Redmond Magazine, March 2006: The 800-Pound Gorilla (transcription)
0306red_cover.v2 2/14/06 10:45 AM Page 1 Spyware: Readers Strike Back! 39 MARCH 2006 The W W W. R E D M O N D M A G . C O M 800-Pound Gorilla $5.95 1 25274 867 27 7 MARCH • 03 > Can Microsoft Be Knocked Off Its Perch? 28 New Column Mr. Roboto: Automation for the Harried Administrator 50 Your Worst IT Nightmare 45 Project2 1/20/06 10:55 AM Page 2 Get your FREE trial version of GFI MailSecurity today! GFI MailSecurity for Exchange/SMTP is an email content checking, exploit detection, threats analysis and anti-virus solution that removes all types of email-borne threats before they can affect your email users. GFI MailSecuritys key features include multiple virus engines, to guarantee higher detection rate and faster response to new viruses; email content and attachment checking, to quarantine dangerous attachments and content; an exploit shield, to protect against present and future viruses based on exploits (e.g., Nimda, Bugbear); an HTML threats engine, to disable HTML scripts; a Trojan & Executable Scanner, to detect malicious executables; and more. GFI MailSecurity for Exchange/SMTP Features Multiple virus engines Norman Virus Control and BitDefender virus engines included Kaspersky and McAfee virus engines optional Trojan & Executable Scanner Email content and attachment checking Exploit shield HTML threats engine disables HTML scripts Best of breed Exchange and gateway message scanning technology Spyware detection Detection of attachment extension hiding Embedded mail scanning Approve/reject quarantined mail using the web-based moderator Seamless deployment with Exchange Server User-based, flexible rules configuration Checkmark and ICSA certified Used by customers like Caterpillar, IBM, NASA, US Navy, Fujitsu and many others GFI MailSecurity supports multiple virus engines t e l : + 1 ( 8 8 8 ) 2 4 3 4 3 2 9 | f a x : + 1 ( 9 1 9 ) 3 7 9 3 4 0 2 | e m a i l : s a l e s @ g f i u s a . c o m | u r l : w w w. g f i . 
c o m / r m s Project2 1/20/06 10:54 AM Page 1 Whos guarding your mail server? Fifi = a single anti-virus engine! Buster = the real thing! Onl $925 fo y r users! 50 Get the leading email content security & anti-virus solution! Multiple virus engines Exploit shield & HTML threats engine Email content checking/filtering Trojan & executable analyzer Get a FREE trial version today from www.gfi.com/rms Project2 1/4/06 11:14 AM Page 1 0306red_TOC_1.v5 2/14/06 2:20 PM Page 1 Redmond MARCH 2006 W W W. R E D M O N D M A G . C O M Winner for Best Computer/Software Magazine 2005 THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY REDMOND REPORT 9 Vista Security: Worth Paying For? Why the next version of Windows may not be as secure as you think. 10 Next Chapter Opens for Open Formats Massachusetts reaffirms its open format vision with new CIO. 12 Windows Vulnerabilities for Sale COVER STORY ILLUSTRATION BY GERAD TAYLOR The 800-Pound Gorilla Hackers sold the WMF zero-day exploit for as much as $4,000 on Russian black market Web sites. Windows and Office each dominate the landscape, like King Kong on Skull Island. What would it take to shoot this monkey down and give other species a fighting chance? Microsoft Banishes Beta Smaller, faster Vista test cycles already improving feedback. COLUMNS Page 28 4 39 Reader Tips: Do Away with Spyware Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties. 45 Never Again Page 39 What’s the worst thing that’s happened to you in your IT career? Readers share their scariest on-the-job experiences, and you can learn from their mistakes. 22 Beta Man: Don Jones Windows Goes High Performance 50 NEW COLUMN Mr. Roboto: Don Jones Service Pack It Up 52 Windows Insider: Greg Shields Down the Winding InfoPath REVIEWS 13 Kill Two Birds with One Stone NetChk Protect combines the functionality of Shavlik’s patching and anti-spyware tools in a single console. 
16 Schedule Jobs the Easy Way The latest version of SmartBatch helps you centralize and streamline Windows job scheduling. Barney’s Rubble: Doug Barney Linux (and the Mac) Aren’t Even Trying FEATURES 20 Manage the Forest and the Trees Administer your entire Active Directory domain from one location. 25 Your Turn: BizTalk Server: Getting Better All the Time Users say Microsoft BizTalk Server 2004—and the 2006 version—significantly ease enterprise application integration. 57 Security Advisor: Joern Wettern That Isolated Feeling 64 Foley on Microsoft: Mary Jo Foley Is Microsoft Buying into the Web 2.0 Hype? ALSO IN THIS ISSUE 2 Redmond Magazine Online 6 [email protected] 63 Ad and Editorial Indexes COVER ILLUSTRATION BY GERAD TAYLOR 0306red_OnlineTOC.v6 2/14/06 10:53 AM Page 2 Redmondmag.com MARCH 2006 REDMOND COMMUNITY Redmond Newsletters • Redmond Report: Delivered to your inbox three times a week—featuring news analysis, context and laughs. By Redmond’s Editor in Chief Doug Barney. FindIT code: Newsletters • Security Watch: Keep current on the latest Windows network security topics. This newsletter features exclusive, online columns by Contributing Editor Russ Cooper of NTBugTraq fame. FindIT code: Newsletters Discussion and Forums Post your thoughts and opinions under our articles, or stop by the forums for more in-depth discussions. FindIT code: Forum Your Turn The interactivity center of the Redmond universe, where you get to express your views. FindIT code: YourTurn OTHER 101COMMUNICATIONS SITES RCPmag.com Winning the Linux Wars Can you sell against free? Get the partner perspective on taking on open source. FindIT code: RCPLW ENTmag.com Upgraded Backup Tool Restores to ‘Dissimilar’ Hardware UBDR Gold restores files to a machine not physically identical to the one the backup was performed on. FindIT code: ENTUPT CertCities.com Forcing Group Policy Application Derek Melber on ensuring Group Policy configurations you set up stay that way. 
FindIT code: CCGPA TCPmag.com Q&A: Are You Experienced? Break into the networking field. FindIT code: SMExp REDMONDMAG.COM Want More of What You Read in Redmond? Visit the TechLibrary on Redmondmag.com! The TechLibrary section of Redmondmag.com is your resource for more in-depth information for the topics we cover here in Redmond. For example, right now in the TechLibrary you can download a free, expanded copy of this month’s cover story on p. 28, “The 800Pound Gorilla” (FindIT code: GORPDF), in which author Doug Barney offers FindIT code: GORPDF even more on the challenges Microsoft faces in the future. And since we know you can never have too much disaster recovery information, we’ve also just posted a PDF featuring an expanded version of last month’s cover story, “Worst Case Scenarios” (FindIT code: WCPDF). All PDFs in our TechLibrary are free, although a one-time registration is required. Get these resources today and find out more about what our TechLibrary has to offer (FindIT code: TechLibrary). FindIT code: WCPDF • MCP Radio: Host Michael Domingo interComing to views Zenprise Marketing MCPmag.com Manager Ahmed Datoo in March: and Macrovision Product • Recovering from Manager Bob Corrigan Chaos: Disaster Recovery • SBS Live! Microsoft Tales from the Trenches MVP and Small Business • What’s all the hubbub Office Servers? Read Mike Gunderloy’s take Server expert Andy Goodman around security patches on MCPmag.com. heads this one-hour SBS from non-Microsoft troubleshooting chat on March 21 sources? Mike Gunderloy takes a closer look at how our patching practices can be better • Greatest Scripting Hits: Don Jones Throughout Redmond magazine, looks at his most popular scripts ever you’ll discover some stories contain • Your Network Troubleshooting FindIT codes. Key in those codes at Redmondmag.com to quickly access pains can be eased here: Send expanded content for the articles your networking woes to containing those codes. 
[email protected] with “IT Just enter the code in the box at Help” and get assistance from our the top-right corner of any page sharp networking and server experts on Redmondmag.com. Note that all FindIT codes are one word, and are Chris Wolf, Zubair Alexander and not case sensitive. Sekou Page MCPMAG.COM 2 | March 2006 | Redmond | redmondmag.com | FindITCodes Project7 1/11/06 11:17 AM Page 1 WE FIND THEM BEFORE THEY FIND YOU. Web Security Web Filtering Endpoint Security Websense® Security Labs TM You can’t afford to sit around and wait for the next attack, and neither can we. Websense® Security Labs™ scans over 350 million websites a week, discovering spyware, viruses and other web-based threats before they get to you. Get proactive. www.websense.com/security © 2006 Websense, Inc. All rights reserved. 0306red_Rubble4.v6 2/13/06 3:14 PM Page 4 Barney’sRubble Doug Barney Linux (and the Mac) Aren’t Even Trying S ay what you will about Larry Ellison and Scott McNealy, when they tried to topple the Microsoft desktop monopoly with thin clients, they put their hearts into it. Like you, I got pretty sick of the speeches, grandstanding and pithy quotes, but at least they were out there mixing it up. It ultimately didn’t work (Citrix owns the thin client space and they all run Windows!), but they gave it their best shot. Today’s XP rivals consist of a dozen or more flavors of Linux clients, and the Mac. The programmers building Linux take it seriously—but none of the companies selling (or giving away) this stuff really seem to care about desktops and laptops. Right now the Linux PC market is fragmented worse than a champagne glass at a Jewish wedding. Meanwhile, we’ve never been called by Apple asking us to review its latest machines (and the company never thanked me for a recent gushing editorial or two), nor is it telling us why Apple is such a great alternative for the enterprise. 
In love with its iPod success, the company barely seems to care about the Mac—unless it is to gain a couple of home market share points. Linux is a newer entrant and its failure is more egregious. For more than a year I tried to put a major Linux exec on the cover. Every time I had something lined up with Novell, its leader would quit or get the boot. At least Novell gave us the time of day. Red Hat is another story. For that same year I pestered the company seeking an interview with the CEO—with no response. I’ve never seen such a PR black hole. Finally, after calling his office directly, Red Hat got back to me, and in no uncertain terms told me that Linux at this point is not an alternative to Windows clients, and it isn’t competing with Microsoft in this space. Shocked? So was I! Linux is an alternative, if companies like Red Hat want it to be. A unified Linux with easy installation, application support, and a decent array of drivers could be a worthy alternative—could. And Red Hat—more than anyone— could make this happen. This is all pretty funny. Redmond magazine serves the Windows community, yet we’re interested in presenting alternatives to Microsoft. But the alternatives aren’t interested in presenting themselves! That’s why it’s easy to say they aren’t serious about competing with Microsoft. In this market, if you play dead, you are dead. What do you think about the so-called alternatives to Microsoft? Tell me at [email protected]. See You in Orlando! Later this month Redmond magazine will be in Orlando for our TechMentor conference. There’s still time to register at http://techmentorevents.com. If you show up, make me buy you a beer.— 4 | March 2006 | Redmond | redmondmag.com | Redmond THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY MARCH 2006 ■ VOL. 12 ■ NO. 3 Group Publisher Henry Allain Redmond Media Group Editorial Director Doug Barney Redmond Media Group Group Associate Publisher Matt N. 
Morollo Redmond Media Group Editor in Chief Doug Barney [email protected] Editor Keith Ward [email protected] Executive Editor, Reviews Lafe Low [email protected] Editor at Large Michael Desmond [email protected] News Editor Scott Bekker [email protected] Managing Editor, Wendy Gonchar Web Editor [email protected] Editor, Redmondmag.com, Becky Nagel CertCities.com [email protected] Editor, MCPmag.com Michael Domingo [email protected] Editor, ENTmag.com Scott Bekker [email protected] Associate Editor, Web Dan Hong [email protected] Contributing Editors Mary Jo Foley Don Jones Greg Shields Joern Wettern Art Director Brad Zerbel Senior Graphic Designer Alan Tao Director of Marketing Michele Imgrund Senior Web Developer Rita Zurcher Marketing Programs Associate Videssa Djucich Director of Print Production Mary Ann Paniccia Enabling Technology Professionals to Succeed President & CEO Executive VP & CFO Executive VP Senior VP & General Counsel Senior VP, Human Resources Jeffrey S. Klein Stuart K. Coppens Gordon Haight Sheryl L. Katz Michael J. Valenti Redmondmag.com The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher. Postmaster: Send address changes to Redmond, P.O. Box 2063, Skokie, IL 60076-9699 Project6 1/13/06 3:53 PM Page 1 ! ! ª3FE)BU*OD"MMSJHIUTSFTFSWFEi3FE)BUwBOEUIF3FE)BUi4IBEPXNBOwMPHPBSFUSBEFNBSLTPSSFHJTUFSFEUSBEFNBSLTPG3FE)BU*ODJOUIF64BOEPUIFSDPVOUSJFT-JOVYJTBSFHJTUFSFEUSBEFNBSLPG-JOVT5PSWBMET"%464 0306red_Letters_6.v4 2/13/06 2:30 PM Page 6 [email protected] Stand Up I’m stunned that Redmond’s advice to those threatened with software audits is to roll over for these thugs [“Software Raids: Surviving an Audit,” January 2006]. The BSA and SIIA are shakedown organizations, lacking the force of law. The proper response to such gross intrusions of privacy is to fight them tooth and nail. If the software audit blackshirts start harassing you, quickly move to open source software. 
Better to have an open source transition plan ready to go the moment a threatening letter appears in your mailbox, than to have to deal with the likes of the BSA and SIIA marauders. Make it as costly as possible for them to audit you, and ensure that you move to products whose vendors are respectful of the fact that violated customers don’t buy twice. Micah B. Haber Nashua, N.H. Roundup Rebuttal By reviewing an older version of Camtasia Studio (“Allow Me to Demonstrate,” February 2006), Redmond has done a disservice to its readers. They were led to believe that Mr. Jones was reviewing the latest version, when in fact he reviewed the 2003 version. The current edition of Camtasia Studio is significantly different. This is a disservice to TechSmith, but much worse, to Redmond readers who look to the magazine as a resource for their purchasing decisions. If the reviewer had called TechSmith or visited the Web site, he would have learned about the current version. I look forward to seeing a review of Camtasia Studio 3.1 in your magazine so your readers can learn Troy Stein about its new features. TechSmith Contributing Editor Don Jones responds: I was very clear about which version I reviewed. I realize new versions of products are continually released, but publication deadlines are often far in advance of actual publication date and we can’t delay publication until every company involved has released their latest and greatest. The 3.1 version of Camtasia came out in January Busted Stuff [In reference to Barney’s Rubble, “A Tangled Web of Services,” January 2006] The reason for fatter clients is pretty obvious—disk space is a cheap commodity, and shows every sign of getting cheaper. But, there are many vested interests limiting effective net bandwidth, and not a lot of real competition in most places. Oh sure, one day we’ll all be on fiber or secure 100GB wireless, but until then, best keep your valuable stuff on your Owen Gilmore pluggable USB drive. 
Every Rose Has Its Thorn After reading the December 2005 column, “Rose-Colored Google Glasses,” by Doug Barney, I feel his portrayal of Google as a dime-a-dozen, Web-based Internet company is all wrong. Although Open Office has next to no market share, it doesn’t mean that the programs are useless. For a small business that can’t afford steep license fees, it would truly be a great alternative. It’s also great to repair corrupt office documents. Open Office could very well be a threat to Microsoft Office if Google could implement it correctly. Barney also claims “Google isn’t so much an innovator as it is an imitator.” I haven’t seen anything that has come out of the Microsoft machine that’s truly innovative for 10 years. Using “Microsoft” and “innovation” in the same sentence makes me nauseous. However, Google as a search engine was the first full-text search engine. I would categorize this as “an act of doing something different,” which is Barney’s definition of innovation. Seeing the reaction from Microsoft in response to anything that Google does is very entertaining, and downright pathetic. Marc Read, MCP San Mateo, Calif. Nevada, Iowa 2006. The Redmond Roundup had been in the works for months and came out in the February 2006 issue (the completion of which occurred in mid-January). I’ve used Camtasia for several years and generally like it. I’ve produced about 14 hours of training videos with it and I understand it pretty well. Sometimes the ratings encompass things that aren’t easy to make clear in the next. For example, I felt Camtasia is indeed easy to use, but for tasks like adding annotations, editing annotations and modifying captured video, I felt Captivate was easier. Look for a follow-up review of the 3.1 version of Camtasia coming up on Redmondmag.com. 6 | March 2006 | Redmond | redmondmag.com | Project1 2/1/06 12:20 PM Page 1 Introducing a version of the future that’s compatible with the present. 
It’s easy to add a mobile email solution when it works with ® TM your current email solution. The Palm Treo smartphone is compatible with multiple email servers and vendors.* Plus, it’s easy to manage, deploy and secure. With integration this simple, the future is looking bright. Try the Treo smartphone with GoodLink enterprise email free for 30 days. Find out more today at palm.com/business. The Treo smartphone is now available on Windows Mobile® and Palm OS® platforms. Wireless service plan required. Wireless coverage may not be available in all areas and is subject to interruption. Email and web require wireless data services and ISP, additional charges apply. *Third party software may be required, sold separately. Screen image simulated. ©2006 Palm, Inc. All rights reserved. Palm and Treo are among the trademarks or registered trademarks owned by Palm, Inc. Other brands are trademarks of their respective owners. Project4 1/24/06 11:51 AM Page 1 Your weapon: CounterSpy Enterprise. Centralized spyware eradication. Console, you have the ability to centrally control what actions are taken when these monitors detect change on the desktops. Spyware: the new number one enemy for IT. Recent surveys of IT specialists show that spyware infections have reached epidemic proportions and that existing antivirus tools are not enough to fight the war on spyware. Spyware is one of the most serious security threats and productivity killers today. For the enterprise, common antispyware and antivirus can’t cut it. CounterSpy Enterprise: Knock out spyware from one centralized location. Company-wide spyware management requires a real enterprise product with centralized management. CounterSpy Enterprise is just that: a scalable, policy-based, antispyware tool built from the ground up for system and network administrators to kill spyware quickly and easily. Real-time protection. Active Protection™ Monitors The best spyware database in the industry. Period. 
CounterSpy Enterprise’s database has been independently validated as the best antispyware database in the industry. Why? It benefits from multiple sources for new spyware definitions, including Sunbelt’s Research Team, information collected from consumer users through Sunbelt’s ThreatNet™, and Microsoft. No other antispyware product can claim that! Free trial. Find out how many machines in your organization are infected NOW. Scan the machines in your enterprise for free. Download the trial at www.sunbelt-software.com/csered. deliver real-time desktop protection to workstations to reduce the chance of spyware infection. From the Admin SPECIAL OFFER: Evaluate the FREE trial and get a “HIT SPYWARE. HARD.” t-shirt: www.sunbelt-software.com/csered Sunbelt Software Tel: 1-888-NTUTILS (688-8457) or 1-727-562-0101 Fax: 1-727-562-5199 www.sunbelt-software.com [email protected] © 2006 Sunbelt Software. All rights reserved. CounterSpy and ThreatNet are trademarks of Sunbelt Software. All trademarks used are owned by their respective companies. 0306red_Report_9-12.v4 2/13/06 3:07 PM Page 9 RedmondReport March 2006 INSIDE: Windows vulnerabilities sold on Russian black market. Page 12 Vista Security: Worth Paying For? Why the latest version of Windows may not be as secure as you think. BY MICHAEL DESMOND Outgoing Microsoft executive Jim Allchin has been stumping hard for Windows Vista, as the much-anticipated client operating system enters its stretch run. By the time you read this, the nearly feature-complete beta 2 of Vista should be in testers’ hands. But while Vista offers a host of improvements over Windows XP—including the touted Aero Glass GUI—the most compelling reason to step up to Vista could be security, Allchin argues. He has a point. Windows XP SP2 patched a lot of holes in the Windows foundation, but it clearly did not finish the job. 
Internet Explorer remains a busy route for malware infection, and Windows’ user privileges structure ignores that most basic tenet of security—thou shalt not run as root. One look at the list of security-centric improvements in Vista, however, shows that Microsoft is working to plug the remaining holes. Among the changes: Windows Service Hardening: Prevents compromised Windows services, which run silently in the background, from making changes to key file system or Registry settings. Internet Explorer Protected Mode: IE7 will run on Windows XP, but under Vista it gains the benefit of “protected mode” operation, which denies the browser the right to change user settings or data. Hardware Level Data Protection: The new BitLocker secure startup feature provides full volume encryption, locking up Windows system files and the hibernation file. Hardware hooks for the Trusted Platform Module (TPM) 1.2 chip should ease management. Bi-directional Firewall: The Windows Firewall will finally assess and filter both inbound and outbound application traffic. The client firewall can be managed via Group Policy. Network Access Protection: Once Windows Server “Longhorn” gets deployed, client-side agent software will enable servers to assess the security state of client systems and prohibit entry to those that fail. Perhaps most important is User Account Control (UAC): It allows users with restricted system rights to enter a password and gain administrative privileges for a specific task, such as installing a device driver (see Figure 1). Today, such a task requires logging out of the limited rights account and logging back in as an administrator. No surprise, many users simply log on as administrators all the time and leave their PCs wide open to manipulation by uninvited malware. UAC finally applies a model that has been employed in the Linux world for years. It’s an impressive list, but Gartner Inc. 
Vice President and Distinguished Analyst Neil MacDonald contends that it remains incomplete. While consumers and small businesses should be well-served, the new security tweaks fall short for most enterprises. MacDonald singles out service hardening, which prevents malware from hijacking background processes. “Microsoft is late putting it into the operating system and they are only doing it for Windows services. It’s another one Figure 1. Making a change that requires admin privileges? You’ll be challenged to provide a password each time. that’s a great step in the right direction, but if I want full functionality, I am going to look at a third-party product,” MacDonald says, citing Symantec’s Critical System Protection as an example. He also voices concerns about gaps in features such as BitLocker full volume encryption, which can house keys on USB dongles. “The drawback is, if I stick those keys on the USB dongle, and I leave the dongle in the laptop … then I’ve just blown my protection,” says MacDonald, who wonders why the encryption won’t extend to devices like USB hard drives. “There are bits and pieces Microsoft is tackling here.” Windows Vista could create new security concerns, as well. The powerful desktop search feature is a vast improvement over the clumsy facility in Windows XP. One possible enhancement is the ability to search on metadata keywords input by users. But MacDonald thinks the feature may compound a long-standing problem with Microsoft Office and other files. “The issue is the inadvertent disclosure of metadata,” MacDonald says. “Now you can take a file and add even more metadata to it, and you have layers of metadata as it were.” Microsoft has released client-side tools for Office that let users strip metadata | redmondmag.com | Redmond | March 2006 | 9 Project2 2/6/06 2:37 PM Page 1 Fig. 1a Seeing desktop management problems everywhere? The solution is here. See back for details and FREE t-shirt offer. 
Project2 2/6/06 2:38 PM Page 2 Desktop Authority® Triumph over your worst desktop management phobias. Script writing stress syndrome? Compliance access issues? Deep-seated spyware phobia? Now there’s a comprehensive, award-winning solution that relieves these conditions — and more — by centralizing desktop management for you. With Desktop Authority®, you can gain control over desktop management and break through to heightened productivity. Download the FREE 30-day trial now and get a FREE T-shirt! www.scriptlogic.com/inkblot © 2006 ScriptLogic Corporation. All rights reserved. The ScriptLogic and Desktop Authority logos are registered trademarks of ScriptLogic Corporation in the United States and/or other countries. All trademarks used are owned by their respective companies. T-shirt offer valid while supplies last. Allow 4 to 6 weeks for delivery. 0306red_Report_9-12.v4 2/13/06 3:07 PM Page 10 RedmondReport such as author names, company data, and hidden revision marks from documents, but no such tool has been announced for metadata applied to files within Windows Vista. And the lack of a managed solution—such as a metadata scrubber at the gateway— means IT managers could face another hard-to-manage conduit for information leakage. “It’s a problem now and Vista’s features only make it worse,” says Philip Boutros, chief technology officer of Bitform Technology, a firm that specializes in scrubbing metadata from documents. “There are client side products, but they create no defense in depth and there is no global management. There is no commercial server side solution that I know about.” Windows Vista brings important and effective improvements to Windows security. The question is, are those enhancements really compelling enough to prompt a switch? “It’ll raise the bar. But again, I don’t think people will race out and buy Vista,” says MacDonald. 
“We got a lot of the goodness in XP SP2, in terms of security.” Next Chapter Opens for Open Formats Massachusetts reaffirms its open format vision with new CIO. BY MICHAEL DESMOND When former Massachusetts CIO Peter Quinn resigned his post on Jan. 9, it looked like the months-long effort to require open, standardsbased file formats in state government might fail. The initiative has drawn strong opposition from Microsoft, which has thousands of copies of Microsoft Office installed on systems in the state government. In his resignation letter, Quinn cited political pressure and difficult working conditions created by the high-stakes standoff. The conflict hit a low point last Nov. 26, when The Boston Globe published a front-page article detailing a state investigation into improperly managed travel by the CIO. Those allegations were quickly discredited—Quinn’s manager Eric Kriss approved all the travel—but the damage was done. Now it appears the format push could get a second wind, with the appointment of Louis Gutierrez as CIO of the Information Technology Division (ITD) on Feb. 6. A statement released by Massachusetts Administration and Finance Secretary Thomas Trimarco specifically notes that “Gutierrez will be responsible for overseeing the final stages of implementation of the state’s new Open Document format proposal, to go into effect in January 2007.” But even if the state mandates standards-based file formats, it doesn’t BytheNumbers Critical Patch Intervals Increase Microsoft almost indisputably spends more money, time and effort on security than any other company. That’s not really a compliment, however—if its products weren’t so laden with security holes, the company wouldn’t have to dedicate so many resources to the issue. However, all that attention hasn’t shortened the cycle between a critical vulnerability being found in one of its products and a patch being released for that vulnerability. 
Washingtonpost.com IT security reporter Brian Krebs recently did some digging and found that the “critical vulnerability/patch” cycle actually takes longer than it did several years ago. Year 2003 2004 2005 Number of Critical Patches 33 29 37 Average No. of Days from Report to Patch 90 134 133 Stephen Toulouse, a security program manager at Microsoft, verified the figures. He told Krebs that the longer cycle starting in 2004 is likely due to extra diligence on Microsoft’s part, making sure the patches work across the breadth of the network, and that they don’t break anything else. It’s also worth noting that there hasn’t been an appreciable rise in critical vulnerabilities in the last three year (a “critical” vulnerability is general regarded as one that will give a successful attacker full control of a system). Krebs’ article can be found at http://tinyurl.com/8un7f. — KEITH WARD mean Microsoft’s goose is cooked. In January, Trimarco’s office lauded an announcement that Microsoft would submit its XML-based Office schema to standards body Ecma International. “If Microsoft follows through as planned, we are optimistic that Office 10 | March 2006 | Redmond | redmondmag.com | Open XML will meet our new standards for acceptable open formats,” Trimarco said in a statement. In short, we could end up where we started—with Microsoft Office firmly ensconced on tens of thousands of government PCs in Massachusetts. Project7 9/15/05 3:01 PM Page 1 0306red_Report_9-12.v4 2/13/06 3:07 PM Page 12 RedmondReport Windows Vulnerabilities for Sale Hackers sold the WMF zero-day exploit for as much as $4,000 on Russian black market Web sites. BY MICHAEL DESMOND When the WMF zero-day exploit emerged for a previously unknown Windows flaw, it prompted a lot of concern. After all, the lack of advance warning meant that PC owners were unable to harden their PCs against the attack. 
That concern took on a new tenor when researchers at Kaspersky Lab discovered that hackers had been selling the exploit on the black market for as much as $4,000. For Shane Coursen, senior technology consultant for Kaspersky, the discovery is part of a larger trend. “We really started seeing [this activity] ramp up early last year. To somebody in our field, it comes as no surprise whatsoever.” According to Kasperky spokesperson Derek Lyons, hackers in Russia started working in early December to develop an exploit against a flaw in the graphics handling engine of Windows. Within a week or so, the group crafted WMF files that would allow code to execute on Windows PCs. The exploit turned up for sale from at least two different groups around the middle of December. Security firm F-Secure reported the existence of the WMF exploit on Dec. 27. Microsoft produced a patch for the flaw on Jan. 5, a few days ahead of the scheduled Patch Tuesday release. The timeline underscores an undeniable trend in malware activity. “What these guys are doing is writing these little programs to be used for little more than Internet crime and financial gain,” Coursen says. Spyware and adware companies tap the secretive market for blackmarket malware to spread their wares, Coursen says. The WMF exploit, for instance, was used to install a variety of spyware packages, including one that posed as anti-virus software. The demand makes for a thriving black market in code exploits. “These adware companies are hiring professional programmers to write programs that are able to bypass security measures, and they are paying pretty top dollar for their skills,” says Coursen, who calls the $4,000 price tag for the WMF exploit “a steal.” Microsoft is striving to combat the issue with initiatives like Trustworthy Computing and the Secure Development Lifecycle (SDL), which employs rigorous security planning and review in the code design process. 
The goal is to eliminate flaws such as the one exploited by the WMF malware. Coursen lauds the Microsoft effort, but he’s not getting his expectations up. “I think we can look forward to less exploitable code, but something that is completely unexploitable? No, we’ll never see that.”

Microsoft Banishes Beta
Smaller, faster Vista test cycles already improving feedback.
BY MICHAEL DESMOND

Microsoft has changed the way it delivers pre-release versions of Windows Vista to testers. Rather than ship occasional beta versions for review, the company has opted for more frequent test releases under the Community Technology Preview (CTP) Program. In effect, the switch breaks large beta releases into a series of smaller CTP releases.

“Our partners and customers requested regular access to builds so that they can more frequently test the code,” says Michael Burk, product manager for the Windows Client Division at Microsoft. Microsoft has employed a CTP program before, for instance in the run-up to SQL Server and Visual Studio 2005. The up-tempo testing is working with Vista—Burk says the last Vista CTP produced “double the amount of feedback” compared to that from the beta 1 release.

A feature-complete CTP release in February corresponded to the planned release of Vista Beta 2. From that point forward, Microsoft plans to eliminate full beta and release candidate milestones. It’s quite possible future product launches could adopt the same methodology. “The development goals and needs of every team at Microsoft are different,” Burk says. “But we’ve seen evidence that more frequent releases of code can lead to better end results, so it’s likely that CTPs or similar programs will be used more often.”—

ProductReview
Kill Two Birds with One Stone
NetChk Protect combines the functionality of Shavlik’s patching and anti-spyware tools in a single console.
NetChk Protect
Pricing starts at $35 per set
Shavlik Technologies LLC
800-690-6911
www.shavlik.com
BY CHAD TODD

There are two ongoing and inescapable tasks that any network administrator must face—patch management and spyware prevention. Both are as essential as they are incessant. If you aren’t diligent about applying software updates, you open your network to security vulnerabilities on out-of-date machines. Waiting a few months to patch a machine can mean the difference between being hacked and being secure. Last year, Gartner Inc. predicted that 90 percent of all Internet attacks during 2005 would be against previously patched security holes.

REDMONDRATING
Documentation: 15% ________ 8
Installation: 10% __________ 9
Feature Set: 35% ___________ 9
Performance: 30% __________ 8
Management: 10% ___________ 9
Overall Rating: 8.5
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

You could set your machines to automatically install all updates from the Windows update site, but that may cause more problems than it solves. This approach doesn’t allow for testing, which is essential—especially in larger environments. It’s one thing to have a “bad” patch take down 20 users. It’s quite another when that same patch takes down 2,000 users. A tool that automates patch management and facilitates testing is a must.

Keeping a diligent eye on spyware is just as critical as timely patch management. Spyware that sneaks onto your systems can gather personal information about your users’ Internet habits, and relay that to advertisers who bombard them with targeted pop-up ads. It can also kill productivity due to computer instability and unbearably slow network performance. Most anti-spyware products manage one machine at a time. You install the client and configure locally on each machine, then check in continually to make sure updates and scans are occurring as they should. Managing spyware this way will work, but it’s inefficient to say the least. In larger environments, it’s virtually impossible. Shavlik’s NetChk Protect gives you a central console with which to manage both patching and spyware prevention for all of your machines.

Figure 1. From the NetChk Protect console, you can choose which machines to scan and whether you want to scan for spyware or patch status.

Patch Management
NetChk Protect works simply and automatically. It will scan your Windows-based machines and determine their patch status. Then it generates a status report for each machine, which can be sent to you automatically via e-mail notifications. Once you know which patches need to be applied, you can push them out immediately or schedule them for later—during the evening or weekends. After patches are applied, you can reboot your machines automatically or manually.

NetChk Protect uses XML and cabinet (CAB) files maintained by Microsoft to determine the patch state of a machine. It compares the file versions on the computer it’s scanning with the XML file versions. Depending on the type of scan being performed (quick scan or full scan), it may also compare the file checksums. NetChk Protect copies all patches to the target machines and uses Microsoft’s Qchain.exe to install them all at once. This lets it deploy all patches with only one reboot. All scanning and patching takes place behind the scenes. The only thing your users will notice is whether or not a reboot is required.

The software offers four levels of patching, depending on which version you select:
• NetChk Patch, Basic Edition: This supports up to 500 machines, provides limited reporting and can run up to 13 different scanning threads at once.
• NetChk Patch, Audit Edition: This provides all of the functionality of NetChk Patch, Basic Edition. It supports an unlimited number of machines, provides more robust reporting and can run up to 256 different scanning threads at once.
• HFNetChkPro: This provides all of the functionality of NetChk Patch, Audit Edition. It supports the SafeReboot feature, gives you access to different schedulers, auto-deployment features and pre- and post-installation scripts. You can export reports in a number of different formats.
• HFNetChkPro Plus: This provides all of the functionality of HFNetChkPro. It also lets you deploy custom patches, supports a Microsoft SQL database for storing those patches and can preserve bandwidth over WAN links by using distribution servers.

Spyware Scanning
You have two general options to scan for spyware with NetChk Protect—console-based scans and machine-based scans. Console-based scans run over the network from the console machine. This can cause a lot of network traffic, but it works without having to copy anything to the target machine. A machine-based scan copies an instance of the spyware scan engine to the target machine and runs the scan “locally.” This improves the scan speed, as each machine is responsible for running its own scan. Machine-based scans also dramatically reduce network traffic.

NetChk Protect identifies and categorizes instances of spyware based on its perceived level of threat. The software will kill any destructive or invasive processes associated with the spyware. It then deletes all associated files, folders and registry data. You can also have the suspected spyware files quarantined in a secure area if you wish to inspect them later. This also provides rollback functionality. If a necessary program or file is inadvertently removed, you can easily restore it from the quarantine area. Removing spyware may or may not require that you reboot the target machine, but if so you can do it manually or automatically.

The interface for NetChk Protect is very straightforward and easy to navigate. For example, first it will ask you what you want to scan. After completing the scan, it displays a summary report of what it found. Click on details and then right click on the machine, group or domain that you want to patch and choose “Deploy patches.” You can select to deploy all patches or certain patches based on their criticality level. At this point all of the patches are pushed to the selected machines.

Simplified Scanning
Whether scanning for patch status or spyware, you can scan computers by name, IP address, domain name or Active Directory Organizational Unit (OU) structure (see Figure 1). You can also create machine groups and target your scans toward these groups. This lets you establish a test group for safely and securely testing patches before rolling them out to your entire network.

NetChk Protect supports network scanning of the following clients:
• Windows NT 4.0
• Windows 2000
• Windows XP (although you’ll have to disable simple file sharing for the scan to work properly)
• Windows Server 2003

To scan a machine—any machine—you’ll need administrative rights to that machine (which shouldn’t be a problem). You’ll also have to start the Server service and the Remote Registry service, and enable file and print sharing. Finally, you’ll need access to the remote machine over TCP ports 139 and 445, and the %systemroot% share (i.e. C$) must be accessible.

Installing NetChk Protect is a breeze. If your system doesn’t have all the requisite software components, it will automatically download and install the missing pieces during setup. The readme file says that you won’t have to reboot after installation, but I was prompted to reboot my laptop after installing NetChk Protect. It’s always a good idea to do so anyway.
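The scan prerequisites listed above (Server and Remote Registry services, TCP 139/445, the C$ share, and simple file sharing off on XP) can be checked from the console host before a scan is attempted. The script below is an added example written for this page, not Shavlik's code or any part of NetChk Protect; it assumes Windows PowerShell 5.1 on a domain-joined management host whose logged-on account has admin rights on the target, and the host name it is run against is a constructed placeholder.

```powershell
# Added example (not NetChk Protect code): report whether one target machine
# meets the remote-scan prerequisites the review lists. Assumes Windows
# PowerShell 5.1 (Get-Service -ComputerName, Test-NetConnection) run from a
# domain-joined management host with admin rights on the target.
function Test-ScanPrerequisites {
    param([Parameter(Mandatory)][string]$Computer)

    $r = [ordered]@{ Computer = $Computer }

    # 1. The Server (LanmanServer) and Remote Registry services must be running.
    foreach ($svc in 'LanmanServer', 'RemoteRegistry') {
        try {
            $r[$svc] = (Get-Service -ComputerName $Computer -Name $svc -ErrorAction Stop).Status
        } catch {
            $r[$svc] = 'NotFound/Unreachable'
        }
    }

    # 2. TCP 139 (NetBIOS session) and TCP 445 (direct-hosted SMB) must be reachable.
    foreach ($port in 139, 445) {
        $t = Test-NetConnection -ComputerName $Computer -Port $port -WarningAction SilentlyContinue
        $r["Tcp$port"] = [bool]$t.TcpTestSucceeded
    }

    # 3. The %systemroot% admin share (C$) must open; because only administrators
    #    can open C$, success here also confirms the admin rights the scan needs.
    $r['AdminShare'] = Test-Path -Path "\\$Computer\C$"

    # 4. Windows XP only: simple file sharing (the ForceGuest LSA setting) must be
    #    off, or the remote connection is mapped to Guest and the scan fails.
    #    Read it through the Remote Registry service; hosts without the value
    #    (non-XP) default to 0, i.e. "off".
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $r['SimpleFileSharingOff'] = ($lsa.GetValue('forceguest', 0) -eq 0)
        $hklm.Close()
    } catch {
        $r['SimpleFileSharingOff'] = 'RemoteRegistryUnavailable'
    }

    # Overall verdict: every prerequisite satisfied.
    $r['Ready'] = ($r.LanmanServer -eq 'Running') -and ($r.RemoteRegistry -eq 'Running') -and
                  $r.Tcp139 -and $r.Tcp445 -and $r.AdminShare -and
                  ($r.SimpleFileSharingOff -eq $true)
    [pscustomobject]$r
}

# Example run against a constructed placeholder host name.
Test-ScanPrerequisites -Computer 'WKS-TEST01' | Format-List
```

Run against a list of hosts, the same report doubles as an inventory of which machines expose the Remote Registry and admin-share path, so you can confirm that this access is reachable only from the management console.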
When I first started using NetChk Protect, I thought I might be doing something wrong because using it was so easy. Within an hour of installing the software, I had already scanned all eight of my machines for spyware and missing patches and deployed all the up-to-date patches. I was also pleasantly surprised to learn that NetChk supports updates for more than just Microsoft products. In my testing, I was able to update my Adobe Reader and RealPlayer software as well.

NetChk Protect does a great job of keeping your machines clean of spyware and up to date with the latest patches. If you’re responsible for patch management and spyware control for your network, you owe it to yourself to give it a try.—

Chad Todd, MCSE:Messaging, MCSE:Security, MCT, CEH, is the co-owner of Training Concepts (www.trainingconcepts.com), which specializes in Windows, Exchange, ISA and Cisco training and consulting. You can reach him at [email protected].

ProductReview
Schedule Jobs the Easy Way
The latest version of SmartBatch helps you centralize and streamline Windows job scheduling.

SmartBatch 2006
Standard Edition: $695 per single- or dual-processor computer, $295 for each additional processor
Enterprise Edition: $1,295 per single- or dual-processor computer, $495 for each additional processor
Remote agent: $595 per computer
Online ToolWorks Corp.
503-297-0609
www.onlinetoolworks.com
BY BILL HELDMAN

There’s an endless array of jobs you must run to manage today’s intricate, multi-platform environments. You might have one batch file that routinely deletes temp files from your servers, another that periodically extracts data from a mainframe, and a script file that performs a whole series of complex tasks. Most of these jobs connect to a host of different systems, manage just about every type of file, run on a variety of schedules and have all sorts of outcomes.
So how do you rope all these activities into a single framework that you can easily manage from a central location? That’s where SmartBatch 2006 comes in.

REDMONDRATING
Documentation: 15% _______ 10
Installation: 10% _________ 10
Feature Set: 35% ___________ 9
Performance: 30% __________ 8
Management: 10% ___________ 9
Overall Rating: 9
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

Figure 1. The SmartBatch interface is easy to navigate and includes plenty of options for specifying job parameters.

Getting Started
The folks at OnlineToolWorks clearly get what it means to be a busy Windows administrator. They know the things you’ll need and—just as important—the things you don’t need. There is a “quick-up-and-running” sensibility built into SmartBatch. The installation process is simple. You can be fully functional in virtually no time. It comes in a Standard and Enterprise edition. The primary difference between the two is that the Enterprise edition supports agent-based operations across your entire fleet of servers.

SmartBatch has an elegant interface (see Figure 1). It’s easy to understand and navigate and still comes with plenty of tutorial screens to help you along the way. I particularly liked the SmartBatch multimedia overview because it lets you watch the keystrokes required to assemble your jobs into a cohesive group.

SmartBatch doesn’t help you craft your own batch files or scripts. The assumption is that you’ve already done that work up front. When you have assembled a collection of pre-scripted tasks that you’re ready to run, SmartBatch helps you generate numerous different schedules and tie them to your job scheduling operations. The idea is relatively straightforward: First you create your computer groups and schedules. Then set up your operations—these are the batch files, scripts or programs you need to run. Next, you’ll want to group similar operations into a single step. Then group multiple steps into a single job. When you’re finished, you’ll have multiple jobs running, all working from different calendars, and configured to notify you or another designee (the Enterprise edition has different user designations that allow for more granular security control) of operational status.

Scheduling Routine
Suppose you want to free up disk space on your file servers by periodically purging unnecessary files and unused data. The data sits on three different computers, and you have a variety of user and database files occupying the space on those servers. Here’s how you might work out a SmartBatch job scheduling routine (note that you’ll need the Enterprise Edition of SmartBatch 2006 and a remote agent for each computer):
• Create a group that includes the computers on which you need to work.
• Create a calendar with the days and times you want to run your jobs.
• Set up each operation (see Figure 2) so it initiates a single maneuver you wish to perform. For this example, I call a command window and pass in the command to delete all temp files from the volume’s C drive.
• You’ll need a second operation to purge the D drive. You could also create a batch file with the necessary commands and call it from the operation instead.
• Create an operation that calls stored procedure(s) to groom your database files.
• Once all operations are in place, link them together as steps.
• Create a job that ropes in all your file-server grooming steps.
• Repeat the process for other automation operations.
• Assign an operator to monitor your jobs and select notification options.

You can perform the same operations on either a computer group or a single computer, especially when it’s a globally applicable operation. For example, you could do the above temp file delete operation on a pre-defined group because it’s almost a given that every computer has a C drive with .TMP files to delete.

Showstoppers
With the SmartBatch Standard Edition, the idea is that you’re only going to use it on the machine upon which it is installed. With the Enterprise Edition, you get extensibility, which lets you run SmartBatch operations on multiple computers, each of which has to have an agent installed. If there are any showstoppers or problems with SmartBatch, it is the agent issue. Many administrators are hesitant to install an agent component on a server because it may introduce new problems. Agentless management software is often weak in the knees, so I can see why OnlineToolWorks felt it could only provide sufficient performance by using onboard agents.

The Enterprise Edition also lets you use SQL Server as the database for the SmartBatch job scheduling data. However, by default, both the Standard and Enterprise editions use MSDE, which is a huge plus. Both editions of SmartBatch support notification, native Windows and Web administration interfaces, dependencies, error recovery, .NET programming interfaces, and a “Runbook”—a place where you can detail instructions for the folks who will run and troubleshoot the jobs you’ve established. This last element is a very mainframe-like capability to carefully monitor your operations. The Enterprise edition includes a Diagram View (similar to Microsoft Operations Manager), fault-tolerance and load-balancing, as well as remote agents.

Figure 2. The operational schedules and procedures set the parameters within which your jobs will run.

Finding Free Time
If you’re an administrator grappling with numerous job-scheduling operations—whether they’re scripts, batch files or executables—SmartBatch can be a big help. The simplicity and centralization are well worth the price of admission. With careful planning and attention to detail, you can set up a job-scheduling environment that will free up your time for more important tasks. If you’re just beginning to use batch files and scripts to lasso in those infernal manual operations, get them ready and then try SmartBatch. It was designed and written by a long-time Microsoft-friendly company that truly understands the needs of Windows administrators.—

Bill Heldman is an instructor at Warren Tech, a career and technical high school in Lakewood, Colo. He is a contributor to Redmond and several other technology publications. He has also authored several books for Sybex, including the CompTIA IT Project+ Study Guide. Reach him at [email protected].

Most People Don’t Have ESP. But You Can...
With the Enterprise System Protector (ESP) Suite from Lucid8, you won’t just recover from Microsoft Exchange disasters... you will prevent them from ever happening.

While Exchange is down, employees can’t communicate, salespeople don’t sell, compliance can’t be kept, reputations are at risk, and customers can’t do business with your company. Lucid8’s ESP Suite combines two powerful disaster prevention solutions—GOexchange and DigiVault—at a savings of 20% off the individual programs. Prevent disasters with GOexchange and depend on minute-to-minute data protection with DigiVault. Protect your vital E-mail system with a comprehensive solution that delivers Disaster Prevention, Optimization, and Recovery for Microsoft Exchange. ...on ESP Suite refer to offer code 8479. These are just some of the organizations currently enjoying the benefits of ESP...shouldn’t you? – Tiffany’s – Welch Foods – Blue Cross/Blue Shield – Mellon Financial Corporation – American Eagle Tanker – NATO. At Lucid8, we go beyond the sixth sense. To save 20% on ESP for Exchange, visit www.lucid8.com/espsuite to download a trial version or call 425.456.8479.

Customer Perspectives
“We knew we had issues, however, the number of errors and warnings that existed in the database was far more than we would have suspected. GOexchange worked as expected, solved every problem, reduced the databases by 48%, automatically notified us, and even provided a great report upon completion. Excellent product and people!” Joshua Nunes, IT Director, Perseus Group
“When I first downloaded your product I was very skeptical of your promises for improvements on my Exchange server. After the first maintenance run, I’m now a true believer of your product.” Raul Ramos, Director of Information Systems, The First Tee

Analyst Perspectives
“Microsoft Exchange Server, like any complex database system, slowly degrades over time. Without routine maintenance, decreasing performance, increased warnings and errors accumulate and database fragmentation transpires, leading to Exchange disasters. Given the significance of email in today’s business environment, it is important that businesses proactively address server degradation before it occurs.” Ray Paquet, Vice President & Distinguished Analyst with Gartner
“Companies often overlook their e-mail infrastructure as an area where minor adjustments can deliver significant ROI. Solutions such as Lucid8’s GOexchange help Microsoft Exchange administrators reduce the time they spend supporting Exchange, lower overall IT costs and improve end user productivity by proactively managing and maintaining Exchange servers, thereby, increasing the likelihood that minor server problems are resolved before they culminate into a major disaster.” Rebecca Wetteman, Vice President of Research, Nucleus Research

ProductReview
Manage the Forest and the Trees
Administer your entire Active Directory domain from one location.

Active Administrator 4.0
$12 per user
ScriptLogic Corp.
561-886-2400
www.scriptlogic.com
BY RICK A. BUTLER

While the tools that come with Windows Server work just fine for most Active Directory management tasks, they aren’t really set up to manage your entire enterprise from a single spot. You have to at least connect to a domain and look at its properties or connect to a local system to see the GPO. You don’t really have a clean interface for all-encompassing GPO management right out of the box. Usually, you have to customize the Microsoft Management Console to build an interface that pulls in the entire forest. Active Administrator fills that gap by taking a top-down approach to administering your entire AD domain.

REDMONDRATING
Documentation: 20% _______ 9
Installation: 20% _________ 9
Feature Set: 20% __________ 8
Performance: 20% _________ 8
Management: 20% __________ 9
Overall Rating: 8.6
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

ScriptLogic has taken some major steps forward with the 4.0 release of Active Administrator, which is poised to be a solid enterprise AD management tool. (You can read the review of Active Administrator 3.0 in the November 2003 review archives at Redmondmag.com.) The new version has a host of improvements. My personal favorite on the new feature list is AD Object Restore. If you’ve ever done something as boneheaded as wiping out the CEO’s user account or blowing away an entire organizational unit (OU), you will love this one as much as I do. AD doesn’t have any sort of object level recovery to easily fix this problem, and as you know, you can’t just recreate an object or objects you’ve accidentally deleted. If you’ve found yourself in this situation, you know it usually meant making the walk of shame to the tape vault. After finding the correct backup tape, you’d have to restore a domain controller and do an authoritative restore in Directory Services Restore Mode (DSRM)—all the while praying there haven’t been many changes to AD since your inadvertent delete. With Object Restore, you can easily restore a single object in AD—whether a single account or an entire OU—without the usual madness. Life hasn’t been this good since single mailbox restores in Exchange.

Figure 1. Active Administrator’s Object Restore window lets you specify object and attributes to restore.

Active Management
Active Administrator 3.0 introduced Active Templates as a means of delegating and managing the permission levels in AD—without providing unnecessary privileges. These templates are really cool if you absolutely need to know who has what level of permission. You can create a template defined by permissions. Users are assigned roles based on an AD task, so you can do things like provide users “almost” administrative access to their machine or give junior administrative rights to a help desk technician. The Active Templates let you provide the right amount of access your users need to get their jobs done without providing too much access. If you need to customize the templates for specific tasks and permissions, you can certainly do that as well.

In version 4.0, these templates are actually self-healing, using a service that fixes anomalies within the templates. If a setting were changed in the policy, a service in Active Administrator would revert that setting back to how it was originally specified in the template. It would also alert you to the change. This is a cool upgrade from Active Administrator 3.0, where you would have to review your templates regularly to ensure compliance. In short, when you set role-based user security to a specific standard, it stays that way. With some GPO settings, a savvy user can make certain changes to the GPO, whether or not he is authorized to do so by IT management. Active Administrator keeps the settings as specified in the template.

Auditing Made Easy
If you have to monitor AD security and you have multiple domain controllers, you have to visit each DC and scroll through each log to find the events you’re hoping aren’t there. Active Administrator’s AD Auditing (which has been part of Active Administrator since version 3.0) is cool because you can now check these event logs from one location. You can also configure the logs to send alerts for certain events. For example, if one of your administrators on the other side of the country goes messing around with your “Computer’s” container or users, you’ll know about it right away—not after something has already gone wrong.

Get a Handle on GPOs
Active Administrator gives you easy access to solid GPO management features. You can look at each policy in your forest, figure out where it’s linked, review statistical information, copy to another domain and adjust it accordingly. It also keeps a historical record of your GPOs so you’ll know who changed what and when those changes were made. If any change you make doesn’t work out the way you or one of your admins had intended, just roll it back.

Figure 2. In the Group Policy Offline Repository, you can select, edit and report on GPOs.

Another of Active Administrator 4.0’s new features that applies specifically to GPO management is the Offline Repository. If you frequently have to change your GPOs, this repository is very helpful because you can isolate your GPO, make your changes offline without affecting your production environment and publish it back when you’re ready for it to go live. The Offline Repository also has a check-in/check-out management structure that lets you control who’s authorized to make changes and how frequently they can do so, should you have multiple administrators managing GPOs. There’s even a nifty reporting tool you can use for review or to produce a maintenance record book (for you old school techies out there).

I like this tool and I think ScriptLogic did well with the additions and enhancements to the 4.0 release. Active Administrator is simple to get up and running and easy to use. If you need some serious configuration management for your AD forest, you’d do well to consider it.—

Rick A. Butler, MCSE+I, is the Director of Information Services for the United States Hang Gliding Association. You can reach him when he lands at [email protected].

IT Education online from an accredited university. Master’s degree specializations include: • Project Management and Leadership • Information Security • Network Architecture and Design • Business Administration (MBA) • IT General. You may be closer than you think. You can apply to earn credit for the technical knowledge and skills you have gained from real-world experience, training, certifications (such as CCNP®, MCSE, CISSP® and PMP®), and previous education. 1-888-CAPELLA ext. 22041 www.capella.edu/redmond. Capella University is accredited by The Higher Learning Commission and a member of the North Central Association of Colleges and Schools, 30 N. LaSalle Street, Suite 2400, Chicago, IL 60602-2504, (312) 263-0456; www.ncahigherlearningcommission.org. Capella University, 225 South 6th Street, 9th Floor, Minneapolis, MN 55402. © 2006 Capella University

BetaMan
Don Jones
Windows Goes High Performance

What was once old is new again. High-performance computing (HPC) has returned as one of the biggest trends in computing—with a big difference. Back in the day (the early 1990s) you could drop $40 million on a Cray Y-MP supercomputer.
Now, thanks to cheap, off-the-shelf components (COTS), new Intel- and AMD-based HPC servers make sense from both a financial and technological perspective. For example, you can pick up a four-way, 2.2GHz AMD Athlon64 server with 4GB of RAM for about $4,000. As far as the technology goes, the point of HPC these days is to rely less on a single massive machine and more on compute clusters—groups of interconnected machines that divide the workload among themselves.

Windows Compute Cluster Server 2003
Version Reviewed: Beta 2
Current Status: Beta
Expected Release: 2006

In fact, universities and research institutions have been using Linux-based supercomputing clusters for years. The Beowulf Project (www.beowulf.org) can give you some guidance on building clusters of Linux-based servers. It’s little wonder that Microsoft is looking for a piece of the HPC action. I got a good look at Windows Compute Cluster Server 2003 (CCS2003) at a recent Microsoft briefing.

Remember that the “C” in COTS stands for cheap. CCS2003 (which is based on Windows Server 2003, hence the name) will actually cost less per socket than other editions of Windows. This won’t be a bargain-basement version of Windows, however. It’s being put together specifically to address HPC concerns. As a result, you won’t be able to install this special version of Windows on any computer that isn’t part of a dedicated computational cluster. It’s also only available in an x64 edition—the theory being that nobody would want to build a computational cluster out of legacy 32-bit hardware.

What Is a Compute Cluster?
A compute cluster is a single head node that accepts computing jobs and distributes the workload across at least two attached nodes. CCS2003 won’t support high availability for the head node, so make sure it’s already running on highly available hardware. This is the brains of your HPC operation, so it has to stay up. You can have as many attached compute nodes as you can afford. As we’ve learned from distributed computing projects like SETI@home (which is an excellent real-world example of how you would use a compute cluster), the more compute nodes, the merrier. To avoid bottlenecks that can limit the number of nodes in your compute cluster, you’ll want to use switched gigabit Ethernet as a minimum—a 10 gigabit Ethernet or Myrinet network is even better. CCS2003 includes Windows Sockets Direct Interface, which is specifically designed to take advantage of these types of high-speed connections.

You’ll have to tune your applications to run on a cluster. To give you an idea of the old-school, hardcore nature of this type of computing, look at the programming languages that CCS2003’s components support out of the box: Fortran77, Fortran90 and C. Yikes. Configure the system to submit applications to the cluster’s scheduler on the head node, and to run completely unattended using only data files (and not keyboard commands or mouse clicks) for input.

You’ll also have to be fluent in several new acronyms if you’re going to set up a compute cluster. MPI (Message Passing Interface) is an industry-standard application programming interface designed for rapid data exchange between compute nodes in HPC environments. Microsoft’s MPI (MSMPI) is a version of the Argonne National Labs Open Source MPI2 implementation that supports more than 160 function calls. Applications submitted to CCS2003’s job scheduler need to support this. As you might expect, CCS2003 makes heavy use of Microsoft’s infrastructure components. For example, all nodes have to belong to the same Active Directory domain so you can manage them as a unit and share security information.

What It Isn’t
CCS2003 is not the same kind of clustering as Windows Cluster Service. While CCS2003 is designed to have several computers interconnected, those computers work together to solve computationally intensive problems, rather than provide failover or fault tolerance. You won’t run Exchange Server on CCS2003. In fact, unless you have some heavy-duty number crunching to do, CCS2003 probably isn’t for you. The thought of deploying and managing a dozen or so compute nodes sends a chill down my spine, and not just because the data center housing them is going to need heavy-duty air conditioning to avoid a meltdown. In an era when everyone’s downsizing the data center, CCS2003 heads in the opposite direction.

Unless you have to do some serious number crunching, such as simulating nuclear explosions, modeling fluid dynamics or assessing potential oil deposits, CCS2003 may not be for you.

Microsoft feels your pain. CCS2003 includes a command-line interface to help you create and submit jobs. You can use Remote Installation Services (RIS) to deploy compute nodes, so deployment to bare-metal machines is easier (CCS2003 includes RIS). Standard backup and restore techniques apply, so whatever you’re already using should work fine. Of course, the usual MMC snap-ins will let you control the entire cluster. The setup process for Compute Cluster is also straightforward, using a standard Wizard-based interface.

CCS2003 loves networks and wants to connect to as many as possible: a private network for administrative traffic, the MSMPI network for exchanging cluster communications and data, and a public network like your corporate intranet. This last conduit also lets applications like Systems Management Server (SMS) and Microsoft Operations Manager (MOM) get into the compute cluster’s head node for management purposes.

BETAMAN’S ROUTINE DISCLAIMER
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.
So you could have each CCS2003 machine connected to as many as three networks at once. Too Much Horsepower? Unless you have to do some serious number crunching, such as simulating nuclear explosions, modeling fluid dynamics or assessing potential oil deposits, CCS2003 may not be for you. Still, CCS2003 makes HPC accessible to organizations that never would have considered it before.— Don Jones is a contributing editor for Redmond and the owner of Scripting Answers.com, a Web site for automating Windows administration. His most recent book is Windows Administrator’s Automation Toolkit (Microsoft Press). Reach him at [email protected]. MS SQL Server security requirements giving you a headache? DB Audit Expert addresses key MS SQL Server security concerns that include database security and vulnerabilities assessment, database access and user activity auditing, business and regulatory compliance. DB Activity Tracking • Data-Change Tracking • Multiple Auditing Methods • Centralized Control • Real-time Alerts Audit Trail Monitoring and Alerting • Robust Reporting Audit Storage Performance Management Protect Your MS SQL Data without the headaches! For more information visit us at http://www.softtreetech.com/no_headaches Project6 12/8/05 1:44 PM Page 1 0306red_YourTurn_25-27.v6 2/14/06 11:28 AM YourTurn Page 25 Redmond ’s readers test drive the latest products. BizTalk Server: Getting Better All the Time Users say Microsoft BizTalk Server 2004—and the 2006 version— significantly ease enterprise application integration. BY JOANNE CUMMINGS When it comes to enterprise application integration (EAI), Microsoft’s BizTalk Server is tough to beat. For most Windows shops, its ease-of-use, resiliency and performance are giving even Web services a run for its integration money. In some cases, BizTalk can also be easier and less expensive to implement than Web services. 
Erickson Retirement Communities in Baltimore, Md., used BizTalk Server 2004 to build a system that integrates 10 separate applications to create a resident demographic management system (DMS). David Clausen, systems architect at the company, and his colleagues ultimately determined that they wouldn’t have been able to create a Web service for all their systems on time and within budget. BizTalk was equipped with the level of integration functionality they needed to get up and running quickly. For example, it could already communicate with flat files, FTP and HL7 (Health Level 7—a health care networking protocol).

Others still consider Web services the easier option for both development and management, but that’s not always the case. Most users can build something relatively quickly, but they often haven’t thought through the problems of maintaining a Web service to ensure its continued resiliency and performance. That’s frequently the case with Jonathan Summers’ clients, who often express an initial preference for Web services. “For them, it’s a speed to market issue,” says Summers, enterprise architect at Software Architects, a consulting firm in Dallas. After thinking about building that level of core functionality into a Web service with limited management capabilities, they often opt for BizTalk. “After some consideration,” he says, “the conversation will shift to BizTalk.”

Vertically Challenged

Microsoft has a variety of BizTalk vertical accelerators ready to support numerous industries, like retail, financial services and healthcare. These accelerators are intended to ease integration with applications that adhere to industry-specific protocols. BizTalk’s HL7 support sold Clausen and his colleagues at Erickson Retirement Communities. “That was really the key for us,” Clausen says, adding that his company spent $70,000 in software and hardware on its BizTalk implementation. He says it was money well spent.

Before deploying BizTalk, says Clausen, integrating with an HL7 application meant writing code from scratch and parsing out complex protocols. The HL7 accelerator treats the entire protocol as XML schemas, and lets Clausen use the BizTalk map to convert outgoing data to HL7. Then he configures the map and accelerators to convert incoming data to whichever format he requires for his internal structure and database. “It really streamlined the whole process,” he says.

Using BizTalk and the vertical accelerators as integration points also helps tie in key business processes, Clausen says. For example, Erickson’s DMS, based on BizTalk Server 2004, now includes an “eventing” system whereby any constituent system can post an “event” and make that information available in real time to any other integrated system. When DMS receives a new resident, for example, it publishes an event. That becomes a message in the BizTalk Message Engine, explains Joe Schneebaum, senior software engineer at Erickson. There are about four other applications that subscribe to that event, he says, because new residents need immediate access to certain services when they move in. “The residents need to be able to get fed in our dining halls, request a shuttle to the mall and so on,” he says.

Before Erickson started using BizTalk, it took a day or so for the IT staff to ensure that each system had access to the proper data when a resident arrived. The real-time “eventing” system helps them ensure that an incoming new resident’s data is populated throughout its systems almost immediately. “Within one minute of becoming a resident,” Schneebaum says, “you can eat your first meal here.”

Microsoft BizTalk Server 2004
Enterprise Edition: $24,999 per processor
Standard Edition: $6,999 per processor
Microsoft Corp., 800-426-9400, www.microsoft.com

Power at a Price

While BizTalk scores high on the application and process integration scale, that comes at a price. BizTalk’s installation, configuration and deployment mechanisms can be cumbersome, time-consuming and unforgiving, say Clausen and other BizTalk users. Software Architects’ Summers points to the need to properly configure accounts and accurately establish database permissions—and to get it right the first time. “If you get anything wrong, the whole thing gets rolled back,” he says. “The product doesn’t make many allowances for errors.”

Others have had a similar experience during deployment. “BizTalk is a nightmare to deploy,” says Yitzhak Khabinsky, software architect at Odimo Inc., an online retailer based in Sunrise, Fla. He uses BizTalk 2004 to integrate with applications from Odimo’s trading partners, such as MSN, Amazon, Yahoo! and Google. He says BizTalk requires a multi-step manual deployment process.

Configuration and deployment does go faster with practice, others say. The BizTalk 2004 configuration and setup guide is a very specific three-page document. “You have to follow it exactly,” says Erickson’s Schneebaum. He eventually had to supplement the process with his own steps customized for his organization. In his three-tiered infrastructure that includes development, test and production environments, he claims he can wipe it out and rebuild it within an hour.

For a product with such a convoluted configuration and deployment process, users say, the documentation is fairly sparse. Fortunately, there are numerous online resources to fill that void. Summers agrees with that assessment. He called the documentation “bare,” and says the one book about BizTalk Server 2004 he knows of didn’t come out until the summer of last year. He found what he needed online. “There was a grassroots effort put together by one of the BizTalk MVPs, who compiled help files from blog entries, called the Bloggers Guide to BizTalk,” he says. “That was one of the key sources of information.”

Still Under Construction

BizTalk 2004 is missing some key features, such as a strong administrative toolset and robust encryption capabilities. For example, Erickson needed to build its own encryption into its BizTalk implementation for communicating with two of its external trading partners. “BizTalk only supports S-MIME, which really didn’t suit our purposes,” Clausen says. “It would be nice if they offered better encryption.”

While BizTalk 2004 is well integrated with Microsoft SQL Server, the overall level of integration could be tighter, says Clausen. Fortunately for him, his SQL Server administrator at Erickson was able to take on BizTalk administrative duties as well. Clausen also feels the administrative tools could be improved, especially for server health monitoring.

One reason users appreciate a tool like BizTalk is that enterprise application integration can be one of the more boring tasks facing an IT professional, says Erickson’s Schneebaum. “One thing Microsoft did really well with BizTalk was make the rote, mundane tasks of data interchange more appealing to a developer by giving them rich tools for development and good, fast schema editors. You might still not want to do it at seven in the morning, but it’s less painful.”

— Joanne Cummings is a freelance technology journalist based in Massachusetts. You can reach her at [email protected].

GetMoreOnline: Read more about what to expect in BizTalk 2006, and see the full list of available vertical accelerators. FindIT code: BetterBiz, redmondmag.com

Up Next

Here are some key features users are looking forward to in the forthcoming BizTalk Server 2006:

Better documentation. A better effort has been made to provide real-world help in the documentation for 2006.

Easier installation, configuration and deployment. BizTalk 2006 will offer a raft of changes, including a more modular approach that lets users install and configure only the features they need, when they need them. Configuration mistakes will no longer affect the entire package.

Administrative capabilities. The new version will include server health monitoring and a new “applications” concept that significantly eases admin-level deployments.

Business Activity Monitoring (BAM). BAM now lets users access a Web portal to identify and track key performance indicators from within BizTalk-integrated applications.

Flat file wizard. A new wizard eases the building of flat file schemas to the point where they can be offloaded to business analysts, without further burdening developers.

Data interchange processing. BizTalk 2006 offers a new recoverable interchange processing capability.

Encryption. Users would like to see stronger encryption than the S-MIME support in BizTalk 2004. Early testers of 2006 say this issue may not be addressed until future versions. — J.C.

The 800-Pound Gorilla

Windows and Office each dominate the landscape, like King Kong on Skull Island.
What would it take to shoot this monkey down and give other species a fighting chance? 0306red_F1Gorilla.v6 2/14/06 10:47 AM Page 28 800-Pound | redmondmag.com | Redmond | March 2006 | 29 ILLUSTRATION BY GERAD TAYLOR W hen it comes to clients, Microsoft is in the catbird’s seat. Despite the Mac, thin clients like Sun Rays, and dozens of iterations of desktop Linux, Windows is on at least nine out of 10 clients. And almost every one of those is running some version of Microsoft Office. Microsoft critics claim that there’s competition and viable alternatives, but only the truly passionate among them buy Macs, or load desktop Linux and open source Office alternatives like OpenOffice. What conditions would be necessary to turn the fringe into the mainstream and end Microsoft client domination forever? Is there a perfect software storm that could wash away Office and XP like so much flotsam? A key to understanding Microsoft’s exalted position is to realize that Office and Windows are mutually supporting entities: Windows came first, then shepherded Office applications into its healthy market share, starting with Excel and And that position is fortified by an array of ancillary products, including Windows Servers; Active Directory; Outlook; Exchange; SQL Server and so on. For better than a decade, Microsoft has been building an elaborate technology quilt that makes it difficult to break away from the family. Even if, for example, another database or e-mail system works better, IT usually opts for the Microsoft solution due to its tight integration with the installed base. The Microsoft Quilt—Domination Through Integration Word. Through an absolute commitment to exploiting Windows, Office has become more and more entrenched. Now Office is part of the Windows ecosystem, and its popularity likewise makes Windows indispensable, creating dual and intimately connected monopolies. Thus, anyone hoping to unseat one has to deal with the other. 
10:47 AM BY DOUG BARNEY 2/14/06 Can Anything Threaten the Microsoft Desktop Empire? Gorilla The 0306red_F1Gorilla.v6 Page 29 0306red_F1Gorilla.v6 2/14/06 10:47 AM Page 30 The 800-Pound Gorilla “As a corporation we’ve standardized on Active Directory and Exchange, XP, Office and, soon, SharePoint. And it took years to get to this point,” says an IT pro who asked not to be identified. “Individual offices might go off the reservation about one application or another, but it would never change the monoculture. Decisions are firmly top-down.” In order to compete, non-Microsoft Office suites and PC operating systems have to offer the same level of integration. That is perhaps one reason the European Commission is trying to force Microsoft to fully document its Windows interfaces, giving competitors the same ability to integrate as Redmond itself. Politics of Switching No level of integration will matter, however, unless the decision makers give the green light. And entrenched management thinking will keep Microsoft solidly in place, according to Edward Bailey, with HVAC distributor Carrier Great Lakes in Livonia, Mich. “The top management here are e-mail users only—nothing more. [The issue is] mostly cost more than anything else. We are using AD and Group Policy for control of the environment and Windows Server 2000 and 2003 are working very well for us. We also use Exchange—again working wonderfully well,” says Bailey. Sydney McCoy says management at his company could be persuaded to switch—with hard numbers. “If it can be demonstrated that necessary functionality and full compatibility exists, with no demonstrative impact to productivity or processing overhead, then potential open source licensing cost savings and broad-based support and acceptance would likely be overwhelmingly welcomed throughout management,” says McCoy. 
“I’ve been dabbling with the potential substitution of a SLES [SuSE Linux Enterprise Server] file and print server, but the biggest obstacle is our inexperience with the platform, rather than any potential licensing costs vs. savings. As go the bean counters and lawyers, so follows the entire staff.” All About the Beans Ah yes, the beans. Open source fans tout the cost savings: after all, it’s pretty hard to beat free. Even in this arena, Is Microsoft Losing Its Grip? ony Bove has written the book on getting off of Microsoft—literally. His book, aptly titled Just Say No to Microsoft, talks about how and why you should look at alternatives. Bove talked to Redmond magazine about potential Windows/Office tipping points. T What events or factors could cause the Microsoft XP and Office monopolies to crumble? Tony Bove: It’s happening now. The company as it is today just wasn’t made for these times. As Gates himself pointed out in his recent memo to Microsoft executives, a “services wave” of applications is about to reach millions of users, and Microsoft needs to catch up. But the move to offer a services platform for developers puts Microsoft between a rock and a hard place with regard to its existing software business models. So Microsoft has to start over. The latest Gates memo indicates that Microsoft faces competition on all fronts—not just Windows; not just Office. Open source software threatens everything from server and client systems to e-mail clients and servers, databases and applications. Mac OS X is a threat to Microsoft’s entire computing experience. Even though the vast majority of everyday computer users are stuck in Windows XP, the cutting edge of innovation is happening elsewhere. 30 | March 2006 | Redmond | redmondmag.com | What would cause a mass move away from Microsoft to alternatives? More bad press about viruses and malTony Bove ware. 
It amazes me that the industry and press still refer to new outbreaks as “computer viruses” and “computer adware and spyware,” rather than what they really are: Windows, Outlook, IE and Office viruses and malware. Office has matured to the point that it’s not only easy to clone but easy to improve upon. Windows is under constant attack from Linux and Mac OS X. The reason people give for needing to use Windows—because they need to run certain applications—is quickly eroding. To use the new Internet services, all you need is a computer that runs a browser. I think [potential] missteps by Microsoft in the coming year—with Vista, and with advertising-supported software— will reduce the Microsoft monopoly enough to enhance competition and spark more innovations. At some point a low-cost, non-Windows computer will be very popular for the consumer market, and so will Apple Macs on the “high end.” It’s only a matter of time. — D.B. Project1 1/9/06 10:32 AM Page 1 0306red_F1Gorilla.v6 2/14/06 10:47 AM Page 32 The 800-Pound Gorilla though, open source contenders still have to prove themselves, as costs other than the software must be considered. “Any consideration of a replacement to Microsoft products would have to entail administration, deployment, security and upgrades, at a minimum,” says JC Warren, a network management specialist for a high tech company. “I’d have to be dramatically dissatisfied with our current product suite to even begin to consider alternatives. If an alternate product suite could be found that would improve user productivity, I’d then have to consider the costs of deployment, administration, etc., in order to get a handle on the total cost to switch. Then we’d need to factor in the learning curve for users to attain their previous functional state. Any time lost is money lost to my employer.” Tech Support Downtime also costs money, and tech support is a huge tipping point factor. 
“I’ve had former colleagues relate the horror stories of being forced to switch to an open source product by misguided management, only to strip it out after it proved totally unsupportable in a corporate environment,” says Warren. For Microsoft challengers to make inroads, it’s clear that tech support will need to improve. Fortunately for them, Microsoft may have provided an opening. “For some products, Microsoft has stopped having higher-level support available during evenings and weekends,” laments Karl W. Palachuk, of KPEnterprises Business Consulting Inc. “So a call might get escalated during the week, but you’re back to Tier-One [support] on Friday night and all weekend. In other words, the highest level of support for the biggest problems is only available during business hours, during the week. In what universe does this make sense? I’m not ready to make the switch today, but I find myself surprisingly open to the possibility.” Even with some level of dissatisfaction, though, the Microsoft Quilt concept continues to give it an advantage, says Jason Thompson, a consultant architect in Arlington, Va. “My network has three players; Cisco, Dell and Microsoft. All software is from Microsoft, so we know that it works well together. If we do have problems, we only need to call one place. For me to leave Microsoft, a single vendor would need to support database, e-mail, Web, etc., from a single, highly supported platform. IBM is the only vendor I currently know that can accomplish this, but [it isn’t] competitive in price.” Another aspect of support working in Microsoft’s favor is the army of IT pros trained on its software. “Businesses Why I’m Sticking with Windows By David R. Bayer A s network administrator for a small part of a very large heterogeneous network, I’ve had to weigh the pros and cons of alternate OSes for my corner of the world. 
Even in my small area of responsibility—250 workstations, three servers and one virtual server—we’re running various versions of Windows and Macs, along with Windows and Linux servers. This is all part of a large Active Directory network (30,000-plus nodes). There are several things that prevent me from really migrating away from Windows. The first, and most important, reason is the remote control capabilities we get with AD and Group Policy. Controlling logins, software updates and distribution and various other items are a big plus for us. I haven’t heard of a good way to do that on Linux yet, and haven’t gotten buy-in from management for Apple’s Open Directory. Another biggie is user education. The best users I have are now comfortable running Windows and making some tweaks, things like video resolution changes and other such tidbits. In a network the size of ours, those 32 | March 2006 | Redmond | redmondmag.com | users are heavily relied on to help nearby users with easy-to-solve problems, leaving LAN admin and desktop support to handle more involved issues. Most users still fall into the category of “if it’s not obvious and easy, I can’t find it or do it.” Another reason we stay with Windows is for messaging solutions such as Exchange. Entourage on the Mac doesn’t do nearly as good a job interfacing with an Exchange server as Outlook does on the PC (although Entourage is much better in Office 2004 than earlier versions). Exchange is very convenient and streamlined for combining messaging and calendaring, and other solutions don’t do as good a job or have as nice an interface (at least the ones I’ve seen). Microsoft Office is available on the Mac, and Sun’s OpenOffice is available on Linux. Both options seem to have very good compatibility with the ubiquitous Windows versions of Microsoft Office. I enjoy getting to work with Macs and Linux boxes, but at this point it just doesn’t seem practical, on multiple levels, to migrate to another option. 
Bayer is LAN manager, Divisions of Hematology/ Oncology and Nephrology at Vanderbilt University Medical Center. 0306red_F1Gorilla.v6 2/14/06 10:47 AM Page 33 Why I Ditched Windows By Rob Hughes I did a basic cost-benefit analysis when considering a migration, as my network was then mainly Windows, with one Linux box and two Solaris boxes for testing. It had reached the point where I was mostly running around trying to fix various problems with Windows, both at the server and on the client. I needed to add several boxes for a new project and looked at the cost of doing it on Windows vs. Linux, as what I needed could be done on either platform. I found that in that situation, with Linux, I could get by with two fewer systems [and decided to move to Linux]. Since the migration, I spend very little time doing administration on my network, and most of my time doing research. I’m using Linux, BSDs and Solaris as both client and server OSes. Two of the main advantages of KOffice [the office software that runs on the KDE Linux desktop environment] and OpenOffice are Opendoc/XML compatibility and cross-platform support. KOffice doesn’t currently run easily on Windows, but KDE can be compiled under cygwin if you’re fairly patient (big package, long compile time). And there’s a lot of talk of porting KDE/QT (QT being already available) to Windows when version 4 of both products are released. would not go to alternatives such as Linux or OpenOffice unless the support staff were readily available to resolve issues. Currently, Linux and Unix professionals are in short supply and thus command higher wages. Just look at the demise of Novell,” says Allen Thomas, systems engineer with Lockheed Martin in Baltimore, Md. Given these factors, it’s clear it will take more than just management buy-in, cost savings which may or may not appear and improved, across-the-board tech support to loosen the Microsoft desktop stranglehold. 
The products and platforms have to be comparable (or better) in quality. Are they? Big Mac Attack In the case of Apple, the answer is clearly yes. If Redmond reader response is indicative of the industry, the Mac has a clear client edge over Linux as a Windows alternative. Many readers hype their switch to the Mac, while almost no one mentions moving to Linux PCs. Perhaps the Mac has an edge because it has the polish of an OS with two decades’ worth of evolution, is backed by a commercial company and has solid application support, including an official and up-to-date version of Microsoft Office. And because there’s less malware, troubleshooting and help desk tasks are less onerous. XML, being text, is pretty easy to manipulate programmatically. Opendoc also doesn’t use any binary “blobs” within the XML schema like Microsoft Office 2003 does, which makes trying to use Office 2003 files with anything other than Office nearly impossible. Another advantage is that I can read and write most other file formats, including Microsoft formats, giving me good compatibility with whatever someone sends me. I find these tools offer really good performance and flexibility—and, being open source software, integration/ extension possibilities are limited only by the amount of time and effort one is willing to put into a project. At the end of the day, what I’m talking about here is openness. Not just in the published sense (open standard format), but in the true sense of an Open Standard format. Rob Hughes is an escalation engineer with a technology company. But even with those advantages, the Mac hasn’t made significant inroads into the Wintel space. That may be changing, however, with Apple’s switch to Intel processors. The Intel machines could be cheaper in the long run (the early units have premium pricing), perhaps pushed by low-cost marketing powerhouse producers like Dell. 
Macs that could compete with PCs on the cost and speed side would certainly be a cause for concern in Microsoftland. Another advantage Intel processors will provide, and which could prove significant, is the ability to run Windows alongside the Mac OS. “If the future generation Macs (the ones using Intel processors) can run Windows software effectively, I’d switch in a heartbeat,” says Jerry Koch, chief technical officer for WebNow1 LLC. “I’m sick and tired of Microsoft getting rewarded for its failures, like selling anti-spyware software because its OS has so many holes.” David Cantrill, a London-based Redmond reader, echoes that sentiment. “What have I discovered in my time with a Mac? It works. No viruses, no spyware and consequently no AV software to constantly update. I can still do everything I did on my PC and don’t need to worry that I’m going to lose all my information by having to reformat the thing. Microsoft better hope Vista | redmondmag.com | Redmond | March 2006 | 33 0306red_F1Gorilla.v6 2/14/06 2:14 PM Page 34 The 800-Pound Gorilla creates a whole new ball of momentum, or this mag will be retitled Cupertino sometime in the next three years,” says Cantrill. Desktop Linux—Untapped Potential Linux PCs are much rougher around the edges than Macs, no doubt about it. They’re still much more difficult to install and use than Windows and Macs, often lacking anything but the most basic instructions. That leaves a dedicated group of hard-core, tech-savvy consumers, hobbyists and geeks to tweak and improve it, just as they did with Altairs 30 years ago. But these pioneers are small in number, and on the corporate side, things are even worse. The few widespread adoptions are almost all among the Linux vendors themselves—companies like IBM, which has more than 10,000 desktops running Linux. Peruse the Red Hat Web site, and you’ll find 38 case studies, only two of which mention Linux desktops to any degree. 
One bright spot, which could portend a tipping point, is in a market not yet dominated by Microsoft, or any other vendor for that matter: those who are too poor to even have considered a computer in the past. Nicholas Negroponte, of the MIT Media Lab, and his team have designed Linux laptops for the third world. For about $100 the machines come with a range of applications, 1GB RAM, peer-to-peer capabilities and wireless connectivity. Negroponte hopes Market Share Linux has 3 percent desktop market share and will have 6 percent two years from now (2008), IDC says. Meanwhile, the Mac is generally thought to have slightly less than 3 percent market share. that as many as 150 million units will be built in the next two years. That’s a lofty goal; but even if only a tenth of those get built, it still means 15 million Linux laptops will be in use. At that price, and with that kind of base, it becomes an interesting and proven proposition for lots more folks. Add some polish and some apps and you may just have a popular, new portable platform. Whither Office? If Windows on the desktop could be toppled, what about Kong’s other arm—Microsoft Office? Much as with desktop Linux, the potential is there, but the open source competition still has a way to go. One user tried OpenOffice, but the performance simply wasn’t there. 
“Upon reading benchmarks of the new StarOffice/OpenOffice versions that have up to 10 times the processing overhead compared to the Microsoft products we already license, there’s just no way to justify consideration in a shared environment,” says Sidney McCoy.

On the other hand, critics claim that Office suffers serious feature bloat, perhaps providing an opening. “I would absolutely move away from Office and XP for the majority of my users, if I could have a solid desktop and office suite with similar core functionality and interactions as XP and Office. That seems to be a rather broad stroke until you evaluate what “core functionality and interactions” really means to a given set of users, and the respective business processes. In most cases, Office and XP are overkill in function and cost,” says Yusuf F. Abdalhakim, of Abdalhakim & Associates, an IT consultant with 20-plus years of experience.

In addition to the footprint, interoperability is another potential tipping point away from Microsoft. OpenOffice cracked the door open for the OpenDocument file format, an XML format derived from StarOffice that may be able to break Microsoft’s deathgrip on productivity file formats. If these file formats become open, Office suddenly becomes less necessary. Microsoft has responded by proposing its own XML-based format others can support, but that Redmond ultimately controls. That makes it less appealing to many, and, ironically, may lead to a move away from Office.

“The XML stuff and the Open format specification of OpenDocument is extremely relevant for any organization that considers control over its data a priority, rather than giving that control to a single vendor via proprietary formats and forced upgrades in order to maintain supported status,” says Rob Hughes, an escalation engineer with a technology company. “The fully documented nature of OpenDoc would also play on the enterprise development side, as things like integration with various sorts of database back-ends and so forth are all greatly eased.”

Top Tipping Points

>> A unified or dominant Linux client – such a client could have better driver and apps support
>> Intel-based Macintoshes – cheaper Macs running XP or Vista alongside Mac OS X could appeal to Windows shops
>> Third-world $99 Linux laptops – a huge base of Linux clients could jumpstart the apps markets
>> Dell selling Macs or solid, reliable and usable Linux PCs – a trusted low-cost supplier could give these machines corporate cachet
>> A bug-laden, insecure Vista – if Vista is a huge pain to secure, and requires loads of training, an alternative may not be viewed as altogether disruptive
>> A bug-laden, insecure Internet Explorer – if IE7 is no better than today’s browser, corporations could move in droves to Firefox, which already has about 10 percent market share
>> Major change in Office 12 causes disruption – interface and file formats (if native XML is really supported, are file formats still a lever?)—like with Vista, the Office suite, code-named Office “12,” could be as tough to move to as Office rivals
>> Dramatically improved Windows interoperability with Linux or the Mac – if Linux and the Mac become a seamless part of the Microsoft Quilt, IT objections will be answered
>> Brand new computing paradigm/architecture – just as the PC killed off the Apple II, a compelling new approach could sweep away legacy Windows and Office
>> Web services take over and bring back the Network Computer – if Web services become dominant, fat client PCs won’t be necessary
>> Open Source becomes a broad corporate mandate – if open source offers a compelling ROI, CEOs could mandate a move away from Microsoft

In Microsoft’s Corner: Keeping Windows Large and in Charge

>> The Microsoft Quilt – XP and Office aren’t standalone but work closely with other Microsoft tools
>> The sheer number of applications – no one can match the volume of Windows programs
>> Custom Corporate Client Code – internal applications developers have written billions of lines of Windows code that would have to be re-crafted
>> Active Directory – the standard corporate directory works best with Microsoft tools
>> Exchange – Exchange works with Outlook, which works with Office, which works with XP ...
>> Office training – as tough as it can be to use, no program has more training muscle behind it than Office
>> Office file formats – many shops use Office just so they can share files with partners
>> OEM lock-in – PC vendors unanimously support Windows, not Linux or the Mac
>> Price/Performance – competition has pushed PC prices to an all-time low
>> The Groove factor – Ray Ozzie, one of three CTOs, is planning to bring rich collaboration technologies to the Office suite, code-named Office “12,” and Vista

Cool Tool

Code Weavers (www.codeweavers.com) has a tool, called Crossover Office, which is a version of WINE that lets Linux run key Windows apps. WINE essentially implements the Windows API set on Linux.

From Hunter to Hunted

There’s no doubt that right now, Microsoft is sitting pretty. But there’s accumulating evidence that its place on the perch could be getting more precarious. In fact, according to author Tony Bove, who’s written a book on how to swear off of Microsoft completely (read the sidebar, “Is Microsoft Losing Its Grip?” on p. 30), the possible seeds of its demise can paradoxically be found in its overwhelming success. “Microsoft is essentially held back by its monopoly and the complexity of its products, and can’t innovate fast enough without hurting its existing business,” Bove says. “That wasn’t always the case—in the early days of the monopoly, Microsoft was invincible. There was so much activity on so many fronts that the company was a moving target. Now … the company has become a big fat target.”

Doug Barney is editor in chief of Redmond magazine. Contact him at [email protected].
Reader Tips: Do Away with SPYWARE

Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties.

BY DOUG BARNEY

We all know spyware is bad stuff; the real question is how to get rid of it. To find out, we went to the experts—you, the Redmond reader. Dozens of you responded to our pleas. Here are the best bits of spyware removal advice, sprinkled with a healthy dose of anger and frustration.

Removing Aurora

Aurora is a nasty bit of adware/spyware that can be a real pain to root out. Redmond reader and IT Specialist Robert Butler knows. “I’ve discovered that Aurora changes the file names of the files it uses to re-infect the host. Aurora also apparently hijacks some legitimate running processes,” Butler explains. Butler has spent hours trying to clean Aurora out of systems. “I’ve found that one needs to boot in command prompt safe mode and delete the file c:\winnt\ceres.dll. The file will not delete in normal mode and will regenerate the software if not deleted. No anti-spyware software will delete the file either.”

Aurora also seeds confusion, says Butler. “Aurora is part of a group from Direct Revenue that includes: ABetterInternet, ABI Network, Ceres, Aurora, WinFixer, Direct Revenue and Search Assistant.” The confusion extends to Aurora Networks, a technology company that has nothing to do with the spyware, but finds itself mistaken for the malefactor. The firm has gone so far as to publish helpful updates and links for managing the Aurora spyware threat on its Web site. That site includes a link to the Aurora authors’ own removal tool.

It would seem foolish to trust such a tool, but at least one reader, Scott Davidson, owner of ARX Computers, had good luck with the Aurora-built fix. “In the effort to stay ‘legal,’ many spyware purveyors offer uninstall programs. They don’t make it easy to find, but they’re out there on a regular basis,” says Davidson. “You may be leery of using it, but I figure this company has already had its way with this computer, so going back for more shouldn’t do additional damage. The uninstall program for Aurora works like a charm. However, remember the best tool for fighting spyware in general is System Restore.”

Matt Yeager also tried the Aurora removal tool, after seeing positive feedback on a number of forums. He says the tool removed the pernicious spyware. “A malware company you can trust? I don’t think so,” Yeager writes. “A malware company that’s worried about prosecution is probably more like it.”

More Aurora Horror

Joey Heape ran into trouble after giving his 13-year-old children their own PC. The kids recently complained about slow performance, and Heape discovered the system was riddled with malware. Heape, who is director of media & technology for the South Carolina Bar, ran a host of free spyware killers, as well as Microsoft AntiSpyware, but to no avail. “I learned about killing processes, HijackThis, etc. I tried CounterSpy (home version, I actually use the enterprise version at our office), Ad-Aware (I own a copy of this for my workstation), you name it, I tried it,” Heape recounts. “Needless to say, I ended up reformatting.”

A Bloody Irish Answer
By Kevin Jordan

How can IT professionals hope to put an end to the malware scourge? Kevin Jordan, of Belfast, Ireland, offers an idea.

“Here in Belfast we have a shop called B&Q and it’s a hardware/home/garden improvement type of place. Now in there they sell nice, handy lengths of timber. Sand one end until it’s rounded and provides a nice tight grip, allowing both hands to hold roughly four feet of 6x4. Find out from the local authorities who the onion is that wrote the spyware code. Go around to his/her (you never know) workplace or home using transport of your choice—preferably low-budget airline or bus because you’re already out the price of the lumber. Apply the said piece of timber several times to the body of the numpty who’s responsible for causing this irritation. Before he/she loses consciousness, try to find out anything about his/her contacts and pass this info on to like-minded people you know. Hopefully this will mitigate the cost of the timber and transport by spreading it about and eventually these people will give up their activities since it’s hard to type with broken fingers. Incidentally, in order to comply with health and safety legislation, it may be prudent to wear some form of protective gloves and visor, just in case some loose splinters are flying about.”

Kevin Jordan is a presales IT consultant.

Stuffing Surf Sidekick

Another tough customer is Surf Sidekick, which can seem impossible to dispose of.
But for the patient and technically adept, there is a removal procedure that can help you. (Go to Redmondmag.com and use FindIT code: SpyTips for a direct link to the procedure.) This heads up comes courtesy of Ryan Carrier, ISA CCST III, and an IT pro at Fraser Papers Inc.

“My worst experience with spyware? How about spyware (or maybe it was a virus) that replaces the host file so you can’t go to Microsoft, Symantec and other sites you need to remove it. If you repair the host file, it gets replaced again! Shuts down the browser when certain words are typed in Google (like ‘virus,’ ‘spy,’ etc.). And it disables Task Manager and any [other] program that looks like a task manager. I was eventually able to find one that wasn’t recognized by the spyware,” recalls Carrier. “The fix ended up being a combination of spyware detection tools, a task manager not recognized by the virus, going into safe mode and a pinch of luck!” Carrier says.

Prevention Through Privileges

Many spyware problems result from users running Windows with full administrative privileges, says reader Rick Lobrecht. He urges IT managers to set up accounts with normal user privileges. “Your spyware problems will disappear,” he says.

Paul Witting is emphatic in his agreement. “DO NOT RUN WITH LOCAL ADMIN PRIVILEGES,” he writes. “I know it’s a pain, as way too much stuff still insists on having admin rights, but the difference this one little piece of preventative maintenance makes is night and day.”

Witting describes his company as having to deal “with the most nefarious corners of the Internet day in and day out.” And yet, none of its PCs have suffered an infection. He credits restricting administrative privileges for the difference.

The Microsoft Way

Microsoft offers a number of tools, including spyware blocker Windows Defender (formerly known as Microsoft AntiSpyware). It also has a new tool to protect computers used by more than one person, which reader Byron Hynes is a fan of. Hynes suggests downloading the Microsoft Shared Computer Toolkit for Windows XP. The free software helps keep users from changing settings and installing software, and it defines what changes can be made to hard drives. This tool is largely aimed at shared computers in public places such as waiting rooms and kiosks, but could be just the trick for the spyware sponges in your shop.

There’s a similar third-party tool, as well, called Deep Freeze. “This tool allows users to make whatever mischief they can get away with, after which the admin can restore the original system state. Some labs have the systems automatically rolled-back every night, to make sure everything will be working in the morning,” says a senior systems engineer who asked not to be identified.

A Virtual Solution

Several readers suggested virtualization as a solution. “I use Virtual PC with undo on,” says Dave Cline. He describes how “all changes to the virtual hard drive are dumped each time I reboot the machine,” erasing infections from the previous session.

Reader J.D. Norman, who is CTO of PCS Enterprises Inc., says virtualization simplifies his life. “Turn on snapshots, and if there is a problem, roll back to a previous snapshot,” he says. “Makes it easier to move the user to a different PC, too.”

Charles Hodgkins uses what you might call manual virtualization to keep his kids’ surfing from messing up his system. He describes two tricks: “One is to use a removable disk tray like those from Addonics. This way I keep a separate drive for the kids, which I can reformat as needed, and keep a drive for myself that I keep locked away from the kids. Another is once I get the machine set up the way I like, I create an image using Acronis True Image that I write onto several CDs or DVDs. That way, I can easily re-create a drive as required,” Hodgkins explains. “Of course, I also disable every service I can, as well as keep my computers behind a NAT router and enable software firewalls on all of them. This doesn’t stop everything, but it helps.”

Spyware Removal: The Unabridged Version
By Scott Davidson

Here is my standard removal procedure, up-to-date as of the new year:

1. System Restore—ask how long the problem has occurred and whether the user made any major changes to the system since then. If it’s a new problem surfacing in the last few days, roll it back two weeks. This fixes some of the nastiest problems cold. Explain that System Restore does not affect data like documents and music, but any programs installed in the last couple weeks will need to be reinstalled. This is an overlooked and very useful tool for all problems, not just spyware.

2. Boot into Safe Mode w/Networking, go to Control Panel then Internet Options. Delete temporary Internet files, cookies and clear history. Set Internet zone security back to Default if it’s on “Custom.” Check “Trusted Sites” zone and make sure it’s clear (sometimes spyware will add their sites to it). Check Cookies setting, make sure it’s Medium, not “Accept all cookies.”

3. Uninstall all known spyware programs you see in Control Panel Add/Remove Programs. Sometimes they demand Internet access to remove themselves, which is why we’re using Safe Mode w/Networking. Make sure the user is not using these programs. I had a customer who was annoyed that I removed his Alexa toolbar.

4. Run the latest CWShredder, owned by Trend Micro for the moment. Takes one minute, can help.

5. OPTIONAL, only for severe infestations: Install and update Ad-Aware. Scan and clean. Install and update Spybot, without using their TeaTimer or active protection. Scan and clean.

6. Run HijackThis and take out all suspicious-looking items, looking them up on Google if needed to make sure they’re not legitimate programs.

7. Reboot in normal mode and install Microsoft AntiSpyware, update, scan, clean.
Handy Tools

Today’s anti-spyware tools usually do a great job blocking the nasties, and as such, you should have plenty of this software on hand (and installed!). Here are a few of the tools Redmond readers enjoy.

John Richardson, it seems, has used them all. He has applied HijackThis, Spybot S&D [Search & Destroy], Ad-Aware, Microsoft AntiSpyware and Bullet Proof Soft on a customer’s PC infected with more than 20 different Trojans and numerous spyware infections. Richardson, an MCSE BCNTS and BCCTS who is owner of Austin, Texas-based computer support firm BrainWerkz, also singles out EWIDO as an important tool. “This was a slow process (taking three-plus hours to complete) that ran exclusively under Safe Mode and worked wonders. As there were two separate accounts on the Windows XP Pro system, I made sure to run the apps under both profiles to catch any lurking bugs,” he says.

A good rule of thumb is a layered approach, just as with firewalls, anti-virus, and anti-spam. IT Specialist Charles Olin has a set of tools he likes to use when combating threats. “I generally use three or more spyware removal tools: SpyBot Search & Destroy, Lavasoft’s Ad-Aware Plus, and Trend Micro’s Anti-Spyware. I also use avast! antivirus software, which also finds malicious spyware. The company also has what they call their BART CD (Bootable Antivirus & Recovery Tools CD),” explains Olin, who also suggests switching to the Firefox Web browser.

“It is so much easier to keep spyware from ever entering the box than cleaning it up afterward,” says Systems Administrator Eric Wallace. He urges people to use Javacool’s SpywareBlaster, which uses the ActiveX “kill bit” to lock-out known spyware programs. He also tells users to never log on as an Administrator unless installing software. “It’s not a panacea,” he says, “but just these two steps will probably make a huge difference in anyone’s spyware arrival. Prevention is the key!”

Wallace goes a few steps further. “I only browse with Firefox with AdBlock extension and Filterset.G, which prevents ads and spyware-type content from loading. Then I run a couple of other anti-spyware programs, including Lavasoft Ad-Aware and Spybot S&D, both of which have some preventive measures as well. And I’m looking into downgrading my IE and Firefox process privileges, since I’m usually logged in as an administrator—and domain privileges—when at work.”

Bill H. has also been hit with spyware, though to be fair, Bill deflects the blame. “It was my wife who caused the trouble ... lots of tension followed, of course!” Bill used HiJackThis and posted the results to a Web forum on the TomCoyote Forums Web site. “There are some very generous souls who patrol these forums and look to help the novice, spyware-infected unfortunates.”

Joanna Lovett, IT support manager with Cambridge Systematics Inc. in Cambridge, Mass., says that Zone Alarm can help as well. “I just upgraded my home computer to the latest version on Zone Alarm. It has a spyware detector and real-time protector that work pretty well. The spyware scanner found things that Ad-Aware missed on my computer,” she says.

Anti-Spyware Not Yet Perfect

While most readers run one or several anti-spyware tools, they are not a perfect solution. Stephen Nichols, IT analyst for International Truck and Engine Corp., Engine and Foundry Division, says that spyware packages like Ad-Aware often struggle to pull out spyware by the roots, in part because viruses and other grayware keep restoring the spyware. The ability of some malware to cripple virus scanner software complicates matters.

How can you clean out tough infections? Nichols plays a game of switcheroo with the malware. “I simply pop the case off the PC, plug in a hard drive of at least 4GB, make it the first bootable drive in the BIOS, and install a fresh copy of XP. After it comes up, I just need network drivers and then I can use Trend Housecall and download a fresh copy of AdAware,” Nichols explains.

Spyware Removal: The Unabridged Version (continued)

8. Reboot and browse the Web for a couple minutes, going to a few different sites, and see if you get repeated adware-style popups still. If you do, go back to HijackThis and be more heavy-handed, you probably missed something. While doing this, explain to the user how to avoid this problem in the future. “Be very skeptical of free programs, especially toolbars, search bars, shopping helpers, music download programs, bargain finders, screensaver programs, security applications, etc. Be wary of official-looking security warnings.” List the legit anti-virus and anti-spyware programs and explain that for every legit one, there are 25 charlatans. “The same scumbags who put the spyware on your computer in the first place are the ones trying to sell you a bogus anti-virus/anti-spyware program.”

9. Some of the worst kinds of spyware regenerate themselves. I’ve had to boot into Recovery Console to get rid of the root .DLL file, which regenerates the adware. Most should show up in HijackThis. If the cause does not show up in HijackThis and none of the free programs remove it, odds are it’s one of the nastier kinds that are not removable without digging deep and spending too much time. I spend about one hour on spyware removal. Back up data, format, reinstall if it’s not removable in that timeframe. What you want to avoid is spending three hours trying to remove a particularly nasty bug buried deep in the registry and then having to spend two to three hours backing up data, formatting, reinstalling because it’s buried too deep.

Davidson, owner of ARX Computers just northwest of Chicago, Ill., squishes spyware for a living.
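Three of the checks the readers above do by hand can be reported in one read-only pass: whether the session holds local Administrator rights (Lobrecht, Witting and Wallace all warn against it), whether the hosts file redirects Microsoft or security-vendor sites (the hijack Carrier describes), and which domains have been added to the Trusted Sites zone (step 2 of Davidson’s procedure). The script below is an added example, not code from Redmond or from any reader quoted here. It assumes Windows PowerShell on the machine being examined; the vendor watch list is a short constructed one, and the hosts lines it falls back to when no hosts file is present are a constructed sample.

```powershell
# Added example, not Redmond's or any reader's code: a read-only triage pass
# over three things the readers above check by hand. Assumes Windows PowerShell
# on the box being examined.

# 1. Is this session running with local Administrator rights? (Lobrecht/Witting)
function Test-IsLocalAdmin {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 2. Does the hosts file redirect update or security-vendor sites? (Carrier)
# Constructed, deliberately short watch list; a real run would load a fuller one.
$VendorDomains = @('microsoft.com', 'windowsupdate.com', 'symantec.com',
                   'mcafee.com', 'trendmicro.com', 'lavasoft.com', 'safer-networking.org')

function Find-HostsHijack {
    param([string[]]$HostsLines)
    foreach ($line in $HostsLines) {
        $trimmed = ($line -replace '#.*$', '').Trim()   # drop comments
        if ($trimmed -eq '') { continue }
        $parts = $trimmed -split '\s+'
        if ($parts.Count -lt 2) { continue }
        foreach ($hostName in $parts[1..($parts.Count - 1)]) {
            foreach ($vendor in $VendorDomains) {
                # A default hosts file carries only localhost, so any mapping of a
                # vendor name, wherever it points, is worth a look.
                if ($hostName -like "*$vendor") {
                    [pscustomobject]@{ Address = $parts[0]; HostName = $hostName }
                }
            }
        }
    }
}

# 3. Which domains sit in IE's Trusted Sites zone? (Davidson, step 2)
function Get-TrustedSiteEntries {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem -Path $base -Recurse) {
        foreach ($scheme in $key.GetValueNames()) {
            # Each value under a domain key holds the zone number; 2 = Trusted Sites.
            if ($key.GetValue($scheme) -eq 2) {
                $rel = ($key.PSPath -replace '^.*\\Domains\\', '') -split '\\'
                [array]::Reverse($rel)       # keys are stored as domain\subdomain
                [pscustomobject]@{ Domain = ($rel -join '.'); Scheme = $scheme }
            }
        }
    }
}

# --- report ---
"Running with local admin rights: $(Test-IsLocalAdmin)"

$hostsPath  = if ($env:SystemRoot) { Join-Path $env:SystemRoot 'System32\drivers\etc\hosts' }
$hostsLines = if ($hostsPath -and (Test-Path $hostsPath)) { Get-Content $hostsPath } else {
    @('# constructed sample shaped like the hijack Carrier describes',
      '127.0.0.1    localhost',
      '127.0.0.1    www.symantec.com',
      '127.0.0.1    update.microsoft.com')
}
$hits = @(Find-HostsHijack -HostsLines $hostsLines)
"Suspicious hosts entries: $($hits.Count)"
$hits | Format-Table -AutoSize

"Trusted Sites zone entries:"
Get-TrustedSiteEntries | Format-Table -AutoSize
```

Run it from the account that normally uses the PC, since the zone map lives under HKCU and the admin check is about that user’s session. On the constructed sample it reports two suspicious hosts entries; a clean machine should report none and an empty Trusted Sites list unless the shop has deliberately added sites there.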
“I can get 99 percent of the junk off the system this way. After that I just remove the hard drive and voila, clean PC!”

Nichols takes the clean drive idea a step further, by preparing a BartPE boot disc with Ad-Aware and AVG Anti-Virus included. “I can just boot from CD to clean the hard drive,” Nichols explains. “The only caveat with this is that I have to keep updating the patterns. I could pull it off the network or off of a floppy or flash stick. It will still be faster than cleaning the PC manually or popping the cover, and I will probably be able to update the pattern, even from an infected PC.”

Spyware Silver Bullet?

A growing problem is malware that restores itself. Reader Greg Lara says you can sometimes break the cycle with a bit of preparation and quick click-work. “Once I’ve identified the executable file that needs to be deleted, I open the Task Manager and find it in the process list. In another adjacent Explorer window, I navigate to the file in question, highlight it, then press the Delete key. With the delete confirmation dialog box up, I move over to the task manager and end the process. Now I move the end process confirmation dialog box next to the file delete confirmation dialog, and in quick succession, click OK in the file dialog and then in the process dialog, usually with a combination of mouse click in one and the space bar in the other. With the timing just right, the file is deleted before the process can kick off again, and the cycle is broken,” Lara says. “This won’t work in every case, but it can jump start a cleaning session when the frustration level has reached a fever pitch.”

Safe Mode, Safe Harbor

MCP Eric Hanner takes no chances with his clients’ machines. “I have taken the approach of blast ’em and see what comes back. If I have any indication of an infestation, I start by booting into Safe Mode, update the files and run Microsoft Anti-Spyware and Ad-Aware. While I’m in Safe Mode, I also run a virus sweep.
I have never had a case where I scanned later and I was still infected. I’m not saying there aren’t some files lingering somewhere, but they apparently are not activated or are idle if they are there at all,” Hanner says.

The Manual Approach

Mike Matteucci constantly sees spyware-infected PCs in his work with PC-Network Services in Bakersfield, Calif. “As an end user, I hate spyware. As a technician, I love spyware,” he says. Matteucci claims an over 90 percent success rate in removing spyware without having to wipe the drive. The cost, however, is time. “I advise my clients/customers that it is a minimum of three days for me to have their machine. I run my in-house anti-virus along with several free spyware utilities, plus use the Internet to trace the .EXEs and .DLLs that are causing the problems,” he explains.

Matteucci offers some useful advice for PC users, including a switch to the Firefox or Netscape Web browsers, and setting up Windows Update so that it automatically kicks off in the morning, when the PC is most likely to be running, rather than at 3 a.m. “Another thing I advise customers is to manually once a day use the Norton or McAfee auto update service for their anti-virus,” writes Matteucci. “It seems that these companies—if the update is not a major threat—delay posting it on the scheduled update Web site for two to five days, and that’s when you get hit.”

Windows on Live CD: Solution or Illusion?

One reader would like to change the way that OSes, apps and data are intertwined. “Just an idea that nobody seems to be doing anything about—how about booting a live CD of Windows, and using that as your boot volume. All data could be stored on the local hard drive, but the OS and necessary apps would reside on the CD, where they couldn’t be harmed,” suggests Dennis Barr, manager of Information Technology for the Larkin Group Inc. in Kansas City, Mo.

It’s not a bad idea. Many Linux distros are available in “live” versions, which run entirely from a CD or DVD. The portability makes live distros a staple among IT professionals who use Knoppix and other live Linux packages as a system rescue and recovery platform. So, Barr asks, “if the penguinistos can do it with their OS, why can’t it be done with Microsoft’s?”

Doug Barney is editor in chief of Redmond magazine. Share your spyware-fighting tips and tricks with him at [email protected].

NEVER AGAIN

They go by many names: CLEs (Career Limiting Events); Murphy Moments; Blue Screen Memories; RUAs (Resume Updating Actions). What they all have in common is disaster. Most IT folks have at least one tale of woe, of that time when their career flashed before their eyes (those in the biz for a long time often have more than one—sometimes many more). It often starts when the help desk phones start lighting up like a Vegas casino. Users can’t connect to the network or Internet. Servers aren’t talking to each other or to you.
Then your mouth goes dry, as you realize you haven’t tested your backups for—well, you can’t remember for how long. And where is that bootable CD now that you need it?

BY KEITH WARD

Chances are you also found a solution, recovered from your error and got things shipshape again. Otherwise, you probably wouldn’t be reading this article, because your new job at the local car wash demands your total commitment. You learned a lesson, gained experience and wisdom, and have become a better IT pro as a result. But wouldn’t it be nice to learn those lessons without the near-death experience?

Our new continuing column, called Never Again, aims to do just that. Each month, we’ll present the most compelling story in print, and others will appear online. If you have a tale of technical terror you’d like to submit for this column, send in a 300- to 800-word, first-person write-up of your scariest IT moment on the job to Keith Ward at [email protected]. Now, let the nightmares begin.

Out of Service
BY RON STEWART

I work at an IT services company. Recently, we moved the servers of a rapidly growing client from their own office to a data center. We’ve performed similar server moves several times in the past, and the first few tasks went off without a hitch. We shut down the servers late on Friday afternoon, packed them up and had a bonded carrier move them to the data center. Once there, we racked the servers, reconnected them and booted them.

Our server technician watched the monitor as the first server booted, preparing to log on to each server and perform some basic tests. He waited patiently for the familiar Windows Server logon screen to appear. After several minutes went by, it became clear that something was very wrong. “Applying computer settings,” the screen read—for more than two hours, before a logon dialog box finally appeared.
Logon itself took an hour to complete. When the GUI appeared, it responded extremely slowly. In addition, no network connections were listed. The server and network techs double-checked all connections and settings, verifying that they were correct. They formed a theory that the servers needed to boot onto a network that used the IP addresses from the office LAN, with which they were still configured. The techs reconfigured the network components and restarted the servers. More than an hour later, as the servers took their sweet time booting yet again, this theory was thrown overboard.

It was now well past midnight. The team phoned the servers’ manufacturer for assistance. Discussion soon focused on how the servers’ network cards were configured to function together as a team; the vendor’s support tech suggested disabling this so the network cards could operate independently. But after doing this, the problems continued. At this point, the vendor’s support tech basically threw up his hands, telling our guys to wipe the servers clean and rebuild them from scratch. The exhausted and bleary-eyed server tech looked out of the data center’s windows, saw the dull glow of dawn on the horizon, and retained just enough good sense to inform the support tech that no, he wasn’t going to do that. He hung up, and our guys called it a night (not that much was left of it). They would return to take another crack at things the next day.

The following afternoon, our CIO called me (I should never leave my cell phone on during weekends). He briefed me on what was going on. “A fresh set of eyes might help,” he said. Could I get down to the data center as soon as possible? After making the usual apologies to my long-suffering wife, I went to ground zero. Progress was slow and frustrating.

Each server had numerous issues in addition to the brutally slow boot time: No network connections were listed; the GUI was sluggish; services couldn’t be stopped or started. Because the servers were able to boot into Safe Mode quickly, we figured the cause of the problem must have been one of the non-essential services. So we went about disabling all these services, then booted the servers normally (which now only took the usual couple of minutes) and gradually started only the non-essential services required for each server’s functionality. By midnight, all the servers save one were operational.

Everyone else went home, leaving me to work on the last non-functioning computer—an intranet Web server. As this server had been designated a low priority, we hadn’t used Safe Mode to reconfigure its services, and as the hours passed, it had eventually become accessible. With the pressure now gone, I finally had the time to analyze the services. I went through the list, and spotted the culprit behind our lost weekend. The APC PBE Agent service, after six hours, was “Starting.” I disabled that one service, rebooted, and all the problems went away. I’m pretty sure I screamed.

We made some mistakes here. First, the data center had its own huge, shared UPS, so the APC software wasn’t needed and should have been removed. Second (we discovered this later), the digital certificate used to sign the APC software had expired just the week before. (To add insult to injury, a Microsoft Knowledge Base article on this very problem appeared the following week, just a few days too late to help us.) And third, we should have performed this analysis several hours before, but we’d been too focused on restoring functionality.
Many of the lessons here are specific to this incident, but the two reminders I took away from it are: A) When it comes to technology, no change is simple, no matter how many times you’ve done it before; and B) You can save time if you take the time to work the problem, rather than letting it work you.

Ron Stewart is a senior technical consultant at Syscom Consulting in Vancouver, Canada. He has worked in IT for more than 10 years, far too much of it on evenings and weekends.

That’s a Wrap
BY RYAN WILLIAMS

I’m a consultant, so I’ve seen a lot of issues in data centers with my clients. One of the most memorable involved a client that had all their data center servers go down during some renovations. Imagine the surprise of the person sent in to check the server room when he found that the remodeling contractors had shrink-wrapped the racks of servers to keep dust out! The contractors neglected to mention that they would be doing this, so all the servers were on when they wrapped them up. Naturally, the servers overheated and shut themselves down. Luckily, none of the servers were fatally damaged. The moral of this story: When remodeling your data center, make sure the contractors are closely supervised.

Ryan Williams has more than nine years in the network integration and the professional services field. He has extensive experience in implementing and supporting Active Directory, Exchange and collaboration technologies.

Disappearing DNS
BY ERNEST FRANZEN

One of my worst experiences was finding out the ramifications of deleting our main Active Directory-integrated DNS zone. We had to move one of our domain controllers to a new IP subnet, so I changed the IP address of the DC and rebooted. After the reboot, everything looked good—except for DNS, which had a big red “X” through the zone. So, knowing that the DNS is replicated from other DCs, I deleted the zone and recreated a new zone with the same name—my thinking was that it would populate within a few minutes from one of the other DCs. Instead, the phone started ringing with users having all types of connectivity problems: Web pages wouldn’t load; e-mail was down; file and print services were down. The problem was affecting the whole corporation.

Things got louder when a support tech came in while we were starting to troubleshoot the problem. “You did what?!” he screamed. “You can’t do that! DNS is integrated within AD; that’s why it’s called an Active Directory-integrated DNS zone!” That explained what was happening. Deleting DNS at the remote site deleted DNS from all the sites. So when I recreated the zone, it replaced our existing 15,000 records with a new zone—a zone containing only the DNS record of the DC and the file and print server at the remote site. Luckily, we had a tape backup from another DC and were able to perform an authoritative restore and get back most of the original DNS records. But several others were missed and had to be created manually (let’s just say that it was a very long night).

Since that experience, I’ve had another problem with DNS corruption on a single DC that required a call to Microsoft support. I was dismayed during the troubleshooting process when the technician told me to “delete the zone.” Needless to say, I argued against this course of action—this was one lesson I learned the hard way.

— Ernest Franzen is a senior network architect for a Fortune 500 company. He holds MCSA and MCSE certifications.

Redmond magazine wishes to thank Thomas Haines and AOPA Pilot magazine for allowing us to use the title of this column without getting bent out of shape.
Mr. Roboto | Automation for the Harried Administrator | by Don Jones
Service Pack It Up

Welcome to Mr. Roboto! Most of you know me as Beta Man, but I’ve taken on a new role at Redmond. I’m strapping on a tin helmet and diving into the world of Windows automation. Let me be perfectly clear right up front—this isn’t just a scripting column. Sure, I’ll turn to scripting when it’s the right technique for the job at hand (as I have this month), but this column is primarily about the job. More specifically, this column will focus on tools and tricks for getting the job done. Sometimes that will mean a Resource Kit tool, other times a free tool from someone else, or occasionally even a script. I’ll always try to give you some additional tips on how you can tweak or extend the script, tool or whatever so you can use it for other purposes. My primary focus each month, though, will be on using the tool or script to automate a Windows administrative task and help you get the job done faster and easier.

What Windows Administrator’s task would you like Mr. Roboto to automate next? Send your suggestions to [email protected].

Download this month’s tool from www.ScriptingAnswers.com/roboto/col1.zip. Please keep this URL. That way, if problems occur, I can update the posted file more easily.

This month, I’ll focus on an often annoying task that’s hard to do without using a heavy-duty solution like Microsoft Systems Management Server: figuring out which service pack is running on a specific set of computers. First, I have to offer a few caveats. My solution uses a tool that you will run on your computer. It will use your network to contact whichever computers you specify, meaning you need to have those computers turned on and connected. You’ll also need to either turn off the Windows Firewall (or whatever local firewall you may be using) or configure it to allow remote administration traffic (specifically, the tool connects to the Windows Management Instrumentation service on each computer you target).

This script should work with NT-based computers all the way back to Windows NT 4, including Windows 2000, Windows XP and Windows Server 2003. The account you use to run the tool needs to have local administrator permissions targeted for each computer, which means you’ll probably need to run the tool as a domain admin (launch the tool using RunAs if you need to specify alternate credentials).

I wrote this tool as a VBScript, but it’s written in the WSF format, meaning you can just run it as a command-line tool. Its name is ListServicePack.wsf, and it accepts a few command-line arguments (including /?, if you need help with it) that tell it what to do. For example, if you have a text file that contains the computer names you want to check (one computer name per line in the file), run:

    ListServicePack /list:computers.txt

(or whatever the filename is). If you just want to test it with a single computer, run:

    ListServicePack /computer:MyComputer

instead. Or, if you want to try and hit every computer in an Active Directory organizational unit, run:

    ListServicePack /container:Sales

specifying the appropriate Organizational Unit (OU) name instead of “Sales;” tack on “/recurse” to process sub-OUs as well. You can also specify the “/output:filename” argument, which writes the tool’s output to the specified text file, rather than just displaying everything on-screen.
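The same job as an added PowerShell example, not Don Jones’s ListServicePack.wsf (whose VBScript source is in the download above): it mirrors the column’s /computer, /list, /container, /recurse, /ping and /output switches and adds a -RequireSP baseline check that flags machines below a required service pack level. It assumes Windows PowerShell 3.0 or later on the administrator’s workstation and, like the column’s tool, WMI reachable through each target’s firewall and an account with local administrator rights on the targets; the OU distinguished name in the parameter comment is a constructed placeholder.

```powershell
# Added example, not the column's ListServicePack.wsf: a PowerShell
# (3.0 or later, assumed) equivalent of its /computer, /list, /container,
# /recurse, /ping and /output switches, plus a -RequireSP baseline check.
# Same prerequisites as the column's tool: WMI reachable through each
# target's firewall and an account with local admin rights on the targets.
param(
    [string]$Computer,      # one machine, like /computer:MyComputer
    [string]$List,          # text file, one name per line, like /list:computers.txt
    [string]$Container,     # OU distinguished name, e.g. "OU=Sales,DC=corp,DC=example" (placeholder), like /container:Sales
    [switch]$Recurse,       # include sub-OUs, like /recurse
    [switch]$Ping,          # skip machines that do not answer a ping, like /ping
    [string]$Output,        # write results to this file instead of the screen, like /output:filename
    [int]$RequireSP = 0     # minimum service pack major version; 0 disables the check
)

$targets = @()
if ($Computer) { $targets += $Computer }
if ($List)     { $targets += Get-Content -Path $List | Where-Object { $_.Trim() -ne '' } }
if ($Container) {
    # Enumerate computer objects in the OU through ADSI (no RSAT module needed).
    $searcher = [adsisearcher]'(objectCategory=computer)'
    $searcher.SearchRoot  = [adsi]"LDAP://$Container"
    $searcher.SearchScope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }
    $searcher.PageSize    = 1000     # page results so large OUs are not cut off at 1,000 entries
    $targets += $searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] }
}
if (-not $targets) { throw 'Specify -Computer, -List or -Container.' }

$results = foreach ($name in $targets) {
    $name = $name.Trim()
    if ($Ping -and -not (Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{ Computer = $name; OS = ''; ServicePack = ''; Status = 'unreachable (no ping reply)' }
        continue
    }
    try {
        # Win32_OperatingSystem holds the service pack level: CSDVersion is the
        # readable string ("Service Pack 2"); the numeric field is what we compare.
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        $spMajor = [int]$os.ServicePackMajorVersion
        $spText  = if ($os.CSDVersion) { $os.CSDVersion } else { 'none' }
        $status  = if ($RequireSP -gt 0 -and $spMajor -lt $RequireSP) {
            "BELOW BASELINE (SP$RequireSP required)"
        } else {
            'ok'
        }
        [pscustomobject]@{ Computer = $name; OS = $os.Caption; ServicePack = $spText; Status = $status }
    } catch {
        # Typical causes: firewall blocking WMI/DCOM, machine powered off, no admin rights.
        [pscustomobject]@{ Computer = $name; OS = ''; ServicePack = ''; Status = "error: $($_.Exception.Message)" }
    }
}

if ($Output) {
    $results | Format-Table -AutoSize | Out-File -FilePath $Output -Width 200
} else {
    $results | Format-Table -AutoSize
}
```

Save it as, say, Get-ServicePackLevel.ps1 and run `.\Get-ServicePackLevel.ps1 -List computers.txt -Ping -RequireSP 2 -Output sp-report.txt` to get the same kind of report the column’s tool produces, with machines below SP2 called out.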
If you run the script on an XP or 2003 machine, specifying the “/ping” argument will help reduce the wait time for computers that aren’t available. The tool has some other goodies, too. Run it with “/?” to get a complete breakdown of what it can do. This is a great, easy-to-use tool for quickly checking the service pack level on a number of machines. If you’re a VBScript fan, feel free to crack it open and play with it. Otherwise, just use it as-is to help make your administrative life a little bit easier. Domo arigato.

— Don Jones is a columnist and contributing editor for Redmond magazine, and the founder of ScriptingAnswers.com. His latest book is Windows Administrator’s Automation Toolkit (Microsoft Press). Reach Don at [email protected].

WindowsInsider | Greg Shields
Down the Winding InfoPath

I hate forms in Microsoft Word. I really do. You know what I’m talking about—those nasty little grey boxes that make text hard to read, jump around when you hit the Tab key, and sometimes delete too much when you try to Backspace. Not long ago I decided I’ll never use Word 2003 forms again. So, when handed yet another project that needed them, I chose to look into Microsoft’s least-understood Office tool: InfoPath 2003.

Offered as a stand-alone product or bundled with Office Professional Enterprise Edition, InfoPath is an XML-based forms design tool with tight constraints on how your form conforms to an established XML schema. Whether you submit your form to a database or save it as an XML file on a file share or SharePoint server, starting a project in InfoPath is a lot like Microsoft Access. Before you ever begin designing, you must understand the data you’re collecting and how you want it stored. That being said, here are six quick tips I learned that’ll come in handy as you create your first InfoPath project.

1. Create Your Data Source First
For simple forms that won’t submit to a database, creating your XML schema is easy. As an example, open InfoPath and choose to design the sample Status Report form. You’ll see that text boxes in the form map to fields in the Data Source. This is a key factor in forms design. Before you create any text or check boxes on your form, you must already have an existing entry in the data source where that box’s data will be stored. In forms that don’t attach to databases, you create new fields in the data source by selecting the folder group and then clicking the Add… button (see Figure 1).

Figure 1. The singleName text box in the form design maps to the singleName field in the form’s Data Source.

2. To Database or Not to Database
Where it gets harder is when you want to submit your forms to a database. InfoPath supports direct database connections only to SQL Server and Access databases, and won’t allow you to submit your forms if the database has a many-to-one relationship between related tables. Forms that submit to a database seem more difficult because you can’t directly add or remove fields in the data source from within InfoPath. Fields in your data source are completely constrained by the columns in your database. Need a new field in your form? Create a new column in your database and update the SQL query in your Data Connection. If you’re using SQL Server as the database for your form, consider linking the form to a SQL View rather than directly to a table. This makes it easier to manipulate the view if you need to make a change, as well as making it easier to apply security to your database.

3. Drop and Give Me 20!
Drop-down list boxes can be a little tricky. There are three ways you can populate a drop-down list box:
• Manual entry in the drop-down’s properties
• Use a lookup table stored inside the form’s code
• Use a secondary lookup to a database
Of these, the lookup to the database is the most useful, and also the most complicated. To populate a drop-down list from a database table, you’ll want to create a Secondary Connection to a lookup table in your database and populate the entries from that Secondary Connection. What’s not immediately obvious—and annoying—is InfoPath’s inability to restrict that lookup to just a single instance of each entry in your secondary lookup. If you’re seeing doubles in your drop-down list box, you’ll need to create an XPath filter expression that eliminates the duplicates. Do this with the following expression (substituting your lookup column’s attribute name for <Column Name>):

    not(. = ../preceding-sibling::*/@<Column Name>)

4. Donning Your Input Mask
If you’re used to Access, you’re probably familiar with the friendly input mask feature that forces data into a predetermined structure—like when you want to force phone numbers to be stored as (XXX) XXX-XXXX. InfoPath doesn’t natively have that capability, but you can cheat it using Data Validation. Though InfoPath Data Validation won’t prepopulate the field’s mask characteristics, users will be forced to enter data in the correct format or the form will reject it. You can do this by double-clicking on a text box in your form, selecting Data Validation…, and then Add…. In the Data Validation dialog box, select Does Not Match Pattern from the second drop-down box and Select a Pattern from the third. You’ll be given a few example patterns, like our phone number example above, or you can create your own by using \d to represent any digit or \p{L} to represent any letter. Make sure to enter an error message to alert users when an entry doesn’t match the pattern. Because InfoPath doesn’t pre-populate the mask characteristics, you’ll probably want to inform your users of the correct pattern for that text box. Do this by entering your pattern as a Placeholder on the Display tab of the text box properties, as shown in Figure 2.

Figure 2. Use InfoPath Data Validation to display an error when users enter data in an incorrect format.

5. Trust Me
While simple forms that lack VBScript- or JScript-coded events don’t require certificates, any form that interfaces with a computer’s WMI (Windows Management Instrumentation interface) does. For example, if you want to store the Active Directory username of the person filling out the form to a field in your form, you can create an OnLoad event that does this with the following snippet of code:

    ' Runs when the form loads and writes the logged-on user's name into a form field.
    Sub XDocument_OnLoad(eventObj)
        ' WScript.Network exposes the current user's logon name
        Set wscNet = CreateObject("WScript.Network")
        ' Replace <group> and <field> with the group and field names from your Data Source
        XDocument.DOM.selectSingleNode("/my:<group>/my:<field>").text = wscNet.UserName
    End Sub

InfoPath’s strict security model won’t allow the form to interface with the local computer’s WMI unless the form is considered Fully Trusted. To do this, you’ll need to sign your form with a trusted code signing certificate:
• If you don’t already have one, build a Certificate Server and generate its root certificate.
• Then, create a Group Policy that adds that certificate to the Trusted Root Certification Authorities container on your machines.
• Create a code signing certificate with an exportable private key.
• Finally, in the Design View of your form, select Tools | Form Options | Security, sign the form with your code signing certificate and set the security level to Full Trust.
Users will be prompted with a window requiring them to trust the certificate when they first attempt to load your signed form.

6. Feels Like the First Time
Sometimes, even a complete install of Office 2003 won’t properly configure the client machine to make it easy for new users, who will get a dialog box asking them if they want to save the file or open it from its current location. To eliminate the dialog box, you can use Group Policy to configure your machines to automatically open the form. Do this by creating a Group Policy startup script that calls regedit /s GPStartupScript.reg. Then, create a GPStartupScript.reg file with the following syntax:

    Windows Registry Editor Version 5.00

    ; Tell Windows that InfoPath form templates are safe to open directly
    [HKEY_CLASSES_ROOT\InfoPath.Solution.1]
    @="Microsoft Office InfoPath Form Template"
    "EditFlags"=dword:00010000
    "BrowserFlags"=dword:00000008

Even with this startup script, you may still have some client requirements for your InfoPath forms to work. Make sure that all your clients have a recent version of both the .NET Framework and the Microsoft Data Access Components installed.

Diamond in the Rough
Although it’s still a little rough around the edges and its GUI has some annoying quirks, InfoPath gets high marks as a useful tool for creating XML-based forms for both small business and the enterprise. Unfortunately, in trying to be everything for everyone, it ends up with a pretty hefty learning curve. My advice: Start small. It’s incredibly easy to build forms that don’t integrate with SharePoint, SQL, Access or Web services. Once you’re familiar with the basics of InfoPath, you can add a little scripting and a database back-end and never again experience the pain of Word’s grey boxes.

— Greg Shields, MCSE: Security, CCEA, is a senior systems engineer for Raytheon Co. in Aurora, Col. He’s a contributing editor to Redmond magazine and frequently speaks at TechMentor events. You can reach him at [email protected].
SecurityAdvisor | Joern Wettern | Roberta Bragg
That Isolated Feeling

Traditional IT security relies on assigning different levels of trust to different network zones. A more effective solution is to rely on trust between computers, instead of trusting the networks they’re connected to. Domain isolation and server isolation leverage Windows capabilities to reach this goal.

A Matter of Trust
Chances are that your current network consists of the main internal network, and one or more demilitarized zone (DMZ) networks. Maybe there are a few tightly controlled networks with limited access, such as one that connects the research department’s computers. In addition, you might have branch office networks connected over WAN links, but computers on them have full access to your internal network, so they really belong to the internal network from a security point of view.

When we analyze the security functions of a network, physical infrastructure becomes secondary. Instead, we often think about security zones and agonize over which zone should contain a network resource, or how to best control traffic between these zones. We know that the Internet is entirely untrustworthy; even in our wildest dreams, we wouldn’t connect a server directly to that malware playground. If we need to allow someone to access a server from the Internet, we routinely place the server into a DMZ and use a firewall to tightly control and monitor access to it. We trust the DMZ more than the Internet, but not enough to allow unrestricted communications between it and our internal network. If such connections are required, we use another firewall to further restrict and monitor them, because we only want to allow network packets that we trust on our internal network.

This trust seems to be justified because, in addition to using firewalls, we make sure that only legitimate users get access to this internal network. We try to keep intruders out by authenticating users, using selective permission assignments on file servers, and requiring an employee badge for entering a building with network taps. Figure 1 illustrates this type of network design, which allows any computer considered part of the internal network to communicate with any other computer—because the internal network is trusted.

Figure 1. On a typical network, computers on the internal network all trust each other. This can be a problem when an outside, possibly compromised computer is introduced to this network segment. (Zones shown: Internet (No Trust) | Firewall | DMZ (Partial Trust) | Firewall | Internal Network (Full Trust).)

This philosophy of network segmentation has been the de facto security standard for a long time, and most corporate networks rely on it. Looking at the network as a set of security zones can be useful, but relies on the often-unrealistic assumption that access to the network is tightly controlled. Instead, many internal networks include a variety of computers: managed clients at corporate headquarters; home computers connected over a VPN; the laptops of outside consultants or visiting customers; a kiosk computer in the lobby; wireless users inside the building and in the coffee shop across the street; and so on. Because all computers on a typical network like this shouldn’t be trusted equally, it’s a dangerous practice to trust based on zones.

Divide and Conquer
One way to restore the trust in your network is to further divide it.
For example, you could create a separate network for the accounting department and disallow access to it for VPN and wireless clients. Readily available tools for such segmentation include firewalls, routers and VLANs (virtual LANs), but each of these tools has its own shortcomings:
• Large-scale, effective VLAN deployment requires all switches to support this type of segmentation.
• Routers make decisions based on IP addresses and ports.
• Firewalls can be expensive and difficult to manage.
And none of these solutions can protect you against an employee who plugs a virus-infected personal laptop computer into the corporate network.

802.1x: Not Just for Wireless
A better method for ensuring trust in your network is to require computer authentication when connecting to your network infrastructure, then restricting which authenticated computers are allowed to connect. This is commonly done for wireless clients by using 802.1x-based access control. The wireless clients need to be configured with a certificate or some type of shared secret before the wireless access point (WAP) allows any network packets to be transmitted across the network (note that 802.1x can also be used for regular wired connections). Windows supports this out of the box, and many recent switches have 802.1x support built in. 802.1x can be an effective method for ensuring that only authenticated computers and devices can send and receive packets on your network—if an employee plugs a personal laptop into a hub, or a visiting sales representative plugs a computer into the conference room’s network tap, they’ll be stopped at the switch. 802.1x can be an effective solution, but the resulting administration work, the need for an existing PKI (Public Key Infrastructure), and the scarcity of devices that support it often put an end to any plans to implement 802.1x company-wide.

Domain Isolation
Domain isolation tries to accomplish a goal similar to 802.1x, but with a different method. Instead of preventing untrusted computers from sending and receiving network packets, it relies on your trusted computers to ignore such traffic. You’re essentially treating your entire network as if it’s untrustworthy, and letting your trusted computers make decisions about whether to trust computers with which they’re communicating, independent of the network. This creates a security domain of trusted computers which can securely communicate across a network that may not be entirely trusted. Figure 2 shows how only computers in this trusted domain can talk to each other.

Figure 2. Using domain isolation, trusted computers ignore communications from untrusted computers, no matter which network segment they’re on, or which security zone they’re in. (Internal Network: Domain Members Only Talk To Other Domain Members.)

Using domain isolation instead of network-based security models has several advantages:
• It’s much more flexible.
• It can be rolled out incrementally, at a pace that works for you.
• It will probably require no additional hardware.
If you have an existing Active Directory infrastructure and most of your computers are running Windows 2000 or higher, you already have the two tools you need for domain isolation: IPsec and Group Policy. IPsec, which takes care of the authentication, is built into all versions of Windows since Win2K. Group Policy, which allows you to implement domain isolation across a large number of computers, is a core component of AD.

The Many Uses of IPsec
IPsec (IP Security) is a standard for securing IP communications at the network layer. Unlike Secure Sockets Layer (SSL), which secures application data, IPsec was designed to be completely independent of the application and handle all IP packets at the network layer. IPsec has many security uses:
Virtual Private Network (VPN) tunnels: This is the most common use for IPsec. It can provide encryption and packet integrity checking for a VPN tunnel, either for client connections or site-to-site tunnels. Many vendors have implemented IPsec in their VPN solutions.
Authentication: Microsoft is one of the few vendors that has fully supported the use of IPsec for any type of network connection, and not just VPN tunnels. The Windows IPsec driver, part of the network stack, can perform authentication of a remote computer before IP packets are further processed by the stack. Microsoft supports shared secrets, certificates and Kerberos for authentication.
Encryption: IPsec can be used to encrypt network traffic (but this isn’t required—you can require authentication without encryption). Encrypting packets provides confidentiality for all network traffic, and you get this even if the application you use doesn’t provide encryption itself. IPsec has a built-in mechanism for negotiating encryption algorithms and exchanging encryption keys.
Integrity: Packet integrity ensures that a network packet hasn’t been altered since it was sent. IPsec can detect such alterations and automatically drop packets that have been changed in transit.
— J.W.

IPsec to the Rescue
IPsec is a versatile network security protocol (for a refresher on IPsec, see the sidebar “The Many Uses of IPsec”). IPsec authentication occurs much earlier than resource access authentication. When a computer authenticates a user who wants to access a shared folder, a network connection has already been established. But IPsec authentication occurs even before the first network packets, excluding the authentication traffic itself, can be sent or received. IPsec authenticates computers and not users.

When used as part of domain isolation, an IPsec policy on each computer determines how it will communicate with other computers. For example, you can require that two computers authenticate each other before exchanging any network packets. The policy can also include exceptions based on ports or IP addresses. The most basic form of domain isolation uses an IPsec policy that instructs client computers and servers in your AD domains to process network packets only from computers within the same AD. IPsec can use shared secrets, certificates or Kerberos. Of these options, Kerberos is the clear choice if your infrastructure is Windows-based.
Shared secrets aren’t secure, and certificates can be difficult to deploy and administer. Kerberos, on the other hand, can be used by domain members to authenticate each other without any additional administration or configuration. Configuring IPsec separately on each computer is a waste of manpower. Instead, configure a Group Policy for all your clients that includes the IPsec policy designed to accomplish your authentication goals. You can apply this 60 | March 2006 | Redmond | redmondmag.com | policy to all computers in a domain or Organizational Unit (OU), but you can also easily configure exemptions for computers that should accept unauthenticated connections, such as connections from non-domain members. Designing such exemptions will probably require the most work during the planning phase; but unless all your computers are running Windows and are AD members, there will likely be times you’ll have to allow non-authenticated connections, like allowing a consultant to connect to a server from a laptop, or enabling users to access corporate resources over a VPN from home. Next Time: Isolating Servers Keeping unauthenticated computers off your network is only the first step. Malicious actions can originate from authenticated computers, and I often find that I want to tightly restrict which computers can connect to critical resources, such as servers that contain payroll data. Also, when the access involves confidential data, and the application I’m using has no built-in encryption, I often want to encrypt the data at the network layer instead. Server isolation is an IPsec-based scheme to accomplish these goals by building on the principles of domain isolation and going several steps beyond it. Next month I’ll show you how to use server isolation by itself or in conjunction with domain isolation to increase security. I’ll also provide more details on using IPsec and group policy to achieve your security goals. 
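The Group Policy-deployed IPsec policy and the exemptions the column describes, written out as an added example that is not from the article and not Microsoft's own documentation. The column's Windows 2000/XP/2003 tooling was the IP Security Policy snap-in; this example uses the Windows Firewall with Advanced Security connection-security cmdlets that exist on Windows 8 / Windows Server 2012 and later and implement the same design: Kerberos computer authentication, require authentication inbound, request it outbound, and explicit exemption rules. The GPO name corp.example\Domain Isolation and the domain controller, VPN and consultant subnets are assumptions for illustration.

```powershell
# Added example: domain isolation via Group Policy with the NetSecurity cmdlets.
# Run from a management host that has the Group Policy RSAT tools, as a user
# allowed to edit the GPO. Everything below the comment markers "assumed" is
# made up for the example.

$Gpo = 'corp.example\Domain Isolation'   # assumed: existing GPO linked to the member computers' OU

# 1. Main-mode authentication: computer Kerberos only. Domain members prove
#    their identity with the machine account they already have; no PKI and
#    no shared secret is needed, which is the point the column makes.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' `
    -Proposal $kerbProposal -PolicyStore $Gpo

# 2. Baseline rule for all traffic on the domain profile.
#    InboundSecurity Require is what makes a member ignore packets from a
#    computer that cannot authenticate. OutboundSecurity Request lets members
#    still talk to non-members (printers, the Internet) so the policy can be
#    rolled out incrementally without breaking them.
New-NetIPsecRule -DisplayName 'Domain isolation - all traffic' `
    -Mode Transport -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -PolicyStore $Gpo

# 3. Authentication exemption rules (InboundSecurity None / OutboundSecurity
#    None) for peers that cannot participate. A more specific rule wins over
#    the all-traffic rule above. Addresses are assumed.
$exempt = @{
    # A member needs a Kerberos ticket from a DC before it can authenticate
    # anyone, so DC traffic must not itself require IPsec.
    'Domain controllers' = '10.0.1.0/24'
    # Remote users' VPN pool: the column's "VPN from home" case.
    'VPN client pool'    = '10.200.0.0/16'
    # The column's visiting consultant with a non-member laptop.
    'Consultant subnet'  = '10.0.50.0/24'
}
foreach ($name in $exempt.Keys) {
    New-NetIPsecRule -DisplayName "Exempt - $name" `
        -Mode Transport -Profile Domain `
        -RemoteAddress $exempt[$name] `
        -InboundSecurity None -OutboundSecurity None `
        -PolicyStore $Gpo
}
# ICMP is usually exempted as well so that ping-based troubleshooting keeps working.
New-NetIPsecRule -DisplayName 'Exempt - ICMPv4' `
    -Mode Transport -Profile Domain -Protocol ICMPv4 `
    -InboundSecurity None -OutboundSecurity None `
    -PolicyStore $Gpo

# 4. Verification on a member after the GPO has applied (gpupdate /target:computer /force):
#    the rules actually in effect, and the main-mode SAs, i.e. which peers authenticated.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA | Format-List
```

Scope the GPO to a pilot OU first and watch Get-NetIPsecMainModeSA on a member: a peer that should be a domain member but never shows an SA is either not joined, cannot reach a domain controller for a ticket, or is covered by one of the exemptions. Two caveats a practitioner should keep in mind: the protection comes from Require on the inbound side, since Request outbound means a member still falls back to clear text toward a host that does not answer the negotiation (the rogue laptop can receive what members send it, but cannot open connections to them); and every exemption is a hole in the isolation boundary, which is why the column says designing them is where the planning effort goes.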
— Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He's written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide. You can reach him at [email protected].
REDMOND magazine (ISSN: 1553-7560, USPS: 0015-657) is published monthly by 101communications LLC, 9121 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. © 2006 by 101communications. All rights reserved. The information in this magazine has not undergone any formal testing by 101communications and is distributed without any warranty expressed or implied; implementation or use of any information contained herein is the reader's sole responsibility.
Foley on Microsoft
By Mary Jo Foley
Is Microsoft Buying into the Web 2.0 Hype?

Sometimes, it pays to be a follower. That's what I thought, at least when it came to Microsoft and Web 2.0. Microsoft has been slow to jump on the latest Internet bubble bandwagon, which offers up utopian visions of the emerging Internet as a vastly integrated and self-improving platform. I had high hopes that the company could avoid being caught up in the web of hype around Web 2.0. But with the advent of this month's Microsoft Mix '06 event in Las Vegas, I'm starting to wonder.

While Microsoft doesn't mention "Web 2.0" explicitly in its conference materials, the company is undeniably jockeying to cash in on the hot Web 2.0 themes: AJAX development, RSS monetization, "Conversations" as opposed to "Conferences," and so on. That sinking feeling in my stomach got a bit stronger when I read some recent remarks by Gary Flake, the head of Microsoft's newly unveiled Live Labs. According to Nathan Weinberg, who runs the "Inside Microsoft" blog, Flake is prone to use terms like "macro-ization" of computing, "Internet singularity" and (the dead giveaway of too much 2.0-ism) The Long Tail.

It's tough to accuse Microsoft of Web 2.0 pandering without providing a more complete definition of Web 2.0. Many have tried, but few have latched onto something tangible. O'Reilly Media founder Tim O'Reilly attempted a concise definition that goes like this: "Web 2.0 is the network as platform, spanning all connected devices; Web 2.0 applications are those that make the most of the intrinsic advantages of that platform: delivering software as a continually updated service that gets better the more people use it, consuming and remixing data from multiple sources, including individual users, while providing their own data and services in a form that allows remixing by others, creating network effects through an 'architecture of participation,' and going beyond the page metaphor of Web 1.0 to deliver rich user experiences." (And yes, for those of you counting, that was one sentence. So much for brevity.)

All I can say is, I know Web 2.0 shucksterism when I see it. It's almost always promoted by vendors sporting inane names and venture capitalists and journalists who happily rode the last Internet Bubble wave. It's fraught with companies with half-baked ideas and flimsy business plans.

Now that you know how I really feel, you can see why I am loath to watch Microsoft become a big Web 2.0 backer. I don't think Microsoft can or should ignore the Web. Microsoft made a major mistake in the early 1990s when Jim Allchin trumped Brad Silverberg, who had urged Microsoft to open Windows to the Web. With the announcement of the Microsoft Live initiative last year, the company is finally recovering from Allchin's effort to preserve the Windows franchise against all threats. But being Web savvy doesn't mean jumping on every Internet scheme that floats down the pike. There has to be discernment between fly-by-night fads and real technology changes that affect the future of computing.

Microsoft needed to integrate its evolving services platform with its shrink-wrapped software, as it plans to do via the Live strategy spearheaded by Chief Technology Officer Ray Ozzie. But it doesn't need to swallow any Web 2.0 snake oil in the process.

What say you, readers? Is Microsoft in danger of succumbing to the siren call of Web 2.0 and its backers? Or do you think Microsoft could benefit from a little more Web 2.0 thinking? Write to me at [email protected] and let me know what you think.

GetMoreOnline: Learn more about Web 2.0 by following our links to additional resources, including O'Reilly's definition and the Microsoft Mix '06 blog. FindIT code: Foley0306 at redmondmag.com.

— Mary Jo Foley is editor of Microsoft Watch, a Web site and newsletter (MicrosoftWatch.com), and has been covering Microsoft for about two decades. You can reach her at [email protected].

64 | March 2006 | Redmond | redmondmag.com |