MARCH 2006 • $5.95 • WWW.REDMONDMAG.COM

The 800-Pound Gorilla: Can Microsoft Be Knocked Off Its Perch?
Readers Strike Back!
Your Worst IT Nightmare
New Column: Mr. Roboto: Automation for the Harried Administrator


MARCH 2006 WWW.REDMONDMAG.COM

Winner for Best Computer/Software Magazine 2005

Redmond: THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY

REDMOND REPORT
9 Vista Security: Worth Paying For? Why the next version of Windows may not be as secure as you think.
10 Next Chapter Opens for Open Formats. Massachusetts reaffirms its open format vision with new CIO.
12 Windows Vulnerabilities for Sale. Hackers sold the WMF zero-day exploit for as much as $4,000 on Russian black market Web sites.
Microsoft Banishes Beta. Smaller, faster Vista test cycles already improving feedback.

COVER STORY
28 The 800-Pound Gorilla. Windows and Office each dominate the landscape, like King Kong on Skull Island. What would it take to shoot this monkey down and give other species a fighting chance?

FEATURES
39 Reader Tips: Do Away with Spyware. Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties.
45 Never Again. What’s the worst thing that’s happened to you in your IT career? Readers share their scariest on-the-job experiences, and you can learn from their mistakes.

COLUMNS
4 Barney’s Rubble: Doug Barney. Linux (and the Mac) Aren’t Even Trying
22 Beta Man: Don Jones. Windows Goes High Performance
50 NEW COLUMN Mr. Roboto: Don Jones. Service Pack It Up
52 Windows Insider: Greg Shields. Down the Winding InfoPath
57 Security Advisor: Joern Wettern. That Isolated Feeling
64 Foley on Microsoft: Mary Jo Foley. Is Microsoft Buying into the Web 2.0 Hype?

REVIEWS
13 Kill Two Birds with One Stone. NetChk Protect combines the functionality of Shavlik’s patching and anti-spyware tools in a single console.
16 Schedule Jobs the Easy Way. The latest version of SmartBatch helps you centralize and streamline Windows job scheduling.
20 Manage the Forest and the Trees. Administer your entire Active Directory domain from one location.
25 Your Turn: BizTalk Server: Getting Better All the Time. Users say Microsoft BizTalk Server 2004—and the 2006 version—significantly ease enterprise application integration.

ALSO IN THIS ISSUE
2 Redmond Magazine Online
6 [email protected]
63 Ad and Editorial Indexes

COVER ILLUSTRATION BY GERAD TAYLOR

Redmondmag.com, MARCH 2006

REDMONDMAG.COM
Want More of What You Read in Redmond? Visit the TechLibrary on Redmondmag.com!
The TechLibrary section of Redmondmag.com is your resource for more in-depth information for the topics we cover here in Redmond. For example, right now in the TechLibrary you can download a free, expanded copy of this month’s cover story on p. 28, “The 800-Pound Gorilla” (FindIT code: GORPDF), in which author Doug Barney offers even more on the challenges Microsoft faces in the future. And since we know you can never have too much disaster recovery information, we’ve also just posted a PDF featuring an expanded version of last month’s cover story, “Worst Case Scenarios” (FindIT code: WCPDF).
All PDFs in our TechLibrary are free, although a one-time registration is required. Get these resources today and find out more about what our TechLibrary has to offer (FindIT code: TechLibrary).

REDMOND COMMUNITY
Redmond Newsletters
• Redmond Report: Delivered to your inbox three times a week—featuring news analysis, context and laughs. By Redmond’s Editor in Chief Doug Barney. FindIT code: Newsletters
• Security Watch: Keep current on the latest Windows network security topics. This newsletter features exclusive, online columns by Contributing Editor Russ Cooper of NTBugTraq fame. FindIT code: Newsletters
Discussion and Forums
Post your thoughts and opinions under our articles, or stop by the forums for more in-depth discussions. FindIT code: Forum
Your Turn
The interactivity center of the Redmond universe, where you get to express your views. FindIT code: YourTurn

MCPMAG.COM
Coming to MCPmag.com in March:
• Recovering from Chaos: Disaster Recovery Tales from the Trenches
• What’s all the hubbub around security patches from non-Microsoft sources? Mike Gunderloy takes a closer look at how our patching practices can be better
• Greatest Scripting Hits: Don Jones looks at his most popular scripts ever
• Your Network Troubleshooting pains can be eased here: Send your networking woes to [email protected] with “IT Help” and get assistance from our sharp networking and server experts Chris Wolf, Zubair Alexander and Sekou Page
• MCP Radio: Host Michael Domingo interviews Zenprise Marketing Manager Ahmed Datoo and Macrovision Product Manager Bob Corrigan
• SBS Live! Microsoft MVP and Small Business Server expert Andy Goodman heads this one-hour SBS troubleshooting chat on March 21

OTHER 101COMMUNICATIONS SITES
RCPmag.com
Winning the Linux Wars. Can you sell against free? Get the partner perspective on taking on open source. FindIT code: RCPLW
ENTmag.com
Upgraded Backup Tool Restores to ‘Dissimilar’ Hardware. UBDR Gold restores files to a machine not physically identical to the one the backup was performed on. FindIT code: ENTUPT
CertCities.com
Forcing Group Policy Application. Derek Melber on ensuring Group Policy configurations you set up stay that way. FindIT code: CCGPA
TCPmag.com
Q&A: Are You Experienced? Break into the networking field. FindIT code: SMExp

FindIT Codes
Throughout Redmond magazine, you’ll discover some stories contain FindIT codes. Key in those codes at Redmondmag.com to quickly access expanded content for the articles containing those codes. Just enter the code in the box at the top-right corner of any page on Redmondmag.com. Note that all FindIT codes are one word, and are not case sensitive.


Barney’s Rubble
Doug Barney

Linux (and the Mac) Aren’t Even Trying

Say what you will about Larry Ellison and Scott McNealy, when they tried to topple the Microsoft desktop monopoly with thin clients, they put their hearts into it. Like you, I got pretty sick of the speeches, grandstanding and pithy quotes, but at least they were out there mixing it up.

It ultimately didn’t work (Citrix owns the thin client space and they all run Windows!), but they gave it their best shot.

Today’s XP rivals consist of a dozen or more flavors of Linux clients, and the Mac. The programmers building Linux take it seriously—but none of the companies selling (or giving away) this stuff really seem to care about desktops and laptops.

Right now the Linux PC market is fragmented worse than a champagne glass at a Jewish wedding. Meanwhile, we’ve never been called by Apple asking us to review its latest machines (and the company never thanked me for a recent gushing editorial or two), nor is it telling us why Apple is such a great alternative for the enterprise. In love with its iPod success, the company barely seems to care about the Mac—unless it is to gain a couple of home market share points.

Linux is a newer entrant and its failure is more egregious. For more than a year I tried to put a major Linux exec on the cover. Every time I had something lined up with Novell, its leader would quit or get the boot. At least Novell gave us the time of day.

Red Hat is another story. For that same year I pestered the company seeking an interview with the CEO—with no response. I’ve never seen such a PR black hole. Finally, after calling his office directly, Red Hat got back to me, and in no uncertain terms told me that Linux at this point is not an alternative to Windows clients, and it isn’t competing with Microsoft in this space. Shocked? So was I! Linux is an alternative, if companies like Red Hat want it to be.

A unified Linux with easy installation, application support, and a decent array of drivers could be a worthy alternative—could. And Red Hat—more than anyone—could make this happen.

This is all pretty funny. Redmond magazine serves the Windows community, yet we’re interested in presenting alternatives to Microsoft. But the alternatives aren’t interested in presenting themselves! That’s why it’s easy to say they aren’t serious about competing with Microsoft.

In this market, if you play dead, you are dead. What do you think about the so-called alternatives to Microsoft? Tell me at [email protected].

See You in Orlando!
Later this month Redmond magazine will be in Orlando for our TechMentor conference. There’s still time to register at http://techmentorevents.com. If you show up, make me buy you a beer.

Redmond: THE INDEPENDENT VOICE OF THE MICROSOFT IT COMMUNITY
MARCH 2006 ■ VOL. 12 ■ NO. 3

Group Publisher, Redmond Media Group: Henry Allain
Editorial Director, Redmond Media Group: Doug Barney
Group Associate Publisher, Redmond Media Group: Matt N. Morollo
Editor in Chief: Doug Barney
Editor: Keith Ward
Executive Editor, Reviews: Lafe Low
Editor at Large: Michael Desmond
News Editor: Scott Bekker
Managing Editor, Web Editor: Wendy Gonchar
Editor, Redmondmag.com, CertCities.com: Becky Nagel
Editor, MCPmag.com: Michael Domingo
Editor, ENTmag.com: Scott Bekker
Associate Editor, Web: Dan Hong
Contributing Editors: Mary Jo Foley, Don Jones, Greg Shields, Joern Wettern
Art Director: Brad Zerbel
Senior Graphic Designer: Alan Tao
Director of Marketing: Michele Imgrund
Senior Web Developer: Rita Zurcher
Marketing Programs Associate: Videssa Djucich
Director of Print Production: Mary Ann Paniccia

Enabling Technology Professionals to Succeed
President & CEO: Jeffrey S. Klein
Executive VP & CFO: Stuart K. Coppens
Executive VP: Gordon Haight
Senior VP & General Counsel: Sheryl L. Katz
Senior VP, Human Resources: Michael J. Valenti

Redmondmag.com
The opinions expressed within the articles and other contents herein do not necessarily express those of the publisher.
Postmaster: Send address changes to Redmond, P.O. Box 2063, Skokie, IL 60076-9699


[email protected]

Stand Up
I’m stunned that Redmond’s advice to those threatened with software audits is to roll over for these thugs [“Software Raids: Surviving an Audit,” January 2006]. The BSA and SIIA are shakedown organizations, lacking the force of law. The proper response to such gross intrusions of privacy is to fight them tooth and nail. If the software audit blackshirts start harassing you, quickly move to open source software. Better to have an open source transition plan ready to go the moment a threatening letter appears in your mailbox, than to have to deal with the likes of the BSA and SIIA marauders. Make it as costly as possible for them to audit you, and ensure that you move to products whose vendors are respectful of the fact that violated customers don’t buy twice.
Micah B. Haber
Nashua, N.H.

Roundup Rebuttal
By reviewing an older version of Camtasia Studio (“Allow Me to Demonstrate,” February 2006), Redmond has done a disservice to its readers. They were led to believe that Mr. Jones was reviewing the latest version, when in fact he reviewed the 2003 version. The current edition of Camtasia Studio is significantly different.
This is a disservice to TechSmith, but much worse, to Redmond readers who look to the magazine as a resource for their purchasing decisions. If the reviewer had called TechSmith or visited the Web site, he would have learned about the current version. I look forward to seeing a review of Camtasia Studio 3.1 in your magazine so your readers can learn about its new features.
Troy Stein
TechSmith

Contributing Editor Don Jones responds:
I was very clear about which version I reviewed. I realize new versions of products are continually released, but publication deadlines are often far in advance of actual publication date and we can’t delay publication until every company involved has released their latest and greatest. The 3.1 version of Camtasia came out in January 2006. The Redmond Roundup had been in the works for months and came out in the February 2006 issue (the completion of which occurred in mid-January).
I’ve used Camtasia for several years and generally like it. I’ve produced about 14 hours of training videos with it and I understand it pretty well. Sometimes the ratings encompass things that aren’t easy to make clear in the text. For example, I felt Camtasia is indeed easy to use, but for tasks like adding annotations, editing annotations and modifying captured video, I felt Captivate was easier. Look for a follow-up review of the 3.1 version of Camtasia coming up on Redmondmag.com.

Every Rose Has Its Thorn
After reading the December 2005 column, “Rose-Colored Google Glasses,” by Doug Barney, I feel his portrayal of Google as a dime-a-dozen, Web-based Internet company is all wrong.
Although Open Office has next to no market share, it doesn’t mean that the programs are useless. For a small business that can’t afford steep license fees, it would truly be a great alternative. It’s also great to repair corrupt office documents. Open Office could very well be a threat to Microsoft Office if Google could implement it correctly.
Barney also claims “Google isn’t so much an innovator as it is an imitator.” I haven’t seen anything that has come out of the Microsoft machine that’s truly innovative for 10 years. Using “Microsoft” and “innovation” in the same sentence makes me nauseous. However, Google as a search engine was the first full-text search engine. I would categorize this as “an act of doing something different,” which is Barney’s definition of innovation. Seeing the reaction from Microsoft in response to anything that Google does is very entertaining, and downright pathetic.
Marc Read, MCP
Nevada, Iowa

Busted Stuff
[In reference to Barney’s Rubble, “A Tangled Web of Services,” January 2006] The reason for fatter clients is pretty obvious—disk space is a cheap commodity, and shows every sign of getting cheaper.
But, there are many vested interests limiting effective net bandwidth, and not a lot of real competition in most places. Oh sure, one day we’ll all be on fiber or secure 100GB wireless, but until then, best keep your valuable stuff on your pluggable USB drive.
Owen Gilmore
San Mateo, Calif.


Redmond Report, March 2006
INSIDE: Windows vulnerabilities sold on Russian black market. Page 12

Vista Security: Worth Paying For?
Why the latest version of Windows may not be as secure as you think.
BY MICHAEL DESMOND

Outgoing Microsoft executive Jim Allchin has been stumping hard for Windows Vista, as the much-anticipated client operating system enters its stretch run. By the time you read this, the nearly feature-complete beta 2 of Vista should be in testers’ hands. But while Vista offers a host of improvements over Windows XP—including the touted Aero Glass GUI—the most compelling reason to step up to Vista could be security, Allchin argues.

He has a point. Windows XP SP2 patched a lot of holes in the Windows foundation, but it clearly did not finish the job. Internet Explorer remains a busy route for infection, and Windows’ user privileges structure ignores that most basic tenet of security—thou shalt not run as root.

One look at the list of security-centric improvements in Vista, however, shows that Microsoft is working to plug the remaining holes. Among the changes:

Windows Service Hardening: Prevents compromised Windows services, which run silently in the background, from making changes to key file system or Registry settings.

Internet Explorer Protected Mode: IE7 will run on Windows XP, but under Vista it gains the benefit of “protected mode” operation, which denies the browser the right to change user settings or data.

Hardware Level Data Protection: The new BitLocker secure startup feature provides full volume encryption, locking up Windows system files and the hibernation file. Hardware hooks for the Trusted Platform Module (TPM) 1.2 chip should ease management.

Bi-directional Firewall: The Windows Firewall will finally assess and filter both inbound and outbound application traffic. The client firewall can be managed via Group Policy.

Network Access Protection: Once Windows Server “Longhorn” gets deployed, client-side agent software will enable servers to assess the security state of client systems and prohibit entry to those that fail.

Perhaps most important is User Account Control (UAC): It allows users with restricted system rights to enter a password and gain administrative privileges for a specific task, such as installing a device driver (see Figure 1). Today, such a task requires logging out of the limited rights account and logging back in as an administrator. No surprise, many users simply log on as administrators all the time and leave their PCs wide open to manipulation by uninvited malware. UAC finally applies a model that has been employed in the Linux world for years.

Figure 1. Making a change that requires admin privileges? You’ll be challenged to provide a password each time.

It’s an impressive list, but Gartner Inc. Vice President and Distinguished Analyst Neil MacDonald contends that it remains incomplete. While consumers and small businesses should be well-served, the new security tweaks fall short for most enterprises. MacDonald singles out service hardening, which prevents malware from hijacking background processes.

“Microsoft is late putting it into the operating system and they are only doing it for Windows services. It’s another one that’s a great step in the right direction, but if I want full functionality, I am going to look at a third-party product,” MacDonald says, citing Symantec’s Critical System Protection as an example.

He also voices concerns about gaps in features such as BitLocker full volume encryption, which can house keys on USB dongles. “The drawback is, if I stick those keys on the USB dongle, and I leave the dongle in the laptop … then I’ve just blown my protection,” says MacDonald, who wonders why the encryption won’t extend to devices like USB hard drives. “There are bits and pieces Microsoft is tackling here.”

Windows Vista could create new security concerns, as well. The powerful desktop search feature is a vast improvement over the clumsy facility in Windows XP. One possible enhancement is the ability to search on metadata keywords input by users. But MacDonald thinks the feature may compound a long-standing problem with Microsoft Office and other files.

“The issue is the inadvertent disclosure of metadata,” MacDonald says. “Now you can take a file and add even more metadata to it, and you have layers of metadata as it were.”

Microsoft has released client-side tools for Office that let users strip metadata


such as author names, company data, and hidden revision marks from documents, but no such tool has been announced for metadata applied to files within Windows Vista. And the lack of a managed solution—such as a metadata scrubber at the gateway—means IT managers could face another hard-to-manage conduit for information leakage.

“It’s a problem now and Vista’s features only make it worse,” says Philip Boutros, chief technology officer of Bitform Technology, a firm that specializes in scrubbing metadata from documents. “There are client side products, but they create no defense in depth and there is no global management. There is no commercial server side solution that I know about.”

Windows Vista brings important and effective improvements to Windows security. The question is, are those enhancements really compelling enough to prompt a switch?

“It’ll raise the bar. But again, I don’t think people will race out and buy Vista,” says MacDonald. “We got a lot of the goodness in XP SP2, in terms of security.”

Next Chapter Opens for Open Formats
Massachusetts reaffirms its open format vision with new CIO.
BY MICHAEL DESMOND

When former Massachusetts CIO Peter Quinn resigned his post on Jan. 9, it looked like the months-long effort to require open, standards-based file formats in state government might fail. The initiative has drawn strong opposition from Microsoft, which has thousands of copies of Microsoft Office installed on systems in the state government.

In his resignation letter, Quinn cited political pressure and difficult working conditions created by the high-stakes standoff. The conflict hit a low point last Nov. 26, when The Boston Globe published a front-page article detailing a state investigation into improperly managed travel by the CIO. Those allegations were quickly discredited—Quinn’s manager Eric Kriss approved all the travel—but the damage was done.

Now it appears the format push could get a second wind, with the appointment of Louis Gutierrez as CIO of the Information Technology Division (ITD) on Feb. 6. A statement released by Massachusetts Administration and Finance Secretary Thomas Trimarco specifically notes that “Gutierrez will be responsible for overseeing the final stages of implementation of the state’s new Open Document format proposal, to go into effect in January 2007.”

But even if the state mandates standards-based file formats, it doesn’t mean Microsoft’s goose is cooked. In January, Trimarco’s office lauded an announcement that Microsoft would submit its XML-based Office schema to standards body Ecma International.

“If Microsoft follows through as planned, we are optimistic that Office Open XML will meet our new standards for acceptable open formats,” Trimarco said in a statement.

In short, we could end up where we started—with Microsoft Office firmly ensconced on tens of thousands of government PCs in Massachusetts.

By the Numbers
Critical Patch Intervals Increase

Microsoft almost indisputably spends more money, time and effort on security than any other company. That’s not really a compliment, however—if its products weren’t so laden with security holes, the company wouldn’t have to dedicate so many resources to the issue.

However, all that attention hasn’t shortened the cycle between a critical vulnerability being found in one of its products and a patch being released for that vulnerability. Washingtonpost.com IT security reporter Brian Krebs recently did some digging and found that the “critical vulnerability/patch” cycle actually takes longer than it did several years ago.

Year    Number of Critical Patches    Average No. of Days from Report to Patch
2003    33                            90
2004    29                            134
2005    37                            133

Stephen Toulouse, a security program manager at Microsoft, verified the figures. He told Krebs that the longer cycle starting in 2004 is likely due to extra diligence on Microsoft’s part, making sure the patches work across the breadth of the network, and that they don’t break anything else.

It’s also worth noting that there hasn’t been an appreciable rise in critical vulnerabilities in the last three years (a “critical” vulnerability is generally regarded as one that will give a successful attacker full control of a system). Krebs’ article can be found at http://tinyurl.com/8un7f.
— KEITH WARD


RedmondReport

Windows Vulnerabilities for Sale
Hackers sold the WMF zero-day exploit for as much as $4,000 on Russian black market Web sites.

BY MICHAEL DESMOND

When the WMF zero-day exploit emerged for a previously unknown Windows flaw, it prompted a lot of concern. After all, the lack of advance warning meant that PC owners were unable to harden their PCs against the attack. That concern took on a new tenor when researchers at Kaspersky Lab discovered that hackers had been selling the exploit on the black market for as much as $4,000.

For Shane Coursen, senior technology consultant for Kaspersky, the discovery is part of a larger trend. “We really started seeing [this activity] ramp up early last year. To somebody in our field, it comes as no surprise whatsoever.”

According to Kaspersky spokesperson Derek Lyons, hackers in Russia started working in early December to develop an exploit against a flaw in the graphics handling engine of Windows. Within a week or so, the group crafted WMF files that would allow code to execute on Windows PCs. The exploit turned up for sale from at least two different groups around the middle of December.

Security firm F-Secure reported the existence of the WMF exploit on Dec. 27. Microsoft produced a patch for the flaw on Jan. 5, a few days ahead of the scheduled Patch Tuesday release.

The timeline underscores an undeniable trend in malware activity. “What these guys are doing is writing these little programs to be used for little more than Internet crime and financial gain,” Coursen says.

Spyware and adware companies tap the secretive market for black-market malware to spread their wares, Coursen says. The WMF exploit, for instance, was used to install a variety of spyware packages, including one that posed as anti-virus software. The demand makes for a thriving black market in code exploits.

“These adware companies are hiring professional programmers to write programs that are able to bypass security measures, and they are paying pretty top dollar for their skills,” says Coursen, who calls the $4,000 price tag for the WMF exploit “a steal.”

Microsoft is striving to combat the issue with initiatives like Trustworthy Computing and the Secure Development Lifecycle (SDL), which employs rigorous security planning and review in the code design process. The goal is to eliminate flaws such as the one exploited by the WMF malware.

Coursen lauds the Microsoft effort, but he’s not getting his expectations up. “I think we can look forward to less exploitable code, but something that is completely unexploitable? No, we’ll never see that.”

Microsoft Banishes Beta
Smaller, faster Vista test cycles already improving feedback.

BY MICHAEL DESMOND

Microsoft has changed the way it delivers pre-release versions of Windows Vista to testers. Rather than ship occasional beta versions for review, the company has opted for more frequent test releases under the Community Technology Preview (CTP) Program. In effect, the switch breaks large beta releases into a series of smaller CTP releases.

“Our partners and customers requested regular access to builds so that they can more frequently test the code,” says Michael Burk, product manager for the Windows Client Division at Microsoft.

Microsoft has employed a CTP program before, for instance in the run up to SQL Server and Visual Studio 2005. The up-tempo testing is working with Vista—Burk says the last Vista CTP produced “double the amount of feedback” compared to that from the beta 1 release.

A feature-complete CTP release in February corresponded to the planned release of Vista Beta 2. From that point forward, Microsoft plans to eliminate full beta and release candidate milestones. It’s quite possible future product launches could adopt the same methodology.

“The development goals and needs of every team at Microsoft are different,” Burk says. “But we’ve seen evidence that more frequent releases of code can lead to better end results, so it’s likely that CTPs or similar programs will be used more often.”

ProductReview

Kill Two Birds with One Stone
NetChk Protect combines the functionality of Shavlik’s patching and anti-spyware tools in a single console.

NetChk Protect
Pricing starts at $35 per set
Shavlik Technologies LLC
800-690-6911
www.shavlik.com

REDMONDRATING
Documentation (15%): 8
Installation (10%): 9
Feature Set (35%): 9
Performance (30%): 8
Management (10%): 9
Overall Rating: 8.5
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

BY CHAD TODD

There are two ongoing and inescapable tasks that any network administrator must face—patch management and spyware prevention. Both are as essential as they are incessant.

If you aren’t diligent about applying software updates, you open your network to security vulnerabilities on out-of-date machines. Waiting a few months to patch a machine can mean the difference between being hacked and being secure. Last year, Gartner Inc. predicted that 90 percent of all Internet attacks during 2005 would be against previously patched security holes.

You could set your machines to automatically install all updates from the Windows update site, but that may cause more problems than it solves. This approach doesn’t allow for testing, which is essential—especially in larger environments. It’s one thing to have a “bad” patch take down 20 users. It’s quite another when that same patch takes down 2,000 users. A tool that automates patch management and facilitates testing is a must.

Keeping a diligent eye on spyware is just as critical as timely patch management. Spyware that sneaks onto your systems can gather personal information about your users’ Internet habits, and relay that to advertisers who bombard them with targeted pop-up ads. It can also kill productivity due to computer instability and unbearably slow network performance.

Most anti-spyware products manage one machine at a time. You install the client and configure locally on each machine, then check in continually to make sure updates and scans are occurring as they should. Managing spyware this way will work, but it’s inefficient to say the least. In larger environments, it’s virtually impossible. Shavlik’s NetChk Protect gives you a central console with which to manage both patching and spyware prevention for all of your machines.

Patch Management
NetChk Protect works simply and automatically. It will scan your Windows-based machines and determine their patch status. Then it generates a status report for each machine, which can be sent to you automatically via e-mail notifications.

Once you know which patches need to be applied, you can push them out immediately or schedule them for later—during the evening or weekends. After patches are applied, you can reboot your machines automatically or manually.

NetChk Protect uses XML and cabinet (CAB) files maintained by Microsoft to determine the patch state of a machine. It compares the file versions on the computer it’s scanning with the XML file versions. Depending on the type of scan being performed (quick scan or full scan), it may also compare the file checksums.

NetChk Protect copies all patches to the target machines and uses Microsoft’s Qchain.exe to install them all at once. This lets it deploy all patches with only one reboot. All scanning and patching takes place behind the scenes. The only thing your users will notice is whether or not a reboot is required.

The software offers four levels of patching, depending on which version you select:
• NetChk Patch, Basic Edition: This supports up to 500 machines, provides limited reporting and can run up to 13 different scanning threads at once.
• NetChk Patch, Audit Edition: This provides all of the functionality of NetChk Patch, Basic Edition. It supports an unlimited number of machines, provides more robust reporting and can run up to 256 different scanning threads at once.
• HFNetChkPro: This provides all of the functionality of NetChk Patch, Audit Edition. It supports the SafeReboot feature, gives you access to different schedulers, auto-deployment features and pre- and post-installation scripts. You can export reports in a number of different formats.
• HFNetChkPro Plus: This provides all of the functionality of HFNetChkPro. It also lets you deploy custom patches, supports a Microsoft SQL database for storing those patches and can preserve bandwidth over WAN links by using distribution servers.

Spyware Scanning
You have two general options to scan for spyware with NetChk Protect—console-based scans and machine-based scans. Console-based scans run over the network from the console machine. This can cause a lot of network traffic, but it works without having to copy anything to the target machine. A machine-based scan copies an instance of the spyware scan engine to the target machine and runs the scan “locally.” This improves the scan speed, as each machine is responsible for running its own scan. Machine-based scans also dramatically reduce network traffic.

NetChk Protect identifies and categorizes instances of spyware based on its perceived level of threat. The software will kill any destructive or invasive processes associated with the spyware. It then deletes all associated files, folders and registry data. You can also have the suspected spyware files quarantined in a secure area if you wish to inspect them later. This also provides rollback functionality. If a necessary program or file is inadvertently removed, you can easily restore it from the quarantine area. Removing spyware may or may not require that you reboot the target machine, but if so you can do it manually or automatically.

The interface for NetChk Protect is very straightforward and easy to navigate. For example, first it will ask you what you want to scan. After completing the scan, it displays a summary report of what it found. Click on details and then right click on the machine, group or domain that you want to patch and choose “Deploy patches.” You can select to deploy all patches or certain patches based on their criticality level. At this point all of the patches are pushed to the selected machines.

Simplified Scanning
Whether scanning for patch status or spyware, you can scan computers by name, IP address, domain name or Active Directory Organizational Unit (OU) structure (see Figure 1). You can also create machine groups and target your scans toward these groups. This lets you establish a test group for safely and securely testing patches before rolling them out to your entire network.

Figure 1. From the NetChk Protect console, you can choose which machines to scan and whether you want to scan for spyware or patch status.

NetChk Protect supports network scanning of the following clients:
• Windows NT 4.0
• Windows 2000
• Windows XP (although you’ll have to disable simple file sharing for the scan to work properly)
• Windows Server 2003

To scan a machine—any machine—you’ll need administrative rights to that machine (which shouldn’t be a problem). You’ll also have to start the Server service and the Remote Registry service, and enable file and print sharing. Finally, you’ll need access to the remote machine over TCP ports 139 and 445, and the %systemroot% share (i.e. C$) must be accessible.

Installing NetChk Protect is a breeze. If your system doesn’t have all the requisite software components, it will automatically download and install the missing pieces during setup. The readme file says that you won’t have to reboot after installation, but I was prompted to reboot my laptop after installing NetChk Protect. It’s always a good idea to do so anyway.

When I first started using NetChk Protect, I thought I might be doing something wrong because using it was so easy. Within an hour of installing the software, I had already scanned all eight of my machines for spyware and missing patches and deployed all the up-to-date patches.

I was also pleasantly surprised to learn that NetChk supports updates for more than just Microsoft products. In my testing, I was able to update my Adobe Reader and RealPlayer software as well.

NetChk Protect does a great job of keeping your machines clean of spyware and up to date with the latest patches. If you’re responsible for patch management and spyware control for your network, you owe it to yourself to give it a try.

Chad Todd, MCSE:Messaging, MCSE:Security, MCT, CEH, is the co-owner of Training Concepts (www.trainingconcepts.com), which specializes in Windows, Exchange, ISA and Cisco training and consulting. You can reach him at [email protected].
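The file-version and checksum comparison that the review's Patch Management section describes can be sketched as follows. This is an added example, not Shavlik's code and not the format of Microsoft's XML patch data: the manifest layout, patch IDs, paths, versions and file contents are all constructed, and SHA-256 stands in for whatever checksum the product uses.

```python
import hashlib
import xml.etree.ElementTree as ET


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_version(text):
    """'5.1.2600.1106' -> (5, 1, 2600, 1106) so fields compare numerically."""
    return tuple(int(part) for part in text.split("."))


# Constructed reference data: path -> (patched version, patched file content).
REFERENCE = {
    r"c:\windows\system32\alpha.dll": ("5.1.2600.1106", b"alpha build 1106"),
    r"c:\windows\system32\beta.dll": ("6.0.2900.2180", b"beta build 2180"),
    r"c:\windows\system32\gamma.dll": ("1.0.0.5", b"gamma build 5"),
}


def build_manifest():
    """Build the constructed XML manifest (hypothetical schema) to scan against."""
    root = ET.Element("patchdata")
    for n, (path, (version, content)) in enumerate(REFERENCE.items(), start=1):
        patch = ET.SubElement(root, "patch", id=f"EXAMPLE-{n:03d}")
        ET.SubElement(patch, "file", path=path, version=version,
                      sha256=sha256_hex(content))
    return ET.tostring(root, encoding="unicode")


# Constructed inventory of one scanned machine.
INVENTORY = {
    # Older build: "180" sorts after "1106" as text, but 180 < 1106 as a number.
    r"c:\windows\system32\alpha.dll": {
        "version": "5.1.2600.180", "content": b"alpha build 180"},
    # Version matches the patched build, but the bytes on disk differ.
    r"c:\windows\system32\beta.dll": {
        "version": "6.0.2900.2180", "content": b"beta build 2180 (modified)"},
    # Newer than the manifest entry, for example replaced by a later update.
    r"c:\windows\system32\gamma.dll": {
        "version": "1.0.0.7", "content": b"gamma build 7"},
}


def scan(inventory, manifest_xml, full=False):
    """Return {patch_id: 'installed' | 'missing' | 'checksum-mismatch'}.

    A quick scan compares file versions only. A full scan also compares the
    checksum whenever the file is exactly the build listed in the manifest.
    """
    results = {}
    for patch in ET.fromstring(manifest_xml).findall("patch"):
        status = "installed"
        for spec in patch.findall("file"):
            found = inventory.get(spec.get("path").lower())
            wanted = parse_version(spec.get("version"))
            if found is None or parse_version(found["version"]) < wanted:
                status = "missing"
                break
            same_build = parse_version(found["version"]) == wanted
            if (full and same_build
                    and sha256_hex(found["content"]) != spec.get("sha256")):
                status = "checksum-mismatch"
        results[patch.get("id")] = status
    return results


if __name__ == "__main__":
    manifest = build_manifest()
    print("quick:", scan(INVENTORY, manifest))
    print("full: ", scan(INVENTORY, manifest, full=True))
```

The quick scan reports EXAMPLE-002 as installed because the version matches; only the full scan's checksum comparison shows that the file on disk is not the reference build.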


ProductReview

Schedule Jobs the Easy Way
The latest version of SmartBatch helps you centralize and streamline Windows job scheduling.

SmartBatch 2006
Standard Edition: $695 per single- or dual-processor computer, $295 for each additional processor
Enterprise Edition: $1,295 per single- or dual-processor computer, $495 for each additional processor
Remote agent: $595 per computer
Online ToolWorks Corp.
503-297-0609
www.onlinetoolworks.com

REDMONDRATING
Documentation (15%): 10
Installation (10%): 10
Feature Set (35%): 9
Performance (30%): 8
Management (10%): 9
Overall Rating: 9
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

BY BILL HELDMAN

There’s an endless array of jobs you must run to manage today’s intricate, multi-platform environments. You might have one batch file that routinely deletes temp. files from your servers, another that periodically extracts data from a mainframe, and a script file that performs a whole series of complex tasks.

Most of these jobs connect to a host of different systems, manage just about every type of file, run on a variety of schedules and have all sorts of outcomes. So how do you rope all these activities into a single framework that you can easily manage from a central location? That’s where SmartBatch 2006 comes in.

Getting Started
The folks at OnlineToolWorks clearly get what it means to be a busy Windows administrator. They know the things you’ll need and—just as important—the things you don’t need. There is a “quick-up-and-running” sensibility built into SmartBatch. The installation process is simple. You can be fully functional in virtually no time. It comes in a Standard and Enterprise edition. The primary difference between the two is that the Enterprise edition supports agent-based operations across your entire fleet of servers.

SmartBatch has an eloquent interface (see Figure 1). It’s easy to understand and navigate and still comes with plenty of tutorial screens to help you along the way. I particularly liked the SmartBatch multimedia overview because it lets you watch the keystrokes required to assemble your jobs into a cohesive group.

Figure 1. The SmartBatch interface is easy to navigate and includes plenty of options for specifying job parameters.

SmartBatch doesn’t help you craft your own batch files or scripts. The assumption is that you’ve already done that work up front. When you have assembled a collection of pre-scripted tasks that you’re ready to run, SmartBatch helps you generate numerous different schedules and tie them to your job scheduling operations.

The idea is relatively straightforward: First you create your computer groups and schedules. Then set up your operations—these are the batch files, scripts or programs you need to run. Next, you’ll want to group similar operations into a single step. Then group multiple steps into a single job. When you’re finished, you’ll have multiple jobs running, all working from different calendars, and configured to notify you or another designee (the Enterprise edition has different user designations that allow for more granular security control) of operational status.

Scheduling Routine
Suppose you want to free up disk space on your file servers by periodically purging unnecessary files and unused data. The data sits on three different computers, and you have a variety of user and database files occupying the space on those servers. Here’s how you might work out a SmartBatch job scheduling routine (note that you’ll need the Enterprise Edition of SmartBatch 2006 and a remote agent for each computer):
• Create a group that includes the computers on which you need to work.
• Create a calendar with the days and times you want to run your jobs.
• Set up each operation (see Figure 2) so it initiates a single maneuver you wish to perform. For this example, I call a command window and pass in the command to delete all temp files from the volume’s C drive.
• You’ll need a second operation to purge the D drive. You could also create a batch file with the necessary commands and call it from the operation instead.
• Create an operation that calls stored procedure(s) to groom your database files.
• Once all operations are in place, link them together as steps.
• Create a job that ropes in all your file-server grooming steps.
• Repeat the process for other automation operations.
• Assign an operator to monitor your jobs and select notification options.

Figure 2. The operational schedules and procedures set the parameters within which your jobs will run.

You can perform the same operations on either a computer group or a single computer, especially when it’s a globally applicable operation. For example, you could do the above temp file delete operation on a pre-defined group because it’s almost a given that every computer has a C drive with .TMP files to delete.

Showstoppers
With the SmartBatch Standard Edition, the idea is that you’re only going to use it on the machine upon which it is installed. With the Enterprise Edition, you get extensibility, which lets you run SmartBatch operations on multiple computers, each of which has to have an agent installed.

If there are any showstoppers or problems with SmartBatch, it is the agent issue. Many administrators are hesitant to install an agent component on a server because it may introduce new problems. Agentless management software is often weak in the knees, so I can see why OnlineToolWorks felt it could only provide sufficient performance by using onboard agents.

The Enterprise Edition also lets you use SQL Server as the database for the SmartBatch job scheduling data. However, by default, both the Standard and Enterprise editions use MSDE, which is a huge plus.

Both editions of SmartBatch support notification, native Windows and Web administration interfaces, dependencies, error recovery, .NET programming interfaces, and a “Runbook”—a place where you can detail instructions for the folks who will run and troubleshoot the jobs you’ve established. This last element is a very mainframe-like capability to carefully monitor your operations. The Enterprise edition includes a Diagram View (similar to Microsoft Operations Manager), fault-tolerance and load-balancing, as well as remote agents.

Finding Free Time
If you’re an administrator grappling with numerous job-scheduling operations—whether they’re scripts, batch files or executables—SmartBatch can be a big help. The simplicity and centralization is well worth the price of admission. With careful planning and attention to detail, you can set up a job-scheduling environment that will free up your time for more important tasks.

If you’re just beginning to use batch files and scripts to lasso in those infernal manual operations, get them ready and then try SmartBatch. It was designed and written by a long-time Microsoft-friendly company that truly understands the needs of Windows administrators.

Bill Heldman is an instructor at Warren Tech, a career and technical high school in Lakewood, Colo. He is a contributor to Redmond and several other technology publications. He has also authored several books for Sybex, including the CompTIA IT Project+ Study Guide. Reach him at [email protected].


ProductReview

Manage the Forest and the Trees
Administer your entire Active Directory domain from one location.

Active Administrator 4.0
$12 per user
ScriptLogic Corp.
561-886-2400
www.scriptlogic.com

REDMONDRATING
Documentation (20%): 9
Installation (20%): 9
Feature Set (20%): 8
Performance (20%): 8
Management (20%): 9
Overall Rating: 8.6
Key: 1: Virtually inoperable or nonexistent; 5: Average, performs adequately; 10: Exceptional

BY RICK A. BUTLER

While the tools that come with Windows Server work just fine for most Active Directory management tasks, they aren’t really set up to manage your entire enterprise from a single spot. You have to at least connect to a domain and look at its properties or connect to a local system to see the GPO. You don’t really have a clean interface for all-encompassing GPO management right out of the box. Usually, you have to customize the Microsoft Management Console to build an interface that pulls in the entire forest.

Active Administrator easily fills that gap by taking a top-down approach to administering your entire AD domain. ScriptLogic has taken some major steps forward with the 4.0 release of Active Administrator, which is poised to be a solid enterprise AD management tool. (You can read the review of Active Administrator 3.0 in the November 2003 review archives at Redmondmag.com.)

The new version has a host of improvements. My personal favorite on the new feature list is AD Object Restore. If you’ve ever done something as boneheaded as wiping out the CEO’s user account or blowing away an entire organization unit (OU), you will love this one as much as I do. AD doesn’t have any sort of object level recovery to fix this problem, and as you know, you can’t just recreate an object or objects you’ve accidentally deleted. If you’ve found yourself in this situation, you know it usually meant making the walk of shame to the tape vault.

After finding the correct backup tape, you’d have to restore a domain controller and do an authoritative restore in Directory Services Restore Mode (DSRM)—all the while praying there haven’t been many changes to AD since your inadvertent delete.

With Object Restore, you can easily restore a single object in AD—whether a single account or an entire OU—without the usual madness. Life hasn’t been this good since single mailbox restores in Exchange.

Figure 1. Active Administrator’s Object Restore window lets you specify object and attributes to restore.

Active Management
Active Administrator 3.0 introduced Active Templates as a means of delegating and managing the permission levels in AD—without providing unnecessary privileges. These templates are really cool if you absolutely need to know who has what level of permission. You can create a template defined by permissions. Users are assigned roles based on an AD task, so you can do things like provide users “almost” administrative access to their machine or give junior administrative rights to a help desk technician. The Active Templates let you provide the right amount of access your users need to get their jobs done without providing too much access. If you need to customize the templates for specific tasks and permissions, you can certainly do that as well.

In version 4.0, these templates are actually self-healing, using a service that fixes anomalies within the templates. If a setting were changed in the policy, a service in Active Administrator would revert that setting back to how it was originally specified in the template. It would also alert you to the change.

This is a cool upgrade from Active Administrator 3.0, where you would have to review your templates regularly to ensure compliance.

In short, when you set role-based user security to a specific standard, it stays that way. With some GPO settings, a savvy user can make certain changes to the GPO, whether or not he is authorized to do so by IT management. Active Administrator keeps the settings as specified in the template.

Auditing Made Easy
If you have to monitor AD security and you have multiple domain controllers, you have to visit each DC and scroll through each log to find the events you’re hoping aren’t there. Active Administrator’s AD Auditing (which has been part of Active Administrator since version 3.0) is cool because you can now check these event logs from one location.

You can also configure the logs to send alerts for certain events. For example, if one of your administrators on the other side of the country goes messing around with your “Computer’s” container or users, you’ll know about it right away—not after something has already gone wrong.

Get a Handle on GPOs
Active Administrator gives you easy access to solid GPO management features. You can look at each policy in your forest, figure out where it’s linked, review statistical information, copy to another domain and adjust it accordingly.

It also keeps a historical record of your GPOs so you’ll know who changed what and when those changes were made. If any change you make doesn’t work out the way you or one of your admins had intended, just roll it back.

Figure 2. In the Group Policy Offline Repository, you can select, edit and report on GPOs.

Another of Active Administrator 4.0’s new features that applies specifically to GPO management is the Offline Repository. If you frequently have to change your GPOs, this repository is very helpful because you can isolate your GPO, make your changes offline without affecting your production environment and publish it back when you’re ready for it to go live.

The Offline Repository also has a check-in/check-out management structure that lets you control who’s authorized to make changes and how frequently they can do so, should you have multiple administrators managing GPOs. There’s even a nifty reporting tool you can use for review or to produce a maintenance record book (for you old school techies out there).

I like this tool and I think ScriptLogic did well with the additions and enhancements to the 4.0 release. Active Administrator is simple to get up and running and easy to use. If you need some serious configuration management for your AD forest, you’d do well to consider it.

Rick A. Butler, MCSE+I, is the Director of Information Services for the United States Hang Gliding Association. You can reach him when he lands at mcpma-[email protected].


BetaMan
Don Jones

Windows Goes High Performance

Windows Compute Cluster Server 2003
Version Reviewed: Beta 2
Current Status: Beta
Expected Release: 2006

BETAMAN’S ROUTINE DISCLAIMER
The software described here is incomplete and still under development; expect it to change before its final release—and hope it changes for the better.

What was once old is new again. High-performance computing (HPC) has returned as one of the biggest trends in computing—with a big difference. Back in the day (the early 1990s) you could drop $40 million on a Cray Y-MP supercomputer.

Now, thanks to cheap, off-the-shelf components (COTS), new Intel- and AMD-based HPC servers make sense from both a financial and technological perspective. For example, you can pick up a four-way, 2.2GHz AMD Athlon64 server with 4GB of RAM for about $4,000. As far as the technology goes, the point of HPC these days is to rely less on a single massive machine and more on compute clusters—groups of interconnected machines that divide the workload among themselves.

In fact, universities and research institutions have been using Linux-based supercomputing clusters for years. The Beowulf Project (www.beowulf.org) can give you some guidance on building clusters of Linux-based servers.

It’s little wonder that Microsoft is looking for a piece of the HPC action. I got a good look at Windows Compute Cluster Server 2003 (CCS2003) at a recent Microsoft briefing. Remember that the “C” in COTS stands for cheap. CCS2003 (which is based on Windows Server 2003, hence the name) will actually cost less per socket than other editions of Windows. This won’t be a bargain-basement version of Windows, however. It’s being put together specifically to address HPC concerns.

As a result, you won’t be able to install this special version of Windows on any computer that isn’t part of a dedicated computational cluster. It’s also only available in an x64 edition—the theory being that nobody would want to build a computational cluster out of legacy 32-bit hardware.

What Is a Compute Cluster?
A compute cluster is a single-head node that accepts computing jobs and distributes the workload across at least two attached nodes. CCS2003 won’t support high availability for the head node, so make sure it’s already running on highly available hardware. This is the brains of your HPC operation, so it has to stay up.

You can have as many attached compute nodes as you can afford. As we’ve learned from distributed computing projects like SETI@home (which is an excellent real-world example of how you would use a compute cluster), the more compute nodes, the merrier.

To avoid bottlenecks that can limit the number of nodes in your compute cluster, you’ll want to use switched gigabit Ethernet as a minimum—a 10 gigabit Ethernet or Myrinet network is even better. CCS2003 includes Windows Sockets Direct Interface, which is specifically designed to take advantage of these types of high-speed connections.

You’ll have to tune your applications to run on a cluster. To give you an idea of the old-school, hardcore nature of this type of computing, look at the programming languages that CCS2003’s components support out of the box: Fortran77, Fortran90 and C. Yikes. Configure the system to submit applications to the cluster’s scheduler on the head node, and to run completely unattended using only data files (and not keyboard commands or mouse clicks) for input.

You’ll also have to be fluent in several new acronyms if you’re going to set up a compute cluster. MPI (Message Passing Interface) is an industry-standard application programming interface designed for rapid data exchange between compute nodes in HPC environments. Microsoft’s MPI (MSMPI) is a version of the Argonne National Labs Open Source MPI2 implementation that supports more than 160 function calls. Applications submitted to CCS2003’s job scheduler need to support this.

As you might expect, CCS2003 makes heavy use of Microsoft’s infrastructure components. For example, all nodes have to belong to the same Active Directory domain so you can manage them as a unit and share security information.

What It Isn’t
CCS2003 is not the same kind of clustering as Windows Cluster Service. While CCS2003 is designed to have several computers interconnected, those computers work together to solve computationally intensive problems, rather than provide failover or fault tolerance. You won’t run Exchange Server on CCS2003. In fact, unless you have some heavy-duty number crunching to do, CCS2003 probably isn’t for you.

The thought of deploying and managing a dozen or so compute nodes sends a chill down my spine, and not just because the data center housing them is going to need heavy-duty air conditioning to avoid a meltdown. In an era when everyone’s downsizing the data center, CCS2003 heads in the opposite direction.

Microsoft feels your pain. CCS2003 includes a command-line interface to help you to create and submit jobs.

so deployment to bare-metal machines is easier (CCS2003 includes RIS). Standard backup and restore techniques apply, so whatever you’re already using should work fine. Of course, the usual MMC snap-ins will let you control the entire cluster. The setup process for Compute Cluster is also straightforward, using a standard Wizard-based interface.

CCS2003 loves networks and wants to connect to as many as possible. A private network for administrative traffic, the MSMPI network for exchanging cluster communications and data, and a public network like your corporate intranet.

and Microsoft Operations Manager (MOM) get into the compute cluster’s head node for management purposes. So you could have each CCS2003 machine connected to as many as three networks at once.

Too Much Horsepower?
Unless you have to do some serious number crunching, such as simulating nuclear explosions, modeling fluid dynamics or assessing potential oil deposits, CCS2003 may not be for you. Still, CCS2003 makes HPC accessible to organizations that never would have considered it before.

Don Jones is a contributing editor for Redmond and the owner of ScriptingAnswers.com, a Web site for automating Windows administration. His most recent
book is Windows Administrator’s You can use Remote Installation Ser- This last conduit also lets applications Automation Toolkit (Microsoft Press). vices (RIS) to deploy compute nodes, like Systems Management Server (SMS) Reach him at [email protected]. MS SQL Server security requirements giving you a headache? DB Audit Expert addresses key MS SQL Server security concerns that include database security and vulnerabilities assessment, database access and user activity auditing, business and regulatory compliance. DB Activity Tracking • Data-Change Tracking • Multiple Auditing Methods • Centralized Control • Real-time Alerts Audit Trail Monitoring and Alerting • Robust Reporting Audit Storage Performance Management Protect Your MS SQL Data without the headaches!


YourTurn
Redmond’s readers test drive the latest products.

BizTalk Server: Getting Better All the Time
Users say Microsoft BizTalk Server 2004—and the 2006 version—significantly ease enterprise application integration.

BY JOANNE CUMMINGS

When it comes to enterprise application integration (EAI), Microsoft’s BizTalk Server is tough to beat. For most Windows shops, its ease-of-use, resiliency and performance are giving even Web services a run for its integration money.

In some cases, BizTalk can also be easier and less expensive to implement than Web services. Erickson Retirement Communities in Baltimore, Md., used BizTalk Server 2004 to build a system that integrates 10 separate applications to create a resident demographic management system (DMS). David Clausen, systems architect at the company, and his colleagues ultimately determined that they wouldn’t have been able to create a Web service for all their systems on time and within budget. BizTalk was equipped with the level of integration functionality they needed to get up and running quickly. For example, it could already communicate with flat files, FTP and HL7 (Health Level 7—a health care networking protocol).

Microsoft BizTalk Server 2004
Enterprise Edition: $24,999 per processor
Standard Edition: $6,999 per processor
Microsoft Corp.
800-426-9400
www.microsoft.com

Others still consider Web services the easier option for both development and management, but that’s not always the case. Most users can build something relatively quickly, but they often haven’t thought through the problems of maintaining a Web service to ensure its continued resiliency and performance.

That’s frequently the case with Jonathan Summers’ clients, who often express an initial preference for Web services. “For them, it’s a speed to market issue,” says Summers, enterprise architect at Software Architects, a consulting firm in Dallas. After thinking about building that level of core functionality into a Web service with limited management capabilities, they often opt for BizTalk. “After some consideration,” he says, “the conversation will shift to BizTalk.”

Vertically Challenged
Microsoft has a variety of BizTalk vertical accelerators ready to support numerous industries, like retail, financial services and healthcare. These accelerators are intended to ease integration with applications that adhere to industry-specific protocols.

BizTalk’s HL7 support sold Clausen and his colleagues at Erickson Retirement Communities. “That was really the key for us,” Clausen says, adding that his company spent $70,000 in software and hardware on its BizTalk implementation. He says it was money well spent.

Before deploying BizTalk, says Clausen, integrating with an HL7 application meant writing code from scratch and parsing out complex protocols. The HL7 accelerator treats the entire protocol as XML schemas, and lets Clausen use the BizTalk map to convert outgoing data to HL7. Then he configures the map and accelerators to convert incoming data to whichever format he requires for his internal structure and database. “It really streamlined the whole process,” he says.

Using BizTalk and the vertical accelerators as integration points also helps tie in key business processes, Clausen says. For example, Erickson’s DMS, based on BizTalk Server 2004, now includes an “eventing” system whereby any constituent system can post an “event” and make that information available in real time to any other integrated system.

When DMS receives a new resident, for example, it publishes an event. That becomes a message in the BizTalk Message Engine, explains Joe Schneebaum, senior software engineer at Erickson. There are about four other applications that subscribe to that event, he says, because new residents need immediate access to certain services when they move in. “The residents need to be able to get fed in our dining halls, request a shuttle to the mall and so on,” he says.

Before Erickson started using BizTalk, it took a day or so for the IT staff to ensure that each system had access to the proper data when a resident arrived. The real-time “eventing” system helps them ensure that an incoming new resident’s data is populated throughout its systems almost immediately. “Within one minute of becoming a resident,” Schneebaum says, “you can eat your first meal here.”


Power at a Price
While BizTalk scores high on the application and process integration scale, that comes at a price. BizTalk’s installation, configuration and deployment mechanisms can be cumbersome, time-consuming and unforgiving, say Clausen and other BizTalk users.

Software Architects’ Summers points to the need to properly configure accounts and accurately establish database permissions—and to get it right the first time. “If you get anything wrong, the whole thing gets rolled back,” he says. “The product doesn’t make many allowances for errors.”

Others have had a similar experience during deployment. “BizTalk is a nightmare to deploy,” says Yitzhak Khabinsky, software architect at Odimo Inc., an online retailer based in Sunrise, Fla. He uses BizTalk 2004 to integrate with applications from Odimo’s trading partners, such as MSN, Amazon, Yahoo! and Google. He says BizTalk requires a multi-step manual deployment process.

Configuration and deployment does go faster with practice, others say. The BizTalk 2004 configuration and setup guide is a very specific three-page document. “You have to follow it exactly,” says Erickson’s Schneebaum. He eventually had to supplement the process with his own steps customized for his organization. In his three-tiered infrastructure that includes development, test and production environments, he claims he can wipe it out and rebuild it within an hour.

For a product with such a convoluted configuration and deployment process, users say, the documentation is fairly sparse. Fortunately, there are numerous online resources to fill that void.

Summers agrees with that assessment. He called the documentation “bare,” and says the one book about BizTalk Server 2004 he knows of didn’t come out until the summer of last year. He found what he needed online. “There was a grassroots effort put together by one of the BizTalk MVPs, who compiled help files from blog entries, called the Bloggers Guide to BizTalk,” he says. “That was one of the key sources of information.”

GetMoreOnline
Read more about what to expect in BizTalk 2006, and see the full list of available vertical accelerators. FindIT code: BetterBiz (redmondmag.com)

Still Under Construction
BizTalk 2004 is missing some key features, such as a strong administrative toolset and robust encryption capabilities. For example, Erickson needed to build its own encryption into its BizTalk implementation for communicating with two of its external trading partners. “BizTalk only supports S-MIME, which really didn’t suit our purposes,” Clausen says. “It would be nice if they offered better encryption.”

While BizTalk 2004 is well integrated with Microsoft SQL Server, the overall level of integration could be tighter, says Clausen. Fortunately for him, his SQL Server administrator at Erickson was able to take on BizTalk administrative duties as well. Clausen also feels the administrative tools could be improved, especially for server health monitoring.

One reason users appreciate a tool like BizTalk is that enterprise application integration can be one of the more boring tasks facing an IT professional, says Erickson’s Schneebaum. “One thing Microsoft did really well with BizTalk was make the rote, mundane tasks of data interchange more appealing to a developer by giving them rich tools for development and good, fast schema editors. You might still not want to do it at seven in the morning, but it’s less painful.”—

Joanne Cummings is a freelance technology journalist based in Massachusetts. You can reach her at [email protected].

Up Next
Here are some key features users are looking forward to in the forthcoming BizTalk Server 2006:

Better documentation. A better effort has been made to provide real-world help in the documentation for 2006.

Easier installation, configuration and deployment. BizTalk 2006 will offer a raft of changes, including a more modular approach that lets users install and configure only the features they need, when they need them. Configuration mistakes will no longer affect the entire package.

Administrative capabilities. The new version will include server health monitoring and a new “applications” concept that significantly eases admin-level deployments.

Business Activity Monitoring (BAM). BAM now lets users access a Web portal to identify and track key performance indicators from within BizTalk-integrated applications.

Flat file wizard. A new wizard eases the building of flat file schemas to the point where they can be offloaded to business analysts, without further burdening developers.

Data interchange processing. BizTalk 2006 offers a new recoverable interchange processing capability.

Encryption. Users would like to see stronger encryption than the S-MIME support in BizTalk 2004. Early testers of 2006 say this issue may not be addressed until future versions. — J.C.

The 800-Pound Gorilla
Can Anything Threaten the Microsoft Desktop Empire?

Windows and Office each dominate the landscape, like King Kong on Skull Island. What would it take to shoot this monkey down and give other species a fighting chance?

BY DOUG BARNEY
ILLUSTRATION BY GERAD TAYLOR

When it comes to clients, Microsoft is in the catbird’s seat. Despite the Mac, thin clients like Sun Rays, and dozens of iterations of desktop Linux, Windows is on at least nine out of 10 clients. And almost every one of those is running some version of Microsoft Office.

Microsoft critics claim that there’s competition and viable alternatives, but only the truly passionate among them buy Macs, or load desktop Linux and open source Office alternatives like OpenOffice.

What conditions would be necessary to turn the fringe into mainstream and end Microsoft client domination forever? Is there a perfect software storm that could wash away Office and XP like so much flotsam?

The Microsoft Quilt—Domination Through Integration
A key to understanding Microsoft’s exalted position is to realize that Office and Windows are mutually supporting entities: Windows came first, and then shepherded Office applications into its healthy market share, starting with Excel and Word. Through an absolute commitment to exploiting Windows, Office has become more and more entrenched. Now Office is part of the Windows ecosystem, and its popularity likewise makes Windows indispensable, creating dual and intimately connected monopolies. Thus, anyone hoping to unseat one has to deal with the other.

And that position is fortified by an array of ancillary products, including Active Directory; Outlook; Exchange; SQL Server; Windows Servers; and so on. For better than a decade, Microsoft has been building an elaborate technology quilt that makes it difficult to break away from the family. Even if, for example, another database or e-mail system works better, IT usually opts for the Microsoft solution due to its tight integration with the installed base.


“As a corporation we’ve standardized on Active Directory and Exchange, XP, Office and, soon, SharePoint. And it took years to get to this point,” says an IT pro who asked not to be identified. “Individual offices might go off the reservation about one application or another, but it would never change the monoculture. Decisions are firmly top-down.”

In order to compete, non-Microsoft Office suites and PC operating systems have to offer the same level of integration. That is perhaps one reason the European Commission is trying to force Microsoft to fully document its Windows interfaces, giving competitors the same ability to integrate as Redmond itself.

Politics of Switching
No level of integration will matter, however, unless the decision makers give the green light. And entrenched management thinking will keep Microsoft solidly in place, according to Edward Bailey, with HVAC distributor Carrier Great Lakes in Livonia, Mich. “The top management here are e-mail users only—nothing more. [The issue is] mostly cost more than anything else. We are using AD and Group Policy for control of the environment and Windows Server 2000 and 2003 are working very well for us. We also use Exchange—again working wonderfully well,” says Bailey.

Sydney McCoy says management at his company could be persuaded to switch—with hard numbers. “If it can be demonstrated that necessary functionality and full compatibility exists, with no demonstrative impact to productivity or processing overhead, then potential open source licensing cost savings and broad-based support and acceptance would likely be overwhelmingly welcomed throughout management,” says McCoy. “I’ve been dabbling with the potential substitution of a SLES [SuSE Linux Enterprise Server] file and print server, but the biggest obstacle is our inexperience with the platform, rather than any potential licensing costs vs. savings. As go the bean counters and lawyers, so follows the entire staff.”

All About the Beans
Ah yes, the beans. Open source fans tout the cost savings: after all, it’s pretty hard to beat free. Even in this arena,

Is Microsoft Losing Its Grip?

Tony Bove has written the book on getting off of Microsoft—literally. His book, aptly titled Just Say No to Microsoft, talks about how and why you should look at alternatives. Bove talked to Redmond magazine about potential Windows/Office tipping points.

What events or factors could cause the Microsoft XP and Office monopolies to crumble?

Tony Bove: It’s happening now. The company as it is today just wasn’t made for these times. As Gates himself pointed out in his recent memo to Microsoft executives, a “services wave” of applications is about to reach millions of users, and Microsoft needs to catch up. But the move to offer a services platform for developers puts Microsoft between a rock and a hard place with regard to its existing software business models. So Microsoft has to start over.

The latest Gates memo indicates that Microsoft faces competition on all fronts—not just Windows; not just Office. Open source software threatens everything from server and client systems to e-mail clients and servers, databases and applications. Mac OS X is a threat to Microsoft’s entire computing experience. Even though the vast majority of everyday computer users are stuck in Windows XP, the cutting edge of innovation is happening elsewhere.

What would cause a mass move away from Microsoft to alternatives?

More bad press about viruses and malware. It amazes me that the industry and press still refer to new outbreaks as “computer viruses” and “computer adware and spyware,” rather than what they really are: Windows, Outlook, IE and Office viruses and malware.

Office has matured to the point that it’s not only easy to clone but easy to improve upon. Windows is under constant attack from Linux and Mac OS X. The reason people give for needing to use Windows—because they need to run certain applications—is quickly eroding. To use the new Internet services, all you need is a computer that runs a browser.

I think [potential] missteps by Microsoft in the coming year—with Vista, and with advertising-supported software—will reduce the Microsoft monopoly enough to enhance competition and spark more innovations. At some point a low-cost, non-Windows computer will be very popular for the consumer market, and so will Apple Macs on the “high end.” It’s only a matter of time. — D.B.


though, open source contenders still have to prove themselves, as costs other than the software must be considered. “Any consideration of a replacement to Microsoft products would have to entail administration, deployment, security and upgrades, at a minimum,” says JC Warren, a network management specialist for a high tech company. “I’d have to be dramatically dissatisfied with our current product suite to even begin to consider alternatives. If an alternate product suite could be found that would improve user productivity, I’d then have to consider the costs of deployment, administration, etc., in order to get a handle on the total cost to switch. Then we’d need to factor in the learning curve for users to attain their previous functional state. Any time lost is money lost to my employer.”

Tech Support
Downtime also costs money, and tech support is a huge tipping point factor. “I’ve had former colleagues relate the horror stories of being forced to switch to an open source product by misguided management, only to strip it out after it proved totally unsupportable in a corporate environment,” says Warren.

For Microsoft challengers to make inroads, it’s clear that tech support will need to improve. Fortunately for them, Microsoft may have provided an opening. “For some products, Microsoft has stopped having higher-level support available during evenings and weekends,” laments Karl W. Palachuk, of KPEnterprises Business Consulting Inc. “So a call might get escalated during the week, but you’re back to Tier-One [support] on Friday night and all weekend. In other words, the highest level of support for the biggest problems is only available during business hours, during the week. In what universe does this make sense? I’m not ready to make the switch today, but I find myself surprisingly open to the possibility.”

Even with some level of dissatisfaction, though, the Microsoft Quilt concept continues to give it an advantage, says Jason Thompson, a consultant architect in Arlington, Va. “My network has three players; Cisco, Dell and Microsoft. All software is from Microsoft, so we know that it works well together. If we do have problems, we only need to call one place. For me to leave Microsoft, a single vendor would need to support database, e-mail, Web, etc., from a single, highly supported platform. IBM is the only vendor I currently know that can accomplish this, but [it isn’t] competitive in price.”

Another aspect of support working in Microsoft’s favor is the army of IT pros trained on its software. “Businesses

Why I’m Sticking with Windows

By David R. Bayer

As network administrator for a small part of a very large heterogeneous network, I’ve had to weigh the pros and cons of alternate OSes for my corner of the world. Even in my small area of responsibility—250 workstations, three servers and one virtual server—we’re running various versions of Windows and Macs, along with Windows and Linux servers. This is all part of a large Active Directory network (30,000-plus nodes). There are several things that prevent me from really migrating away from Windows.

The first, and most important, reason is the remote control capabilities we get with AD and Group Policy. Controlling logins, software updates and distribution and various other items are a big plus for us. I haven’t heard of a good way to do that on Linux yet, and haven’t gotten buy-in from management for Apple’s Open Directory.

Another biggie is user education. The best users I have are now comfortable running Windows and making some tweaks, things like video resolution changes and other such tidbits. In a network the size of ours, those users are heavily relied on to help nearby users with easy-to-solve problems, leaving LAN admin and desktop support to handle more involved issues. Most users still fall into the category of “if it’s not obvious and easy, I can’t find it or do it.”

Another reason we stay with Windows is for messaging solutions such as Exchange. Entourage on the Mac doesn’t do nearly as good a job interfacing with an Exchange server as Outlook does on the PC (although Entourage is much better in Office 2004 than earlier versions). Exchange is very convenient and streamlined for combining messaging and calendaring, and other solutions don’t do as good a job or have as nice an interface (at least the ones I’ve seen).

Microsoft Office is available on the Mac, and Sun’s OpenOffice is available on Linux. Both options seem to have very good compatibility with the ubiquitous Windows versions of Microsoft Office. I enjoy getting to work with Macs and Linux boxes, but at this point it just doesn’t seem practical, on multiple levels, to migrate to another option.

Bayer is LAN manager, Divisions of Hematology/Oncology and Nephrology at Vanderbilt University Medical Center.


Why I Ditched Windows

By Rob Hughes

I did a basic cost-benefit analysis when considering a migration, as my network was then mainly Windows, with one Linux box and two Solaris boxes for testing. It had reached the point where I was mostly running around trying to fix various problems with Windows, both at the server and on the client. I needed to add several boxes for a new project and looked at the cost of doing it on Windows vs. Linux, as what I needed could be done on either platform. I found that in that situation, with Linux, I could get by with two fewer systems [and decided to move to Linux]. Since the migration, I spend very little time doing administration on my network, and most of my time doing research. I’m using Linux, BSDs and Solaris as both client and server OSes.

Two of the main advantages of KOffice [the office software that runs on the KDE Linux desktop environment] and OpenOffice are Opendoc/XML compatibility and cross-platform support. KOffice doesn’t currently run easily on Windows, but KDE can be compiled under cygwin if you’re fairly patient (big package, long compile time). And there’s a lot of talk of porting KDE/QT (QT being already available) to Windows when version 4 of both products are released.

XML, being text, is pretty easy to manipulate programmatically. Opendoc also doesn’t use any binary “blobs” within the XML schema like Microsoft Office 2003 does, which makes trying to use Office 2003 files with anything other than Office nearly impossible.

Another advantage is that I can read and write most other file formats, including Microsoft formats, giving me good compatibility with whatever someone sends me.

I find these tools offer really good performance and flexibility—and, being open source software, integration/extension possibilities are limited only by the amount of time and effort one is willing to put into a project. At the end of the day, what I’m talking about here is openness. Not just in the published sense (open standard format), but in the true sense of an Open Standard format.

Rob Hughes is an escalation engineer with a technology company.

would not go to alternatives such as Linux or OpenOffice unless the support staff were readily available to resolve issues. Currently, Linux and Unix professionals are in short supply and thus command higher wages. Just look at the demise of Novell,” says Allen Thomas, systems engineer with Lockheed Martin in Baltimore, Md.

Given these factors, it’s clear it will take more than just management buy-in, cost savings which may or may not appear and improved, across-the-board tech support to loosen the Microsoft desktop stranglehold. The products and platforms have to be comparable (or better) in quality. Are they?

Big Mac Attack
In the case of Apple, the answer is clearly yes. If Redmond reader response is indicative of the industry, the Mac has a clear client edge over Linux as a Windows alternative. Many readers hype their switch to the Mac, while almost no one mentions moving to Linux PCs.

Perhaps the Mac has an edge because it has the polish of an OS with two decades’ worth of evolution, is backed by a commercial company and has solid application support, including an official and up-to-date version of Microsoft Office. And because there’s less malware, troubleshooting and help desk tasks are less onerous.

But even with those advantages, the Mac hasn’t made significant inroads into the Wintel space. That may be changing, however, with Apple’s switch to Intel processors. The Intel machines could be cheaper in the long run (the early units have premium pricing), perhaps pushed by low-cost marketing powerhouse producers like Dell. Macs that could compete with PCs on the cost and speed side would certainly be a cause for concern in Microsoftland.

Another advantage Intel processors will provide, and which could prove significant, is the ability to run Windows alongside the Mac OS. “If the future generation Macs (the ones using Intel processors) can run Windows software effectively, I’d switch in a heartbeat,” says Jerry Koch, chief technical officer for WebNow1 LLC. “I’m sick and tired of Microsoft getting rewarded for its failures, like selling anti-spyware software because its OS has so many holes.”

David Cantrill, a London-based Redmond reader, echoes that sentiment. “What have I discovered in my time with a Mac? It works. No viruses, no spyware and consequently no AV software to constantly update. I can still do everything I did on my PC and don’t need to worry that I’m going to lose all my information by having to reformat the thing. Microsoft better hope Vista


creates a whole new ball of momentum, or this mag will be retitled Cupertino sometime in the next three years,” says Cantrill.

Desktop Linux—Untapped Potential
Linux PCs are much rougher around the edges than Macs, no doubt about it. They’re still much more difficult to install and use than Windows and Macs, often lacking anything but the most basic instructions. That leaves a dedicated group of hard-core, tech-savvy consumers, hobbyists and geeks to tweak and improve it, just as they did with Altairs 30 years ago.

But these pioneers are small in number, and on the corporate side, things are even worse. The few widespread adoptions are almost all among the Linux vendors themselves—companies like IBM, which has more than 10,000 desktops running Linux. Peruse the Red Hat Web site, and you’ll find 38 case studies, only two of which mention Linux desktops to any degree.

One bright spot, which could portend a tipping point, is in a market not yet dominated by Microsoft, or any other vendor for that matter: those who are too poor to even have considered a computer in the past. Nicholas Negroponte, of the MIT Media Lab, and his team have designed Linux laptops for the third world. For about $100 the machines come with a range of applications, 1GB RAM, peer-to-peer capabilities and wireless connectivity. Negroponte hopes that as many as 150 million units will be built in the next two years.

That’s a lofty goal; but even if only a tenth of those get built, it still means 15 million Linux laptops will be in use. At that price, and with that kind of base, it becomes an interesting and proven proposition for lots more folks. Add some polish and some apps and you may just have a popular, new portable platform.

Market Share
Linux has 3 percent desktop market share and will have 6 percent two years from now (2008), IDC says. Meanwhile, the Mac is generally thought to have slightly less than 3 percent market share.

Whither Office?
If Windows on the desktop could be toppled, what about Kong’s other arm—Microsoft Office? Much as with desktop Linux, the potential is there, but the open source competition still has a way to go.

One user tried OpenOffice, but the performance simply wasn’t there. “Upon reading benchmarks of the new

To p Tipping Points

>> A unified or dominant Linux client – such a >> Major change in Office 12 causes disruption – client could have better driver and apps support interface and file formats (if native XML is really sup- >> Intel-based Macintoshes – cheaper Macs ported, are file formats still a lever?)—like with Vista, the running XP or Vista alongside Mac OS X could appeal Office suite, code-named Office “12,” could be as tough to Windows shops to move to as Office rivals >> Third-world $99 Linux laptops – a huge base >> Dramatically improved Windows interoper- of Linux clients could jumpstart the apps markets ability with Linux or the Mac – if Linux and the Mac >> Dell selling Macs or solid, reliable and become a seamless part of the Microsoft Quilt, IT usable Linux PCs – a trusted low-cost supplier objections will be answered could give these machines corporate cachet >> Brand new computing paradigm/architecture – >> A bug-laden, insecure Vista – if Vista is a just as the PC killed off the Apple II, a compelling new huge pain to secure, and requires loads of training, approach could sweep away legacy Windows and Office an alternative may not be viewed as altogether >> Web services take over and bring back disruptive the Network Computer – if Web services become >> A bug-laden, insecure Internet Explorer – dominant, fat client PCs won’t be necessary if IE7 is no better than today’s browser, corporations >> Open Source becomes a broad corporate could move in droves to , which already has mandate – if open source offers a compelling ROI, about 10 percent market share CEOs could mandate a move away from Microsoft

34 | March 2006 | Redmond | redmondmag.com | Project3 8/2/05 10:58 AM Page 1

Peace of Mind... Offered by Citrix Education

Whether you choose Training or Certification, Citrix Education offers you peace of mind by providing you with the knowledge and skills to achieve the following benefits:

• Ensures skills and knowledge are current and can be applied on the job • Increases value and productivity of IT professionals • Improves reliability and efficiency of the Citrix environment • Exposes IT professionals to new products and functionality • Helps IT professionals troubleshoot problems without the help of technical support

Visit www.citrix.com/edu/redmond to find out which training courses and certifications are right for you!

©2005 Citrix Systems, Inc. All rights reserved. Citrix® is a registered trademark of Citrix Systems, Inc. in the United States and other countries. All other trademarks and registered trademarks are the property of their respective owners. 0306red_F1Gorilla.v6 2/14/06 10:47 AM Page 36

The 800-Pound Gorilla

StarOffice/OpenOffice versions that have up to 10 times Microsoft has responded by proposing its own XML- the processing overhead compared to the Microsoft prod- based format others can support, but that Redmond ucts we already license, there’s just no way to justify con- ultimately controls. That makes it less appealing to many, sideration in a shared environment,” says Sidney McCoy. and, ironically, may lead to a move away from Office. “The On the other hand, critics claim that Office suffers serious XML stuff and the Open format specification of Open- feature bloat, perhaps providing an opening. “I would Document is extremely relevant for any organization that absolutely move away from Office and XP for the majority of considers control over its data a priority, rather than giving my users, if I could have a solid desktop and office suite with that control to a single vendor via proprietary formats

In Microsoft’s Corner: Keeping Windows Large and in Charge

>> The Microsoft Quilt – XP and Office aren’t stand- >> Office training – as tough as it can be to use, no alone but work closely with other Microsoft tools program has more training muscle behind it than Office >> The sheer number of applications – no one can >> Office file formats – many shops use Office just match the volume of Windows programs so they can share files with partners >> Custom Corporate Client Code – internal appli- >> OEM lock-in – PC vendors unanimously support cations developers have written billions of lines of Win- Windows, not Linux or the Mac dows code that would have to be re-crafted >> Price/Performance – competition has pushed >> Active Directory – the standard corporate directory PC prices to an all-time low works best with Microsoft tools >> The Groove factor – Ray Ozzie, one of three >> Exchange – Exchange works with Outlook, which CTOs, is planning to bring rich collaboration technologies works with Office, which works with XP ... to the Office suite, code-named Office “12,” and Vista

similar core functionality and interactions as XP and Office. and forced upgrades in order to maintain supported That seems to be a rather broad stroke until you evaluate status,” says Rob Hughes, an escalation engineer with what “core functionality and interactions” really means to a a technology company. “The fully documented nature given set of users, and the respective business processes. In of OpenDoc would also play on the enterprise develop- most cases, Office and XP are overkill in function and cost,” ment side, as things like integration with various sorts says Yusuf F.Abdalhakim, of Abdalhakim & Associates, an IT of database back-ends and so forth are all greatly eased.” consultant with 20-plus years of experience. In addition to the footprint, interoperability is another From Hunter to Hunted potential tipping point away from Microsoft. OpenOffice There’s no doubt that right now, Microsoft is sitting cracked the door open for the OpenDocument file format, pretty. But there’s accumulating evidence that its place an XML format derived from StarOffice that may be able on the perch could be getting more precarious. In fact, to break Microsoft’s deathgrip on productivity file formats. according to author Tony Bove,who’s written a book If these file formats become open, Office suddenly on how to swear off of Microsoft completely (read the becomes less necessary. sidebar, “Is Microsoft Losing Its Grip?” on p. 30), the possible seeds of its demise can paradoxically be found in its overwhelming success. Cool Tool “Microsoft is essentially held back by its monopoly and the complexity of its products, and can’t innovate fast enough Code Weavers without hurting its existing business,” Bove says. “That (www.codeweavers.com) has a wasn’t always the case—in the early days of the monopoly, tool, called Crossover Office, Microsoft was invincible. There was so much activity on which is a version of WINE that so many fronts that the company was a moving target. 
lets Linux run key Windows apps. Now … the company has become a big fat target.”— WINE essentially implements the Windows API set on Linux. Doug Barney is editor in chief of Redmond magazine. Contact him at [email protected].

36 | March 2006 | Redmond | redmondmag.com

Reader Tips: Do Away with SPYWARE

Many programs block spyware, but few know how to get rid of it. Redmond readers offer some clever ways to banish these nasties.

BY DOUG BARNEY

We all know spyware is bad stuff, the real question is: How to get rid of it. To find out, we went to the experts—you, the Redmond reader. Dozens of you responded to our pleas. Here are the best bits of spyware removal advice, sprinkled with a healthy dose of anger and frustration.

Removing Aurora

Aurora is a nasty bit of adware/spyware that can be a real pain to root out. Redmond reader and IT Specialist Robert Butler knows. “I’ve discovered that Aurora changes the file names of the files it uses to re-infect the host. Aurora also apparently hijacks some legitimate running processes,” Butler explains.

Butler has spent hours trying to clean Aurora out of systems. “I’ve found that one needs to boot in command prompt safe mode and delete the file c:\winnt\ceres.dll. The file will not delete in normal mode and will regenerate the software if not deleted. No anti-spyware software will delete the file either.”

Aurora also seeds confusion, says Butler. “Aurora is part of a group from Direct Revenue that includes: ABetterInternet, ABI Network, Ceres, Aurora, WinFixer, Direct Revenue and Search Assistant.”

The confusion extends to Aurora Networks, a technology company that has nothing to do with the spyware, but finds itself mistaken for the malefactor. The firm has gone so far as to publish helpful updates and links for managing the Aurora spyware threat on its Web site.

That site includes a link to the Aurora authors’ own removal tool. It would seem foolish to trust such a tool, but at least one reader, Scott Davidson, owner of ARX Computers, had good luck with the Aurora-built fix.

“In the effort to stay ‘legal,’ many spyware purveyors offer uninstall programs. They don’t make it easy to find, but they’re out there on a regular basis,” says Davidson. “You may be leery of using it, but I figure this company has already had its way with this computer, so going back for more shouldn’t do additional damage. The uninstall program for Aurora works like a charm. However, remember the best tool for fighting spyware in general is System Restore.”

Matt Yeager also tried the Aurora removal tool, after seeing positive feedback on a number of forums. He says the tool removed the pernicious spyware.

“A malware company you can trust? I don’t think so,” Yeager writes. “A malware company that’s worried about prosecution is probably more like it.”

More Aurora Horror

Joey Heape ran into trouble after giving his 13-year-old children their own PC. The kids recently complained about slow performance, and Heape discovered the system was riddled with malware. Heape, who is director of media & technology for the South Carolina Bar, ran a host of free spyware killers, as well as Microsoft AntiSpyware, but to no avail.

“I learned about killing processes, HijackThis, etc. I tried CounterSpy (home version, I actually use the enterprise version at our office), Ad-Aware (I own a copy of this for my workstation), you name it, I tried it,” Heape recounts. “Needless to say, I ended up reformatting.”

Stuffing Surf Sidekick

Another tough customer is Surf Sidekick, which can seem impossible to dispose of. But for the patient and technically adept, there is a removal procedure that can help you. (Go to Redmondmag.com and use FindIT code: SpyTips for a direct link to the procedure.) This heads up comes courtesy of Ryan Carrier, ISA CCST III, and an IT pro at Fraser Papers Inc.

“My worst experience with spyware? How about spyware (or maybe it was a virus) that replaces the host file so you can’t go to Microsoft, Symantec and other sites you need to remove it. If you repair the host file, it gets replaced again! Shuts down the browser when certain words are typed in Google (like ‘virus,’ ‘spy,’ etc.). And it disables Task Manager and any [other] program that looks like a task manager. I was eventually able to find one that wasn’t recognized by the spyware,” recalls Carrier.

“The fix ended up being a combination of spyware detection tools, a task manager not recognized by the virus, going into safe mode and a pinch of luck!” Carrier says.

A Bloody Irish Answer
By Kevin Jordan

How can IT professionals hope to put an end to the malware scourge? Kevin Jordan, of Belfast, Ireland, offers an idea.

“Here in Belfast we have a shop called B&Q and it’s a hardware/home/garden improvement type of place. Now in there they sell nice, handy lengths of timber. Sand one end until it’s rounded and provides a nice tight grip, allowing both hands to hold roughly four feet of 6x4. Find out from the local authorities who the onion is that wrote the spyware code. Go around to his/her (you never know) workplace or home using transport of your choice—preferably low-budget airline or bus because you’re already out the price of the lumber. Apply the said piece of timber several times to the body of the numpty who’s responsible for causing this irritation. Before he/she loses consciousness, try to find out anything about his/her contacts and pass this info on to like-minded people you know.

Hopefully this will mitigate the cost of the timber and transport by spreading it about and eventually these people will give up their activities since it’s hard to type with broken fingers.

Incidentally, in order to comply with health and safety legislation, it may be prudent to wear some form of protective gloves and visor, just in case some loose splinters are flying about.”

Kevin Jordan is a presales IT consultant.

Prevention Through Privileges

Many spyware problems result from users running Windows with full administrative privileges, says reader Rick Lobrecht. He urges IT managers to set up accounts with normal user privileges. “Your spyware problems will disappear,” he says.

Paul Witting is emphatic in his agreement. “DO NOT RUN WITH LOCAL ADMIN PRIVILEGES,” he writes. “I know it’s a pain, as way too much stuff still insists on having admin rights, but the difference this one little piece of preventative maintenance makes is night and day.”

Witting describes his company as having to deal “with the most nefarious corners of the Internet day in and day out.” And yet, none of its PCs have suffered an infection. He credits restricting administrative privileges for the difference.

The Microsoft Way

Microsoft offers a number of tools, including spyware blocker Windows Defender (formerly known as Microsoft AntiSpyware). It also has a new tool to protect computers used by more than one person, which reader Byron Hynes is a fan of. Hynes suggests downloading the Microsoft Shared Computer Toolkit for Windows XP.

The free software helps keep users from changing settings and installing software, and it defines what changes can be made to hard drives. This tool is largely aimed at shared computers in public places such as waiting rooms and kiosks, but could be just the trick for the spyware sponges in your shop.

There’s a similar third-party tool, as well, called Deep Freeze. This tool allows users to make whatever mischief they can get away with, after which the admin can restore the original system state. Some labs have the systems automatically rolled-back every night, to make sure everything will be working in the morning,” says a senior systems engineer who asked not to be identified.

A Virtual Solution

Several readers suggested virtualization as a solution. “I use Virtual PC with undo on,” says Dave Cline. He describes how “all changes to the virtual hard drive are dumped each time I reboot the machine,” erasing infections from the previous session.

Reader J.D. Norman, who is CTO of PCS Enterprises Inc., says virtualization simplifies his life. “Turn on snapshots, and if there is a problem, roll back to a previous snapshot,” he says. “Makes it easier to move the user to a different PC, too.”

Charles Hodgkins uses what you might call manual virtualization to keep his kids’ surfing from messing up his system. He describes two tricks: “One is to use a removable disk tray like those from Addonics. This way I keep a separate drive for the kids, which I can reformat as needed, and keep a drive for myself that I keep locked away from the kids. Another is once I get the machine set up the way I like, I create an image using Acronis True Image that I write onto several CDs or DVDs. That way, I can easily re-create a drive as required,” Hodgkins explains.

“Of course, I also disable every service I can, as well as keep my computers behind a NAT router and enable software firewalls on all of them. This doesn’t stop everything, but it helps.”
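Ryan Carrier's account above describes spyware that rewrites the hosts file so the machine cannot reach Microsoft, Symantec and other sites, and rewrites it again after a repair. The following Python code is an added example, not part of the original article: it audits hosts-file text (for instance from a drive mounted on a clean system) and fingerprints the repaired mappings so a later rewrite is detectable. The watch list PROTECTED_SUFFIXES and the sample file are assumptions constructed for illustration.

```python
# Added example: audit hosts-file text for blocked or redirected security sites.
# On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; read it
# from a clean boot or an offline-mounted drive where possible.
import hashlib
import ipaddress
import sys

# Assumption: sites whose name resolution should never be overridden locally.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "symantec.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample, not taken from a real infection.
SAMPLE_HOSTS = """\
# Constructed sample for illustration
127.0.0.1       localhost
127.0.0.1       www.symantec.com  symantec.com   # injected entry
0.0.0.0         update.microsoft.com
203.0.113.7     www.microsoft.com
192.168.1.20    fileserver
127.0.0.1       ads.example.net
not-an-ip       windowsupdate.com
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in the text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()      # strip trailing comments
        fields = entry.split()
        if len(fields) < 2:                        # blank, comment or bare address
            continue
        for name in fields[1:]:                    # one address may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")


def classify(address, name):
    """Return a finding for one mapping, or None when it looks benign."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "malformed address"
    sinkhole = addr.is_loopback or addr.is_unspecified
    if name in LOCAL_NAMES:
        return None if addr.is_loopback else "localhost remapped"
    if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "protected site blocked" if sinkhole else "protected site redirected"
    # Sinkholing unrelated names is a common ad-blocking habit; anything else
    # is a static override an administrator should be able to explain.
    return None if sinkhole else "static override, verify"


def audit_hosts(text):
    """Return [(line_no, address, hostname, finding), ...] in file order."""
    findings = []
    for line_no, address, name in parse_hosts(text):
        finding = classify(address, name)
        if finding:
            findings.append((line_no, address, name, finding))
    return findings


def fingerprint(text):
    """Hash only the mappings, so comment or spacing edits do not change it.

    Record this after repairing the file; a different value later means the
    mappings were rewritten, as in the repair-and-replace cycle described above.
    """
    mappings = sorted({(a, n) for _, a, n in parse_hosts(text)})
    blob = "\n".join(f"{a} {n}" for a, n in mappings)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as handle:
            content = handle.read()
    else:
        content = SAMPLE_HOSTS
    for line_no, address, name, finding in audit_hosts(content):
        print(f"line {line_no}: {name} -> {address}: {finding}")
    print("mapping fingerprint:", fingerprint(content))
```

Run without arguments it audits the constructed sample; pass a path to audit a real hosts file.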

Spyware Removal: The Unabridged Version
By Scott Davidson

Here is my standard removal procedure, up-to-date as of the new year:

1. System Restore—ask how long the problem has occurred and whether the user made any major changes to the system since then. If it’s a new problem surfacing in the last few days, roll it back two weeks. This fixes some of the nastiest problems cold. Explain that System Restore does not affect data like documents and music, but any programs installed in the last couple weeks will need to be reinstalled. This is an overlooked and very useful tool for all problems, not just spyware.

2. Boot into Safe Mode w/Networking, go to Control Panel then Internet Options. Delete temporary Internet files, cookies and clear history. Set Internet zone security back to Default if it’s on “Custom.” Check “Trusted Sites” zone and make sure it’s clear (sometimes spyware will add their sites to it). Check Cookies setting, make sure it’s Medium, not “Accept all cookies.”

3. Uninstall all known spyware programs you see in Control Panel Add/Remove Programs. Sometimes they demand Internet access to remove themselves, which is why we’re using Safe Mode w/Networking. Make sure the user is not using these programs. I had a customer who was annoyed that I removed his Alexa toolbar.

4. Run the latest CWShredder, owned by Trend Micro for the moment. Takes one minute, can help.

5. OPTIONAL, only for severe infestations: Install and update Ad-Aware. Scan and clean. Install and update Spybot, without using their TeaTimer or active protection. Scan and clean.

6. Run HijackThis and take out all suspicious-looking items, looking them up on Google if needed to make sure they’re not legitimate programs.

7. Reboot in normal mode and install Microsoft AntiSpyware, update, scan, clean.

8. Reboot and browse the Web for a couple minutes, going to a few different sites, and see if you get repeated adware-style popups still. If you do, go back to HijackThis and be more heavy-handed, you probably missed something.

9. While doing this, explain to the user how to avoid this problem in the future. “Be very skeptical of free programs, especially toolbars, search bars, shopping helpers, music download programs, bargain finders, screensaver programs, security applications, etc. Be wary of official-looking security warnings.” List the legit anti-virus and anti-spyware programs and explain that for every legit one, there are 25 charlatans. “The same scumbags who put the spyware on your computer in the first place are the ones trying to sell you a bogus antivirus/anti-spyware program.”

Some of the worst kinds of spyware regenerate themselves. I’ve had to boot into Recovery Console to get rid of the root .DLL file, which regenerates the adware. Most should show up in HijackThis.

If the cause does not show up in HijackThis and none of the free programs remove it, odds are it’s one of the nastier kinds that are not removable without digging deep and spending too much time. I spend about one hour on spyware removal. Back up data, format, reinstall if it’s not removable in that timeframe. What you want to avoid is spending three hours trying to remove a particularly nasty bug buried deep in the registry and then having to spend two to three hours backing up data, formatting, reinstalling because it’s buried too deep.

Davidson, owner of ARX Computers just northwest of Chicago, Ill., squishes spyware for a living.

Handy Tools

Today’s anti-spyware tools usually do a great job blocking the nasties, and as such, you should have plenty of this software on hand (and installed!). Here are a few of the tools Redmond readers enjoy.

John Richardson, it seems, has used them all. He applied HijackThis, Spybot S&D [Search & Destroy], Ad-Aware, Microsoft AntiSpyware and Bullet Proof Soft on a customer’s PC infected with more than 20 different Trojans and numerous spyware infections. Richardson, an MCSE BCNTS and BCCTS who is owner of Austin, Texas-based computer support firm BrainWerkz, also singles out EWIDO as an important tool.

“This was a slow process (taking three-plus hours to complete) that ran exclusively under Safe Mode and worked wonders. As there were two separate accounts on the Windows XP Pro system, I made sure to run the apps under both profiles to catch any lurking bugs,” he says.

A good rule of thumb is a layered approach, just as with firewalls, anti-virus, and anti-spam. IT Specialist Charles Olin has a set of tools he likes to use when combating threats. “I generally use three or more spyware removal tools: SpyBot Search & Destroy, Lavasoft’s Ad-Aware Plus, and Trend Micro’s Anti-Spyware. I also use avast!, which also finds malicious spyware. The company also has what they call their BART CD (Bootable Antivirus & Recovery Tools CD),” explains Olin, who also suggests switching to the Firefox Web browser.

“It is so much easier to keep spyware from ever entering the box than cleaning it up afterward,” says Systems Administrator Eric Wallace. He urges people to use Javacool’s SpywareBlaster, which uses the ActiveX “kill bit” to lock-out known spyware programs. He also tells users to never log on as an Administrator unless installing software.

“It’s not a panacea,” he says, “but just these two steps will probably make a huge difference in anyone’s spyware arrival. Prevention is the key!”

Wallace goes a few steps further. “I only browse with Firefox with AdBlock extension and Filterset.G, which prevents ads and spyware-type content from loading. Then I run a couple of other anti-spyware programs, including Lavasoft Ad-Aware and Spybot S&D, both of which have some preventive measures as well. And I’m looking into downgrading my IE and Firefox process privileges, since I’m usually logged in as an administrator—and domain privileges—when at work.”

Bill H. has also been hit with spyware, though to be fair, Bill deflects the blame. “It was my wife who caused the trouble ... lots of tension followed, of course!” Bill used HiJackThis and posted the results to a Web forum on the TomCoyote Forums Web site. “There are some very generous souls who patrol these forums and look to help the novice, spyware-infected unfortunates.”

Joanna Lovett, IT support manager with Cambridge Systematics Inc. in Cambridge, Mass., says that Zone Alarm can help as well. “I just upgraded my home computer to the latest version on Zone Alarm. It has a spyware detector and real-time protector that work pretty well. The spyware scanner found things that Ad-Aware missed on my computer,” she says.

Anti-Spyware Not Yet Perfect

While most readers run one or several anti-spyware tools, they are not a perfect solution. Stephen Nichols, IT analyst for International Truck and Engine Corp., Engine and Foundry Division, says that spyware packages like Ad-Aware often struggle to pull out spyware by the roots, in part because viruses and other grayware keep restoring the spyware. The ability of some malware to cripple virus scanner software complicates matters.

How can you clean out tough infections? Nichols plays a game of switcheroo with the malware. “I simply pop the case off the PC, plug in a hard drive of at least 4GB, make it the first bootable drive in the BIOS, and install a fresh copy of XP. After it comes up, I just need network drivers and then I can use Trend Housecall and download a fresh copy of Ad-Aware,” Nichols explains. “I can get 99 percent of the junk off the system this way. After that I just remove the hard drive and voila, clean PC!”

Nichols takes the clean drive idea a step further, by preparing a BartPE boot disc with Ad-Aware and AVG Anti-Virus included. “I can just boot from CD to clean the hard drive,” Nichols explains. “The only caveat with this is that I have to keep updating the patterns. I could pull it off the network or off of a floppy or flash stick. It will still be faster than cleaning the PC manually or popping the cover, and I will probably be able to update the pattern, even from an infected PC.”

Spyware Silver Bullet?

A growing problem is malware that restores itself. Reader Greg Lara says you can sometimes break the cycle with a bit of preparation and quick click-work.

“Once I’ve identified the executable file that needs to be deleted, I open the Task Manager and find it in the process list. In another adjacent Explorer window, I navigate to the file in question, highlight it, then press the Delete key. With the delete confirmation dialog box up, I move over to the task manager and end the process. Now I move the end process confirmation dialog box next to the file delete confirmation dialog, and in quick succession, click OK in the file dialog and then in the process dialog, usually with a combination of mouse click in one and the space bar in the other. With the timing just right, the file is deleted before the process can kick off again, and the cycle is broken,” Lara says. “This won’t work in every case, but it can jump start a cleaning session when the frustration level has reached a fever pitch.”

Safe Mode, Safe Harbor

MCP Eric Hanner takes no chances with his clients’ machines. “I have taken the approach of blast ’em and see what comes back. If I have any indication of an infestation, I start by booting into Safe Mode, update the files and run Microsoft Anti-Spyware and Ad-Aware. While I’m in Safe Mode, I also run a virus sweep. I have never had a case where I scanned later and I was still infected. I’m not saying there aren’t some files lingering somewhere, but they apparently are not activated or are idle if they are there at all,” Hanner says.

The Manual Approach

Mike Matteucci constantly sees spyware-infected PCs in his work with PC-Network Services in Bakersfield, Calif. “As an end user, I hate spyware. As a technician, I love spyware,” he says.

Matteucci claims an over 90 percent success rate in removing spyware without having to wipe the drive. The cost, however, is time. “I advise my clients/customers that it is a minimum of three days for me to have their machine. I run my in-house anti-virus along with several free spyware utilities, plus use the Internet to trace the .EXEs and .DLLs that are causing the problems,” he explains.

Matteucci offers some useful advice for PC users, including a switch to the Firefox or Netscape Web browsers, and setting up Windows Update so that it automatically kicks off in the morning, when the PC is most likely to be running, rather than at 3 a.m.

“Another thing I advise customers is to manually once a day use the Norton or McAfee auto update service for their anti-virus,” writes Matteucci. “It seems that these companies—if the update is not a major threat—delay posting it on the scheduled update Web site for two to five days, and that’s when you get hit.”

Windows on Live CD: Solution or Illusion?

One reader would like to change the way that OSes, apps and data are intertwined. “Just an idea that nobody seems to be doing anything about—how about booting a live CD of Windows, and using that as your boot volume. All data could be stored on the local hard drive, but the OS and necessary apps would reside on the CD, where they couldn’t be harmed,” suggests Dennis Barr, manager of Information Technology for the Larkin Group Inc. in Kansas City, Mo.

It’s not a bad idea. Many Linux distros are available in “live” versions, which run entirely from a CD or DVD. The portability makes live distros a staple among IT professionals who use Knoppix and other live Linux packages as a system rescue and recovery platform. So, Barr asks, “if the penguinistos can do it with their OS, why can’t it be done with Microsoft’s?”

Doug Barney is editor in chief of Redmond magazine. Share your spyware-fighting tips and tricks with him at [email protected].

GetMoreOnline

Log on to Redmondmag.com for easy and direct access to the products and tools mentioned here. Plus, you’ll be able to download a full-length version of this story, complete with additional tips and tricks from the trenches for fighting spyware. FindIT code: SpyTips
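Eric Wallace's tip above relies on the ActiveX "kill bit", which is the 0x400 bit of the "Compatibility Flags" value stored per control CLSID under Internet Explorer's ActiveX Compatibility registry key. The Python code below is an added example (not from the article and not SpywareBlaster's code) that checks a registry export of that key against a list of CLSIDs you expect to be blocked; the CLSIDs and the export text are constructed placeholders.

```python
# Added example: verify ActiveX kill bits from a registry export.
# Produce the input on the machine being checked with:
#   reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" killbits.reg
# Exports in "Windows Registry Editor Version 5.00" format are UTF-16 text.
import re
import sys

KILL_BIT = 0x400  # bit of "Compatibility Flags" that stops IE loading the control
BASE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
FLAGS_RE = re.compile(r'"Compatibility Flags"=dword:([0-9a-f]{8})', re.IGNORECASE)

# Constructed placeholders: these CLSIDs identify no real control.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{aaaaaaaa-0000-0000-0000-000000000002}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000005}]
"""
SAMPLE_EXPECTED = ["{AAAAAAAA-0000-0000-0000-00000000000%d}" % n for n in range(1, 6)]


def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for every control subkey in a .reg export."""
    flags, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            is_control = parent.lower() == BASE_KEY.lower() and CLSID_RE.fullmatch(leaf)
            current = leaf.upper() if is_control else None
            if current:
                flags.setdefault(current, 0)   # subkey exists; its value may follow
            continue
        match = FLAGS_RE.fullmatch(line)
        if match and current:
            flags[current] = int(match.group(1), 16)
    return flags


def audit_kill_bits(reg_text, expected_clsids):
    """Map each expected CLSID to 'blocked', 'not blocked' or 'missing'."""
    flags = parse_compat_flags(reg_text)
    report = {}
    for clsid in expected_clsids:
        key = clsid.strip().upper()
        if key not in flags:
            report[key] = "missing"            # no subkey at all for this control
        else:
            # Other flag bits may be set too, so test the bit, not equality.
            report[key] = "blocked" if flags[key] & KILL_BIT else "not blocked"
    return report


if __name__ == "__main__":
    # usage: script.py killbits.reg {CLSID} [{CLSID} ...]
    if len(sys.argv) > 2:
        with open(sys.argv[1], encoding="utf-16") as handle:
            text, wanted = handle.read(), sys.argv[2:]
    else:
        text, wanted = SAMPLE_EXPORT, SAMPLE_EXPECTED
    for clsid, state in audit_kill_bits(text, wanted).items():
        print(clsid, state)
```

Anything reported as "missing" or "not blocked" is a control the block list was supposed to cover but Internet Explorer will still load.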


NEVER AGAIN

BY KEITH WARD

They go by many names: CLEs (Career Limiting Events); Murphy Moments; Blue Screen Memories; RUAs (Resume Updating Actions). What they all have in common is disaster.

Most IT folks have at least one tale of woe, of that time when their career flashed before their eyes (those in the biz for a long time often have more than one—sometimes many more). It often starts when the help desk phones start lighting up like a Vegas casino. Users can’t connect to the network or Internet. Servers aren’t talking to each other or to you. Then your mouth goes dry, as you realize you haven’t tested your backups for—well, you can’t remember for how long. And where is that bootable CD now that you need it?

Chances are you also found a solution, recovered from your error and got things shipshape again. Otherwise, you probably wouldn’t be reading this article, because your new job at the local car wash demands your total commitment. You learned a lesson, gained experience and wisdom, and have become a better IT pro as a result.

But wouldn’t it be nice to learn those lessons without the near-death experience? Our new continuing column, called Never Again, aims to do just that. Each month, we’ll present the most compelling story in print, and others will appear online. If you have a tale of technical terror you’d like to submit for this column, send in a 300- to 800-word, first-person write-up of your scariest IT moment on the job to Keith Ward at [email protected].

Now, let the nightmares begin.


Out of Service
BY RON STEWART

I work at an IT services company. Recently, we moved the servers of a rapidly growing client from their own office to a data center. We’ve performed similar server moves several times in the past, and the first few tasks went off without a hitch. We shut down the servers late on Friday afternoon, packed them up and had a bonded carrier move them to the data center. Once there, we racked the servers, reconnected them and booted them.

Our server technician watched the monitor as the first server booted, preparing to log on to each server and perform some basic tests. He waited patiently for the familiar Windows Server logon screen to appear.

After several minutes went by, it became clear that something was very wrong. “Applying computer settings,” the screen read—for more than two hours, before a logon dialog box finally appeared. Logon itself took an hour to complete. When the GUI appeared, it responded extremely slow. In addition, no network connections were listed.

The server and network techs double-checked all connections and settings, verifying that they were correct. They formed a theory that the servers needed to boot onto a network that used the IP addresses from the office LAN, with which they were still configured. The techs reconfigured the network components and restarted the servers. More than an hour later, as the servers took their sweet time booting yet again, this theory was thrown overboard.

It was now well past midnight. The team phoned the servers’ manufacturer for assistance. Discussion soon focused on how the servers’ network cards were configured to function together as a team; the vendor’s support tech suggested disabling this so the network cards could operate independently. But after doing this, the problems continued. At this point, the vendor’s support tech basically threw up his hands, telling our guys to wipe the servers clean and rebuild them from scratch.

The exhausted and bleary-eyed server tech looked out of the data center’s windows, saw the dull glow of dawn on the horizon, and retained just enough good sense to inform the support tech that no, he wasn’t going to do that. He hung up, and our guys called it a night (not that much was left of it). They would return to take another crack at things the next day.

The following afternoon, our CIO called me (I should never leave my cell phone on during weekends.) He briefed me on what was going on. “A fresh set of eyes might help,” he said. Could I get down to the data center as soon as possible? After making the usual apologies to my long-suffering wife, I went to ground zero.

Progress was slow and frustrating. Each server had numerous issues in addition to the brutally slow boot time: No network connections were listed; the GUI was sluggish; services couldn’t be stopped or started.

Because the servers were able to boot into Safe Mode quickly, we figured the cause of the problem must have been one of the non-essential services. So we went about disabling all these services, then booted the servers normally (which now only took the usual couple of minutes) and gradually started only the non-essential services required for each server’s functionality.

By midnight, all the servers save one were operational. Everyone else went home, leaving me to work on the last non-functioning computer—an intranet Web server. As this server had been designated a low priority, we hadn’t used Safe Mode to reconfigure its services, and as the hours passed, it had eventually become accessible.

With the pressure now gone, I finally had the time to analyze the services. I went through the list, and spotted the culprit behind our lost weekend. The APC PBE Agent service, after six hours, was “Starting.” I disabled that one service, rebooted, and all the problems went away.

I’m pretty sure I screamed.

We made some mistakes here. First, the data center had its own huge, shared UPS, so the APC software wasn’t needed and should have been removed. Second, (we discovered this later), the digital certificate used to sign the APC software had expired just the week before. (To add insult to injury, a Microsoft Knowledge Base article on this very problem appeared the following week, just a few days too late to help us.) And third, we should have performed this analysis several hours before, but we’d been too focused on restoring functionality.

Many of the lessons here are specific to this incident, but the two reminders I took away from it are: A) When it comes to technology, no change is simple, no matter how many times you’ve done it before; and B) You can save time if you take the time to work the problem, rather than letting it work you.

Ron Stewart is a senior technical consultant at Syscom Consulting in Vancouver, Canada. He has worked in IT for more than 10 years, far too much of it on evenings and weekends.


That’s a Wrap
BY RYAN WILLIAMS

I’m a consultant, so I’ve seen a lot of issues in data centers with my clients. One of the most memorable involved a client that had all their data center servers go down during some renovations. Imagine the surprise of the person sent in to check the server room when he found that the remodeling contractors had shrink-wrapped the racks of servers to keep dust out! The contractors neglected to mention that they would be doing this, so all the servers were on when they wrapped them up. Naturally, the servers overheated and shut themselves down. Luckily, none of the servers were fatally damaged.

The moral of this story: When remodeling your data center, make sure the contractors are closely supervised.

Ryan Williams has more than nine years in the network integration and the professional services field. He has extensive experience in implementing and supporting Active Directory, Exchange and collaboration technologies.

Disappearing DNS
BY ERNEST FRANZEN

One of my worst experiences was finding out the ramifications of deleting our main Active Directory-integrated DNS zone.

We had to move one of our domain controllers to a new IP subnet, so I changed the IP address of the DC and rebooted. After the reboot, everything looked good—except for DNS, which had a big red “X” through the zone. So, knowing that the DNS is replicated from other DCs, I deleted the zone and recreated a new zone with the same name—my thinking was that it would populate within a few minutes from one of the other DCs.

Instead, the phone started ringing with users having all types of connectivity problems: Web pages wouldn’t load; e-mail was down; file and print services were down. The problem was affecting the whole corporation.

Things got louder when a support tech came in while we were starting to troubleshoot the problem. “You did what?!” he screamed. “You can’t do that! DNS is integrated within AD; that’s why it’s called an Active Directory-integrated DNS zone!” That explained what was happening. By deleting DNS at the remote site, it deleted DNS from all the sites. So when I recreated the zone, it replaced our existing 15,000 records with a new zone—a zone containing only the DNS record of the DC and the file and print server at the remote site.

Luckily, we had a tape backup from another DC and were able to perform an authoritative restore and get back most of the original DNS records. But several others were missed and had to be created manually (let’s just say that it was a very long night).

Since that experience, I’ve had another problem with DNS corruption on a single DC that required a call to Microsoft support. I was dismayed during the troubleshooting process when the technician told me to “delete the zone.” Needless to say, I argued against this course of action—this was one lesson I learned the hard way.

Ernest Franzen is a senior network architect for a Fortune 500 company. He holds MCSA and MCSE certifications.

Redmond magazine wishes to thank Thomas Haines and AOPA Pilot magazine for allowing us to use the title of this column without getting bent out of shape.

Mr. Roboto
Automation for the Harried Administrator | by Don Jones

Service Pack It Up

Welcome to Mr. Roboto! Most of you know me as Beta Man, but I’ve taken on a new role at Redmond. I’m strapping on a tin helmet and diving into the world of Windows automation.

Let me be perfectly clear right up front—this isn’t just a scripting column. Sure, I’ll turn to scripting when it’s the right technique for the job at hand (as I have this month), but this column is primarily about the job. More specifically, this column will focus on tools and tricks for getting the job done.

Sometimes that will mean a Resource Kit tool, other times a free tool from someone else, or occasionally even a script. I’ll always try to give you some additional tips on how you can tweak or extend the script, tool or whatever so you can use it for other purposes. My primary focus each month, though, will be on using the tool or script to automate a Windows administrative task and help you get the job done faster and easier.

This month, I’ll focus on an often annoying task that’s hard to do without using a heavy-duty solution like Microsoft Systems Management Server: figuring out which service pack is running on a specific set of computers.

First, I have to offer a few caveats. My solution uses a tool that you will run on your computer. It will use your network to contact whichever computers you specify, meaning you need to have those computers turned on and connected. You’ll also need to either turn off the Windows Firewall (or whatever local firewall you may be using) or configure it to allow remote administration traffic (specifically, the tool connects to the Windows Management Instrumentation service on each computer you target).

This script should work with NT-based computers all the way back to Windows NT 4, including Windows 2000, Windows XP and Windows Server 2003. The account you use to run the tool needs to have local administrator permissions on each targeted computer, which means you’ll probably need to run the tool as a domain admin (launch the tool using RunAs if you need to specify alternate credentials).

I wrote this tool as a VBScript, but it’s written in the WSF format, meaning you can just run it as a command-line tool. Its name is ListServicePack.wsf, and it accepts a few command-line arguments (including /?, if you need help with it) that tell it what to do. For example, if you have a text file that contains the computer names you want to check (one computer name per line in the file), run:

    ListServicePack /list:computers.txt

(or whatever the filename is). If you just want to test it with a single computer, run:

    ListServicePack /computer:MyComputer

instead. Or, if you want to try and hit every computer in an Active Directory organizational unit, run:

    ListServicePack /container:Sales

specifying the appropriate Organizational Unit (OU) name instead of “Sales;” tack on “/recurse” to process sub-OUs as well. You can also specify the “/output:filename” argument, which writes the tool’s output to the specified text file, rather than just displaying everything on-screen. If you run the script on an XP or 2003 machine, specifying the “/ping” argument will help reduce the wait time for computers that aren’t available.

The tool has some other goodies, too. Run it with “/?” to get a complete breakdown of what it can do. This is a great, easy-to-use tool for quickly checking the service pack level on a number of machines. If you’re a VBScript fan, feel free to crack it open and play with it. Otherwise, just use it as-is to help make your administrative life a little bit easier. Domo arigato.

DownLoad
Download this month’s tool from www.ScriptingAnswers.com/roboto/col1.zip. Please keep this URL. That way, if problems occur, I can update the posted file more easily.

What Windows Administrator’s task would you like Mr. Roboto to automate next? Send your suggestions to [email protected]

Don Jones is a columnist and contributing editor for Redmond magazine, and the founder of ScriptingAnswers.com. His latest book is Windows Administrator’s Automation Toolkit (Microsoft Press). Reach Don at [email protected].
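The kind of check the column describes, written as an added PowerShell example rather than taken from ListServicePack.wsf (the function name Get-ServicePackLevel and the file names in the comments are hypothetical). It reads the service pack fields of Win32_OperatingSystem over WMI/DCOM, the traffic the remote administration firewall exception permits, and records unreachable or access-denied hosts instead of stopping.

```powershell
# Added example, not the column's tool: report OS and service pack level over WMI.
function Get-ServicePackLevel {
    [CmdletBinding()]
    param(
        # One or more computer names; also accepted from the pipeline (one name per line).
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,

        # Skip hosts that do not answer a single ICMP echo, similar in spirit to /ping.
        [switch]$Ping
    )
    begin {
        # Use DCOM/RPC, the classic WMI transport, instead of the WS-Man default.
        $dcom = New-CimSessionOption -Protocol Dcom
    }
    process {
        foreach ($name in $ComputerName) {
            $name = $name.Trim()
            if (-not $name) { continue }          # ignore blank lines in a list file

            $row = [ordered]@{
                Computer    = $name
                OS          = $null
                ServicePack = $null
                Status      = 'OK'
            }

            if ($Ping -and -not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
                $row.Status = 'No ping reply'
                [pscustomobject]$row
                continue
            }

            $session = $null
            try {
                $session = New-CimSession -ComputerName $name -SessionOption $dcom `
                               -OperationTimeoutSec 15 -ErrorAction Stop
                $os = Get-CimInstance -CimSession $session `
                          -ClassName Win32_OperatingSystem -ErrorAction Stop
                $row.OS = $os.Caption
                # ServicePackMajorVersion is 0 when no service pack is installed.
                $row.ServicePack = if ($os.ServicePackMajorVersion -gt 0) {
                    "$($os.ServicePackMajorVersion).$($os.ServicePackMinorVersion)"
                } else {
                    'none'
                }
            }
            catch {
                # Firewall blocks, RPC failures and access-denied errors end up here.
                $row.Status = $_.Exception.Message
            }
            finally {
                if ($session) { Remove-CimSession -CimSession $session }
            }
            [pscustomobject]$row
        }
    }
}

# Check the local computer:
Get-ServicePackLevel -ComputerName $env:COMPUTERNAME

# Check a list (computers.txt is a hypothetical file, one name per line) and save the result:
# Get-Content .\computers.txt | Get-ServicePackLevel -Ping |
#     Export-Csv .\servicepacks.csv -NoTypeInformation
```

Filtering the result on the Status column separates hosts that were checked from hosts that were merely unreachable, which matters when the list is used to decide what still needs patching.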


WindowsInsider
Greg Shields

Down the Winding InfoPath

I hate forms in Microsoft Word. I really do. You know what I’m talking about—those nasty little grey boxes that make text hard to read, jump around when you hit the Tab key, and sometimes delete too much when you try to Backspace.

Not long ago I decided I’ll never use Word 2003 forms again. So, when handed yet another project that needed them, I chose to look into Microsoft’s least-understood Office tool: InfoPath 2003.

Offered as a stand-alone product or bundled with Office Professional Enterprise Edition, InfoPath is an XML-based forms design tool with tight constraints on how your form conforms to an established XML schema. Whether you submit your form to a database or save it as an XML file on a file share or SharePoint server, starting a project in InfoPath is a lot like Microsoft Access. Before you ever begin designing, you must understand the data you’re collecting and how you want it stored. That being said, here are six quick tips I learned that’ll come in handy as you create your first InfoPath project.

1. Create Your Data Source First
For simple forms that won’t submit to a database, creating your XML schema is easy. As an example, open InfoPath and choose to design the sample Status Report form. You’ll see that text boxes in the form map to fields in the Data Source. This is a key factor in forms design. Before you create any text or check boxes on your form, you must already have an existing entry in the data source where that box’s data will be stored. In forms that don’t attach to databases, you create new fields in the data source by selecting the folder group and then clicking the Add… button (see Figure 1).

Figure 1. The singleName text box in the form design maps to the singleName field in the form’s Data Source.

2. To Database or Not to Database
Where it gets harder is when you want to submit your forms to a database. InfoPath supports direct database connections only to SQL Server and Access databases, and won’t allow you to submit your forms if the database has a many-to-one relationship between related tables. Forms that submit to a database seem more difficult because you can’t directly add or remove fields in the data source from within InfoPath. Fields in your data source are completely constrained by the columns in your database. Need a new field in your form? Create a new column in your database and update the SQL query in your Data Connection.

If you’re using SQL Server as the database for your form, consider linking the form to a SQL View rather than directly to a table. This makes it easier to manipulate the view if you need to make a change, as well as making it easier to apply security to your database.

3. Drop and Give Me 20!
Drop-down list boxes can be a little tricky. There are three ways you can populate a drop-down list box:
• Manual entry in the drop-down’s properties
• Use a lookup table stored inside the form’s code
• Use a secondary lookup to a database

Of these, the lookup to the database is the most useful, and also the most complicated. To populate a drop-down list from a database table, you’ll want to create a Secondary Connection to a lookup table in your database and populate the entries from that Secondary Connection. What’s not immediately obvious—and annoying—is InfoPath’s inability to restrict that lookup to just a single instance of each entry in your secondary lookup. If you’re seeing doubles in your drop-down list box, you’ll need to create an XPath filter expression that eliminates the duplicates. Do this with the following expression:

    not(. = ../preceding-sibling::*/@)

4. Donning Your Input Mask
If you’re used to Access, you’re probably familiar with the friendly input mask feature that forces data into a predetermined structure—like when you want to force phone numbers to be stored as (XXX) XXX-XXXX. InfoPath doesn’t natively have that capability, but you can cheat it using Data Validation. Though InfoPath Data Validation won’t pre-populate the field’s mask characteristics, users will be forced to enter data in the correct format or the form will reject it.

You can do this by double-clicking on a text box in your form, selecting Data Validation…, and then Add…. In the Data Validation dialog box, select Does Not Match Pattern from the second drop-down box and Select a Pattern from the third. You’ll be given a few example patterns, like our phone number example above, or you can create your own by using \d to represent any digit or \p{L} to represent any letter. Make sure to enter an error message to alert users when an entry doesn’t match the pattern.

Because InfoPath doesn’t pre-populate the mask characteristics, you’ll probably want to inform your users of the correct pattern for that text box. Do this by entering your pattern as a Placeholder on the Display tab of the text box properties, as shown in Figure 2.

Figure 2. Use InfoPath Data Validation to display an error when users enter data in an incorrect format.

5. Trust Me
While simple forms that lack VBScript- or JScript-coded events don’t require certificates, any form that interfaces with a computer’s WMI (Windows Management Instrumentation interface) does. For example, if you want to store the Active Directory username of the person filling out the form to a field in your form, you can create an OnLoad event that does this with the following snippet of code:

    Sub XDocument_OnLoad(eventObj)
        Set wscNet = CreateObject("WScript.Network")
        XDocument.DOM.selectSingleNode("/my:/my:").text = wscNet.UserName
    End Sub

InfoPath’s strict security model won’t allow the form to interface with the local computer’s WMI unless the form is considered Fully Trusted. To do this, you’ll need to sign your form with a trusted code signing certificate:
• If you don’t already have one, build a Certificate Server and generate its root certificate.
• Then, create a Group Policy that adds that certificate to the Trusted Root Certification Authorities container on your machines.
• Create a code signing certificate with an exportable private key.
• Finally, in the Design View of your form, select Tools | Form Options | Security, sign the form with your code signing certificate and set the security level to Full Trust.

Users will be prompted with a window requiring them to trust the certificate when they first attempt to load your signed form.

6. Feels Like the First Time
Sometimes, even a complete install of Office 2003 won’t properly configure the client machine to make it easy for new users, who will get a dialog box asking them if they want to save the file or open it from its current location.

To eliminate the dialog box, you can use Group Policy to configure your machines to automatically open the form. Do this by creating a Group Policy startup script that calls regedit /s GPStartupScript.reg. Then, create a GPStartupScript.reg file with the following syntax:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\InfoPath.Solution.1]
    @="Microsoft Office InfoPath Form Template"
    "EditFlags"=dword:00010000
    "BrowserFlags"=dword:00000008

Even with this startup script, you may still have some client requirements for your InfoPath forms to work. Make sure that all your clients have a recent version of both the .NET Framework and the Microsoft Data Access Components installed.

Diamond in the Rough
Although it’s still a little rough around the edges and its GUI has some annoying quirks, InfoPath gets high marks as a useful tool for creating XML-based forms for both small business and the enterprise. Unfortunately, in trying to be everything for everyone, it ends up with a pretty hefty learning curve.

My advice: Start small. It’s incredibly easy to build forms that don’t integrate with SharePoint, SQL, Access or Web services. Once you’re familiar with the basics of InfoPath, you can add a little scripting and a database back-end and never again experience the pain of Word’s grey boxes.

Greg Shields, MCSE: Security, CCEA, is a senior systems engineer for Raytheon Co. in Aurora, Col. He’s a contributing editor to Redmond magazine and frequently speaks at TechMentor events. You can reach him at [email protected].


SecurityAdvisor JoernRoberta Wettern Bragg That Isolated Feeling

Traditional IT security relies on assigning different levels of trust to different network zones. A more effective solution is to rely on trust between computers, instead of trusting the networks they’re connected to. Domain isolation and server isolation leverage Windows capabilities to reach this goal.

A Matter of Trust
Chances are that your current network consists of the main internal network, and one or more demilitarized zone (DMZ) networks. Maybe there are a few tightly controlled networks with limited access, such as one that connects the research department’s computers. In addition, you might have branch office networks connected over WAN links, but computers on them have full access to your internal network, so they really belong to the internal network from a security point of view.

When we analyze the security functions of a network, physical infrastructure becomes secondary. Instead, we often think about security zones and agonize over which zone should contain a network resource, or how to best control traffic between these zones. We know that the Internet is entirely untrustworthy; even in our wildest dreams, we wouldn’t connect a server directly to that malware playground.

If we need to allow someone to access a server from the Internet, we routinely place the server into a DMZ and use a firewall to tightly control and monitor access to it. We trust the DMZ more than the Internet, but not enough to allow unrestricted communications between it and our internal network. If such connections are required, we use another firewall to further restrict and monitor them, because we only want to allow network packets that we trust on our internal network.

This trust seems to be justified because, in addition to using firewalls, we make sure that only legitimate users get access to this internal network. We try to keep intruders out by authenticating users, using selective permission assignments on file servers, and requiring an employee badge for entering a building with network taps. Figure 1 illustrates this type of network design, which allows any computer considered part of the internal network to communicate with any other computer—because the internal network is trusted.

Figure 1. On a typical network, computers on the internal network all trust each other. This can be a problem when an outside, possibly compromised computer is introduced to this network segment. [Diagram labels: Internet (No Trust); DMZ (Partial Trust); Firewall; Firewall; Internet Network (Full Trust)]

This philosophy of network segmentation has been the de facto security standard for a long time, and most corporate networks rely on it. Looking at the network as a set of security zones can be useful, but relies on the often-unrealistic assumption that access to the network is tightly controlled. Instead, many internal networks include a variety of computers: managed clients at corporate headquarters; home computers connected over a VPN; the laptops of outside consultants or visiting customers; a kiosk computer in the lobby; wireless users inside the building and in the coffee shop across the street; and so on. Because all computers on a typical network like this shouldn’t be trusted equally, it’s a dangerous practice to trust based on zones.

Divide and Conquer
One way to restore the trust in your network is to further divide it. For example, you could create a separate network for the accounting department and disallow access to it for VPN and wireless clients. Readily available tools for such segmentation include firewalls, routers and VLANs (virtual LANs), but each of these tools has its own shortcomings:
• Large-scale, effective VLAN deployment requires all switches to support this type of segmentation.
• Routers make decisions based on IP addresses and ports.
• Firewalls can be expensive and difficult to manage.

And none of these solutions can protect you against an employee who plugs a virus-infected personal laptop computer into the corporate network.

802.1x: Not Just for Wireless
A better method for ensuring trust in your network is to require computer authentication when connecting to your network infrastructure, then restricting which authenticated computers are allowed to connect. This is commonly done for wireless clients by using 802.1x-based access control. The wireless clients need to be configured with a certificate or some type of shared secret before the wireless access point (WAP) allows any network packets to be transmitted across the network (note that 802.1x can also be used for regular wired connections). Windows supports this out of the box, and many recent switches have 802.1x support built-in. 802.1x can be an effective method for ensuring that only authenticated computers and devices can send and receive packets on your network—if an employee plugs a personal laptop into a hub, or a visiting sales representative plugs a computer into the conference room’s network tap, they’ll be stopped at the switch. 802.1x can be an effective solution, but the resulting administration work, the need for an existing PKI (Public Key Infrastructure), and the scarcity of devices that support it often put an end to any plans to implement 802.1x company-wide.

Domain Isolation
Domain isolation tries to accomplish a goal similar to 802.1x, but with a different method. Instead of preventing untrusted computers from sending and receiving network packets, it relies on your trusted computers to ignore such traffic. You’re essentially treating your entire network as if it’s untrustworthy, and letting your trusted computers make decisions about whether to trust computers with which they’re communicating, independent of the network. This creates a security domain of trusted computers which can securely communicate across a network that may not be entirely trusted. Figure 2 shows how only computers in this trusted domain can talk to each other.

Figure 2. Using domain isolation, trusted computers ignore communications from untrusted computers, no matter which network segment they’re on, or which security zone they’re in. [Diagram label: Internet Network (Domain Members Only Talk To Other Domain Members)]

Using domain isolation instead of network-based security models has several advantages:
• It’s much more flexible.
• It can be rolled out incrementally, at a pace that works for you.
• It will probably require no additional hardware.

If you have an existing Active Directory infrastructure and most of your computers are running Windows 2000 or higher, you already have the two


tools you need for domain isolation: IPsec and Group Policy. IPsec, which takes care of the authentication, is built into all versions of Windows since Win2K. Group Policy, which allows you to implement domain isolation across a large number of computers, is a core component of AD.

IPsec to the Rescue

IPsec is a versatile network security protocol (for a refresher on IPsec, see the sidebar “The Many Uses of IPsec”). IPsec authentication occurs much earlier than resource access authentication. When a computer authenticates a user who wants to access a shared folder, a network connection has already been established. But IPsec authentication occurs even before the first network packets, excluding the authentication traffic itself, can be sent or received.

IPsec authenticates computers and not users. When used as part of domain isolation, an IPsec policy on each computer determines how it will communicate with other computers. For example, you can require that two computers authenticate each other before exchanging any network packets. The policy can also include exceptions based on ports or IP addresses.

The most basic form of domain isolation uses an IPsec policy that instructs client computers and servers in your AD domains to process network packets only from computers within the same AD. IPsec can use shared secrets, certificates or Kerberos. Of these options, Kerberos is the clear choice if your infrastructure is Windows-based. Shared secrets aren’t secure, and certificates can be difficult to deploy and administer. Kerberos, on the other hand, can be used by domain members to authenticate each other without any additional administration or configuration.

Configuring IPsec separately on each computer is a waste of manpower. Instead, configure a Group Policy for all your clients that includes the IPsec policy designed to accomplish your authentication goals. You can apply this policy to all computers in a domain or Organizational Unit (OU), but you can also easily configure exemptions for computers that should accept unauthenticated connections, such as connections from non-domain members. Designing such exemptions will probably require the most work during the planning phase; but unless all your computers are running Windows and are AD members, there will likely be times you’ll have to allow non-authenticated connections, like allowing a consultant to connect to a server from a laptop, or enabling users to access corporate resources over a VPN from home.

Next Time: Isolating Servers

Keeping unauthenticated computers off your network is only the first step. Malicious actions can originate from authenticated computers, and I often find that I want to tightly restrict which computers can connect to critical resources, such as servers that contain payroll data. Also, when the access involves confidential data, and the application I’m using has no built-in encryption, I often want to encrypt the data at the network layer instead. Server isolation is an IPsec-based scheme to accomplish these goals by building on the principles of domain isolation and going several steps beyond it. Next month I’ll show you how to use server isolation by itself or in conjunction with domain isolation to increase security. I’ll also provide more details on using IPsec and group policy to achieve your security goals.

Joern Wettern, Ph.D., MCSE, MCT, Security+, is the owner of Wettern Network Solutions, a consulting and training firm. He’s written books and developed training courses on a number of networking and security topics. In addition to helping companies implement network security solutions, he regularly teaches seminars and speaks at conferences worldwide. You can reach him at [email protected].

The Many Uses of IPsec

IPsec (IP Security) is a standard for securing IP communications at the network layer. Unlike Secure Sockets Layer (SSL), which secures application data, IPsec was designed to be completely independent of the application and handle all IP packets at the network layer. IPsec has many security uses:

Virtual Private Network (VPN) tunnels: This is the most common use for IPsec. It can provide encryption and packet integrity checking for a VPN tunnel, either for client connections or site-to-site tunnels. Many vendors have implemented IPsec in their VPN solutions.

Authentication: Microsoft is one of the few vendors that has fully supported the use of IPsec for any type of network connection, and not just VPN tunnels. The Windows IPsec driver, part of the network stack, can perform authentication of a remote computer before IP packets are further processed by the stack. Microsoft supports shared secrets, certificates and Kerberos for authentication.

Encryption: IPsec can be used to encrypt network traffic (but this isn’t required—you can require authentication without encryption). Encrypting packets provides confidentiality for all network traffic, and you get this even if the application you use doesn’t provide encryption itself. IPsec has a built-in mechanism for negotiating encryption algorithms and exchanging encryption keys.

Integrity: Packet integrity ensures that a network packet hasn’t been altered since it was sent. IPsec can detect such alterations and automatically drop packets that have been changed in transit. — J.W.
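An added example, not from the article or from Microsoft: the basic domain isolation policy described above (Kerberos computer authentication for all traffic, plus an address-based exemption), sketched with the netsh ipsec static commands of Windows Server 2003 against the local policy store of a lab machine. The policy, filter list and rule names and the domain controller address 192.0.2.10 are placeholders chosen for illustration; the article itself distributes the policy through Group Policy.

```batch
@echo off
rem Added example: lab sketch of a basic domain isolation policy.
rem Assumptions: Windows Server 2003 "netsh ipsec static" context, local
rem policy store, placeholder names, placeholder DC address (192.0.2.10).
setlocal
set "POLICY=Domain Isolation Lab"
set "DC_IP=192.0.2.10"

rem 1. Create the policy unassigned so nothing changes until it is reviewed.
netsh ipsec static add policy name="%POLICY%" description="Kerberos computer authentication for domain members" assign=no

rem 2. Filter lists: one catch-all, one for the exemption.
rem    mirrored=yes makes each filter match traffic in both directions.
netsh ipsec static add filterlist name="All IP traffic"
netsh ipsec static add filter filterlist="All IP traffic" srcaddr=me dstaddr=any protocol=any mirrored=yes

rem    Domain controllers must stay reachable without IPsec, because a
rem    member needs them to obtain the Kerberos tickets IPsec will use.
netsh ipsec static add filterlist name="Exempt DCs"
netsh ipsec static add filter filterlist="Exempt DCs" srcaddr=me dstaddr=%DC_IP% protocol=any mirrored=yes

rem 3. Filter actions.
rem    ESP[None,SHA1] = authenticated, integrity-checked, not encrypted.
rem    "Request auth" (inpass=yes soft=yes) still talks to peers that
rem    cannot negotiate; use it while rolling out incrementally.
rem    "Require auth" (inpass=no soft=no) refuses unauthenticated peers.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Request auth" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[None,SHA1]"
netsh ipsec static add filteraction name="Require auth" action=negotiate inpass=no soft=no qmsecmethods="ESP[None,SHA1]"

rem 4. Rules tie a filter list to an action. The more specific DC filter
rem    takes precedence over the catch-all filter.
netsh ipsec static add rule name="Exempt domain controllers" policy="%POLICY%" filterlist="Exempt DCs" filteraction="Permit" kerberos=yes
netsh ipsec static add rule name="Authenticate domain members" policy="%POLICY%" filterlist="All IP traffic" filteraction="Request auth" kerberos=yes

rem 5. Review the result before assigning it.
netsh ipsec static show policy name="%POLICY%" level=verbose

rem 6. Run these by hand once the review looks right:
rem    netsh ipsec static set policy name="%POLICY%" assign=yes
rem    After members negotiate successfully, switch to enforcement:
rem    netsh ipsec static set rule name="Authenticate domain members" policy="%POLICY%" filteraction="Require auth"
endlocal
```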


RedmondResources

ADVERTISING SALES

Matt Morollo
Associate Publisher
508-532-1418 phone
508-875-6622 fax
[email protected]

Northwest
No. CA, OR, WA, Alberta, British Columbia, Saskatchewan
Bruce Halldorson
Northwestern Regional Sales Manager
209-473-2202 phone
209-473-2212 fax
[email protected]

East
AL, CT, DE, FL, GA, KY, LA, MA, MD, ME, MS, NC, NH, NJ, NY, PA, RI, SC, TN, VA, VT, WV, Quebec, Ontario, Europe
JD Holzgrefe
Eastern Regional Sales Manager
804-752-7800 phone
253-595-1976 fax
[email protected]

West/Mid West
AK, AR, AZ, So. CA, CO, HI, ID, IA, IL, IN, KS, MI, MN, MO, MT, ND, NE, NM, NV, OH, OK, SD, TX, UT, WI, WY, Manitoba, Pacific Rim, Australia, New Zealand, India, Pakistan
Dan LaBianca
Western Regional Sales Manager
818-674-3417 phone
818-734-1528 fax
[email protected]

IT Certification & Training—USA, Europe
Al Tiano
Advertising Sales Manager, IT Certification & Training
818-734-1520 ext.190 phone
818-734-1529 fax
[email protected]

ENTmag.com & TCPmag.com
Tanya Egenolf
Account Executive
760-722-5494 phone
760-722-5495 fax
[email protected]

Production
Kelly Ann Smith
Production Coordinator
818-734-1520 ext.164 phone
818-734-1528 fax
redmondadproduction@101com.com

AD INDEX

Advertiser | Page | URL
2X Software | C2 | www.2x.com
Capella University | 21 | www.capella.edu
CrossTec | 52 | www.crossteccorp.com
Citrix | 35 | www.citrix.com/edu/redmond
DesktopStandard | 44 | www.desktopstandard.com
Devon IT | 37 | www.ntavo.com
ESP by Lucid8 | 18,19 | www.Lucid8.com
GFI Software | C3 | www.gfi.com
iTripoli | 51 | www.AdminScriptEditor.com/redmond
IBM | 53 | www.ibm.com
LearnKey, Inc. | 26 | www.learnkey.com
LinkTek | 55 | www.linkfixerplus.com
Network Appliance | 11 | www.netapp.com
NSI Software, Inc. | 27 | www.nsisoftware.com
Palm, Inc. | 7 | www.palm.com
Quest Software | C4 | www.quest.com
RedHat, Inc. | 5,38 | www.redhat.com
Softtree Technologies | 61 | www.softtreetech.com
Special Operations Software | 15 | www.specopssoft.com
Sunbelt Software | 8,59 | www.sunbelt-software.com
Softtree Technologies | 23 | www.softtreetech.com
TechMentor | 56 | www.TechMentorEvents.com
TechLibrary | 62 | www.redmondmag.com/techlibrary/webcasts
The Neverfail Group | 47 | www.neverfailgroup.com
The Training Camp | 61 | www.trainingcamp.com
TNT Software | 31 | www.tntsoftware.com
Websense | 3 | www.websense.com
Winternals Software | 49 | www.winternals.com

EDITORIAL INDEX

Company | Page | URL
Acronis Inc. | 41 | www.acronis.com
Apple Computer Inc. | 29, 30, 32-34, 36 | www.apple.com
Bitform Technology Inc. | 10 | www.bitform.net
Cisco Systems Inc. | 32 | www.cisco.com
Code Weavers | 36 | www.codeweavers.com
Dell Inc. | 33 | www.dell.com
Faronics Corp. | 41 | www.faronics.com
Google | 40, 41 | www.google.com
Grisoft Inc. | 43 | www.grisoft.com
Javacool Software LLC | 42 | www.javacoolsoftware.com
IBM Corp. | 32 | www.ibm.com
Kaspersky Lab | 12 | www.kaspersky.com
Lavasoft | 41, 42 | www.lavasoft.com
Novell Inc. | 33 | www.novell.com
Online ToolWorks Corp. | 16 | www.onlinetoolworks.com
Safer-Networking.org | 41, 42 | www.safer-networking.org
ScriptLogic Corp. | 20 | www.scriptlogic.com
Shavlik Technologies LLC | 13 | www.shavlik.com
Sunbelt Software | 40 | www.sunbelt-software.com
Sun Microsystems Inc. | 29, 36 | www.sun.com
Trend Micro Inc. | 41 | www.trendmicro.com
Zone Labs LLC | 42 | www.zonelabs.com

This index is provided as a service. The publisher assumes no liability for errors or omissions.

Corporate Headquarters: 9121 Oakdale Ave., Suite 101, Chatsworth, CA 91311 www.101com.com

Media Kits: Direct your Media Kit requests to Matt Morollo, Associate Publisher, 508-532-1418 (phone), 508-875-6622 (fax), [email protected].

Reprints: For all editorial and advertising reprints, contact PARS International at 212-221-9595 (phone), 212-221-9195 (fax); e-mail: [email protected]; online: www.magreprints.com/QuickQuote.asp

List Rentals: To rent REDMOND’s or other 101communications’ publications postal, telemarketing or e-mail lists, please contact our list manager: Worldata, 3000 N. Military Trail, Boca Raton, FL 33431-6375, 800-331-8102, www.worldata.com

CONFERENCES
TechMentor Conferences: contact Al Tiano, Sales Manager, 818-734-1520 ext. 190, [email protected]. The Data Warehousing Institute: contact Diane Smith, Exhibit Sales, 206-246-5059 ext.108, Denelle Hanlon, Publication and Sponsorship Sales, 206-246-5059 ext.102, [email protected]. FCW Events and Conferences: contact Lucy Cooley, Events Director, 703-876-5081, lcooley@101com.com. Syllabus Conference and Exhibition: contact Anne Morris, Exhibit Space or Sponsorship, 818-734-1520 ext.219, [email protected].

© 2006 by 101communications. All rights reserved. Reproductions in whole or part prohibited except by written permission. Mail requests to “Permissions Editor,” c/o REDMOND magazine, 16261 Laguna Canyon Road, Ste. 130, Irvine, CA 92618. The information in this magazine has not undergone any formal testing by 101communications and is distributed without any warranty expressed or implied. Implementation or use of any information contained herein is the reader’s sole responsibility. While the information has been reviewed for accuracy, there is no guarantee that the same or similar results may be achieved in all environments. Technical inaccuracies may result from printing errors, new developments in the industry and/or changes or enhancements to either hardware or software components.

REDMOND magazine (ISSN: 1553-7560, USPS: 0015-657) is published monthly by 101communications LLC, 9121 Oakdale Avenue, Ste. 101, Chatsworth, CA 91311. Periodicals postage paid at Chatsworth, CA 91311-9998, and at additional mailing offices. Annual subscription rates for U.S. $39.95 (U.S. funds); Canada/Mexico $54.95; outside North America $64.95. Subscription inquiries, back issue requests, and address changes: Mail to: REDMOND, P.O. Box 2063, Skokie, IL 60076-9699, e-mail [email protected] or call 866-293-3194 for U.S. & Canada; 847-763-9560 for International, fax 847-763-9564. POSTMASTER: Send address changes to REDMOND, P.O. Box 2063, Skokie, IL 60076-9699. Canada Publications Mail Agreement No: 40039410. Return Undeliverable Canadian Addresses to Circulation Dept. or DHL Smart & Global Mail, 2-7496 Bath Rd., Mississauga, ON, L4T 1L2, Canada.

Copyright 2006 by 101communications LLC. All rights reserved. Printed in U.S.A.

Foley on Microsoft
By Mary Jo Foley

Is Microsoft Buying into the Web 2.0 Hype?

Sometimes, it pays to be a follower. That’s what I thought, at least when it came to Microsoft and Web 2.0. Microsoft has been slow to jump on the latest Internet bubble bandwagon, which offers up utopian visions of the emerging Internet as a vastly integrated and self-improving platform. I had high hopes that the company could avoid being caught up in the web of hype around Web 2.0.

But with the advent of this month’s Microsoft Mix ’06 event in Las Vegas, I’m starting to wonder. While Microsoft doesn’t mention “Web 2.0” explicitly in its conference materials, the company is undeniably jockeying to cash in on the hot Web 2.0 themes: AJAX development, RSS Monetization; “Conversations” as opposed to “Conferences,” and so on.

That sinking feeling in my stomach got a bit stronger when I read some recent remarks by Gary Flake, the head of Microsoft’s newly unveiled Live Labs. And according to Nathan Weinberg who runs the “Inside Microsoft” blog, Flake is prone to use terms like “macro-ization” of computing; “Internet singularity”; and (the dead giveaway of too much 2.0-ism) The Long Tail.

It’s tough to accuse Microsoft of Web 2.0 pandering without providing a more complete definition of Web 2.0. Many have tried, but few have latched onto something tangible.

O’Reilly Media founder Tim O’Reilly attempted a concise definition that goes like this: “Web 2.0 is the network as platform, spanning all connected devices; Web 2.0 applications are those that make the most of the intrinsic advantages of that platform: delivering software as a continually updated service that gets better the more people use it, consuming and remixing data from multiple sources, including individual users, while providing their own data and services in a form that allows remixing by others, creating network effects through an ‘architecture of participation,’ and going beyond the page metaphor of Web 1.0 to deliver rich user experiences.”

(And yes, for those of you counting—that was one sentence. So much for brevity.)

All I can say is, I know Web 2.0 shucksterism when I see it. It’s almost always promoted by vendors sporting inane names and venture capitalists and journalists who happily rode the last Internet Bubble wave. It’s fraught with companies with half-baked ideas and flimsy business plans.

Now that you know how I really feel, you can see why I am loath to watch Microsoft become a big Web 2.0 backer.

I don’t think Microsoft can or should ignore the Web. Microsoft made a major mistake in the early 1990s when Jim Allchin trumped Brad Silverberg, who had urged Microsoft to open Windows to the Web. With the announcement of the Microsoft Live initiative last year, the company is finally recovering from Allchin’s effort to preserve the Windows franchise against all threats.

But being Web savvy doesn’t mean jumping on every Internet scheme that floats down the pike. There has to be discernment between fly-by-night fads and real technology changes that affect the future of computing. Microsoft needed to integrate its evolving services platform with its shrink-wrapped software, as it plans to do via the Live strategy spearheaded by Chief Technology Officer Ray Ozzie. But it doesn’t need to swallow any Web 2.0 snake oil in the process.

What say you, readers? Is Microsoft in danger of succumbing to the siren call of Web 2.0 and its backers? Or do you think Microsoft could benefit from a little more Web 2.0 thinking? Write to me at [email protected] and let me know what you think.

GetMoreOnline: Learn more about Web 2.0 by following our links to additional resources, including O’Reilly’s definition and the Microsoft Mix ’06 blog. FindIT code: Foley0306, redmondmag.com

Mary Jo Foley is editor of Microsoft Watch, a Web site and newsletter (Microsoft-Watch.com) and has been covering Microsoft for about two decades. You can reach her at [email protected].
