lock down every machine before it enters the school network. “It’s one of the steps we take when we create an image now,” he explains. “We put on Windows, all the Service Pack updates and all the Office applications before it goes out the door, but then we run MBSA to make sure we haven’t missed anything. It’s a good baseline tool, and it’s free, so you really can’t complain too much.”

— Joanne Cummings is a freelance technology journalist. You can reach her via e-mail at [email protected].

RedmondRoundup

Keep an Eye on Those Servers

The right server management tool closely monitors your network and offers proactive responses to most common problems.

BY NELSON AND DANIELLE RUEST

You can’t let your guard down when it comes to server management. It can be too costly to just let your servers sit there and hope they’re functioning at full capacity. Whether or not your company has consolidated servers, closely managing those servers is critical. Consolidation reduces the total number of servers and makes each one that much more important (see “You’re Fired,” p. 28, December 2004).
On the other hand, if you still have servers deployed everywhere fulfilling all sorts of functions, you need to keep a close eye on them to ensure that they’re carrying their weight and not draining corporate resources. You need the right server management tool to keep watch—one that will not only monitor, but proactively correct problems as they occur. It’s much better to be told that a server was running out of disk space and that the problem has been fixed than to watch that server come to a screeching halt because its drives are full.

We stress tested six server management tools for this roundup: Microsoft Operations Manager 2005, Altiris Server Management Suite 6.0, LANDesk Server Manager 8.5, Argent Guardian 8.0, Fidelia NetVigil 3.6.3 and up.time 3.0.9. While products like the two highest-scoring tools from Altiris and LANDesk provide complete server provisioning, others focus specifically on server monitoring and service level maintenance. We put each product through its paces on multiple servers running Windows Server 2003, all configured for various roles. This way we knew what to manage at the individual server level and what to manage on all servers. We could then concentrate on managing the specific aspects of each particular server role. For example, on Active Directory Domain Controllers, you must manage the size of the NTDS.DIT file that stores Active Directory. You also need to make sure replication is working properly and doesn’t hog all your bandwidth. That’s why server management tools need specific role-based management packs—detailed feature sets that tell you what to manage and monitor for servers fulfilling specific roles like Domain Controller, SQL Server and Exchange server.

You should keep these characteristics in mind when considering a server management package:
• Ease of installation and deployment
• Ability to monitor servers and provide scripted responses to common problems
• Support for Web-based Enterprise Management (WBEM)
• Capacity for integration to specific server roles
• Support for industry standard operational models such as the Information Technology Infrastructure Library (ITIL)
• Support for integration of standard operating procedures in heterogeneous or homogeneous environments
• Script programming and extensibility of the system

You also need to know what you should do and when. How often should you perform each activity? What should you do daily, weekly or monthly? Are there any ad hoc management or monitoring tasks you should perform? See “Get More Online” to access a sample management schedule to help with these decisions.

Get More Online
Follow links to more information about role-based server administration, MOM 2005 solution accelerators and the MOM 2000 Resource Kit. Plus, access a sample operations schedule for managing Windows 2003 servers. FindIT code: EyeOnServers, redmondmag.com

Evolving Gracefully: MOM 2005

Microsoft Operations Manager (MOM) 2005 is another step in the evolution of Microsoft’s grand plans for systems management and server monitoring. While it stands on its own as a powerful server management and monitoring tool, Microsoft plans to combine MOM and Systems Management Server into a single provisioning package called Microsoft System Center, but that won’t happen for a while.

Improvements to MOM 2005 include the new administrator and operator consoles (see Figure 1, p. 38). The new look is similar to Outlook and offers quick access to remote control, IP configuration, the management console, Event Log and other tools. You’ll use the administrator’s console for deployment and configuration, as it includes detailed information on deployment procedures. MOM’s agents now work with the local system account on Windows 2000 servers or the network service account on Windows Server 2003. The latter grants agents only the required access, so Windows Server 2003 deployments are now more secure; Local System is effectively full control of the host, so any Windows 2000 servers left in the fleet keep that larger exposure. MOM 2005 also has a new agentless management mode, which monitors systems through Microsoft remote procedure calls (RPC). This mode is for monitoring servers where you can’t install an agent for performance reasons. Agentless monitoring still needs an account with rights on every monitored server, so guard that credential as carefully as the servers it reaches.

MOM 2005 is more manageable and scalable than earlier versions. For example, MOM management groups can now include up to 3,500 agent-managed servers and 60 agentless systems. A management server can support 1,200 agent-managed systems and a management group can have up to 10 management servers. A management group can also process up to 120,000 alerts per day, a considerable improvement over the previous version. MOM 2005 uses management packs for role-based server management that cover Active Directory, Exchange, SQL Server, Terminal Services and even the Microsoft Baseline Security Analyzer servers. Microsoft releases new management packs every time it updates a product in the Windows Server System (WSS) group. MOM 2005 also includes the MOM Connector Framework, which lets you integrate third-party tools with MOM, offering a broader view of the network.

Smaller enterprises can opt for the MOM 2005 Workgroup Edition (WE), designed to simplify managing smaller environments. MOM WE is a good addition to a small business management toolkit, even though it’s limited to monitoring 10 servers.

In this Roundup

Redmond Rating scale: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional. Products were scored on Installation/Deployment (20%), Feature Set (20%), Support for Standards (10%), Support for Server Roles (20%), Support for WBEM (10%), Scripting and Documentation (10%) and Extensibility (10%); the per-product score chart is not legible in this copy.
• Fidelia NetVigil 3.6.3: $40,000 for the first 100 managed devices. Fidelia Technology Inc., www.fidelia.com, 609-452-2225
• Argent Guardian 8.0: $15,000 for every 10 managed Windows servers; $3,000 for each Unix server license. Argent Software, www.argent.com, 860-674-1700
• up.time 3.0.9: $695 per server, $95 per network node, 20 percent annual support fee. uptime software inc., www.uptimesoftware.com, 416-868-0152
• Microsoft Operations Manager 2005: $729 MOM 2005 Server License; $2,689 MOM 2005 Operations Management License five-pack; $499 Workgroup Edition (manages up to 10 devices). Microsoft Corp., www.microsoft.com, 800-426-9400
• LANDesk Server Manager 8.5: $299 per server. LANDesk Software, www.landesk.com, 800-982-2130
• Altiris Server Management Suite 6.0: $253 per node (no additional cost for management server components). Altiris Corp., www.altiris.com, 888-252-5551

The Complete Package: Altiris Server Management Suite 6.0

Altiris Server Management Suite (SMS) supports every phase of a server’s lifecycle—managing server deployment; inventory; desired state management; software and patch delivery; recovery and problem resolution; and health monitoring. SMS does more than MOM 2005, which is focused on monitoring and problem resolution. Altiris SMS provides complete server management and provisioning for a lower cost than the full version of MOM. Altiris SMS has a nicely designed step-by-step process for connecting the notification server to a database server and creating the Altiris database.
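The two criteria the roundup keeps returning to, role-based checks (NTDS.DIT size and replication on a domain controller, disk space everywhere) and scripted responses that fix the problem and then tell you it is fixed, are easier to judge in a product once you have written the rule yourself. The block below is an added example and is not code from MOM, Altiris, LANDesk, Argent, Fidelia or up.time. The thresholds, the constructed fleet, the 02:00 to 04:00 maintenance window for disruptive responses and the stand-in fix scripts (which adjust the sample metrics the way their real counterparts would) are all assumptions.

```python
"""Role-based checks with scripted responses, a maintenance window and escalation.

Added example; not code from any product reviewed here. Checks mirror the ones
the roundup names (disk space, NTDS.DIT size, replication), the metric samples
are constructed, and each "scripted response" is a stand-in that adjusts the
sample metrics the way its real script would. The maintenance window is assumed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Check:
    name: str
    metric: str
    limit: float
    high_is_bad: bool
    roles: tuple = ("*",)     # "*" = every server; otherwise only servers holding one of these roles
    fix: str = ""             # scripted response to try before raising an alert, if any
    disruptive: bool = False  # restart/reboot-class fixes run only inside the window


@dataclass
class Server:
    name: str
    roles: tuple
    metrics: dict


CHECKS = [
    Check("free disk space", "disk_free_pct", 10.0, high_is_bad=False, fix="clean temp"),
    Check("NTDS.DIT size", "ntds_dit_mb", 2048, high_is_bad=True, roles=("DC",)),
    Check("AD replication lag", "repl_lag_min", 60, high_is_bad=True, roles=("DC",),
          fix="force replication"),
    Check("SQL service", "sql_service_up", 1, high_is_bad=False, roles=("SQL",),
          fix="restart SQL", disruptive=True),
]

MAINT_WINDOW = (time(2, 0), time(4, 0))  # assumption: disruptive fixes only in this window


# Stand-in responses: each changes the sample metrics as the real script would.
def clean_temp(s):
    s.metrics["disk_free_pct"] += 8.0  # assume a temp cleanup frees about 8% of the volume
    return True


def force_replication(s):
    s.metrics["repl_lag_min"] = 0
    return True


def restart_sql(s):
    s.metrics["sql_service_up"] = 1
    return True


FIXES = {"clean temp": clean_temp, "force replication": force_replication,
         "restart SQL": restart_sql}


def applies(check, server):
    return "*" in check.roles or any(r in check.roles for r in server.roles)


def failing(check, server):
    value = server.metrics.get(check.metric)
    if value is None:  # metric not collected on this box (e.g. agentless mode)
        return False
    return value > check.limit if check.high_is_bad else value < check.limit


def in_window(now):
    return MAINT_WINDOW[0] <= now.time() < MAINT_WINDOW[1]


def evaluate(servers, checks, now):
    """Run every applicable check; try its scripted fix; re-check; report the outcome."""
    events = []
    for s in servers:
        for c in checks:
            if not applies(c, s) or not failing(c, s):
                continue
            event = {"server": s.name, "check": c.name,
                     "value": s.metrics[c.metric], "outcome": "alert"}
            if c.fix:
                if c.disruptive and not in_window(now):
                    event["outcome"] = "deferred"  # queue for the maintenance window
                elif FIXES[c.fix](s) and not failing(c, s):
                    event["outcome"] = "fixed"     # tell the operator it is already handled
                else:
                    event["outcome"] = "escalate"  # fix ran but the threshold is still breached
            events.append(event)
    return events


def sample_servers():
    """Constructed fleet; fresh copies each call because fixes mutate the metrics."""
    return [
        Server("DC1", ("DC",), {"disk_free_pct": 6.0, "ntds_dit_mb": 2500, "repl_lag_min": 30}),
        Server("FILE1", ("FILE",), {"disk_free_pct": 1.5}),
        Server("SQL1", ("SQL",), {"disk_free_pct": 40.0, "sql_service_up": 0}),
    ]


def run_sample(hour, minute=0):
    """Evaluate the constructed fleet as if the poll ran at the given time of day."""
    return evaluate(sample_servers(), CHECKS, datetime(2005, 5, 1, hour, minute))


if __name__ == "__main__":
    for hour in (14, 3):
        print(f"poll at {hour:02d}:00")
        for e in run_sample(hour):
            print(f"  {e['server']:6} {e['check']:18} {e['value']:>6} -> {e['outcome']}")
```

The re-check after the fix is the part worth copying: a response that ran is not the same as a problem that went away, and the engine only reports “fixed” when the threshold is back within limits. Anything disruptive that falls outside the window is deferred rather than silently skipped, so the operator still sees it.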
For server management, SMS provides availability and performance monitoring, uptime reporting, trend analysis, service restarting, automated system snapshots before configuration changes and so on. Because it starts with a complete inventory of a system’s settings and resources (see Figure 2), the Altiris SMS can provide details about a server from the moment it’s deployed to its ultimate retirement. Historical reports show what happened to a system throughout its service cycle. Altiris also offers a comprehensive client management suite that works off the same console. If you’re looking for a complete systems management suite, this may well be the one.

Figure 1. The MOM 2005 operator console has the same look and feel as Outlook 2003, and gives you immediate access to information about managed systems.

Figure 2. The Altiris Console provides comprehensive information about any server in your network from any location.

Deployment Choices: LANDesk Server Manager 8.5

Like Altiris, LANDesk offers a complete server lifecycle management tool in LANDesk Server Manager (LSM). Version 8.5 lets you inventory servers, deploy software and patches, perform real-time monitoring, restart services and servers, and ensure that servers are up and running on a constant basis. LANDesk redesigned this new version from the ground up. One interesting aspect of the new LSM is the on-demand agent, with its small, event-related footprint. When the agent needs to do something, it loads itself into memory. Once it’s done, it automatically unloads itself. This is pretty cool because it makes the most of available resources.

LANDesk uses an interface during installation that automatically checks for prerequisites. If any prerequisite is missing, you can’t install the software. You can also install LSM separately from the full LANDesk Management Suite. Like MOM and Altiris SMS, LSM can run with MSDE, but also supports SQL Server and Oracle databases. We prefer SQL Server because it’s fully relational and considerably cheaper than Oracle. After installing the LSM core server, activate it to collect system information. To deploy agents, you first must discover devices, using any of several methods. The easiest is using an IP range. It’s surprising the Windows edition doesn’t include an Active Directory-based discovery method. This would greatly simplify discovery because every domain-joined server has an AD computer account. When items are discovered, select the ones to target (see Figure 3). After this, they’re fully managed devices. From this point, you can manage security patches and software deployments; use real-time monitoring to view both hardware- and software-related events and predict potential failures; recover crashed servers; and control performance and availability on your servers.

LSM is easy to use once it’s configured and the Web interface lets you access services from anywhere in your organization. One tip though—on Windows Server 2003, add the LSM Web site to the Local Intranet zone to enable single sign-on. Like Altiris SMS, LSM is a good choice for complete server management.

Figure 3. The LANDesk console is completely Web-based.

A Unique Agentless Approach: Argent Guardian 8.0

Argent takes an agentless approach to server management, which has less overall impact on the server and its operation than products with agents. Argent Guardian uses special application programming calls to collect data on Windows machines. For Unix, it relies on telnet or the Secure Shell (SSH). Telnet carries those logons across the network in cleartext, so SSH is the only sensible choice wherever it is available.
You do need enterprise credentials for this because the system actually logs on to the target machines to collect data. That makes the Argent server a custodian of privileged credentials for every managed system; protect it accordingly, and give it a dedicated monitoring account with only the rights collection needs rather than a domain-wide administrator account.

It supports server roles through data collection rules including Active Directory, Terminal Services, Event Log, performance and even several machine-specific collections like HP, Dell, Cisco, Compaq and so on. These rules are designed to support service level agreements (SLA), a key aspect of server management. Installation is easy, and Argent Guardian performs item discovery right up front. This way you know you’ll be managing all your systems. Another nice touch is that AD is the default discovery method when installing on Windows, making discovery very effective. Argent also supports several other discovery methods, mostly based on TCP/IP.

Argent supports several databases. In fact, it offers the widest database support of the products included here. By default, Argent targets a Codebase (or dBase IV format), but it also supports SQL Server 7 and 2000, Microsoft Access and Oracle 8 and above. Codebase turned out to be just fine and was completely automated by the setup process.

Argent has specific rule sets for SQL Server, Exchange, AD and so on. There are also several canned reports for network traffic, system uptime, monitoring trends and performance data. The console is simple and easy to use (see Figure 4). It is not Web-based by default, but Argent provides a downloadable Web console. The default interface is the closest to a traditional monitoring tool interface with maps built right in. This is cool for large organizations, because you have your entire WAN at a glance on the startup screen. Larger networks have to subdivide monitored servers into regions with about 100 servers per region, which is the recommended sizing from Argent. Argent covers a lot of monitoring ground and supports more than just servers. So if you want a solid network-monitoring tool, Argent Guardian could be the tool for you.

Figure 4. Argent Guardian’s interface reflects a more traditional service management approach. It also offers a separate Web-based interface.

On with Open Source: Fidelia NetVigil 3.6.3

Fidelia NetVigil also takes a different approach to server management. First of all, the software runs on top of open source components—the database is MySQL and the Web server is Apache. This means you can’t have Internet Information Services (IIS) running on the destination server running NetVigil. The NetVigil package is complete—it puts all the required components into a single installation file. Fidelia NetVigil is installed as the default Web site, so you’re brought to the console automatically. Sign in is very “Unix-like.” You need to sign in as the “superuser” to administer the system. Default passwords and login information are displayed right on the login screen, so it’s hard to miss. Change those defaults before the server is reachable from anywhere but the console itself; a published password on an account that can reboot servers is an open door.

To begin the discovery process, log in as localuser and create devices to be used in your discovery process. NetVigil can manage several different device types (see Figure 5, opposite page), so it’s really up to you as to what you want to manage. Once you’ve created the managed devices list, log off as a user and log in as a “superuser” or administrator, as only administrators can perform discovery. Perhaps because of this, the actual discovery screen is buried under the “superuser” menu. You can set up discovery jobs to run immediately or run them on a schedule. As a “superuser,” you can set up different departments and create additional users that play varying roles in the server management process. NetVigil is based on the concept of tests. When you’ve discovered and identified the devices to manage, NetVigil runs regularly scheduled tests against them.
In the event of a test failure, it runs a set of actions against the machine that failed the test. Those “Action Profiles” can include sending e-mails or pager messages, or running scripts to restart a service or even a server. There are two classes of profiles for users and administrators. If you have a machine that supports a key group of users in your network, you can warn them when a test fails on the server. Administrative profiles relate to complex operations like rebooting a server or restarting a service. These profiles support service level agreements.

You manage much of NetVigil through scripts and XML file modifications. It is quite powerful in that regard. If you don’t mind programming and digging into XML data to modify settings and system operations, this could be the program for you. It requires a lot of technical background to get this product running properly, so it’s not as well suited for the average admin. To its credit, Fidelia offers a lower cost version called Helix. We haven’t tried it out, but hopefully it’s easier to use than NetVigil.

Figure 5. Fidelia NetVigil uses a Web interface driven by an Apache Web server. As you can see, it supports several different types of devices.

Web-based Monitoring: up.time 3.0.9

up.time is a service and application monitoring tool that generates event-based alerts. It works completely through a Web interface, so you need to have IIS installed on the server to run up.time. You get to the up.time console by opening a Web browser to http://localhost:9999, the default installation port. Log in as admin with a default password of admin. Like Fidelia, the up.time screen tells you the username and the password, so it’s hard to miss. Change it before port 9999 is exposed to the network: the console can restart services and servers, and admin/admin is the first thing anyone will try. The first thing it asks for is the license file. Cut and paste this into the license dialog box. Then you’ll get the welcome screen. One nice touch is that this screen tells you right away what you need to do. Move to the Config screen to add systems individually. This can be time consuming if you have hundreds of servers. There are two ways to manage systems. Systems with up.time installed are added as a managed system and provide performance data. If there’s no agent present, up.time can still monitor, but can’t collect performance data. You’ll eventually have to deploy up.time to each server. Because it’s a Windows Installer file, it should be pretty easy to do, but you’ll need a separate deployment tool. If you’re running AD, you can deploy up.time with a Group Policy object.

Once you’ve added systems, move to the Radar Scan tab to see the status of your systems. To view information on an individual system, click on it (see Figure 6). Once a system’s detailed view is open, you can explore an extensive range of information about that server. up.time also provides detailed reports on monitored systems and can group both systems and users into discrete containers for delegation. up.time’s ease of use is most impressive. Everything is simple and straightforward with elements where they should be in the menus. For monitoring, up.time supports root cause analysis, workload analysis, disk and file system monitors, performance monitors and even user access to systems. Its canned reports include a lot of information out of the box, and you can easily modify them to meet your own needs. This is a good, straightforward, simple-to-use monitoring tool.

Figure 6. up.time provides extensive information on the status of each managed system by clicking on the links along the left side of the up.time window.

Powerful Choices

Altiris and LANDesk have a much broader feature set than the others. They really do more than straight server monitoring. The Altiris suite is a complete server-provisioning tool for bare metal to retirement. It also has the lowest cost. LANDesk is also highly recommended, but it lacks some of what Altiris offers.
We especially liked the MOM 2005 operator’s console interface because it is so much like Outlook 2003. Argent and Fidelia also have strong offerings with powerful features, but seem better suited in a heterogeneous environment than a Windows-centric world. If you’ve already covered server provisioning and only want to monitor your servers, look to products like MOM, Argent or up.time.

— Danielle Ruest and Nelson Ruest (MCSE, MCT) are authors of multiple books focusing on systems design, administration and management. They run a consulting company that concentrates on IT infrastructure architecture and change and configuration management. You can reach them at [email protected].

Content Cops

BY BECKY NAGEL

Many businesses expect IT to use the equivalent of a radar gun and monitor employees for infractions. But laying down the law can have serious repercussions, both for employees and the IT departments doing the watching.

Photo: Mick Montgomery reached a happy medium with his HR department on monitoring responsibilities and found some tools to make the job less onerous. (Photo by Simon Wilson)

When Mick Montgomery was hired as an Internet/intranet technologist by Ontario, Canada-based Wescast Technologies five years ago, he knew that part of the job would be wearing the “Content Cop” badge, enforcing the company’s Web and e-mail usage policies. It quickly became the most despised part of his day. “I’d literally have to go through logs … line by line and look for abuse,” he recalls of the manual process then used to investigate complaints. “It was painful, extremely painful.” That pain is felt everywhere in organizations that conduct employee monitoring.
Employees may feel like Big Brother is checking up on them, the IT department is usually tasked with slogging through logs and records and reporting findings, the human resources unit has to take action to discipline a wayward worker, and the legal department must decide what employee behavior crosses the line. IT normally finds itself in the uncomfortable middle. Even with the policy and technology advances of the past few years, ever-present conflicts over the who, how and why of employee monitoring remain. If you haven’t yet found yourself caught up in this issue—poring over logs to determine if a .jpg was purposely downloaded, dealing with HR issues you’d rather not know about, struggling through the many ethical and legal quandaries that can arise— chances are you soon will. W Legal Liability One of the main reasons companies implement employee monitoring and filtering tools is to protect themselves from legal liabilities like sexual harassment, discrimination and insider trading. Due to recent regulations like Sarbanes-Oxley and HIPAA (the Health Insurance Portability and Accountability Act) in the United States, these concerns are only growing. Those laws are a big factor in the push for monitoring, according to Doug Towns, a labor and employment lawyer | redmondmag.com | Redmond | May 2005 | 43 0505red_F1Cops42-49.v13 4/15/05 4:39 PM Page 44 CONTENT COPS with Atlanta-based Jones, Day, Reavis & Pogue, who counsels corporations on employee monitoring and privacy. Employers that don’t monitor could one day face a lawsuit for a possible (and arguable) “affirmative obligation” to do so. “We all know … the employer has to keep the workplace free of sexual harassment, which includes making sure that inappropriate comments or conduct are not occurring in the workplace,” Towns explains. 
“Well, does that extend so far to say that the company does not just have the right to—but has the duty to—go out there and filter something?”

While all company departments—IT, HR, legal and corporate—can usually agree on at least the legal benefit of such monitoring, it’s the other uses, as well as IT’s role and responsibility in maintaining and enforcing such policies, that have turned this chore into one of the most dreaded in all of IT.

Crimes and Misdemeanors

Before you pin on that content cop badge, make sure you’re aware of the many legal issues surrounding the responsibilities you’re about to take on; if not to better protect your company, at least to protect yourself.

The most common legal issue surrounding employee monitoring is privacy. According to labor and employment lawyer Doug Towns, however, this issue has pretty much been decided in favor of employers by U.S. courts, including a case where it was determined an employer had the right to monitor, even though the company in question told its employees it wasn’t monitoring (Smyth v. Pillsbury Co.). In fact, U.S. case law is so favorable to employers that only one state—Connecticut—requires employees to sign a policy acknowledging that they’re being monitored. Still, it’s a good idea to do so, no matter where your company is located, Towns says.

Because privacy is an “all-or-nothing” right, he explains, issues of how companies implement monitoring—the extent of monitoring and whether it’s applied unevenly—are usually not grounds for bringing lawsuits against a company under privacy statutes. However, other liabilities could be applied; for example, there could be a discrimination suit if repercussions for violating usage policies were stronger against women or minorities.

Misusing information gleaned from monitoring can also get an IT employee in hot water. For example, if an IT staffer shares information learned via monitoring with someone who doesn’t “need to know,” he can be sued under defamation statutes, if the information is untrue, or “public disclosure of private facts,” as it’s called in many states, if the information is true. According to Towns, IT employees have been sued under such “gossiper” statutes, making it imperative that IT managers ensure that those handling employee monitoring duties are experienced enough to do so.

Another issue is employee misuse of such systems. An IT employee who reads every e-mail of an employee they’re not supposed to be monitoring is probably not opening up the company to a privacy lawsuit because of the aforementioned “all-or-nothing” nature of privacy laws. However, he can be individually sued for harassment, stalking and/or other liabilities if he acts on the information gleaned.

The biggest issue—and one that the experts we talked with say can arise more often than you might think—is child pornography. Because possessing child pornography is a crime, IT employees must be extremely careful when they run across suspicious images. “If you ever see [child pornography], push away from the computer and do not touch anything again, until [police] are on the scene,” says SANS Institute Director Stephen Northcutt. “That [rule] must not ever be violated.”

A similar inviolable rule is reporting any evidence of child pornography you find—even if your employer discourages or forbids it. Not reporting it will leave you personally liable. Michael Haisley, an incident handler for the SANS Internet Storm Center, found himself in such a situation when setting up a system for a district attorney’s office a few years back. For one job, his team found that an assistant district attorney was viewing child pornography. The attorney was fired, but the office told his team not to report it. “This was an election year—the prosecutor didn’t want it to be pursued as far as law enforcement goes, because you don’t want that type of scandal when you’re facing an election,” Haisley recalls.

While his team didn’t report it to local law enforcement, they did report it to U.S. Customs, the federal agency in charge of investigating child pornography. Customs “handled it directly with virtually no assistance from the local district attorney’s office,” he says.

According to Haisley, the pressure to hide child pornography or other violations, such as fraud, isn’t uncommon, and it’s one reason he likes to design employee monitoring systems to instantly report violations to multiple people in various departments across the company. “If the information is disseminated quickly to several sources,” he says, “it gets a lot harder to silence that information, whether it be for a political motive or for a profit motive.” — B.N.

Not in Your Job Description

Projects that start for legal liability reasons often expand to include monitoring employee productivity, which is when conflicts arise in the role IT should play. While some don’t have a problem monitoring employee usage—as one reader puts it, “The network belongs to the company, and they set the rules. What’s the problem?”—others say they resent the chore because it places an undue burden on their shoulders. Laans Hokanson, a network administrator in Petersburg, Va., says for years he’s fought “tooth and nail” against implementing employee monitoring at his government agency, in part because he doesn’t feel it’s his job as a network administrator. “It’s not that I have a moral problem with it, just that I don’t want it to be part of my job description—it’s not what I signed up to do,” he says. “I like problem solving, I don’t like running around and busting people. If I wanted to do that I’d have become a cop.

“I don’t go to people’s cubicles and see what magazines they read; why should the content of their Internet access be my responsibility?”

Dave Pratt, a network administrator in Diamond Springs, Calif., also believes that monitoring for productivity isn’t his responsibility: “Would the facilities department be responsible for supervising an employee whose job included the use of a hammer or screwdriver on the production line?” he asks. “Are computers any different?”

Protector or Spy?

One way to minimize the conflict and gain IT buy-in is by changing the

For example, Pratt says that although “it’s outside the scope of IT’s day-to-day job to provide carte blanche monitoring,” he has no problem monitoring for evidence collection after a problem is identified. Craig Reeds, manager of technology development for Western Construction Group, says he’s much more comfortable conducting employee monitoring at his current job, where it’s only performed on request, compared to the constant monitoring expected by his former employer. “You monitor people if you have a problem; you don’t monitor people just to find a problem,” he says.
Eric, a systems administrator from Maine who asked that his last name not be used, never quite felt comfortable with the chore, especially when he felt the monitoring was being used unfairly. Once he became suspicious that a manager was looking for any reason to fire an employee, so instead of sending his standard report (that would have detailed this particular employee’s searching of job sites during his lunch hour), he sent over the raw, unedited logs, which were virtually indecipherable. “I gave them exactly what they asked for,” he says. “I was trying not to get too personally involved … but trying to make sure everyone had a fair chance.”

Reducing the chance of unfair requests is one reason Reeds likes the way the system works at his 40-person headquarters, where all monitoring requests must be approved by the CEO, instead of being submitted to Reeds directly. “The dangers of having one person being able to request monitoring is that they may not have all the information or they may not have the [monitored subject’s] best interests at heart,” he explains.

Michael Haisley, an incident handler for the SANS Internet Storm Center, says he often designs his monitoring systems to alert more than one person to policy violations—preferably one in HR and one in IT. “It gives the information a balance,” he says. “The way a lot of these systems have been developed in the past, we’ve had IT making policy decisions, and that’s something IT’s not really trained to do—they’re just being stuck into that position.”

Dealing with the Fallout

It’s an uncomfortable position to be in, especially when the results of that monitoring start to bear bitter fruit. Many sources express dismay that their findings may be used to fire someone, especially when the system is being used unfairly. For example, some employees are treated differently from others for the same infractions, usually based on rank.
One reader who asked to remain anonymous says that when his company implemented Web filtering, “lower-level employees had the book thrown at them, while higher-level employees whose habits sometimes bordered on the illegal, got away scot-free. It was a terrible thing to be involved in.” The inequality in reprimands is so widespread that Stephen Northcutt, director of the SANS Institute, a security training company, says most IT pros in his classes simply don’t bother to monitor vice presidents and above. While he understands the reasons behind such a policy, Towns says most of his law firm’s clients instead appoint more senior IT people to monitor the highest-level executives. “Most companies would be reluctant to say there are certain individuals who do have privacy and who we would never review,” he explains. “That’s clearly not what most companies would want to argue if there was ever an allegation either of harassment, discrimination or some type of fraudulent misconduct by individuals at a certain level.”

Reeds says what he dislikes most about being his company’s content cop is “the knowledge that I’m stuck with afterward. Sometimes, it totally changes your perception of a person, and it’s difficult to deal with them knowing what you know.”

Given those concerns, it’s important to choose your employee monitoring staff carefully. “There’s a lot of research that shows certain personality types end up doing better in certain types of jobs,” says Dr. Theresa Wellbourne, founder and CEO of the employee relationship consulting firm eePulse Inc. and a former human resources professor. Look for someone “who doesn’t identify on an emotional level with people’s problems, so they can just be very fact driven. They’re probably going to be better at doing it.”

11 Questions to Drive Your Employee Monitoring Policy

1. Why Are You Implementing Monitoring? Are you implementing it solely to protect the company from various liabilities, or will the company also monitor employee productivity? If liability only, how will you ensure that the system is used only for that goal?

2. What Violates Policy? What liability does the company want to protect itself from, and therefore what behavior is unacceptable? If you’re also monitoring for productivity, you need benchmarks to determine what is considered acceptable personal usage, in terms of both time and actions (unacceptable sites, inappropriate language or jokes in e-mail and so on).

3. What Will You Be Monitoring? Question No. 2 will determine whether monitoring Internet usage will be enough, or if you’ll also need to implement e-mail and desktop monitoring.

4. Will You Be Monitoring, Filtering or Both? Does the company have a “trust the employees” philosophy, or is it important to implement filtering to stop violations before they happen? What combination of technologies best fits the project’s goals (as well as network security), yet preserves company culture?

5. How Will You Monitor? Will monitoring be constant, random, upon request or some combination? If constant, does human resources/IT have the manpower to take on the challenge? If random, what system will you have in place to ensure that it’s truly random? If upon request, what checks and balances will be in place to ensure that the system isn’t abused? If it’s a combination, what will be used when?

6. Are Different Levels of Monitoring Needed? Some companies will have separate levels of monitoring depending on the employee group: heavier monitoring for lower-level employees, less for higher-level and/or “creative” employees, to virtually non-existent monitoring for the highest levels. Does your company need such levels, and if so, what’s appropriate for each?

7. Who Will Be Notified of Violations? Who should receive notifications of violations? Will they be kept within HR, or will IT be notified as well? Will several people be notified in order to ensure the information is fair and acted upon, without expanding beyond the “need to know” boundary?

8. How Quickly Should Violations Be Reported? Some companies need to know about possible violations immediately due to union contracts. Does your company have any such restrictions? What type of report schedule (daily, weekly, monthly) makes the most sense for all involved in the project (e.g., daily for HR to act upon, weekly or monthly for IT to check against false positives and fine-tune the system)?

9. What Software or Other Solutions Can Make the Chore Easier? What software options are available that can meet the exact monitoring and reporting needs of your project? Will these software solutions allow (or can they be customized to allow) the IT department minimum involvement in the process? If not, who will be responsible for the analysis of any reports: IT, or a properly trained HR resources employee, for example? Is outsourcing an option?

10. How Will You Handle Violations? What will the repercussions of any violations be? How do those repercussions grow as the number of violations grows? In what situations is a simple warning appropriate? Will the type of discipline vary depending on the level of the employee who violated the policy?

11. How Can the System’s Fairness Be Communicated? According to Dr. Theresa Wellbourne, whose company monitors employee satisfaction and productivity, morale from a firing that employees don’t see as fair—even if it’s justified—can kill productivity for three to five weeks. “It ends up being a justice issue,” she explains. “When you take action, people need to understand why.” — B.N.

GetMoreOnline: Delve deeper into the monitoring issue. Check out additional resources on legal concerns, employee monitoring policy creation advice and technical solutions mentioned in this article. FindIT Code: ContentCops, redmondmag.com

Getting Help

While the human issues side can be significant, so can the monitoring burden, especially if you’re still manually combing through e-mails and Internet logs, as Montgomery once did. “I’d get one or two [monitoring requests] a week, and as soon as I’d get them it didn’t matter what I was doing—it was top priority,” he comments. “I knew immediately that two to three hours of my day were going to be spent extracting this data.” Then, a few years ago, an HR representative asked whether Montgomery could automate the process such that HR could have direct control, running and analyzing the reports. “I had a small party in my office,” he laughed. “I was right on board with it.”

If your company makes the same choice, one possible starting point is reducing access to inappropriate material. “Rather than busting somebody for having 20 gigs of porn, just don’t let them get there,” Northcutt says. But filtering alone won’t work for many corporations. To further reduce the burden, Haisley recommends designing your system to limit what it tells you: “Configure the alerts and rules so that you [only] get a notification on something that obviously violates your policy, so you’re not wading through literally everything everyone does.” Haisley is particularly fond of new reporting tools that allow an HR department direct access to reports and alerts, thus reducing both the time IT spends on this chore as well as its exposure to the information. He’s found features in Microsoft’s ISA Server 2004 particularly useful, citing its ability to filter based on user groups and its customized rule sets for e-mail alerts. He also likes Snort, saying the open source tool is an excellent option for cash-strapped IT departments. Snort allows you to create the same kinds of reporting rules as ISA Server, he says, albeit with more work.
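As an added example (not code from the article, ISA Server or Snort), this Python sketch applies the design rules Haisley describes: raise an alert only for a category the written policy clearly forbids, address every alert to HR and IT together, and attach the user’s requests immediately before and after the hit so a reviewer sees the path into and out of it; ordinary personal use stays in a scheduled per-user tally instead. The log format, category labels, recipient addresses and sample lines are all constructed.

```python
"""Turn a raw proxy log into (a) a short list of alerts for clear policy
violations, each carrying the user's browsing before and after the hit, and
(b) a per-user category tally for the scheduled HR report.

Added example, not code from the article or from any product it names. The log
format, the category labels, the recipients and the sample lines are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed log lines: "HH:MM user category url". A real proxy's format
# differs; only parse_line() would need to change.
SAMPLE_LOG = """\
12:01 jdoe news http://news.example/front
12:03 jdoe job-search http://jobs.example/listings
12:06 jdoe adult http://filtered.example/img.jpg
12:07 jdoe news http://news.example/sports
12:09 jdoe webmail http://mail.example/inbox
12:02 asmith news http://news.example/front
12:04 asmith job-search http://jobs.example/search
12:05 asmith job-search http://jobs.example/apply
""".splitlines()

# Only categories the written policy forbids outright raise an alert. Personal
# use such as job-search stays in the periodic report rather than paging anyone.
ALERT_CATEGORIES = frozenset({"adult"})
# Each alert goes to HR and IT together, so no single recipient can sit on it.
RECIPIENTS = ("hr-alerts@example.invalid", "it-security@example.invalid")
CONTEXT_LINES = 2  # entries kept before and after the hit, same user only


@dataclass(frozen=True)
class LogEntry:
    time: str
    user: str
    category: str
    url: str


@dataclass
class Alert:
    user: str
    hit: LogEntry
    before: List[LogEntry]
    after: List[LogEntry]
    recipients: Tuple[str, ...] = RECIPIENTS


def parse_line(line: str) -> LogEntry:
    time, user, category, url = line.split(maxsplit=3)
    return LogEntry(time, user, category, url)


def by_user(lines: List[str]) -> Dict[str, List[LogEntry]]:
    """Group entries per user, each user's list in chronological order."""
    grouped: Dict[str, List[LogEntry]] = defaultdict(list)
    for line in lines:
        if line.strip():
            entry = parse_line(line)
            grouped[entry.user].append(entry)
    for entries in grouped.values():
        entries.sort(key=lambda e: e.time)
    return grouped


def build_alerts(lines: List[str], context: int = CONTEXT_LINES) -> List[Alert]:
    """One alert per entry in an ALERT_CATEGORIES category, with the surrounding
    entries attached so the reviewer can trace the history around the hit."""
    alerts: List[Alert] = []
    for user, entries in by_user(lines).items():
        for i, entry in enumerate(entries):
            if entry.category in ALERT_CATEGORIES:
                alerts.append(Alert(user, entry,
                                    before=entries[max(0, i - context):i],
                                    after=entries[i + 1:i + 1 + context]))
    return alerts


def category_report(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Per-user category counts for the scheduled (daily/weekly) HR report."""
    return {user: dict(Counter(e.category for e in entries))
            for user, entries in by_user(lines).items()}


def render(alert: Alert) -> str:
    """Plain-text body of one alert, ready to hand to a mailer."""
    lines = [f"To: {', '.join(alert.recipients)}",
             f"Policy hit for {alert.user}: {alert.hit.time} "
             f"{alert.hit.category} {alert.hit.url}"]
    lines += [f"  before: {e.time} {e.url}" for e in alert.before]
    lines += [f"  after:  {e.time} {e.url}" for e in alert.after]
    return "\n".join(lines)


if __name__ == "__main__":
    for a in build_alerts(SAMPLE_LOG):
        print(render(a))
    print(category_report(SAMPLE_LOG))
```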
When developing custom reporting, Haisley strongly recommends building in context on either side of any alert—for example, all Web pages visited before and after a suspicious download—to make it easy to track back the history of a reported violation.

But you don’t have to rely on custom solutions. Some companies choose to outsource the chore, while others turn to off-the-shelf monitoring packages. These include PixAlert Suite, which scans employee desktops for pornographic images, and Wavecrest’s Cyfin Reporter, a Web monitoring product that runs a number of custom reports. Cyfin Reporter has allowed Wescast’s Montgomery to step away from the day-to-day beat. Now, his main employee monitoring responsibility is watching the back end of the system—making sure the software and the reports are running correctly—while only occasionally delving deeper into reports. And that’s exactly the way it should be, according to Haisley. “By staying a little bit involved, [IT makes] sure the system is working, and they also make sure if there’s a false positive or a problem with the system, they’re dealing with it,” he says. “They’re going to have the technical knowledge to recognize things that HR will not be able to recognize.”

Make Policy a Priority

Before you decide on a monitoring solution, though, you need to establish a policy. It’s essential that the policy cover all aspects of not only why the company is monitoring, but what exactly it will monitor, how it will monitor and the steps for both reporting and dealing with violations (see “11 Questions to Drive Your Employee Monitoring Policy,” above). It’s so important that employee-monitoring software vendors often consult for free with customers. “It is a way for IT and the business sponsors, whether it’s HR, internal monitoring, compliance or even CEOs, to really work together to make sure they’ve looked at the issue from all angles,” says Jack Managan, director of marketing for PixAlert.
“You have to have a policy that’s signed off on,” says Montgomery. “Without a policy, you don’t have anything to stand on, nothing behind you to say ‘This is why we’re doing this, this is corporate policy, the executives have signed off, the board has signed off, you have signed a document saying you agree to this.’ If you don’t have that, you can’t do anything.”

Montgomery worked with his company’s HR department to develop a policy and implement a technical solution that has all but eliminated his role in the process, making him more commissioner than beat cop. “The only time I get involved now is if HR gets into a situation where there’s going to be a serious reprimand, up to and including termination of an employee,” he says. “They’ll ask me to go through the report and validate that what they see is correct.”

Photo (Simon Wilson): Mick Montgomery worked with his company’s HR department to craft a monitoring policy that makes him more commissioner than beat cop.

A fair, detailed policy can also make all the difference for the individual IT employees charged with monitoring. Hokanson, who’s fought against IT monitoring for years in his workplace, says he might be more open to the idea if a solid policy were in place. Until then, he says, “I don’t want to get into the situation where IT is enforcing HR policies that are ambiguous.”

While many argue that enforcing this policy shouldn’t fall on the IT department’s shoulders, Montgomery counters that it’s the only way to create a livable employee-monitoring solution. “You’re going to start dealing with Internet issues because [IT is the one] giving employees Internet access. That’s the reality.” But monitoring doesn’t have to be overly burdensome. As Montgomery points out, he and his crew have found a happy medium, a solution every IT department should explore.
“If IT doesn’t have a dialog with HR, then IT ends up bearing the entire brunt of it.”

— Becky Nagel is the editor of Redmondmag.com, as well as sister sites CertCities.com and TCPmag.com. You can reach her at [email protected].

There’s a saying in IT that “complexity is the enemy of security.” It’s also the enemy of efficiency, troubleshooting and other critical network functions. Here are six ways to untangle that crowded web you’ve weaved.

By Bill Heldman. Illustration by Ryan Etter.

Has your single LAN of the ’90s evolved into a gargantuan enterprise? If your shop is like most, it started out with a handful of Windows NT, Unix and Novell servers on a little network. Now you’re awash in a sea of servers (for which you might have little solid software and hardware inventory information); you’re reasonably certain some percentage of your equipment has little to no fault-tolerance or redundancy protection associated with it; bandwidth usage is out of control; you’re nowhere near level-set in terms of your end-user computers’ OSes, Office and miscellaneous application installations, not to mention BIOS versions; and you’re vulnerable to the virus du jour. On top of it all, your mobile and wireless users are increasing at an astronomical rate.

Sound familiar? If so, you’re probably wondering how to make sense of it all—or if that’s even possible at this point. Well, here are some practical steps you can take to simplify your network.

Start with the Subnets

First, take a look at your subnet structure, because nowhere can things get more kludged than a poorly engineered subnet plan. It can start with a wonderful idea like the 10-dot private addressing scheme. Then you add a bizarre subnet mask to it, assign a subnet to each little handful of users in various corners of the building, and wind up with a rat’s nest.
To top it off, you associate the whole thing with switched VLANs. Poorly engineered TCP/IP subnet plans are difficult to understand (especially at 3:00 a.m. when you’re trying to figure out the problem with your network), and might needlessly stress network switch and routing gear. If this is you, re-invent your subnet plan. Use standard subnet masks, and break things out into logical divisions. The subnets will fall right out at you.

Figure 1. This building has an unwieldy and overly complex subnet structure, with multiple subnets per floor and limited IP addresses per subnet. This will eventually lead to problems.

Switch, Floor 3 (VLAN 1-4):
10.17.10.x – 255.255.128.0
10.18.10.x – 255.255.128.0
10.19.10.x – 255.255.128.0
10.20.10.x – 255.255.128.0
10.21.10.x – 255.255.128.0
10.22.10.x – 255.255.128.0
10.23.10.x – 255.255.128.0
10.24.10.x – 255.255.128.0
10.25.10.x – 255.255.128.0

Switch, Floor 2 (VLAN 1-4)

Switch, Floor 1 (VLAN 1-4):
10.1.10.x – 255.255.128.0
10.2.10.x – 255.255.128.0
10.3.10.x – 255.255.128.0
10.4.10.x – 255.255.128.0
10.5.10.x – 255.255.128.0
10.6.10.x – 255.255.128.0
10.7.10.x – 255.255.128.0
10.8.10.x – 255.255.128.0

Figure 2. The re-engineered subnet plan is less confusing, more logical and simpler. As you can see, there is one subnet per floor, and double the number of IP addresses available per subnet.

Switch, Floor 3 (VLAN 1-4):
10.3.1.x – 255.255.255.0
10.3.3.x – 255.255.255.0
10.3.4.x – 255.255.255.0
10.3.5.x – 255.255.255.0
10.3.6.x – 255.255.255.0
10.3.7.x – 255.255.255.0
10.3.8.x – 255.255.255.0

Switch, Floor 2 (VLAN 1-4)

Switch, Floor 1 (VLAN 1-4):
10.1.1.x – 255.255.255.0
10.1.2.x – 255.255.255.0
10.1.3.x – 255.255.255.0
10.1.4.x – 255.255.255.0
10.1.5.x – 255.255.255.0
10.1.6.x – 255.255.255.0
10.1.7.x – 255.255.255.0
10.1.8.x – 255.255.255.0
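An added example, not the article’s own code: a small Python checker for plans like those in Figures 1 and 2. It tests the article’s rule about sticking to straight classful masks, whether each written address actually sits on a network boundary under its mask, whether any blocks overlap, how many usable hosts each floor really gets, and which floor a given address resolves to. The per-floor lists are transcribed from the figures; reading each “x.x.x.x – mask” entry as one block belonging to that floor is an assumption.

```python
"""Sanity-check a subnet plan the way the article's first step suggests: straight
classful masks only, blocks that sit on real network boundaries, no overlaps,
and an easy answer to "which floor is this address on?".

Added example, not part of the article. The two plans are transcribed from
Figures 1 and 2; treating the listed entries as per-floor blocks is an assumption."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Plan = Dict[str, List[Tuple[str, str]]]  # floor -> [(address, dotted mask), ...]

# The "straight Class A, B or C" masks the article recommends sticking to.
CLASSFUL_PREFIXES = {8, 16, 24}

# Figure 1: 255.255.128.0 blocks, second octet incremented, third octet fixed at 10
# (eight on floor 1, nine on floor 3 as printed).
FIGURE_1: Plan = {
    "Floor 1": [(f"10.{i}.10.0", "255.255.128.0") for i in range(1, 9)],
    "Floor 3": [(f"10.{i}.10.0", "255.255.128.0") for i in range(17, 26)],
}
# Figure 2: 255.255.255.0 blocks, second octet = floor, third octet incremented
# (10.3.2.x is absent from the figure as printed, so it is absent here too).
FIGURE_2: Plan = {
    "Floor 1": [(f"10.1.{i}.0", "255.255.255.0") for i in range(1, 9)],
    "Floor 3": [(f"10.3.{i}.0", "255.255.255.0") for i in (1, 3, 4, 5, 6, 7, 8)],
}


def to_network(addr: str, mask: str) -> Tuple[ipaddress.IPv4Network, bool]:
    """Return (network, aligned). aligned is False when the written address has
    host bits set under its mask, i.e. the number on paper is not the network the
    switches actually route (10.1.10.0 with 255.255.128.0 is really 10.1.0.0/17)."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=True), True
    except ValueError:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False), False


def check_plan(plan: Plan) -> List[str]:
    """Return human-readable findings; an empty list means the plan is clean."""
    findings: List[str] = []
    seen: List[Tuple[str, ipaddress.IPv4Network]] = []
    for floor, entries in plan.items():
        for addr, mask in entries:
            net, aligned = to_network(addr, mask)
            if not aligned:
                findings.append(f"{floor}: {addr}/{mask} is not a network address; "
                                f"the block is really {net}")
            if net.prefixlen not in CLASSFUL_PREFIXES:
                findings.append(f"{floor}: {net} uses a non-classful /{net.prefixlen} mask")
            for other_floor, other in seen:
                if net.overlaps(other):
                    findings.append(f"overlap: {net} ({floor}) and {other} ({other_floor})")
            seen.append((floor, net))
    return findings


def usable_hosts(plan: Plan) -> Dict[str, int]:
    """Usable host addresses per floor (network and broadcast excluded per block)."""
    return {floor: sum(to_network(a, m)[0].num_addresses - 2 for a, m in entries)
            for floor, entries in plan.items()}


def locate(plan: Plan, ip: str) -> Optional[str]:
    """Which floor does this address belong to? None if it is in no block."""
    host = ipaddress.ip_address(ip)
    for floor, entries in plan.items():
        if any(host in to_network(a, m)[0] for a, m in entries):
            return floor
    return None


if __name__ == "__main__":
    for name, plan in (("Figure 1", FIGURE_1), ("Figure 2", FIGURE_2)):
        findings = check_plan(plan)
        print(f"{name}: {len(findings)} finding(s), usable hosts {usable_hosts(plan)}")
        for line in findings[:3]:
            print("  " + line)
    # Under Figure 1 an address that looks nothing like "10.5.10.x" still lands in
    # that block; under Figure 2 the second octet alone tells you the floor.
    print(locate(FIGURE_1, "10.5.3.1"), locate(FIGURE_2, "10.3.4.77"))
```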
Take a look at Figure 1, and note that Floors 1 and 3 (we can presume the other floors as well) have a 255.255.128.0 subnet mask, meaning that each subnet has half the available IP addresses that it normally would. (For simplification and clarity, avoid using anything other than a straight Class A, B or C mask.) Further, the second octet is incremented, and the third octet is the same in all subnets. While this works, it’s messy and confusing because there are eight subnets per floor. As you go up the floors, you have to remember which grouping of subnets belongs to which floor.

Now look at the revamped subnet structure in Figure 2, in which the first floor’s eight subnets are isolated with a normal Class C subnet mask. It’s much easier to tell at a glance which floor you’re dealing with now, and you don’t run the risk of running out of IP addresses for a given subnet. Whether you keep the VLANs is a networking decision, but in either case you’ll have to go in and tweak the closet switches on each floor to reflect the new addressing scheme.

Simplify Your Name Resolution

A big offender in adding unnecessary complexity to the network is the proliferation of WINS and DNS boxes. By keeping a multitude of name servers in your environment, you run the risk of an amateur administrator keying a static record into the database, preventing Windows from automatically discovering and creating records for the device (which happened to me in one of my jobs). Also, you increase the chance of errors due to replication latency, and the complexity of the installation confuses people who have to follow your lead. Besides all that, you simply don’t need a bunch of name servers on your network. A well-architected name server implementation requires only a handful of servers for even the largest of enterprises. In the case of name server quantities, less equals more. Here are some of the most important considerations:

• If you have to maintain WINS, no more than three WINS servers is a pretty good rule of thumb, regardless of the size of the organization.

• If you can avoid it, do not use the LMHOSTS file on the local client computer or on servers, as this creates even more complexity and difficulty in troubleshooting.

• If you use an image to install clients, disable LMHOSTS lookup in your client network configuration. In cases like this, LMHOSTS is blank. If a computer tries to find a host and resorts to LMHOSTS, the lookup will fail, of course, but the computer wasted time performing a useless exercise.

• If you can get by without WINS, do so, sticking strictly with DNS for name resolution. However, realize that unless everything is up-to-date—all applications, servers and users—it may be tough to dispense with WINS, at least for the next several years.

• Try to keep your internal DNS environment to three servers. I’m not a fan of forest administrators keeping a secondary DNS server, as this, too, adds complexity. However, I understand why an admin would want to maintain his own DNS server. The trick here is to have one or two top people (keepers of the root) architect and manage the DNS deployment, and communicate on a routine basis what’s happening, so that it’s understood how DNS will roll out. Otherwise, the servers will procreate like rabbits and no one will be able to resolve a name. It is vital that someone own the DNS implementation, lock, stock and barrel.

Simplification Through “Stream”-lining Applications

Suppose you were told you could package all of your users’ apps with a simple, wizard-driven product, store them on a server as a file and send the resulting application icons to a designated set of users. When a user clicks on one, a small percentage of the app streams to the user’s computer, then launches.
This is the idea behind “streaming applications.” The app acts like it’s running locally, but in fact nothing is installed on the user’s desktop—no Registry entries, no files. That certainly simplifies your network, but it goes even further than that: the program isn’t even installed on the server. The idea revolves around the packaging software watching an app install itself, then creating a file that represents the app to the server and to the user. The app thinks it’s running in the regular framework for which it was written, but in reality, the user is simply utilizing a cache file on his computer.

In this scenario, the user clicks an application and part or all of it—depending on whether it’s a desktop or mobile user—is streamed to his computer, as opposed to running directly from the server, as in the Citrix/Terminal Services model. The program instead runs from the app-streaming server. The app-streaming servers represent the apps to your Citrix or Terminal Services servers and they, in turn, represent them to the user. You don’t even have to have a Citrix or Terminal Services box to use streaming app server software. Two major players in this space, AppStream and Softricity, both allow you to host the apps without Citrix or Terminal Services.

Simplify by Standardizing

When it comes to Total Cost of Ownership (TCO), one of the worst things you can do is maintain an installed base of every version of Windows and Office under the sun.
By level-setting your users’ OSes and application versions, you gain some important simplification benefits:

• You avoid having to carry around a bevy of CDs
• Support costs are greatly reduced
• Upgrades are easier (“Let’s see, is it SP4 for Win2K and SP1 for XP or vice-versa?”)
• Training is easier
• You don’t have to cope with software glitches spread across four or five version levels.

I’ve seen shops with Windows 3.11, 95, 98, ME, NT, 2000 and XP—even a couple of old DOS machines. There are shops where a small percentage of the user-base insists on staying with WordPerfect instead of joining the rest of the Office crowd (or vice-versa). One time, my CFO was adamant that he would not migrate to Outlook calendar from his “Act!” program—never mind that the rest of the enterprise was scheduling meetings in Outlook he wouldn’t show up for because he didn’t know he was invited.

The same thing goes for servers—keep them level-set for greater efficiencies. One trend starting to take hold in the server world is the idea of “automatic provisioning.” You have a rack of “bare metal” servers sitting in your data center, just waiting for loads to increase. When they do, your management software is smart enough to provision (some call it “inflate”) a new server for the need, regardless of where the need is. This sort of provisioning technology might require standardization, at least in terms of the OS and associated service packs and security updates.

Simplify Automatically

Savvy administrators know how important automation is to making, or keeping, a network simple. And they get help from today’s management tools like SMS/MOM, Altiris, NetIQ, LANDesk and others, which have come a long way from the days of SMS 1.0. One overlooked area of automation, though, is in configuration management. If you’ve ever had to go through and change the subnet mask on a couple hundred closet switches all over your company, you’ll love this class of software.
Suppose, in the example above, that you have 250 network switches sitting in 25 different closets around your company and decide to re-engineer your subnets, as advised in Step 1. Without automated configuration management, you’ll have to either Telnet, or HTTP, into each switch to make the configuration change, or visit each switch with a laptop and null modem cable to make the change on a per-switch basis. Configuration management software discovers the managed devices. Once it does, you set up the subnet change and issue the command to all 250 switches at once. Cool, huh?

Simplify Your Printing

Question: What procreates faster than warm, moist yeast? Answer: Printers! In a 12-story building of about 900 users, guess how many printers my shop supported? 900! The printer insanity has to stop. To simplify this grotesque situation, consider leased, networked, enterprise-class Multi-Function Devices (MFDs) that can print in color and black and white, fax, scan and copy. (Some of them make espresso and heat up your morning bagels, too.) Several strong vendors play in this space including Ricoh, Canon and Xerox. These devices can be centrally managed, they’re rugged and aren’t subject to breakdowns like the little ink- and laser-jet units are. Users can send a variety of jobs to them—whether it’s scanning a document on the platen to send to the desktop or sending a 500-page report from the desktop to hit the three-hole paper bin. Because of the tremendous duty-cycle these MFDs can handle, you can design an implementation that strategically locates them around the building—instead of in every nook and cranny in your office. Best of all, with the right leasing plan, support is handled by the leasing company, freeing you up for more important duties.

Don’t Put It Off

Many of these tips take time to implement. Some, like the subnet, require a great deal of preparation and testing.
You may feel like you don’t have the time and resources to undertake some of these changes, but consider the alternative: having an inefficient, needlessly complex network that slows you down every day. In the end, the extra effort you spend now will save you much effort in the future, not to mention money that you can spend on something other than aspirin.—

Bill Heldman is an analyst with Enterprise Management Associates (EMA) in Boulder, Colo., a leading market research firm focusing on all aspects of enterprise management software and services. Bill has more than 14 years’ experience working with distributed systems, applications and networks. His current focuses at EMA include desktop, applications, systems and services management, configuration change management and enterprise application integration. Contact him at [email protected].

Managing in Isolation
BY KEVIN FOGARTY

Remote management has never been a Microsoft strong suit, but Windows Server 2003 is helping users manage servers that no IT staff can touch.

Systems administrators stuck with the job of managing Windows servers tucked into buildings that have no IT presence have long complained about their plight, but Windows Server 2003 is giving them cause for hope. Windows NT Server and Windows 2000 Server were difficult to maintain, monitor and customize, with little of the sophisticated scripting capabilities that Unix and mainframe system administrators use routinely. Neither made it easy to perform everyday maintenance or emergency response without third-party tools to automate common functions or apply changes to a group of servers at once.
“When Microsoft talked about Windows in the data center three or four years ago, it was really kind of laughable,” according to Jean-Pierre Garbani, vice president of computing systems research at Forrester Inc. Windows Server 2003 was intended to change that perception, and make Microsoft a contender in the market for servers that can be maintained without an IT person on site to baby-sit them—and thus a contender in the enterprise data center. To a large extent, Garbani says, it has done just that.

Microsoft has been trying to improve remote administration and management of its servers since the first version of NT shipped. The goal is to match or exceed the remote-management functions of data-center managers like Unix machines and mainframes, according to Ward Ralston, senior technical product manager in the Windows Server Division. “With Windows Server 2003, you can choose to remotely perform server management tasks that previously could be done only locally,” he says.

Tools within Windows 2003 fall into four categories:

• Remote administration with Terminal Services, which is built into the OS and allows two simultaneous remote connections with no additional license costs. It’s designed to allow server administration and configuration functions on servers located anywhere on the network. The Remote Desktop MMC snap-in allows support for additional machines, and can remotely administer Win2K servers.
• Branch office/remote (BO/R) servers allow administrators to remotely control servers that don’t have a monitor, keyboard or mouse, as might be the case in either a cluster arrangement or in a branch office, to discourage users from tinkering with their local server. BO/R also includes Emergency Management Services, which lets administrators restart or remotely install software on a server whose OS isn’t responding.
• The command-line interface in Windows 2003 is much more capable than in previous versions because of enhancements to the Windows Management Instrumentation (WMI) API. WMI gives administrators access to all shells and utilities in Windows 2003, and enables them to write extensive scripts to automate functions across one or many servers.
• The Windows Server 2003 administration tool pack, included on the Windows Server 2003 CDs, includes simplified interfaces for remote-management functions to make it easier to administer servers, networks, directories and storage.

“When you add up all those things, [Microsoft’s] story is pretty good, especially for the money you spend,” according to Peter Pawlak, a senior analyst at Directions on Microsoft, a research company in Kirkland, Wash. “You spend a fraction of what you would in the Unix world and get 80 percent of the functionality; and it’s not just limited to Windows Server 2003. Some of those functions were there in Windows 2000 and can be used on NT and XP as well.”

Easier Living Through Scripting

For many users, it’s the base functions rather than the add-on products that they find particularly useful—especially given they come with no additional cost. David Chacon, technical services manager for the IS department at PING Golf in Phoenix, Ariz., is particularly fond of the enhancements to WMI, an application programming interface that first appeared in Windows 2000. WMI makes for simplified, richer scripting by providing access to operating system services that are otherwise inaccessible.

“Before WMI existed, if you wanted to kick off automated processes to migrate something, or handle login scripting, or monitor the status of a machine or an application, there was no way to do it in the OS itself,” says Chacon.
“You could do it with DOS batch files, or you’d have to get some third-party application.”

In Windows 2003, Microsoft enhanced WMI’s automation capabilities, making it much easier to work with. For example, the SMTP Event Consumer function that enables WMI to e-mail an administrator when it notices a problem event wasn’t available in Win2K. Versions in XP and Windows 2003 also include more functional utilities and a simpler command set. Rather than having to write a script for every event and server you want to track, WMI now includes viewers or shorthand commands to let administrators view logs, query specific nodes and handle other functions with point-and-click or single-line commands.

The scripts Chacon’s group wrote to manage 30 physical servers on the 1,000-person company’s main campus aren’t nearly as complex as the functions available in some of Microsoft’s higher-end products. “But if you can automate status monitoring that keeps you from having to go to 500 workstations individually and spend 20 minutes on each, that time adds up quick,” Chacon says. “That’s versus a couple of days setting up and testing a script, then letting it take over.”

PING has one full-time staffer who uses Terminal Services and other command-line-interface tools to monitor system status and keep the applications running. The new WMI scripts saved 40 percent of his time, a significant savings in a 15-person IT department—so much so that Microsoft is featuring PING in a series of case studies and ads. “My picture’s been up in so many places they’ve hung it up on our office bulletin board and are calling me ‘Mr. 40 percent,’” Chacon jokes.

The automated scripting has saved 800 hours’ worth of work, while making it possible to share data with customers securely and maintain the uptime of critical order-processing applications. It also made it much easier to configure and maintain the “very complex” configurations on PING’s 500 workstations, many of which run several applications and few of which can be down at any one time without dire consequences.

Shadowy Changes

It’s Windows 2003’s ability to shield users from changes on the network that’s particularly valuable to Bruce Haff, director of IT at K2 Sports on Vashon Island, Wash. The Volume Shadow Copy function in 2003 lets Haff and his crew temporarily map users in a remote office to a data volume on any server in the network, rather than the one that is closest to them. Haff’s crew can then remotely update, reboot or make any other changes to the server without the users even knowing they’d been moved off the server in their own office.

“It used to be if we wanted to expand a volume or something, we had to let everyone know and re-map the drives,” he says. “This way, the users don’t have to know where the data lives any more. So we can move volumes around, or move data to completely different servers and the users would never know.”

Assessing the Add-ons

In addition to base functions that come with Windows Server 2003, Microsoft touts add-on utilities such as Microsoft Operations Manager (MOM) as important components of its management lineup. But users warn that MOM comes with a fairly steep learning curve for the more powerful functions, which have to be scripted carefully.
It’s fairly easy to tell it to trap critical events from all the server logs and present them to a server admin first thing in the morning, however. “That saves us about a half hour every day,” Haff says. “It used to be that we’d have to check the log on each individual server. This consolidates things.”

MOM 2005 is designed to monitor the status of every machine in the network, the health of the applications running on them and to automate many required maintenance tasks. It brings Windows systems-management capabilities up to par with mainstream Unix products from IBM and HP, Garbani says. MOM still trails those of BMC and Computer Associates, he says, which are both well ahead of IBM and HP in the feature/function race. “The last version of MOM (2000), for example, would have been good in 1995. With MOM 2005, it’s still a good product, but it is more like a 2002 version of the best systems management,” Garbani says.

The major thing missing is the ability to map applications to specific servers, databases and network services so that you can get a picture not only of what server’s running what applications, but the condition of the various components on which a single application depends, Garbani says.

MOM is also reactive, not proactive, so by the time it notices a server is down or the Internet’s inaccessible, “it’s already become a problem,” says Steven Brummer, client/server design supervisor for Children’s Healthcare in Atlanta (CHOA). CHOA does its systems monitoring with NetIQ’s AppManager product, which tracks performance data and extrapolates trends to identify problems as they’re developing. CHOA has servers in geographically dispersed areas of the hospital complex, which makes it difficult for a technician to go work on them in person when there’s a problem. “With AppManager, we can configure it to see the trend and jump in before it becomes a problem. So it will notice if the database is slowing down, or you’re running low on disk space, rather than waiting until the problem happens and then thinking what you’re going to do about it,” Brummer explains. “We want to be able to head it off at the pass.”

On the Horizon

Microsoft is also working on a host of usability and manageability functions that it will release with an update to Windows 2003 due out later this year, code-named R2. It will deliver Windows Server Update Services (WSUS), a new, twice-renamed version of the free Software Update Services. WSUS is a more advanced application that can help administrators define by administrative group, server classification or end-user role what machines should get automatic updates. It can also direct users to internal servers rather than Microsoft’s site for patches and OS updates.

It’s those kinds of internal support functions that seem attractive to most users, despite Microsoft’s efforts to sell add-on products like MOM 2005. Scripting and remote access to functions enabled by WMI let administrators do what they need to do, while excess bells and whistles cost more and deliver fewer critical functions. As Brummer says, “If I had a big budget to go buy something, I’d go out and get another person, not a piece of software.”—

Kevin Fogarty is a freelance writer who has been covering the IT world since 1991 at publications including Network World, Computerworld, Bio-ITWorld, Baseline and Ziff Davis Internet. Reach him at [email protected].
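The SMTP Event Consumer that the scripting section above credits to Windows 2003 is a WMI permanent event consumer living in the root\subscription namespace. The PowerShell below is an added example, not PING’s scripts or anything from the article: it lists the filter-to-consumer bindings already registered on the server (a binding nobody on the team created deserves a look before you add another), registers a filter for automatic-start services that stop, and binds that filter to an SMTPEventConsumer so the event is mailed out. The SMTP relay and the mailbox names are placeholders to replace with your own.

```powershell
# Added example: WMI permanent event subscription that mails an administrator
# when an automatic-start service stops. Run elevated; needs a reachable SMTP
# relay. Host and mailbox names are placeholders, not values from the article.
$SmtpServer = 'smtp.example.internal'
$From       = 'wmi-alerts@example.internal'
$To         = 'serveradmins@example.internal'
$Ns         = 'root\subscription'   # permanent filters, consumers and bindings live here

function Get-WmiSubscriptionBinding {
    # Audit step: show every filter-to-consumer binding before adding one.
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Select-Object Filter, Consumer
}

function Register-ServiceStoppedMail {
    param([string]$Name = 'AutoStartServiceStopped')

    # Intrinsic event: WMI polls every 60 s for Win32_Service instances whose
    # State just changed to Stopped while StartMode is Auto.
    $query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
             "WHERE TargetInstance ISA 'Win32_Service' " +
             "AND TargetInstance.State = 'Stopped' " +
             "AND TargetInstance.StartMode = 'Auto' " +
             "AND PreviousInstance.State <> 'Stopped'"

    $filter = Set-WmiInstance -Namespace $Ns -Class __EventFilter -Arguments @{
        Name           = "$Name-Filter"
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = $query
    }

    # SMTPEventConsumer ships with Windows. %TargetInstance.X% tokens are
    # expanded from the event when the message is built.
    $consumer = Set-WmiInstance -Namespace $Ns -Class SMTPEventConsumer -Arguments @{
        Name       = "$Name-Consumer"
        SMTPServer = $SmtpServer
        FromLine   = $From
        ToLine     = $To
        Subject    = 'Service stopped on %TargetInstance.__SERVER%'
        Message    = 'Service %TargetInstance.Name% (%TargetInstance.DisplayName%) ' +
                     'on %TargetInstance.__SERVER% is now %TargetInstance.State%.'
    }

    # The binding is what makes the subscription live; it survives reboots.
    Set-WmiInstance -Namespace $Ns -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
}

function Unregister-ServiceStoppedMail {
    param([string]$Name = 'AutoStartServiceStopped')
    # Remove the binding first, then filter and consumer, so nothing dangles.
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*$Name-Filter*" } | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class __EventFilter -Filter "Name='$Name-Filter'" |
        Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class SMTPEventConsumer -Filter "Name='$Name-Consumer'" |
        Remove-WmiObject
}

Get-WmiSubscriptionBinding
Register-ServiceStoppedMail
```

The PreviousInstance test keeps a service that was already stopped from generating mail on every poll; the 60-second WITHIN is the price of an intrinsic (polled) event, so tune it to what your management servers can bear. Unregister-ServiceStoppedMail removes all three objects again, which is what you want when a test subscription is done with.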
7 Tips for MOM
Advice from an in-the-trenches expert for getting the most out of Microsoft Operations Manager.
BY TIM CORNETT

Server management is critical in nearly any shop, but even more so in larger environments. The larger the environment, the more critical it becomes. Here at the Kentucky Department of Education Office of Education Technology (OET), we provide technical standards and services to all 1,400 K-12 public schools, for nearly 700,000 student and staff users throughout the Commonwealth. Our infrastructure consists of 180 fully managed and monitored domains ranging in size from 200 to 110,000 users. For the past two years, our three-member OET Directory Services Team has had great success using Microsoft Operations Manager (MOM) to monitor this infrastructure. Since implementing MOM, we’ve reduced the number of break/fix help desk tickets by more than 90 percent for monitored machines and related services. Just the fact that we can monitor and maintain an environment of about 400 servers and nearly three-quarters of a million users with three people speaks to MOM’s abilities in massive enterprise settings. During that time, we’ve learned a thing or two about using MOM. We hope you can benefit from these tips for getting the most out of MOM.
Tip #1: Take Advantage of the Management Packs

Microsoft currently lists 132 management packs and 13 product connectors at http://snipurl.com/dlcl. Management packs contain scripts, performance-gathering tools and Knowledge Base information for components MOM can monitor (more about the Knowledge Base later). Product connectors allow MOM information to be forwarded to other management products such as HP OpenView or Tivoli TEC for consolidated alerting.

The Active Directory management pack has been worth its weight in gold to the OET Directory Services Team. On several occasions MOM has alerted the team to replication problems that were quickly resolved using its Knowledge Base. And it goes beyond software monitoring. The Dell Hardware management pack (we use identically configured Dell PowerEdge 2600 servers) alerts the team to potential hardware failures from our domain controllers. It provides information about memory errors, predicts hard drive failures, chassis intrusion and many other hardware-related items.

You’ll need to determine which management packs fit into your environment, but be careful to install only the minimum number of packs necessary to fulfill your monitoring requirements. Every management pack adds work to your management servers and adds size to the agents deployed on your managed machines.

Tip #2: Know Your Ports to Head off the Storm

Firewalls are an integral part of any organization’s security infrastructure, but they can also wreak havoc on a MOM deployment. OET found this out the hard way when a rogue firewall rule produced a communications failure between the MOM management servers and a number of their managed servers. Alerts destined for the management servers were dropped by the firewall due to port restrictions, so the MOM operators never knew the alerts were happening.
In the meantime, those same firewall rules were blocking replication. The result was an ugly mess of replication failures that took several days to reconcile once the rogue rule was discovered and corrected. The MOM 2005 Security Guide (http://snipurl.com/dldi) details all the ports needed for MOM to function properly.

Tip #3: Play by the Rules

Once you’ve established communication between the individual MOM components and successfully deployed the agents, you can begin tweaking the MOM rules and scripts. Depending on the size of your environment, this can take 10 minutes or 10 months. The directory services team at OET added nearly 20 new rules and turned off several noisy rules while running MOM 2000 SP1. Noisy rules are those that spit out events or alerts en masse or unnecessarily. Examples in MOM 2000 SP1 include rules that send successful Netlogon events to the management servers. In an environment with a large number of users, this can grow your MOM database tremendously. We also significantly tuned performance monitoring rules to reduce the size of the database. MOM 2005 is a more pleasant experience right out of the box than the previous version, as many of the noisiest rules have been eliminated.

Before you make any rule changes, document and test each individually. If you find yourself making several new rules, create a folder specifically for your rules so that other administrators can easily find them. We’ve found that creating a folder for each MOM administrator is helpful. An example is shown in Figure 1.

Tip #4: Increase Your Knowledge Base

As you create new rules and groups of rules, MOM lets you add them to its database. When the Operator Console raises alerts, you can add your problem resolution steps into MOM 2005 by selecting the alert, right-clicking on the Company Knowledge Base tab, clicking Edit and entering the properly formatted information. This has proven very beneficial for OET.
It reduces the number of Tier 3 support calls, which translates into lower support costs. Adding the name of the person entering the information (Figure 2) and the date to the Knowledge Base gives the MOM operator a person to contact if there are questions about the solution.

Figure 1. Creating a Rule Group Folder makes it easier for other administrators to find and use rules.

Figure 2. The Office of Educational Technology formats Knowledge Base information so it can recall that data for troubleshooting.

Tip #5: Keep MOM Secure

MOM agents stored on domain controllers require special permissions to run vast suites of scripts. To help keep the security folks happy, MOM 2005 agents can run under a reduced security context on domain controllers without impacting their effectiveness. This is accomplished using a “MOM Action Account.” That account—which you can use to install agents, run scripts and gather data from managed machines—must be part of the Local Administrators (not Domain Admins) and Performance Monitor Users groups. It must also have the “Log on Locally” and “Manage Auditing and Security Log” rights made active in the Default Domain Controller Security Policy, which the local Administrators group does by default in Windows 2003. All of the security settings and permissions required for properly operating MOM are detailed in the MOM 2005 Security Guide.

Tip #6: Eliminate Replication Headaches

MOM 2005 suffers from some of its predecessor’s ailments. Microsoft Knowledge Base article 889054 references a problem that occurs when replprov.dll tries to access an invalid pointer. It generates error messages when the file can’t determine the replication status of the domain controller. This alert can cause major headaches if you’re monitoring anywhere from a handful to hundreds of domain controllers, but fortunately the hotfix is available and works well. If you see the alert (as presented in Figure 3), you’re a prime candidate for this hotfix, which is applicable to both MOM 2000 and 2005.

Figure 3. If you see this alert, KB article 889054 is where you need to look for answers.

Tip #7: Consider Trading Up

If your business only requires “best effort” uptime, then don’t worry about purchasing a monitoring product. However, if your customers are as finicky as mine, MOM is a solid tool regardless of the size of your computing environment. With all the changes and new features MOM 2005 has to offer, an upgrade from MOM 2000 SP1 is a must.—

Tim Cornett, MCSE, MVP, is a Principal Consultant at Keane Inc. and is currently assigned to the Kentucky Department of Education as an infrastructure architect. He appreciates the finer things in life, like a loving family and detailed technical discussions. You can reach him at [email protected].

WindowsInsider
Bill Boswell

Extend the Limits of Group Policy

You’ve certainly worked with Group Policies if you have Windows 2000 or Windows Server 2003 deployed anywhere in your organization (and the clock is ticking on NT4, by the way, in case you haven’t yet completed your migration). You’ve probably customized password policies, locked down a few security settings, instituted a login script and possibly redirected the My Documents folder. However, quite a few of you stop short of getting the full value out of Group Policies because of their perceived limitations.

Scavenger Hunt

Let’s review a few terms and processes before we talk about how to overcome some of those limitations—perceived or otherwise.
Group Policies control member servers and desktops in much the same way that a host directs participants in a scavenger hunt. You give the players clues for finding certain items in certain locations. Some of those items are themselves clues for finding other locations with even more clues, all of which eventually lead to a prize—or the edge of an unfinished freeway overpass if the player incorrectly interprets any of the clues.

Group policy “clues”—by which I mean the configuration information—come in the form of Group Policy Template (GPT) files stored in the Sysvol folder on each domain controller. Each type of Group Policy uses a unique GPT file format. For example, security policies are stored in Gptmpl.inf files, folder redirection policies are stored in Fdeploy.ini files, and the Logon/logoff and Startup/shutdown scripts use Script.ini files as well as the scripts themselves.

The Group Policy Editor (GPE) is the tool for creating and modifying the GPT files. Figure 1 shows the GPE display you’ll see when setting a policy to prohibit creating new jobs in Task Scheduler. Enabling this Prohibit New Task Creation policy makes an entry in a file called Registry.pol. The entry looks something like this:

    [Software\Policies\Microsoft\Windows\TaskScheduler5.0;TaskCreation;^A;^D;^D]

Group Policies rely on a set of client/server transactions to deliver GPT files to computers within the domain for processing. A service called the Client Side Extension (CSE), running on each member computer, manages the client side of the transaction. A CSE downloads and processes only the type of GPT files it needs from Sysvol.

Targeting Group Policy

For Group Policies to work effectively, each CSE needs a way to distinguish between “GPT files I need to download,” and “GPT files that don’t concern me.” To help clarify this distinction, Microsoft uses a term called Group Policy Object, or GPO.
A GPO is not a “thing.” You can’t point your finger at a certain data structure and say, “That’s a GPO.” Instead, GPOs distinguish one set of GPT files from another in Sysvol and in Active Directory. In Sysvol, GPT files are stored in separate folders with names that correspond to each GPO’s Globally Unique Identifier (GUID). You can see these GPO folders from any member computer within a domain by opening an Explorer window and entering this path:

    \\<domain_FQDN>\sysvol\<domain_FQDN>\Policies

Figure 1. The Group Policy Editor console, showing a modification to an Administrative Template setting.

Each GPO is represented in AD by a Group Policy Container (GPC) object. You can see these objects in Active Directory Users and Computers. Select View | Advanced Features from the main menu then drill down to System | Policies. See Figure 2 on p. 68 for an example of this view. You can link GPC objects to the domain object, as well as OUs and site objects. CSEs use these links to determine which GPOs contain GPT files that should be processed. You can also filter access to GPC objects based on GPC access permissions and by Windows Management Instrumentation (WMI) selection criteria.

Figure 2. The Active Directory Users and Computers console, showing the Group Policy Container objects.

So here’s a quick synopsis of the Group Policy delivery mechanism: CSEs at member servers and desktops download GPT files from GPO folders in Sysvol based on links and filters associated with GPC objects in AD. Whew.

Policy Extension Limitations

By default, Windows 2003 has 11 CSEs that appear to encompass most operations required for centralized management, but the stock CSEs have some distinct limitations. For example, Administrative (ADM) Template policies manipulate the Registry by placing entries in four special Policy keys, two in HKEY_CURRENT_USER and two in HKEY_LOCAL_MACHINE.
The Administrative Template CSE updates the entries in these volatile policy areas so the entries don’t “tattoo” (or make changes to) the Registry. This trick only works if an application developer writes the code so the app looks for Registry settings in both the volatile Policies keys and keys in the normal Registry location for that application. For example, the Prohibit New Task Creation policy only works because the developer of Task Scheduler coded the application to look for a TaskCreation entry under:

    \Software\Policies\Microsoft\Windows\TaskScheduler5.0

Some Microsoft applications include support for ADM template Group Policy settings. For example, Microsoft Office components, including Visio, have ADM template files available for download at http://snipurl.com/dm10. You can also create custom ADM template files using Microsoft’s ADM files as a guide. I often do this when a Microsoft application recognizes a policy entry in the Registry, but the canned ADM file doesn’t include the setting.

For example, Outlook 2003 has a Registry setting that forces Outlook (running in Cached Mode) to query a Global Catalog server to view the Global Address List, rather than caching a copy of the Offline Address Book. This lets desktop users see address list changes immediately, rather than waiting for the daily update to the Offline Address Book. The Outlook 2003 ADM file does not have a setting for this Registry entry. Here is a custom ADM file that makes the required entry (the key path contains a space, so it is quoted):

    CLASS USER
    CATEGORY "Microsoft Office Outlook 2003 Custom Settings"
      POLICY "NoOABDownload"
        KEYNAME "Software\Policies\Microsoft\Office\11.0\Outlook\Cached Mode"
        PART "Use local cache for address lists" CHECKBOX
          VALUENAME DownloadOAB
          VALUEON NUMERIC 1
          VALUEOFF NUMERIC 0
        END PART
      END POLICY
    END CATEGORY
    END CLASS

Third-Party Options

Most third-party applications aren’t coded to take advantage of volatile Policy entries in the Registry. If you want to use Group Policies to control Registry entries for these applications, you can create custom ADM templates that change the Registry values directly. This makes a permanent change that has to be reversed before removing the policy setting. It’s similar to the way classic NT system policies behaved. However, trying to manage dozens or hundreds of applications using relatively permanent Registry hacks isn’t necessarily a passport to stable and happy professional employment. Also, you might be frustrated by other built-in group policy limitations, like the inability to use Software Restriction Policies as a general purpose desktop lockdown tool and the complexity of provisioning and de-provisioning users as they move from one department to another within a large organization.

Figure 3. Group Policy Editor showing a few of the additional extensions installed by DesktopStandard’s Policy Maker.

Given these drawbacks, it’s not surprising that most third-party vendors have published Group Policy add-ons to fill the gap in Microsoft’s offerings. For example, DesktopStandard (formerly AutoProf) has a utility called Policy Maker that is essentially a suite of Client-Side Extensions that enhance and expand the functionality of group policies. You can find that at www.desktopstandard.com. Full Armor Software also has many useful group policy extensions at www.fullarmor.com. One of the DesktopStandard extensions is available for free. It lets you manage Registry entries without the need to create custom ADM files. It’s available at http://snipurl.com/dm19.
This Registry extension, along with the remaining 20 or so DesktopStandard extensions, uses the existing plumbing in Group Policies so it doesn't require a special database, Schema modifications or other support infrastructure. It does make additions to the Group Policy Editor (shown in Figure 3) and requires additional CSEs on each client. These CSEs come in an MSI package that can be deployed with—you guessed it—Group Policies.

Both Microsoft's and Policy Maker's group policy extensions use text files to communicate setting changes to CSEs. Each extension stores configuration settings in an XML file in Sysvol. If you use Microsoft's Group Policy Management Console (GPMC)—available as a free download from http://snipurl.com/8s8i—you'll notice the GPMC doesn't display third-party extension settings like those used by DesktopStandard and Full Armor. The GPMC can't interpret the GPT files used by those extensions. Individual vendors supply their own tools, but if you just want to see Resultant Set of Policy (RSoP) information, you can use Microsoft's GPInventory tool. This is also a free download from http://snipurl.com/2ks6.

Flex Those Group Policy Muscles

Don't let either the real or perceived limitations in Microsoft's default Group Policies prevent you from taking full advantage of this technology. For just a few dollars per node, you can get highly granular control of your users, desktops and servers—with very little effort in the initial configuration. If you have your own favorite Group Policy management tool or custom ADM file, feel free to send it along. We'll publish them on Redmondmag.com.

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting Inc. He's the author of Inside Windows
Mr.Script
Chris Brooke

Auto-confirm with PopUp

Scripting is all about automating repetitive tasks that would otherwise take hours or even days. By its very nature, an automated task should be one that requires no intervention. In the real world, however, this is rarely the case. Some automated tasks require lots of intervention while others require at least occasional verification, along the lines of "Hit <Enter> to proceed" or "Do you want to overwrite this file?"

Whenever I need this type of occasional confirmation in a script, I tend to use the "messagebox" (MsgBox) function. It stops script execution and waits for a response, such as clicking <OK>. The problem is that it will wait forever for a response that 99 times out of 100 is going to be simply clicking <OK>. Meanwhile, your script just sits there.

Other times a script may not require interaction, but you do want to display status information. For this, I tend to use WScript.Echo. This works fine as long as you know your scripts are going to be run using CScript.exe. All "echoed" data is displayed in the command window and script execution proceeds. However, if WScript.exe is used to run the script, or someone runs it by double-clicking on it in Explorer, all those "echoed" messages will be displayed in a messagebox window—each time forcing a mouse click before the script will continue. Now, if you're the only person who ever runs your scripts, it's easy to remember to always use CScript.
However, if you ever send out scripts for other admins or even users to run, you can never be certain they'll run the script as expected. Thankfully, there's an alternative for either of these cases: the PopUp function of the WScript.Shell object. This little gem works almost exactly like a messagebox, except that it allows you to enter a timeout value in seconds. If the user doesn't respond to the PopUp, the script will continue after the timeout expires. You can then code the script to respond appropriately. Here we instruct the script to take different actions on its own, rather than relying on the user to click <OK> or <Cancel>.

    <package>
    <comment>
    PopUpTimeout.wsf
    Display notifications with default timeout so that script continues
    </comment>
    <job>
    <runtime>
    <description>
    This script demonstrates the PopUp function
    </description>
    <example>
    C:\cscript PopUpTimeout.wsf /File:c:\logfile.txt
    </example>
    <named name="File" helpstring="The name of the file to save data" type="string" required="true" />
    </runtime>
    <object id="objShell" progid="WScript.Shell" />
    <object id="objFSO" progid="Scripting.FileSystemObject" />
    <script language="VBScript">
    Option Explicit
    Dim objFile
    Dim strFilename
    Dim iReturn
    strFilename=WScript.Arguments.Named.Item("File")
    If objFSO.FileExists(strFilename) Then
      'File exists: announce the update, give the user 10 seconds to cancel
      iReturn=objShell.PopUp _
        ("Adding Entry to File." _
        & vbCrLf & "Click Cancel to abort", _
        10, "Creating Entry", vbInformation+vbOKCancel)
      If iReturn=vbCancel Then
        objShell.PopUp _
          "The Entry was not added!", 5, _
          "Update Failed!", vbExclamation+vbOKOnly
        WScript.Quit
      End If
      'Open the file for appending
      Set objFile=objFSO.OpenTextFile(strFilename, 8)
      objFile.WriteLine "File updated: " & Now
      objFile.Close
    Else
      'Create the file, but only if the user explicitly says Yes within 10 seconds
      iReturn=objShell.PopUp _
        ("Do you want to create the file: " & strFilename, _
        10, "Create File?", vbQuestion+vbYesNo)
      If iReturn<>vbYes Then
        objShell.PopUp _
          "The File was NOT Created!", 5, _
          "File Creation Failed!", vbExclamation+vbOKOnly
        WScript.Quit
      End If
      Set objFile=objFSO.CreateTextFile(strFilename, 1)
      objFile.WriteLine "Log file:"
      objFile.WriteBlankLines 1
      objFile.WriteLine "File updated: " & Now
      objFile.Close
    End If
    </script>
    </job>
    </package>

Just a Mouse Click Away

This script starts by taking a file name as a command-line argument. The script then checks to see if the file exists. If it does, it will add the data—in this case, simply a date/time stamp—to the file. If the file doesn't exist, the user is asked if the file should be created.

Creating the File

We use a simple If/Then statement to verify the user selected <OK> to create the file. Any other input (including waiting until the PopUp times out) causes the script to exit without the file being created. If you wanted to, you could check for each possible entry and process accordingly. For the record, allowing the PopUp to timeout returns a value of -1, which means the script will time out.

Adding the Entries

The logic for this section is very similar to creating the file, except that doing nothing results in the script proceeding, rather than stopping. The only action that will cause the script to stop is clicking <Cancel>.

Not Waiting for an Answer

We used PopUps for the "failure" messages in each section, as well.
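The decision logic of the two sections just described (create the file only on an explicit Yes, append unless the user explicitly cancels, and treat an expired timer as its own answer, reported as -1 just as PopUp does) is shown below as an added example in Python rather than the column's VBScript, so the control flow can be exercised without Windows Script Host. This is not the column's script: the injected reader callable, the slow_reader and demo helpers and the temporary log file are assumptions made for illustration.

```python
"""A confirmation prompt that stops waiting: the PopUp-with-timeout pattern.

Added example, not the column's script. `popup` asks once and returns YES, NO
or TIMEOUT (-1, the value WScript.Shell.PopUp returns when its timer expires).
The reader callable is injectable so a test can simulate nobody being at the
keyboard; with the default it reads from the console.
"""
import os
import sys
import tempfile
import threading
import time
from datetime import datetime

TIMEOUT = -1                     # same value PopUp returns when the timer expires
YES, NO = "yes", "no"


def popup(question, timeout_secs, reader=input):
    """Ask once; never block longer than timeout_secs. Returns YES, NO or TIMEOUT."""
    answer = []

    def ask():
        try:
            answer.append(reader(f"{question} [y/n] "))
        except EOFError:
            pass                 # no console at all: treated like a timeout

    t = threading.Thread(target=ask, daemon=True)   # daemon: a stuck reader cannot hold the script
    t.start()
    t.join(timeout_secs)
    if not answer:
        return TIMEOUT
    return YES if answer[0].strip().lower().startswith("y") else NO


def update_log(path, reader=input, timeout_secs=10, now=datetime.now):
    """Append a timestamp to path, creating the file only with explicit consent.

    Returns 'created', 'appended', 'aborted' or 'not_created'.
    """
    if os.path.exists(path):
        # Existing file: silence counts as consent; only an explicit 'no' aborts.
        if popup("Adding entry to file. Answer n to abort.", timeout_secs, reader) == NO:
            return "aborted"
        with open(path, "a") as f:
            f.write(f"File updated: {now():%Y-%m-%d %H:%M:%S}\n")
        return "appended"
    # Missing file: only an explicit 'yes' creates it; silence or 'no' does nothing.
    if popup(f"Create the file {path}?", timeout_secs, reader) != YES:
        return "not_created"
    with open(path, "w") as f:
        f.write("Log file:\n\n")
        f.write(f"File updated: {now():%Y-%m-%d %H:%M:%S}\n")
    return "created"


def slow_reader(answer, delay):
    """Test helper: a user who answers only after `delay` seconds."""
    def reader(prompt):
        time.sleep(delay)
        return answer
    return reader


def demo(timeout_secs=0.2):
    """Run the column's situations against a temporary file; returns the outcomes in order."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "logfile.txt")
        outcomes = [
            update_log(path, lambda q: "n", timeout_secs),                         # refuses to create
            update_log(path, slow_reader("y", timeout_secs * 3), timeout_secs),    # nobody answers in time
            update_log(path, lambda q: "y", timeout_secs),                         # creates the file
            update_log(path, slow_reader("n", timeout_secs * 3), timeout_secs),    # nobody answers: proceeds
            update_log(path, lambda q: "n", timeout_secs),                         # explicit cancel
        ]
        with open(path) as f:
            outcomes.append(f.read().count("File updated:"))
    return outcomes


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "logfile.txt"
    print(update_log(target))
```

The two branches deliberately read the timeout differently, exactly as the column's script does: for a destructive or surprising action (creating a file) silence means no, while for the routine action (appending to a log the user already expects) silence means go ahead.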
The difference here is that we didn't wait for a result. Indeed, we aren't even checking for a returned value. That's why the only button in these windows was <OK>, because at this point it doesn't matter what you do; the script is going to quit.

Each of these methods has its place. The first method is useful when you need to verify entry before proceeding. If no one is sitting at the computer to provide that verification, you would prefer the script exit gracefully, rather than wait for an answer in perpetuity. On the other hand, sometimes you just want to provide the opportunity to change a setting or file location from the default. If no answer is given in the required time, the default values are used and execution continues. Finally, there are times when you simply want to provide a notification to the user, but not risk inadvertently halting the script with a messagebox. PopUp isn't a perfect replacement for WScript.Echo and won't substitute for every MsgBox. Used appropriately, however, it's a powerful addition to your scripting toolbox.

Chris Brooke, MCSE, is a contributing editor for Redmond magazine and director of enterprise technology for ComponentSource. He specializes in development, integration services and network/Internet administration. E-mail Chris at [email protected].

SecurityAdvisor
Joern Wettern

Picking the Right Firewall

Welcome to my inaugural Security Advisor column.
Like many of you I've read this feature since its inception and developed a lot of respect and admiration for Roberta Bragg, who has been this magazine's Security Advisor from the beginning. I'll try to uphold Roberta's standard of delivering meaningful, timely and interesting discussion of security-related topics, and know you'll join me in wishing Roberta all the best in her future endeavors.

Much of my work over the last few years has revolved around firewalls, coinciding with a period in which the firewall industry has changed in significant ways, moving beyond low-level functionality and into the higher-level application realm. Let's take a look at what's been happening, and what it can mean for your environment.

Hardware vs. Software Smackdown!

Let me start with one of the most persistent myths in the firewall world. I often hear the statement, "Hardware firewalls are more secure than software firewalls." According to this theory, a firewall with a single-purpose operating system, such as ScreenOS, used by Juniper Networks' NetScreen appliances, has a very small attack surface. Running a firewall on a multi-purpose operating system, like Microsoft Internet Security and Acceleration (ISA) Server 2004 on Windows Server 2003, creates a larger attack surface; the more complex operating system requires additional services, thus creating additional targets for attackers and reducing system stability. In theory this is true; but in reality, hardware-based firewalls aren't necessarily more secure. It's been my experience that many of these firewalls don't have required security patches installed because re-imaging the ASIC chip that contains the firewall's OS is

A Brief History of Firewalls

Traditional firewalls operate at Layers 3 and 4 of the Open System Interconnect (OSI) model. The earliest firewalls were Layer 3 devices, operating at the Network Layer.
Such firewalls perform simple packet filtering, examining each packet passing through and making a decision about whether to forward or drop the packet. For example, a firewall that only allows outgoing Web traffic would contain a rule that allows packets with destination port 80 from any internal IP address to any IP address on the Internet. To allow the return packets from Internet-based Web servers a second rule is required: Allow packets with source port 80 from any IP address on the Internet to any internal IP address. It didn't take hackers long to figure out that such rules allow them to send any traffic they choose into someone's internal network as long as the attack tools use port 80 as the source port. Because of such vulnerabilities, no serious firewall today relies on packet filtering alone.

Stateful, or circuit-level, inspection was developed to address the limitations of packet filtering. This type of protection operates at Layer 4, the Transport layer. Stateful firewalls examine entire connections between computers, instead of just single IP packets. In the example of outgoing Internet traffic, a stateful firewall allows incoming packets from port 80 on an external computer only if they belong to a connection that was initiated to that port from an internal computer. Other incoming packets are dropped, even if their TCP source port is 80. In addition, stateful inspection also tries to ensure the integrity of the connection itself, guarding against attacks such as TCP session hijacking, which is an attempt to take control of an existing, legitimate connection.

The problem with relying on packet filtering and stateful inspection alone is that most attacks today use legitimate ports and allowed connections. If you're not providing access to a Web server, you can easily protect your network by configuring your firewall to drop all traffic addressed to port 80 on your computers.
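The two rule sets the sidebar contrasts, a stateless pair of port rules and a stateful filter that remembers who opened each connection, are shown side by side below as an added example; it is not code from the column or from any firewall product. The 10.0.0.0/8 internal range, the hosts and the packets are constructed sample data, and TCP is reduced to the SYN and ACK flags, which is all the comparison needs.

```python
"""Packet filtering vs. stateful inspection on the sidebar's port-80 example.

Added example, not from the column or any vendor. `stateless_filter` applies
the two rules the sidebar states (inside -> any on destination port 80, any ->
inside from source port 80) and nothing else; `StatefulFilter` admits inbound
packets only when they answer a connection an inside host opened.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # constructed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def direction(pkt):
    """'out', 'in' or None for traffic that does not cross the perimeter."""
    src_in, dst_in = ip_address(pkt.src) in INTERNAL, ip_address(pkt.dst) in INTERNAL
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return None


def stateless_filter(pkt):
    """Layer 3/4 rules exactly as the sidebar states them: ports only, no memory."""
    d = direction(pkt)
    if d == "out" and pkt.dport == 80:
        return True                      # rule 1: outgoing Web traffic
    if d == "in" and pkt.sport == 80:
        return True                      # rule 2: replies, but also anything else from port 80
    return False


class StatefulFilter:
    """Remembers connections opened from inside; inbound packets must match one."""

    def __init__(self):
        self.connections = set()         # (inside ip, inside port, outside ip, outside port)

    def allow(self, pkt):
        d = direction(pkt)
        if d == "out" and pkt.dport == 80:
            if pkt.syn and not pkt.ack:  # new connection: record the 4-tuple
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.connections
        if d == "in":
            if pkt.syn and not pkt.ack:  # a bare SYN is never a reply, whatever its source port
                return False
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
        return False


def run_scenario():
    """Verdicts of both filters for a real Web exchange and two source-port-80 probes."""
    fw = StatefulFilter()
    flow = [
        ("client_syn", Packet("10.1.2.3", 49152, "198.51.100.7", 80, syn=True)),
        ("server_synack", Packet("198.51.100.7", 80, "10.1.2.3", 49152, syn=True, ack=True)),
        # Outside host opens a new connection with source port 80 to an arbitrary inside port.
        ("probe_syn", Packet("203.0.113.9", 80, "10.1.2.50", 5000, syn=True)),
        # Same source port with only ACK set: no matching entry, so stateful inspection drops it.
        ("probe_ack", Packet("203.0.113.9", 80, "10.1.2.50", 5000, ack=True)),
    ]
    return {name: {"stateless": stateless_filter(p), "stateful": fw.allow(p)} for name, p in flow}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:14} stateless={verdict['stateless']!s:5} stateful={verdict['stateful']}")
```

The stateless rules pass all four packets, because the second rule cannot tell a reply from a new connection that merely uses 80 as its source port; the stateful filter passes only the two packets of the exchange an inside host actually started. Real stateful engines also age entries out and track sequence numbers, which is the "integrity of the connection" the sidebar mentions and which this example leaves out.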
If you have a public Web server, though, you have to allow inbound traffic to the server on port 80. Packet filtering and stateful inspection allow all such traffic to reach the server. Hackers know this and most of today's attacks use allowed connections. This means that most of today's attacks aren't based on bypassing packet filters or playing tricks with TCP connections. Instead, they attack applications, such as a Web server, mail server, or even a client program like a browser over valid connections and allowed ports. — J.W.

too daunting a task for many network administrators. On the other hand, I generally find that administrators regularly apply security patches to multipurpose operating systems and firewall software. In addition, well-designed firewall software, such as ISA 2004, blocks disallowed network traffic before the OS and its network stack can process it, removing the OS as an attack vector altogether.

The line between hardware and software firewalls continues to blur. Consider that Network Engines sells a firewall appliance that runs ISA 2004, combining elements of both hardware and software firewalls. The distinction is becoming less clear all the time.

The Windows Firewall

Windows XP and Windows Server 2003, Service Pack 1 include the same built-in firewall. How does the Windows Firewall compare to the other firewalls covered here?

First, the Windows Firewall is a personal firewall designed to protect a single computer; as such, it's no replacement for network firewalls that inspect all incoming and outgoing traffic. But that doesn't mean you should neglect the Windows Firewall if your network is already protected by a firewall.

One primary use of the Windows Firewall is for laptop computers, for which it should be mandatory. Enabling it ensures that nobody can establish an incoming connection to your computer. When traveling I often connect my laptop directly to the Internet without the protection of a corporate firewall. In such a situation I want to be sure that my computer blocks all incoming connections. Sure, the Windows Firewall has limited alerting capabilities and doesn't check outgoing traffic, but sometimes a simple solution that can accomplish a limited goal without confusing users is a good thing.

Things are different for computers connected to your corporate network. You may think the Windows Firewall provides no benefits if your network is already protected by a firewall, but think again. A firewall at the edge of your network protects against attacks from the Internet, but the Windows Firewall can also protect your servers and client computers against attacks from internal users or internal computers infected by malicious programs.

Before enabling the Windows Firewall on all computers, though, do some research. Do you have remote management tasks, such as centralized software, patch or anti-virus management? They can require remote access to computers, which means ensuring that the Windows Firewall is configured to allow such connections. Fortunately, you can configure many aspects of the Windows Firewall centrally via Group Policy, using separate policies based on whether a computer is connected to your corporate network or not. This means you can remotely manage a laptop while it's connected to your network, and enable it to block incoming connections on its own when it's used on the road. Until you've investigated the right configuration for your network, consider disabling the Windows Firewall via Group Policy to ensure that your management programs continue to work. For laptop computers, disable the Windows Firewall only while connected to the corporate network, and enable it while connected to any other network. — J.W.

Protecting Layer 7

Traditional firewalls operating at Layers 3 and 4 of the Open System Interconnect (OSI) model are unable to protect against newer attacks because they don't inspect traffic at the application layer, or Layer 7 (see "A Brief History of Firewalls," p. 73). Most firewall manufacturers responded to this by adding application-layer filtering to their products. When performing this inspection, a firewall takes a single packet, or assembles several packets that make up application traffic, and makes forwarding decisions based on that traffic.

An application-layer firewall can also help secure traffic that uses secondary connections, such as FTP. FTP uses a control connection between the client and the server to negotiate a secondary connection for the actual data transfer. Application support lets a firewall monitor the control connection and then allow the secondary connection using the port that the client and server agree on.

Some vendors have come up with colorful marketing terms for Layer 7 filtering; Check Point Software Technologies, for instance, calls it Application Intelligence. No matter the term used, application-layer filtering is crucial to protect today's networks.

Application-layer capabilities are what most differentiate firewalls today, and finding the right firewall for your exact needs can be a complicated task. This is because vendors vary greatly on what they consider application-layer filtering to be. One vendor's fine print reveals its "strong" application-layer capabilities are limited to blocking ActiveX and Java programs. Others have more capable solutions, but suffer a significant performance hit because their firewalls weren't designed to do Layer 7 filtering.
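What "monitoring the control connection" means in practice for the FTP case described under Protecting Layer 7 is shown below as an added example; it is not code from the column or from any firewall product. An application-layer filter reads the client's PORT command (active mode) or the server's 227 reply (passive mode) and opens exactly the one data connection they negotiated. The addresses, ports and control-channel lines are constructed sample data, and the check that the announced address belongs to the peer that announced it is an addition beyond what the column describes.

```python
"""FTP-aware application-layer filtering: reading the control channel.

Added example, not from the column or any vendor. A Layer 3/4 filter cannot
know which port the client and server agreed on for the data transfer; an
application-layer filter parses the negotiation on the control connection and
opens a single pinhole for it.
"""
import re

# h1,h2,h3,h4,p1,p2: how FTP encodes an IPv4 address and a 16-bit port
_HOST_PORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _decode(match):
    """Six captured numbers -> ('a.b.c.d', port), rejecting out-of-range octets."""
    a, b, c, d, p1, p2 = (int(x) for x in match.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def parse_port_command(line):
    """Client 'PORT h1,h2,h3,h4,p1,p2' -> (address, port) the server will connect to."""
    m = re.match(r"^PORT\s+" + _HOST_PORT + r"\s*$", line.strip(), re.I)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m)


def parse_pasv_reply(line):
    """Server '227 ... (h1,h2,h3,h4,p1,p2)' -> (address, port) the client will connect to."""
    m = re.match(r"^227\b.*?\(" + _HOST_PORT + r"\)", line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode(m)


def pinhole_for(line, client_ip, server_ip):
    """The single (label, src, dst, dport) rule to open for one control-channel line, else None.

    Added check beyond the column: the address announced in PORT must be the
    client's own and the one in 227 the server's, otherwise the firewall would
    be opening a hole toward a third host that took no part in the session.
    """
    text = line.strip()
    try:
        if text.upper().startswith("PORT "):
            addr, port = parse_port_command(text)
            return ("server->client data", server_ip, addr, port) if addr == client_ip else None
        if text.startswith("227"):
            addr, port = parse_pasv_reply(text)
            return ("client->server data", client_ip, addr, port) if addr == server_ip else None
    except ValueError:
        return None                      # malformed negotiation: open nothing
    return None


# Constructed control-channel lines between client 10.1.2.3 and server 198.51.100.7.
CONTROL_CHANNEL = [
    "USER anonymous",
    "PORT 10,1,2,3,4,1",                                   # active mode: 10.1.2.3 port 1025
    "227 Entering Passive Mode (198,51,100,7,195,80)",     # passive mode: port 50000
    "PORT 203,0,113,9,0,80",                               # names a third host: refused
    "PORT 10,1,2,3,999,1",                                 # malformed: refused
]


def walk_control_channel(lines, client_ip="10.1.2.3", server_ip="198.51.100.7"):
    """Pinholes an FTP-aware filter would open while watching the control connection."""
    return [pinhole_for(line, client_ip, server_ip) for line in lines]


if __name__ == "__main__":
    for line, rule in zip(CONTROL_CHANNEL, walk_control_channel(CONTROL_CHANNEL)):
        print(f"{line:50} -> {rule}")
```

Each pinhole is tied to one negotiated address and port, so the firewall never has to leave a whole range of high ports open to make FTP work; that is the practical gain of inspecting Layer 7 that the column is pointing at.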
But several products give you detailed control over a large range of application-layer protocols without impacting network performance too much, so do your homework.

Firewall Decision Points

In addition to Layer 7 filtering, you'll also want to consider these criteria in your firewall buying decision:

• Protocol support. Does it support the protocols you use in your network, and does it perform the filtering you need? How detailed is the inspection for the protocols it supports? For example, ISA 2004 supports most protocols typically used in a Microsoft networking environment. If you need application-layer protection for protocols more prevalent in a Unix environment, ISA Server may not be the right firewall for you.

• Performance. Firewall vendors try to dazzle you with numbers about how much network traffic their firewalls can handle. Often these numbers aren't important, because your Internet connection turns into a bottleneck before the firewall does. Instead, look for numbers that show typical application-layer filtering network throughput.

• Ease of use. This isn't just an issue of convenience. If configuring the firewall is difficult, you're likely to create an insecure configuration, which can allow hackers to break through even the best firewalls on the market.

• Support. The quality of customer support varies widely among firewall vendors. Consult with your colleagues and search the Internet to find out whether a firewall vendor can provide the quality of technical support you need.

• Features. Most firewalls can do more than filter network traffic. You can find firewalls that are also VPN servers, caching servers, anti-virus gateways or intrusion detection systems (IDSes). If you need any of these features, ensure that they're integrated well and that the integration provides value over stand-alone solutions.

• Price. In the firewall industry, more expensive doesn't necessarily equate to better performance. Prices for firewalls with similar features can vary by thousands of dollars. When comparing prices, make sure you account for the price of optional features, client licenses, maintenance fees and additional license costs due to future network growth (see "Firewall Pricing," this page, for more information).

• Reputation. Management sometimes mandates buying a firewall from one of the market leaders. You may find a better and cheaper solution for your network, but before making a purchasing decision, make sure management backs your decision.

• Certifications. Many firewall vendors have chosen to obtain Common Criteria or ICSA Labs certification for their firewalls. These certifications assure that the firewall has passed rigorous independent testing.

• Expertise. Review whether your staff can adequately support the firewall. If your company is Windows-focused, avoid a Unix-based firewall, and vice versa.

Recommendations

Of all the criteria, application-layer protection is the most important feature of firewalls today. For most buyers it should be the first item evaluated. Two of the most advanced application-layer firewalls today are Check Point's FireWall-1 and Microsoft's ISA Server. Take a good look at one or both of them (evaluation versions of both are available). Cisco's PIX firewall, the most popular hardware firewall, is very good at packet filtering. But if you add application-layer filtering capabilities via add-ons, you may see performance degradation. WatchGuard Technologies has recently added new features to its line of firewalls, and provides some of the best application-layer protection among hardware firewalls.

Go to Redmondmag.com and follow links to the firewall vendors mentioned here. FindIT Code: PickFirewall

Firewall Pricing

Firewall prices range from hundreds of dollars to hundreds of thousands of dollars. Assessing costs should always be the last step in deciding on a firewall product, because when you're comparing firewall prices, you're comparing apples with oranges—with a few lemons thrown in. For example, some firewalls are licensed based on seats, others on concurrent connections. Still others require a per-processor license. If client licenses are required, will your calculation be the same when your company grows? Additional features are another issue: Do the built-in reporting capabilities of one firewall match those that have to be purchased separately with another product? Does installing software on a Linux platform instead of a Windows platform really save you money? Is centralized management something you really need?

Because one organization's firewall requirements aren't the same as those of another, I recommend evaluating pricing as the last item. First, make a list of all firewall products that meet your minimum requirements and try to assign a value to the additional features each has. If you start comparing prices at this point you'll get much more meaningful results. — J.W.

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide. Reach him at [email protected].
REDMOND magazine (ISSN: 1081-3497, USPS: 0015-657) is published monthly by 101communications LLC, 9121 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. © 2005 by 101communications. All rights reserved.
Ten
Names for Windows XP sans Media Player
By Paul Desmond

This column requires a bit of introduction, in part because the meat of the column, the actual 10 items, won't take up much space, and I've got to fill the page somehow. First the European Commission (EC) found Microsoft guilty of antitrust violations and forced it to sell in Europe a version of Windows XP without the Windows Media Player, to level the playing field for other media players. As if that and a fine of more than $600 million weren't harsh enough, the EC also demanded (free) naming rights for the new version. Including its initial proposal, Microsoft submitted 10 names for consideration, all of which the EC rejected. But not without good reason.
The EC, it turned out, came up with a name of its own: Windows XP Home Edition N and Windows XP Professional Edition N. The N, of course, refers to the Windows Media Player—as in, “no,” “nay,” “never,” “nein,” “non,” “nej.” I can hear the Brits now: “Brilliant!”

When this news broke, our News Editor, Scott Bekker, was without Internet access, left alone in his office with nothing to do but think—a volatile situation. Sure enough, Scott called me up and said, “This is a natural Ten column.” I readily agreed and immediately sent e-mail to Microsoft’s PR folks, asking for the list of rejected names, and explaining why I wanted them. “It’s Bekker’s fault,” I said. “It was all his idea. Don’t blame me.” Not that it mattered. “We are not able to participate in this particular opportunity,” a spokesman replied.

GetMoreOnline: Read more about the naming debacle, and the rest of the saga on Microsoft’s problems with the EC, on Redmondmag.com. FindIT code: ECNames (redmondmag.com)

Not one to let a good column idea die for a small matter like a near-complete lack of facts, I have decided to instead simply guess what the rejected names were.

Windows XP Reduced Media Edition. I say “near-complete” lack of facts because we do know that this name was rejected. And I can see why. “Reduced Media” just doesn’t have the same marketing panache as “N.” I’m sure the EC was simply trying to save Microsoft from making a horrible, costly mistake.

Windows XP Stick in Your Eye Edition. This was Bekker’s contribution to the madness that he, after all, started. It is much appreciated, but I have to believe that, had his Internet connection gone out again, I would’ve gotten a couple more ideas out of him.

Windows XP King Solomon Edition. This one got some consideration from the European Union countries that still have a monarchy, which thought Microsoft was throwing them a bone. Then the collective, “Hey, wait a minute, wise-guy” hit, at which point Britain threatened to revoke Bill Gates’ honorary knighthood.

Windows XP Pepé Edition. The EC saw right through this attempt at subliminal messaging on Microsoft’s part. “Pepé,” of course, refers to Pepé Le Pew, the amorous skunk with the French accent. Pepé was lovable and certainly tried hard, but let’s face it—he stunk, mon ami.

Don’t Buy This Edition of Windows XP Edition. Subtle, yes?

Windows XP Happy? Happy Now? Edition. Inspired by the scene from “High Anxiety” when the bellboy that Mel Brooks had been bugging for a newspaper brings it to him while he’s in the shower and whacks him with it, a la the shower scene from “Psycho.” “Here, here’s your paper! Happy? Happy now?” If you haven’t seen the movie, do yourself a favor and go get it right this minute. (Cloris Leachman as Nurse Diesel is priceless.)

Windows XP CEE. EC regulators almost went for this one, figuring it was somehow related to the Windows CE handheld OS. Then they found the secret Microsoft memo that spelled out the real meaning: Crappy European Edition.

Windows XP EuroTrash Edition (with Pop-Ups!). This edition comes with a free copy of the Cracker song, “Euro-Trash Girl,” which of course plays only on the Microsoft Media Player.

Windows XP Less Is Less Edition. In the era of low-carb, low-fat, low-everything diet plans, Microsoft figured a “low-app” approach might fly. But the whole weight thing is largely a U.S. problem, and the EC wasn’t biting.

Windows XP YDWNSMPYAGNSMP Edition. Give up? C’mon, it’s obvious. This is the You Don’t Want No Stinkin’ Media Player, You Ain’t Got No Stinkin’ Media Player Edition.

Desmond is editor of Redmond magazine. Reach him at [email protected].

Today, the world. Tomorrow, the Twin Cities. Up to your neck in patches? Introducing Shavlik HFNetChkPro™5.
With 50 awesome new features, it helps you cut a mountain of patch management tasks down to size. Keeping your workstations and servers updated with the latest patches can be overwhelming, particularly when you’ve got better things to do. That’s why new Shavlik HFNetChkPro™5 is available with a variety of time-saving capabilities such as distribution servers, SafeReboot™, email notification, and enhanced graphical reporting. Plus, it integrates seamlessly with our upcoming anti-spyware product, Shavlik NetChk™ Spyware.

The newest release of the industry standard security patch management solution!

To download our trial version, visit www.shavlik.com, call (800) 690-6911 or email us at [email protected]. Secure Your Vision.™

Shavlik drives patch management solutions for these industry leaders:

©2005 Quest Software, Inc. All rights reserved. Quest and Quest Software are trademarks or registered trademarks of Quest Software. All other brand or product names are trademarks or registered trademarks of their respective holders.

Full compliance. Without penalties. Now you can report, enforce and comply with Quest.

Finally, you can comply with the many internal policies and external requirements. Reduce administrative overhead, IT expense and day-to-day management time. Streamline IT operations, improve compliance and ROI at the same time. Quest provides a solution with comprehensive reporting and enforcement products for your Active Directory, Exchange, and Windows infrastructures. Quest—Microsoft’s 2004 Global ISV Partner of the Year—helps you leverage your existing infrastructure, allowing you to get more from your Windows environment.

Find out more. Learn how to report, enforce and comply. Get your free white paper titled: IT Compliance Strategies for Improved ROI today.

Visit www.quest.com/Comply to get your free white paper.

Application Management | Database Management | Windows Management