
FEBRUARY • $5.95

Vista? Viva
Readers: Vista Not Worth It—Yet
Vista 3-D Apps Are Coming (Slowly)
Are Vista’s Gains Worth the Pain?
Web 2.0 Players Take the Battle to

Google Ratchets Up Its Desktop Plans
Ethical Hackers: A Fact of IT Life

REDMONDMAG.COM FEBRUARY 2007

ADVERTISEMENT Workplace Trends in the 21st Century

Today, organizations rely heavily on computing technologies to manage their business workload. But with the rising cost of business, the increasing globalization of all business processes and the continuing need to remain competitive, businesses of all sizes have begun to change the way they work. One of the most significant of these changes is the move to telework—the ability to work from remote locations that are not necessarily under corporate control. In a report released in 2005, the International Telework Advisory Council (ITAC) found that out of 135.4 million American workers, more than 33 percent were working from home. Of these, ITAC estimated that about 26.1 million do it at least one day per month and some 22.2 million at least once a week. Today, teleworking is continuing on an upward trend with more and more organizations supporting it.

The Power and Limitations of

Another major trend is the use of Microsoft Active Directory (AD) and its corresponding Group Policy Objects (GPOs) to manage connected endpoints. With its extensive settings and controls, Group Policy provides an extremely powerful engine for the management of every aspect of a system’s configuration from compliance to security baselines.

Group Policy is not the be all and end all of object management in Windows. That’s because GPOs are only effective with connected systems or systems that are part of a specific network and are members of a specific Active Directory structure. Disconnected systems usually fall out of the scope of AD management. Disconnected systems range far and wide (see Figure 1) and can include:
• Systems that are part of a connected network, but are subject to GPO mismatches.
• Systems that belong to road warriors or employees that spend long periods out of the office.
• Branch offices or offices that are connected to the directory through slow links.
• Guest logins or logins to the internal network from systems that are not members of the AD structure.
• Offshore outsourcing teams which have their own network but must connect to yours for extended periods of time.
• Teleworkers, which may include users working from home on either corporate or personal equipment or employees working from public computer systems.

Each of these situations can lead to systems that are non-compliant because they do not have appropriate corporate settings.

Figure 1. Potential Disconnected Systems

The Arrival of

Group Policy remains very powerful and, with the coming of Windows Vista, will boast more than 800 new settings, bringing the total number of settings to 2,450. What’s more, Vista will also change the way Group Policy is processed, using a new, independent processing engine that is now separate from the login system. This should help alleviate some of the problems previous editions of Windows had with Group Policy.

Organizations won’t move to Vista overnight, but one thing that all public sources tend to agree on is the manner in which organizations will migrate. There are two: forklift or attrition. The first involves a massive project that migrates all systems at once. The second relies on regular hardware refreshes to migrate systems as new hardware is introduced into the network. Hardware refreshes are usually performed on a three- or four-year cycle. This means that organizations choosing this method will need to manage mixed client environments for at least two to three years.

This can be significant, especially in light of the changes Microsoft has introduced to Group Policy in Windows Vista. Prior to Windows Vista, all GPO definition templates used an ADM file format—pure text files that were organized in a structured manner. With Vista, Microsoft is introducing the ADMX format—a format based on the Extensible Markup Language (XML) which provides much richer content for GPO templates. ADMX templates are now language-independent, globalizing Group Policy settings. The ADMX format is incompatible with the ADM format, meaning that environments managing a mix of Windows 2000 and/or XP with Vista will need to either translate their existing templates to ADMX format or create new ones. They will also need to carefully manage mixed GPO content to make sure they do not cause more problems than they solve.

Solving Disconnected Management Problems

Whether you’re working with Vista or not, you need to make sure your systems and the systems that connect to your network are compliant at all times. There are several potential solutions to the issues disconnected systems present when it comes to compliance control.

• First, you should try to leverage the investments you make in Group Policy.
Group Policy is very powerful, but designing a complete compliance strategy based on GPOs can be challenging and time-consuming, especially if you do it from the ground up. One of the best ways to do this is to document each GPO. But, as you may know, tools such as the GP Editor in Windows or the Group Policy Management Console (GPMC) do not offer the ability to document the content of a GPO, though the GPMC at least will report on the settings it includes. Most organizations have opted for the use of other tools—for example, Microsoft Excel spreadsheets—to document the purpose and content of each GPO they produce.

• Second, you can rely on local Group Policy to control disconnected clients.
Local GPOs give you a lot more control over computers that may or may not be connected to an AD structure. And while previous versions of Windows only included a single local Group Policy, Windows Vista has the ability to include more than one local GPO on each computer system. It applies these local GPOs in layers. As in previous versions of Windows, the first layer applies it to the computer system. The second applies it to a local group, either the Administrators or a Users group. The third can apply a local policy to specific local user accounts.

• Third, you can rely on third-party solutions to manage policies at all times.
The best solution is to fully rely on your AD and Group Policy investments but leverage them on all possible computer systems that interact with your network. For this, you’ll need third-party solutions—solutions that can extend the power of Group Policy to support all of the disconnected scenarios. One excellent example of this type of solution is the endpoint policy management products from FullArmor Corporation. These tools let you extend your existing policies and consistently apply them to both connected and disconnected endpoints. In addition, they provide support for the management of mixed Vista and non-Vista environments by supporting bidirectional ADM to ADMX conversions.

Part two of this series will address how these solutions can help your organization maintain a fully compliant state in any connected or disconnected situation. If you’re interested in solving the disconnected management challenge, then don’t miss this second part.

Resources:

ITAC survey: www.workingfromanywhere.org/news/pr100405.htm.

Best practices information on how to design an Active Directory for object management: www.reso-net.com/Documents/007222343X_ch03.pdf.

How to minimize the number of GPOs in your network while providing complete management services: Download “Redesigning GPO Structure for Improved Manageability” at www.reso-net.com/download.asp?Fichier=P73.

Microsoft licensed an ADM to ADMX conversion tool from FullArmor Corporation: This free utility is available at www.fullarmor.com/ADMX-download-options.htm.

Information on endpoint policy management products: www.fullarmor.com.

ABOUT THE AUTHORS
Danielle Ruest and Nelson Ruest are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books and are currently working on the Definitive Guide to Vista Migration (www.realtime-nexus.com/dgvm.htm) for Realtime Publishers as well as the Complete Reference to Windows Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.

For a more in-depth overview of the new workplace trends, read the white paper at http://redmondmag.com/techlibrary/fullarmor

1.800.653.1783

Uncontrolled use of USB sticks, MP3 players and PDAs opens up your network to data theft and viruses

Control user access to all devices connected to your network with GFI EndPointSecurity

You have invested in network anti-virus software, firewalls, email and web content security to protect against external threats. Yet any user can come into the office, plug in a USB stick and take in/out over 32 GB of data. Users can take confidential data or they can unknowingly introduce viruses, trojans, illegal software and more – actions that can affect your network and company severely. Yet, as an administrator you had no way to control this until now!

GFI EndPointSecurity allows administrators to centrally manage user access to devices such as iPods, USB sticks, PDAs, laptops and more. Controlling user access to such connectable devices allows you to:
• Protect your network by ensuring users don’t introduce viruses and other malware
• Stop the alarming rate of insider data theft
• Increase employee productivity by preventing them from bringing other work, games or personal projects to their workplace
• Prevent users from introducing illegal or unauthorized software on their machines.

Get full reports on devices usage – including actual filenames transferred to and from devices! The GFI EndPointSecurity ReportPack is a full-fledged reporting add-on to GFI EndPointSecurity. This reporting package can be scheduled to automatically generate graphical IT-level and management reports based on data collected by GFI EndPointSecurity, giving you the ability to report on devices connected to the network, device usage trends, files copied to and from devices (including actual names of files copied!) and much more.

Download your FREE trial version from www.gfi.com/res/

tel: +1 888 243 4329 | fax: +1 919 379 3402 | email: [email protected] | url: www.gfi.com/res/

Redmond FEBRUARY 2007
The Independent Voice of the Microsoft IT Community

Contents

COVER STORY
Laying the Groundwork for Vista
Vista will be a complex installation, but there are a handful of tools that can help ease your pain.

REDMOND REPORT
Google Takes Aim at the Desktop
Company to fortify Apps Domain platform.
Standing Up to MOM
Argent not shy to take on Microsoft.
The Low Down Process, Process

FEATURES
Will Vista’s New Look Attract Developers?
Adoption of Windows Presentation Foundation key to delivery of 3-D applications.
Google’s Descendants
Innovative Web 2.0 firms are storming the next IT battleground.
It’s 10 O’Clock. Do You Know Where Your Hacker Is?
IT pros have reservations, but ethical hackers are becoming a fact of life.

REVIEWS
Product Reviews: Reach Out and Watch Your Network
Longitude’s agent-less architecture gives you a flexible solution for network monitoring.
Reader Review: Vista Not Quite Compelling Enough—Yet
Most early users are taking a “wait and see” approach to Vista.
Redmond Roundup: Web-Filtering: Deal or No Deal?
Getting the most out of any solution will require vigilance on your part.

COLUMNS
Barney’s Rubble: Doug Barney
Who Will Not Wear the Ribbon?
Mr. Roboto: Jeffery Hicks
Members Only
Greg Shields
Vista’s ADMX Marks the Spot
Security Advisor: Joern Wettern
Does Vista Matter?
Foley on Microsoft: Mary Jo Foley
Windows Vista Down; On to Windows 7?

ALSO IN THIS ISSUE: Redmond Magazine Online | [email protected] | Ad and Editorial Indexes

COVER ILLUSTRATION BY RYAN ETTER

Redmondmag.com FEBRUARY 2007

MCPmag.com
Windows Vista Exams Go Live in February

Microsoft is set to release several new exams for Windows Vista-related certifications some time in February, but one in particular—70-624 TS: Deploying and Maintaining Vista Client and Office System 2007 Desktops—requires a fairly broad set of skills to get through. In an MCPmag.com review, Andy Barkl says that candidates “should be prepared to face questions on such diverse technologies as ISA, SQL and SharePoint.”

Andy Barkl reviews two other exams for MCPmag.com in February: 70-620 TS: Configuring Windows Vista Clients, and 70-622 TS: Installing, Maintaining, Supporting and Troubleshooting Applications on Windows Vista Client-Enterprise.

See the latest exam reviews from MCPmag.com. FindIT code: MCPExamRvs

TCPmag.com
Salaries Up for Cisco Pros

According to TCPMag.com’s latest Internetworking salary survey, the average salary of IT professionals who hold a Cisco certification is up significantly from a few years ago. At the top of the scale, those holding Cisco’s flagship Cisco Certified Internetwork Expert (CCIE) title are now averaging a bit more than $116,000—up from $102,000 in 2004. Those with the Cisco Certified Network Professional (CCNP) are averaging around $88,000, and those with Cisco’s Certified Security Professional reported an average salary of approximately $94,000. Experience, location and many other factors go into these averages.

Find out more about the results. FindIT code: TCPSS2004

Questions with ... Lafe Low

Lafe Low, Redmond’s executive editor of reviews, is also very involved in developing the technical seminars for our TechMentor conferences. We asked Lafe about what attendees can expect at our upcoming show in March in Orlando, Fla.:

What’s new this spring at TechMentor?
Lots of Vista and lots of Exchange 2007. [There’s the] coming migration to Exchange 2007, [and] there will be an overtone of Vista throughout everything.

Why do you think TechMentor has so many repeat attendees?
I think that speaks to the quality of the presenters—not just their technical knowledge, which never ceases to amaze me, but also their teaching style.

What do you like most about going to the TechMentor conferences?
The chance to really bond with our readers—to hear what they’re thinking, what they like and don’t like about the magazine. That’s pure gold.

PHOTO BY IRA WYMAN

Quotable

Does the world pivot around Vista, or will Vista have to pivot around the world?
and IE leader Brad Silverberg, in a recent interview with Redmond Developer News. [Read the full article. FindIT code: RDNSilver]

REDMONDMAG.COM RESOURCES
Resources: Enter FindIT Code
>> Daily News: News
>> E-Newsletters: Newsletters
>> Free PDFs and Webcasts: TechLibrary
>> Subscribe/Renew: Subscribe
>> Your Turn Editor Queries: YourTurn

REDMOND MEDIA GROUP SITES: Redmondmag.com • RCPmag.com • RedDevNews.com • MCPmag.com • CertCities.com • TCPmag.com • ENTmag.com • TechMentorEvents.com

4 | February 2007 | Redmond | Redmondmag.com

Barney’s Rubble by Doug Barney

Who Will Not Wear the Ribbon?

Remember Twin, or the late Adam Osborne’s VP Planner? If so, congratulations on surviving the ’80s. If not, you’re probably pierced, tattooed and think Windows 98 came from the Stone Age.

These two short-lived spreadsheets mimicked the character mode interface of the original Lotus 1-2-3. While it might seem pretty horrid today, twenty years ago that UI was the cat’s pajamas (not sure who owns the copyright to cat’s pajamas so I’ll take my chances using the term).

Lotus wasn’t happy with the 1-2-3 clones and repeatedly sued to protect its look and feel, as well as its macros and even @functions, if I’m not mistaken.

I thought suits like these were deader than an armadillo on Route I-40 in Amarillo. But what seems like the deal of the decade could bring these suits back, and then some.

Microsoft put millions of dollars and thousands of man-hours into building the well-regarded Office 2007 ribbon interface—and it wants to give the UI to its friends free of charge. This way custom apps, ERP front-ends, productivity and more will all look and feel the same. This shortens the end-user learning curve and shrinks the time it takes corporate developers to design apps. Vendors like Infragistics are ready with a helping hand and tools that make this development a snap.

That’s the good news. But blogs and my brain have been filled with the not so good news. For developers, the license is pretty restrictive. You have to follow Microsoft’s guidelines—which means you can’t improve the interface! If everyone follows these guidelines, the only group that can define what is state of the art is Microsoft.

What happens if you don’t follow guidelines? Will you have to throw out all your work when Microsoft barristers come armed with cease and desist orders?

Another issue is more troubling: Competitive products can’t use the UI. Two things concern me. Microsoft is competing with more and more vendors, including its third party partners. What happens if Redmond enters your market after you’ve built your tool? Meanwhile Redmond is making noise about protecting its patents through lawsuits—if you get too close to the ribbon and don’t have a license, watch out.

This could split the market into Microsoft and its friends—who all work well together—and the rest, whose software looks like it comes from a different planet.

The real worry is that look and feel lawsuits could come back in spades, making the old Lotus suits look like a landlord dispute on “The ’s Court”! Microsoft is already talking about protecting its intellectual property, but does it, or anyone else, own the ribbon interface? You tell me at [email protected].

Redmond
THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY
REDMONDMAG.COM FEBRUARY 2007 ■ VOL. 13 ■ NO. 2

Editor in Chief: Doug Barney
Editor: Ed Scannell
Executive Editor, Reviews: Lafe Low
Executive Editor, Features: Carolyn A. April
Managing Editor: Wendy Gonchar
Editor, Redmondmag.com: Becky Nagel
Associate Managing Editor: Katrina Carrasco
Contributing Editors: Mary Jo Foley, Jeffery Hicks, Greg Shields, Joern Wettern

Art Director: Brad Zerbel
Senior Graphic Designer: Alan Tao

Group Publisher: Henry Allain
Editorial Director: Doug Barney
Group Associate Publisher: Matt N. Morollo
Director of Marketing: Michele Imgrund
Creative Director: Scott Shultz
Senior Marketing Manager: Tracy S. Cook
Senior Web Developer: Rita Zurcher
Marketing Programs Manager: Videssa Djucich
Editor, ENTmag.com: Scott Bekker
Editor, MCPmag.com: Michael Domingo
Associate Editor, Web: Gladys Rama
Intern: Michelle Rutledge

President & CEO: Neal Vitale
CFO: Richard Vitale
Executive Vice President: Michael J. Valenti
Director, Financial Planning and Analysis: Bill Burgin
Director, Circulation and Data Services: Abraham Langer
Director, Information Technology: Erik Lindgren
Director, Web Operations: Marlin Mowatt
Director, Print Production: Mary Ann Paniccia
Controller: Janice Ryan
Director of Finance: Paul Weinberger
Chairman of the Board: Jeffrey S. Klein

The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher.

PHOTO ILLUSTRATION BY ALAN TAO

Seamless failover.

Never miss a beat.

Keeping Users Connected.

Whether your company is a start-up or a Global 100, system downtime always harms your reputation, profitability and productivity. With Neverfail, users stay continuously connected to their applications no matter when, where or why a failure occurs in the server environment. We deliver “cluster-class” disaster recovery, data protection and high availability software solutions at a significantly lower total cost and complexity. With automatic failover response measured in seconds rather than minutes, and no user or IT management intervention needed, anything less is a lesser solution. Designed for Windows-based applications, Neverfail’s comprehensive suite of award-winning software solutions will help ensure that your business is always up and running and never misses a beat.

To make your business a more productive — and profitable — enterprise, visit neverfailgroup.com for your free white paper, The Future of Business Continuity, a white paper from the Patricia Seybold Group that discusses affordable solutions that eliminate disruptions of any kind. Or, better yet, email us today to join companies all over the world who have chosen Neverfail for the most effective disaster recovery, data protection and high availability solutions in the industry.

Keeping Users Connected. www.neverfailgroup.com [email protected]

EXCHANGE • SQL SERVER • FILE SERVER • IIS • SHAREPOINT • BLACKBERRY • LOTUS DOMINO

[email protected]

There Ain’t No Such Thing as a Free Lunch

Here’s an addition to Greg Shields’ “Cool Tools that Rule—and They’re Free!” article [December 2006]: A utility I find helpful for a variety of tasks is Ultraedit (www.ultraedit.com). It’s basically a text editor with syntax highlighting, macro capability, file-conversion tools (ASCII-EBCDIC), text-binary display and more. It’s very powerful and not very expensive (though not free).
Mike Hines
Lafayette, Ind.

Safety First

Regarding the November Reader Review (“Microsoft Virtual PC: Good Enough—for the Price”), VMware and Virtual PC are just proof of concepts in the “safe” layer.

What we need is a boot environment before any that does the job, either in the BIOS or bootstrap, which allows us to boot into profiles or OSes as easily as a user logon. A place where our hardware can be back in our control. Drives, memory, processors and networks could all be allocated to an environment and kept safe from other environments.
Andrew Muller
Ballarat, Victoria, Australia

Creative Licensing

Thanks for the excellent article on virtualization in the December 2006 issue [“Can You Cash In with Virtualization Licensing?”]. I cover licensing for Directions on Microsoft, and it’s always nice to see someone else tackling this difficult topic.

One thing that I might place more emphasis on is Datacenter (DC) server. The rules have changed a bit for this, and it promises even more economies. Before, DC was licensed through special OEMs, but it’s now available on the volume products list to run on any hardware. It’s sold on a per proc basis and costs about $3,000 per proc. If you can get eight virtual machines (VMs) on one DC machine, the operating system licensing works out to less than $400 per VM, compared with about $600 per VM on an Enterprise Server where you get four “free” OS instances. When we’re talking about eight VMs, we’re talking about saving $1,600 per machine.

Another small angle on this relates to hardware vendors. VMs and this type of licensing opportunity could generate a lot of interest in premium hardware. In the case I just mentioned, I could spend another $1,000 on the hardware and still save money. However, I can’t spend it on additional procs without incurring the cost of an extra DC license. So that’s where the calculations can get complicated.

I can run a single edition of enterprise edition on eight procs, I believe, so if you need a lot of CPU per VM that could be cheaper. On the other hand, if you don’t need a lot of CPU time per VM and can cram a lot of VMs on one high-end CPU, Datacenter might be the better choice.
Paul DeGroot
Kirkland, Wash.
[Ed. note—Paul DeGroot writes the Directions column in Redmond’s sister publication, Redmond Channel Partner.]

Defender Beta Flaw

I read Doug Barney’s column [“Vista Flaw Found, No Surprise There,” Jan. 2 Redmond Report Newsletter] and it’s well enough talking about Vista, but my worries about security were enlarged by the notice on all of my Windows 2000 servers stating that the Defender Beta had finished and I should click on the link to update the software. What it didn’t say was that you can’t update. So, all of us using Windows Server 2000 of whatever flavor have succumbed to a marketing snafu. It’s not as if it would be difficult to allow Defender to work, because it was working until that very second when the message appeared on the screen. Welcome to Dec. 31 indeed. And now what?
Paul Dickins
Ottawa, Ontario, Canada

Whaddya Think?!

Send your rants and raves to [email protected]. Please include your first and last name, city and state. If we use it, you’ll be entered into a drawing for a Redmond t-shirt!

ILLUSTRATION BY PHILIP HOWE


Announcing a breakthrough in automatic technology

NEW

FEATURING NEW!

Enhancing Performance — Automatically™

Diskeeper 2007 marks the dawn of the first ever truly automatic software of its kind. As automatically as the sun rising, with Diskeeper 2007 deployed your systems will run faster – period. Through the use of brand-new InvisiTasking™ technology, Diskeeper eliminates potential problems on the fly, IN REAL TIME without affecting system resources or intruding on system demands.

Moving beyond the concept of “Set It and Forget It,”® Diskeeper 2007 represents a quantum leap in system performance and reliability. Simply install the software — Diskeeper takes care of the rest.

New! Real-time defragmentation automatically and transparently handles fragmentation as it occurs providing maximum system performance at all times!

I-FAAST™ 2.0 (Intelligent File Access Acceleration Sequencing Technology) dramatically increases file access by up to 80% above and beyond the improvement of defragmentation alone.

Terabyte Volume Engine™ 2.0 – Powerful defragmentation for high capacity & high traffic servers with disk volumes containing hundreds of thousands to millions of files (e.g. NAS, RAID, and SAN). Also allows unobtrusive, thorough free space consolidation on busy 24/7 servers.

FragShield™ dynamically prevents fragmentation of critical system files, maintaining system stability and reliability.

Automatic online directory consolidation boosts anti-virus scans and back-up speed.

Every system will benefit from Diskeeper 2007. A site-wide Diskeeper installation will improve performance and reliability on all your systems.

Experience the dawning of a new era in automatic system performance and reliability – get Diskeeper 2007 now!

A truly invisible system maintenance technology.
InvisiTasking provides truly transparent system maintenance by intelligently enhancing operating system multitasking to ensure continual maximum system performance and zero resource conflict even during periods of highest demand. InvisiTasking is the foundation for Diskeeper to eliminate fragmentation in real-time without affecting system resources or intruding on system demands.

SPECIAL OFFER: Try New Diskeeper 2007 Free For 45 Days!
www.diskeeper.com/r2007
(Note: Special 45 day trial only available at the above link)

Volume licensing and Government and Education discounts are available from your favorite reseller or call: 800 829-6468 code 4387

©2006 Diskeeper Corporation. All Rights Reserved. Diskeeper, Enhancing File System Performance – Automatically, InvisiTasking, Terabyte Volume Engine, FragShield, I-FAAST, “Set It and Forget It” and the Diskeeper Corporation logo are registered trademarks or trademarks of Diskeeper Corporation in the United States and/or other countries. Diskeeper Corporation • 7590 N. Glenoaks Blvd. Burbank, CA 91504 • 800-829-6468 • www.diskeeper.com

Defragment Every Drive On Your Enterprise Without Leaving Your Chair (Or even lifting a finger)

PerfectDisk Command Center™ Perfection Made Automatic

Introducing

Recognized as the world’s most powerful defragmenter, PerfectDisk has always been the secret to faster, more reliable computers. Now, with a powerful new suite of enterprise tools, PerfectDisk 8.0 takes disk defragmentation to the farthest reaches of the enterprise, while placing total control right at your fingertips.

Are you sitting down? Good. Because with the PerfectDisk Command Center™ you can easily deploy, configure and manage the defragmentation of every system on the enterprise... all from the comfort of your own desktop. And that’s just the beginning.

Our all new enterprise reports deliver valuable performance statistics and at-a-glance graphical displays that track and identify any fragmentation issue on any managed computer, and much more.

In addition, PerfectDisk’s patent-pending Resource Saver™ technology finds file fragmentation without having to first open the file, further reducing any system impact of defragmentation. And new disk and CPU throttling provide even greater control over resources.

What’s more, Raxco’s exclusive AutoPilot Scheduling™ provides automatic defragmentation at the optimal time for each user. And AutoPilot Scheduling’s Screen Saver Mode enables idle-time defragging at user-defined intervals. (There’s really nothing to it.)

And features like our Single File Defrag and Consolidate Free Space Defrag (part of PerfectDisk’s Space Restoration Technology™) are particularly valuable for users working with supersize files.

Give your users reason to stand up and cheer. And while PerfectDisk 8.0 is busy keeping each computer in tip top shape, you can sit back and simply take the credit. For the details and a free demo, visit www.pd8command.com

• Centralized Management And Reporting
• Patent-pending Resource Saver™ Technology
• Exclusive Space Restoration Technology™
• Exclusive AutoPilot Scheduling™

1-800-546-9728

www.raxco.com June 8, 2004 May 24, 2005 PerfectDisk 6.0 PerfectDisk 7.0

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. PerfectDisk is a registered trademark of Raxco Software. PC Magazine Editors’ Choice Award Logo is a registered trademark of Ziff Davis Publishing Holdings Inc. Used under license. All other product names mentioned herein are the trademarks of their respective owners.

RedmondReport

Google Takes Aim at the Desktop Company to fortify Apps Domain platform.

Google is taking a leading role in turning software into services online. Between its own internal development and last year’s acquisitions of JotSpot and Writely, the search giant has put together a palette of office productivity and collaboration applications that appeal to both corporate users and consumers. Two of the executives overseeing these applications sat down with Redmond magazine. Jonathan Rochelle, product manager of Docs & Spreadsheets, and Rajen Sheth, product manager of Google Apps for Your Domain, detailed Google’s application strategy.

Q: What is the general strategy for Google’s business applications and where do you see it going?
Sheth: As product manager of Google Apps for Your Domain, which consists of Gmail, the and Google Talk, I see this as our platform for bringing Google technologies and other services to organizations. So far many small businesses, universities and other organizations have put their e-mail service in our hands and collaborate using our services. We give them the ability to customize their applications, control their user base and essentially run it like it’s their own service. Later this year we’ll start to bring this to larger businesses as well. We feel the technologies we’re building are valuable to not only consumer end users but all end users, whether they’re sitting in an office or are at home. We want to find ways to bring those technologies to everyone.

Q: So what sort of penetration have you had in business compared with consumers?
Sheth: We launched Google Apps for Your Domain as a beta back in August and we already have tens of thousands of domains. We have seen a substantial uptake of these services over the last few months, with interest being shown among businesses of all sizes.

Q: So your success has been equally divided between smaller businesses and enterprise accounts?
Sheth: A little bit of both, to be honest. Enterprises will take a longer time to get rolling because they have existing infrastructure and can’t shift on a dime. But we have a lot of smaller companies that have taken it on whole hog and adopted it right away. All of these organizations are looking at this Web 2.0 space and the concept of host applications and realizing there are a lot of benefits it can bring. We have also seen a strong uptake in the educational space as well. Lots of universities are thinking about why they have to run this expensive infrastructure for collaboration, maintaining it themselves.

Q: How are the larger IT shops bringing you in? Are they using your apps on a departmental basis or via pilot projects?
Sheth: It depends on the organization. We see certain organizations thinking about them as future applications, so they will deploy to a department or deploy a set of pilot users. Others look at them as a way to enable e-mail for users that never had e-mail before. We are seeing a surprising amount of that, too.

Q: Do you feel you have a lead here in terms of technology over Microsoft with its Live offerings?
Rochelle: Not necessarily. This is so early in the maturation cycle of these applications. But this is what makes it so exciting and why there’s so much innovation. There’s so much innovation still to come that anyone, really—not just Microsoft and Google—but someone could come from nowhere and just do this in a way that’s a little bit different and catches users’ attention. Or maybe does it vertically within a certain space. It’s easier to create applications like this than it used to be. Almost anyone could do some interesting things here. We’re not saying we’re going to supplant desktop software, we’re just saying we have an interesting way to collaborate.

Q: Do you see this Web 2.0 area primarily as the domain of the desktop application? Or do you see server applications playing a more prominent role at some point?
Rochelle: I don’t think there’s a way to describe these as either desktop or server apps. I think of Docs & Spread-

[Photo caption: Jonathan Rochelle, Product Manager, Google Docs & Spreadsheets]

| Redmondmag.com | Redmond | February 2007 | 11 0207red_RedReport11-14.v11 1/17/07 10:35 AM Page 12

RedmondReport

sheets as server apps. It actually exists on the server and it just happens to Standing Up to MOM download transient code to the desktop. Q: What is your tools strategy? Argent not shy to take on Microsoft. Rochelle: On the spreadsheet side we introduced new tools in Decem- By Doug Barney Andrew Blencowe, ber. They are consistent with some of he word “argent” can mean CEO, Argent our other , allowing RSS feeds many things: the tincture of and syndication as well as deeper APIs Tsilver, a semi-successful 1970s to write these vertical apps. They use English rock band, or—for our pur- the spreadsheet as the basis, so you poses—a Microsoft-focused systems could have a collaborative list of your management vendor whose biggest favorite restaurants in the background competitor is Microsoft itself. on the spreadsheet, but I can write an The company was launched in New app that lets people search that or add York in 1990 by data to it. We give those tools to PowerBroker feisty Australian- developers to enhance things. APIs born CEO Andrew the same—timidity about the 900 are a way to extend the app without us Blencowe, who remains CEO 16 years pound gorilla is a mistake in our having to do it all. later. Argent was built with an aggres- view,” Blencowe insists. sive support model in mind. This approach speaks volumes about “The original concept is the same as the corporate culture. “Let’s just say the concept today. It’s based on the we’re not candidates for any political premise that most software companies correctness award,” Blencowe says. If are staffed by arrogant incompetents,” Blencowe is to be believed, his company Blencowe explains. “Software is such would be an HR director’s nightmare, an amazing medium to work in. 
as it’s staffed by “the usual mixture of Because it’s so flexible, so fungible, it defrocked preachers, boat sinkers who very quickly invites hubris and arro- claim insurance, psychopaths, toothless gance—make the sale, screw the cus- ex-junkies and others normally found in Sheth: The other part of this, too, is tomer. Argent’s foundation has always technology companies.” that we recognize [that] people will been to provide more support than a The company is now rewriting its have a lot of existing infrastructure customer needs, which is a novel con- monitoring tools in .NET, a project there and so we’re building a variety of cept in the software industry.” code-named Mobar set to bear fruit infrastructure APIs as well. For exam- Blencowe so believed in his idea that late this year. Under this plan, there ple, let’s say you have an Active Direc- he took no outside capital and suffered will no longer be separate Web and tory system: You can leverage that to through the recession of 1991. That GUI interfaces. The rewrite will also control users rather than shifting to November, the company lost some support remote debugging and diag- something else and leveraging that for $128,000 on sales of less than $10,000. nostics. Further down the road the authentication. We have similar types Today Argent has 400 employees, four .NET version will allow Argent to sell of APIs that can co-exist with existing locations and a couple thousand cus- its software as a service. mail servers you might have. tomers. It will need all of this bulk to Argent is also developing a series of Q: With the dawning of the Web compete with Microsoft, whose customer steering committees, a formal 2.0 age, have the ground rules Microsoft Operations Manager (MOM) way for customers to help drive future changed regarding buy vs. build? tool (now Systems Center Operations product designs, features and directions. Sheth: The only thing that’s Manager 2007) is aimed squarely at And as for the name? 
Blencowe was changed is there are a lot more players Argent’s market. But Argent is hardly looking for something that would make that rise up on the buy side. If you look shy about standing up to Microsoft. it to the top of the Yellow Pages. “I at the cool Web 2.0 apps that have “As my old Australian Rules football wanted a name that started with A to risen up out there, they virtually came coach, and a former player, used to say: get the top of alphabetic indexes, and from nowhere. The cycle has shortened ‘I hate playing against Psycho’—my something easy to spell. We were lucky so much that it always behooves us to pet name on the team—‘because he is enough to get the domain Argent.com look out there and ask what’s been always on you ... He’s not the best registered early.” done and what’s working and what player, he’s just one that hits you the So how often does Argent talk to users are responding to.— hardest.’ Our approach to Microsoft is Microsoft? Pretty much never.—


The LOW DOWN
By Lafe Low

Process, Process

In these days of doing more with less, solid process development and management is less of a luxury and more of a necessity. So it should come as no surprise that business process management (BPM) has been getting a lot of attention of late. Both Forrester and Gartner have recognized BPM vendors—one Windows-based and one open source—in their market reports.

In its recently released market assessment, called The Forrester Wave, the Cambridge, Mass.-based market researcher recognized webMethods for its Fabric product suite and overall market strategy in the BPM world. Forrester praised webMethods for realizing “the significance of XML interactions.”

The report continues, “Since that time, [webMethods] has expanded its scope to include enterprise application integration, electronic data interchange and, most recently, business process management.”

Gartner just published a First Take on open source BPM developer Intalio. In its report, the Stamford, Conn.-based analyst firm states that “users wanting support for BPM initiatives would have to rely on commercial BPM vendors. As the technology matured—and market acceptance increased—prices climbed, making it difficult for novices to get hands-on experience in requisite BPM technology skills.”

It sounds like business process management is no longer the sole province of the Fortune 500. BPM for the masses!

Out with the Old

There are many things you can do with all those old machines as you replace them. Sell them to another company, or move them down to some non-essential department that has been screaming for “new” computers. If you wait too long, though, you might just be better off recycling them. While that’s the right thing to do if you’re not going to resell or reuse them, it can also be a huge hassle.

The Electronics Industry Alliance (EIA) hopes to make that process a bit easier. The EIA’s Web site (www.EcyclingCentral.com) features an online guide to electronics recyclers and other options for technology disposal across the country. Developed by EIA’s Environmental Issues Council, the E-Cycling Central Web site has the scoop on where to find electronics recycling, reuse and donation programs in all 50 states. You can search for local and national options for managing used electronics. There’s also a list of recommended questions to ask a recycler to ensure they’re properly handling used electronics, information on the economic impact of recycling electronics products and how properly disposing of used technology can protect privacy.

Clean Slate

Completely erasing a hard drive can be a little more involved than you think. And with Vista deployments looming in the near future, you may need to take some of your machines down to bare metal.

BluestSoft’s DiskDeleter USB 2.2.0 is a handy little tool for quickly and completely cleaning off a system’s hard drive. Just plug in the USB device and it’s as good as done. You can also accomplish the same thing using just the software. Start the cleaning wizard while Windows is running and it will take you through the steps. It supports just about any flavor of Windows, and Unix, and it performs pretty quickly as well. BluestSoft claims that it takes about 21 seconds to erase 1GB.

DiskDeleter’s erasure methods are based on the U.S. Department of Defense DOD 5220.22-M directive for clearing and sanitizing disk drives, which ensures unrecoverable removal of data. If it’s good enough for DOD data, it ought to do the trick.

Upgrade Now

Everybody likes something for free, right? If you use Grisoft’s AVG Anti-Virus Free Edition 7.1, you just got a bit more time to upgrade to version 7.5. Product support for the free edition, which also lets you upgrade, was originally set to expire on Jan. 15, but Grisoft just extended that deadline to Feb. 18. So if that’s one of your anti-virus tools, get with it and upgrade soon at http://free.grisoft.com. Version 7.5 is Vista-ready and has improved built-in heuristics, NTFS data-stream scanning, smaller update files and a new interface. And yes, it’s free.

Lafe Low is Redmond’s executive editor of reviews. Reach him with any company or product scoop at [email protected].


Mr. Roboto Automation for the Harried Administrator | by Jeffery Hicks

Members Only

While browsing through a number of different support forums recently, I’ve seen numerous requests for an automation solution to the same specific problem. Never fear—Mr. Roboto has heard the call and is on the case.

Here’s the situation: You have a certain user who needs to become a member of the local Administrator group on a specific computer. As the administrator, you need to maintain unique granular control of the local group membership. Usually, a Group Policy object configuring restricted groups is the best way to handle this type of issue. But how can you set a unique policy for multiple computers without a great deal of Group Policy administration? What solution is the easiest to implement and manage?

The solution I developed uses a VBS script designed to run as a startup script, along with a little Active Directory configuration. I’m well aware that there are many other ways to solve this problem, especially with third-party tools. But I wanted to present you with a solution that’s flexible, simple and—most importantly—free. It’s certainly not a one-size-fits-all solution, but it can help you out in particular situations.

Upgrade to Admin

Here’s how this works: For every computer you’re managing, add the name of the user who you’re going to make a local administrator to the description property of the computer accounts in AD. The format should be domain\username. You can also specify a group, as long as you keep to the same format. This is required for the script, but it also lets you specify users or groups from trusted domains. If you want to specify multiple users or groups, separate each one with a comma. For example, to make jhicks and the Techs group local administrators of XPDESK01 in the MYCO domain, find the computer object. In the description field enter myco\jhicks,myco\Techs.

Get the Update Local Admin script (see “Roboto on Demand”). Create a Group Policy object that runs this as a startup script. Link the Group Policy object to the highest container so you can have it applied to all the modified computers. You could safely link it to the domain level if all your computer objects have either a blank description or one defined with user and group names. If you leave the description field blank, the script will quickly run but won’t do anything. Otherwise, it will parse out each name or group in the description field and try to add it to the local administrator’s group.

The script will log an event in the local computer’s application log in the event of an error or when a user is added. If the user already exists, the script keeps going. The only ongoing management is modifying the description field when you add a new computer to the domain.

This script is flexible enough for you to modify it to configure membership lists of the local Power Users group or any other local group. However, the script isn’t a panacea. As it’s written, it only adds users to the Administrators group. It cannot remove users (although I might add that feature at some point). I’m also assuming you have the Description property available. If you’re using Description for other purposes, you could rewrite the script to use another computer object property. However, you’d have to develop a tool or script to expose that property, as Description is the only property in AD Users and Computers that’s available by default.

As with any automation solution, especially one involving Group Policy, I strongly urge you to test it thoroughly in a non-production environment. It’s better to be safe than sorry when it comes to these types of changes.

Jeffery Hicks, MCSE, MCSA, MCT, is the co-author of “Advanced VBScript for Administrators” (Microsoft Press 2006), “Windows PowerShell: TFM” (Sapien Press 2006) and several training videos on administrative scripting. Reach him at [email protected].

Roboto on Demand

If you’d like to download the Update Local Admin script, just log on to: http://jdhitsolutions.com/scripts

What Windows admin task would you like Mr. Roboto to automate next? Send your suggestions to [email protected].
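Because the startup script described above adds whatever names appear in the Description field and never removes members, anyone who can edit that field decides who becomes a local administrator, and stale members accumulate. The PowerShell below is an added example, not the Update Local Admin script or any code from the author: it validates a description value and reports drift between it and the group's actual membership. The function names, the domain allow list, the baseline list and every sample value other than myco\jhicks, myco\Techs and XPDESK01 are assumptions constructed for illustration.

```powershell
# Added example (hypothetical helper names, constructed sample data).

function ConvertFrom-AdminDescription {
    # Split a description value such as 'myco\jhicks,myco\Techs' and
    # classify each entry as valid or rejected, with a reason.
    param(
        [string]$Description,
        [Parameter(Mandatory = $true)][string[]]$AllowedDomains
    )
    $seen = @{}
    foreach ($raw in ($Description -split ',')) {
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }   # blank description: nothing to do
        $reason = $null
        # Require exactly one backslash with a non-empty domain and name.
        if ($entry -notmatch '^(?<domain>[^\\,]+)\\(?<name>[^\\,]+)$') {
            $reason = 'not in domain\name format'
        }
        elseif ($AllowedDomains -notcontains $Matches['domain']) {
            $reason = "domain '$($Matches['domain'])' is not on the allow list"
        }
        elseif ($seen.ContainsKey($entry.ToLowerInvariant())) {
            $reason = 'duplicate entry'
        }
        else {
            $seen[$entry.ToLowerInvariant()] = $true
        }
        [pscustomobject]@{
            Entry  = $entry
            Valid  = ($null -eq $reason)
            Reason = $reason
        }
    }
}

function Compare-LocalAdminMembership {
    # Report members the description asks for but the group lacks (Missing)
    # and members present in the group that nothing accounts for (Unexpected).
    param(
        [string[]]$Expected = @(),   # valid entries from the description
        [string[]]$Actual   = @(),   # current members of the local group
        [string[]]$Baseline = @()    # members expected on every machine
    )
    $want = @($Expected) + @($Baseline)
    [pscustomobject]@{
        Missing    = @($want   | Where-Object { $Actual -notcontains $_ })
        Unexpected = @($Actual | Where-Object { $want   -notcontains $_ })
    }
}

# Constructed input: the article's example value plus three bad entries.
$description = 'myco\jhicks, myco\Techs, jsmith, other\contractor, MYCO\jhicks'
$parsed = ConvertFrom-AdminDescription -Description $description -AllowedDomains 'MYCO'
$parsed | Format-Table -AutoSize

# Constructed membership list for XPDESK01. On a live machine running
# Windows PowerShell 5.1 or later it could instead be read with:
#   (Get-LocalGroupMember -Group 'Administrators').Name
$actual   = 'XPDESK01\Administrator', 'MYCO\Domain Admins', 'MYCO\jhicks', 'MYCO\oldtemp'
$baseline = 'XPDESK01\Administrator', 'MYCO\Domain Admins'

$expected = @($parsed | Where-Object Valid | ForEach-Object Entry)
$drift = Compare-LocalAdminMembership -Expected $expected -Actual $actual -Baseline $baseline
"Missing   : $($drift.Missing -join ', ')"
"Unexpected: $($drift.Unexpected -join ', ')"
```

With the constructed data, jsmith, other\contractor and the repeated MYCO\jhicks are rejected, myco\Techs is reported as missing and MYCO\oldtemp as unexpected; the comparison is case-insensitive, as account names are on Windows.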


ProductReviews

Reach Out and Watch Your Network Longitude’s agent-less architecture gives you a flexible solution for network monitoring.

By Rick A. Butler

Heroix Longitude version 4.0
Pricing starts at $300 per managed server
Heroix | 800-229-6500 | www.heroix.com

Many system management utilities do their thing by installing some sort of agent on the target machine that communicates with a central console. Being selfish with my system resources, I always ask myself, “How much RAM is this agent going to take up? How many CPU cycles will be allocated to managing my server?”

There are certainly pros and cons to both the agent-based and agent-less approach, but with all the interfaces out there like WMI, it amazes me that some products today still mess around with agents—but that’s just me. Longitude from Heroix immediately stood out from the rest of the pack, in my opinion, as there are no agents to install on the managed nodes. After breathing a huge sigh of relief, I dug around in the tool and found it makes for a great enterprise-level monitoring solution. Did I mention that it’s agent-less? I think you get the point, so let’s move on.

The Management Station is the central point of activity in Longitude. The entire platform is Web-driven: a Java-based application running on top of a Tomcat Web service. This means you can manage Longitude from anywhere just by contacting the Management Station through the browser, anywhere on your network or the Internet, if it’s properly configured.

RedmondRating
Documentation (20%): 8.0
Installation (20%): 9.0
Feature Set (20%): 8.0
Performance (20%): 7.0
Management (20%): 8.0
Overall Rating: 8.0
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

Secret Agent-less Man

The Management Station can passively connect to a number of operating systems and application platforms, such as Windows 2000, 2003, XP, Linux, HP-UX, SunOS, AIX, Oracle, SQL Server, MySQL, WebSphere, WebLogic, Apache, IIS and Exchange Server. One thing I love about Longitude’s approach is that it talks to systems over standard protocols and interfaces, including HTTP/HTTPS, WMI, SSH, REXEC, TELNET, JDBC, JMX and SNMP. In most cases, these interfaces are either available by default on the systems you’re going to be managing, or it’s not a big deal to install them. The point is that Longitude sticks to industry standards, which I certainly appreciate.

Now, there is an agent in the box, but it’s not for installing on the end nodes. It works more like a DHCP relay agent or a bridgehead node. The Management Station can direct the agent to collect statistical data from the remote managed systems and bring it back to the Management Station.

This method works well when crossing domain or platform barriers. You can configure security settings as tightly as necessary and still allow the appropriate level of data gathering. This is a great feature, as it lets you shape the data stream leading back to the Management Console in a more manageable fashion. When every machine reports directly to the Management Station, it can create a lot of parallel traffic over your network.

Figure 1. Color-coded displays give you a quick glance at factors like CPU performance and service availability.

Installing Longitude was almost obscenely easy. Just install the tool on your system and within a few short moments, you’re looking at the Longitude interface in your browser window. It’s easy to get going with Longitude, another aspect that improves its positioning among similar tools. With many utilities, you’ll have to spend time installing the tool and then rolling out the agents to manage your target population. With Longitude, you’re done in about 10 minutes.

One cool feature that’s not necessarily new—but is always worthy of mention—is correlated events. Essentially, you can set Longitude to flag an event based on a mixture of different event conditions. You might say, for example, “Alert me if Server 1’s CPU exceeds 90 percent and disk space falls below five percent availability.” You may not care if the processor goes over 90 percent by itself, but if that disk goes below five percent availability while the CPU is pegged you can have the system fire off an alert. To do so, you’d configure Event Conditions and tie them to your correlated event.

You can also use correlated events to customize reporting. For example, you can have the correlated event say that your project management group can’t work because their Web server carrying the PMIS is offline. You create the defined event and use the correlated event to shape it as needed.

Longitude lets you monitor events to keep you in line with your Service Level Agreements (SLAs). For example, if you agree that the database server will be available 99.9 percent of the time with only one percent of degraded performance, you can set the criteria for what is considered good and degraded performance. Longitude will happily trend to see if you’re meeting that requirement. This is nice because it takes the subjectivity out of the equation and gives you hard data by which to act on whether or not you’re meeting your SLAs.

Figure 2. The statistics dashboard shows performance data with several types of graphs.

Monitor More

Stepping up from version 3.0 to 4.0, Heroix added more infrastructure monitoring elements to Longitude. This means you can monitor things like Cisco routers, DHCP servers, Active Directory, HP Insight and Dell OpenManage. Longitude has a broad array of operating systems and applications it can manage. It seems the folks at Heroix are always adding to that list, given that the tool first rolled out in the Spring of 2005 and it’s already up to version 4.0.

A centerpiece to the new version of Longitude is the consolidation of event logs. A big concern for IT admins is mining through event logs to locate specific incidents. It’s a unique pain when you have to do that across numerous machines.

Longitude makes it easy to work through event log monitoring. It creates filters you can use to sort through irrelevant events and focus on the ones you need to see, regardless of the machine or platform on which the events happened. Having events from a Unix box alongside Windows events is a nice feature and truly unifies your system management efforts.

The only gotcha I could put a finger on with this tool is that it does like to have a bit more RAM and processor on the Management Station. It needs 1GB to install in production mode and a 2.4GHz processor is recommended. Nowadays, though, with hardware priced as it is, this really should be a non-issue for a current IT platform. Just know you can’t skimp on the machine you choose to run the Management Station.

Longitude relies on constant network connectivity to properly gather and report on system data. The only real drawback to a passive monitor is that if something prevents the machine from being monitored, like a network interruption, it will directly affect the statistical data being fed into Longitude. That being the case, Longitude probably isn’t as appropriate for monitoring across remote or temporary connections. Since it doesn’t use end-node agents, it can’t collect data unless the Management Station can see the node. You can tweak the sampling times in Longitude, but all things created equal, you can’t monitor what you can’t see.

Longitude is equipped with a nice array of reporting structures out of the box. You can run reports on an ad-hoc basis or on a schedule for specific applications, computers or departments based on how you’ve tagged the machines. You can create dashboards that let you watch what’s happening in near real time (the minimum is 10 seconds). I did notice, however, that this level of monitoring is highly performance-dependent, so if you’re short on resources, this might not function quite as well.

The Verdict

The fact that Heroix Longitude is agent-less is huge for me. In my opinion, that’s how a monitoring tool should operate. By not using agents, the monitored machines aren’t directly affected by the performance of the monitoring software.

The ability to create correlated events and reports and align to established SLAs lets you use Longitude to map to business expectations quite effectively. This level of visibility is available with very little intrusion or investment of time, which makes Longitude well suited for anyone needing a no-nonsense monitor.

Rick A. Butler, MCSE+I, is the director of Information Services for the United States Hang Gliding and Paragliding Association. You can reach him when he lands at [email protected].


ReaderReview Your turn to sound off on the latest Microsoft products

Vista Not Quite Compelling Enough—Yet Early users like Vista’s new interface and security improvements, but most are taking a “wait and see” approach.

By Joanne Cummings Vista has a lot going for it, say testers Microsoft Windows Vista and early users, especially with its slick $149 for Home/Standard Edition to $679 for the Ultimate Edition new Aero interface and numerous secu- Microsoft Corp. | 800-426-9400 | www.microsoft.com/vista rity improvements. However, most aren’t planning a large-scale rollout end, graphics-intensive PCs to support “You have to protect users from anytime soon. “Wait and see” is the its CAD software, so hardware themselves sometimes, because they prevailing wisdom. upgrades aren’t an issue. Drivers are, don’t read or think before they click,” Besides Vista’s lack of drivers, docu- however, since most of the company’s says Jonathan O’Brien, systems engi- mentation and compatible software— engineers need to use large-format neer and owner of Active IT Design snags common to any new operating printers. “Those drivers will probably LLC, a two-person consulting firm in system rollout—there are other reasons be the last ones upgraded,” he says. Fort Mill, S.C. O’Brien’s firm adminis- readers are hesitant to widely deploy ters Windows PCs and servers for sev- Vista right now. It will require signifi- Safe and Secure eral small business clients. “The user cant hardware upgrades and training Once there are compatible drivers and shouldn’t be doing a lot of those (see “Still Waiting,” p.22). They like software available, readers say they look actions [that kick off the UAC box],” he what they see so far, but they’re in no forward to moving to Vista to take says. “It may get annoying but I’d hurry to make the switch. advantage of the many new security rather have the operating system pop “We’re waiting to see if it’s worth the features. The most compelling among up and ask for confirmation than get all money,” says Scott Anderson, MCSE these are the new Group Policy fea- those Web search spyware popups.” tures and User Account Confirmation Others have found ways to turn off the (UAC) dialog box. 
UAC prompts, at least at their desktops. You can carry so much now on In Windows XP, every user is set up “I found the UAC confirmation boxes a little thumb drive that it’s as an administrator by default. This left to be ridiculously annoying, so I dis- most users unwittingly open to hacks abled those on my own system,” says getting pretty dangerous. and spyware downloads. If they clicked Barr. “If I made a change that required Jonathan O’Brien, Systems Engineer the wrong button, malicious programs confirming in a UAC box, it required and Owner, Active IT Design LLC inherited their system admin privileges that I make that confirmation every and lodged themselves deep within the time I made the same change. There and messaging administrator at a 2,500- operating system. was no stickiness to it and I found that seat state agency. He’s tested Vista, but Vista permits a greater degree of to be a real design problem.” found most of the agency’s applications granularity in terms of locking down While the UAC might leave a bit to are incompatible (besides Office, natu- the operating system. It lets most users be desired, other security features like rally). “In testing it seems great, but it’s run in “standard user” mode, so they the improved firewall definitely have his certainly not worthwhile to upgrade all can get at the features they need for interest, says Barr. “The new firewall our hardware right now. Maybe in six everyday computing. It also designates can block both incoming and outgoing months, if there are enough third-party a system administrator mode as well. traffic, so that’s a big improvement,” he vendor offerings that add enough value, When a user tries to download software says. “That’s something security experts Vista will be worth it.” or make other admin-level system have been hitting XP on for quite a Others agree that time is on their changes, Vista presents a UAC dialog while, so it’s good to see.” side. “From a corporate standpoint, box. 
Previously, that box just asked if Although the new firewall has both there is literally no compelling reason the user was sure they wanted to make inbound and outbound blocking for us to upgrade to Vista right now,” the change. Vista prompts them to capabilities, Barr cautions that out- says Dennis Barr, manager of IT at enter the admin-level password. If they bound blocking is turned off by Larkin Group Inc., an engineering firm don’t have that password, they can’t default. That will have to be set up in Kansas City, Mo. Larkin uses high- make the change. separately after installation.

| Redmondmag.com | Redmond | February 2007 | 21 0207red_ReaderRev21-23.v3 1/17/07 11:23 AM Page 22

ReaderReview

Another notable security feature is the integrated Windows Bitlocker Drive encryption, which enables users to encrypt their entire hard drive. “That will be big for a lot of companies that are afraid of data walking off their network,” O’Brien says. “You can carry so much now on a little thumb drive that it’s getting pretty dangerous.”

Vista makes life especially easy for Windows administrators, say readers. For example, O’Brien says he has set up event log subscriptions for the Vista PCs he manages. “I had been monitoring all my clients’ event logs on their workstations manually, but once they have Vista PCs, I can set up a subscription from my computer to 20 or 30 others, and those other computers will forward all their event logs to a special repository on my management station.”

The setup lets him monitor client PCs for warnings or critical events. “You can be very granular about what you want to forward,” he says. “You don’t have to forward print jobs if you don’t care how many times the person printed. You can just forward warnings, like hard drive errors and so on.” Rather than manually sifting through all the event logs, Vista also lets him filter out only those that are most important for him to see.

Others agree that the monitoring and event logs are much improved. “The resource monitoring and event handling are all much enhanced over XP, as are the Group Policy features,” Anderson says. “And that’s great, especially from an administrator point of view.”

Still, the lack of tools and documentation is holding some administrators back. “I’m just very annoyed with Microsoft,” Barr says. “They went ahead and released the Enterprise Edition of Vista in November well ahead of the retail version, but they didn’t finish the documentation for administrators.”

The same situation developed during the rollout of XP as well. “When XP first came out, if you were on Windows 2000 Professional and you had admin tools running on that, they wouldn’t run correctly on XP. And now, they’ve done the same thing with Vista Enterprise. They expect enterprise customers to move to Vista, but they don’t have the tools ready and they don’t have the documentation ready. It makes no sense.”

Still Waiting

There are still a handful of obstacles that may prevent people from rushing to roll out Vista:

• No drivers—Readers have yet to see Vista-compatible drivers hit the market. For example, Scott Anderson, MCSE and messaging administrator at a state agency, had some problems with printers. “We confirmed that the existing printer drivers just don’t work with Vista correctly,” he says. “The only one we got working was just the universal driver for our existing printers—the XP ones just won’t work.” Similarly, Jonathan O’Brien, systems engineer and owner of Active IT Design LLC in Fort Mill, S.C., says he had trouble getting Vista-compatible drivers for his HP scanner. “I couldn’t use my install CD, so I’ll have to wait for drivers from HP.” O’Brien says this is probably due to vendors waiting until Microsoft makes Vista generally available. Dennis Barr, manager of IT at Larkin Group Inc. in Kansas City, Mo., says he had trouble with his sound card, a Creative Labs Soundblaster HD card. It was supported in earlier betas and then dropped. “I had to go to the Creative Labs site and download and install an XP driver and run that in compatibility mode,” he says.
• No software—Most say the software they depend on is not yet Vista-compatible. For example, every application Anderson’s agency uses, aside from , is incompatible with Vista. O’Brien had trouble with QuickBooks 2005. “I had to jump through some hoops to get that running and now it’s warning me every time I start it up that it’s not compatible, but it seems to work fine,” he says.
• No documentation/tools—Just as when Microsoft rolled out XP, the Vista rollout came before compatible administration tools and complete documentation. “It’s very annoying,” Barr says.
• New hardware required—Most current systems will need memory and processor upgrades to run Vista well, especially the new Aero Glass interface, which requires a special graphics card.
• Training required—Though Vista is not that difficult to use, it will require some training and end-user education, especially in large organizations. That must be budgeted up front, as well. —J.C.

Cool Interface

The first change most users will notice in Vista is the new Aero Glass interface. This redesigned interface uses high-end 3-D graphics and see-through panes to provide a state-of-the-art navigation experience.

Unfortunately, you’ll have to upgrade most of your desktops to support Aero Glass. It requires a Longhorn Display Driver Model (LDDM) graphics card, a lot of memory (64MB minimum, 128MB recommended) and complete DirectX 9 API support. If you can’t swing those upgrades, however, Vista will still run with a stripped-down Basic version of the interface.

The new interface is sleek and fun to use, say early users. “The interface is pretty slick. It’s nice, and it’s pretty,” O’Brien says, “but I had to buy a new computer to run it. I was running a Dell that was about a year and half old, and Vista did not like my video card.


Even though I had a fairly decent NVIDIA card with 128MB of RAM in it, it was crashing every few minutes. So if you want the new Aero interface, you’ll probably need new hardware.”

Others say they haven’t found the hardware requirements that onerous. “I’ve been running Vista on a 1.4GHz Athlon with 1GB of RAM, which is far from the desired platform,” Barr says. “I’m running the Aero interface with flip 3-D and all that stuff and it runs acceptably. It’s not terribly fast, but I can use it productively. If you have something that’s two or three years old, and you’ve expanded the RAM to at least 1GB, I think almost anything could run Vista.”

The new interface is decidedly different from XP, but it shouldn’t be that difficult for users to pick up. Still, it may require some training. “It will require some training dollars and some user education, which we just don’t have in the budget right now,” Anderson says. “It’s more than a little bit of a learning curve, especially when you throw in the new version of Office all at the same time.”

The biggest change most users have found is Vista’s reliance on search as a navigation tool. “For years, I’ve worked to educate our users on proper file organization,” Larkin’s Barr says. “Now it seems Microsoft is saying that’s no longer relevant. Search is the new paradigm for locating things in Vista.”

That reliance on search is even built into the architecture, says Barr. “Even in the Start menu, search is supposed to be the mode in which you access an application. I like to organize my start menu so I know where applications are and I don’t have to search for them, but Vista makes it incredibly difficult to organize the start menu.”

When Barr complained about the new reliance on search and the lack of an up arrow for navigating menus, a Microsoft employee told him that once he’d used search for a few months, he’d come around. “That was tremendously condescending,” he says.

Others agree the navigation is a bit funky, noting that program icons now populate the top of the start menu, with files and folders beneath. “There used to be a button you could right click and say ‘Sort by name’ to alphabetize everything, and now it’s just like that by default,” O’Brien says. “If you try and drag some folders around the , they won’t move, although that’s not too annoying.” He does like the new search, however, and uses it primarily for e-mail.

Good, Not Great

After using it for a month or so, O’Brien says Vista is good, but not great. “Nothing glaring jumps out as being either bad or a must-have,” he says. Once it becomes more widely used, however, its value will grow. “Once a lot of my clients have Vista, I’ll have a lot more control and gain all these new admin features,” he says. “But getting all my customers on Vista will probably take another two to four years—probably by the time they come out with the next version of Windows.” —

Joanne Cummings is a freelance technology journalist. You can reach her at [email protected].

RedmondRoundup

Web-Filtering: Deal or No Deal? It’s a Web-savvy world out there, so getting the most out of any solution will require vigilance on your part.

By Bill Heldman

Most Web-savvy kids know more about gaming sites, relationship sites, chat rooms, illegal downloading and hacker sites than I’ll ever know. I teach computer science to 17- and 18-year-olds, so I see what they do. They’re always surfing the Web to avoid the real stuff I’m trying to teach them.

In a previous life as an enterprise network administrator, I had a vested interest in keeping people away from Web sites they shouldn’t be visiting. Web-filtering software was in its infancy in the late 1990s, so it wasn’t all that effective.

Surely, it must have gotten better by now, with clever new ways of restricting access based upon policies, AD membership, IP addresses and other novel approaches to segmenting, isolating and categorizing groups. Here, we’ve tested some of the latest and greatest to check in on the state of the art.

In This Roundup

• Websense Web Security Suite: Pricing starts at $33 per user/per year. Websense Inc. | 858-320-8000 | www.websense.com
• SurfControl Web Filter: Pricing starts at $18 per user/per year (plus $22.05 per user for annual database subscription). SurfControl plc | 831-440-2500 | www.surfcontrol.com
• SmartFilter: Pricing starts at $27.95 per user/per year (based on 50 users). Secure Computing Corp. | 408-979-6100 | www.securecomputing.com

RedmondRating

| Criterion (weight) | Websense Web Security Suite | SurfControl Web Filter | Secure Computing SmartFilter |
|---|---|---|---|
| Documentation (10%) | 6.0 | 7.0 | 6.0 |
| Installation (20%) | 8.0 | 8.0 | 6.0 |
| Feature Set (20%) | 8.0 | 8.0 | 7.0 |
| Performance (20%) | 3.0 | 6.0 | 3.0 |
| Management (10%) | 8.0 | 8.0 | 7.0 |
| Filter Updates (20%) | 7.0 | 7.0 | 7.0 |
| Overall Rating | 6.6 | 7.3 | 6.0 |

Key: 1: Virtually inoperable or nonexistent | 5: Average, performs adequately | 10: Exceptional

Websense Web Security Suite

Websense Web Security Suite is first up in our test. The download for this well-known solution was massive. The installation was straightforward but intense. At one point, it issued a stern warning: “Do not hit the Finish button.” Heed that installation warning. I jumped the gun and found that it really had not finished. Click the Finish button only after it notifies you it’s done installing.

Once Websense was fully installed, the program required another 400MB or so to download the URL filter database. The idea is that you not only filter for specific keywords and patterns, but also for known bad URLs. You’ll have to have the URL database updated periodically so that Websense can watch for the latest and greatest set of blocked URLs in place.

Websense gives you a nice, granular view of your filtered groups (called category sets in Websense). Once the filter list was current, I did some cursory testing and left for the day. I felt quite confident that none of my kids would be able to hit any of the sites I had been trying to block.

The next day, I came in to find a bunch of irritated kids. They couldn’t get to MySpace or the WOW sites, run their Trillian IM client or even get out to Yahoo mail—just what I was hoping for. I checked back in about an hour later, certain that they’d still be grumpy. There they were, happily working and surfing away.

The following morning we had a little “How we hacked Websense” session. Come to find out, there have been quite a few well-known workarounds for “Websense censorware.” The kids found a convenient tool that let them get back online within 10 minutes of the morning bell.

A “proxy-avoidance” site called Toonel.org was responsible for helping the kids break through. They simply downloaded the Toonel client component, installed it on their computers and thumbed their noses at Websense.


When I notified Websense about the situation, they responded with this: “Websense Client Policy Manager [CPM] and Websense Web Security Suite - Lockdown Edition are capable of blocking applications like this. We’ve added this particular program to our application database as proxy avoidance and our application filtering will now pick this up and prevent the launch of the program. Also, before we categorized the application, it could have been blocked if a customer was using CPM or Websense Security Suite - Lockdown Edition to block uncategorized applications. Using CPM or Websense Web Security Suite - Lockdown Edition is part of a layered approach to security that provides protection at the gateway, network and in this case at the endpoint. Alternatively, using our reporting tools, the network administrator could see which machines had gone to the proxy avoidance site and then remove the applications from those users.”

When I talked to Websense representatives, I was told that a lot of the hacks Websense finds out about are discovered by kids. No surprise there. It seems like it would make sense for Websense to proactively try to head off potential threats.

For those machines that already had the Toonel client on board, the Websense database update was ineffective. Each machine had to have the client individually removed. Interestingly, Toonel did not work on the Vista machines. Toonel uses the loopback adapter address and port 8080 as a proxy avoidance mechanism.

The long and short of it is that I liked Websense for its ease of installation and configuration, and its relatively intuitive administrative interface. There were times when I wanted to specifically lock out one URL but had a hard time determining the category set to which the URL belonged. Also, I modified the block page that shows up when someone tries to hit a blocked Web site, but my modifications never appeared.

Also, it appears that Websense is written primarily, if not entirely, in Java. I’m not a huge Java fan, because I think it’s too big of a CPU hog. Websense would be better if it was written in .NET code and we could avoid the baggage Java brings to Windows servers.

It was somewhat alarming for me to see how quickly someone on a mission could get past the filter. This points to how proactive security admins have to be, but also brings to the forefront the immensity of the problem that Web-filtering software tries to solve. Where there’s a will, there’s a way.

Figure 1. Websense has an intuitive interface and configuration dashboard through which you can control what it will filter and permit.

Figure 2. Websense describes its groups of filtered Web sites as Category sets, and gives you granular control within those sets.

SurfControl Web Filter

The SurfControl installation process follows a nicely built wizard. It easily interfaces with Active Directory and gets right to work. The product uses SQL Server for its database and can install the Express Edition if you don’t have a copy of SQL running locally.

I ran into problems when I tried to install SurfControl on one box and then point it to SQL Server 2005 running on a different computer. I tried it twice, and in both cases SurfControl got through configuration but then the services refused to start. I’ve never been a fan of using across-the-net SQL installations anyway, so I bagged the dual-machine installation and went to the computer actually running SQL Server. That installation went fine.

On another machine, I took up SurfControl’s offer of installing Express Edition. I expected the software to be residing locally, waiting for installation, but it was natively bundled into the SurfControl installation package.

The filtering database is set to automatically download. This is sweet, fast .NET code that runs swift and well. The progress bar displays behind the SurfControl configuration window, so while you’re downloading the filter database you can’t really tell what the program is doing. That’s just a minor annoyance, though.

SurfControl is easy to install, configure and run. However, I ran into an issue I couldn’t easily overcome in my test configurations. While there is a stand-alone Windows version of SurfControl, it needs a downstream enterprise-class firewall to proactively block users. But what if you are just doing a little workgroup blocking and you don’t have any local firewalls? What if you are relying on the corporate firewalls to keep you safe?

SurfControl’s support staff told me I had to have all of my nodes on a hub, or attached to a switch that was capable of promiscuously loading the ports. Even though my classroom users are behind a workgroup-class “firewall” (the $69 kind that also does DHCP and some poor-man’s URL blocking), I could not get SurfControl to work correctly.

In a previous job as a server admin, we ran SurfControl and liked it a lot. It worked well and kept folks out of trouble. I’ve always been a big fan of the product. On the other hand, using SurfControl is a moderately expensive proposition—especially when you consider that you’ll also need an ISA box to actually do any Web-filtering. Additionally, I found that the customer support experience could have been better.

Overall, I’m impressed with the way the code installs and runs—now if it would just block a user or two in stand-alone mode.

Figure 3. SurfControl Web filter works with Active Directory, and installs through an easy-to-use wizard.

Figure 4. SurfControl lets you select the rules by which it will evaluate and filter suspect Web sites.


Secure Computing SmartFilter

SmartFilter has myriad installation possibilities. Want to run it against a Cisco Pix or on a Sun Java Server? No problem.

SmartFilter very definitely wants to see a firewall as a partner in its operations, though. There’s no stand-alone version here. There are more details on firewall installations and OEM partners that SmartFilter supports on the Secure Computing Web site.

I chose to download and evaluate SmartFilter over Internet Security and Acceleration (ISA) Server 2004—one of my mistakes in the evaluation process. Even though I created a valid “Allow All” firewall policy, try as I might, I could not hit the Internet using the ISA box as a proxy. I went through the standard Microsoft TechNet “To fix this problem download and install ISA 2004 SP1” stuff on the TechNet Web site. This did nothing to fix the problem. The SmartFilter software itself installed just fine, making itself an add-in to ISA. The trouble was with ISA.

Figure 5. Secure Computing’s SmartFilter runs as a plug-in to Microsoft’s Internet Security and Acceleration Server 2004, but not as a stand-alone filter.


I was very impressed with the product’s download and installation, though I would have preferred a stand-alone version instead of having to fight ISA. Why can’t someone just invent a practical Web-filtering program that doesn’t require the extra time and brain-cycles of a production-class firewall? I don’t get it. Let me make my DHCP configuration option adjustments to point them to the box, let it use NAT, whatever.

We use the SmartFilter BESS edition—a Children’s Internet Protection Act (CIPA)-compliant version of SmartFilter specifically developed for schools—in my school district. The kids were quick to tell me that they could easily get past BESS, but it turned out that they were using a password which had been given to them by someone who must have gotten tired of them complaining about not being able to hit their Gmail and MySpace sites.

From a cost standpoint, SmartFilter is much more reasonable than Websense or SurfControl. Also, the customer support from Secure Computing was excellent. One of the cooler features of filtering products that SmartFilter provides is to let you grant temporary access so people can bypass filtering while they quickly view a site.

Figure 6. Make sure you have ISA Server running and properly configured before you try to install SmartFilter to run alongside.

Parting Notes

These days, creating and updating new URL filter lists on a regular basis is no longer an effective model. There are too many Web sites out there and too many variables to lend serious credibility to that methodology.

What if I forget to download the file? What if my server can’t connect to the Internet at file-retrieval time? What if there are all sorts of different ways to get at the content without the filter server knowing about it? Where there’s a will—there’s a way. If someone wants to hack the filter badly enough and has the right technological skills, they’re going to get it done.

If you’re seriously considering Web-filtering software, recognize that you’ll have to make a big investment in the architecture and be extremely proactive about testing and reporting workarounds. Ultimately, you’ll need to be prepared to block everyone from the casual Web surfers in marketing to the hard core propeller-heads in programming.—

Bill Heldman ([email protected]) is an instructor at Warren Tech, a career and technical education high school in Lakewood, Colo. He is a contributor to Redmond and MCP Magazine, plus several books for Sybex, including CompTIA IT Project+ Study Guide.

Complex Cure for a Complex World

For those of you who don’t believe in getting a thorough education in Web-filtering software, instead choosing to just plunge forward hoping that the wizard will walk you through to harmonious completion, you would be well advised to do your homework first.

This class of software has gone through a series of improvements and now rivals the cockpit of the space shuttle in terms of complexity and capability. The current raft of software slices, dices, makes Julienne fries and cleans the kitchen afterward.

By that I mean that some Web-filtering security packages include protection against the so-called zero-day threat. Zero-day is that period of time when a threat has been introduced, but the security software folks aren’t aware of it and thus haven’t prepared any eradication, containment, curtailment or quarantine methodology.

The idea is that there is detection code built into the product that helps it determine there is unusual activity going on, presume that it’s malicious and take steps to do something about it. In addition to zero-day monitoring, Websense Client Policy Manager (CPM) helps with other security issues like spyware, peer-to-peer threats, virus outbreaks and IM hacks. The other filtering companies reviewed here also have similar capabilities. —B.H.


Laying the Groundwork for


Vista will be a complex installation, but there are a handful of tools that can help ease your pain.

By Rhonda Layfield

By now you’ve certainly heard the news—Vista is ready. The question is, are you ready for Vista?

You’ll have to make a number of decisions before you actually begin deploying Vista. Will you upgrade your existing machines or purchase new machines? What about application compatibility with Vista? And how do you actually plan to deploy Vista?

Among all the major releases coming out of Redmond these days, none will likely have the impact of Vista. There is help, though. Vista’s new deployment technologies can make rolling out Vista far easier than Microsoft’s desktop operating systems of the past. But even with these new deployment technologies, there is still a bit of a learning curve to fully understanding them and using them to their best advantage. Here we’ll take a 10,000-foot view of these technologies to help you formulate your deployment plan.

Microsoft has developed two sets of tools to help out with your Vista deployment: the Business Desktop Deployment 2007 (BDD 2007) tool and the Windows Automated Installation Kit (WAIK). Both the BDD and WAIK are free downloads from Microsoft. You can install them on Windows XP, 2000 or Server 2003 operating systems.

You’ll need both the .NET Framework 2.0 and MSXML 6.0, however, before you can install either of them. The primary difference between the two is that the BDD includes additional scheduling tools (as well as everything that comes with the WAIK) to help you plan and manage your rollout.

Get Ready, Get Set ...

Before you even get that far though, you have some homework to do in advance. Microsoft has also developed a couple of new tools to help you determine whether your existing machines and applications are ready for Vista.

The first is the Windows Vista Readiness Assessment (WVRA) tool. This is designed to help you quickly identify which of your machines are Vista-ready and which are not. It can also create a list of recommendations to help you get them ready.

The second indispensable tool is the Application Compatibility Toolkit 5.0 (ACT 5.0). ACT 5.0 inventories and analyzes any applications you have currently installed to identify potential compatibility issues in advance and deploy solution packages to help your applications run smoothly in the Vista environment.

To use ACT 5.0, you’ll need a SQL database and the .NET Framework 1.1. Two of Vista’s interesting new technologies—Bitlocker and Windows Recovery Environment—require a separate 1.5GB partition, distinct from the operating system partition. Once you’ve loaded and run these tools, you’ll know how well your environment is ready to receive Vista.

Vista upgrades over previously installed operating systems can be considerably more complex than installing to an empty or just-wiped hard disk (Vista upgrades may be the subject of a future piece), so we’ll focus on the so-called “bare metal” installations. To smoothly install Vista, Microsoft has a new imaging technology called the Windows Imaging Format. This uses Windows Image files (.WIM files) and is file-based versus sector-based.

This is important because in the past, sector-based images—like files created by Symantec’s popular Ghost tool—required that both the computer upon which you created the image and the target computer upon which you planned to install the image had to have the same hardware abstraction layer (HAL) and mass-storage device.

Another limitation of sector-based images is that those images can be difficult, if not impossible, to modify. So if you wanted to add a new application, device driver, patch or service pack after you had created an initial image, you most likely had to create an entirely new image.

Ready to Roll

There are two distinct phases to installing Vista on a bare metal machine. In phase one, you’ll boot the target machine. Then, in phase two, you’ll install the Vista operating system.

ILLUSTRATION BY RYAN ETTER

Windows Vista

To accomplish phase one, you either boot the bare metal machine from the Vista product DVD, boot it from a Pre-Installation Execution Environment (PXE) on a Windows Deployment Server (WDS—the replacement for Remote Installation Services) or boot to a Windows Pre-Installation Environment (WinPE). The type of boot you choose for the target machine will determine the options available for phase two when you’ll actually install Vista:

Vista Product DVD—This will let you install Vista on a small number of machines via an interactive installation routine. You boot the target machine from the Vista product DVD and automatically launch Setup.exe (Setup.exe replaces winnt32.exe). Simply answer the setup questions and you’re done.

PXE Boot—A PXE boot connects the bare metal machine to a Windows Deployment Service (WDS) server. You initiate a PXE boot by pressing F12 when prompted during the boot sequence (but don’t blink or you might miss it). The purpose of the WDS server is to store Vista images for PXE clients to download across the network.

WinPE Boot—Microsoft designed WinPE to boot a scaled down 32-bit version of Windows that can easily fit on a CD, DVD or USB flash device. Previously, WinPE was only available to Software Assurance customers, but now it’s available to anyone. This scaled down version of Windows offers a command prompt interface with limited functionality.

You can boot your target machine with the default WinPE (boot.wim) found on the Vista product DVD in the \sources folder, or create a custom WinPE using copype.cmd, peimg.exe, imagex.exe and oscdimg.exe.

If you create a custom WinPE, you can then include additional tools and applications while you’re booted in your WinPE. It’s a good idea to keep the size of your WinPE small, however, as the more you add to it, the longer it will take to boot the machine. You don’t want to add more than you can load into the target machines’ RAM, or the boot may never even happen.

There are a couple of caveats to using the WinPE approach. It wasn’t designed to run as an operating system, so it reboots every 72 hours. Also, if you close WinPE’s command-prompt interface, the system will reboot.

Install Time

Now that you’ve booted the target machine, it’s time to actually begin installing Vista. Much like the pre-deployment and boot sequence, you have several options for installing Vista. You can install from the Vista Product DVD, from a network share or a WDS Server.

Regardless of the installation method you choose, installing Vista requires that you create an installation image. Vista’s new imaging technology comes with a default installation image called install.wim. You’ll find it on the Windows Vista Product DVD in the \sources folder. You can also create a custom image file that contains all your applications and third-party device drivers with tools you’ll find in the BDD 2007 or WAIK.

Figure 1. The Windows System Image Manager (WSIM) lets you configure individual components.

Figure 2. Vista’s new display lists domain and system information to help with maintenance and troubleshooting.

Creating a custom Vista image requires a master machine. Setting up a master machine is as easy as one, two, three:

1. Install Vista and any applications or additional software that you’d like to include in your image.

2. Run /Generalize at the command prompt to remove all of the unique computer information (like the computer’s SID and name). Then boot the master machine to a WinPE.
3. Capture the image. You have three methods with which to capture the installation image: the command line utility imagex.exe with the /capture switch, WDSCapture.exe (GUI version of imagex.exe /capture) from the command line, or WDSCapture from a WDS server.

Let’s look at imagex.exe first. Using the following command assumes you’ve installed Vista on the C: partition (on the master machine), that the image will be named Vista.wim and that it’s stored locally on the C: partition with a description of “C Drive”:

    imagex /capture C: C:\Vista.wim "C Drive"

WDSCapture.exe is the graphical equivalent of imagex.exe /capture. It launches a wizard that asks all the pertinent questions and creates a .wim image. You can run both imagex and WDSCapture from a WinPE (though you have to include imagex.exe in your custom WinPE, as it isn’t there by default).

You can also run WDSCapture from a WDS server, but you’ll have to take a few extra setup steps. First, create a special type of WinPE called a “Capture Boot Program” on the WDS server. Once again, you’ll use the master machine you created earlier, and boot to a PXE. The WDS server will provide a list of images, including the Capture Boot Program you created on the WDS server. The master machine then boots the Capture Boot Program, which is really just a special WinPE that automatically launches WDSCapture.exe. Once you’ve created an image file, you can store it on a set of CDs, a DVD, a WDS server or a network share.

Figure 3. The built-in is an extremely useful addition to Vista.

Figure 4. You can boot a bare metal machine with a PXE boot to connect to a deployment server.

Figure 5. Another resource-intensive aspect of the new interface is the multiple transparent windows.

Figure 6. Windows Deployment Services is used to create system images for rollout.

Consistency Is Key

Whether you’re deploying Vista to 20 or 20,000 machines, answering the same questions over and over again gets old. Let’s face it—sometimes you can’t help but answer the questions differently from one machine to the next. This can create a potentially unstable and inconsistent Vista installation.

The Setup Manager used to guide you through this process. Now there’s the Windows System Image Manager (WSIM). This new tool creates .xml files with all the answers to those setup questions. The .xml files created by WSIM are called, appropriately enough, answer files.

If you’ve worked with answer files before, you may be thinking, “Answer files aren’t new. They have been around for years.” Not these answer files. These are new and improved. The new .xml answer files not only answer all the setup questions identically, but also let you add device drivers and third-party applications to your Vista installations.

Answer files also contain Components and Packages. To understand components you need to first understand the Vista installation process. A Vista installation is performed in stages and certain configuration parameters are applied in each stage. These stages are called “Configuration Passes” and there are a total of seven, although not all passes are needed for an installation.

It’s important to add components to the appropriate configuration pass. For example, partitioning and formatting a hard drive are performed in the first configuration—WindowsPE. Imagine if you formatted the installation partition in the last pass instead of the first. You would’ve just wiped out your new Vista installation.

Creating an answer file in WSIM is a simple process. Just add the component to your answer file, highlight the component in the answer file and configure the component in the properties pane. There’s so much to this tool that it could fill an entire separate article. Look for step-by-step instructions for each of these tools next month and in upcoming articles. —

Figure 7. The new Aero Glass interface is among the most visible of Vista’s improvements, but you’ll most likely need to upgrade your systems to be able to use it.

Figure 8. You can also use a WinPE boot to get Vista going on certain systems.

Rhonda Layfield, MCT, NT/2000/2003 MCSE, MCSE: Security, is a consultant and trainer. Her clients include Dow Jones, the U.S. Air Force, IBM and EDS.
Reach her at [email protected].
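The configuration-pass rule described in this article can be checked mechanically before an answer file is used for deployment. The script below is an added example, not code from the article or from Microsoft: the sample answer files are constructed, and treating DiskConfiguration as the only disk-altering setting is an assumption.

```python
import xml.etree.ElementTree as ET

# Namespace used by Vista .xml answer files.
NS = {"u": "urn:schemas-microsoft-com:unattend"}

# The seven configuration passes.
KNOWN_PASSES = {
    "windowsPE", "offlineServicing", "generalize", "specialize",
    "auditSystem", "auditUser", "oobeSystem",
}

# Partitioning and formatting belong in the first pass only.
DISK_PASS = "windowsPE"
DISK_ELEMENTS = {"DiskConfiguration"}  # assumption: the only setting checked here

# Constructed sample: disk layout in windowsPE, first-boot settings in oobeSystem.
GOOD = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86">
      <DiskConfiguration>
        <Disk>
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition>
              <Order>1</Order><Type>Primary</Type><Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
        </Disk>
      </DiskConfiguration>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <OOBE><HideEULAPage>true</HideEULAPage></OOBE>
    </component>
  </settings>
</unattend>"""

# Constructed failure cases: disk wipe moved to the last pass, and a mistyped pass name.
MISPLACED = GOOD.replace('pass="windowsPE"', 'pass="oobeSystem"', 1)
TYPO = GOOD.replace('pass="oobeSystem"', 'pass="oobe"')


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def components_by_pass(xml_text):
    """Return {pass name: [component names]} in document order."""
    result = {}
    root = ET.fromstring(xml_text)
    for settings in root.findall("u:settings", NS):
        names = [c.get("name") for c in settings.findall("u:component", NS)]
        result.setdefault(settings.get("pass", ""), []).extend(names)
    return result


def lint_answer_file(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    root = ET.fromstring(xml_text)
    for settings in root.findall("u:settings", NS):
        pass_name = settings.get("pass", "")
        if pass_name not in KNOWN_PASSES:
            findings.append(f"unknown configuration pass {pass_name!r}")
        for comp in settings.findall("u:component", NS):
            for elem in comp.iter():
                name = _local(elem.tag)
                if name in DISK_ELEMENTS and pass_name != DISK_PASS:
                    findings.append(
                        f"{comp.get('name')}: {name} in pass {pass_name!r}, "
                        f"expected {DISK_PASS!r}"
                    )
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("misplaced", MISPLACED), ("typo", TYPO)):
        print(label, lint_answer_file(sample) or "OK")
```

A misplaced disk configuration is the destructive case the article warns about; the unknown-pass check catches hand-edited files whose settings would never be matched to a real pass.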


Will Vista’s New Look Attract Developers?

Adoption of Windows Presentation Foundation key to delivery of 3-D applications.

By Ed Scannell

While Microsoft has shipped the final version of Vista for business users and developers, it remains to be seen if the beauty of the long-awaited operating system’s Aero graphical interface goes more than skin deep.

What will help make that determination will be the level of acceptance by developers of Vista’s underlying Windows Presentation Foundation (WPF) graphics subsystem, formerly code-named Avalon. With its ability to allow developers to create applications that blend 3-D graphics, animation and video all under one programming roof, as well as its promise of helping application designers and developers collaborate more effectively, WPF’s potential appears great.

But it could take the majority of developers a couple of years to first buy into it and then deliver the goods. While Microsoft officials guesstimate that more than half of its 1,200 or so early adopters are actively engaged in creating applications that fully exploit the splashy graphics of Aero, many other developers say their first Vista applications will focus on compatibility and stability. The pretty interfaces can wait, they say, for the second release of those applications over the next couple of years.

“I think for the most part you will find people will start exploiting the GUI of Vista on the second release of their Vista apps. From the developers we talk to, Vista’s not going to be a big part of the market in the first half of 2007,” says Richard Rabins, president of Alpha Software Inc., a desktop database developer in Burlington, Mass.

“I really like Vista—it’s the best Windows I’ve had. It’s stable and secure and I have no issues with things like the User Account Control. But the GUI stuff is not high on my list based on what sort of applications we do,” says Phil Stanhope, vice president of technology for Adesso Systems Inc., makers of a development environment for creating applications with inherent distributed capabilities. “If I were doing gaming or entertainment software I might feel more urgency,” he says.

Another factor that could throw a handful of nails in Vista’s path is the learning curve third-party developers and IT shops must climb before it gains broad adoption, according to some industry observers. The advance in graphics technology between Windows XP and Vista represents the biggest delta in Windows since the transition from Windows 3.1 to Windows 95, they believe.

“Vista’s graphical user interface behavior will be a disruptive factor not only for developers who need to learn how to write for it and administrators who need to learn how to manage it, but for users who will need to learn how to work with it. The sooner people start to climb it, the sooner they will get over it,” says Will Zachmann, president of Canopus Research in Duxbury, Mass.

Bright Future

At least one skeptical analyst has changed his mind about the impact Vista’s new graphical capabilities might have on the application development community. In a recent report, appropriately entitled “Okay, I Get It: Vista’s a Cool Application Platform,” Forrester Research Inc.’s Ted Shadler said he believes most developers will commit resources to delivering exploitive applications.

“Vista won’t immediately convince consumers to upgrade their computers. However, it’s now clear that smart application developers and technology product marketers will build killer applications using Vista’s advanced graphics and communications technology. The New York Times’ Times Reader is the first such application that we have seen,” Shadler wrote.

Applications expected over the short term that exploit WPF are few and far between, but they are starting to appear. Besides the New York Times Reader, expected to be available in this year’s first quarter, two other major ISVs have promised applications and technologies exploiting Vista’s graphical capabilities, including Autodesk Inc. and SolidWorks Corp.

Autodesk has signed a deal to jointly work with Microsoft on integrating its DWF technology with Vista using the XML Paper Specification (XPS), which allows users to view and manage detail-rich design information without the need to download plug-ins. XPS allows CAD users to collaborate with other team members more productively by making Vista’s built-in searching capabilities more accessible, according to Autodesk officials.

Figure 1. Autodesk collaborated with Microsoft to integrate its DWF technology with Vista using the XML Paper Specification ...

Figure 2. ... So users can view and manage detail-rich design information without plug-ins.

SolidWorks has already shipped what it believes is the first 3-D CAD application for Vista that takes advantage of Vista’s graphics capabilities to enhance visual interaction, company officials said.

Microsoft officials, of course, contend WPF will be broadly successful because it’s built from the ground up to serve as more than just eye candy. They are steadfast in their view that the new graphics features developers can weave into enterprise-level applications will result in real productivity gains.

“We think we are delivering a set of new technologies here that allow IT shops and ISVs to build apps across the entire enterprise that can increase the overall productivity of all those workers. The information workers who hunger most for information and data visualization will be the first to embrace them,” says Tom Caputo, Microsoft’s group product manager for the Windows Vista Partner Team.

Tim O’Brien, director of the Platform Strategy Group at Microsoft, says nearly 2,000 applications have been registered in the Vista Early Adopter Program, half of which are expected to be available by the end of February. With Vista, he says, ISVs should be able to take advantage of richer functionality to move their existing applications forward, as well as build new software.

“These features are what we call .NET 3.0 from a development standpoint,” says O’Brien, explaining that .NET 3.0 finally unites the triumvirate of Windows Communication Foundation (WCF) subsystem, Windows Presentation Foundation (WPF) graphics subsystem and Windows Workflow Foundation for building customized workflows.

O’Brien notes that because the .NET 3.0 capabilities can reach down to the Windows XP level, developers can broaden the audience they are selling to. “This can make for an interesting value proposition for ISVs looking to tap into demand for Vista,” he adds.

Lag Time

While many ISVs praise the work Microsoft has done with WPF, some say it could be at least another six to eight months before Microsoft delivers the finished versions of all the development tools needed for the technology to realize its full potential. Most importantly, the company needs to deliver WPF support for Visual Studio.

“There’s a good news-bad news angle to all this. The good news is the plumbing for WPF is there and working very well. The bad news is, as is typical of Microsoft, the tools are lagging several months behind the plumbing so the full capabilities are not there yet,” says Tim Huckaby, CEO of InterKnowlogy Inc., specialists in systems and application architecture and design based in Carlsbad, Calif.

Figure 3. SolidWorks for Windows Vista is the first available 3-D CAD application for Vista, according to company officials.

Huckaby’s firm is working with The Scripps Research Institute on developing a Vista-based application to further cancer research. Over the past few months he’s given a raft of demonstrations showing off the application’s sophisticated use of 3-D graphics, which have drawn immediate enthusiasm from developers. That enthusiasm quickly subsides, however, when they realize not all the tools are in place yet.

“I have done the demo to many technical audiences showing them what is underneath the hood. They’ll say, ‘I want to take that home and do something like that in 3-D.’ Then they flail at it for six hours and get angry because the [tools] support just isn’t there,” Huckaby says.

The other critical advantage WPF promises is a cohesive framework in which corporate application designers and developers can collaborate more effectively. In most development environments today, designers hand developers a blueprint for what they want an application to do and how it should look. Too often developers do not have the tools to build what the blueprint calls for. Typically, what results is a hybrid application—a cross between what designers wanted and the best developers could do.

“One of the biggest challenges of software development has been designers creating compelling user interfaces and then handing them over to developers, and developers saying, ‘Well, that’s cool-looking but it’s hard for me to wire that all up.’ The disconnect between the two groups has resulted in sub-optimal apps,” Caputo says.

But in the WPF Microsoft has given designers the ability to export their designs to developers through the Extensible Application Markup Language (XAML), which is also incorporated into the company’s primary set of development tools, Visual Studio.

“Instead of designers just throwing some Photoshop file over the wall to developers, that they [then] have to recreate as best they can in Visual Studio, developers can now get something with a slick UI. [Developers] can also wire up the appropriate business logic to those elements the designers have in place,” Caputo says.

Help appears to be on the way. In late December Microsoft delivered the first betas of four components in its new Expression Studio user experience design and development suite, with plans to ship the remaining three in the second quarter. The objective of all four releases is to make it possible for developers and designers to work together more seamlessly by producing tools that both groups can use collaboratively.

Also in late December the company delivered the first community technology preview (CTP) of what it’s now calling the “Windows Presentation Foundation Everywhere.” WPF/E is meant to provide a cross-platform browser plug-in for delivering media, animation and video content based on Windows Media. The underlying code generated by the Expression design tools is XAML.

“When we engineer types finally get these finished tools, we can work with the black turtlenecks [designers]. Two of the six tools in the Expression series are targeted at the black turtlenecks that will let them do their designs in Visual Studio. The bigger question is, ‘Will we be able to pry them off the Adobe type products they love so much?’” says InterKnowlogy’s Huckaby.

Ed Scannell is the editor of Redmond magazine. Reach him at [email protected].

Google’s Descendants

Innovative Web 2.0 firms are storming the next IT battleground.

By Carolyn A. April

If all the Web 2.0 hype has you bathed in skepticism, consider for a moment the success of a company like Zimbra Inc.

Backed by $31 million in venture capital, Zimbra developed an open-source, AJAX-fueled messaging and collaboration suite called Zimbra Collaboration Suite 4.0. The company spent most of its first three years in stealth mode, rolling out the Web-based suite to customers in February 2006.

Sales have been brisk. In its first three quarters in the marketplace, Zimbra sold four million mailboxes at an average price of between $18 and $35 per mailbox per year. That’s cheaper than the Microsoft Exchange/Outlook duo, but exactly what the company’s predominantly SMB, services provider and education market customers had been craving. Not too shabby for having just come out of the gates.

“We believe that for Web-based offerings for business we are two years ahead of what’s out there,” contends Satish Dharmaraj, co-founder and CEO of Zimbra, which is based in San Mateo, Calif., and counts as its CTO former WebLogic and BEA bigwig Scott Dietzen. “It’s a tremendous opportunity that’s emboldened us and been a large confidence booster.”

The Armies Amass

You won’t find confidence in short supply in this next wave of software providers. Zimbra is just one of a crop of upstarts seemingly cut from the same Web-based cloth as Google and ready to put a little scare into the folks at Microsoft. Much like the dotcom class of the mid-’90s, the culture at these companies is nimble, innovative, smart and decidedly uncorporate, even by software industry standards. They’re also bent on growth and not afraid to take on the 800-pound gorillas in the traditional software industry.

Even Google, clearly the one to follow today with its own cache of online applications from Gmail to Google Docs & Spreadsheets, is humbled by the rate of innovation taking place. Executives there say they expect the next few years to bring a cacophony of applications and technologies to market, and it’s impossible to predict which vendors will lead the way.

“There’s so much innovation still to come that anyone, really—not just Microsoft and Google—but someone could come from nowhere and just do this in a way that’s a little bit different and catches users’ attention,” says Jonathan Rochelle, product manager of Google Docs & Spreadsheets. “And it’s easier to create applications like this than it used to be. Almost anyone could do some interesting things here.”

What’s Web 2.0?

Though Web 2.0 is a squishy term that some analysts reject as meaningless, there are commonalities to many of the companies popping up like dandelions all over the country. To them, the Web, not the desktop, is the application delivery platform; the browser, not the operating system, is the interface and engine that runs applications; what OS you use (or do not) doesn’t matter; and the resulting solutions often exploit such Web 2.0 collaborative and social networking hallmarks as wikis, blogs and other media.

Oh—and then there’s pricing. Forget about CALs and server access licenses here. The Web 2.0 brood favors subscriptions per user primarily and typically charges a lot less than Microsoft does for its packaged software. And upgrades are just a click away online.

“The question comes down to this: When, if ever, will people not spend $400 on a new license for Office because they can go here and it’s free?” asks Mark Fauci, president and CEO of Web-based software developer Gen-9 Inc., in Mountain View, Calif. “As soon as people get past that, it’s ‘Game Over.’”

Fauci’s point seems logical. While it’s unlikely that Web-based applications will ever substitute for back-end, mission-critical enterprise software, the desktop is another matter. Especially as offline usage solutions improve and SMB customers continue banging down the door for easier to use, low-cost business apps that give them just the capabilities they need—and not a bucketful they don’t. To that end, many of the Web 2.0 companies are focusing on core desktop business apps like office productivity software and a raft of collaboration tools, including those with voice capabilities.

There’s 37signals LLC, a Chicago-based company whose Basecamp application has gained industry accolades for its simplicity of use and clean interface. Of its three Web-based applications, Basecamp has the most relevance

44 | February 2007 | Redmond | Redmondmag.com | Project12 1/16/07 11:27 AM Page 1

Software to Simplify and Share SAN Storage

Extend the Capability of Microsoft Windows Server System

Sanbolic shared data SAN software for Microsoft based Data Centers extends the capability of Windows server applications. Scale out your Windows file serving and web serving architecture. Create a truly flexible datacenter using Virtual Server 2005. Take advantage of the full potential of Microsoft Clustering Services for application availability. Easily configure and assign a pool of storage on a heterogeneous SAN centrally with familiar Windows tools.

Simple Information Lifecycle Manager

Move your files automatically based on storage policy. Copy your data for availability. Take control of your data.

Intuitive Software Designed for Windows Servers www.sanbolic.com. Or call us at 617-833-4249 0207red_F2Web2_43-48.v11 1/17/07 10:50 AM Page 46

Google’s Descendants

to business users, providing for online project management and collaboration capabilities. Then there’s Vivox, based in Framingham, Mass., which proffers a peer-to-peer voice technology service that integrates voice, video, messaging and the requisite social networking into a customer’s existing data network.

The list goes on: Sharpcast Inc., in Palo Alto, Calif., has a patent-pending technology for synchronization. Its solution lets customers automatically synch any type of file, application or media data across multiple PCs, mobile phones or the Internet. The platform it’s looking to patent helps smooth out the online and offline usage of data and applications, which has long been a knock against Web applications and in the past has hindered widespread acceptance at the corporate level.

Still other companies come to mind like ThinkFree Corp., which offers a full office productivity suite over the Web that’s Microsoft Office compatible and can be used offline as well. TimeBridge Inc. has a cool scheduling product that integrates with Microsoft Outlook. Users merely send an e-mail inviting people to a meeting or event, then the TimeBridge product automatically maps schedules and lets the user know who will be attending and whether there is a better date/time.

Many of these applications fall under the category of Enterprise Web 2.0, which analysts describe as Web-based applications that also tie into existing corporate environments via a services-oriented architecture that leverages Web services to create application “mash-ups.”

“In the business world, Enterprise Web 2.0 is where you are leveraging existing capabilities in the form of services in the context of Web 2.0 applications,” says Jason Bloomberg, senior analyst at ZapThink LLC in Baltimore. “You can see it as an outgrowth of traditional collaboration products, like Lotus Notes or Groove.”

The sheer number of Web 2.0 companies was on display last November at a Web 2.0 conference in the Bay Area. Fauci, who attended the show, says that the vibe from many of the companies there was confident—almost to the point of arrogance. But it essentially underscored a bedrock attitude that Web apps of this nature are the wave of the future.

“Fact is, there are alternatives out there now,” Fauci explains. “What was remarkable about this conference [was] that the only limitation to developing and distributing products and providing services really is a person’s imagination. I mean, the barriers to building a Web site are gone.”

So Whither Microsoft?

The obvious question is how and/or if any of these companies—or more importantly the shifting business model they embody—might impact Microsoft, particularly sales of its Office suite and wide-reaching collaboration platform and tools. While Microsoft cannot ignore the rising tide of Web 2.0 mania, some analysts dismiss the notion that the Redmond juggernaut is not behind the trend. And no one is taking them lightly.

“For me, Web 2.0 means nothing specific: It’s a Google-like world with a lot of Web focus and social networking and I don’t see that Microsoft is in any way out of the loop in that trend,” says Dwight Davis, industry analyst at Ovum Summit, who points specifically to Microsoft’s early player status with AJAX technology.

However, as Davis points out, Microsoft at its core is still a software company that, despite its foray into services with its Live offerings, isn’t keen to become a big online services company. Ironically, that’s the path they seem headed down with Live, at least to some extent, and that will pose a period of serious adjustment for the firm and its culture.

“Software is still a nice business if you can find a business model that works in this rapidly evolving industry,” explains Davis. “That said, the shift to Live definitely makes Microsoft a services provider. And that’s a big shift.”

Microsoft’s Live initiatives are largely a work in progress still. The tricky thing is that Microsoft is stuck trying to justify a foot in both worlds; defining for customers what software they ought to install on a device vs. what services optimally reside in the cloud of the Internet. It’s like deciding which child you like best.

Jeff Hansen, general manager of Microsoft Live marketing, says the company is imposing the mantra “Software plus services” to explain its approach to both models.

“We have to understand the customer need,” Hansen says. “With the vast majority of things, they do not want to rip and replace and get rid of software and go entirely to the cloud.” Instead, he contends, customers will use services to complement and round out what they already have installed today.


The Windows Live offerings are mainly still in beta, but once delivered will address a number of business needs from search, e-mail, messaging and community spaces to contact management and presence, Hansen says. Windows Live also serves as a platform so that third parties can pull the services into their own solutions and customize. Thirdly, there is a monetization component in the AdCenter service.

Office Live now clocks in with 170,000 customers, Hansen says. The service mirrors in many respects the Google Apps for Your Domain service, providing SMB customers with a quick, easy way to construct their own Web site, domain names for corporate e-mail accounts and other basics of doing business online. It does not include, as the name would imply, online services versions of Word, Excel or any other of the core Office applications. The other element to the Live strategy, Microsoft CRM Live, is expected to be available this summer.

Most analysts agree that the proof is in the execution when it comes to Microsoft’s Live portfolio, and that it is absolutely essential the company move more software to a services model.

“The challenge for any established company is to balance the cannibalization of your own products and existing portfolio vs. the need to get into new markets. Microsoft is at a critical stage for making these decisions,” says Rob Enderle, industry analyst at the Enderle Group.

Build vs. Buy

With the market overflowing with innovative applications from the Web 2.0 army of small companies, Microsoft and Google—and any other large player for that matter—have an opportunity to shop. For some of these small companies, that’s exactly the plan as drawn up at the moment they locked in their VC money. But still others, like Zimbra, for example, won’t cop to such an exit strategy, instead insisting that they can build a viably competitive business by appealing to customers’ desire for choice and simplicity.

The buying does go on, however. Who can forget Google’s $1.65 billion splurge on video-sharing service YouTube last year? Google also laid claim to Web 2.0 companies with more of a corporate bent such as Writely and JotSpot. Writely, a word processor and document management service, now comprises the Documents half of Google Docs & Spreadsheets, whereas JotSpot gives Google entry into the world of wikis with its Tracker application and development environment.

The lure of being acquired will always loom for the best and the brightest of the Web 2.0 population. But most will tell you they are focused less on acquisition and more on developing better applications for customers to access online.

“We don’t have an exit strategy—we call it an exit reality,” says Luis Derechin, CEO and co-founder of JackBe Corp. “Our main preoccupation is making sure the company creates the best possible technology and quality, and by doing that we’ll be looking at many different exit realities.”

JackBe is one of the Enterprise Web 2.0 companies. It recently upgraded its NQ AJAX Framework service from a presentation layer-only development environment to one that enables developers to pull forward services from a customer’s SOA implementation. The new online service, called Presto REA Platform, is expected to launch in March.

Like JackBe, Zimbra too could be ripe for acquisition. CEO Dharmaraj is well aware, but says his goal—for now—is to grow the company. He believes Zimbra is positioned well enough to become a force in the SMB market and elsewhere, including places where Microsoft dominates. The reasons: Getting out in front of the concept of the browser as the delivery platform and understanding that the underlying OS does not much matter.

It will be interesting watching any of these Davids as they take aim at the industry’s Goliaths over the course of the next few years.

“There are absolutely business model disruptions going on now which are pretty much completely at odds with the culture and way of doing things at Microsoft,” Dharmaraj says.

Carolyn A. April is the executive editor of features for Redmond magazine. Reach her at [email protected].


It’s 10 O’Clock. Do You Know Where Your Hacker Is?

IT pros have reservations, but ethical hackers are becoming a fact of life.

By Joel Shore

Ethical hacking. That phrase may seem incongruous to some, but for others it’s an essential component of their IT strategy. Whatever your reaction to the concept of ethical hacking, everyone agrees that someone, authorized or not, is trying to break into your IT infrastructure.

“You want the good guys to find the security holes before the bad guys do,” says Jack Koziol, at the InfoSec Institute, an organization that certifies security professionals. “If your people are not doing it, someone else will—and that someone won’t be on your side,” he says.

It’s not just about keeping that nefarious “someone” out. Nabbing a successful perpetrator—or even simply knowing that a break-in has occurred or is being planned—is too often well beyond the technical scope of many IT departments. Even worse, when a break-in is discovered, most IT professionals don’t know how to secure and preserve the evidence needed for the forensic analysis and prosecution.

Enter the Good Guys

Paul H. Luehr is a former computer crimes prosecutor with the U.S. Dept. of Justice and the Federal Trade Commission. After the Sept. 11 attacks, it was Luehr who oversaw the initial forensic investigation into computer evidence related to convicted terrorist Zacarias Moussaoui. He has also prosecuted computer crimes perpetrated against eBay, Best


Buy and the corporate parent of Saks Fifth Avenue.

Today, Luehr is deputy general counsel at Stroz Friedberg, a law firm that specializes in using forensic investigations to prosecute computer crimes. “IT departments often jeopardize prosecution because they are unfamiliar with the use of the procedures and forensics required to catch and put the bad guys behind bars,” he says.

Matt Hillman, founder of the Legion of Ethical Hacking (LEH), believes the concept is valid. He classifies any authorized break-in as ethical hacking, which eliminates some of the confusion. “Hacking is essentially neutral. It’s just a thing that you do. What you do it for is a whole other matter,” he says. Of course, Watergate was an authorized break-in, and we all know how that turned out.

So these days, we certify the good guys, or the people we hope are good guys. For InfoSec’s Koziol, that means running extensive background checks before students are taught advanced techniques such as DNS host identification abuse, cache poisoning, password cracking, spoofing, SSL session hijacking and malicious log editing, just to name a few things in a hacker’s bag of tricks. He notes that students are typically experienced IT professionals from larger corporations taking the next step toward protecting their companies’ crown jewels.

Though thousands have taken these tests and become certified hackers, even Koziol acknowledges the exams test only technical aptitude—not one’s underlying ethics. He’s quick to note, however, that InfoSec has never heard of one of its certified hackers going bad.

It can be a fine line, however, that separates the hackers wearing white hats from those wearing black, says Oliver Friedrichs, director of Symantec Security Response. “Checking for a criminal record or prior abuse gets you only so far. After all, a successful hacker is someone who has managed to remain invisible,” he contends.

The stereotype of the invisible hacker—someone sitting in his or her apartment surrounded by computers—is “largely true,” says Gunter Ollmann, director of IBM Internet Security Systems’ X-Force Threat Analysis Service. His team invests their own personal time to improve their skills, he adds. Most belong to groups that meet regularly where they exchange new tools and techniques. “There’s a lot of alcohol involved and the burnout rate for these people is very high, typically five to eight years before they become alcoholics or burn themselves out,” he says.

When hiring for X-Force, Ollmann insists on candidates with a technical degree. Most come from the physical sciences, instead of computer science. His candidates must have three to five years of multinational experience in dealing with large infrastructures and a breadth of attack types, or as security researchers with a detailed understanding of how large institutions develop and deploy systems.

Not surprisingly, hiring a “hacker gone straight” is generally frowned upon. “The idea of a bank hiring a convicted robber as a security consultant because he knows where the money is just doesn’t make sense,” says Luehr. “It’s not the image any reasonable corporation should project. After all, the guy got caught.”

Cheryl Currid, a former IT director with a Fortune 100 company and current president of Currid & Co., an IT strategy consultancy, takes a more reticent position. She’s still cautious, however, about recruiting from the dark side. “It’s possible to learn a lot from these guys,” says Currid. “I would hire only on a short-term project basis. Bring him on full time and he’ll get bored.” And the trouble with boredom, she adds, is that it breeds curiosity, which in turn breeds trouble.

Whether you call it ethical hacking or penetration testing, the underlying philosophy of proactively finding weaknesses before the bad guys do is


very much alive at IBM’s Global Services unit. In current online marketing materials for its Ethical Hacking service, IBM states that its team members simulate a real intruder’s attack in a controlled manner and “tell you what they find and how you can fix it.” The service comes at a steep price, though. One stand-alone IBM Ethical Hack will set you back as much as $45,000.

Is it worth the price? If the testers discover a damaging vulnerability, then it’s practically priceless. By their very nature, though, any security test can find only that which it is assigned to look for.

“You’ve got to keep in mind that no matter how good any tool is, it can do only what it’s designed to do,” says Michael Howard, senior security program manager in the Security Engineering Group at Microsoft and a world-renowned expert on software security. “The nature of threats is constantly changing and the people behind those threats are more sophisticated than ever. The tests will always be one step behind,” Howard says.

Testing, Testing

In his landmark 2001 white paper on ethical hacking, Charles Palmer, manager of the Network Security and Cryptography department at the IBM Thomas J. Watson Research Center, identifies six key areas of testing. Published years before the rise of social-networking platforms like MySpace and YouTube and the thriving music and video downloading industry, Palmer’s target list seems positively clairvoyant today:

• Remote network: Simulate an Internet attack by hitting perimeter firewalls, filtering routers and Web servers.
• Remote dial-up network: Targeting authentication schemes, this was originally conceived to attack modem pools. It has been updated to include any channel providing external access to the internal network, including a VPN.
• Local network: This tests employee or other authorized access from within the perimeter. Targets include intranet firewalls, internal Web servers, server security measures and e-mail systems.
• Stolen laptop: Choose a key company employee, then take his or her laptop computer without any advance notice and give it to the testers. Targets include passwords stored in remote-access software, corporate information assets, personnel information and customer data (whether it’s encrypted or not). This is a favorite way to leapfrog perimeter security and gain access to the corporate intranet with full privileges.
• Social engineering: These are not technical tests, but rather evaluations of staff behavior. Tests include calling tech support and asking for remote-access assistance or going on-site, looking lost, and asking where the computer room is located. Updated for life online, other tests include how employees respond to e-mails from impostors, whether or not they click links that may lead to sites with malicious software, and if they download multimedia that may contain embedded malware.
• Physical entry: This test gauges on-site security, security guards, access controls and monitoring, and security awareness by attempting to gain access to the premises. A hacker might try this by digging through trash cans to find documents with the company logo.

Palmer concludes that “regular auditing, vigilant intrusion detection, good system administration practice and computer security awareness are all essential parts of an organization’s security efforts.” Just one failure, he says, can expose an organization to cyber-vandalism, embarrassment, loss of revenue, and/or litigation. As for the ethical hackers themselves, while Palmer says they will help any IT director better understand the organization’s needs, they should be carefully watched as well.

Simple Solution, Zero Cost

Besides testing the stolen laptop scenario, Luehr also recommends choosing servers at random and testing whether logging functions are on and that firewall functions are operating correctly. “One of the biggest problems we see is IT directors who carry the old habit of not turning on enough logging functions,” he says.

He ascribes this practice to a time when storage was expensive and logging tactics and tools, like mainframe CICS journaling or NetWare’s Transaction Tracking System, slowed system performance. Today, he says, if you can log it, then turn it on and do it. “In any security investigation, whether in a preventative mode or reactive mode after a crime has occurred, those logs can prove invaluable.”

Logging functions contain a goldmine of potentially useful forensic information, often including IP addresses, open port activity or even vectors of attack that investigators can analyze for patterns. “You can often tell whether the attack is coming from a domestic source, a former employee or from overseas hackers with more nationalistic goals in mind.”

CSI: Data Center

While the purpose of ethical hacking is to minimize the possibility of an actual attack, no scenario is perfect. Consequently, quickly securing the crime scene following an attack is essential. This doesn’t involve stringing yellow crime-scene tape across the data center, but it does involve taking any compromised systems out of service, assuming you can determine which ones they are.

“If a system is compromised and forensics are needed, locking the machine in a closet is far smarter and more effective than allowing an IT department’s bright minds and curious fingers to poke away at it,” says Luehr.

If you can’t take the system out of service because it’s running mission critical software, you can use specialized forensic tools to go after live


WindowsInsider

Vista’s ADMX Marks the Spot

by Greg Shields

Just when you thought you had it figured out, they go and change a whole language out from under you. It’s like stepping into your lifelong favorite burrito joint and getting greeted with, “Comment peux-je vous aider?”

With the release of Windows Vista, Microsoft’s language change for Group Policy template authoring has caused some serious confusion among Windows administrators. Although the changeover to XML has been slowly taking over things like Security Configuration Wizard customizations and the new Office 2007 , administrators are still struggling with XML’s more complicated syntax. Let’s drill down into what’s necessary to get you started customizing Group Policy in

Shopping the Central

for multiple-languages, the reality is
single language. That being said, for most of us Vista Group Policy’s major
centralized location for storing tem-

In the old format each of the default ADM templates was stored, along with
a minimum of 4MB per GPO. As policies got added over time, this became a major contributor to SYSVOL bloat.

Central Store, eliminating duplication and reducing the size of the SYSVOL.

Creating your Central Store is a manual process. As a Domain Administrator, log onto a Domain Controller and create a new SYSVOL folder named C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions. You’ll also need to create a subfolder for language-specific files. For the English language, this subfolder’s name should be \EN-US.

Then, from any Vista workstation navigate to the C:\Windows\Policy
tents to your newly created SYSVOL location. Templates are now broken
ciated descriptive text. Once the tem-
and replicated, they’re available for use within the Group Policy Object Editor.

eXtra Methods to Learn

files, you’ll immediately notice that they’re quite a bit meatier than those in
dency to add lots of extra text.

Let’s look at a very simple example of the differences between the old ADM

    CLASS USER
    CATEGORY "Adobe Acrobat Reader 7.0"
    POLICY "Disable splash screen"
    KEYNAME "Software\Adobe\Acrobat Reader\7.0\Originals"
    EXPLAIN "Set this value to disable the splash screen"
    VALUENAME "bDisplayedSplash"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY
    END CATEGORY

After converting it, the associated ADMX file looks like this. Note the items in bold, which illustrate the actual registry configuration components of the file. The rest is all wrapper code and pointers to the ADML file:

Combining XML’s syntactic excessiveness with the typical Windows administrator’s distaste for programming means most admins will likely need a GUI tool to help build customized templates. A few have already been released by Microsoft that render XML in a more visually friendly way.

ates a tree view for any XML file that
Navigating to an element is done by
one is done from the right.

XML Notepad 2007 is handy for generic XML authoring, but it doesn’t provide any assistance with the specific schema for authoring ADMX files. To remedy this, Microsoft has licensed and made freely available a tool from FullArmor Corp. called ADMX Migrator. Like XML Notepad, this tool generates a tree view for rendering graphically the contents of the ADMX file, but is specifically coded for rendering ADMX files.

ADMX Migrator can ingest an old-style ADM file and convert it to an ADMX file while allowing the administrator to create additional categories and configurations. One function not handled natively by the tool is multi-

too, that XML files can be cantanker-
configured according to the ADMX
natively case-sensitive, which can add a whole new suite of coding nightmares if you’re generating templates by hand.

If your head is still swimming in this sea of XML elements and ADMX schemas, take heart. For most administrators, this changeover to the ADMX format will not substantially change your experience.

Greg Shields, MCSE: Security, CCEA, is a senior consultant for 3t Systems (www.3tsystems.com) in Denver, Colo. A contributing editor to Redmond magazine and a popular speaker at TechMentor events, Greg provides engineering support and technical consulting in Microsoft, Citrix and VMware technologies.
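The ADM policy from this column, parsed and re-expressed as the registry-bearing part of an ADMX policy element. This is an added example, not the column's ADMX listing and not ADMX Migrator output; the generated ids and the `registry_target` helper are assumptions, and the wrapper a complete ADMX file needs (policyNamespaces, resources, categories, supportedOn) is left out.

```python
# Added example: handles only the ADM keywords that the column's sample uses.
import re
import xml.etree.ElementTree as ET

# The ADM template text from the column.
ADM_SAMPLE = r'''
CLASS USER
CATEGORY "Adobe Acrobat Reader 7.0"
  POLICY "Disable splash screen"
    KEYNAME "Software\Adobe\Acrobat Reader\7.0\Originals"
    EXPLAIN "Set this value to disable the splash screen"
    VALUENAME "bDisplayedSplash"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
'''

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
FIELDS = {"KEYNAME": "key", "EXPLAIN": "explain", "VALUENAME": "value_name"}
# Registry subtrees that Group Policy manages; anything else is a "preference"
# that stays in the registry after the GPO stops applying.
POLICY_ROOTS = ("software\\policies\\",
                "software\\microsoft\\windows\\currentversion\\policies\\")

def tokenize(line):
    """Split an ADM line into bare words and the contents of quoted strings."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN.finditer(line)]

def parse_adm(text):
    """Return one dict per POLICY block found in the ADM text."""
    policies, cls, category, cur = [], None, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = tokenize(raw)
        if not tok or tok[0].startswith(";"):      # blank line or ADM comment
            continue
        kw, args = tok[0].upper(), tok[1:]
        if kw != "END" and not args:
            raise ValueError(f"line {lineno}: {kw} needs an argument")
        if kw == "CLASS":
            cls = args[0].upper()                  # USER or MACHINE
        elif kw == "CATEGORY":
            category = args[0]
        elif kw == "POLICY":
            cur = {"class": cls, "category": category, "name": args[0]}
        elif kw == "END":
            if args and args[0].upper() == "POLICY":
                if cur is None or not {"key", "value_name"} <= cur.keys():
                    raise ValueError(f"line {lineno}: incomplete POLICY block")
                policies.append(cur)
                cur = None
        elif cur is None:
            raise ValueError(f"line {lineno}: {kw} outside a POLICY block")
        elif kw in FIELDS:
            cur[FIELDS[kw]] = args[0]
        elif (kw in ("VALUEON", "VALUEOFF") and len(args) == 2
              and args[0].upper() == "NUMERIC"):
            cur["on" if kw == "VALUEON" else "off"] = int(args[1])
        else:
            raise ValueError(f"line {lineno}: unsupported: {raw.strip()}")
    return policies

def slug(text):
    """Turn display text into an id-safe name (naming scheme is an assumption)."""
    return re.sub(r"[^A-Za-z0-9]+", "_", text).strip("_")

def to_admx(p):
    """Build the <policy> element plus the ADML strings it points to."""
    pid = slug(p["name"])
    el = ET.Element("policy", {
        "name": pid,
        "class": {"USER": "User", "MACHINE": "Machine"}[p["class"]],
        "displayName": f"$(string.{pid})",
        "explainText": f"$(string.{pid}_Explain)",
        "key": p["key"],                   # registry key the policy writes to
        "valueName": p["value_name"],      # registry value it sets
    })
    ET.SubElement(el, "parentCategory", ref=slug(p["category"]))
    for tag, field in (("enabledValue", "on"), ("disabledValue", "off")):
        if field in p:
            ET.SubElement(ET.SubElement(el, tag), "decimal", value=str(p[field]))
    return el, {pid: p["name"], f"{pid}_Explain": p.get("explain", "")}

def registry_target(p):
    """Return (full key, value name, managed?) to review what a policy writes."""
    hive = {"USER": "HKCU", "MACHINE": "HKLM"}[p["class"]]
    managed = (p["key"].lower() + "\\").startswith(POLICY_ROOTS)
    return f"{hive}\\{p['key']}", p["value_name"], managed

if __name__ == "__main__":
    for pol in parse_adm(ADM_SAMPLE):
        element, strings = to_admx(pol)
        print(ET.tostring(element, encoding="unicode"), strings, registry_target(pol))
```

For the column's sample, `registry_target` reports a key outside the Policies subtrees, which is worth knowing before deploying a custom template: the value remains on clients after the GPO is removed.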

Ethical Hacking

Continued from page 55

the best known is Internet Scanner from ISS, which IBM acquired in October. Others include Impact from Core Security Technologies, and Paraben Corp.’s software for analyzing e-mail, instant messages and handheld devices.

The New York-based EC-Council provides training that leads to certification as a Computer-Hacking Forensics Investigator, which is similar to InfoSec’s ethical hacking certifications. The EC-Council course teaches participants to identify intruders’ traces and to gather evidence needed for prosecution. The list of companies that keep at least one CHFI on staff reads like the Fortune 100.

While these tools and the investigators who use them find the vulnerabilities, InfoSec offers a CD-ROM containing more than 750 tools to exploit them. The list of tools includes keyloggers, password crackers, rootkits, router hacking, Trojans and password cracking dictionaries in 163 languages.

Never a Certainty

Unfortunately, plugging every security hole, shutting down every unused open port, changing default passwords on routers and running quarterly penetration tests still takes you only so far. Too often, the bad guys find their way.

“We see an increasing number of content-borne threats, such as scripts embedded in word-processing files,” says ISS’s Ollmann. A newer technique, prized by hackers for its elegant simplicity, is placing a keylogger or other malware program on inexpensive USB thumb drives handed out by the thousands as promotional items. “The moment you plug it into a USB port, you are in serious trouble,” he contends.

No amount of training can prevent such threats. And penetration testing, by definition an attempt to break in from the outside, is unlikely to help in those cases. For that reason, most security auditing firms recommend frequent and comprehensive internal testing.

It’s a fact of life that increasing percentages of IT budgets are being allocated to security. That provides a sad commentary on the times in which we live. Using ethical hackers and penetration testing to maintain network and data integrity, and forensic tools to analyze breaches and find the perpetrators has become an essential part of any IT security protocol. Jay Bavisi, president of the EC-Council, sums it up best. “To beat a hacker, you need to think like a hacker.”

Joel Shore is managing director of Reference Guide in Southborough, Mass. He advises technology vendors on product strategy and marketing matters. Reach him at [email protected].


SecurityAdvisor

Does Vista Matter?

by Joern Wettern

There’s no question that Vista is a major step forward for Windows, but how much can it really do to enhance the security of your network? Here we’ll take a look at the security enhancements in Vista to help you figure out if you should rush to upgrade your computers.

User Account Control

Vista’s User Account Control (UAC) is one of the features that has been most heavily promoted by Microsoft—and most strongly ridiculed by early reviewers. If you’re logged on as a non-administrative user and you’re running a program that requires elevated privileges, Vista will temporarily block all input, prompt you to enter administrative credentials and then run the program using those credentials. In effect, this replaces the old Run As command. In a corporate setting, though, most users don’t have an administrative account.

Even though it’s a bad practice to be logged on as an administrator for normal computing tasks, it’s no secret that it’s fairly common. Let’s face it, some programs simply won’t run under a normal user account and switching back and forth between two accounts is cumbersome.

Thanks to UAC, now you can always be logged on as an administrator without compromising security. With UAC enabled, Vista runs all your programs with the regular user-level privileges. When a program requires elevated privileges, Vista starts the program at a more privileged level, but only after prompting you for your permission (see Figure 1). If you’re starting an administrative tool, you can give your approval.

UAC is definitely a good idea and it’s much less cumbersome to use now than it was in pre-release versions of Vista. While UAC has a lot of potential, I predict that it won’t increase security that much compared to a Windows XP-based environment where users aren’t logged on as administrators.

BitLocker

BitLocker (covered in “Bit by Bit,” August 2006) encrypts your system drive to ensure that no data is compromised when an unauthorized person gains access to your hard drive. The most common use for BitLocker is on laptops. With BitLocker, you no longer have to worry about who reads your e-mail or memos if you leave your laptop in the backseat of a taxi cab.

There are other programs that can do this, but BitLocker’s features and tight integration with the operating system make it an appealing choice for corporate IT departments. However, BitLocker protection doesn’t come cheap. It’s only included with Vista Ultimate, the most expensive edition of the operating system. Also, it requires that your computer have a Trusted Computing Platform (TCP) chip to protect the encryption keys.

Internet Explorer 7

Internet Explorer 7 (IE7) has a number of security improvements over older versions of IE. One big change you’ll immediately notice is the new Phishing Filter. This filter checks Web sites against a Microsoft database of known phishing sites. This gives you reasonably good protection against Web sites that try to gather log-on credentials by emulating legitimate banking Web sites.

While the Phishing Filter protects against phishing attacks by giving you warnings, you can get the same protection by installing IE7 on Windows XP machines. There are some security features you’ll only find in the Vista version of IE7, however. Home users may benefit from the greatly improved parental controls, and those can also provide some benefits in a corporate environment where you need to restrict user browsing.

The Protected Mode is a much more significant factor with IE7. This severely restricts how applications can interact with . This feature, which is also only available in the Vista version of IE, makes it much more difficult for malicious software to attack your computer through the browser. This new level of protection is probably the most valuable security enhancement for Internet Explorer that you’ll get with Windows Vista.

Finally: A Real Firewall

Windows XP comes with the Windows Firewall, which is an easy-to-use personal firewall that remains politely in the background most of the time. The trade-off for this ease of use is that its capabilities are fairly limited. Configuring detailed firewall exceptions is difficult, and you simply can’t configure rules to block outbound network traffic.

Windows Vista gives you extremely powerful configuration options for setting firewall exceptions, including rules based on specific applications. Even better, it can block selected outbound network traffic. In other words, Windows


now comes with an extremely powerful and full-featured personal firewall. Microsoft was afraid this power would confuse users. Their solution was to provide a default configuration program that lets you configure the Windows Firewall pretty much the same way as in Windows XP—with the same limited functionality.

You'll want to use the full Windows Firewall with Advanced Security, once you find it. It's actually a snap-in for the Microsoft Management Console. Not only is this new Windows Firewall quite powerful, you can also administer it with Group Policy. It's unfortunate, however, that configuration is such a complex task and that even the administration tool is hard to locate. This will probably prevent widespread use of this powerful firewall.

Defender to the Defense

Windows Vista includes Windows Defender, an anti-spyware program that's capable, if not altogether impressive. Like the old version of the Windows Firewall, it was designed to operate out of sight of users and only become visible when something is blocked. Unfortunately, this also means that your ability to customize it is somewhat limited. It's also hard to manage in a corporate environment. Microsoft is currently working on its Forefront Client Security product for corporate client protection, but you'll have to purchase that one separately. Like IE7, Windows Defender is available as a free download for Windows XP, so that doesn't make a compelling argument for upgrading to Vista.

Under the Hood

Some of the most exciting security enhancements in Windows Vista are not immediately obvious because they relate to modifications Microsoft made to the internal operations of the operating system. In previous versions of Windows, you often had to log on as administrator to run applications that insisted on writing to locations on your disk or in the registry not accessible to regular users. Vista solves this problem by writing those changes to a temporary user-specific area. It then integrates them with the unmodified versions on the fly so the application thinks it's accessing protected areas. The original files are left alone so no other users are affected and no critical files or settings are changed. This lets your users run many user accounts without having to resort to an administrative account.

Figure 1. Privileged use requires the appropriate level of approval.

Kernel Patch Protection is another internal enhancement. To prevent rootkits from changing the Windows kernel—the core component of the operating system—Windows Vista only allows limited access to these components. It even shifts kernel components around in memory to make it almost impossible for a rootkit to find its exact target. Unfortunately, Kernel Patch Protection is only available in the 64-bit version of Windows Vista.

On the downside, it makes it more expensive for hardware manufacturers and other software developers to create 64-bit drivers. Microsoft already ruffled the feathers of its antivirus partners by trying to prevent them from accessing the operating system kernel at all. It reversed this decision shortly before the launch of Vista. Even though hackers will probably find a way to circumvent this protection to plant their rootkits, it's still a significant security enhancement, at least for the time being.

There are numerous other small security enhancements throughout Vista. You can now configure more security settings through Group Policy and you have a rudimentary ability to block the use of hardware devices. Other security-related components like Network Access Protection won't be enabled until they're complemented by Longhorn Server, which is not due to be released until later in 2007.

Should You Upgrade?

If you're in the market for a new computer, there's no question that Windows Vista will give you a more secure computing experience. If you look strictly at security, though, there are few compelling arguments to rush into a Vista deployment on your existing computers.

Companies with well-managed client computers and a good security infrastructure will likely find the improved security features are not enough to justify the upgrade until the next regularly scheduled upgrade cycle. Others may find that even a single feature is enough to make Vista a compelling purchase—for example, getting BitLocker protection for laptop computers. If you're thinking about upgrading to 64-bit client computers in the next few months, you might also consider holding off on the operating system upgrade until then so you'll get all the security benefits of 64-bit Vista when you finally make your move.

My recommendation to companies is to plan for moving to Windows Vista at some point in the near future to get the protection provided by its security enhancements. However, you shouldn't rush into any deployment decisions without first carefully evaluating how many immediate benefits you'll really get from Vista.—

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He has written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide. Reach him at [email protected].
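The file and registry redirection described under "Under the Hood" can be inspected on a live system. The PowerShell below is an added example, not code from the article; it assumes PowerShell 3.0 or later and the default Windows locations for virtualized writes (%LOCALAPPDATA%\VirtualStore and HKCU\Software\Classes\VirtualStore\MACHINE\SOFTWARE), which the article does not name.

```powershell
# Added example: inventory what UAC virtualization has redirected for the current user.
# Assumes PowerShell 3.0+ and the default redirect locations named in the lead-in.
$fileStore = Join-Path $env:LOCALAPPDATA 'VirtualStore'
$regStore  = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'

function Get-VirtualizedFile {
    param([string]$Root = $fileStore)
    if (-not (Test-Path -LiteralPath $Root)) { return }    # nothing redirected yet
    $prefix = (Get-Item -LiteralPath $Root -Force).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $prefix -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The store mirrors the system drive: <store>\Program Files\App\x.ini
            # is the per-user copy of <SystemDrive>\Program Files\App\x.ini.
            $relative  = $_.FullName.Substring($prefix.Length).TrimStart('\')
            $protected = Join-Path "$env:SystemDrive\" $relative
            $original  = Get-Item -LiteralPath $protected -Force -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProtectedPath  = $protected
                UserCopy       = $_.FullName
                LastWrite      = $_.LastWriteTime
                OriginalExists = [bool]$original
                # True when this user's view differs in size from the shared file
                SizeDiffers    = if ($original) { $original.Length -ne $_.Length } else { $null }
            }
        }
}

function Get-VirtualizedRegistryKey {
    param([string]$Root = $regStore)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.ValueCount -gt 0 } |
        ForEach-Object {
            # Strip the per-user prefix to recover the machine-wide key it shadows.
            $relative = $_.Name -replace '^.*?\\VirtualStore\\MACHINE\\SOFTWARE', ''
            [pscustomobject]@{
                ProtectedKey = 'HKLM:\SOFTWARE' + $relative
                UserCopy     = $_.Name
                Values       = ($_.GetValueNames() -join ', ')
            }
        }
}

Get-VirtualizedFile        | Sort-Object ProtectedPath | Format-Table -AutoSize
Get-VirtualizedRegistryKey | Sort-Object ProtectedKey  | Format-Table -AutoSize
```

Every row is a legacy application that still writes to a protected location and only works for standard users because of the redirect. Rows where SizeDiffers is true mark settings that have diverged per user from the machine-wide copy.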


Redmond (ISSN 1553-7560) is published monthly by 1105 Media, Inc., 9121 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. © Copyright 2007 by 1105 Media, Inc. All rights reserved. Printed in the U.S.A.


FoleyOnMicrosoft
by Mary Jo Foley

Windows Vista Down; On to Windows 7?

The prolonged, three-month launch of Windows Vista is finally history. Microsoft delivered Vista to business users on Nov. 30 and to the rest of the world on Jan. 29. So now it's on to the "Fiji" and "Vienna" releases about which we've been hearing for months, right?

Wrong.

Future versions of Windows are going to bear little resemblance to what we've heard so far officially—and unofficially—from Microsoft and the individuals who love to leak tidbits about the company. In fact, according to one of my reliable tipsters, the new and reorganized Windows organization, led by Senior Vice President Steven Sinofsky, is trying to wean folks completely off the Windows code names they have been using for the next couple of releases of Windows.

Welcome to the brave new world of "Windows 7" (a boringly named complement to "Office 14," the successor to Office 2007).

(This column, by the way, is purely speculative, a cobbling together of source information and my own hunches. Microsoft won't talk about Windows futures right now, in part because the company doesn't want to take the focus off Vista, and also because the Windows organization is still trying to sort itself out. Company officials aren't even venturing to talk about when Vista Service Pack 1 will hit.)

Whatever Windows 7 ends up looking like, there's one thing I'm counting on—it's not going to be developed, tested or marketed anything like its recent Windows predecessors. It's likely to be less ambitious in its goals, feature set and its development, be more modular in its design and, possibly, more role-based in its delivery. In general, watch for more incremental Windows releases, supplemented by more feature pack/service pack updates. This will be coupled with more new components released as services.

Given that Sinofsky, head of Windows and Windows Live engineering, most recently lorded over the development of Microsoft Office, it seems natural to look for clues about Windows in not only the Windows history archives, but maybe especially in the Office annals.

Here's what we know about Vista: It's too big, still hampered by internal code dependencies and was concocted by way too many cooks. Because of this, the product kept slipping and shedding features, missed the holiday buying season and was released to market before many Microsoft partners (and Microsoft product teams) had delivered Vista-compatible drivers and applications.

Here's what we know about Office: New versions ship every two years, like clockwork. If the development process is messy and features/functionality are cut, no one seems to know or care. Even when it includes controversial new features—like Office 2007's ribbon user interface and the new XML file format that require a downloadable patch in order for users of older versions to read Office 2007 Open-XML-formatted documents. Nevertheless, Office still comes out smelling like a rose.

What can Microsoft do to make Windows more like Office?

• Don't bite off more than you can chew. Don't over-promise.
• Trim (or, more accurately, ax) the size of the team developing the product.
• Stop talking about unreleased products. Don't share publicly a list of promised features/functionality before the product is totally locked down. Punish transgressors both inside and outside the company.
• Cease sharing any information about delivery milestones or dates. Never talking about ship targets means never having to say you're sorry.
• Ban historical references. Anyone mentioning "WinFS," "Cairo" or "Hailstorm" gets put in the penalty box.

Microsoft is currently facing some of the same problems with Vista it has been experiencing with Office for a couple of years now. The biggest competitor to Vista isn't Mac OS X or Linux—it's Windows XP. Consequently, the Windows team increasingly finds itself in the same straits as the Office folks—namely, it needs to convince users who don't really need a brand new release of Windows that they do.

Let's see what Sinofsky & Co. come up with, beyond making new, desirable features available only to customers who sign multi-year volume-licensing contracts.

What are you expecting from Windows 7 and beyond? Write me at [email protected].—

Mary Jo Foley is editor of the new ZDnet "All About Microsoft" blog and has been covering Microsoft for about two decades.

GetMoreOnline: Find out more about Office 7 and other Microsoft releases at Redmondmag.com. FindIT code: Foley0207
